
IAM: Create new users only with specific tags


This example shows how you might create an identity-based policy that allows the creation of IAM users but only with one or both of the Department and JobFunction tag keys. The Department tag key must have either the Development or QualityAssurance tag value. The JobFunction tag key must have the Employee tag value. You can use this policy to require that new users have a specific job function and department. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the italicized placeholder text in the example policy with your own information. Then, follow the directions in create a policy or edit a policy.

The first condition in the statement uses the StringEqualsIfExists condition operator. If a tag with the Department or JobFunction key is present in the request, then the tag must have the specified value. If neither key is present, then this condition is evaluated as true. The only way that the condition evaluates as false is if one of the specified condition keys is present in the request, but has a different value than those allowed. For more information about using IfExists, see ...IfExists condition operators.

The second condition uses the ForAllValues:StringEquals condition operator. The condition returns true if every tag key specified in the request matches at least one value in the policy's aws:TagKeys list. This means that all of the tags in the request must be in this list. However, the request does not have to include every tag in the list; it can include only one of them. For example, you can create an IAM user with only the Department=QualityAssurance tag. However, you cannot create an IAM user with the JobFunction=employee tag and the Project=core tag, because Project is not in the list. For more information about using ForAllValues, see Multivalued context keys.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TagUsersWithOnlyTheseTags",
            "Effect": "Allow",
            "Action": [
                "iam:CreateUser",
                "iam:TagUser"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/Department": [
                        "Development",
                        "QualityAssurance"
                    ],
                    "aws:RequestTag/JobFunction": "Employee"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Department",
                        "JobFunction"
                    ]
                }
            }
        }
    ]
}
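To make the behavior of the two condition operators concrete, the following is an added Python model of how the policy's Condition block is applied to the tags in an iam:CreateUser request; it is not AWS code and not part of this page. It assumes StringEquals comparisons are case-sensitive and that ForAllValues evaluates true when the request carries no tag keys, as the text above describes.

```python
# Added example: a minimal model of how IAM evaluates the two condition
# operators in the policy above against the tags in a request.
# Assumption: StringEquals comparisons are case-sensitive, as in IAM.

POLICY_CONDITION = {
    "StringEqualsIfExists": {
        "aws:RequestTag/Department": ["Development", "QualityAssurance"],
        "aws:RequestTag/JobFunction": "Employee",
    },
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Department", "JobFunction"]},
}


def _as_list(value):
    """Policy values may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def string_equals_if_exists(block, request_tags):
    """True unless a listed tag key is present in the request with a value
    outside the allowed set. Keys absent from the request pass (IfExists)."""
    for context_key, allowed in block.items():
        tag_key = context_key.split("/", 1)[1]  # "aws:RequestTag/Department" -> "Department"
        if tag_key in request_tags and request_tags[tag_key] not in _as_list(allowed):
            return False
    return True


def for_all_values_string_equals(block, request_tags):
    """Every tag key in the request must appear in the policy's aws:TagKeys list.
    A request with no tag keys has nothing that can fail, so it evaluates true."""
    allowed_keys = set(_as_list(block["aws:TagKeys"]))
    return set(request_tags).issubset(allowed_keys)


def condition_allows(request_tags, condition=POLICY_CONDITION):
    """All condition operators in a statement must be true for the Allow to apply."""
    return (string_equals_if_exists(condition["StringEqualsIfExists"], request_tags)
            and for_all_values_string_equals(condition["ForAllValues:StringEquals"], request_tags))


if __name__ == "__main__":
    # Constructed sample requests mirroring the cases discussed in the text.
    samples = {
        "Department=QualityAssurance only": {"Department": "QualityAssurance"},
        "JobFunction=employee + Project=core": {"JobFunction": "employee", "Project": "core"},
        "Department=Marketing": {"Department": "Marketing"},
        "no tags at all": {},
    }
    for label, tags in samples.items():
        print(f"{label:38} -> {'allowed' if condition_allows(tags) else 'denied'}")
```

Note that a request with no tags at all is allowed by this policy; the statement restricts which tags may be used, it does not force a tag to be present.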
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.