- Overview of AWS Tags
- Types of Tags in AWS
- Common Tag Keys
- Detailed Explanations and Examples
-
[1. aws
](#1-awsrequesttagkey)
-
[2. aws
](#2-awsprincipaltagkey)
-
[3. aws
/](#3-awsresourcetagkey)
-
[4. s3
](#4-s3existingobjecttagkey)
-
[5. s3
](#5-s3requestobjecttagkey)
-
[6. ec2
/](#6-ec2resourcetagkey)
-
[7. ec2
](#7-ec2requesttagkey)
-
[8. rds
](#8-rdsresourcetagkey)
-
[9. rds
](#9-rdsrequesttagkey)
-
[10. kms
](#10-kmsrequesttagkey)
-
[11. kms
/](#11-kmsresourcetagkey)
-
- Practical Use Cases
Tags in AWS are key-value pairs that provide metadata for AWS resources, playing a crucial role in managing and controlling access to these resources. Tags are essential in Attribute-Based Access Control (ABAC) policies, allowing for granular control based on attributes rather than traditional identity-based permissions. Tags can be applied to requests, IAM principals (users or roles), and resources, enabling more flexible and scalable security practices.
- Request Tags: Tags applied at the time of resource creation or modification.
- Principal Tags: Tags associated with IAM principals (users or roles).
- Resource Tags: Tags applied to existing resources within AWS.
aws:RequestTag/<key>aws:PrincipalTag/<key>aws:ResourceTag/<key>s3:ExistingObjectTag/<key>s3:RequestObjectTag/<key>ec2:RequestTag/<key>ec2:ResourceTag/<key>rds:RequestTag/<key>rds:ResourceTag/<key>kms:RequestTag/<key>kms:ResourceTag/<key>
- Description: Tags specified at the request level, applied during the creation or modification of a resource. These tags are pivotal for controlling access based on conditions set in the request.
- Example: The tag
aws:RequestTag/Environmentcan be used to enforce that only resources tagged with a specific environment value can be created.
- Description: Tags associated with the IAM principal (user or role) making the request. These are particularly useful in ABAC (Attribute-Based Access Control) policies, enabling access based on the tags of the requesting principal.
- Example: The tag
aws:PrincipalTag/Departmentcan be used to grant access only to users with a specific department tag.
- Description: Tags associated with the resource being accessed or managed. These tags help enforce policies based on the resource’s attributes.
- Example: The tag
aws:ResourceTag/Projectcan be used to grant access to resources only if they have a specific project tag.
- Description: Used in Amazon S3 policies to refer to tags applied to existing objects within a bucket. This is crucial for policies that depend on object-specific tags.
- Example: The tag
s3:ExistingObjectTag/Environmentcan be used to allow access based on the tags of existing S3 objects.
- Description: Tags specified for new objects in an Amazon S3 bucket. These tags help enforce conditions during the creation of new objects.
- Example: The tag
s3:RequestObjectTag/Environmentcan be used to ensure that new objects must have specific tags.
- Description: Tags applied to EC2 resources (e.g., instances, volumes). These are critical for policies controlling access based on EC2 resource tags.
- Example: The tag
ec2:ResourceTag/Environmentcan be used to control access to EC2 instances based on their environment tag.
- Description: Tags applied to EC2 resources during their creation. These tags are essential for controlling resource creation based on tags specified in the request.
- Example: The tag
ec2:RequestTag/Projectcan be used to permit or deny the creation of EC2 instances based on the project tag.
- Description: Tags associated with RDS (Relational Database Service) resources. These tags help enforce policies that control access to RDS resources based on their tags.
- Example: The tag
rds:ResourceTag/Environmentcan be used to control access to RDS instances based on their environment tag.
- Description: Tags applied to RDS resources at the time of creation. These are essential for controlling the creation of RDS resources based on tags in the request.
- Example: The tag
rds:RequestTag/Projectcan be used to ensure that RDS instances are created only with specific project tags.
- Description: Tags specified during the creation or modification of AWS Key Management Service (KMS) keys. These tags are critical for controlling the creation of keys based on specified tags.
- Example: The tag
kms:RequestTag/Projectcan be used to enforce specific tags on KMS keys during their creation.
- Description: Tags associated with KMS keys. These are crucial for policies that control access based on the existing tags of KMS keys.
- Example: The tag
kms:ResourceTag/Environmentcan be used to allow or deny access to KMS keys based on their environment tag.
This policy allows users with the Development department tag to create EC2 instances with the Development environment tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Department": "Development",
"ec2:RequestTag/Environment": "Development"
}
}
}
]
}This policy allows users with the Production department tag to start, stop, and reboot EC2 instances that are tagged with the Production environment tag
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Department": "Production",
"ec2:ResourceTag/Environment": "Production"
}
}
}
]
}This policy allows users to get and put objects in an S3 bucket if they have the Development environment tag on the principal and the existing objects have the Production environment tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::s3bucketslearningproduction/*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Environment": "Development",
"s3:ExistingObjectTag/Environment": "Production"
}
}
}
]
}Tags are a powerful and flexible way to manage and control access to AWS resources. By leveraging tags in IAM policies, you can implement more granular and effective security controls that align with your organization’s operational and compliance needs.
This guide has provided an in-depth look at how to use tags effectively in AWS IAM policies, complete with practical examples. Whether you're just getting started or looking to refine your AWS security practices, understanding and using tags will enhance your ability to manage and secure your AWS environment.