SCP for tag enforcement not working on Dynamodb


I have created the following SCP to enforce tags on EC2, Lambda and DynamoDB. However, it is not working for DynamoDB.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationProductTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationNameTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyDynamoDBCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateTable"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    }
  ]
}
```

I am giving the tag `Name` while creating the table, but it is giving the error: `User: arn:aws:iam::458225596744:root is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:458225596744:table/ashish0001 with an explicit deny in a service control policy`. No other SCP is applied.

1 Answer

The issue here is that DynamoDB does not yet support Tag Based Access Control:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.Overview

AWS
EXPERT
answered a year ago
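Why the deny fires even though a `Name` tag was supplied: the `Null` condition operator with `"true"` matches when the condition key is *absent* from the request context. If a service does not populate `aws:RequestTag/*` for an API call, the key is always absent, so a `Deny` guarded by `Null: {"aws:RequestTag/Name": "true"}` fires regardless of the tags the caller sent. The following Python evaluator, added here as an illustration and not part of the original post or of any AWS tooling, reconstructs the question's Deny statements and replays them against constructed request contexts. The `REQUEST_TAG_SUPPORT` table is an assumption for the example: `dynamodb:CreateTable` is marked as not populating `aws:RequestTag/*`, following the answer above, and `ec2:StartInstances` is marked the same way because starting an instance carries no tags in the request, which means the posted SCP also denies every `StartInstances` call. Resource matching is ignored (the contexts used here all match the policy's resource patterns), and "Allow" below means only "not denied by this SCP".

```python
"""Replay an SCP's Null/aws:RequestTag Deny statements against request contexts.

Added example, not from the original post. Models IAM's `Null` operator:
  "Null": {"aws:RequestTag/X": "true"}  matches when the key is ABSENT,
  "Null": {"aws:RequestTag/X": "false"} matches when the key is PRESENT.
Resource matching is deliberately omitted; only Action and Condition are checked.
"""
import fnmatch

# Constructed for this example: which APIs put aws:RequestTag/* into the
# request context. DynamoDB is False per the answer on this page (tag-based
# access control not supported at the time). StartInstances is False because
# the call carries no tags at all, so its aws:RequestTag/* keys never exist.
REQUEST_TAG_SUPPORT = {
    "ec2:RunInstances": True,
    "ec2:StartInstances": False,
    "lambda:CreateFunction": True,
    "dynamodb:CreateTable": False,
}


def deny_if_tag_missing(sid, actions, tag):
    """One Deny statement of the shape used throughout the question's SCP."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Action": actions,
        "Resource": "*",
        "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}},
    }


# Reconstruction of the question's SCP (same Sids, actions and condition keys).
REQUIRED_TAGS = ("InfraOwner", "Product", "Name")
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        deny_if_tag_missing(f"DenyEC2Creation{t}Tag",
                            ["ec2:RunInstances", "ec2:StartInstances"], t)
        for t in REQUIRED_TAGS
    ] + [
        deny_if_tag_missing(f"DenyLambdaCreation{t}Tag", ["lambda:Create*"], t)
        for t in REQUIRED_TAGS
    ] + [
        deny_if_tag_missing("DenyDynamoDBCreationNameTag",
                            ["dynamodb:CreateTable"], "Name"),
    ],
}


def build_context(action, tags):
    """Request-context keys the service would present to IAM for this call."""
    if not REQUEST_TAG_SUPPORT.get(action, False):
        return {}  # service never populates aws:RequestTag/* -> keys absent
    return {f"aws:RequestTag/{k}": v for k, v in tags.items()}


def action_matches(pattern, action):
    """IAM action matching: case-insensitive with '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def null_condition_matches(null_block, ctx):
    """All keys in a Null block must agree on presence/absence."""
    for key, want_null in null_block.items():
        key_is_null = key not in ctx
        if key_is_null != (str(want_null).lower() == "true"):
            return False
    return True


def evaluate(scp, action, tags):
    """Return ('Deny', Sid) for the first matching Deny, else ('Allow', None)."""
    ctx = build_context(action, tags)
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(action_matches(p, action) for p in actions):
            continue
        if null_condition_matches(stmt.get("Condition", {}).get("Null", {}), ctx):
            return ("Deny", stmt["Sid"])
    return ("Allow", None)


if __name__ == "__main__":
    full = {"InfraOwner": "team-a", "Product": "billing", "Name": "ashish0001"}
    for action in REQUEST_TAG_SUPPORT:
        print(f"{action:24} with all tags -> {evaluate(SCP, action, full)}")
    print("ec2:RunInstances missing InfraOwner ->",
          evaluate(SCP, "ec2:RunInstances", {"Name": "x", "Product": "p"}))
```

Running it shows `ec2:RunInstances` and `lambda:CreateFunction` passing when all three tags are present, `dynamodb:CreateTable` denied by `DenyDynamoDBCreationNameTag` even with `Name` supplied (the symptom in the question), and `ec2:StartInstances` denied unconditionally. To verify the real request context for a service rather than this model, check the service's condition-key table in the Service Authorization Reference for `aws:RequestTag/${TagKey}` next to the action before writing a `Null`-based deny.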
