0

I have this policy which should prevent users from removing tags from any resources in AWS, but tags are still being removed from resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Delete*",
                "s3:Delete*",
                "s3:ReplicateTags",
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:Create*",
                "s3:Describe*",
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Update*",
                "s3:Replicate*",
                "s3:RestoreObject",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:Create*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Modify*",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Tag*",
                "tag:TagResources",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}

As I'm new to AWS, I have no idea what's gone wrong. Other permissions work fine; just un-tagging isn't working. How do I deny un-tagging resources? Thanks in advance.

How do I make tag:UntagResources work?

markin jason
  • I don't have the time to write a complete answer, but the short answer is that tagging APIs are service-specific. So `iam:Untag*` would only apply to resources managed by IAM, such as users, and _not_ resources such as an EC2 instance. – kdgregory May 27 '21 at 13:53
  • So what do I need to do to make it happen? Thank you so much for your time and effort. @kdgregory – markin jason May 27 '21 at 14:48

1 Answer

0

One approach would be to use the IAM Create Policy visual editor. Type in a service you are interested in, like S3, and then in the actions search dialog, search for 'tag' to find all the relevant actions you want to deny. Use the 'switch to deny permissions' link to make it a deny statement. Then for Resources, choose All resources. Finally, toggle to the JSON tab, to see the resulting statement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObjectTagging",
                "s3:DeleteJobTagging",
                "s3:DeleteStorageLensConfigurationTagging",
                "s3:DeleteObjectVersionTagging"
            ],
            "Resource": "*"
        }
    ]
}

You could then repeat the process for each service you want to disable tagging on, to create multiple policy statements.

dmohr
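To make the point in kdgregory's comment (tagging actions are service-specific, so `iam:Untag*` never matches an EC2, Lambda or RDS tag-removal call) and the answer's fix (add a Deny statement listing each service's own tag-deletion actions) concrete, here is an added, self-contained evaluator that is not from the question, the answer or AWS. It reproduces IAM's action matching (case-insensitive, `*` and `?` wildcards) and the decision order explicit Deny > Allow > implicit deny, and it runs the questioner's Deny patterns against real action names. The policies are constructed for the demo: `QUESTION_POLICY` keeps only the tag-related statements from the question, `BROAD_ALLOW` stands in for a second policy attached to the same user (the usual reason a Deny is needed at all), and `PER_SERVICE_DENY` is the kind of statement the answer builds in the visual editor. It assumes `Resource: "*"` and no `Condition` blocks everywhere, so only Action and Effect decide.

```python
import re

# Constructed for this example: the questioner's tag-related statements only.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ec2:Delete*", "s3:Delete*", "s3:ReplicateTags",
                    "iam:Untag*", "tag:UntagResources"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:Tag*", "tag:TagResources", "tag:GetResources"]},
    ],
}

# Constructed stand-in for another policy attached to the same identity
# that grants broad rights; a Deny is only useful if it overrides something.
BROAD_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:*", "s3:*", "lambda:*", "rds:*"]}],
}

# A per-service Deny statement of the kind the answer builds in the visual editor
# (constructed here; the action names are real IAM actions).
PER_SERVICE_DENY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Resource": "*",
                   "Action": ["s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging",
                              "lambda:UntagResource", "rds:RemoveTagsFromResource"]}],
}


def action_matches(pattern, action):
    """IAM action matching: case-insensitive; '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    # "Action" may be a single string or a list in a policy document.
    return [value] if isinstance(value, str) else list(value)


def evaluate(policies, action):
    """Decision for one action across every policy attached to one identity.

    Assumption: all statements use Resource "*" and no Condition, so only
    Action/Effect decide. An explicit Deny anywhere wins; otherwise any Allow
    wins; otherwise the action is implicitly denied.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def deny_patterns_covering(policies, action):
    """Every Deny pattern that covers the action; an empty list means no explicit deny."""
    return [p for policy in policies for stmt in policy["Statement"]
            if stmt["Effect"] == "Deny"
            for p in _as_list(stmt["Action"]) if action_matches(p, action)]


if __name__ == "__main__":
    probes = ["iam:UntagUser", "ec2:DeleteTags", "s3:DeleteObjectTagging",
              "lambda:UntagResource", "rds:RemoveTagsFromResource"]
    attached = [QUESTION_POLICY, BROAD_ALLOW]
    print("With the question's policy plus a broad Allow policy:")
    for act in probes:
        print(f"  {act:28} {evaluate(attached, act):13} covered by {deny_patterns_covering(attached, act)}")
    attached.append(PER_SERVICE_DENY)
    print("After adding the per-service Deny statement:")
    for act in probes:
        print(f"  {act:28} {evaluate(attached, act):13} covered by {deny_patterns_covering(attached, act)}")
```

Running it shows that `iam:UntagUser`, `ec2:DeleteTags` and `s3:DeleteObjectTagging` are already denied by the question's policy (the latter two through `ec2:Delete*` and `s3:Delete*`, not through `iam:Untag*`), while `lambda:UntagResource` and `rds:RemoveTagsFromResource` stay allowed by the broad policy until a statement naming those service-specific actions is added. `deny_patterns_covering` is the audit helper: run it for each service's tag-removal action and any empty result is a gap in the policy.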