# AWS Filtering

We'll go through all the available access-types for AWS request filtering.

### Filtering on tags

Policies and permission sets can be filtered based on their tags in AWS. To do this, use the `tag` access-type. The key is the tag key, and the pattern matches on the tag value.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>
```

#### Allow requesting only policies and permission sets with the tag "environment" set to "dev":

```
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep
      key: environment
      pattern: ^dev$
```

### Filtering on IAM groups

To filter on IAM group requests, we can use the `group` access-type. There is a single available key, `name`, which refers to the name of the IAM group.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: keep|remove|removeAll
      key: name
      pattern: <regex pattern>
```

#### Allow requesting any IAM groups except for "Admin":

```
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: remove
      key: name
      pattern: ^Admin$
```

### Filtering on permission sets

To filter on Identity Center permission set requests, we can use the `permission-set` access-type. There are two available keys, `name` (the name of the permission set) and `arn` (the ARN of the permission set).

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep|remove|removeAll
      key: name|arn
      pattern: <regex pattern>
```

#### Allow requesting only permission sets with "project-1" in the name:

```
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep
      key: name
      pattern: project-1
```

### Filtering on policies

To filter on IAM policy requests, we can use the `policy` access-type. There is a single available key, `arn`, which refers to the ARN of the IAM policy.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep|remove|removeAll
      key: arn
      pattern: <regex pattern>
```

#### Allow requesting only AmazonS3 predefined policies

```
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep
      key: arn
      pattern: ^arn:aws:iam::aws:policy/AmazonS3
```

### Filtering on resources

To filter on permission requests, we can use the `resource` access-type. There are three available keys:

* `name`: This is the name of the resource.
* `service`: This is the AWS service that the resource belongs to: for example, `s3`, or `sagemaker`. It is found in the resource ARN, in the field directly after `arn:aws:`. For example, if the ARN is `arn:aws:iam::391052057035:role/AmazonEKSNodeRole` the service is `iam`.
* `arn`: This is the ARN of the resource.

#### Rule structure:

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|service|arn
      pattern: <regex pattern>
```

#### Allow requesting only S3 resources

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: service
      pattern: ^s3$
```

#### Allow requesting any resource except for IAM resources

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: service
      pattern: ^iam$
```

#### Allow requesting any resource containing "project-1" in the name

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: name
      pattern: project-1
```

#### Allow requesting only S3 buckets with names starting with "dev"

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: arn
      pattern: ^arn:aws:s3:::dev
```

#### Allow requesting any resource except for the S3 bucket named "top-secret-bucket"

```
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: arn
      pattern: ^arn:aws:s3:::top-secret-bucket$
```
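
All of the rules on this page share one evaluation model: select an item attribute by `key`, match it against the regex `pattern`, and either retain or drop the matching items according to `effect`. The evaluator below is an added example, not the product's own code, that applies that model to a constructed inventory so a pattern can be dry-run before it is deployed; it also shows that a pattern such as `^dev$.` matches nothing, because no character can follow end-of-string. Assumptions not taken from the page: patterns are unanchored regular expressions matched with `re.search` (consistent with the `project-1` examples), rules are passed as the dict form of the YAML shown above, and `removeAll`, whose semantics the page does not define, is rejected rather than guessed at. The inventory entries, ARNs and account id are made up.

```python
"""Offline evaluator for the filter rules on this page (added example).

Assumptions, not taken from the page: `pattern` is an unanchored regular
expression (consistent with the `project-1` examples) and rules are passed
as the dict form of the page's YAML. `removeAll` is not defined on this
page, so it is rejected rather than guessed at.
"""
import re

# Constructed sample inventory; attribute names match the page's `key` values.
INVENTORY = {
    "policy": [
        {"arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "tags": {}},
        {"arn": "arn:aws:iam::aws:policy/AmazonS3FullAccess",
         "tags": {"environment": "dev"}},
        {"arn": "arn:aws:iam::123456789012:policy/Billing",
         "tags": {"environment": "development"}},
    ],
    "permission-set": [
        {"name": "project-1-admin", "arn": "arn:aws:sso:::permissionSet/ssoins-1/ps-1",
         "tags": {"environment": "dev"}},
        {"name": "project-2-readonly", "arn": "arn:aws:sso:::permissionSet/ssoins-1/ps-2",
         "tags": {"environment": "prod"}},
    ],
    "group": [{"name": "Admin"}, {"name": "Developers"}, {"name": "AdminReadOnly"}],
    "resource": [
        {"name": "dev-artifacts", "arn": "arn:aws:s3:::dev-artifacts"},
        {"name": "top-secret-bucket", "arn": "arn:aws:s3:::top-secret-bucket"},
        {"name": "AmazonEKSNodeRole",
         "arn": "arn:aws:iam::123456789012:role/AmazonEKSNodeRole"},
        {"name": "project-1-nb",
         "arn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/project-1-nb"},
    ],
}

# Which inventory lists each access-type applies to, as the page describes.
TARGETS = {
    "tag": ("policy", "permission-set"),
    "group": ("group",),
    "permission-set": ("permission-set",),
    "policy": ("policy",),
    "resource": ("resource",),
}

def service_of(arn):
    """Service segment of an ARN: the field directly after 'arn:aws:'."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2]

def selected_value(access_type, key, item):
    """Attribute of `item` that the rule's pattern is matched against."""
    if access_type == "tag":
        return item.get("tags", {}).get(key)  # None when the item lacks the tag
    if key == "service":
        return service_of(item["arn"])
    return item[key]

def apply_filter(access_type, rule, items):
    """keep: retain only matching items; remove: drop matching items."""
    regex = re.compile(rule["pattern"])

    def hit(item):
        value = selected_value(access_type, rule["key"], item)
        return value is not None and regex.search(value) is not None

    if rule["effect"] == "keep":
        return [i for i in items if hit(i)]
    if rule["effect"] == "remove":
        return [i for i in items if not hit(i)]
    raise ValueError(f"effect {rule['effect']!r} is not handled by this example")

def evaluate(rule_doc, inventory=INVENTORY):
    """Apply every filter in a rule document; return the survivors per kind."""
    if rule_doc.get("type") != "integration" or rule_doc.get("service") != "aws":
        raise ValueError("expected an AWS integration rule")
    result = {kind: list(items) for kind, items in inventory.items()}
    for access_type, rule in rule_doc["filters"].items():
        for kind in TARGETS[access_type]:
            result[kind] = apply_filter(access_type, rule, result[kind])
    return result

def make_rule(access_type, effect, key, pattern):
    """Dict form of the page's single-filter YAML documents."""
    return {"type": "integration", "service": "aws",
            "filters": {access_type: {"effect": effect, "key": key, "pattern": pattern}}}

if __name__ == "__main__":
    # The page's tag example, then the same rule with a stray '.' after '$':
    # the second keeps nothing, since no character can follow end-of-string.
    for pattern in ("^dev$", "^dev$."):
        survivors = evaluate(make_rule("tag", "keep", "environment", pattern))
        print(pattern, [p["arn"] for p in survivors["policy"]])
```

Because `keep` and `remove` are evaluated against the full item list, a `keep` rule whose pattern matches nothing leaves the requester with no items at all; dry-running a new pattern against a representative inventory before deploying it catches that case.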
