
Commit 6fe2b86

committed
Adding guidance for excluding specific resources from RCP controls
1 parent a26f532 commit 6fe2b86

2 files changed

Lines changed: 4 additions & 0 deletions


README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,8 @@ In addition to the default and service-specific data perimeter policies, conside
8787

8888
Policy examples in this repository use the `aws:PrincipalTag/tag-key` and `aws:ResourceTag/tag-key` global condition keys to control the scope of data perimeter guardrails with the following tagging conventions. You should follow your existing tagging strategy or [AWS tagging best practices](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html) when implementing in your environment.
8989

90+
Note that `aws:ResourceTag/tag-key`only works with resources that [support authorization based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). For details on supported service actions, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html).
91+
9092
1. Tag [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) principals and resources in your accounts that you would like to target with network perimeter controls with the `dp:include:network` tag key and the value set to `true`. You may want to start enforcing network perimeter controls on IAM principals used by human users to access AWS services interactively in the AWS Management Console, or programmatically with the AWS CLI, AWS Tools for PowerShell, or API.
9193
2. Tag IAM principals and resources in your accounts that should be excluded from the network perimeter with the `dp:exclude:network` tag key and the value set to `true`. This tag key can be used for human users and applications that should be able to use AWS services from outside of your expected network, or for resources that should not have the network perimeter applied.
9294
3. Tag IAM principals and resources in your accounts that should be excluded from the identity perimeter with the `dp:exclude:identity` tag key and the value set to `true`. This tag key is designed for human users and applications that should be able to use AWS services without being restricted by identity perimeter controls. This tag can also be used on resources that should not have the identity perimeter applied, such as those with a business reason to be accessible by a large number of external identities (public resources).
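Review bot: the added note at line 90 is missing a space after the closing backtick in "`aws:ResourceTag/tag-key`only works"; it should read "`aws:ResourceTag/tag-key` only works". Since this README introduces the tagging conventions for the whole repository, the note would also be more useful if it pointed readers to the fallbacks for resource types that do not support tag-based authorization (`aws:ResourceAccount`, `aws:ResourceOrgPaths`, or `NotResource`), which the resource_control_policies/README.md change in this same commit describes but this note does not mention.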

resource_control_policies/README.md

Lines changed: 2 additions & 0 deletions
@@ -49,6 +49,8 @@ Additional considerations:
4949

5050
* If you have [Amazon CloudFront](https://aws.amazon.com/cloudfront/) distributions configured to use origin access identity (OAI) to send requests to an Amazon S3 origin, this statement will prevent CloudFront from communicating with the origin. We recommend [migrating from origin access identity (OAI) to origin access control (OAC)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#migrate-from-oai-to-oac). If you need to maintain OAI support during the migration, you can implement an exception using the `aws:PrincipalArn` condition key, setting the unique OAI user ARNs from your distributions as the value (`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <my-origin-access-identity-ID>`).
5151

52+
* This policy statement demonstrates using `aws:ResourceTag/tag-key` to exclude specific resources from the control. Note that this key only works with resources that [support authorization based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). For details on supported service actions, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html). For resources not yet supporting `aws:ResourceTag/tag-key`, you can use `aws:ResourceAccount` or `aws:ResourceOrgPaths` to exclude resources owned by specific AWS accounts, or the `NotResource` IAM policy element to exclude specific resource Amazon Resource Names (ARNs). Alternatively, you can use a service-specific version of `aws:ResourceTag/tag-key` such as `s3:ExistingObjectTag`, if available.
53+
5254
### "Sid":"EnforceTrustedOIDCProviders"
5355

5456
This policy statement is included in the [identity_perimeter_rcp](identity_perimeter_rcp.json) and limits access to `sts:AssumeRoleWithWebIdentity` to only federated identities associated with a specific OIDC provider.
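Review bot: the new bullet at line 52 states "This policy statement demonstrates using `aws:ResourceTag/tag-key` to exclude specific resources from the control", but this commit touches only the two README files (2 files changed, 4 additions), so please confirm that the corresponding statement in the RCP JSON already carries that condition; otherwise the documentation describes an exclusion the policy does not implement. Two smaller points on the fallbacks listed in the same bullet: `NotResource` replaces the statement's `Resource` element rather than adding to it, so the exclusion list must be complete for every resource type the statement is meant to cover, and that is worth stating; and `aws:ResourceAccount` / `aws:ResourceOrgPaths` exclude by owning account or OU rather than by individual resource, which is a coarser exception than the tag-based one and should be called out so readers do not over-exclude.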
