Giving access to s3 having a specific "tag" using AWS IAM roles and policy

Question

I want to create an AWS IAM Policy, such that the attached role should have access to all S3 buckets having the Tag , "Team = devops". I tried the following JSON file, but it wont work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {"s3:ResourceTag/Team": "devops"}
            }
        }
    ]
}

Answer 1

This did not work. The only difference is the action was Deny in my case and I can confirm that did not apply!

        "Resource": "arn:aws:s3:::*/*",
        "Effect": "Deny",
        "Sid": "TestPreventS3ObjectDeletion",
        "Condition": {
            "StringEquals": {
                "s3:ResourceTag/Protection": "True"
            }
        }

Answer 2

As per Available Condition Keys, s3:ResourceTag is not available for S3 conditions.

The predefined keys available for specifying conditions in an Amazon S3 access policy can be classified as follows:

As in Object Tagging and Access Control Policies, access control per object is possible with s3:ExistingObjectTag condition key.

The following permissions policy grants a user permission to read objects, but the condition limits the read permission to only objects that have the following specific tag key and value.

security : public

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":     "Allow",
      "Action":     "s3:GetObject",
      "Resource":    "arn:aws:s3:::examplebucket/*",
      "Principal":   "*",
      "Condition": {  "StringEquals": {"s3:ExistingObjectTag/security": "public" } }
    }
  ]
}