SCP - Require tag Project on every resource

Question

Hello,

I'm looking into SCPs, and I see that's possible to require a tag for EC2 for example with the following policy:

```json
{
      "Sid": "DenyRunInstanceWithNoProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }
```

But what in case when I want to create a policy which would deny creation or any modification of any resource when it doesn't have tag Project. Can I simply use wildcard for action and resource, like below?

```json
{
      "Sid": "DenyResourcesWithNoProjectTag",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }
```

Answer

Hello.

If you set this, all resources that do not have tags set will become Deny, so some services will become inoperable.  
For example, you may encounter problems such as not being able to select an AMI even if you want to start EC2.  
Therefore, I think it is necessary to set the required action in "Action" and which resource to target in the "Resource" section.  
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html

SCP - Require tag Project on every resource

Relevant content