By using AWS re:Post, you agree to the Terms of Use

Enforcing Tag Policies on existing instances


A customer is using tagging policies and enforcing them SCP, so that an instance can't run unless it's tagged with relevant required tags.

If they were to attach that SCP, currently triggered on ec2:RunInstances, to an account with already running instances and potentially untagged or tagged in a non-compliant way, what would happen? Would it stop the instances or only prevent them from restarting once stopped?

  • After attaching the above SCP policy to an account, I am unable (with Administrator access) to launch an instance with all the compliant tags. The policy is working fine when I deploy an instance with incorrect tags. Does it require an special permissions? Any advice please.

1 Answer
Accepted Answer

RunInstances is the API for launching instances so an SCP that limits use of it with conditions will only apply to launching new ones.

StartInstances and StopInstances are for stop/start actions.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions