Reputation: 111
I want to create an IAM policy to only allow the "Test" user to create an S3 bucket with "Name" and "Bucket" tags while creating it, but I am not able to do so.
I have tried this, but even with the specified condition, the user is not able to create a bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "s3:CreateBucket",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestTag/Name": "Bucket"
                }
            }
        }
    ]
}
Thanks in advance.
Upvotes: 3
Views: 2522
Reputation: 11
@pop I believe you can't do this using an IAM policy or an SCP, because by design the S3 create tag API is triggered as a subsequent call to the CreateBucket API. So your IAM policy would prevent creation of the S3 bucket itself even if you had added this tag. This is by design for the S3 service compared to other AWS services.
The only option, in my opinion, would be a post-deployment action, i.e. an event-driven model where you use S3 events to take actions (delete the bucket, add an access-block bucket policy, etc.) based on how a bucket got created.
Upvotes: 1
Reputation: 8097
As John Rotenstein pointed out, it is not possible (yet, at least) to explicitly deny this, but there are a few options people use for this, since this type of tagging policy is a common thing in many organizations.
You can use the AWS Config service to detect S3 bucket resources that are out-of-compliance. You can define your tagging policy for S3 Buckets with a Config rule.
This will not prevent users from creating buckets but it will provide a way to audit your accounts and also be proactively notified.
If you want a bucket to be auto-deleted or flagged, you can create a Lambda function that is triggered by the CloudTrail API event for when buckets are created.
The Lambda could be implemented to check the tags and, if the bucket is non-compliant, try to delete the bucket or mark it for deletion via some other process you define.
Upvotes: 0
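The Lambda-based check described in the answer above, written as an added example that is not code from the answerer or from AWS. It assumes an EventBridge rule forwarding CloudTrail CreateBucket records to the function, an assumed set of required tag keys (Name and Bucket), and a boto3 S3 client that may be swapped for a test double; it only reports non-compliant buckets rather than deleting them.

```python
"""Added example: Lambda-style check that flags S3 buckets created without required tags."""
from typing import Any, Dict, List, Optional

# Assumption: the organisation requires these tag keys on every bucket.
REQUIRED_TAG_KEYS = frozenset({"Name", "Bucket"})


def bucket_from_event(event: Dict[str, Any]) -> Optional[str]:
    """Bucket name from a CloudTrail CreateBucket record delivered through EventBridge, else None."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "CreateBucket":
        return None
    return detail.get("requestParameters", {}).get("bucketName")


def missing_tags(tag_set: List[Dict[str, str]]) -> List[str]:
    """Required keys absent from an S3 TagSet ([{"Key": ..., "Value": ...}]); empty values count as missing."""
    present = {t["Key"] for t in tag_set if t.get("Value", "") != ""}
    return sorted(REQUIRED_TAG_KEYS - present)


def evaluate_bucket(s3: Any, bucket: str) -> Dict[str, Any]:
    """Fetch the bucket's tags via an S3 client (boto3 or a test double) and evaluate them."""
    try:
        tag_set = s3.get_bucket_tagging(Bucket=bucket)["TagSet"]
    except Exception as exc:
        # boto3 raises ClientError with code NoSuchTagSet when the bucket has no tags at all.
        if getattr(exc, "response", {}).get("Error", {}).get("Code") != "NoSuchTagSet":
            raise
        tag_set = []
    missing = missing_tags(tag_set)
    return {"bucket": bucket, "compliant": not missing, "missing": missing}


def handler(event: Dict[str, Any], context: Any = None, s3: Any = None) -> Dict[str, Any]:
    """Lambda entry point: report non-compliant buckets; deleting them is left as a deliberate follow-up."""
    if s3 is None:
        import boto3  # imported lazily so the logic above runs in tests without AWS credentials
        s3 = boto3.client("s3")
    bucket = bucket_from_event(event)
    if bucket is None:
        return {"ignored": True}
    result = evaluate_bucket(s3, bucket)
    if not result["compliant"]:
        print(f"NON-COMPLIANT: bucket {bucket} is missing tags {result['missing']}")
    return result


# Constructed sample event (not from a real account) in the shape EventBridge delivers CloudTrail records.
SAMPLE_EVENT = {"detail": {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
                           "requestParameters": {"bucketName": "example-untagged-bucket"}}}
```

Because tags are applied by a separate call after CreateBucket (as the earlier answer notes), a check that runs immediately on the event can race with the tagging call; a delayed re-check or an AWS Config rule avoids that false positive.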
Reputation: 269500
The Actions, resources, and condition keys for Amazon S3 - Service Authorization Reference documentation page lists the conditions that can be applied to the CreateBucket command.
Tags are not included in this list. Therefore, it is not possible to restrict the CreateBucket command based on tags being specified with the command.
Upvotes: 3