Tag-based authorization guidelines - Amazon WorkSpaces Core

Tag-based authorization guidelines

Tag-based authorization limits which customer resources you can modify. The strategy relies on IAM tag conditions: you assume a role in your customer’s account, and that role carries IAM policies whose permissions depend on tag conditions. When you create a resource in the customer’s account, the policy requires a specific tag to be added; when you modify a resource in the customer’s account, the policy allows the modification only on resources that carry the specified tags. You should not have permission to modify or delete tags on a resource. The customer can use the following examples to build a complete IAM policy for the assumed role.

Tag conditions

TagKeys condition

To ensure that only a specific tag key can be used in a request, use the aws:TagKeys condition key.

RequestTag condition

To ensure that a specific tag key and value are applied to the resource, use a combination of the aws:TagKeys and aws:RequestTag condition keys. This applies to resource creation API actions, such as CreateWorkspaces.

The following policy example allows CreateWorkspaces only when the request carries the tag key “PartnerManaged” (with the value “true”) and no other tag keys.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:CreateWorkspaces"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/PartnerManaged": "true"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "PartnerManaged"
        }
      }
    }
  ]
}

ResourceTag condition

To control access to a customer’s resources based on the tag key and value, use a combination of the aws:TagKeys and aws:ResourceTag condition keys. This applies to API actions that modify existing resources, such as ModifyWorkspaceProperties.

The following resource tag policy example ensures that modifications can happen only on resources that carry the tag “Key=PartnerManaged, Value=true”.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:ModifyWorkspaceProperties"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/PartnerManaged": "true"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "PartnerManaged"
        }
      }
    }
  ]
}
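As an added illustration (not code from this AWS page), the Python below evaluates the condition operators that the RequestTag and ResourceTag examples rely on against sample requests, and shows why aws:TagKeys on its own would still let an untagged creation through. The policy dictionaries are constructed to mirror the examples above; the evaluator itself is a simplified model, not the IAM engine.

```python
from typing import Dict, Optional

REQ = "aws:RequestTag/"
RES = "aws:ResourceTag/"


def allows(statement: dict, request_tags: Dict[str, str],
           resource_tags: Optional[Dict[str, str]] = None) -> bool:
    """True when every condition in one Allow statement matches the request."""
    resource_tags = resource_tags or {}
    cond = statement.get("Condition", {})
    # StringEquals: the context key must be present with exactly that value;
    # a tag missing from the request (or from the resource) is a mismatch.
    for ctx_key, want in cond.get("StringEquals", {}).items():
        if ctx_key.startswith(REQ) and request_tags.get(ctx_key[len(REQ):]) != want:
            return False
        if ctx_key.startswith(RES) and resource_tags.get(ctx_key[len(RES):]) != want:
            return False
    # ForAllValues:StringEquals on aws:TagKeys: every tag key in the request
    # must be in the allowed list. A request with no tags supplies an empty
    # set, which ForAllValues treats as a match; that is why the page pairs
    # it with an aws:RequestTag condition for creation.
    want = cond.get("ForAllValues:StringEquals", {}).get("aws:TagKeys")
    if want is not None:
        allowed = want if isinstance(want, list) else [want]
        if any(key not in allowed for key in request_tags):
            return False
    return True


# Constructed statements mirroring the page's examples (same conditions).
CREATE = {"Effect": "Allow", "Action": ["workspaces:CreateWorkspaces"],
          "Resource": "*",
          "Condition": {"StringEquals": {REQ + "PartnerManaged": "true"},
                        "ForAllValues:StringEquals": {"aws:TagKeys": "PartnerManaged"}}}
MODIFY = {"Effect": "Allow", "Action": ["workspaces:ModifyWorkspaceProperties"],
          "Resource": "*",
          "Condition": {"StringEquals": {RES + "PartnerManaged": "true"},
                        "ForAllValues:StringEquals": {"aws:TagKeys": "PartnerManaged"}}}
# Constructed weaker variant: aws:TagKeys alone, without aws:RequestTag.
KEYS_ONLY = {"Effect": "Allow", "Action": ["workspaces:CreateWorkspaces"],
             "Resource": "*",
             "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "PartnerManaged"}}}

if __name__ == "__main__":
    print(allows(CREATE, {"PartnerManaged": "true"}))                # True
    print(allows(CREATE, {"PartnerManaged": "true", "Owner": "x"}))  # False: extra key
    print(allows(CREATE, {}))                                        # False: tag missing
    print(allows(KEYS_ONLY, {}))                                     # True: untagged create passes
    print(allows(MODIFY, {}, {"PartnerManaged": "true"}))            # True
```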

Additional examples

API name: CreateWorkSpaces
Tag condition request: TagKeys + RequestTag
Assumed role policy for UserTag:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:CreateWorkspaces"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/PartnerManaged": "true"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "PartnerManaged"
        }
      }
    }
  ]
}

Note: With this policy, you can only create a workspace if you provide the tag key "PartnerManaged" with the value "true" in the request.

API name: TerminateWorkSpaces
Tag condition request: TagKeys + RequestTag
Assumed role policy for UserTag:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:TerminateWorkspaces"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/PartnerManaged": "true"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "PartnerManaged"
        }
      }
    }
  ]
}

Note: With this policy, you can only terminate a workspace if the workspace has the tag key "PartnerManaged" with the value "true".