Policy for tagging of S3 bucket


Dear Team - I want to create an SCP that will prevent users from creating an S3 bucket without a mandatory tag, for example, application. I was checking https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html for supported resources for aws:RequestTag and I see the CreateBucket API does not have aws:RequestTag listed in the table. Does it mean that it is not possible to prevent users from creating a bucket without mandatory tags?

Q-2 - In general, if aws:RequestTag is not there for any of the services listed on the above link, we cannot enforce a tag policy? For now, I am only looking for S3, but in the future, if some other services need to be added, is this the correct understanding?

Thanks Team

2 Answers
Accepted Answer
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireOwnerForS3",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Owner": "true"
        }
      }
    }
  ]
}

For any other service an SCP like this should work; for example, it works for checking the owner name while using a similar action "ec2:CreateInstance" for resource "arn:aws:ec2:::*".

For EC2 it works:
🔹 Action: Denies ec2:CreateInstance (prevents users from creating an instance).
🔹 Condition (Null): Checks if the Owner tag is missing (true means the tag is missing).
🔹 Result: If a user tries to create an EC2 instance without specifying an Owner tag, the request is denied.

But for S3, CreateBucket doesn't have the aws:RequestTag/${TagKey} condition key, thus all the actions are denied.

To enforce this, something like Cloud Custodian can be used: https://cloudcustodian.io/ . But I haven't found any other way to enforce tag values in AWS.

answered 2 months ago
AWS EXPERT
reviewed a month ago
  • Thanks, this helps... might be diverting from the original question. For ec2:CreateInstance, I tried to use the resource as * but had some issues. And another one: can I add two tag names in one statement?
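The following is an added illustration, not code from the answer above or from AWS: a small model of how a Deny statement with a "Null" condition on aws:RequestTag keys is evaluated. It reproduces two documented rules that bear on the answer and on the follow-up comment: multiple keys under one condition operator are ANDed (so two tag keys in one Null block deny only when both tags are missing), and separate statements are evaluated independently (so one statement per required tag denies when any tag is missing). It also models why the S3 deny always fires: the CreateBucket request context never carries aws:RequestTag keys. The ec2:RunInstances action is assumed as the real action for launching instances; the page's "ec2:CreateInstance" is not used.

```python
from fnmatch import fnmatch

PREFIX = "aws:RequestTag/"

def null_block_matches(null_block, request_tags):
    # Every key under one operator must match (logical AND). "true" matches
    # when the tag is absent from the request context, "false" when present.
    for key, expected in null_block.items():
        tag_key = key[len(PREFIX):] if key.startswith(PREFIX) else key
        absent = tag_key not in request_tags
        if (expected == "true") != absent:
            return False
    return True

def is_denied(policy, action, request_tags=None):
    # request_tags=None models an API like s3:CreateBucket whose request
    # context never carries aws:RequestTag keys, so "Null" is always true.
    tags = request_tags or {}
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(fnmatch(action, a) for a in acts):
            continue
        if null_block_matches(stmt.get("Condition", {}).get("Null", {}), tags):
            return True  # an explicit Deny wins regardless of other statements
    return False

def deny_missing_tags(tag_keys):
    # One Deny statement per required tag (assumed action ec2:RunInstances):
    # statements are independent, so a request missing ANY tag is denied.
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"Require{k}", "Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "*", "Condition": {"Null": {PREFIX + k: "true"}}}
        for k in tag_keys]}

# Constructed variant with both keys under ONE Null operator: the keys are
# ANDed, so it denies only when BOTH tags are missing.
SINGLE_STATEMENT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RequireBoth", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "*", "Condition": {"Null": {PREFIX + "Owner": "true",
                                             PREFIX + "Application": "true"}}}]}

# The accepted answer's S3 policy, reproduced as data for the model.
S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RequireOwnerForS3", "Effect": "Deny", "Action": ["s3:CreateBucket"],
     "Resource": ["arn:aws:s3:::*"], "Condition": {"Null": {PREFIX + "Owner": "true"}}}]}

if __name__ == "__main__":
    per_tag = deny_missing_tags(["Owner", "Application"])
    print(is_denied(per_tag, "ec2:RunInstances", {"Owner": "alice"}))          # True
    print(is_denied(SINGLE_STATEMENT, "ec2:RunInstances", {"Owner": "alice"}))  # False
    print(is_denied(S3_POLICY, "s3:CreateBucket"))                              # True
```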


The CreateBucket API used to create a new S3 bucket doesn't support tagging it on creation: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html. The bucket-level tags must be added separately, after the bucket has been created, by calling the PutBucketTagging API: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketTagging.html.

This makes it conceptually impossible to require that a bucket could only be created if it's tagged in a specified way, so the requirement can't be enforced with an SCP alone.

The ways APIs and associated data models are structured vary by service, but S3 is certainly not the sole service that doesn't allow tagging a resource on creation.

EXPERT
answered 2 months ago
  • Thanks for confirming
