Object tags in bucket policies

Bucket policies support tag-based condition keys to control access.

Three condition keys are supported:

  • s3:ExistingObjectTag/<tag-key>
  • s3:RequestObjectTag/<tag-key>
  • s3:RequestObjectTagKeys

Using existing object tags in bucket policies

The s3:ExistingObjectTag/<tag-key> condition evaluates tags already attached to objects.

Syntax

"Condition": {
  "<operator>": {
    "s3:ExistingObjectTag/<tag-key>": "<tag-value>"
  }
}

Supported operations

Read operations only:

  • s3:GetObject
  • s3:GetObjectVersion
  • s3:GetObjectAcl
  • s3:GetObjectVersionAcl
  • s3:GetObjectTagging
  • s3:GetObjectVersionTagging
  • s3:GetObjectTorrent

Not supported for: s3:PutObject, s3:DeleteObject, and s3:DeleteObjectVersion.

Supported operators

  • StringEquals
  • StringNotEquals
  • StringLike
  • StringNotLike

Using request object tags in bucket policies

The s3:RequestObjectTag/<tag-key> condition evaluates tags included in the request. It is used to enforce tagging requirements during object creation or modification.

Syntax

"Condition": {
  "<operator>": {
    "s3:RequestObjectTag/<tag-key>": "<tag-value>"
  }
}

Supported operations

  • s3:PutObject
  • s3:PutObjectTagging
  • s3:CreateMultipartUpload
  • s3:CopyObject

Supported operators

  • StringEquals
  • StringNotEquals
  • StringLike
  • StringNotLike

Using request tag keys in bucket policies

The s3:RequestObjectTagKeys condition evaluates the set of tag keys in the request. It does not evaluate tag values. It is used to enforce key presence or restrictions.

Syntax

"Condition": {
  "<operator>": {
    "s3:RequestObjectTagKeys": ["<tag-key1>", "<tag-key2>", ...]
  }
}

Supported operations

  • s3:PutObject
  • s3:PutObjectTagging
  • s3:CreateMultipartUpload
  • s3:CopyObject

Supported operators

  • ForAllValues:StringEquals
  • ForAllValues:StringNotEquals
  • ForAllValues:StringLike
  • ForAllValues:StringNotLike
  • ForAnyValue:StringEquals
  • ForAnyValue:StringNotEquals
  • ForAnyValue:StringLike
  • ForAnyValue:StringNotLike

Using the Null condition with tag keys

When using set operators with s3:RequestObjectTagKeys, the Null condition is often required to correctly handle requests without tags.

Set operators behave differently when no tags are provided:

  • ForAllValues:* evaluates to true if the request contains no tags.
  • ForAnyValue:* evaluates to false if the request contains no tags.

Without a Null condition, ForAllValues rules may unintentionally allow untagged requests.

Syntax

"Condition": {
  "Null": {
    "s3:RequestObjectTagKeys": "true"
  }
}

Example: deny requests without tags

{
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::bucket/*",
  "Condition": {
    "Null": {
      "s3:RequestObjectTagKeys": "true"
    }
  }
}

Example: require specific tag keys only

{
  "Effect": "Allow",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::bucket/*",
  "Condition": {
    "Null": {
      "s3:RequestObjectTagKeys": "false"
    },
    "ForAllValues:StringEquals": {
      "s3:RequestObjectTagKeys": ["Environment", "Project"]
    }
  }
}

This configuration ensures that:

  1. Tags must be present (Null: false).
  2. Only the specified tag keys are allowed (ForAllValues restricts to specified keys).
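The Null-condition pitfall above, and the read-side s3:ExistingObjectTag/<tag-key> check from the first section, are easiest to see by evaluating sample requests against the policies. The following is an added example, not code from the page or from AWS: a small Python model of the three condition keys, the String* operators, the ForAllValues/ForAnyValue set operators with their empty-set behaviour, and the Null condition. Principal and Resource matching are left out. The tag keys Environment and Project come from the page's example; the tag value "prod" and the request contexts are constructed for the example, and the handling of a missing key under a single-valued operator (positive operators fail, negated ones succeed) is this model's reading of IAM behaviour, not something the page states.

```python
"""Added example, not from the page or from AWS: a small evaluator for the
tag-based condition keys above (s3:ExistingObjectTag/<key>,
s3:RequestObjectTag/<key>, s3:RequestObjectTagKeys), the String* operators,
the ForAllValues/ForAnyValue set operators with their empty-set behaviour, and
the Null condition. Principal and Resource matching are deliberately not modelled."""
import re


def _like(value, pattern):
    # IAM StringLike wildcards: '*' matches any run, '?' matches one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def _match(op, value, pattern):
    """One string comparison for the four String* operators on the page."""
    if op in ("StringEquals", "StringNotEquals"):
        return (value == pattern) == (op == "StringEquals")
    if op in ("StringLike", "StringNotLike"):
        return _like(value, pattern) == (op == "StringLike")
    raise ValueError(f"unsupported operator: {op}")


def _resolve(key, ctx):
    """Values a condition key has in this request context; [] when absent."""
    if key == "s3:RequestObjectTagKeys":
        return list(ctx.get("request_tags", {}))
    for prefix, source in (("s3:RequestObjectTag/", "request_tags"),
                           ("s3:ExistingObjectTag/", "object_tags")):
        if key.startswith(prefix):
            tags, name = ctx.get(source, {}), key[len(prefix):]
            return [tags[name]] if name in tags else []
    raise ValueError(f"unsupported condition key: {key}")


def condition_matches(condition, ctx):
    """True only if every operator/key pair in the Condition block holds."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            values = _resolve(key, ctx)
            patterns = expected if isinstance(expected, list) else [expected]
            if op == "Null":
                # Null "true": key must be absent; Null "false": key must be present.
                if (not values) != (patterns[0] == "true"):
                    return False
            elif op.startswith("ForAllValues:"):
                base = op.split(":", 1)[1]
                # Every value must match some pattern. An empty set is vacuously
                # true, which is why an untagged request slips through.
                if not all(any(_match(base, v, p) for p in patterns) for v in values):
                    return False
            elif op.startswith("ForAnyValue:"):
                base = op.split(":", 1)[1]
                # At least one value must match; an empty set is false.
                if not any(any(_match(base, v, p) for p in patterns) for v in values):
                    return False
            elif not values:
                # Single-valued operator with the key missing, modelled as IAM
                # evaluates it (assumption): positive operators fail, negated succeed.
                if not op.startswith("StringNot"):
                    return False
            elif not any(_match(op, values[0], p) for p in patterns):
                return False
    return True


def evaluate(policy, action, ctx):
    """Explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Same key restriction as the page's second example, but without the Null check.
ALLOW_WITHOUT_NULL = {"Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"ForAllValues:StringEquals": {
        "s3:RequestObjectTagKeys": ["Environment", "Project"]}}}]}

# The page's "require specific tag keys only" statement, Null check included.
ALLOW_WITH_NULL = {"Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"Null": {"s3:RequestObjectTagKeys": "false"},
                  "ForAllValues:StringEquals": {
                      "s3:RequestObjectTagKeys": ["Environment", "Project"]}}}]}

# Constructed read policy on existing object tags (tag value chosen for the example):
# GetObject is allowed only for objects already tagged Environment=prod.
READ_PROD_ONLY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"StringEquals": {"s3:ExistingObjectTag/Environment": "prod"}}}]}
```

Calling evaluate(ALLOW_WITHOUT_NULL, "s3:PutObject", {"request_tags": {}}) returns "Allow", because ForAllValues over an empty key set is vacuously true; the same untagged request against ALLOW_WITH_NULL returns "ImplicitDeny", and a request carrying an unlisted key such as Owner is also denied. For the read policy, a context whose object_tags lack Environment=prod falls through to the implicit deny, which is the behaviour a reviewer wants to confirm before relying on existing-object tags as a read gate.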