ConsoleMe
Role Tagging Service Control Policy (Recommended)

We highly recommend preventing unauthorized principals from adding, changing or removing the tags ConsoleMe uses to authorize role access. The most reliable way to do this is an organization-wide Service Control Policy (SCP): it applies in every member account, including to that account's root user, regardless of what the IAM policies inside the account allow.

  1. Log in to your AWS Organizations management account (formerly called the master account) and create an SCP.

  2. Configure it with a policy similar to the one below. Replace sensitivetagprefix- with the tag prefix you have chosen, and make sure the aws:PrincipalArn patterns match the names of your ConsoleMe spoke-account roles. Add any administrative or break-glass principals that also need to set these tags; every principal that does not match one of the patterns is denied.

  3. Attach the policy to all of your accounts (directly, or to the organization root or the relevant OUs). Use discretion and roll it out slowly if you're concerned about breakage.

Two caveats: an SCP only restricts, it never grants, so the ConsoleMe role still needs iam:TagRole and the other listed actions in its own IAM policy; and SCPs do not apply to principals in the management account itself, so keep tagging activity there to a minimum and audit it separately. The statement covers the tag-related IAM actions only, so a principal with iam:DeleteRole can still delete a tagged role, but cannot recreate it with the protected tags.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "protectmytags",
            "Effect": "Deny",
            "Action": [
                "iam:CreateRole",
                "iam:TagRole",
                "iam:UntagRole",
                "iam:CreateUser",
                "iam:TagUser",
                "iam:UntagUser"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:TagKeys": [
                        "sensitivetagprefix-*"
                    ]
                },
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/ConsoleMe"
                    ]
                }
            }
        }
    ]
}
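To see exactly which requests the statement above blocks before attaching it to production accounts, the following added example (not part of ConsoleMe and not an AWS call) implements just enough of the IAM evaluation rules the SCP relies on: a Deny statement matches when the action and resource match and every condition block is true; ForAnyValue:StringLike on the multi-valued aws:TagKeys key is true if any tag key in the request matches the prefix and false when the request carries no tags; StringNotLike on aws:PrincipalArn is true for any caller that matches none of the listed patterns. The tag prefix, the BreakGlassAdmin fallback role and the account id 111122223333 are assumed values.

```python
"""Offline evaluator for the tag-protection SCP shown above.

Added example; it is not ConsoleMe code and does not call AWS. It models the
subset of IAM policy evaluation used by the SCP: Deny statements, the
ForAnyValue:StringLike set operator on aws:TagKeys, and StringNotLike on
aws:PrincipalArn. TAG_PREFIX, the BreakGlassAdmin role and the account id
are assumed values; the requests below are constructed.
"""
import re

TAG_PREFIX = "sensitivetagprefix-"            # assumed; rename to your prefix
ALLOWED_PRINCIPALS = [                        # ConsoleMe spoke role plus an assumed fallback admin
    "arn:aws:iam::*:role/ConsoleMe",
    "arn:aws:iam::*:role/BreakGlassAdmin",
]

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "protectmytags",
        "Effect": "Deny",
        "Action": ["iam:CreateRole", "iam:TagRole", "iam:UntagRole",
                   "iam:CreateUser", "iam:TagUser", "iam:UntagUser"],
        "Resource": ["*"],
        "Condition": {
            "ForAnyValue:StringLike": {"aws:TagKeys": [TAG_PREFIX + "*"]},
            "StringNotLike": {"aws:PrincipalArn": ALLOWED_PRINCIPALS},
        },
    }],
}


def iam_match(pattern, value):
    """IAM string matching: '*' matches any run, '?' one character, else exact (case-sensitive)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_true(condition, request):
    """Every operator block must hold, and within a block every key must hold."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")   # set_op is "" for single-valued keys
        for key, patterns in pairs.items():
            values = request.get(key, [])
            if isinstance(values, str):
                values = [values]
            if operator == "ForAnyValue:StringLike":
                # true if any request value matches any pattern; an absent or
                # empty aws:TagKeys (e.g. CreateRole without tags) is therefore false
                ok = any(iam_match(p, v) for v in values for p in patterns)
            elif set_op == "" and base in ("StringLike", "StringNotLike"):
                negate = base == "StringNotLike"
                if not values:
                    ok = negate            # a missing key satisfies negated operators only
                else:
                    hit = any(iam_match(p, values[0]) for p in patterns)
                    ok = not hit if negate else hit
            else:
                raise ValueError("operator not modelled here: " + operator)
            if not ok:
                return False
    return True


def scp_denies(request, scp=SCP):
    """True when some Deny statement matches the request's action, resource and conditions."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(iam_match(a, request["action"]) for a in stmt["Action"]):
            continue
        if not any(iam_match(r, request["resource"]) for r in stmt["Resource"]):
            continue
        if condition_true(stmt.get("Condition", {}), request):
            return True
    return False


def request(action, principal_role, tag_keys=None):
    """Constructed request from a role in the assumed account 111122223333."""
    req = {
        "action": action,
        "resource": "arn:aws:iam::111122223333:role/app-role",
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/" + principal_role,
    }
    if tag_keys is not None:           # aws:TagKeys is only present when the call carries tags
        req["aws:TagKeys"] = tag_keys
    return req


if __name__ == "__main__":
    cases = [
        ("Admin tags a sensitive key", request("iam:TagRole", "Admin", [TAG_PREFIX + "owner"])),
        ("Admin removes a sensitive key", request("iam:UntagRole", "Admin", [TAG_PREFIX + "owner"])),
        ("ConsoleMe tags a sensitive key", request("iam:TagRole", "ConsoleMe", [TAG_PREFIX + "owner"])),
        ("BreakGlassAdmin tags a sensitive key", request("iam:TagRole", "BreakGlassAdmin", [TAG_PREFIX + "owner"])),
        ("Admin tags an unrelated key", request("iam:TagRole", "Admin", ["Environment"])),
        ("Admin creates a role without tags", request("iam:CreateRole", "Admin")),
        ("Admin deletes the role (action not covered)", request("iam:DeleteRole", "Admin")),
    ]
    for label, req in cases:
        print(("DENY " if scp_denies(req) else "allow") + "  " + label)
```

The cases that matter most in rollout are the ones that stay allowed: ordinary tagging with non-prefixed keys, role creation without tags, and anything done by a principal matching one of the patterns. If a legitimate automation role other than ConsoleMe shows up as DENY here, add its ARN pattern to the StringNotLike list rather than widening the prefix.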

Last updated 3 years ago