无法基于标签拒绝快照创建。

【以下的问题经过翻译处理】 客户想要阻止创建资源，除非它们具有特定的标签。我目前正在使用以下SCP处理EC2快照、卷和实例：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

但这个策略不允许我创建EC2快照，无论我是否指定标签，但它适用于创建EBS卷或EC2实例。 Now If I separate the ec2:CreateSnapshot into its own statement then it works as expected like the following: 现在，如果我将ec2:CreateSnapshot分离出来，写一个它自己的语句，它就像下面所示一样按预期工作：

enter code here
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    },
    {
      "Sid": "GRAPPTAG3",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

因此，我想知道这是为什么以及是否有任何方式将它们合并成一个语句。