SCP to enforce tags fails

0

After attaching the above SCP policy to an account, I am unable (with Administrator access) to launch an instance with all the compliant tags. The policy is working fine when I deploy an instance with incorrect tags. Does it require an special permissions? Any advice please. I used the policy from the following link: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

I modified the policy just to reflect the tag keys applicable in my environment, the policy below:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyEC2CreationSCP1", "Effect": "Deny", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:::instance/", "arn:aws:ec2:::volume/" ], "Condition": { "Null": { "aws:RequestTag/CostCode": "True" } } }, { "Sid": "DenyEC2CreationSCP2", "Effect": "Deny", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:.:instance/", "arn:aws:ec2:.:volume/" ], "Condition": { "Null": { "aws:RequestTag/Project_Team": "True" } } } ] }

  • Did you make any changes to the SCP in the blog post - if so, could you post the exact SCP you're using?

1 Answer
0

Hi @Ed, I modified the policy just to reflect the tag keys applicable in my environment, the policy below: { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyEC2CreationSCP1", "Effect": "Deny", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:::instance/", "arn:aws:ec2:::volume/" ], "Condition": { "Null": { "aws:RequestTag/CostCode": "True" } } }, { "Sid": "DenyEC2CreationSCP2", "Effect": "Deny", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:.:instance/", "arn:aws:ec2:.:volume/" ], "Condition": { "Null": { "aws:RequestTag/Project_Team": "True" } } } ] }

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions