Can we write an iam policy to restrict the creation of s3 bucket only when tags are present. I,e user should be able to create s3 bucket only of he has certain tags are present.
Iam policy for s3 buckets
132 views Asked by Kevin At
3
There are 3 answers
1
On
No, policies are not meant to be used this way, but you can solve the problem like this:
1- Remove public access to the S3 bucket
2- Create a web-application (maybe a simple html (hosted on s3) supported by a lambda function) to let the users to select their files to upload to S3 and provide some tags
3- After your custom validations passed, call the aws-sdk api to uplad the files to S3
0
On
There is no way to tag users using resource tags; they are not supported for users.
Instead you should consider using IAM groups, and deny the CreateBucket permission to a specific IAM group, then assign that user to that group. That way, users in that group would not have permission to create S3 buckets.
Note: I have not tested this but this is documented by AWS.
You may be able to do this using IAM User Paths. For example you could create an IAM User Path of "bucket_managers". Then in your policy you can use a resource statement like this:
IAM Identifiers