Checking the value of a tag in an AWS IAM policy, when that tag has multiple (delimited) values


I'm intending to set up something similar to attribute-based access control, using an approach similar to the one outlined here by Amazon. For example, I'll have resources with environment tags, with values like prod, preprod, and test. Access control policies that use these values will be defined in CloudFormation templates.

Resources should be able to have multiple values for a tag - e.g. environment=test:preprod. How would I represent this requirement in a policy? Would I need to write something unwieldy like...

{
  "Version": "2012-10-17",
  "Statement": {
    ...
    "Condition": {
      "StringLike": {
        "ec2:ResourceTag/environment": [
          "*:prod:*",
          "prod:*",
          "*:prod",
          "prod"
        ]
      },
      "StringNotLike": {
        "ec2:ResourceTag/environment": [
          "preprod:*"
        ]
      }
    }
  }
}

...for the policy document if I wanted to distinguish between prod and preprod, while also allowing prod to be anywhere in the list of tag values?
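The following is an added example, not part of the question above and not AWS code. It is a small Python model of how IAM evaluates a `Condition` block with `StringLike` / `StringNotLike` operators (`*` matches any run of characters, `?` a single character, matching is case-sensitive and against the whole string; values under one key in a positive operator are OR-ed, values in a negated operator must all fail to match, and all operators must hold). Running the condition from the question through it shows what a delimited tag value like `test:preprod:prod` is actually admitted or refused by that condition. The `ec2:ResourceTag/environment` key and the patterns are taken from the question; the sample tag values are constructed here.

```python
import re

# Hypothetical local model of IAM string-condition matching (not the AWS evaluator).
# Only '*' and '?' are wildcards; every other character, including the ':' used
# as a delimiter in the question, is matched literally.
def _pattern_to_regex(pattern: str) -> re.Pattern:
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def string_like(pattern: str, value: str) -> bool:
    """True if the whole value matches the IAM-style wildcard pattern (case-sensitive)."""
    return _pattern_to_regex(pattern).fullmatch(value) is not None


def condition_matches(condition: dict, request_context: dict) -> bool:
    """Evaluate a policy Condition block against a request context.

    - every operator in the block must be satisfied (logical AND);
    - for a positive operator (StringLike), at least one listed value must match;
    - for a negated operator (StringNotLike), none of the listed values may match;
    - a key missing from the context fails a positive operator and passes a negated one.
    """
    for operator, keys in condition.items():
        negated = operator.startswith("StringNot")
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = request_context.get(key)
            if value is None:
                if negated:
                    continue
                return False
            hit = any(string_like(p, value) for p in patterns)
            if hit == negated:          # positive needs a hit, negated needs none
                return False
    return True


# The condition exactly as written in the question.
QUESTION_CONDITION = {
    "StringLike": {
        "ec2:ResourceTag/environment": ["*:prod:*", "prod:*", "*:prod", "prod"]
    },
    "StringNotLike": {
        "ec2:ResourceTag/environment": ["preprod:*"]
    },
}


def allowed_by_question_condition(tag_value: str) -> bool:
    """Would a resource whose environment tag has this value satisfy the condition?"""
    return condition_matches(
        QUESTION_CONDITION, {"ec2:ResourceTag/environment": tag_value}
    )


def evaluate_samples(samples: list[str]) -> dict[str, bool]:
    """Map each constructed tag value to the condition's verdict."""
    return {v: allowed_by_question_condition(v) for v in samples}


if __name__ == "__main__":
    # Constructed sample tag values exercising the delimited-list cases.
    for value, ok in evaluate_samples(
        ["prod", "test:prod", "prod:test", "preprod", "preprod:prod",
         "test:preprod:prod", "prod:preprod", "production", "Prod"]
    ).items():
        print(f"{value!r:24} -> {'allowed' if ok else 'denied'}")
```

Two outcomes are worth noticing: `preprod:prod` is refused, because `StringNotLike` sees `preprod:*`, but `test:preprod:prod` and `prod:preprod` are admitted, since the only exclusion pattern anchors `preprod` at the start of the string. Covering every position would need the same four-pattern fan-out on the `StringNotLike` side as on the `StringLike` side, which is the unwieldiness the question is pointing at.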
