How do I use the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys to create an IAM policy for tag-based restriction?


I want to create an AWS Identity and Access Management (IAM) policy for tag-based restriction. I want to use the PrincipalTag, ResourceTag, RequestTag, and TagKeys condition keys.

Resolution

The following IAM example policies use condition keys to create tag-based restriction.

Note: To determine the API actions that you can complete, it's a best practice to review API documentation for the service that you're using.

PrincipalTag condition key

Use the aws:PrincipalTag/tag-key condition key to match the tag that's attached to the principal who's making the request with the tag in the IAM policy.

The following example is a resource-based policy for an Amazon S3 bucket (note the Principal element). It denies the s3:PutObject action on the bucket to every principal except those whose job-title tag has the value Product-Manager:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllButProductManagers",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::productionbucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalTag/job-title": "Product-Manager"
        }
      }
    }
  ]
}

ResourceTag condition key

Use the aws:ResourceTag/tag-key condition key to compare the tag key-value pair that's specified in the IAM policy with the key-value pair that's attached to the AWS resource. For more information, see Controlling access to AWS resources.

This condition key is available both as the global aws:ResourceTag key and as service-specific keys, such as ec2:ResourceTag. For more information, see Actions, resources, and condition keys for AWS services.

The following example IAM policy allows users to start, stop, and terminate instances that are in the test environment:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyForTestEnvironment",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/Env": "test"
        }
      }
    }
  ]
}

RequestTag condition key

Use the aws:RequestTag/tag-key condition key to compare the key-value pair that's passed in the user request with the tag pair that's specified in the IAM policy. You can use this condition key for actions that create a resource or resource tag and that check the tag's value.

The following example policy requires users to include a specific Env tag when they create an Amazon Elastic Block Store (Amazon EBS) volume. The Env tag must have the value Dev, Prod, or QA:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateVolumeWithEnvTag",
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Env": [
            "Dev",
            "Prod",
            "QA"
          ]
        }
      }
    }
  ]
}

TagKeys condition key

Use the aws:TagKeys condition key to compare the tag keys in a request with the keys that are specified in the IAM policy. This condition key validates the tag keys that are attached to a resource.

Because you can define multiple tag key-value pairs in a request, the request can have multiple values. To compare these values, use the ForAllValues or ForAnyValue set operators.

The following example policy restricts the tag keys that users can attach to a new Amazon EBS volume to Env and CostCenter. Because a ForAllValues condition is also satisfied when the request carries no tag keys at all, this policy doesn't require users to provide these tag keys in the resource creation request; it only prevents them from creating tags with any other key:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "Env",
            "CostCenter"
          ]
        }
      }
    }
  ]
}
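To make the evaluation rules behind the PrincipalTag and TagKeys examples concrete, here is an added example (not code from the AWS article) that models a small subset of IAM policy evaluation: the StringEquals, StringNotEquals and StringLike operators, the ForAllValues and ForAnyValue set operators, and the explicit-deny-wins rule. It assumes the AWS semantics for a missing condition key (a single-valued key that is absent fails the condition unless the operator is negated, and ForAllValues is satisfied vacuously); the sample policy and ARN are constructed, and this is not the real IAM engine.

```python
import fnmatch

def _as_list(x):
    return x if isinstance(x, list) else [x]

def value_matches(operator, value, patterns):
    """One request value against the policy's value(s) for one string operator."""
    patterns = _as_list(patterns)
    if operator == "StringEquals":
        return value in patterns
    if operator == "StringNotEquals":
        return value not in patterns
    if operator == "StringLike":  # case-sensitive, * and ? wildcards
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError("unsupported operator: " + operator)

def condition_holds(condition, context):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    for qualified_op, pairs in condition.items():
        set_op, _, operator = qualified_op.rpartition(":")
        for key, patterns in pairs.items():
            values = context.get(key)
            if set_op == "ForAllValues":  # vacuously true when the key is absent
                ok = all(value_matches(operator, v, patterns) for v in values or [])
            elif set_op == "ForAnyValue":
                ok = any(value_matches(operator, v, patterns) for v in values or [])
            elif values is None:  # single-valued key missing from the request:
                ok = operator == "StringNotEquals"  # only a negated operator passes
            else:
                ok = value_matches(operator, values, patterns)
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, context):
    """An explicit Deny wins; otherwise some Allow statement must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed sample policy (same shape as the article's TagKeys example).
TAGKEYS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "ec2:CreateVolume", "Resource": "arn:aws:ec2:*:*:volume/*",
    "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["Env", "CostCenter"]}}}]}
```

Running the TagKeys policy against a request with no tags at all returns True, which is the behaviour the article warns about; a principal with no job-title tag is still caught by the StringNotEquals deny.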

Related information

IAM tutorial: Define permissions to access AWS resources based on tags

AWS OFFICIAL
Updated 2 months ago
2 Comments

It is important to remember NOT to use the ResourceTag condition for PassRole permissions. Quote:

Do not try to control who can pass a role by tagging the role and then using the ResourceTag condition key in a policy with the iam:PassRole action. This approach does not have reliable results.

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 2 months ago