Tagging customer managed policies
You can use IAM tag key-value pairs to add custom attributes to your customer managed policies. For example, to tag a policy with department information, you can add the tag key Department and the tag value eng. Or, you might want to tag policies to indicate that they are for a specific environment, such as Environment = lab. You can use tags to control access to resources or to control what tags can be attached to a resource. To learn more about using tags to control access, see Controlling access to and for IAM users and roles using tags.
You can also use tags in Amazon STS to add custom attributes when you assume a role or federate a user. For more information, see Passing session tags in Amazon STS.
Permissions required for tagging customer managed policies
You must configure permissions to allow an IAM entity (user or role) to tag customer managed policies. You can specify one or all of the following IAM tag actions in an IAM policy:
- iam:ListPolicyTags
- iam:TagPolicy
- iam:UntagPolicy
To allow an IAM entity (user or role) to add, list, or remove a tag for a customer managed policy
Add the following statement to the permissions policy for the IAM entity that needs to manage tags. Replace <account-number> with your account number and <policyname> with the name of the policy whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies on the JSON tab.
    {
        "Effect": "Allow",
        "Action": [
            "iam:ListPolicyTags",
            "iam:TagPolicy",
            "iam:UntagPolicy"
        ],
        "Resource": "arn:aws:iam::<account-number>:policy/<policyname>"
    }
To allow an IAM entity (user or role) to add a tag to a specific customer managed policy
Add the following statement to the permissions policy for the IAM entity that needs to add, but not remove, tags for a specific policy. The iam:TagPolicy action requires that you also include the iam:ListPolicyTags action. To use this policy, replace <account-number> with your account number and <policyname> with the name of the policy whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies on the JSON tab.
    {
        "Effect": "Allow",
        "Action": [
            "iam:ListPolicyTags",
            "iam:TagPolicy"
        ],
        "Resource": "arn:aws:iam::<account-number>:policy/<policyname>"
    }
Alternatively, you can use an Amazon managed policy such as IAMFullAccess, which grants far broader IAM permissions than the statements above.
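To confirm that a permissions policy actually grants the tag actions described above, and to catch the common mistake of granting iam:TagPolicy without the iam:ListPolicyTags it requires, here is an added example that is not part of the IAM documentation. It uses a constructed account number and policy name, and its evaluator only considers Effect, Action and Resource (Condition elements, permissions boundaries and SCPs are ignored).

```python
import fnmatch

# Constructed sample values; substitute your own account number and policy name.
ACCOUNT_NUMBER = "123456789012"
POLICY_ARN = f"arn:aws:iam::{ACCOUNT_NUMBER}:policy/example-policy"

# The "add, but not remove, tags" statement from the page, as a Python dict.
ADD_ONLY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:ListPolicyTags", "iam:TagPolicy"],
    "Resource": POLICY_ARN,
}
# A common mistake: iam:TagPolicy without the iam:ListPolicyTags it requires.
INCOMPLETE_STATEMENT = {"Effect": "Allow", "Action": "iam:TagPolicy", "Resource": POLICY_ARN}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def is_allowed(policy_doc, action, resource_arn):
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow grants.
    Action matching is case-insensitive; both fields honour '*' and '?' wildcards.
    Condition blocks and other policy types (SCPs, boundaries) are not evaluated."""
    allowed = False
    for stmt in _as_list(policy_doc.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def missing_tag_permissions(policy_doc, resource_arn, remove_tags=False):
    """Return the tag actions the policy fails to grant on resource_arn.
    iam:TagPolicy only works together with iam:ListPolicyTags, so both are
    required; iam:UntagPolicy is added only when tag removal is wanted."""
    required = ["iam:ListPolicyTags", "iam:TagPolicy"]
    if remove_tags:
        required.append("iam:UntagPolicy")
    return [a for a in required if not is_allowed(policy_doc, a, resource_arn)]

if __name__ == "__main__":
    doc = {"Version": "2012-10-17", "Statement": [ADD_ONLY_STATEMENT]}
    print(missing_tag_permissions(doc, POLICY_ARN))  # []
    print(missing_tag_permissions({"Statement": [INCOMPLETE_STATEMENT]}, POLICY_ARN))  # ['iam:ListPolicyTags']
```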
Managing tags on IAM customer managed policies (console)
You can manage tags for IAM customer managed policies from the Amazon Web Services Management Console.
To manage tags on customer managed policies (console)
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane of the console, choose Policies and then choose the name of the customer managed policy that you want to edit.
- Choose the Tags tab and then complete one of the following actions:
  - Choose Add tags if the policy does not yet have tags.
  - Choose Edit tags to manage the existing set of tags.
- Add or remove tags to complete the set of tags. Then choose Save changes.
Managing tags on IAM customer managed policies (Amazon CLI or Amazon API)
You can list, attach, or remove tags for IAM customer managed policies. You can use the Amazon CLI or the Amazon API to manage tags for IAM customer managed policies.
To list the tags currently attached to an IAM customer managed policy (Amazon CLI or Amazon API)
- Amazon CLI: aws iam list-policy-tags
- Amazon API: ListPolicyTags
To attach tags to an IAM customer managed policy (Amazon CLI or Amazon API)
- Amazon CLI: aws iam tag-policy
- Amazon API: TagPolicy
To remove tags from an IAM customer managed policy (Amazon CLI or Amazon API)
- Amazon CLI: aws iam untag-policy
- Amazon API: UntagPolicy
For information about attaching tags to resources for other Amazon services, see the documentation for those services.
For information about using tags to set more granular permissions with IAM permissions policies, see IAM policy elements: Variables and tags.