Use tags to manage access to purchase orders - Amazon Billing

Use tags to manage access to purchase orders

You can use attribute-based access control (ABAC) to manage access to your purchase orders. When you create your purchase orders, you can add tags as key-value pairs. You can then create IAM policies that reference those tags. For example, if you add the project key and assign it a value of test, your IAM policies can explicitly allow or deny access to any purchase order that has this tag.

To add tags to new purchase orders or update existing ones, see Adding a purchase order and Editing your purchase orders.

Example: Use tags to allow access

The following policy allows the IAM entity to add, modify, or tag purchase orders that have the project key and a value of test.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "purchase-orders:AddPurchaseOrder",
            "purchase-orders:TagResource",
            "purchase-orders:ModifyPurchaseOrders"
        ],
        "Resource": "arn:aws:purchase-orders::*:purchase-order/*",
        "Condition": {
            "StringEquals": {
                "aws:RequestTag/project": "test"
            },
            "ForAllValues:StringEquals": {
                "aws:TagKeys": "project"
            }
        }
    }]
}

Example: Use tags to deny access

The following policy denies the IAM entity from completing any purchase order action on purchase orders that have the project key and a value of test.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "purchase-orders:*",
        "Resource": "arn:aws:purchase-orders::*:purchase-order/*",
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/Project": "test"
            }
        }
    }]
}
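
The sketch below is an added example, not part of the AWS documentation: a simplified Python model of the StringEquals and ForAllValues:StringEquals conditions in the two policies above, run over constructed tag sets to show which requests each statement matches. It assumes IAM's documented case handling (condition key names are case-insensitive, StringEquals values are case-sensitive) and ignores Action and Resource matching; the function names are hypothetical.

```python
# Simplified model of the Condition blocks in the two example policies.
# Not the IAM policy engine: Action/Resource matching is ignored, and tag
# keys that differ only by case are collapsed when building the context.

def string_equals(ctx, key, expected):
    """StringEquals: the key must be present and the value must match exactly."""
    actual = ctx.get(key.lower())  # condition key names are case-insensitive
    return actual is not None and actual == expected

def for_all_values_string_equals(ctx, key, allowed):
    """ForAllValues:StringEquals: every request value must be in `allowed`.
    Evaluates to True when the key is absent or has no values."""
    return all(value in allowed for value in ctx.get(key.lower(), []))

def allow_statement_matches(request_tags):
    """Condition of the Allow policy, evaluated on tags sent in the request."""
    ctx = {f"aws:requesttag/{k.lower()}": v for k, v in request_tags.items()}
    ctx["aws:tagkeys"] = list(request_tags)  # tag keys exactly as sent
    return (string_equals(ctx, "aws:RequestTag/project", "test")
            and for_all_values_string_equals(ctx, "aws:TagKeys", {"project"}))

def deny_statement_matches(resource_tags):
    """Condition of the Deny policy, evaluated on tags already on the resource."""
    ctx = {f"aws:resourcetag/{k.lower()}": v for k, v in resource_tags.items()}
    return string_equals(ctx, "aws:ResourceTag/Project", "test")

# Constructed sample inputs (not real purchase orders).
REQUESTS = [
    {"project": "test"},                    # exactly the expected tag
    {},                                     # no tags: aws:RequestTag/project absent
    {"project": "test", "owner": "alice"},  # extra key rejected by aws:TagKeys
    {"project": "Test"},                    # tag value is case-sensitive
    {"Project": "test"},                    # key case fails the aws:TagKeys check
]
RESOURCES = [{"project": "test"}, {"project": "prod"}, {}]

if __name__ == "__main__":
    for tags in REQUESTS:
        print("Allow statement matches" if allow_statement_matches(tags)
              else "Allow statement does not match", tags)
    for tags in RESOURCES:
        print("Deny statement matches" if deny_statement_matches(tags)
              else "Deny statement does not match", tags)
```

Only the first constructed request satisfies the Allow condition, because an untagged request fails the aws:RequestTag/project test even though ForAllValues evaluates to true on an empty key set.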

For more information, see the following topics in the IAM User Guide: