Direct Connect identity-based policy examples using tag-based conditions
You can control access to resources and requests by using tag key conditions. You can also use a condition in your IAM policy to control whether specific tag keys can be used on a resource or in a request.
For information about how to use tags with IAM policies, see Controlling Access Using Tags in the IAM User Guide.
Associating Direct Connect virtual interfaces based on tags
The following example shows how you might create a policy that allows associating a virtual interface only if the tag contains the environment key and the preprod or production values.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "directconnect:AssociateVirtualInterface" ], "Resource": "arn:aws:directconnect:*:*:dxvif/*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": [ "preprod", "production" ] } } }, { "Effect": "Allow", "Action": "directconnect:DescribeVirtualInterfaces", "Resource": "*" } ] }
Controlling access to requests based on tags
You can use conditions in your IAM policies to control which tag key–value pairs can be
passed in a request that tags an Amazon resource. The following example shows how you might
create a policy that allows using the Amazon Direct Connect TagResource action to attach tags to a virtual
interface only if the tag contains the environment key and the preprod or production values.
As a best practice, use the ForAllValues
modifier with the
aws:TagKeys
condition key to indicate that only the key environment is allowed
in the request.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "directconnect:TagResource", "Resource": "arn:aws:directconnect:*:*:dxvif/*", "Condition": { "StringEquals": { "aws:RequestTag/environment": [ "preprod", "production" ] }, "ForAllValues:StringEquals": {"aws:TagKeys": "environment"} } } }
Controlling tag keys
You can use a condition in your IAM policies to control whether specific tag keys can be used on a resource or in a request.
The following example shows how you might create a policy that allows you to tag resources, but only with the tag key environment
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "directconnect:TagResource", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "environment" ] } } } }