SCP not getting applied on EC2 Auto Scaling Groups


I am trying to enforce a tag InfraOwner on ASGs and the resources created by them through the following SCP, but it is not working: the ASG is getting created even without the InfraOwner tag.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2AuxilliaryInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "autoscaling:CreateAutoScalingGroup"
      ],
      "Resource": [
        "arn:aws:autoscaling:*:*:autoScalingGroup/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    }
  ]
}

Can someone help here?

  • Hey @ashish0093 Just checking back with you about the answer provided.

    Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

1 Answer

Try the following

],
  "Condition": {
    "StringNotLike": {
      "aws:RequestTag/InfraOwner": "?*"
    }
  }
}

Explanation: The <InfraOwner> will be required on all ASGs. The “?*” enforces that there is some value for the key of InfraOwner. Replacing this with “?” doesn’t require the value be present, but still requires the <InfraOwner>.

Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

D G
answered 10 months ago
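The following is an added illustration, not code from the asker or the answerer: a small Python model of how an explicit Deny with a tag Condition is evaluated, covering both the Null condition from the question and the StringNotLike "?*" condition from the answer. It is a simplified re-implementation of two IAM condition operators, not the AWS evaluation engine. The sample ARN is constructed (placeholder account id and group id) in the shape AWS documents for Auto Scaling group ARNs, autoScalingGroup:<group-id>:autoScalingGroupName/<name>, so the example can also check whether the Resource pattern from the question actually matches a real-shaped ARN; the corrected pattern autoScalingGroup:* is this example's own suggestion to verify, not part of either post.

```python
"""Model of how an SCP Deny statement with a tag Condition is evaluated.

Simplified re-implementation of the IAM operators used in this thread
(Null, StringNotLike) for illustration; it is not AWS's policy engine.
"""
import fnmatch

# Constructed sample ARN in the documented shape for Auto Scaling groups:
#   arn:partition:autoscaling:region:account:autoScalingGroup:<group-id>:autoScalingGroupName/<name>
# Account id and group id below are placeholders.
ASG_ARN = ("arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:"
           "11111111-2222-3333-4444-555555555555:autoScalingGroupName/web-asg")

RESOURCE_FROM_QUESTION = "arn:aws:autoscaling:*:*:autoScalingGroup/*"   # pattern posted above
RESOURCE_CORRECTED = "arn:aws:autoscaling:*:*:autoScalingGroup:*"       # assumption: ':' not '/'

COND_NULL = {"Null": {"aws:RequestTag/InfraOwner": "true"}}             # from the question
COND_NOT_LIKE = {"StringNotLike": {"aws:RequestTag/InfraOwner": "?*"}}  # from the answer

ACTION = "autoscaling:CreateAutoScalingGroup"


def glob_match(pattern, value):
    """IAM-style wildcard match: '*' any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def condition_matches(condition, context):
    """True when every operator/key pair in `condition` holds for `context`.

    `context` maps request-context keys (e.g. aws:RequestTag/InfraOwner) to
    their string value; a key that is absent means no such tag was sent.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null:"true" matches only when the key is absent from the request
                want_absent = (expected == "true")
                if present == want_absent:
                    return False
            elif operator == "StringNotLike":
                # Negated operator: a missing key counts as a match (IAM semantics);
                # a present key matches only if its value does NOT fit the pattern
                if present and glob_match(expected, context[key]):
                    return False
            else:
                raise ValueError("operator not modelled here: " + operator)
    return True


def deny_applies(resource_pattern, condition, action, resource_arn, context):
    """Evaluate one explicit-Deny statement shaped like the policies in this thread."""
    return (action == ACTION
            and glob_match(resource_pattern, resource_arn)
            and condition_matches(condition, context))


def evaluate(resource_pattern, condition):
    """Deny outcome for three constructed requests: no tag, empty value, proper tag."""
    cases = {
        "no-tag": {},
        "empty-value": {"aws:RequestTag/InfraOwner": ""},
        "tagged": {"aws:RequestTag/InfraOwner": "platform-team"},
    }
    return {name: deny_applies(resource_pattern, condition, ACTION, ASG_ARN, ctx)
            for name, ctx in cases.items()}


if __name__ == "__main__":
    print("question's Resource pattern matches sample ARN:",
          glob_match(RESOURCE_FROM_QUESTION, ASG_ARN))
    print("Null condition, corrected Resource:   ", evaluate(RESOURCE_CORRECTED, COND_NULL))
    print("StringNotLike '?*', corrected Resource:", evaluate(RESOURCE_CORRECTED, COND_NOT_LIKE))
```

Two things the run makes visible: a Resource pattern that never matches the ARN shape of the created resource means the Deny never fires whatever the Condition says, so that is the first thing to check when an SCP "is not working"; and once the Resource matches, Null:"true" denies only a request with no InfraOwner key at all, while StringNotLike "?*" also denies a request that sends the key with an empty value, which is what the answer's explanation describes.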
