
I am trying to create an IAM policy that will allow the user/role to create any resource (EC2, Redshift, RDS, etc.) - only if they provide certain pre-defined tags while creating them.

Steps followed so far:

  1. Create an IAM Role: Let's call it role-XYZ
  2. Attach AWS-Managed 'ReadOnlyPolicy' to this role - this will make sure the role has read-only access to all services
  3. Create a new managed policy as follows. This will allow the rest of the actions (including creation) based on a condition.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VitalizeTagPermission",
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "rds:*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {
                    "ForAllValues:StringLike": {
                        "aws:TagKeys": "ProjectCode"
                    }
                }
            }
        ]
    }

This does not work. The user is able to create the resource even without the ProjectCode tag. Any leads will be appreciated.

Kamlesh Gallani
  • Unfortunately, tags are not universal. Each AWS service handles them in a different way and some API calls do not necessarily accept tags. – John Rotenstein Aug 18 '21 at 12:13
  • Related: https://stackoverflow.com/questions/48426761/aws-iam-policy-to-enforce-tagging – jarmod Aug 18 '21 at 13:29
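Added example (not part of the question or the comments): a small Python model of the two IAM condition operators involved, using the semantics in the IAM documentation, where `ForAllValues` evaluates to true when the request carries no values for the key. It evaluates the question's statement and a hardened variant (my assumption, using a `Null` check on `aws:RequestTag/ProjectCode` and scoped to the create actions) against constructed request contexts.

```python
import fnmatch

def _matches(value, patterns):
    """StringLike matching: IAM patterns use * and ? wildcards, case-sensitive."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def condition_holds(operator, key, policy_value, context):
    """Evaluate one condition entry against the request context (a dict of
    key -> string or list). Only the operators this page needs are modelled."""
    request_value = context.get(key)
    if operator == "ForAllValues:StringLike":
        # IAM docs: ForAllValues is true when every request value matches, AND
        # also when the key is absent (empty set). That is the trap here.
        return all(_matches(v, policy_value) for v in (request_value or []))
    if operator == "Null":
        # "true" means the key must be absent; "false" means it must be present.
        return (request_value is None) == (policy_value == "true")
    raise ValueError(f"operator not modelled: {operator}")

def statement_allows(statement, action, context):
    """True if the Allow statement matches the action and every condition holds."""
    if not _matches(action, statement["Action"]):
        return False
    return all(condition_holds(op, key, val, context)
               for op, block in statement.get("Condition", {}).items()
               for key, val in block.items())

# The statement from the question (Sid and Version omitted).
QUESTION_STATEMENT = {
    "Effect": "Allow", "Action": ["ec2:*", "rds:*"], "Resource": ["*"],
    "Condition": {"ForAllValues:StringLike": {"aws:TagKeys": "ProjectCode"}},
}
# Hardened variant (assumption, not from the page): scope the Allow to the
# create calls and require the tag to be present in the request itself.
HARDENED_STATEMENT = {
    "Effect": "Allow", "Action": ["ec2:RunInstances", "rds:CreateDBInstance"],
    "Resource": ["*"],
    "Condition": {"Null": {"aws:RequestTag/ProjectCode": "false"}},
}
# Constructed request contexts: no tags, the required tag, and a different tag.
UNTAGGED = {}
TAGGED = {"aws:TagKeys": ["ProjectCode"], "aws:RequestTag/ProjectCode": "PRJ-42"}
WRONG_TAG = {"aws:TagKeys": ["Owner"], "aws:RequestTag/Owner": "alice"}

if __name__ == "__main__":
    for name, ctx in [("untagged", UNTAGGED), ("tagged", TAGGED), ("wrong tag", WRONG_TAG)]:
        print(f"{name:10s} question policy: "
              f"{statement_allows(QUESTION_STATEMENT, 'ec2:RunInstances', ctx)}"
              f"  hardened: {statement_allows(HARDENED_STATEMENT, 'ec2:RunInstances', ctx)}")
```

As the comment above notes, not every API call accepts tags, so a `Null` check on `aws:RequestTag` belongs only on the create actions that do; the remaining actions stay on the read-only policy or a separate statement without that condition.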
