SCP for Tag Enforcement not working for some services

0

I'm implementing Tag Policy and enforcing it using SCP; however, I'm noticing that some resources aren't working, such as creating an R53 hosted zone, an S3 bucket, or a DynamoDB table. Is a list of services that do not support Tag Based Access Control available?

3 Answers
3
Accepted Answer

Hello,

Thank you for posting your question on AWS re:Post. My name is Rochak and it will be a pleasure assisting you with this today.

I understand you noticed that some resources in AWS do not support Tag Based Access Control. Please let me know if my understanding is incorrect.

Yes, not all AWS services support Tag Based Access Control. To find out whether an AWS service supports controlling access using tags, see the document “AWS services that work with IAM” and look for the services that have Yes in the Authorization based on tags column. Choose the name of the service to view the authorization and access control documentation for that service. [1]

I hope this helps. If you need further info, let me know in the comments; otherwise I'd appreciate it if you mark my answer as "ACCEPTED".

Kind regards,

Rochak from AWS

References:

[1] AWS services that work with IAM https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

AWS
answered 10 months ago
EXPERT
reviewed 8 months ago
  • Thanks, Rochak! I also created an SCP to deny tag deletion, but there are also some services like SQS and SNS where I can still delete the tags even when the SCP to deny tag deletion is applied. Do we have documentation that explains this?

3

Yes, please refer to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html. Tag-based conditions are not listed for CreateBucket. Likewise, you can check R53 and DynamoDB from the same document link, choosing the service from the left pane to see the list of all ABAC (attribute-based access control) condition keys.

Take a look and comment here if you find any difficulty finding the appropriate documentation around it.

If you really want to enforce tagging on services like S3, then use events: as a new bucket comes in, its tags would be checked, and if certain tags are not present, delete the bucket. Hope it helps.

AWS
EXPERT
answered 10 months ago
EXPERT
reviewed 8 months ago
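The event-driven check this answer suggests, as an added example (not the answerer's code): a Lambda-style handler that reads the CloudTrail CreateBucket event, compares the bucket's tags with a required set and hands the result to a pluggable remediation. The required tag keys, the sample event and the stub callables are constructed for the example; in a real deployment get_tags would wrap s3.get_bucket_tagging and remediate would alert, tag, or delete as the answer proposes.

```python
"""Detective tag check for new S3 buckets (added example, not the page's code).

Assumed wiring: an EventBridge rule forwards the CloudTrail CreateBucket event
to a Lambda running enforce(). AWS calls are injected as callables so the
decision logic runs offline; get_tags should return [] when the bucket has no
TagSet yet (boto3 raises a NoSuchTagSet ClientError in that case).
"""
from typing import Callable, Dict, Iterable, List, Set

# Constructed policy for the example; the thread names no specific tag keys.
REQUIRED_TAG_KEYS = {"Owner", "CostCenter"}
TagSet = List[Dict[str, str]]  # GetBucketTagging shape: [{"Key": ..., "Value": ...}]


def bucket_name_from_event(event: dict) -> str:
    """Pull the bucket name out of an EventBridge-wrapped CloudTrail event."""
    detail = event.get("detail", {})
    if (detail.get("eventSource"), detail.get("eventName")) != ("s3.amazonaws.com", "CreateBucket"):
        raise ValueError("not an s3 CreateBucket event")
    return detail["requestParameters"]["bucketName"]


def missing_tag_keys(tag_set: TagSet, required: Iterable[str] = REQUIRED_TAG_KEYS) -> Set[str]:
    """Required keys absent from the TagSet; a key with a blank value counts as missing."""
    present = {t["Key"] for t in tag_set if t.get("Value", "").strip()}
    return set(required) - present


def enforce(event: dict, get_tags: Callable[[str], TagSet],
            remediate: Callable[[str, Set[str]], None]) -> Set[str]:
    """Return the missing keys for the bucket in `event`; call remediate() only if any.

    Caveat: the thread notes CreateBucket has no tag condition keys, and bucket
    tags usually arrive via a later PutBucketTagging call, so run this after a
    grace period or from a scheduled re-check, not at the instant of creation.
    """
    bucket = bucket_name_from_event(event)
    missing = missing_tag_keys(get_tags(bucket))
    if missing:
        remediate(bucket, missing)
    return missing


if __name__ == "__main__":
    # Constructed sample event and tag lookup; nothing here touches AWS.
    sample_event = {"detail": {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
                               "requestParameters": {"bucketName": "example-untagged-bucket"}}}
    fake_tags = {"example-untagged-bucket": [{"Key": "Owner", "Value": "team-a"}]}
    print(enforce(sample_event, fake_tags.__getitem__, lambda b, m: print(f"{b}: missing {m}")))
```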
2

Hello,

Thank you for the response; it will be a pleasure assisting you with this today. You are correct. I went and double-checked and I can confirm that the services “SQS” and “SNS” do support ABAC. [1]

I see you have already posted this question and it has been answered in another post. [2] Hope that helped.

Thank you again for contacting us. You have a great rest of the week.

References:

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

[2] https://repost.aws/questions/QUcVuzZgC1R9yTlPNRM7dNMw/scp-to-deny-tag-deletion-not-working-for-sqs?sc_ichannel=ha&sc_ilang=en&sc_isite=repost&sc_iplace=hp&sc_icontent=QUcVuzZgC1R9yTlPNRM7dNMw&sc_ipos=4

AWS
answered 10 months ago
