SCP for Tag Enforcement not working for some services

0

I'm implementing a Tag Policy and enforcing it using an SCP; however, I'm noticing that some resources aren't working, such as creating an R53 hosted zone, an S3 bucket, or a DynamoDB table. Is a list of services that do not support Tag-Based Access Control available?

Asked a year ago, 624 views
3 answers
3
Accepted answer

Hello,

Thank you for posting your question on AWS re:Post. My name is Rochak and it will be a pleasure assisting you with this today.

I understand you noticed that some resources in AWS do not support Tag-Based Access Control. Please let me know if my understanding is incorrect.

Yes, not all AWS services support Tag-Based Access Control. To find out whether an AWS service supports controlling access using tags, see the following document, "AWS services that work with IAM", and look for the services that have "Yes" in the "Authorization based on tags" column. Choose the name of the service to view the authorization and access control documentation for that service. [1]

I hope this helps. If you need further info, let me know in the comments; otherwise I'd appreciate it if you mark my answer as "ACCEPTED".

Kind regards,

Rochak from AWS

References:

[1] AWS services that work with IAM https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

AWS
Answered a year ago
Expert
Reviewed 9 months ago
  • Thanks, Rochak! I also created an SCP to deny tag deletion, but there are also some services, like SQS and SNS, where I can still delete the tags even when the SCP to deny tag deletion is applied. Do we have documentation that explains this?

3

Yes, please refer to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html. Tag-based conditions are not listed for CreateBucket. Likewise, you can check R53 and DynamoDB from the same document link, but choose the service from the left pane to see the list of all ABAC (attribute-based access control) condition keys.

Take a look and comment here if you find any difficulty finding the appropriate documentation around it.

If you really want to enforce tagging on services like S3, then use events: as a new bucket comes in, its tags would be checked, and if certain tags are not present, delete the bucket. Hope it helps.

AWS
Expert
Answered a year ago
Expert
Reviewed 9 months ago
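The event-driven fallback described in the answer above, as an added example that is not part of the original post or any AWS-provided code: the decision logic is separated from the AWS calls so it can be exercised offline, and the required tag keys, the sample CloudTrail event and the `lambda_handler` name are assumptions.

```python
"""Tag-compliance check for newly created S3 buckets (added example).

S3 CreateBucket exposes no aws:RequestTag condition key, so an SCP cannot
require tags at creation time. Instead, react to the CreateBucket event
delivered through EventBridge ("AWS API Call via CloudTrail"), read the
bucket's tags, and flag or delete buckets missing the required keys.
"""
from typing import Dict, List, Mapping, Sequence

# Constructed sample policy: every bucket must carry these tag keys.
REQUIRED_TAG_KEYS = ("Owner", "CostCenter")

# Constructed CloudTrail CreateBucket event as seen by an EventBridge target.
SAMPLE_EVENT: Dict = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "example-untagged-bucket"},
    },
}


def missing_required_tags(tag_set: Sequence[Mapping[str, str]],
                          required: Sequence[str] = REQUIRED_TAG_KEYS) -> List[str]:
    """Return the required keys absent (or empty) in an S3 TagSet."""
    present = {t["Key"] for t in tag_set if t.get("Value", "") != ""}
    return [k for k in required if k not in present]


def bucket_from_cloudtrail_event(event: Mapping) -> str:
    """Extract the bucket name from a CloudTrail CreateBucket event."""
    detail = event["detail"]
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "CreateBucket":
        raise ValueError("not an S3 CreateBucket event")
    return detail["requestParameters"]["bucketName"]


def decide(tag_set: Sequence[Mapping[str, str]]) -> str:
    """'keep' when all required tags are present, otherwise 'delete'."""
    return "keep" if not missing_required_tags(tag_set) else "delete"


def lambda_handler(event: Mapping, context=None) -> Dict:
    """Hypothetical Lambda entry point; not run by the offline checks."""
    import boto3  # assumed to be available in the Lambda runtime
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    bucket = bucket_from_cloudtrail_event(event)
    try:
        tags = s3.get_bucket_tagging(Bucket=bucket)["TagSet"]
    except ClientError:  # NoSuchTagSet: treat the bucket as untagged
        tags = []
    action = decide(tags)
    if action == "delete":
        s3.delete_bucket(Bucket=bucket)  # only succeeds while the bucket is still empty
    return {"bucket": bucket, "action": action, "missing": missing_required_tags(tags)}
```

Because DeleteBucket fails on a non-empty bucket, the deletion step is a safety net for the creation window only; a bucket that has already received objects is reported, not destroyed.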
2

Hello,

Thank you for the response; it will be a pleasure assisting you with this today. You are correct. I went and double-checked, and I can confirm that the services SQS and SNS do support ABAC. [1]

I see you have already posted this question and it has been answered in another post. [2] Hope that helped.

Thank you again for contacting us. You have a great rest of the week.

References:

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
[2] https://repost.aws/questions/QUcVuzZgC1R9yTlPNRM7dNMw/scp-to-deny-tag-deletion-not-working-for-sqs?sc_ichannel=ha&sc_ilang=en&sc_isite=repost&sc_iplace=hp&sc_icontent=QUcVuzZgC1R9yTlPNRM7dNMw&sc_ipos=4

AWS
Answered a year ago
