Controlling access to and for IAM users and roles using tags - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Controlling access to and for IAM users and roles using tags

Use the information in the following section to control who can access your IAM users and roles and what resources your users and roles can access. For more general information and examples of controlling access to other Amazon resources, including other IAM resources, see Controlling access to Amazon resources using tags.

Tags can be attached to the IAM resource, passed in the request, or attached to the principal that is making the request. An IAM user or role can be both a resource and a principal. For example, you can write a policy that allows a user to list the groups that another user belongs to, but only if the user making the request (the principal) carries the same project=blue tag as the user being viewed (the resource). Under that policy, a user can view the group membership of any user, including themselves, as long as both are tagged with the same project.

To control access based on tags, you provide tag information in the condition element of a policy. When you create an IAM policy, you can use IAM tags and the associated tag condition key to control access to any of the following:

  • Resource – Control access to user or role resources based on their tags. To do this, use the aws:ResourceTag/key-name condition key to specify which tag key-value pair must be attached to the resource. For more information, see Controlling access to Amazon resources.

  • Request – Control what tags can be passed in an IAM request. To do this, use the aws:RequestTag/key-name condition key to specify what tags can be added, changed, or removed from an IAM user or role. This key is used the same way for IAM resources and other Amazon resources. For more information, see Controlling access during Amazon requests.

  • Principal – Control what the person making the request (the principal) is allowed to do based on the tags that are attached to that person's IAM user or role. To do this, use the aws:PrincipalTag/key-name condition key to specify what tags must be attached to the IAM user or role before the request is allowed.

  • Any part of the authorization process – Use the aws:TagKeys condition key to control whether specific tag keys can be used on a resource, in a request, or by a principal. In this case, the tag value does not matter, only the key. This key behaves similarly for IAM resources and other Amazon resources. However, tags attached to an IAM user or role are also that principal's tags for every request it makes, so a condition on the principal's tag keys can control whether the principal can make requests to any service, not just IAM. For more information, see Controlling access based on tag keys.

You can create an IAM policy using the visual editor, using JSON, or by importing an existing managed policy. For details, see Creating IAM policies.

Controlling access for IAM principals

You can control what a principal is allowed to do based on the tags attached to the principal's IAM user or role.

This example shows how you might create an IAM policy that allows any user in this account to view the group membership of any user, including themselves, as long as they are working on the same project. The condition compares the resource tag on the target user with the same tag on the principal, substituted through the ${aws:PrincipalTag/project} policy variable, and allows the request only when both have the same value for the tag key project. If either tag is missing, the comparison fails and the request is denied. To use this policy, replace the example account ID 111222333444 with your own account ID. Then, follow the directions in create a policy or edit a policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:ListGroupsForUser",
      "Resource": "arn:aws:iam::111222333444:user/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    }
  ]
}

Controlling access based on tag keys

You can use tags in your IAM policies to control whether specific tag keys can be used on a resource, in a request, or by a principal.

This example shows how you might create an IAM policy that allows a principal to remove tags from IAM users only when every tag key in the request is temporary. ForAllValues:StringEquals matches only if each key listed in aws:TagKeys for the request appears in the policy's list, so a request that names temporary together with any other key is denied. Note that a ForAllValues condition also evaluates to true when the request contains no values for the key, so use it with care in Allow statements for actions where the key can be absent. To use this policy, replace the tag key temporary with your own tag key if needed. Then, follow the directions in create a policy or edit a policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:UntagUser",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["temporary"]
        }
      }
    }
  ]
}
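To see how the two policies on this page behave before attaching them, the following script evaluates both of them offline against constructed request contexts. It is an added example, not AWS code or part of the IAM service: it implements only the subset of policy semantics these policies use (StringEquals with ${aws:PrincipalTag/...} substitution, ForAllValues:StringEquals over aws:TagKeys, and wildcard matching of Action and Resource), and it assumes a hypothetical account ID 111222333444 and a user named alice in place of the placeholders. It covers both the same-project example under "Controlling access for IAM principals" and the tag-key example above, including the case where the request carries no tag keys at all.

```python
"""Offline simulator for the two tag-based IAM policies on this page.

Added example, not AWS code. It implements only what those policies need
(StringEquals with ${...} substitution, ForAllValues:StringEquals on
aws:TagKeys, wildcard Action/Resource matching). Real IAM evaluation has
many more rules; use the IAM policy simulator for real policies.
"""
import fnmatch
import re

# Hypothetical account ID and user, standing in for the page's placeholders.
ACCOUNT = "111222333444"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"

PRINCIPAL_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "iam:ListGroupsForUser",
        "Resource": f"arn:aws:iam::{ACCOUNT}:user/*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/project": "${aws:PrincipalTag/project}"}},
    }],
}

TAG_KEYS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:UntagUser",
        "Resource": "*",
        "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["temporary"]}},
    }],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _values(v):
    """Most policy fields accept a scalar or a list; normalize to a list."""
    return v if isinstance(v, list) else [v]


def _substitute(value, ctx):
    """Expand a ${key} policy variable from the request context. A variable
    with no value in the context expands to None, so nothing can equal it."""
    m = _VAR.fullmatch(value)
    return ctx.get(m.group(1)) if m else value


def condition_matches(condition, ctx):
    """Evaluate a Condition block against a request context (condition key ->
    str or list of str). Only StringEquals and its set forms are supported."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise NotImplementedError(operator)
        for key, policy_values in pairs.items():
            allowed = [_substitute(v, ctx) for v in _values(policy_values)]
            actual = ctx.get(key)
            if set_op == "ForAllValues":
                # Every request value must be allowed. A missing or empty
                # request key satisfies ForAllValues (IAM documents this),
                # which is the caveat for using it alone in Allow statements.
                if not all(v in allowed for v in _values(actual or [])):
                    return False
            elif set_op == "ForAnyValue":
                if not any(v in allowed for v in _values(actual or [])):
                    return False
            elif actual is None or actual not in allowed:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Explicit Deny wins, then any matching Allow; otherwise implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _values(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _values(st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def same_project_allowed(principal_project, resource_project):
    """Can a principal tagged project=<principal_project> list groups for a
    user tagged project=<resource_project>? None means the tag is absent."""
    ctx = {}
    if principal_project is not None:
        ctx["aws:PrincipalTag/project"] = principal_project
    if resource_project is not None:
        ctx["aws:ResourceTag/project"] = resource_project
    return is_allowed(PRINCIPAL_TAG_POLICY, "iam:ListGroupsForUser", USER_ARN, ctx)


def untag_allowed(tag_keys):
    """Can a principal call iam:UntagUser naming these tag keys?"""
    return is_allowed(TAG_KEYS_POLICY, "iam:UntagUser", USER_ARN,
                      {"aws:TagKeys": list(tag_keys)})


if __name__ == "__main__":
    print("same project        ", same_project_allowed("blue", "blue"))
    print("different project   ", same_project_allowed("blue", "red"))
    print("principal untagged  ", same_project_allowed(None, "blue"))
    print("untag [temporary]   ", untag_allowed(["temporary"]))
    print("untag [temp, owner] ", untag_allowed(["temporary", "owner"]))
    print("untag []            ", untag_allowed([]))
```

The last line of the run is the one to watch: a request with an empty aws:TagKeys set passes the ForAllValues condition, which is harmless for iam:UntagUser (the API requires tag keys) but would be a hole for an action where the key can be absent. The same-project cases also show that an untagged principal or an untagged target user is denied, because the substituted variable has no value to compare against.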