- Newest
- Most votes
- Most comments
Hello.
As I answered in the following post, I think it can be controlled by using "Condition".
The "aws:PrincipalArn" can be controlled by setting it to the ARN of the IAM role used by Lambda.
https://repost.aws/questions/QUaLMr8nNLRIS4-gol-sknMQ/prevent-function-deletion#ANzwYUljYfSzqiBIyWqrkdyQ
Hello, Another thing to keep in mind is that each service has their own tagging action, so you need to make sure that each tagging action for each service is restricted in the SCP. You can view the list of services and their actions within this doc: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
Additionally, for the conditions on restricting it to specific roles are a lambda function, they may want to use conditions such as these: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn
Relevant content
- asked a year ago
- asked a year ago
- Accepted Answerasked 6 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago