2

When you create an AWS KMS key, you can provide tags for it. Creation alone needs the kms:CreateKey permission; to provide the tags during creation you need the kms:TagResource permission in addition. I want to write a policy which only allows the creation of a KMS key if a certain marker tag is set AND which does not allow the kms:TagResource permission to be used to add that marker tag to other existing keys. How can I do that? I would then be able to restrict the other KMS permissions of that policy to only keys having that tag, and a user of the policy would not be allowed to add that marker tag to other keys which they should not be allowed to operate on.

sleepomeno

0 Answers