Merge pull request #14 from architlatkar27/DWX-17678

DWX-17678: Add iam:TagRole to restricted mode
cloudera · Apr 25, 2024 · e499810 · e499810
2 parents 3ae7b2d + f786da1
commit e499810
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/aws-iam-policies/docs/restricted-policy-doc-2.json5 b/aws-iam-policies/docs/restricted-policy-doc-2.json5
@@ -251,6 +251,20 @@
           "aws:CalledVia": "cloudformation.amazonaws.com"
         }
       }
+    },
+    {
+      "Sid": "TagRoleRestriction",
+      "Effect": "Allow",
+      "Action": [
+        // used by Cloudformation to tag EKSServiceRole and NodeInstanceRole
+        "iam:TagRole"
+      ],
+      "Resource": "*",
+      "Condition": {
+          "ForAnyValue:StringEquals": {
+            "aws:CalledVia": "cloudformation.amazonaws.com"
+          }
+      }
     }
   ]
 }