Direct Connect identity-based policy examples using tag-based conditions - Amazon Direct Connect
Associating Direct Connect virtual interfaces based on tagsControlling access to requests based on tagsControlling tag keys
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Direct Connect identity-based policy examples using tag-based conditions

You can control access to resources and requests by using tag key conditions. You can also use a condition in your IAM policy to control whether specific tag keys can be used on a resource or in a request.

For information about how to use tags with IAM policies, see Controlling Access Using Tags in the IAM User Guide.

Associating Direct Connect virtual interfaces based on tags

The following example shows how you might create a policy that allows associating a virtual interface only if the tag contains the environment key and the preprod or production values. 

       {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "directconnect:AssociateVirtualInterface"
          ],
          "Resource": "arn:aws:directconnect:*:*:dxvif/*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/environment": [
                "preprod",
                "production"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "directconnect:DescribeVirtualInterfaces",
          "Resource": "*"
        }
      ]
    }

Controlling access to requests based on tags

You can use conditions in your IAM policies to control which tag key–value pairs can be passed in a request that tags an Amazon resource. The following example shows how you might create a policy that allows using the Amazon Direct Connect TagResource action to attach tags to a virtual interface only if the tag contains the environment key and the preprod or production values. As a best practice, use the ForAllValues modifier with the aws:TagKeys condition key to indicate that only the key environment is allowed in the request. 

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "directconnect:TagResource",
            "Resource": "arn:aws:directconnect:*:*:dxvif/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/environment": [
                        "preprod",
                        "production"
                    ]
                },
                "ForAllValues:StringEquals": {"aws:TagKeys": "environment"}
            }
        }
    }

Controlling tag keys

You can use a condition in your IAM policies to control whether specific tag keys can be used on a resource or in a request.

The following example shows how you might create a policy that allows you to tag resources, but only with the tag key environment

     {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "directconnect:TagResource",
        "Resource": "*",
        "Condition": {
          "ForAllValues:StringEquals": {
            "aws:TagKeys": [
              "environment"
            ]
          }
        }
      }
    }