IAM Policy Question using conditions


Hi Team

I need to write a policy for one of the services where I don't see condition support (https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html) for the actions CreateKeysAndCertificate and CreatePolicyVersion. (Dependent Actions/Conditions are not supported for these permissions.)

I am not sure how to write the condition. For now this is what I wrote.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IOTPermissions",
            "Effect": "Allow",
            "Action": [
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicyVersion"
            ],
            "Resource": "arn:${Partition}:iot:${Region}:${Account}:/"
        }
    ]
}

I know how to write or use the condition if the action supports it, based on the documentation.

I want to use either aws:ResourceTag/aws:RequestTag/aws:TagKeys with some KeyValue (ex. Department is the Key and Value will be FinanceTeam)

asked 9 months ago, 276 views
1 Answer

Hello.

I think the policy would probably be something like this:
When you look at the document table for "iot:CreateKeysAndCertificate", the resource is blank, so you cannot set anything other than "*".
"iot:CreatePolicyVersion" allows you to specify "aws:ResourceTag" when the resource is "policy*", so I thought it would be as follows.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html

{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IOTPermissions", 
            "Effect": "Allow",
            "Action": [
                "iot:CreateKeysAndCertificate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": [
                "iot:CreatePolicyVersion"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Department": "FinanceTeam"
                }
            }
        }
    ]
}
EXPERT
answered 9 months ago
AWS EXPERT
reviewed 9 months ago
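As an added example (not code from the question or the answer), the following Python lint checks a policy against the two facts the answer relies on: an action with no resource type only accepts "Resource": "*", and a condition key only helps on an action that lists it. The table excerpt, the sample policies, the account ID and the Region are constructed for illustration, and condition keys available to every action are not modelled.

```python
# Constructed excerpt of the AWS IoT actions table: only what the answer above states.
ACTION_TABLE = {
    "iot:CreateKeysAndCertificate": {"resource_types": [], "condition_keys": []},
    "iot:CreatePolicyVersion": {"resource_types": ["policy"],
                                "condition_keys": ["aws:resourcetag/"]},
}
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}
def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings (strings) for an identity policy given as a dict."""
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append(f"invalid Version {policy.get('Version')!r}")
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        resources = as_list(stmt.get("Resource", []))
        # Condition is {operator: {key: value}}; key names are case-insensitive.
        keys = [k for op in stmt.get("Condition", {}).values() for k in op]
        for action in as_list(stmt.get("Action", [])):
            entry = ACTION_TABLE.get(action)
            if entry is None:
                findings.append(f"{sid}: {action} is not in the table excerpt")
                continue
            if not entry["resource_types"] and resources != ["*"]:
                findings.append(f"{sid}: {action} has no resource type, use Resource \"*\"")
            for key in keys:
                # Keys available to every action (global keys) are not modelled.
                if not any(key.lower().startswith(p) for p in entry["condition_keys"]):
                    findings.append(f"{sid}: {key} is not listed for {action}")
    return findings

# Constructed input: both actions in one statement, tag condition on both.
COMBINED = {"Version": "20212-10-17", "Statement": [{
    "Sid": "IOTPermissions", "Effect": "Allow",
    "Action": ["iot:CreateKeysAndCertificate", "iot:CreatePolicyVersion"],
    "Resource": "arn:aws:iot:us-east-1:111122223333:policy/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Department": "FinanceTeam"}}}]}
# Constructed input: the split the answer proposes, with a valid Version.
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IOTPermissions", "Effect": "Allow",
     "Action": ["iot:CreateKeysAndCertificate"], "Resource": "*"},
    {"Sid": "test", "Effect": "Allow", "Action": ["iot:CreatePolicyVersion"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Department": "FinanceTeam"}}}]}

if __name__ == "__main__":
    for name, doc in (("combined", COMBINED), ("split", SPLIT)):
        print(name, lint_policy(doc))
```

The combined statement produces three findings (the Version string, the resource ARN on CreateKeysAndCertificate, and the tag key on the same action), while the split form produces none.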
