IAM Access Control with Tags

Automatically tag AWS resources to enable fine-grained access control using tag-based IAM policies.

Overview

IAM policies can use resource tags to control access to AWS resources, allowing you to implement attribute-based access control (ABAC). TagOps can automatically apply the tags required for tag-based IAM policies, ensuring resources are consistently tagged for access control enforcement.

What TagOps Can Do

TagOps can automatically tag AWS resources with the tags required for tag-based IAM access control:

  • Automatic Tagging: TagOps rules automatically apply access control tags like Department, Owner, Team, VolumeUser, or Project to resources when they are created or discovered
  • Generate/Attach IAM Policies Based on Resource Tags: TagOps ensures resources are consistently tagged, enabling automated IAM policy generation and attachment based on tag values
  • Restrict Access by Team Tags: Tag resources with Team tags to enable team-based access control policies that restrict access to resources based on team membership
  • Auto-Revoke Access When Owner Changes: TagOps automatically updates Owner tags when resources are transferred or ownership changes, enabling IAM policies to automatically revoke access from previous owners
  • Allow/Deny Session Manager by Team Tag: Tag EC2 instances with Team tags to control AWS Systems Manager Session Manager access, allowing only team members to access instances tagged with their team
  • Conditional Tagging: Create rules to tag resources based on criteria (e.g., environment, department, owner, team, or resource characteristics)
  • Consistent Coverage: Ensure all resources have the required tags for IAM policy enforcement, preventing access control gaps
  • Environment-Based Tagging: Use different tag values for different environments to enable separate access policies (e.g., Department: Development, Department: Production)
  • Owner-Based Tagging: Tag resources with owner information to enable owner-based access control policies

Example Use Cases

EBS Volume Access Control

Tag EBS volumes and EC2 instances to control who can attach volumes to instances:

TagOps Rules:

  1. Tag EBS Volumes with Owner:

    • Condition: Resource type is ec2:volume
    • Action: Add tag VolumeUser: ${createdBy} (using dynamic tag)
  2. Tag EC2 Instances by Department:

    • Condition: Resource type is ec2:instance and tag Environment equals Development
    • Action: Add tag Department: Development
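The two rules above, expressed as a small rule engine. This is an added illustration, not TagOps' own code, and its rule format (a `match` on resource type and existing tags, an `add` of tag key and value, and the dynamic values `${createdBy}` and `${TagKey}`) is an assumption chosen to mirror the bullet lists on this page. It runs over a constructed inventory with placeholder account and resource ids, also includes the Team and Owner rules from the later use cases, and ends with a coverage check for the tags the IAM policies on this page depend on.

```python
import copy
import re

DYNAMIC_RE = re.compile(r"^\$\{(\w+)\}$")

# Constructed rules mirroring the bullet lists on this page (assumed format,
# not TagOps' real rule syntax).
RULES = [
    {"name": "Tag EBS volumes with owner",
     "match": {"type": "ec2:volume"},
     "add": {"VolumeUser": "${createdBy}"}},
    {"name": "Tag development instances by department",
     "match": {"type": "ec2:instance", "tags": {"Environment": "Development"}},
     "add": {"Department": "Development"}},
    {"name": "Tag engineering instances by team",
     "match": {"type": "ec2:instance", "tags": {"Department": "Engineering"}},
     "add": {"Team": "Engineering"}},
    {"name": "Tag instances with owner",
     "match": {"type": "ec2:instance"},
     "add": {"Owner": "${createdBy}"}},
]

# Access-control tags: rules may overwrite these so an ownership change is
# reflected (and the previous owner loses access). Other human-set keys are kept.
MANAGED_KEYS = {"Owner", "VolumeUser", "Team", "Department"}

# Tags the IAM policies on this page rely on, per resource type.
REQUIRED = {"ec2:instance": ["Owner", "Team"], "ec2:volume": ["VolumeUser"]}


def rule_matches(rule, resource):
    """Condition: resource type equals, and every listed tag has the given value."""
    cond = rule["match"]
    if resource["type"] != cond["type"]:
        return False
    return all(resource["tags"].get(k) == v for k, v in cond.get("tags", {}).items())


def render_value(template, resource):
    """${createdBy} -> creator from metadata, ${SomeKey} -> existing tag value,
    anything else is a literal. None when the value cannot be resolved."""
    m = DYNAMIC_RE.match(template)
    if not m:
        return template
    if m.group(1) == "createdBy":
        return resource.get("created_by")
    return resource["tags"].get(m.group(1))


def apply_rules(rules, resource):
    """Return a tagged copy of the resource. Rules run in order and see tags added
    by earlier rules, so a chained rule such as Team: ${Department} works."""
    out = copy.deepcopy(resource)
    for rule in rules:
        if not rule_matches(rule, out):
            continue
        for key, template in rule["add"].items():
            value = render_value(template, out)
            if value is None:
                continue  # unresolvable dynamic value: leave the tag unset
            if key in out["tags"] and key not in MANAGED_KEYS:
                continue  # never clobber a human-set, non-access-control tag
            out["tags"][key] = value
    return out


def coverage_gaps(resources, required=REQUIRED):
    """ARN -> required tag keys still missing; each such resource would be
    denied by the tag-conditioned IAM policies on this page."""
    gaps = {}
    for r in resources:
        missing = [k for k in required.get(r["type"], []) if k not in r["tags"]]
        if missing:
            gaps[r["arn"]] = missing
    return gaps


# Constructed inventory; account id and resource ids are placeholders.
ARN = "arn:aws:ec2:us-east-1:111122223333:"
INVENTORY = [
    {"arn": ARN + "volume/vol-0123", "type": "ec2:volume", "created_by": "alice", "tags": {}},
    {"arn": ARN + "instance/i-0aaa", "type": "ec2:instance", "created_by": "alice",
     "tags": {"Environment": "Development"}},
    {"arn": ARN + "instance/i-0bbb", "type": "ec2:instance", "created_by": "bob",
     "tags": {"Department": "Engineering"}},
    {"arn": ARN + "instance/i-0ccc", "type": "ec2:instance", "created_by": "carol",
     "tags": {"Environment": "Production", "Owner": "stale-owner"}},  # stale Owner is refreshed
]


def tag_inventory(inventory=INVENTORY, rules=RULES):
    return [apply_rules(rules, r) for r in inventory]


if __name__ == "__main__":
    tagged = tag_inventory()
    for r in tagged:
        print(r["arn"], r["tags"])
    print("coverage gaps:", coverage_gaps(tagged))
```

Running it tags the volume with VolumeUser, the development instance with Department and Owner, the engineering instance with Team and Owner, and replaces the stale Owner on the production instance; the coverage report then lists the two instances that still have no Team tag, which is exactly the kind of gap that makes a tag-conditioned policy deny access.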

IAM Policy Example:

This policy allows users to attach or detach EBS volumes they own (tagged with VolumeUser matching their IAM user name; the aws:username variable is only defined for IAM users, not for role sessions) to EC2 instances tagged as development instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/Department": "Development"}
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/VolumeUser": "${aws:username}"}
            }
        }
    ]
}

Team-Based Access Control

Tag resources with team information to restrict access by team:

TagOps Rules:

  1. Tag Resources by Team:

    • Condition: Resource type is ec2:instance and tag Department equals Engineering
    • Action: Add tag Team: Engineering
  2. Tag Resources with Owner:

    • Condition: Resource type is ec2:instance
    • Action: Add tag Owner: ${createdBy} (using dynamic tag)

IAM Policy Example - Restrict Access by Team:

This policy allows users to access EC2 instances only if their IAM principal tag Team matches the resource tag Team:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"
                }
            }
        }
    ]
}

Session Manager Access Control by Team

Tag EC2 instances with team tags to control Session Manager access:

TagOps Rules:

  1. Tag EC2 Instances by Team:

    • Condition: Resource type is ec2:instance
    • Action: Add tag Team: ${Department} (or based on other criteria)

IAM Policy Example - Allow/Deny Session Manager by Team:

This policy allows users to start Session Manager sessions only on EC2 instances tagged with their team. The tag condition is placed on the instance statement only: a StartSession request is also authorized against the session document, and the AWS-owned document carries no Team tag, so a condition applied to it would never match and every session would be denied. The document therefore gets its own statement without the condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}
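A simulation of the tag-condition checks that all three policies on this page rely on, added here as an illustration; it is not AWS or TagOps code. It models only the IAM subset these policies use (Allow statements, StringEquals on aws:ResourceTag keys, and the policy variables ${aws:username} and ${aws:PrincipalTag/Team}); explicit Deny, SCPs, permissions boundaries and resource policies are not modelled. The policy, principals and resources inside it are constructed with placeholder account and resource ids. It also evaluates a variant that attaches the Team condition to the session document as well, to show that a resource without the tag fails the condition and the whole request is denied.

```python
import fnmatch
import re

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def resolve_variables(template, principal):
    """Expand policy variables from the principal. Returns None if a referenced
    variable is absent, which IAM treats as a failed StringEquals."""
    missing = False

    def repl(match):
        nonlocal missing
        name = match.group(1)
        if name == "aws:username":
            value = principal.get("username")  # defined for IAM users only, not roles
        elif name.startswith("aws:PrincipalTag/"):
            value = principal.get("tags", {}).get(name.split("/", 1)[1])
        else:
            value = None
        if value is None:
            missing = True
            return ""
        return value

    expanded = VAR_RE.sub(repl, template)
    return None if missing else expanded


def condition_matches(condition, principal, resource):
    """StringEquals clauses on aws:ResourceTag/*; a resource lacking the tag never matches."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled: {operator}")
        for key, template in clauses.items():
            if not key.startswith("aws:ResourceTag/"):
                raise ValueError(f"condition key not modelled: {key}")
            actual = resource["tags"].get(key.split("/", 1)[1])
            wanted = resolve_variables(template, principal)
            if actual is None or wanted is None or actual != wanted:
                return False
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, principal, resource):
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource["arn"], r) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), principal, resource)


def is_allowed(policy, action, principal, resources):
    """Every resource a request touches must be allowed by some statement;
    ssm:StartSession touches both the instance and the session document."""
    return all(any(statement_allows(s, action, principal, r) for s in policy["Statement"])
               for r in resources)


TEAM_COND = {"StringEquals": {"aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"}}
INSTANCES = "arn:aws:ec2:*:*:instance/*"
SSH_DOC_ARN = "arn:aws:ssm:*:*:document/AWS-StartSSHSession"

# Constructed policy: tag condition on the instance, unconditioned statement for
# the AWS-owned document (which carries no Team tag).
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": INSTANCES, "Condition": TEAM_COND},
    {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": SSH_DOC_ARN},
]}
# Variant with the same condition applied to the document ARN too.
CONDITION_ON_DOCUMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": [INSTANCES, SSH_DOC_ARN], "Condition": TEAM_COND},
]}

# Constructed principals and resources (placeholder account and ids).
ALICE = {"username": "alice", "tags": {"Team": "Engineering"}}
BOB = {"username": "bob", "tags": {"Team": "Finance"}}
ENG_INSTANCE = {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa", "tags": {"Team": "Engineering"}}
UNTAGGED_INSTANCE = {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb", "tags": {}}
SSH_DOCUMENT = {"arn": "arn:aws:ssm:us-east-1::document/AWS-StartSSHSession", "tags": {}}


def session_decisions():
    act = "ssm:StartSession"
    return {
        "alice_on_eng_instance": is_allowed(SESSION_POLICY, act, ALICE, [ENG_INSTANCE, SSH_DOCUMENT]),
        "bob_on_eng_instance": is_allowed(SESSION_POLICY, act, BOB, [ENG_INSTANCE, SSH_DOCUMENT]),
        "alice_on_untagged_instance": is_allowed(SESSION_POLICY, act, ALICE, [UNTAGGED_INSTANCE, SSH_DOCUMENT]),
        "alice_condition_on_document": is_allowed(CONDITION_ON_DOCUMENT, act, ALICE, [ENG_INSTANCE, SSH_DOCUMENT]),
    }


if __name__ == "__main__":
    for name, decision in session_decisions().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

Only the first request is allowed: Bob's Team tag does not match, the untagged instance has no Team tag to compare (the coverage gap the tagging rules exist to close), and the variant with the condition on the document is denied even for Alice because the document has no tag. The same `is_allowed` handles the EBS policy's ${aws:username} variable, which resolves only when the principal is an IAM user with a username.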

TagOps automatically applies these tags, enabling IAM policies to enforce access control based on resource ownership, team membership, and department. When owner tags change, TagOps updates them automatically, allowing IAM policies to revoke access from previous owners.

Additional Resources