SCP to deny EC2 instance creation base on tags does not allow to create EC2 even if it tags are compliant

Question

Hi I am following this blog to create scp to deny ec2 creation if tags are not compliant:
 https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

But even after adding correct tags and values, it does not allow to create ec2 and instance launch fails everytime with message:
"Instance launch failed
You are not authorized to perform this operation. Encoded authorization failure message:  " as below:

> "{\"allowed\":false,\"explicitDeny\":true,\"matchedStatements\":{\"items\":[{\"statementId\":\"DenyEC2CreationSCP1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AAAAAAAAAAAAAAAAAA\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/costcenter\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}}]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AAAAAAAAAAAAAAAAAA:aaaa-user\",\"arn\":\"arn:aws:sts::123456789123:assumed-role/Admin/aaaa-user\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:123456789123:instance/*\",\"conditions\":{\"items\":[{\"key\":\"ec2:MetadataHttpPutResponseHopLimit\",\"values\":{\"items\":[{\"value\":\"2\"}]}},{\"key\":\"ec2:InstanceMarketType\",\"values\":{\"items\":[{\"value\":\"on-demand\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"instance/*\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"123456789123\"}]}},{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1c\"}]}},{\"key\":\"ec2:ebsOptimized\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"ec2:IsLaunchTemplateResource\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"ec2:InstanceType\",\"values\":{\"items\":[{\"value\":\"t2.micro\"}]}},{\"key\":\"ec2:RootDeviceType\",\"values\":{\"items\":[{\"value\":\"ebs\"}]}},{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"ec2:InstanceID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},{\"key\":\"ec2:MetadataHttpTokens\",\"values\":{\"items\":[{\"value\":\"required\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"instance\"}]}},{\"key\":\"ec2:Tenancy\",\"values\":{\"items\":[{\"value\":\"default\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:123456789123:instance/*\"}]}}]}}}"

I have **fullAWSAccess default SCP policy** at root. And **ec2tagenforcement SCP policy** (same as in above blog link)  at OU level.

Any advise please? I saw few similar posts but no luck.

Accepted Answer

Looks as though your SCP is matching, which means the tag name it's looking for is Null. If you don't speak American English, try double checking the spelling of your tag name? The tag in the blog post uses costcent**er**, so check you're not  naming your tag costcent**re**?

Answer

While creating instance, you should select **Instances** and **Volumes** both for tags as below, if you won't choose both for tagging then instance creation would fail.

You might be adding tags but by default, it would apply only to instance not volume so SCP explicit deny would come into effect as shown in error message.

Edit: Adding snapshot for your reference for adding tags:

![Enter image description here](/media/postImages/original/IMRZiiEKHwQ2eMUNSOipfvFQ)

![Enter image description here](/media/postImages/original/IMxuRlCbcOT--F-n3iTrVEkw)

![Enter image description here](/media/postImages/original/IMQez9AmDVQbu5EKeS5T86Rw)

SCP to deny EC2 instance creation base on tags does not allow to create EC2 even if it tags are compliant

Relevant content