12
votes

I'm trying to grant a group of users access to all s3-buckets with a certain tag, but no access to all others. The policy I've cobbled together looks like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListAll",
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets"
                ],
                "Resource": [
                    "arn:aws:s3:::*"
                ]
            },
            {
                "Sid": "AllowAllIfGroup",
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Condition": {
                    "StringEquals": {
                        "s3.ResourceTag/allow-group": "s3-access-group"
                    }
                },
                "Resource": [
                    "arn:aws:s3:::*",
                    "arn:aws:s3:::*/*"
                ]
            }
        ]
    }

and I can't get it to work. I have tried simulating the policy for ListBucket and ListAllMyBuckets against the ARN of a tagged bucket: ListAllMyBuckets works, ListBucket fails.

If I adapt this policy to ec2 (as in 'grant start/stop/terminate to instances if tag matches') it works like a charm.

Is this possible at all or does S3 not allow for matching buckets this way?

(further clarification: my bucket has the tags "allow-group" and "AllowGroup" set; I was not sure if the dash may be a problem)

3
Define "I can't get it to work". What is the issue? - kosa
It shouldn't work at all, you lack a colon here: "s3.ResourceTag/allow-group" "s3-access-group" - Adam Owczarczyk
I just checked, the missing colon is a c&p-error, the policy says "s3.ResourceTag/AllowGroup": "s3-access-group". - Hartwig Hauschild
As for the definition of "can't get it to work": I tried simulating the policy for ListBucket and ListAllMyBuckets against the ARN of the bucket, and ListBucket fails while ListAllMyBuckets works. I also tested with the user I generated the policy for, and that does not work either. - Hartwig Hauschild
Did you find a way to use ABAC on S3 so far? - Gadelkareem

3 Answers

12
votes

S3 does not support condition keys based on bucket tags (ResourceTag), but only on object tags.

See the full list of supported condition keys here (scroll down to "Condition Keys for Amazon S3"): https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-policy-keys

That's why it does not work.

5
votes

I did some experimentation and was also unable to obtain the result you seek.

Firstly, online references to the S3 ResourceTag are rare, but AWS re:Invent 2016: AWS S3 Deep-Dive Hands-On Workshop gives an example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
                "Condition": {
                    "StringEquals": {
                        "S3:ResourceTag/HIPAA": "True"
                    }
                }
            }
        ]
    }

Note that it uses S3:ResourceTag rather than S3.ResourceTag.

I tried using this logic against both a bucket tag and an object tag but was unsuccessful in getting it to work. I suspect that ResourceTag is meant to refer to an object-level tag rather than a bucket-level tag, but couldn't prove this since it failed to work in both situations.

I used a policy like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:ResourceTag/AllowGroup": "s3-access-group"
                    }
                }
            }
        ]
    }

However, it would not give me access to an object even when both the bucket and the object had the appropriate tag.

1
votes

The AWS docs have a reference for all services that support use with AWS IAM and resource tagging here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

At the moment, only object level tagging in S3 is supported:

¹ Amazon S3 supports tag-based authorization for only object resources.

² Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.

Digging into the docs more, it appears as though PUT and DELETE operations on objects are not supported at the time of writing: https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
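Added example (my own code, not from the question or any of the answers): a small Python linter that flags the pitfall these answers describe, an S3 statement whose Condition names a resource-tag key that S3 never places in the request context, and reports whether the statement then silently never matches or, for negated operators, matches everything. The policies embedded in it are constructed inputs; the first is the question's policy with its JSON repaired.

```python
import json
import re

# Tag keys S3 does evaluate, and only on object-level calls: s3:ExistingObjectTag/<key>
# on reads and s3:RequestObjectTag/<key> on PutObject.  Bucket-tag keys (s3:ResourceTag,
# aws:ResourceTag, or the question's "s3.ResourceTag") never enter an S3 request context.
UNSUPPORTED_TAG_KEY = re.compile(r"^(aws|s3)[:.]resourcetag/", re.IGNORECASE)

def _as_list(value):
    """Statement, Action and Resource may each be a string or a list."""
    return value if isinstance(value, list) else [value]

def lint_s3_tag_conditions(policy_json):
    """One finding per S3 statement whose Condition names a resource-tag key.
    json.loads also raises on malformed text such as the question's '"Condition: :'."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
        if not (any(a.lower().startswith("s3:") for a in actions)
                or any(r.startswith("arn:aws:s3:::") for r in resources)):
            continue
        for operator, pairs in stmt.get("Condition", {}).items():
            # A positive operator on an absent key is false (Allow grants nothing, Deny
            # blocks nothing).  Negated, ...IfExists and ForAllValues operators on an
            # absent key are true, so a Deny written that way hits every request.
            absent_key_matches = ("Not" in operator or operator.endswith("IfExists")
                                  or operator.startswith("ForAllValues"))
            for key in pairs:
                if UNSUPPORTED_TAG_KEY.match(key):
                    impact = f"{stmt['Effect']} " + ("matches every request" if absent_key_matches
                                                     else "never matches")
                    findings.append({"sid": stmt.get("Sid"), "operator": operator,
                                     "key": key, "impact": impact})
    return findings

# Constructed inputs: the question's policy with its JSON fixed, and a Deny variant
# that shows the opposite failure mode.
QUESTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListAll", "Effect": "Allow", "Action": "s3:ListAllMyBuckets",
     "Resource": "arn:aws:s3:::*"},
    {"Sid": "AllowAllIfGroup", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"],
     "Condition": {"StringEquals": {"s3.ResourceTag/allow-group": "s3-access-group"}}}]})
DENY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyUntagged", "Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::*/*",
     "Condition": {"StringNotEquals": {"aws:ResourceTag/allow-group": "s3-access-group"}}}]})
```

Running `lint_s3_tag_conditions(QUESTION_POLICY)` reports that `AllowAllIfGroup` never matches, which is exactly the "ListBucket fails" result seen in the simulator; the Deny variant reports the reverse, a statement that blocks every GetObject.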