I am trying to create a new AWS IAM policy for a basic role.
I want to deny the deletion of the resources if they are missing the tag ResourceDelete = True
What I have so far:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowList",
      "Effect": "Allow",
      "Action": [
        "acm:*",
        "autoscaling:*",
        "cloudtrail:*",
        "cloudwatch:*",
        "DMS:*",
        "ec2:*",
        "eks:*",
        "elasticache:*",
        "elasticloadbalancing:*",
        "IAM:*",
        "kms:*",
        "lambda:*",
        "rds:*",
        "redshift:*",
        "route53:*",
        "s3:*",
        "sns:*",
        "sqs:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDelete",
      "Effect": "Deny",
      "Action": [
        "acm:Delete*",
        "acm:Request*",
        "autoscaling:Delete*",
        "cloudtrail:Delete*",
        "cloudwatch:Delete*",
        "DMS:Delete*",
        "ec2:Delete*",
        "ec2:Terminate*",
        "eks:DeleteCluster",
        "elasticache:Delete*",
        "elasticloadbalancing:Delete*",
        "kms:Delete*",
        "lambda:Delete*",
        "rds:Delete*",
        "redshift:Delete*",
        "route53:Delete*",
        "s3:DeleteBucket*",
        "sns:Delete*",
        "sqs:Delete*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/ResourceDelete": "True" }
      }
    }
  ]
}
I think I got something wrong regarding the condition.
Right now, with the policy above, I am able to delete any resource whether it has the tag ResourceDelete = True or not.
2 Answers
Your current policy is saying: If ResourceDelete = true, then Deny the Delete. You probably want to use StringNotEquals to fix this.
However, I don't think it is possible to do what you are wanting.
If you look at the Actions and Conditions page for a particular service, you can see whether particular actions accept a tag.
For example, the AWS Lambda page Actions, resources, and condition keys for AWS Lambda – Service Authorization Reference says that the DeleteFunction action does not accept a Tag as a Condition. Similarly, for Route 53, Actions, resources, and condition keys for Amazon Route 53 – Service Authorization Reference does not show any condition tags for the Delete commands.
Therefore, it would seem that your idea of requiring a Tag before resources can be deleted will not actually work.
First, you said you want to deny the deletion if they are missing the tag ResourceDeletion = true, but you put Deny with a Condition of aws:ResourceTag/ResourceDelete = true. You should change it to Allow instead.
However, putting Allow will also not achieve your purpose. If you paste your policy in the IAM policy editor in the AWS console, you will probably see the message in the Suggestion tab at the bottom of the page. To understand more about this error, you can refer to the error explanation.
This is because aws:ResourceTag is currently not applicable to most of the resources/actions, although AWS said it's globally available. You can only use it for limited resources and/or actions; see the AWS documentation for more information about ABAC.
As an alternative, I reckon you can specify the AWS resources that are safe to delete instead of using a wildcard.
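The following is an added example written for this thread, not code from the original post and not AWS's policy engine. It is a simplified model of how IAM evaluates the three policies discussed here: the asker's DenyDelete with StringEquals, the first answer's fix with StringNotEquals, and the second answer's alternative of denying deletes everywhere except an explicit list of ARNs. It models only an explicit Deny beating any Allow, '*' wildcards in Action/Resource/NotResource, the StringEquals and StringNotEquals operators on aws:ResourceTag/<key>, and the documented rule that a negated operator matches when the key is absent from the request. It assumes the action being checked actually supports aws:ResourceTag; as the second answer says, many Delete actions do not, and this model cannot tell you that. The allow list is cut to two services for brevity, and the ARNs and tag values are constructed sample data.

```python
"""Simplified model of IAM evaluation for tag-gated delete policies (added example)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; '*' is the only wildcard used here.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context (tag keys only)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the resource lacks the tag
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False  # missing key: a positive operator never matches
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False  # missing key: a negated operator matches
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource_arn, tags):
    """Return 'Allow' or 'Deny' for one request using explicit-deny-wins logic."""
    context = {f"aws:ResourceTag/{k}": v for k, v in tags.items()}
    decision = "Deny"  # implicit deny until some Allow statement matches
    for stmt in policy["Statement"]:
        if not _action_matches(_as_list(stmt["Action"]), action):
            continue
        if "NotResource" in stmt:
            if any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["NotResource"])):
                continue
        elif not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


ALLOW_LIST = {"Sid": "AllowList", "Effect": "Allow",
              "Action": ["ec2:*", "lambda:*"], "Resource": "*"}


def deny_delete(operator):
    """The question's DenyDelete statement, parameterised on the condition operator."""
    return {
        "Sid": "DenyDelete", "Effect": "Deny",
        "Action": ["ec2:Delete*", "ec2:Terminate*", "lambda:Delete*"],
        "Resource": "*",
        "Condition": {operator: {"aws:ResourceTag/ResourceDelete": "True"}},
    }


ORIGINAL = {"Version": "2012-10-17", "Statement": [ALLOW_LIST, deny_delete("StringEquals")]}
CORRECTED = {"Version": "2012-10-17", "Statement": [ALLOW_LIST, deny_delete("StringNotEquals")]}

# Second answer's alternative: no tag condition at all; deny deletes on everything
# except an explicit list of ARNs known to be safe to delete. ARNs are constructed.
SAFE_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
OTHER_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"
SCOPED = {"Version": "2012-10-17", "Statement": [
    ALLOW_LIST,
    {"Sid": "DenyDeleteOutsideSafeList", "Effect": "Deny",
     "Action": ["ec2:Delete*", "ec2:Terminate*", "lambda:Delete*"],
     "NotResource": [SAFE_INSTANCE]},
]}

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for tags in ({}, {"ResourceDelete": "True"}, {"ResourceDelete": "true"}):
            print(name, tags, evaluate(policy, "ec2:TerminateInstances", OTHER_INSTANCE, tags))
    print("scoped, safe ARN:", evaluate(SCOPED, "ec2:TerminateInstances", SAFE_INSTANCE, {}))
    print("scoped, other ARN:", evaluate(SCOPED, "ec2:TerminateInstances", OTHER_INSTANCE, {}))
```

Running it shows the inversion the first answer describes: with StringEquals an untagged instance can be terminated and a ResourceDelete=True instance cannot, while StringNotEquals gives the intended behaviour. The third tag value, "true" in lower case, is denied under the corrected policy too, because StringEquals and StringNotEquals compare case-sensitively; use StringEqualsIgnoreCase / StringNotEqualsIgnoreCase if tag values are entered by hand. The SCOPED policy needs no tag support from the action at all, which is why it sidesteps the second answer's objection.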