What is the difference between aws:PrincipalTag and aws:ResourceTag in IAM conditions?

aws:PrincipalTag/${TagKey} reads the tag attached to the IAM principal (user or role) making the API call. aws:ResourceTag/${TagKey} reads the tag on the AWS resource being accessed. ABAC works by comparing these two values inside a Condition block — if you reference only ResourceTag without PrincipalTag, you're checking the resource's tag against nothing, which either always evaluates to true or always denies depending on operator, breaking your access model entirely.

Why is my ABAC policy allowing access even though the tags don't match?

The most common cause is a missing Condition block entirely — the policy grants the action on the resource with no tag comparison at all, making it effectively a wildcard allow scoped only by Action and Resource ARN. The second cause is using aws:RequestTag instead of aws:PrincipalTag: RequestTag only evaluates tags being set in a tagging API call, not tags already on the principal. Audit your Condition blocks and confirm you're using StringEquals with aws:PrincipalTag/${TagKey}: ${aws:ResourceTag/${TagKey}}.

Does aws:PrincipalTag work with IAM roles assumed via AWS SSO or federated identity?

Yes, but the tag must be passed as a session tag at assume-role time. For AWS SSO, configure attribute mappings in the IAM Identity Center permission set to forward IdP attributes as session tags. For federated SAML/OIDC, use the sts:TagSession permission and pass PrincipalTag values in the AssumeRoleWithWebIdentity or AssumeRoleWithSAML call. If the session tag is not passed, aws:PrincipalTag will be null and any Null condition check you've added will trigger a deny.

How to Fix IAM ABAC Failures: Missing aws:PrincipalTag Condition Key in Tag-Based Access Control Policies

Threat/Impact Level: CRITICAL | Exploitability/Downtime Risk: HIGH | Time to Fix: 15 mins

TL;DR

What broke: Your IAM policy relies on ABAC tag matching but omits the aws:PrincipalTag condition key, meaning the tag on the calling principal is never evaluated — the policy either over-permits or silently denies all requests.
How to fix it: Add a Condition block using aws:PrincipalTag/${TagKey} with StringEquals to enforce that the principal's tag value matches the resource's tag value before granting access.
Fast path: Use our Client-Side Sandbox above to auto-refactor this — paste your broken policy and get a corrected version with the condition key injected without sending your ARNs anywhere.

The Incident (What Does the Error Mean?)

You'll see this surface as an implicit deny in CloudTrail, or worse — no deny at all because the Condition block is absent entirely:

{
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:iam::123456789012:assumed-role/dev-role/session
  is not authorized to perform: s3:GetObject on resource:
  arn:aws:s3:::prod-data-bucket/reports/q4.csv
  because no identity-based policy allows the s3:GetObject action"
}

Or the inverse — no error at all, meaning a dev-tagged principal is reading prod-tagged S3 objects because the Condition block that should have blocked it was never written.

Immediate consequence: Your entire ABAC model is non-functional. Tag-based segmentation between environments, teams, or data classifications is not being enforced at the IAM evaluation layer.

The Attack Vector / Blast Radius

ABAC on AWS depends on a three-way tag match: the principal must carry a tag, the resource must carry a matching tag, and the policy Condition must explicitly compare them via aws:PrincipalTag. If any leg of that triangle is missing, the policy degrades to either a blanket allow or a blanket deny — both are catastrophic in different ways.

Exploitation path:

Attacker compromises a team:payments IAM role via credential leak.
Your ABAC policy was intended to restrict that role to only team:payments-tagged resources.
Because aws:PrincipalTag/team was never added to the Condition block, the restriction is never evaluated.
Attacker laterally moves to team:finance S3 buckets, RDS snapshots, and Secrets Manager entries — all tagged differently, all now accessible.

Blast radius: Every resource in the account that relies on this policy for tag-scoped isolation is now effectively unprotected. In multi-tenant SaaS architectures, this is a full tenant-isolation breach.

How to Fix It (The Solution)

Basic Fix

Add the missing Condition block that compares the principal's tag to the resource tag.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
-     "Resource": "arn:aws:s3:::*/*"
+     "Resource": "arn:aws:s3:::*/*",
+     "Condition": {
+       "StringEquals": {
+         "aws:PrincipalTag/team": "${aws:ResourceTag/team}"
+       }
+     }
    }
  ]
}

This enforces that the team tag on the calling principal must exactly match the team tag on the target S3 object before access is granted.

Enterprise Best Practice

In production, layer multiple tag dimensions and add an explicit deny for untagged principals to prevent ABAC bypass via tag absence.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ABACTagScopedAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
-     "Resource": "arn:aws:s3:::*/*"
+     "Resource": "arn:aws:s3:::*/*",
+     "Condition": {
+       "StringEquals": {
+         "aws:PrincipalTag/team": "${aws:ResourceTag/team}",
+         "aws:PrincipalTag/env": "${aws:ResourceTag/env}"
+       },
+       "StringLike": {
+         "aws:PrincipalTag/team": "?*"
+       }
+     }
    },
+   {
+     "Sid": "DenyUntaggedPrincipals",
+     "Effect": "Deny",
+     "Action": "s3:*",
+     "Resource": "*",
+     "Condition": {
+       "Null": {
+         "aws:PrincipalTag/team": "true"
+       }
+     }
+   }
  ]
}

Key additions:

aws:PrincipalTag/env adds a second tag dimension — a dev principal cannot reach prod resources even if team matches.
StringLike with ?* ensures the tag value is non-empty, blocking principals with blank tag values.
The explicit Deny statement with Null condition is your safety net — it fires if someone provisions a role without the required tags, preventing silent ABAC bypass.

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

This class of misconfiguration is fully automatable to catch at PR time.

1. Checkov (IaC scanning — Terraform/CloudFormation)

Checkov rule CKV_AWS_355 flags IAM policies with overly permissive actions, but for ABAC-specific enforcement, write a custom check:

# checkov custom check: enforce PrincipalTag condition on ABAC policies
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class CheckABACPrincipalTag(BaseResourceCheck):
    def __init__(self):
        name = "Ensure aws:PrincipalTag condition is present in ABAC IAM policies"
        id = "CKV_CUSTOM_ABAC_001"
        supported_resources = ["aws_iam_policy"]
        super().__init__(name=name, id=id, categories=[], supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        policy = conf.get("policy", [{}])[0]
        for stmt in policy.get("Statement", []):
            condition = stmt.get("Condition", {})
            se = condition.get("StringEquals", {})
            if not any("aws:PrincipalTag" in k for k in se.keys()):
                return CheckResult.FAILED
        return CheckResult.PASSED

2. OPA / Conftest (policy-as-code gate in CI)

# opa policy: deny IAM statements without PrincipalTag condition
package aws.iam.abac

violation[msg] {
  stmt := input.Statement[_]
  stmt.Effect == "Allow"
  not principal_tag_condition_present(stmt)
  msg := sprintf("Statement '%v' is missing aws:PrincipalTag condition — ABAC not enforced", [stmt.Sid])
}

principal_tag_condition_present(stmt) {
  keys := object.keys(stmt.Condition.StringEquals)
  startswith(keys[_], "aws:PrincipalTag/")
}

Wire this into your GitHub Actions or GitLab CI pipeline as a blocking gate on any PR that modifies *.json IAM policy files or Terraform aws_iam_policy resources.

3. AWS Config Rule

Deploy a custom AWS Config rule using config:PutConfigRule to continuously evaluate attached policies across all IAM roles in the account for missing PrincipalTag conditions. Flag non-compliant roles in Security Hub for remediation tracking.