Trying to restrict tags to only a given set of keys that can be attached to the objects. Using bucket level policies to define this condition. However, the logic is not working. Bucket policy (https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<Account-Id>:user/AdminUser"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::test-notifications-per-prefix/*",
"Condition": {
"ForAllValues:StringLike": {
"s3:RequestObjectTagKeys": "LIFE"
}
}
}
]
}
Boto3 code to upload the object
s3 = boto3.client('s3')
response = s3.put_object_tagging(
Bucket='test-notifications-per-prefix',
Key="file.txt",
Tagging = {
'TagSet': [
{
'Key': "TEST",
'Value': "SHORTTERM"
}
]
}
)
The object is still getting uploaded when i run the above code.
I am not able to figure out as why this is happening. Tried denying object tagging in the bucket policy (removed the condition from the policy and made the effect as Deny) then any object uploaded with a tag was throwing an access denied error. (so, the rules are being applied for sure)
Can you please let me know as what i am doing wrong here?
CodePudding user response:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:user/AdminUser"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::<bucket-name>/prefix1/*",
"Condition": {
"StringNotEquals": {
"s3:RequestObjectTag/LIFE": [
"2",
"15"
]
}
}
}
]
}
Able to restrict the key and value pairs in my S3 bucket using the following bucket policy. An explicit deny is denying all the requests coming from the principal that do not have the following tags.
However, this policy will not work for object that are uploaded without tags.
EDIT:
We can define the below policy defined for a role to enforce the tags that are uploaded with given key and value pairs
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<bucket-name>/prefix1/*",
"Condition": {
"ForAnyValue:StringEquals": {
"s3:RequestObjectTagKeys": "LIFE"
},
"ForAllValues:StringEquals": {
"s3:RequestObjectTag/LIFE": ["2", "15"]
}
}
}
]
}