SCP to enforce tags fails

0

After attaching the above SCP policy to an account, I am unable (with Administrator access) to launch an instance with all the compliant tags. The policy is working fine when I deploy an instance with incorrect tags. Does it require any special permissions? Any advice please. I used the policy from the following link: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

I modified the policy just to reflect the tag keys applicable in my environment, the policy below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationSCP1",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/CostCode": "true" }
      }
    },
    {
      "Sid": "DenyEC2CreationSCP2",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Project_Team": "true" }
      }
    }
  ]
}
```

  • Did you make any changes to the SCP in the blog post - if so, could you post the exact SCP you're using?

1 answer
0

Hi @Ed, I modified the policy just to reflect the tag keys applicable in my environment, the policy below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationSCP1",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/CostCode": "true" }
      }
    },
    {
      "Sid": "DenyEC2CreationSCP2",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Project_Team": "true" }
      }
    }
  ]
}
```

answered 2 years ago
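An added worked example (mine, not code from the question, the answer or the AWS blog post) that replays the SCP's two Null conditions against the TagSpecifications of a RunInstances request, per resource type the statements name. It assumes, as AWS documents for RunInstances, that aws:RequestTag for the volume resource is populated only by a TagSpecifications entry with ResourceType "volume", so tagging only the instance leaves the volume statement's Null condition true.

```python
"""Simulate the DenyEC2CreationSCP1/SCP2 statements above for one request.

Assumption (not stated on the page): aws:RequestTag/<key> for each resource
type comes only from the matching ResourceType entry in TagSpecifications.
"""
REQUIRED_KEYS = ("CostCode", "Project_Team")   # keys named by the two statements
RESOURCE_TYPES = ("instance", "volume")        # resource ARN types both statements cover


def request_tags_for(resource_type, tag_specifications):
    """Collect the aws:RequestTag context keys the request supplies for one resource type."""
    tags = {}
    for spec in tag_specifications:
        if spec.get("ResourceType") == resource_type:
            for tag in spec.get("Tags", []):
                tags[tag["Key"]] = tag["Value"]
    return tags


def evaluate_scp(tag_specifications):
    """Return (allowed, reasons).  For each resource type and required key,
    "Null": {"aws:RequestTag/<key>": "true"} (key absent) fires an explicit Deny,
    and a single Deny on any resource fails the whole RunInstances call."""
    reasons = []
    for rtype in RESOURCE_TYPES:
        tags = request_tags_for(rtype, tag_specifications)
        for key in REQUIRED_KEYS:
            if key not in tags:
                reasons.append(f"Deny on arn:aws:ec2:*:*:{rtype}/*: aws:RequestTag/{key} is null")
    return (not reasons, reasons)


COMPLIANT_TAGS = [{"Key": "CostCode", "Value": "CC-100"},
                  {"Key": "Project_Team", "Value": "Blue"}]

# Constructed sample requests (hypothetical values).
INSTANCE_ONLY = [  # compliant tags, but only on the instance resource
    {"ResourceType": "instance", "Tags": COMPLIANT_TAGS},
]
INSTANCE_AND_VOLUME = [  # the same tags on both resource types the SCP names
    {"ResourceType": rtype, "Tags": COMPLIANT_TAGS} for rtype in RESOURCE_TYPES
]

if __name__ == "__main__":
    for name, req in (("instance only", INSTANCE_ONLY),
                      ("instance and volume", INSTANCE_AND_VOLUME)):
        allowed, reasons = evaluate_scp(req)
        print(name, "->", "ALLOW" if allowed else "DENY", *reasons, sep="\n  ")
```

The "instance only" request is denied purely because of the volume resource, which is the shape of failure to check first when compliant instance tags still produce an explicit Deny.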
