By using AWS re:Post, you agree to the Terms of Use

Enforce Tags SCP for DynamoDB is not working


Hi, I followed this official guide from aws in order to implement a tagging strategy for resources in my AWS Organization

The example is for EC2 instances, I followed all steps and this worked, however when I wanted to replicate the steps for S3, RDS and DynamoDB it did not work.

The following is the SCP I want to use in order to enforce the tag test to be on every created dynamodb table. This is exactly how it is done in the Guide for EC2.

	"Version": "2012-10-17",
	"Statement": [
			"Sid": "Statement1",
			"Effect": "Deny",
			"Action": [
			"Resource": [
			"Condition": {
				"Null": {
					"aws:RequestTag/test": "true"

However when I try to create a DynamoDB Table with the tag test I get the following error message. I am passing the tag test, however I still get a deny.

User: arn:aws:sts::<account>:assumed-role/<role>/<email> is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:eu-central-1:<table>:<table> with an explicit deny. 

I tried creating this SCP for the Services RDS, S3 and DynamoDB, only EC2 seems to work.

Do you have an idea what the error could be or is anyone using this tagging strategy in their AWS Organization/AWS Control Tower. Would be interested to hear what your experience is as this seems really complicated to me to implement and does not work so far.

Looking forward to hear form you people :)

No Answers

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions