Tag, You're It: 18 Different Tagging IAM Permissions for Amazon S3

We're taking a break from our ransomware and data perimeter work to do a tangentially related blog post. While doing research and building tools to help with ransomware prevention and data protection in AWS, we came across the following complexities and nuances about tagging:

IAM Actions and Permissions

• 7 different IAM actions to tag a resource in Amazon S3.
• 5 different IAM actions to remove a tag (6 if you count a previously mentioned action from tagging resources).
• 6 different IAM actions to view tags in Amazon S3.

CLI and API 

• These actions are split between s3control and s3api with:
  • 6 tagging API actions in S3 (s3api cli service).
  • 12 tagging API actions in s3 Control (s3control cli service).

We will cover more complexities, observations, and recommendations for tagging in S3 below. We see tagging as a good addition to enterprise cloud - bringing security, compliance, visibility and more.  We won't get into details on this post. For a quick introduction to tagging on AWS, see AWS's guidance on tagging here.

If you have questions or feedback, we can be reached at info@fogsecurity.io and promise a human (not AI) will read your email.

Tagging: The 18 IAM Permissions and Corresponding API Actions

Here's a breakdown by IAM actions grouped into adding tags, removing tags, and viewing tags.

To Add Tags to a Resource in S3

• s3:PutObjectTagging (S3 API)
• s3:ReplicateTags (No direct API call)
• s3:PutBucketTagging (S3 API)
• s3:PutObjectVersionTagging (No direct API call)
• s3:TagResource (S3 Control API)
• s3:PutJobTagging (S3 Control API)
• s3:PutStorageLensConfigurationTagging (S3 Control API)

To Remove Tags from a Resource in S3

• s3:DeleteJobTagging (S3 Control API)
• s3:DeleteStorageLensConfigurationTagging (S3 Control API)
• s3:DeleteObjectTagging (S3 API)
• s3:DeleteObjectVersionTagging (No direct API call)
• s3:UntagResource (S3 Control API)
• s3:PutBucketTagging (DeleteBucketTagging API) (S3 API)

To View Tags of Resources in S3

• s3:ListTagsForResource (S3 Control API)
• s3:GetBucketTagging (S3 API)
• s3:GetObjectVersionTagging (No direct API call)
• s3:GetJobTagging (S3 Control API)
• s3:GetObjectTagging (S3 API)
• s3:GetStorageLensConfigurationTagging (S3 Control API)

Observations

S3Control:PutBucketTagging is for S3 on Outposts and not for standard S3 buckets

S3 Control's Put Bucket Tagging and Get Bucket Tagging operations are for an Amazon S3 on Outposts on Bucket only (s3-outposts:GetBucketTagging and s3-outposts:PutBucketTagging) and not for a standard S3 bucket.

To tag a standard bucket via CLI, the following can be done:

 aws s3api put-bucket-tagging \
 --bucket <your_bucket_here> \
 --tagging 'TagSet=[{Key=<tag_key>,Value=<tag_value>}]' 

‍

Object Version Tagging and Object Tagging have different IAM Permissions but same API action

Object Version Tagging and Object Tagging actions use the same CLI and API actions, but require different IAM Permissions.

The following command tags an object and requires s3:PutObjectTagging:

aws s3api put-object-tagging \
--bucket <bucket_name> \
--key <object_key> \
--tagging 'TagSet=[{Key=<tag_key>,Value=<tag_value}]' 

‍

The following command tags an object version and requires s3:PutObjectVersionTagging:

aws s3api put-object-tagging \
--bucket <bucket_name> \
--key <object_key> \
--version-id <object_version> \
--tagging 'TagSet=[{Key=<tag_key>,Value=<tag_value}]' 

‍

IAM Permission Classifications

AWS classifies IAM actions into 5 different categories:

• List
• Read
• Write
• Permissions Management
• Tagging

This is meant to help understand the level of access that an action grants when used in an IAM policy. With all of our tagging permissions, they're spread out across multiple categories:

• List (1) 
  • s3:ListTagsforResource
• Read (5)
  • s3:GetJobTagging
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:GetStorageLensConfigurationTagging
  • s3:GetBucketTagging
• Tagging (12)
  • s3:DeleteJobTagging
  • s3:DeleteStorageLensConfigurationTagging
  • s3:PutObjectTagging
  • s3:ReplicateTags
  • s3:DeleteObjectTagging
  • s3:PutBucketTagging
  • s3:PutObjectVersionTagging
  • s3:TagResource
  • s3:DeleteObjectVersionTagging
  • s3:PutJobTagging
  • s3:PutStorageLensConfigurationTagging
  • s3:UntagResource

How to Grant Permissions to Tag Amazon S3 Resources

We could map tagging permissions by resource type in S3:

Use TagResource, UntagResource, and ListTagsForResource for these resources:

• Access Grant
• Access Grants Instance
• Access Grants Location
• Storage Lens Group

Use PutObjectTagging, DeleteObjectTagging, and GetObjectTagging for these resources:

• Object

Use PutObjectVersionTagging, DeleteObjectVersionTagging, and GetObjectVersionTagging for these resources:

• Object Version

Use PutBucketTagging, PutBucketTagging (DeleteBucketTagging), and GetBucketTagging for these resources:

• Bucket

Use PutJobTagging, DeleteJobTagging, and GetJobTagging for these resources:

• Job

Use PutStorageLensConfigurationTagging, DeleteStorageLensConfigurationTagging, and GetStorageLensConfigurationTagging for these resources:

• Storage Lens Configuration

‍

Other AWS Services

Other AWS Services typically have 3 permissions for tagging:

• Add Tags (ex. dynamodb:TagResource)
• Remove Resource (ex. dynamodb:UntagResource
• List Tags (ex. rds:ListTagsForResource)

For example, DynamoDB, where there's a singular TagResource and UntagResource as well as ListTagsOfResource. Another example is RDS, where we also have rds:ListTagsForResource. Or EC2 (which is an AWS service that covers both compute and networking) where ec2:CreateTags is used to tag EC2 resources.

Note: The preposition in the IAM action and actions differ for certain services. DynamoDB:ListTagsOfResource (of) vs s3:ListTagsForResource (for).

We have other ideas for tagging research, if you're interested - reach out to us at info@fogsecurity.io!

Reference S3 Tagging IAM Policy

The 2 below policies have also been added to our data perimeter GItHub repository that contains RCPs, SCPs, policies, and more references to help with data perimeters.

S3 Tagging View Only

GitHub Link to IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ViewTags",
            "Effect": "Allow",
            "Action": [
                "s3:GetJobTagging",
                "s3:GetBucketTagging",
                "s3:GetObjectTagging",
                "s3:GetObjectVersionTagging",
                "s3:GetStorageLensConfigurationTagging",
                "s3:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}

‍

S3 Tagging Full Access

GitHub Link to IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3FullTagging",
            "Effect": "Allow",
            "Action": [
                "s3:GetJobTagging",
                "s3:GetBucketTagging",
                "s3:GetObjectTagging",
                "s3:GetObjectVersionTagging",
                "s3:GetStorageLensConfigurationTagging",
                "s3:ListTagsForResource",
                "s3:PutBucketTagging",
                "s3:PutObjectTagging",
                "s3:PutStorageLensConfigurationTagging",
                "s3:PutObjectVersionTagging",
                "s3:PutJobTagging",
                "s3:TagResource",
                "s3:DeleteStorageLensConfigurationTagging",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersionTagging",
                "s3:UntagResource",
                "s3:ReplicateTags",
                "s3:DeleteJobTagging"
            ],
            "Resource": "*"
        }
    ]
}

‍

Conclusion

Tagging in S3 is complicated and the IAM configuration of S3 tagging is complex as well. The above research can help with better understanding how to manage tags and IAM permissions in S3. We have more work in the ransomware, cloud data perimeter, and tagging space planned.  If you're interested, reach out to us at info@fogsecurity.io.

References

Fog Security Github: Data Perimeter IAM

AWS: S3 Service Authorization Reference

AWS Permissions Cloud

AWS Whitepaper: Best Practices for Tagging AWS Resources