AWS Security ChangesHomeSearch

AWS vpc-lattice documentation change

Service: vpc-lattice · 2025-10-16 · Documentation low

File: vpc-lattice/latest/ug/auth-policies.md

Summary

Added documentation sections for resource tags and principal tags in authentication policies, including policy examples using tag-based access controls

Security assessment

The changes document how to use resource/principal tags for fine-grained access control in auth policies, which is a security feature but does not indicate a security vulnerability fix. This enhances security documentation by showing tag-based permission strategies.

Diff

diff --git a/vpc-lattice/latest/ug/auth-policies.md b/vpc-lattice/latest/ug/auth-policies.md
index e58cde8e2..401ea8de2 100644
--- a//vpc-lattice/latest/ug/auth-policies.md
+++ b//vpc-lattice/latest/ug/auth-policies.md
@@ -5 +5 @@
-Common elements in an auth policyResource format for auth policiesCondition keys that can be used in auth policiesAnonymous (unauthenticated) principalsExample auth policiesHow authorization works
+Common elements in an auth policyResource format for auth policiesCondition keys that can be used in auth policiesResource tagsPrincipal tagsAnonymous (unauthenticated) principalsExample auth policiesHow authorization works
@@ -26,0 +27,4 @@ You can use the AWS CLI and console to view, add, update, or remove auth policie
+  * Resource tags
+
+  * Principal tags
+
@@ -340,0 +345,61 @@ Condition keys | Description | Example | Available for anonymous (unauthenticate
+## Resource tags
+
+A _tag_ is a metadata label that you assign or that AWS assigns to an AWS resource. Each tag has two parts:
+
+  * A _tag key_ (for example, `CostCenter`, `Environment`, or `Project`). Tag keys are case sensitive.
+
+  * An optional field known as a _tag value_ (for example, `111122223333` or `Production`). Omitting the tag value is the same as using an empty string. Like tag keys, tag values are case-sensitive.
+
+
+
+
+For more information about tagging, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html)
+
+You can use tags in your auth policies using the `aws:ResourceTag/key` AWS global condition context key.
+
+The following example policy grants access to services with the tag `Environment=Gamma`. This policy lets you refer to services without hard‑coding service ARNs or IDs.
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "AllowGammaAccess",
+          "Effect": "Allow",
+          "Principal": "*",
+          "Action": "vpc-lattice-svcs:Invoke",
+          "Resource": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-0124446789abcdef0/*",
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceTag/Environment": "Gamma",
+            }
+          }
+        }
+      ]
+    }
+
+## Principal tags
+
+You can control access to your services and resources based on the tags attached to the caller's identity. VPC Lattice supports access control based on any principal tags on the user, role, or session tags using the `aws:PrincipalTag/context` variables. For more information, see [Controlling access for IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals).
+
+The following example policy grants access only to identities with the tag `Team=Payments`. This policy lets you control access without hard‑coding account IDs or role ARNs.
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "AllowPaymentsTeam",
+          "Effect": "Allow",
+          "Principal": "*",
+          "Action": "vpc-lattice-svcs:Invoke",
+          "Resource": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-0123456789abcdef0/*",
+          "Condition": {
+            "StringEquals": {
+              "aws:PrincipalTag/Team": "Payments",
+            }
+          }
+        }
+      ]
+    }
+