How do I create an IAM policy for tag based restriction with the PrincipalTag, ResourceTag, RequestTag and TagKeys condition keys?

Last updated: 2021-02-09

I want to create an AWS Identity and Access Management (IAM) policy for tag-based restriction. How do I use the PrincipalTag, ResourceTag, RequestTag and TagKeys condition keys?

Short description

Use the following example IAM policies to create tag-based restrictions with condition keys for your use case.

Resolution

PrincipalTag condition key

The aws:PrincipalTag condition key is used to match the tag attached to the principal making the request with the tag in the IAM policy. During policy evaluation, the value of the aws:PrincipalTag/tag-key key is populated with the value of the principal's IAM tag that has the matching tag key, if such a tag is present on the principal making the request.

The following example policy restricts access to an Amazon Simple Storage Service (Amazon S3) bucket. It denies the Amazon S3 PutObject action on the bucket to all users except those whose job-title tag has the value "Product-Manager".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllButProductManagers",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::productionbucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalTag/job-title": "Product-Manager"
                }
            }
        }
    ]
}

ResourceTag condition key

The aws:ResourceTag/tag-key condition key is used to compare the tag key-value pair specified in the IAM policy with the key-value pair that's attached to the AWS resource. For more information, see Controlling access to AWS resources.

During IAM policy evaluation, the value of the ResourceTag key is populated with the value of the tag with the matching key, if such a tag is present on the AWS resource. This condition key can be used in its global form, aws:ResourceTag, or in a service-specific form such as ec2:ResourceTag. For more information, see Actions, resources, and condition keys for AWS services.

The following example IAM policy allows users to start, stop, and terminate instances that are in the "test" environment.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyForTestEnvironment",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Env": "test"
                }
            }
        }
    ]
}

RequestTag condition key

The aws:RequestTag/tag-key condition key is used to compare the key-value pair passed in the user request with the tag pair specified in the IAM policy. The condition key is available for actions that create a resource or add a tag to a resource, and it checks the value of the tag.

The following example IAM policy requires users to create a specific tag "Env" with the value "Dev", "Prod" or "QA" when creating an Amazon Elastic Block Store (Amazon EBS) volume.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateVolumeWithEnvTag",
            "Effect": "Allow",
            "Action": "ec2:CreateVolume",
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Env": [
                        "Dev",
                        "Prod",
                        "QA"
                    ]
                }
            }
        }
    ]
}

TagKeys condition key

The aws:TagKeys condition key is used to compare the tag keys in a request with the keys specified in the IAM policy. The value of the TagKeys key is populated with the list of tag keys in the AWS resource request, so the TagKeys condition key validates the tag keys that are attached to a resource.

Because you can define multiple tag key-value pairs in a request, the request can have multiple values. These values can be compared using the ForAllValues or ForAnyValue set operators.

The following example policy restricts the tags that can be created on an AWS resource. "Env" and "CostCenter" are the only tag keys that users can attach to a new Amazon EBS volume. Using the ForAllValues set operator with aws:TagKeys restricts users to attaching only the listed tag keys to the AWS resource. This doesn't require users to provide these tag keys in the resource creation request, but it prevents users from creating tags with any other keys.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateVolume",
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Env",
                        "CostCenter"
                    ]
                }
            }
        }
    ]
}
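To see how the four condition keys resolve against a request, here is an added, simplified evaluator (not AWS code) that builds the request context from principal, resource and request tags and checks a statement's Condition block against it. The functions build_context, _match and condition_matches are assumptions of this example; it models only the string operators and set operators used on this page, and applies the documented missing-key rules (a negated operator matches when its key is absent, ForAllValues is true for an empty set, ForAnyValue is false for an empty set).

```python
import fnmatch
# Added, simplified model (not AWS code) of how the tag condition keys above
# resolve against a request; only one statement's Condition block is modelled.

def build_context(principal_tags, resource_tags, request_tags):
    """Flatten the request's tags into the condition-key names used above."""
    ctx = {}
    for k, v in principal_tags.items():
        ctx[f"aws:PrincipalTag/{k}"] = [v]
    for k, v in resource_tags.items():
        ctx[f"aws:ResourceTag/{k}"] = [v]
        ctx[f"ec2:ResourceTag/{k}"] = [v]  # service-specific form from the EC2 example
    for k, v in request_tags.items():
        ctx[f"aws:RequestTag/{k}"] = [v]
    ctx["aws:TagKeys"] = list(request_tags)  # multivalued: one entry per tag key
    return ctx

def _match(op, actual, expected):
    """Single-value comparison for the three string operators on this page."""
    expected = expected if isinstance(expected, list) else [expected]
    if op == "StringEquals":
        return actual in expected
    if op == "StringNotEquals":
        return actual not in expected
    if op == "StringLike":  # case-sensitive, * and ? wildcards
        return any(fnmatch.fnmatchcase(actual, pat) for pat in expected)
    raise ValueError(f"unsupported operator: {op}")

def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied."""
    for full_op, pairs in condition.items():
        set_op, _, op = full_op.rpartition(":")  # e.g. "ForAllValues:StringEquals"
        for key, expected in pairs.items():
            values = ctx.get(key, [])
            if set_op == "ForAllValues":
                # Empty or absent key evaluates to true: an untagged request passes.
                ok = all(_match(op, v, expected) for v in values)
            elif set_op == "ForAnyValue":
                ok = any(_match(op, v, expected) for v in values)  # empty: false
            elif not values:
                # Missing single-valued key: only negated operators match, which is
                # why the PrincipalTag Deny above also applies to untagged principals.
                ok = op.startswith("StringNot")
            else:
                ok = _match(op, values[0], expected)
            if not ok:
                return False
    return True
```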