I'm trying to apply an AWS Service Control Policy that prevents the creation of an EC2 instance unless a specific tag is provided in the request.
Why is the following SCP denying the creation of an EC2 instance (with an ENI & EBS volume) under, from what I can tell, all circumstances, even if I provide the required tag? (FYI, I am creating the instance from the AWS Console and am adding the tag in the request.) Without this policy applied, I am able to create the instance successfully.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireEnvironmentTag",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateTags",
                "ec2:RunInstances"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:TagKeys": "sc:environment"
                }
            }
        }
    ]
}
CodePudding user response:
The SCP you're providing has Resource set to *, which is preventing the creation of your ENI (network-interface).
Set the resource to specific supported resource types defined by Amazon EC2 to fix the issue.
For example, the below SCP should only allow EC2 instances with the tag key of sc:environment to be created.
I also assume you are specifying ec2:CreateTags as an action to block modification of tags after they've been set, as ec2:CreateTags is evaluated for modifying existing tags as well as creating new ones (they should probably rename the action).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireEnvironmentTag",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateTags",
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:TagKeys": "sc:environment"
                }
            }
        }
    ]
}
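To see why the first SCP denies the call and the second does not, here is an added example (not part of the question or the answer) that simulates how the Deny is evaluated against each resource a single RunInstances call creates. It assumes a constructed request where the console tag lands on the instance only and the root volume and ENI carry no tags; ARNs, account ID and resource IDs are made up.

```python
"""Simulate SCP evaluation of a Deny with ForAllValues:StringNotEquals on
aws:TagKeys for the resources one ec2:RunInstances call creates."""
from fnmatch import fnmatchcase

REQUIRED_KEYS = ("sc:environment",)

# Constructed request context (hypothetical ARNs): one RunInstances call that
# creates an instance, its root EBS volume and an ENI. The console tag was
# applied to the instance only (assumption: no TagSpecification for the
# volume or network-interface resource types).
CONSOLE_REQUEST = {
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0": {"sc:environment", "Name"},
    "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0": set(),
    "arn:aws:ec2:us-east-1:111122223333:network-interface/eni-0123456789abcdef0": set(),
}


def for_all_values_string_not_equals(request_keys, allowed):
    """ForAllValues: every key in the request must satisfy StringNotEquals
    against every allowed value. With an empty request key set, all() is
    vacuously True, which is what makes an untagged resource match the Deny."""
    return all(key != value for key in request_keys for value in allowed)


def evaluate_deny(scp_resource, request, allowed=REQUIRED_KEYS):
    """Return the resources (type/id) the Deny statement matches: the Resource
    element must cover the ARN and the Condition must evaluate to True."""
    denied = []
    for arn, tag_keys in request.items():
        if fnmatchcase(arn, scp_resource) and for_all_values_string_not_equals(tag_keys, allowed):
            denied.append(arn.rsplit(":", 1)[1])  # e.g. "volume/vol-..."
    return denied


def run_instances_allowed(scp_resource, request):
    """RunInstances succeeds only if none of the resources it creates is denied."""
    return not evaluate_deny(scp_resource, request)


if __name__ == "__main__":
    for resource in ("*", "arn:aws:ec2:*:*:instance/*"):
        print(f"Resource {resource!r}: denied={evaluate_deny(resource, CONSOLE_REQUEST)}")
```

With Resource "*" the untagged volume and ENI match the Deny, so the whole call fails; scoping Resource to instance/* leaves them out of the evaluation, while an untagged instance is still denied.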