I added tags to my AWS resources, but my IAM policy isn't working. Which AWS services support authorization-based tags?

Last updated: 2022-02-17

My resources are tagged with the correct tag key and value, but my AWS Identity and Access Management (IAM) policy isn't evaluating the tags on my resources.

Short description

IAM policies can use the global condition key aws:ResourceTag to control access based on the tag key and value attached to the resource. Not all AWS services support tag-based authorization. Some AWS resources, such as AWS Lambda functions and Amazon Simple Queue Service (Amazon SQS) queues, can be tagged. However, those tags can't be used in an IAM policy to control access to the resources: the service doesn't supply the aws:ResourceTag/tag-key values to the request context, so the condition never matches. For a list of AWS services that support tag-based authorization, see AWS services that work with IAM.

Resolution

If an AWS service doesn't support tag-based authorization, then check the actions, resources, and condition keys for that service to see which resource-level permissions and condition keys are supported in IAM policies. The documentation for some AWS services contains example IAM policies, for example Overview of managing access in Amazon SQS and Identity-based IAM policies for AWS Lambda.

Some Lambda actions, such as DeleteFunction and PublishVersion, can be restricted to a specific Lambda function by using resource-level permissions. Attaching this example IAM policy to an IAM user allows these Lambda actions, but only on a single Lambda function.
Note: Edit the IAM policy to include your own Lambda function ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowActionsOnSpecificFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction",
        "lambda:PublishVersion"
      ],
      "Resource": "arn:aws:lambda:us-west-2:123456789012:function:my-function"
    }
  ]
}
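To see why a tag condition silently fails on a service that doesn't populate aws:ResourceTag in the request context, while the ARN-scoped policy above still works, here is a small added example (not part of this article or of any AWS SDK) with a deliberately simplified policy evaluator. The tag-based policy, the tag key "env" and the second function name "other-function" are constructed for the demonstration; the ARN policy is the one shown above.

```python
import fnmatch

# Constructed policy that relies on a resource tag instead of a resource ARN.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:DeleteFunction", "lambda:PublishVersion"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}},
    }],
}

# The resource-level policy from the article, scoped to a single function ARN.
ARN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowActionsOnSpecificFunction",
        "Effect": "Allow",
        "Action": ["lambda:DeleteFunction", "lambda:PublishVersion"],
        "Resource": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Simplified: only StringEquals is modelled. A condition key that is absent
    # from the request context does not match (IAM behaves the same way unless
    # the ...IfExists variant of the operator is used).
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError("example only models StringEquals")
        for key, wanted in pairs.items():
            if key not in context or context[key] not in _as_list(wanted):
                return False
    return True

def is_allowed(policy, action, resource_arn, context):
    # Simplified IAM logic: implicit deny unless a statement allows; explicit Deny wins.
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def request_context(resource_tags, service_supports_tag_auth):
    # Only a service that supports tag-based authorization adds aws:ResourceTag/* keys
    # to the request context; a service that doesn't leaves them out entirely.
    if not service_supports_tag_auth:
        return {}
    return {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
```

Run with the function tagged env=prod: TAG_POLICY denies lambda:DeleteFunction when the service ignores tags and allows it when the service supports tag-based authorization, whereas ARN_POLICY allows the two listed actions on my-function only.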