Menu
I'm trying to create a IAM group that can fully access all resources that have certain tags.
For example, if an S3 bucket and an EC2 instance are tagged env:qa, the group project-qa should have full access to them.
So far I've tried the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
Effect: "Allow",
Action: "*",
Resource: "*",
Condition: {
"StringEquals": {
"aws:ResourceTag/env": "qa"
}
}
}
]
}
I created an account to test this, but when browsing buckets I was immediately told that I lack permissions for the s3:ListAllMyBuckets action - which I assumed would be covered by Action: "*"
929
Yes, the ListAllMyBuckets action is covered by the * but its "resource" is not tagged because its resource is not actually a really existing resource and therefore you are not allowed to perform that operation. You either have ListAllMyBuckets for * or you don't, there is no way to restrict that based on the bucket, because you are not listing a bucket, you are listing all buckets and this "all buckets" does not have a tag, it does not really have anything, it does not really exist. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html: the Resource types for ListAllMyBuckets is empty, there is no actual resource to interact with.
Listing object in a bucket can work based on tags, but not listing all the buckets in the first place. Same thing will happen in a lot of places, listing does not respect the permission for the resources that are being listed. Look at it this way: you may not be allowed to do anything with the bucket, you cannot browse it, configure it but you are still allowed to see it in the list.
The only way around this is to add these special permission one by one as soon as you see that you are missing one.
Note that there are actual AWS resources that are not taggable and therefore you will not succeed with that strategy at all.
175
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
