IAM policy example with a "dual resource requirement". The `kms:CreateAlias` action creates an alias (untaggable) that references a key (taggable). Splitting the alias permission into two statements, `AllowAllOnTaggedKeys` and `AllowAllOnAliasResource`, restricts access to keys carrying the required tag, while the alias side cannot be tag-restricted (aliases are untaggable) and is instead limited by the ARN pattern `alias/austin/*`.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateKeyWithTagInRequest",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/owner": "austin"
        }
      }
    },
    {
      "Sid": "AllowAllOnTaggedKeys",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "arn:*:kms:*:*:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/owner": "austin"
        }
      }
    },
    {
      "Sid": "AllowAllOnAliasResource",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "arn:*:kms:*:*:alias/austin/*"
    },
    {
      "Sid": "DenySettingUnauthorizedTagValue",
      "Effect": "Deny",
      "Action": [
        "kms:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/owner": "austin"
        }
      }
    },
    {
      "Sid": "DenyRemovingTag",
      "Effect": "Deny",
      "Action": [
        "kms:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "owner"
        }
      }
    }
  ]
}
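As an added example (not part of the gist), a small Python simulation of why both Allow statements have to match for `kms:CreateAlias`: the call touches an alias ARN and a key ARN, and each resource must be allowed on its own. It models only the two relevant Allow statements, wildcard Action/Resource matching, and the `StringEquals` condition on `aws:ResourceTag/owner`; the ARNs and tags are constructed.

```python
"""Toy simulator of the dual-resource check for kms:CreateAlias.

Constructed example, not AWS's real evaluator: it models only Allow
statements, wildcard Action/Resource matching, and StringEquals on
aws:ResourceTag/<key>.  An action that touches several resources
(CreateAlias touches the alias and the key it points at) is permitted
only if every one of those resources is allowed by some statement.
"""
from fnmatch import fnmatchcase

# Constructed copy of the two Allow statements from the policy above that
# can match kms:CreateAlias; the Deny statements are out of scope here.
ALLOW_STATEMENTS = [
    {"Sid": "AllowAllOnTaggedKeys", "Action": "kms:*",
     "Resource": "arn:*:kms:*:*:key/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/owner": "austin"}}},
    {"Sid": "AllowAllOnAliasResource", "Action": "kms:*",
     "Resource": "arn:*:kms:*:*:alias/austin/*"},
]


def _condition_holds(cond, tags):
    """StringEquals on aws:ResourceTag/<key>; a missing tag never matches."""
    for key, want in cond.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False  # unsupported condition key in this toy model
        if tags.get(key[len("aws:ResourceTag/"):]) != want:
            return False
    return True


def resource_allowed(action, arn, tags):
    """Return the Sid of the first statement allowing action on arn, else None."""
    for st in ALLOW_STATEMENTS:
        if (fnmatchcase(action, st["Action"])
                and fnmatchcase(arn, st["Resource"])
                and _condition_holds(st.get("Condition", {}), tags)):
            return st["Sid"]
    return None


def create_alias_allowed(alias_arn, key_arn, key_tags):
    """kms:CreateAlias must be allowed on BOTH the alias ARN and the key ARN.

    Aliases carry no tags, so the alias is matched purely by ARN pattern,
    while the key is matched by ARN pattern plus its owner tag.
    """
    return all(resource_allowed("kms:CreateAlias", arn, tags) is not None
               for arn, tags in ((alias_arn, {}), (key_arn, key_tags)))
```

An untagged key or an alias outside `alias/austin/` fails the check even though the other resource is allowed, which is the behaviour the split statements are designed to produce.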