I have created the following SCP to enforce tag keys on certain resources. It is working fine in the case of EC2 and Lambda. But for RDS, the AWS Console does not provide a way to add tags while creating an RDS instance. How can I accomplish this enforcement in the case of RDS?
This is the SCP:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationProductTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationNameTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyRDSCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyDynamoDBCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateTable"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    }
  ]
}
Also, please check the SCP: I am giving the tag Name for DynamoDB but am not able to create the table; it gives an error:
User: arn:aws:iam::458225596744:root is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:458225596744:table/ashish0001 with an explicit deny in a service control policy
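A way to check which of these Deny statements a given API call would trip, as an added example that is not part of the question above and not AWS tooling: the script below rebuilds the same ten Deny statements programmatically and evaluates a request (action, resource ARN, and the tags carried in the create call itself) against them, modelling only the `Null` condition on `aws:RequestTag`. It assumes the Allow side of SCP evaluation (e.g. FullAWSAccess) and the caller's identity policies permit the call, so an empty result means "not explicitly denied by this SCP" rather than "allowed". The ARNs and account ID in it are constructed sample values.

```python
"""Offline evaluator for the tag-enforcement SCP in the question.

Added example (not AWS code, not the asker's): it rebuilds the same Deny
statements programmatically and reports which of them a given API request
would trip.  Only the explicit-deny side of SCP evaluation is modelled; the
Allow side (e.g. FullAWSAccess) and identity policies are assumed to permit
the call.  All ARNs and account IDs below are constructed sample values.
"""
import re

REQUIRED_TAGS = ["InfraOwner", "Product", "Name"]

# (service label, actions, resources, tag keys) reproducing the question's SCP.
TARGETS = [
    ("EC2", ["ec2:RunInstances", "ec2:StartInstances"],
     ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"], REQUIRED_TAGS),
    ("Lambda", ["lambda:Create*"], ["*"], REQUIRED_TAGS),
    ("RDS", ["rds:CreateDBInstance", "rds:CreateDBCluster"], ["*"], REQUIRED_TAGS),
    ("DynamoDB", ["dynamodb:CreateTable"], ["*"], ["Name"]),
]


def deny_missing_tag(sid, actions, resources, tag_key):
    """One Deny statement that matches when aws:RequestTag/<tag_key> is absent."""
    return {
        "Sid": sid, "Effect": "Deny", "Action": actions, "Resource": resources,
        "Condition": {"Null": {f"aws:RequestTag/{tag_key}": "true"}},
    }


SCP = {
    "Version": "2012-10-17",
    "Statement": [
        deny_missing_tag(f"Deny{svc}Creation{tag}Tag", actions, resources, tag)
        for svc, actions, resources, tags in TARGETS
        for tag in tags
    ],
}


def _glob(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' matches any run of characters (including
    ':' and '/'), '?' a single character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys.

    Only the Null operator is implemented; any other operator raises, so the
    evaluator never silently reports "not denied" for a statement it cannot judge.
    """
    for operator, clauses in condition.items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
        for key, value in clauses.items():
            expect_absent = str(value).lower() == "true"
            if (key not in context) != expect_absent:
                return False
    return True


def matching_denies(action, resource, request_tags, scp=SCP):
    """Sids of the Deny statements that match a request.

    request_tags are the tags carried in the create call itself; tags added
    afterwards with a TagResource call never populate aws:RequestTag.
    """
    context = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    hits = []
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_glob(p, action, case_sensitive=False) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            hits.append(stmt["Sid"])
    return hits


def is_denied(action, resource, request_tags, scp=SCP):
    return bool(matching_denies(action, resource, request_tags, scp))


def required_tag_keys(action, resource, scp=SCP):
    """Tag keys a create call must carry so that no Deny statement matches."""
    tripped = set(matching_denies(action, resource, {}, scp))
    return {
        key.split("/", 1)[1]
        for stmt in scp["Statement"] if stmt["Sid"] in tripped
        for key in stmt.get("Condition", {}).get("Null", {})
        if key.startswith("aws:RequestTag/")
    }


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/ashish0001"
    print(matching_denies("dynamodb:CreateTable", table, {}))  # no Tags in the call
    print(matching_denies("dynamodb:CreateTable", table, {"Name": "ashish0001"}))
    db = "arn:aws:rds:us-east-1:123456789012:db:example"
    print(required_tag_keys("rds:CreateDBInstance", db))
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print(matching_denies("ec2:StartInstances", instance, {}))  # a start call carries no tags
```

With an empty tag set, `dynamodb:CreateTable` is matched by `DenyDynamoDBCreationNameTag`, which is the explicit deny in the error message above: `aws:RequestTag/Name` is only populated when the `Tags` parameter is sent in the `CreateTable` request itself, and a tag applied after creation through `TagResource` does not satisfy it. Supplying the tags in the create call, for example `aws dynamodb create-table ... --tags Key=Name,Value=ashish0001` or `aws rds create-db-instance ... --tags Key=InfraOwner,Value=... Key=Product,Value=... Key=Name,Value=...`, clears every matching statement. The same check also shows that `ec2:StartInstances` is denied for every request: a start call never carries request tags, so its `Null` condition is always true.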