From 0c191ac33b3f38a05bd41ed8ee1e082c926de3d4 Mon Sep 17 00:00:00 2001
From: Mike Grima
Date: Mon, 30 Mar 2020 17:23:33 -0700
Subject: [PATCH] Raise errors on tagging buckets with aws:*

Cannot tag S3 buckets with reserved tag key space `aws:`
---
 moto/s3/exceptions.py | 9 +++++++++
 moto/s3/responses.py | 6 ++++++
 tests/test_s3/test_s3.py | 18 ++++++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/moto/s3/exceptions.py b/moto/s3/exceptions.py
index e26f384d5..c38a4f467 100644
--- a/moto/s3/exceptions.py
+++ b/moto/s3/exceptions.py
@@ -368,3 +368,12 @@ class WrongPublicAccessBlockAccountIdError(S3ClientError):
 super(WrongPublicAccessBlockAccountIdError, self).__init__(
 "AccessDenied", "Access Denied"
 )
+
+
+class NoSystemTags(S3ClientError):
+ code = 400
+
+ def __init__(self):
+ super(NoSystemTags, self).__init__(
+ "InvalidTag", "System tags cannot be added/updated by requester"
+ )
diff --git a/moto/s3/responses.py b/moto/s3/responses.py
index b74be9a63..197cd9080 100644
--- a/moto/s3/responses.py
+++ b/moto/s3/responses.py
@@ -34,6 +34,7 @@ from .exceptions import (
 InvalidNotificationARN,
 InvalidNotificationEvent,
 ObjectNotInActiveTierError,
+ NoSystemTags,
 )
 from .models import (
 s3_backend,
@@ -1399,6 +1400,11 @@ class ResponseObject(_TemplateEnvironmentMixin, ActionAuthenticatorMixin):
 for tag in parsed_xml["Tagging"]["TagSet"]["Tag"]:
 tags.append(FakeTag(tag["Key"], tag["Value"]))
 
+ # Verify that "aws:" is not in the tags. If so, then this is a problem:
+ for tag in tags:
+ if tag.key.startswith("aws:"):
+ raise NoSystemTags()
+
 tag_set = FakeTagSet(tags)
 tagging = FakeTagging(tag_set)
 return tagging
diff --git a/tests/test_s3/test_s3.py b/tests/test_s3/test_s3.py
index 800daaef8..303ed523d 100644
--- a/tests/test_s3/test_s3.py
+++ b/tests/test_s3/test_s3.py
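Review bot: `NoSystemTags` in moto/s3/exceptions.py has no docstring, and its name drops the `...Error` suffix used by the class directly above it in the hunk (`WrongPublicAccessBlockAccountIdError`). A one-line docstring such as `"""Raised when a tag key uses the reserved aws: prefix (S3 answers 400 InvalidTag)."""` would explain why the message speaks of "system tags". The rest of exceptions.py is outside the hunk, so the suffix may not be a file-wide convention.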
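Review bot: The reserved-prefix test `tag.key.startswith("aws:")` in moto/s3/responses.py is case-sensitive, so a key such as `AWS:sometag` is accepted by the mock. AWS's general tagging guidance treats the prefix as reserved in any letter case; if real S3 rejects those keys as well (worth confirming against the service), the line should read `if tag.key.lower().startswith("aws:"):`. The enclosing method starts outside the hunk, so it cannot be seen from here whether object tagging is parsed elsewhere without an equivalent check. A mock that is laxer than the service hides the rejection until the code runs against real S3, which matters where tags feed access-control or cost-allocation logic.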
@@ -2413,6 +2413,24 @@ def test_boto3_put_bucket_tagging():
 "Cannot provide multiple Tags with the same key"
 )
 
+ # Cannot put tags that are "system" tags - i.e. tags that start with "aws:"
+ with assert_raises(ClientError) as ce:
+ s3.put_bucket_tagging(
+ Bucket=bucket_name,
+ Tagging={"TagSet": [{"Key": "aws:sometag", "Value": "nope"}]},
+ )
+ e = ce.exception
+ e.response["Error"]["Code"].should.equal("InvalidTag")
+ e.response["Error"]["Message"].should.equal(
+ "System tags cannot be added/updated by requester"
+ )
+
+ # This is OK though:
+ s3.put_bucket_tagging(
+ Bucket=bucket_name,
+ Tagging={"TagSet": [{"Key": "something:aws:stuff", "Value": "this is fine"}]},
+ )
+
 
 @mock_s3
 def test_boto3_get_bucket_tagging():
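Review bot: The rejection case asserts the error code and message but not the 400 status that `NoSystemTags` sets, and the accepted `something:aws:stuff` call is never read back. Add `e.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)` after the message assertion, and follow the last call with `s3.get_bucket_tagging(Bucket=bucket_name)` to check that the key was stored. Reading the tags back after the rejected call as well would show that a refused request leaves the bucket's tags unchanged. test_boto3_put_bucket_tagging starts outside the hunk.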