The following examples depict some use cases to implement attribute-based conditions using tags.
Topics
Example 1: Allow an action using aws:ResourceTag
Using the aws:ResourceTag/tag-key
condition key, you can compare the tag key-value pair that's specified in an IAM policy with the key-value pair that's attached in a DynamoDB table. For example, you can allow a specific action, such as PutItem, if the tag conditions match in an IAM policy and a table. To do this, perform the following steps:
-
Create a table. The following example uses the create-table AWS CLI command to create a table named
myMusicTable
.aws dynamodb create-table \ --table-name myMusicTable \ --attribute-definitions AttributeName=id,AttributeType=S \ --key-schema AttributeName=id,KeyType=HASH \ --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ --region
us-east-1
-
Add a tag to this table. The following tag-resource AWS CLI command example adds the tag key-value pair
Title: ProductManager
to themyMusicTable
.aws dynamodb tag-resource --region
us-east-1
--resource-arn arn:aws:dynamodb:us-east-1
:123456789012
:table/myMusicTable --tags Key=Title,Value=ProductManager -
Create an inline policy and add it to a role which has the AmazonDynamoDBReadOnlyAccess AWS managed policy attached to it, as shown in the following example.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:*:*:table/*", "Condition": { "StringEquals": { "aws:ResourceTag/Title": "ProductManager" } } } ] }
This policy allows the
PutItem
action on the table when the tag key and value attached to the table matches with the tags specified in the policy. -
Assume the role with the policies described in Step 3.
-
Use the put-item AWS CLI command to put an item to the
myMusicTable
.aws dynamodb put-item \ --table-name myMusicTable --region us-east-1 \ --item '{ "id": {"S": "2023"}, "title": {"S": "Happy Day"}, "info": {"M": { "rating": {"N": "9"}, "Artists": {"L": [{"S": "Acme Band"}, {"S": "No One You Know"}]}, "release_date": {"S": "2023-07-21"} }} }'
-
Scan the table to verify if the item was added to the table.
aws dynamodb scan --table-name myMusicTable --region
us-east-1
Without ABAC
If ABAC isn't enabled for your AWS account, the tag conditions in the IAM policy and the DynamoDB table aren’t matched. Consequently, the PutItem
action returns an AccessDeniedException
because of the effect of the AmazonDynamoDBReadOnlyAccess
policy.
An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::123456789012:assumed-role/DynamoDBReadOnlyAccess/Alice is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/myMusicTable because no identity-based policy allows the dynamodb:PutItem action.
With ABAC
If ABAC is enabled for your AWS account, the put-item
action completes successfully and adds a new item to your table. This is because the inline policy on the table allows the PutItem
action if the tag conditions in the IAM policy and the table match.
Example 2: Allow an action using aws:RequestTag
Using the aws:RequestTag/tag-key condition key, you can compare the tag key-value pair that's passed in your request with the tag pair that's specified in the IAM policy. For example, you can allow a specific action, such as CreateTable
, using the aws:RequestTag
if the tag conditions don't match. To do this, perform the following steps:
-
Create an inline policy and add it to a role which has the AmazonDynamoDBReadOnlyAccess AWS managed policy attached to it, as shown in the following example.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:CreateTable", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:*:*:table/*", "Condition": { "StringEquals": { "aws:RequestTag/Owner": "John" } } } ] }
-
Create a table that contains the tag key-value pair of
"Owner": "John"
.aws dynamodb create-table \ --attribute-definitions AttributeName=ID,AttributeType=S \ --key-schema AttributeName=ID,KeyType=HASH \ --provisioned-throughput ReadCapacityUnits=1000,WriteCapacityUnits=500 \ --region
us-east-1
\ --tags Key=Owner,Value=John \ --table-name myMusicTable
Without ABAC
If ABAC isn't enabled for your AWS account, the tag conditions in the inline policy and the DynamoDB table aren’t matched. Consequently, the CreateTable
request fails and your table isn’t created.
An error occurred (AccessDeniedException) when calling the CreateTable operation: User: arn:aws:sts::123456789012:assumed-role/Admin/John is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:123456789012:table/myMusicTable because no identity-based policy allows the dynamodb:CreateTable action.
With ABAC
If ABAC is enabled for your AWS account, your table creation request completes successfully. Because the tag key-value pair of "Owner": "John"
is present in the CreateTable
request, the inline policy allows the user John
to perform the CreateTable
action.
Example 3: Deny an action using aws:TagKeys
Using the aws:TagKeys condition key, you can compare the tag keys in a request with the keys that are specified in the IAM policy. For example, you can deny a specific action, such as CreateTable
, using aws:TagKeys
if a specific tag key is not present in the request. To do this, perform the following steps:
-
Add a customer managed policy to a role which has the AmazonDynamoDBFullAccess AWS managed policy attached to it, as shown in the following example.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "dynamodb:CreateTable", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:*:*:table/*", "Condition": { "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringNotEquals": { "aws:TagKeys": "CostCenter" } } } ] }
-
Assume the role to which the policy was attached, and create a table with the tag key
Title
.aws dynamodb create-table \ --attribute-definitions AttributeName=ID,AttributeType=S \ --key-schema AttributeName=ID,KeyType=HASH \ --provisioned-throughput ReadCapacityUnits=1000,WriteCapacityUnits=500 \ --region
us-east-1
\ --tags Key=Title,Value=ProductManager \ --table-name myMusicTable
Without ABAC
If ABAC isn't enabled for your AWS account, DynamoDB doesn’t send the tag keys in the create-table
command to IAM. The Null
condition ensures that the condition evaluates to false
if there are no tag keys in the request. Because the Deny
policy doesn't match, the create-table
command completes successfully.
With ABAC
If ABAC is enabled for your AWS account, the tag keys passed in the create-table
command are passed to IAM. The tag key Title
is evaluated against the condition-based tag key, CostCenter
, present in the Deny
policy. The tag key Title
doesn't match the tag key present in the Deny
policy because of the StringNotEquals
operator. Therefore, the CreateTable
action fails and your table isn’t created. Running the create-table
command returns an AccessDeniedException
.
An error occurred (AccessDeniedException) when calling the CreateTable operation: User: arn:aws:sts::123456789012:assumed-role/DynamoFullAccessRole/ProductManager is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:123456789012:table/myMusicTable with an explicit deny in an identity-based policy.