Profile Applicability:
 • Level 2

Description:

Tag-based access control allows IAM policies to manage access to AWS resources based on resource tags. By using tag-based policies, you can enforce more granular access control to resources such as EC2 instances, S3 buckets, and RDS databases. This enables access to resources based on their assigned tags, ensuring that only authorized users can interact with tagged resources.

Rationale:

Tag-based access control simplifies resource management by allowing policies to be defined based on the metadata (tags) attached to AWS resources. By using tags, administrators can apply access control at a granular level, ensuring that users can only access resources that are appropriately tagged according to their roles or business needs. This aligns with the principle of least privilege.

Impact:

Pros:

  • Provides a flexible and dynamic method to control access based on resource tags

  • Enhances security by ensuring that users only access tagged resources relevant to their roles

  • Simplifies access management by using consistent resource tagging strategies across services

  • Reduces the risk of misconfigurations and human errors by automating access control through tags

Cons:

  • Tagging strategy must be consistent and well-maintained to be effective

  • May introduce complexity if tag management is not properly enforced or standardized

  • Increased administrative overhead in ensuring all resources are appropriately tagged

  • If tags are not correctly applied, users could be granted unintended access

Default Value:

By default, AWS does not automatically apply tag-based access controls. IAM policies must be explicitly created and associated with the tags on resources to enable this functionality.

Pre-requisites:

  • IAM permissions to create and manage tag-based policies (e.g., iam:CreatePolicy, iam:AttachUserPolicy)

  • Proper tagging strategies and consistent resource tagging in place across AWS resources

  • Familiarity with AWS resource tagging and IAM policy syntax

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Policies

  3. Review IAM policies to verify the use of tag-based conditions, such as aws:RequestTag and aws:ResourceTag

  4. Ensure that resources are correctly tagged according to the organizational access control strategy

  5. Check that tag-based policies are attached to the relevant users, groups, or roles to limit access to appropriately tagged resources

  6. Review the policies to ensure they are correctly restricting access based on tags

Using AWS CLI:

Look up the IAM policy to review by name (list-policies returns policy metadata only; the tag-based conditions are in the policy document retrieved below):

aws iam list-policies --query "Policies[?PolicyName=='<policy-name>']"

Describe a specific IAM policy:

aws iam get-policy --policy-arn arn:aws:iam::<account-id>:policy/<policy-name>

Review the policy document to confirm that it includes conditions based on resource tags:

aws iam get-policy-version --policy-arn arn:aws:iam::<account-id>:policy/<policy-name> --version-id <version-id>
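A small audit script for the CLI check above. It is an added example written for this page, not part of the benchmark and not an AWS tool. It takes the output of `aws iam get-policy-version` (or a bare policy document) from a file or standard input and reports, for each Allow statement, which tag condition keys it uses. It also flags aws:RequestTag applied to read-only actions: such requests carry no tags, so a StringEquals on that key can never be satisfied and the statement grants nothing. The sample policies embedded at the bottom are constructed for illustration, and the read-only verb list is a heuristic assumption of the script, not an IAM rule.

```python
"""Audit an IAM policy document for tag-based (ABAC) conditions.

Usage (added example, not an AWS tool):
  aws iam get-policy-version --policy-arn <arn> --version-id <id> > version.json
  python tag_policy_audit.py version.json      # or pipe the JSON on stdin
"""
import json
import sys
from urllib.parse import quote, unquote

# Global condition keys that implement tag-based access control (lower-cased:
# IAM matches condition key names case-insensitively).
TAG_KEY_PREFIXES = ("aws:resourcetag/", "aws:requesttag/", "aws:principaltag/")
TAG_KEYS_EXACT = ("aws:tagkeys",)

# Heuristic (an assumption of this script, not an IAM rule): actions whose verb
# starts like this are reads, and read requests never carry request tags.
READ_ONLY_VERBS = ("get", "list", "describe", "head")


def load_policy_document(text):
    """Parse policy JSON, or the URL-encoded JSON the raw GetPolicyVersion API
    returns (the CLI and boto3 decode it, a saved raw API response may not be)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        doc = json.loads(unquote(text))
    # Accept the whole `get-policy-version` output as well as a bare document.
    if isinstance(doc, dict) and "PolicyVersion" in doc:
        doc = doc["PolicyVersion"]["Document"]
    return doc


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_condition_keys(statement):
    """All condition keys used in one statement, regardless of operator."""
    keys = set()
    for _operator, clauses in statement.get("Condition", {}).items():
        keys.update(k.lower() for k in clauses)
    return keys


def _is_read_only(action):
    _service, _, verb = action.partition(":")   # "s3:GetObject" -> "GetObject"
    return verb.lower().startswith(READ_ONLY_VERBS)


def audit_policy(doc):
    """One finding per Allow statement: sid, actions, tag condition keys used,
    and a list of issues (an empty list means the statement looks fine)."""
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                        # this check reviews grants only
        actions = _as_list(stmt.get("Action"))
        tags = {k for k in statement_condition_keys(stmt)
                if k.startswith(TAG_KEY_PREFIXES) or k in TAG_KEYS_EXACT}
        issues = []
        if not tags:
            issues.append("no tag-based condition on an Allow statement")
        has_request = any(k.startswith("aws:requesttag/") for k in tags)
        has_resource = any(k.startswith("aws:resourcetag/") for k in tags)
        if has_request and not has_resource and actions \
                and all(_is_read_only(a) for a in actions):
            issues.append("aws:RequestTag on read-only actions: such requests "
                          "carry no tags, so the condition never matches; "
                          "use aws:ResourceTag")
        findings.append({"sid": stmt.get("Sid", f"statement[{index}]"),
                         "actions": actions, "tag_keys": sorted(tags),
                         "issues": issues})
    return findings


# Constructed sample documents (illustrative, not from any real account).
PAGE_STYLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production"}}}]})
CORRECTED_POLICY = PAGE_STYLE_POLICY.replace("aws:RequestTag", "aws:ResourceTag")
URL_ENCODED_POLICY = quote(CORRECTED_POLICY)      # as the raw API returns it
VERSION_OUTPUT = json.dumps({"PolicyVersion": {   # shape of get-policy-version
    "Document": json.loads(CORRECTED_POLICY), "VersionId": "v1",
    "IsDefaultVersion": True}})
MIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TagOnCreate", "Effect": "Allow", "Action": "ec2:CreateTags",
     "Resource": "*", "Condition": {
         "StringEquals": {"aws:RequestTag/Environment": "Production"},
         "ForAllValues:StringEquals": {"aws:TagKeys": ["Environment"]}}},
    {"Sid": "Untagged", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Sid": "DenyOther", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:ResourceTag/Environment": "Production"}}}]})


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for f in audit_policy(load_policy_document(raw)):
        print(f["sid"], f["actions"], f["tag_keys"], "; ".join(f["issues"]) or "ok")
```

Run it against every customer-managed policy in scope, not only the one named in the test plan; a statement reported with no tag keys is not necessarily wrong, but it is one the tag-based strategy does not govern and should be reviewed on its own merits.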

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Policies

  3. Click Create Policy

  4. In the JSON tab, define the policy using aws:ResourceTag and aws:RequestTag conditions. aws:ResourceTag/<key> is compared against the tag already attached to the resource being accessed; aws:RequestTag/<key> is compared against a tag supplied in the request itself, so it only applies to calls that create or tag resources and never matches a plain read. Confirm in the Service Authorization Reference that the action you are gating supports aws:ResourceTag. Example (allow object reads only when the resource carries Environment=Production):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}

  5. Name the policy (e.g., S3ReadAccessByTag) and attach it to the appropriate users, groups, or roles

  6. Tag the resources according to the defined access control strategy (e.g., tag S3 buckets with the Environment=Production tag)

  7. Review and apply the policy

Using AWS CLI:

Create a policy with a tag-based condition to allow access to a resource based on the tag Environment=Production:

aws iam create-policy --policy-name S3ReadAccessByTag --policy-document file://policy.json

Example policy document (policy.json). It uses aws:ResourceTag so the condition is evaluated against the tag on the resource; aws:RequestTag would only be present on requests that pass tags (create or tag calls) and would never match a read:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}

Attach the policy to a user or group:

aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/S3ReadAccessByTag

Ensure the resource (e.g., S3 bucket) is tagged with Environment=Production:

aws s3api put-bucket-tagging --bucket example-bucket --tagging "TagSet=[{Key=Environment,Value=Production}]"
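To see what the tag-based policy above actually grants before attaching it, here is a small model of how IAM evaluates tag conditions. It is an added example written for this page, not AWS code and not a replacement for `aws iam simulate-custom-policy`, which is the authoritative pre-deployment check. The model deliberately covers only identity-based policies, the String* condition operators, and the aws:ResourceTag and aws:RequestTag keys; anything else (NotAction, resource policies, other condition keys) is outside it, and any unmodelled key is treated as absent from the request. The policies, tags and ARNs in it are constructed for illustration.

```python
"""Simplified model of IAM condition evaluation for tag-based policies.

Added example: default deny, explicit Deny wins, Allow needs action, resource
and every condition clause to match. Only String* operators and the
aws:ResourceTag / aws:RequestTag keys are modelled (an assumption).
"""
from fnmatch import fnmatchcase


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _matches(pattern, value):
    # IAM Action/Resource strings and StringLike use * and ? wildcards.
    return fnmatchcase(value, pattern)


def _context_value(key, resource_tags, request_tags):
    """Resolve a condition key to its value in the request context, or None when
    the key is absent (aws:RequestTag is absent on any request that carries no
    tags, such as a read). Tag-key lookup is exact-case here, a simplification."""
    lk = key.lower()
    if lk.startswith("aws:resourcetag/"):
        return resource_tags.get(key.split("/", 1)[1])
    if lk.startswith("aws:requesttag/"):
        return request_tags.get(key.split("/", 1)[1])
    return None                      # unmodelled keys count as absent


def _condition_holds(operator, expected, actual):
    """One String* clause. An absent key fails every operator except the
    ...IfExists forms and the negated (StringNot*) forms, which then hold."""
    op = operator.split(":")[-1]     # drop a ForAnyValue:/ForAllValues: prefix
    if_exists = op.endswith("IfExists")
    if if_exists:
        op = op[:-len("IfExists")]
    negated = op.startswith("StringNot")
    expected = _as_list(expected)
    if actual is None:
        return if_exists or negated
    if op in ("StringEquals", "StringNotEquals"):
        hit = actual in expected
    elif op in ("StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase"):
        hit = actual.lower() in [e.lower() for e in expected]
    elif op in ("StringLike", "StringNotLike"):
        hit = any(_matches(e, actual) for e in expected)
    else:
        raise ValueError(f"operator not modelled: {operator}")
    return (not hit) if negated else hit


def is_allowed(policy, action, resource, resource_tags=None, request_tags=None):
    resource_tags, request_tags = resource_tags or {}, request_tags or {}
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
            continue
        if not all(_condition_holds(op, exp, _context_value(key, resource_tags, request_tags))
                   for op, clauses in stmt.get("Condition", {}).items()
                   for key, exp in clauses.items()):
            continue
        if stmt.get("Effect") == "Deny":
            return False             # an explicit Deny overrides any Allow
        allowed = True
    return allowed


# Constructed samples: the page's read policy in its aws:RequestTag and
# aws:ResourceTag forms, a guard-rail Deny, and a legitimate aws:RequestTag use.
OBJECT = "arn:aws:s3:::example-bucket/report.csv"
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE"  # placeholder
_read = {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
REQUEST_TAG_POLICY = {"Statement": [dict(_read, Condition={
    "StringEquals": {"aws:RequestTag/Environment": "Production"}})]}
RESOURCE_TAG_POLICY = {"Statement": [dict(_read, Condition={
    "StringEquals": {"aws:ResourceTag/Environment": "Production"}})]}
GUARDRAIL_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": {
        "StringNotEquals": {"aws:ResourceTag/Environment": "Production"}}}]}
TAGGING_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ec2:CreateTags",
    "Resource": "*", "Condition": {
        "StringEquals": {"aws:RequestTag/Environment": "Production"}}}]}


def demo():
    prod, staging = {"Environment": "Production"}, {"Environment": "Staging"}
    return {
        "request_tag_on_read": is_allowed(REQUEST_TAG_POLICY, "s3:GetObject", OBJECT, resource_tags=prod),
        "resource_tag_prod": is_allowed(RESOURCE_TAG_POLICY, "s3:GetObject", OBJECT, resource_tags=prod),
        "resource_tag_staging": is_allowed(RESOURCE_TAG_POLICY, "s3:GetObject", OBJECT, resource_tags=staging),
        "resource_tag_untagged": is_allowed(RESOURCE_TAG_POLICY, "s3:GetObject", OBJECT),
        "guardrail_untagged": is_allowed(GUARDRAIL_POLICY, "s3:GetObject", OBJECT),
        "guardrail_prod": is_allowed(GUARDRAIL_POLICY, "s3:GetObject", OBJECT, resource_tags=prod),
        "create_tags_prod": is_allowed(TAGGING_POLICY, "ec2:CreateTags", INSTANCE, request_tags=prod),
        "create_tags_staging": is_allowed(TAGGING_POLICY, "ec2:CreateTags", INSTANCE, request_tags=staging),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {'ALLOW' if decision else 'DENY'}")
```

Two results are worth dwelling on. The aws:RequestTag form denies the read even when the bucket is correctly tagged, because a GetObject request carries no tags, which is why the policy document above uses aws:ResourceTag. The guard-rail Deny also blocks untagged resources, since a negated operator holds when the key is absent; that is the failure mode the Cons list describes when tags are missing, and it argues for tagging resources before attaching the policy.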

Backout Plan:

Using AWS Console:

  1. Navigate to IAM > Policies

  2. Select the tag-based policy to delete or modify

  3. Click Delete Policy or edit the policy to remove the tag-based conditions

  4. Review any affected users, groups, or roles and update their policies accordingly

Using AWS CLI:

Detach the policy from the user, group, or role:

aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/S3ReadAccessByTag

Delete the policy (it must first be detached from every user, group, and role, and any non-default policy versions must be deleted):

aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/S3ReadAccessByTag

References: