By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Can't get tagging enforcement to work

0

I have followed all the steps in the AWS' KB to create a policy and assign it to the member (active AWS Account).:

https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

I am having issues enforcing the creation of the EC2 instances and requiring 'Name' and 'Product' tags to be included before launching it and displaying 'Launch Failed'.

Here is the code provided that I modified to my need:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationSCP1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    }
  ]
}

Could someone let me know what I could be doing wrong?

Topics
Compute
Tags
Amazon EC2Tagging
Language
English
rePost-User-0288970
asked 2 years ago408 views
3 Answers
0

Did you follow all of the steps:

  1. Enable tag policies for the organization
  2. Create the tag policy for the Name and Product tags (your code snippet above only shows a policy for a Product tag)
  3. Attach the tag policy to the Account or OU containing the account your testing in?
  4. Create the SCP(s) to enforce the presence of the the two required tags? -- the tag policy in step 2 only enforces the required tag value, not that the tag itself is present
  5. Attach the 'tag present' SCP to the Account or OU containing the account your testing in?
AWS
Scott_K
answered 2 years ago
0

I don't think I did 4. I did the other items already. Let me work on these and will report back. Thanks for your help.

rePost-User-0288970
answered 2 years ago
0

I did this although I am not 100% sure I am doing it correctly. I want the 'Product' tag to be only these values specified and if they are not, or the tag is not even added, then enforce for the instance to error out and not launch. What am I missing here?

{
  "tags": {
    "Product": {
      "tag_key": {
        "@@assign": "Product"
      },
      "tag_value": {
        "@@assign": [
          "Name1",
          "Name2",
          "Name3",
          "Name4",
          "Name5",
          "Name6",
          "Name7",
          "Name8"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance",
          "ec2:volume"
        ]
      }
    }
  }
}
rePost-User-0288970
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content