SCP - Require tag Project on every resource

0

Hello,

I'm looking into SCPs, and I see that's possible to require a tag for EC2 for example with the following policy:

{
      "Sid": "DenyRunInstanceWithNoProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }

But what in case when I want to create a policy which would deny creation or any modification of any resource when it doesn't have tag Project. Can I simply use wildcard for action and resource, like below?

{
      "Sid": "DenyResourcesWithNoProjectTag",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }
asked 5 months ago171 views
1 Answer
1

Hello.

If you set this, all resources that do not have tags set will become Deny, so some services will become inoperable.
For example, you may encounter problems such as not being able to select an AMI even if you want to start EC2.
Therefore, I think it is necessary to set the required action in "Action" and which resource to target in the "Resource" section.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html

profile picture
EXPERT
answered 5 months ago
  • If you set this, all resources that do not have tags set will become Deny, so some services will become inoperable.

    But that would only apply to resources which can be tagged, right? And may be inoperable until they are tagged with Project, right?

  • Yes, services that allow tagging may become unavailable.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions