'How to restrict kms:TagResource in AWS policy only to creation of new key, preventing tagging of existing keys?

When you create a AWS KMS key you can provide tags for it. Creation alone needs kms:CreateKey permission, for providing the tags during the creation you need the kms:TagResource permission in addition. - I want to write a policy which only allows the creation of a KMS key if a certain marker tag is set AND it should not be allowed to use the kms:TagResource permission to add that marker tag to other existing keys. How to do that? Thus, I would then be able to restrict other KMS permissions of that policy to only keys having that tag after that and a policy's user would not be allowed to add that marker tag to other keys which they should not be allowed to operate on

amazon-kmsaws-policies


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function