
SCP to deny EC2 instance creation based on tags does not allow creating EC2 even if its tags are compliant

0

Hi, I am following this blog to create an SCP to deny EC2 creation if tags are not compliant: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

But even after adding the correct tags and values, it does not allow creating EC2, and the instance launch fails every time with the message: "Instance launch failed. You are not authorized to perform this operation. Encoded authorization failure message: <encoded message>", which decodes as below:

"{"allowed":false,"explicitDeny":true,"matchedStatements":{"items":[{"statementId":"DenyEC2CreationSCP1","effect":"DENY","principals":{"items":[{"value":"AAAAAAAAAAAAAAAAAA"}]},"principalGroups":{"items":[]},"actions":{"items":[{"value":"ec2:RunInstances"}]},"resources":{"items":[{"value":"arn:aws:ec2:::instance/"},{"value":"arn:aws:ec2:::volume/"}]},"conditions":{"items":[{"key":"aws:RequestTag/costcenter","values":{"items":[{"value":"true"}]}}]}}]},"failures":{"items":[]},"context":{"principal":{"id":"AAAAAAAAAAAAAAAAAA:aaaa-user","arn":"arn:aws:sts::123456789123:assumed-role/Admin/aaaa-user"},"action":"ec2:RunInstances","resource":"arn:aws:ec2:us-east-1:123456789123:instance/","conditions":{"items":[{"key":"ec2:MetadataHttpPutResponseHopLimit","values":{"items":[{"value":"2"}]}},{"key":"ec2:InstanceMarketType","values":{"items":[{"value":"on-demand"}]}},{"key":"aws:Resource","values":{"items":[{"value":"instance/"}]}},{"key":"aws:Account","values":{"items":[{"value":"123456789123"}]}},{"key":"ec2:AvailabilityZone","values":{"items":[{"value":"us-east-1c"}]}},{"key":"ec2:ebsOptimized","values":{"items":[{"value":"false"}]}},{"key":"ec2:IsLaunchTemplateResource","values":{"items":[{"value":"false"}]}},{"key":"ec2:InstanceType","values":{"items":[{"value":"t2.micro"}]}},{"key":"ec2:RootDeviceType","values":{"items":[{"value":"ebs"}]}},{"key":"aws:Region","values":{"items":[{"value":"us-east-1"}]}},{"key":"aws:Service","values":{"items":[{"value":"ec2"}]}},{"key":"ec2:InstanceID","values":{"items":[{"value":""}]}},{"key":"ec2:MetadataHttpTokens","values":{"items":[{"value":"required"}]}},{"key":"aws:Type","values":{"items":[{"value":"instance"}]}},{"key":"ec2:Tenancy","values":{"items":[{"value":"default"}]}},{"key":"ec2:Region","values":{"items":[{"value":"us-east-1"}]}},{"key":"aws:ARN","values":{"items":[{"value":"arn:aws:ec2:us-east-1:123456789123:instance/"}]}}]}}}"

I have the FullAWSAccess default SCP policy at the root, and the ec2tagenforcement SCP policy (same as in the blog link above) at the OU level.

Any advice please? I saw a few similar posts but no luck.

AWS
asked 3 years ago · 1.5K views
2 Answers
0
Accepted Answer

Looks as though your SCP is matching, which means the tag name it's looking for is null. If you don't speak American English, try double-checking the spelling of your tag name? The tag in the blog post uses costcenter, so check you're not naming your tag costcentre?

AWS
answered 3 years ago
EXPERT
reviewed 2 years ago
  • Never realized I had been using "costcentre" and not "costcenter" :-|

0

While creating the instance, you should select both Instances and Volumes for tags as below; if you don't choose both for tagging, instance creation will fail.

You might be adding tags, but by default they would apply only to the instance, not the volume, so the SCP explicit deny would come into effect as shown in the error message.

Edit: Adding snapshots for your reference for adding tags:


AWS
EXPERT
answered 3 years ago
  • Hi, I am selecting both Instances and Volumes, and still I get the authorization error. Also, I have the Admin role. With any SCP I can create EC2. Are you able to make it work in your environment?

  • Hey,

    I got the problem: if you look at the tag policy (Step 1), the allowed values for the tag costcenter are CC102, CC103, CC104, and the allowed values for team are Team1, Team2, Team3. I assume you have copy-pasted the policies from the blog as is, which means you can only pass values for these two tags from the allowed values.

    Earlier, I only tested with those conditions, not with the exact policies. I'm attaching a snapshot in the answer for your reference.
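The following is an added example, not part of either answer or of the AWS blog post, that reproduces the evaluation logic both answers describe for the statement the decoded message shows matching (DenyEC2CreationSCP1: explicit deny on ec2:RunInstances for instance and volume resources, conditioned on aws:RequestTag/costcenter). It assumes the condition operator is Null, as the accepted answer suggests (the decoded message does not show the operator), and uses the tag-policy allowed values quoted in the comment thread. The four request shapes are constructed to show the three failure modes raised on this page: a misspelled tag key, tags applied to the instance but not the volume, and a value outside the tag policy's allowed set.

```python
"""Added example: evaluate a RunInstances request against the tag-enforcement SCP
described on this page. Assumptions (not from the page): the SCP condition operator
is "Null"; the tag policy is enforced on both ec2:instance and ec2:volume."""

from typing import Dict, List, Tuple

# Statement reconstructed from the decoded authorization message in the question.
DENY_STATEMENT = {
    "Sid": "DenyEC2CreationSCP1",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
    # Assumed operator: Null/"true" matches when the request carries no such tag key.
    "Condition": {"Null": {"aws:RequestTag/costcenter": "true"}},
}

# Allowed values quoted in the comment thread (tag policy, "Step 1" of the blog post).
ALLOWED_VALUES = {
    "costcenter": {"CC102", "CC103", "CC104"},
    "team": {"Team1", "Team2", "Team3"},
}

# RunInstances creates both an instance and its EBS root volume; each is a resource
# the deny statement lists, so the condition is evaluated per resource type.
CREATED_RESOURCE_TYPES = ("instance", "volume")


def request_tags_for(tag_specs: List[dict], rtype: str) -> Dict[str, str]:
    """Collect the aws:RequestTag/* keys the call would apply to one resource type,
    mirroring the TagSpecifications parameter of RunInstances."""
    tags: Dict[str, str] = {}
    for spec in tag_specs:
        if spec.get("ResourceType") == rtype:
            for tag in spec.get("Tags", []):
                tags[tag["Key"]] = tag["Value"]
    return tags


def null_condition_matches(block: Dict[str, str], tags: Dict[str, str]) -> bool:
    """IAM 'Null' semantics: "true" matches when the key is absent, "false" when present."""
    prefix = "aws:RequestTag/"
    for key, expected in block.items():
        if not key.startswith(prefix):
            raise ValueError(f"unsupported condition key in this example: {key}")
        present = key[len(prefix):] in tags
        if (expected == "true") != (not present):
            return False
    return True


def evaluate_run_instances(tag_specs: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Return {resource_type: (decision, reason)} for one RunInstances request."""
    results: Dict[str, Tuple[str, str]] = {}
    for rtype in CREATED_RESOURCE_TYPES:
        tags = request_tags_for(tag_specs, rtype)
        if null_condition_matches(DENY_STATEMENT["Condition"]["Null"], tags):
            results[rtype] = ("DENY", f"{DENY_STATEMENT['Sid']} matched: costcenter tag absent on {rtype}")
            continue
        bad = sorted(k for k, v in tags.items() if k in ALLOWED_VALUES and v not in ALLOWED_VALUES[k])
        if bad:
            results[rtype] = ("DENY", f"tag policy: value not allowed for {', '.join(bad)}")
            continue
        results[rtype] = ("ALLOW", "compliant")
    return results


def launch_allowed(tag_specs: List[dict]) -> bool:
    """The launch succeeds only if no created resource hits an explicit deny."""
    return all(d == "ALLOW" for d, _ in evaluate_run_instances(tag_specs).values())


def spec(rtype: str, **tags: str) -> dict:
    """Build one TagSpecifications entry (constructed sample input)."""
    return {"ResourceType": rtype, "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}


# Constructed scenarios matching the situations discussed on this page.
MISSPELLED_KEY = [spec("instance", costcentre="CC102"), spec("volume", costcentre="CC102")]
INSTANCE_ONLY = [spec("instance", costcenter="CC102", team="Team1")]
BAD_VALUE = [spec("instance", costcenter="CC101"), spec("volume", costcenter="CC101")]
COMPLIANT = [spec("instance", costcenter="CC102", team="Team1"),
             spec("volume", costcenter="CC102", team="Team1")]

if __name__ == "__main__":
    for name, specs in [("misspelled key", MISSPELLED_KEY), ("instance only", INSTANCE_ONLY),
                        ("bad value", BAD_VALUE), ("compliant", COMPLIANT)]:
        print(f"{name}: launch_allowed={launch_allowed(specs)}")
        for rtype, (decision, reason) in evaluate_run_instances(specs).items():
            print(f"  {rtype}: {decision} ({reason})")
```

A useful check when triaging this kind of failure: decode the message with `aws sts decode-authorization-message --encoded-message <message>` and look at the `context.conditions` list. In the message quoted in the question it contains no `aws:RequestTag/*` entry at all, which is exactly what a Null condition on a missing or misspelled tag key would match on.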
