I am using SCP policy to stop ec2 resource ( subnet, security group, instance, vpc) creation when they don't have tags. i am using tag policy to check for compliant tags.
But as soon as i am adding action and resource for vpc in my scp policy, i am not able to create subnet, security group.
Below SCP policy is working fine without vpc resource -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1ForProjectTag",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
],
"Condition": {
"Null": {
"aws:RequestTag/project": [
"true"
]
}
}
}
]
}
This SCP policy is breaking - i.e i am not able to create security group/subnet with proper tags aslo.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1ForProjectTag",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateVpc"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:vpc/*"
],
"Condition": {
"Null": {
"aws:RequestTag/project": [
"true"
]
}
}
}
]
}
Can someone shed a light on this?
CodePudding user response:
It is not recommendable to combine different Actions and Resource in the same statement. It could cause unexpected behaviours or some issues. Also not all actions are applicable to all resources, you need to specify the suitable one.
So first it is necessary to split the statement into multiple ones. Then change the effect from Allow to Deny and condition to 'StringNotEquals'.
The SCP should be similar to this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1ForProjectTag",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:TagKeys": [
"project"
]
}
}
},
{
"Sid": "Statement2ForProjectTag",
"Effect": "Deny",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:TagKeys": [
"project"
]
}
}
},
{
"Sid": "Statement3ForProjectTag",
"Effect": "Deny",
"Action": [
"ec2:CreateSubnet"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:TagKeys": [
"project"
]
}
}
},
{
"Sid": "Statement4ForProjectTag",
"Effect": "Deny",
"Action": [
"ec2:CreateVpc"
],
"Resource": [
"arn:aws:ec2:*:*:vpc/*"
],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:TagKeys": [
"project"
]
}
}
}
]
}