SCP for Tag Enforcement not working for some services

0

I'm implementing Tag Policy and enforcing it using SCP, however I'm noticing that some resources aren't working, such as creating an R53 hosted zone, an S3 bucket, or a Dynamo DB table. Is a list of services that do not support Tag Based Access Control available?

3 Answers
3
Accepted answer

Hello,

Thank you for posting your question on the AWS Repost, my name is Rochak and it will be a pleasure assisting you with this today.

I understand you noticed that some resources in AWS do not support Tag Based Access Control. Please let me know if my understanding is incorrect.

Yes, not all AWS services support Tag Based Access Control. To find out whether an AWS service supports controlling access using tags, see the following document, “AWS services that work with IAM”, and look for the services that have Yes in the Authorization based on tags column. Choose the name of the service to view the authorization and access control documentation for that service. [1]

I hope this helps. If you need further info, let me know in the comments; otherwise I'd appreciate it if you would mark my answer as "ACCEPTED".

Kind regards,

Rochak from AWS

References:

[1] AWS services that work with IAM https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

AWS
answered a year ago
EXPERT
verified 9 months ago
  • Thanks, Rochak! I also created an SCP to deny tag deletion, but there are also some services, like SQS and SNS, from which I can still delete the tags even when the SCP to deny tag deletion is applied. Do we have any documentation that explains this?

3

Yes, please refer to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html. Tag-based conditions are not listed for CreateBucket. Likewise, you can check Route 53 and DynamoDB from the same document link, but choose the service from the left pane to see the list of all ABAC (attribute-based access control) condition keys.

Take a look and comment here if you have any difficulty finding the appropriate documentation around it.

If you really want to enforce tagging on services like S3, then use events: as a new bucket comes in, its tags would be checked, and if certain tags are not present, delete the bucket. Hope it helps.

AWS
EXPERT
answered a year ago
EXPERT
verified 9 months ago
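The event-driven fallback described in the answer above, as an added example that is not part of the original post or of any AWS code: an EventBridge rule matches the CloudTrail CreateBucket call, a Lambda reads the new bucket's tags, and the bucket is deleted when required tag keys are missing. The required tag keys, the sample events and the in-memory `FakeS3` client are constructed for this example; the event shape assumed is that of EventBridge's "AWS API Call via CloudTrail" events (`detail.eventName`, `detail.requestParameters.bucketName`), and in a real Lambda `boto3.client("s3")` would be passed in place of the fake.

```python
"""Tag-enforcement fallback for S3 buckets, where an SCP cannot check tags
at CreateBucket time (added example, not from the re:Post answer).

The S3 client is injected so the decision logic runs offline against the
in-memory fake below; in Lambda, pass boto3.client("s3") instead.
"""
from typing import Iterable

# Constructed policy for this example: every bucket must carry these tag keys.
REQUIRED_TAG_KEYS = ("CostCenter", "Owner")


def missing_tag_keys(tags: Iterable[dict], required=REQUIRED_TAG_KEYS) -> list:
    """Return the required keys absent from an S3-style TagSet ([{"Key":..,"Value":..}])."""
    present = {t["Key"] for t in tags}
    return [k for k in required if k not in present]


class FakeS3:
    """In-memory stand-in for boto3's S3 client (only the two calls used here)."""

    def __init__(self, buckets: dict):
        self.buckets = dict(buckets)  # bucket name -> TagSet
        self.deleted = []

    def get_bucket_tagging(self, Bucket):
        tags = self.buckets.get(Bucket)
        if not tags:
            # boto3 raises ClientError with Error.Code "NoSuchTagSet" for untagged buckets
            raise KeyError("NoSuchTagSet")
        return {"TagSet": tags}

    def delete_bucket(self, Bucket):
        self.buckets.pop(Bucket, None)
        self.deleted.append(Bucket)


def make_event(bucket_name: str) -> dict:
    """Constructed minimal 'AWS API Call via CloudTrail' event for a CreateBucket call."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "s3.amazonaws.com",
            "eventName": "CreateBucket",
            "requestParameters": {"bucketName": bucket_name},
        },
    }


def enforce_bucket_tags(event: dict, s3, required=REQUIRED_TAG_KEYS) -> dict:
    """Evaluate one event and delete the bucket if required tag keys are missing.

    Only an explicit "NoSuchTagSet" is treated as 'no tags'. Any other error
    (throttling, access denied, ...) is re-raised so a transient failure never
    turns into a bucket deletion.
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateBucket":
        return {"action": "ignored"}
    bucket = detail["requestParameters"]["bucketName"]
    try:
        tags = s3.get_bucket_tagging(Bucket=bucket)["TagSet"]
    except Exception as exc:
        # With boto3 this would be: isinstance(exc, ClientError) and
        # exc.response["Error"]["Code"] == "NoSuchTagSet"
        if "NoSuchTagSet" not in str(exc):
            raise
        tags = []
    missing = missing_tag_keys(tags, required)
    if not missing:
        return {"action": "compliant", "bucket": bucket}
    # A bucket seconds after CreateBucket is normally still empty, so DeleteBucket succeeds.
    s3.delete_bucket(Bucket=bucket)
    return {"action": "deleted", "bucket": bucket, "missing": missing}


if __name__ == "__main__":
    s3 = FakeS3({
        "tagged-bucket": [{"Key": "CostCenter", "Value": "1234"}, {"Key": "Owner", "Value": "team-a"}],
        "half-tagged-bucket": [{"Key": "Owner", "Value": "team-a"}],
        "untagged-bucket": [],
    })
    for name in ("tagged-bucket", "half-tagged-bucket", "untagged-bucket"):
        print(enforce_bucket_tags(make_event(name), s3))
```

Two caveats worth keeping in mind: tagging usually happens in a separate PutBucketTagging call right after CreateBucket, so a production handler should wait or retry before deleting to avoid a race with a well-behaved client, and the Lambda's role needs only `s3:GetBucketTagging` and `s3:DeleteBucket` on the buckets it polices.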
2

Hello,

Thank you for the response, and it will be a pleasure assisting you with this today. You are correct. I went and double-checked, and I can confirm that the services “SQS” and “SNS” do support ABAC. [1]

I see you have already posted this question, and it has been answered in another post. [2] Hope that helped.

Thank you again for contacting us. You have a great rest of the week.

References:

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
[2] https://repost.aws/questions/QUcVuzZgC1R9yTlPNRM7dNMw/scp-to-deny-tag-deletion-not-working-for-sqs?sc_ichannel=ha&sc_ilang=en&sc_isite=repost&sc_iplace=hp&sc_icontent=QUcVuzZgC1R9yTlPNRM7dNMw&sc_ipos=4

AWS
answered a year ago
