I've got this Service Control Policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEC2ActionsWithoutTags",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateVpc",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:vpc/*",
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/Name": [
                        "?*"
                    ]
                }
            }
        }
    ]
}
And I expect it to enforce a rule that tags are created with the key of Name and must have an associated value from a list I've defined in a separate policy, otherwise resource creation should fail.
I'm not sure what I'm doing wrong, as security groups still get created without a key Name.
The VPC and EC2 instance creation fails without a Name as expected, but not the security groups, which I find odd.
Is there a way to enforce that all EC2 taggable resources must have a key of Name and an associated value at creation time?
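As an added example (not part of the question or the reply below), here is a small Python model of how IAM evaluates the Deny statement above: the wildcard matching used for Action, Resource and the String*Like operators, and the rule that a negated operator such as StringNotLike is satisfied when the condition key is absent from the request context. Running it over constructed requests shows why a missing Name tag, or a Name tag with an empty value, is caught by `"?*"` while a non-empty value passes. The function names, the sample account and region in the ARNs, and the request cases are all assumptions made for this example; it models the documented operator semantics only, not the EC2 service's own resource evaluation, so it does not explain the security-group behaviour the question reports.

```python
import json
import re

# The Deny statement from the question's SCP, reproduced for this example.
SCP = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2ActionsWithoutTags",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVpc", "ec2:CreateSecurityGroup"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {"StringNotLike": {"aws:RequestTag/Name": ["?*"]}}
    }
  ]
}
""")


def iam_match(pattern, value):
    """IAM wildcard matching: '*' is any run of characters, '?' exactly one.
    Used for the Action and Resource elements and for the String*Like operators."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value) is not None


def string_not_like(context, key, patterns):
    """StringNotLike as IAM evaluates it: a negated operator is satisfied when the
    key is absent from the request context, and otherwise when the value matches
    none of the listed patterns."""
    if key not in context:
        return True
    return not any(iam_match(p, context[key]) for p in patterns)


# Only the operator this SCP uses is modelled (assumption for the example).
OPERATORS = {"StringNotLike": string_not_like}


def statement_denies(stmt, action, resource, context):
    """True if a Deny statement applies to this action/resource/context."""
    if stmt["Effect"] != "Deny":
        return False
    if not any(iam_match(a, action) for a in stmt["Action"]):
        return False
    if not any(iam_match(r, resource) for r in stmt["Resource"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, patterns in keys.items():
            # Every condition block must be satisfied for the statement to apply.
            if not OPERATORS[operator](context, key, patterns):
                return False
    return True


def scp_explicitly_denies(policy, action, resource, tags):
    """True if any Deny statement applies. Tags supplied at creation become
    aws:RequestTag/<Key> context keys. An SCP never grants access, so False
    only means 'not blocked by this SCP'."""
    context = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    return any(statement_denies(s, action, resource, context)
               for s in policy["Statement"])


# Constructed sample ARNs (account id and region are placeholders); the resource
# id is '*' because it does not exist yet at creation time.
SG_ARN = "arn:aws:ec2:us-east-1:111122223333:security-group/*"
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/*"

if __name__ == "__main__":
    cases = [
        ("ec2:RunInstances", INSTANCE_ARN, {"Name": "web-01"}),   # tagged: passes
        ("ec2:RunInstances", INSTANCE_ARN, {}),                   # no tags: denied
        ("ec2:CreateSecurityGroup", SG_ARN, {"Name": ""}),        # empty value: denied
        ("ec2:CreateSecurityGroup", SG_ARN, {"Owner": "team-a"}), # wrong key: denied
        ("ec2:CreateSecurityGroup", SG_ARN, {"Name": "sg-web"}),  # tagged: passes
    ]
    for action, resource, tags in cases:
        verdict = "DENIED" if scp_explicitly_denies(SCP, action, resource, tags) else "not denied by SCP"
        print(f"{action:26} tags={tags!s:22} {verdict}")
```

For a check against the real evaluation engine rather than this model, the IAM policy simulator (`aws iam simulate-custom-policy`, with `--context-entries` supplying the `aws:RequestTag/Name` value) accepts the same policy document and reports the decision per action and resource.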
Don't try tag enforcement with SCPs. Tag policies are fine, but SCPs to force tags are dangerous... we tried it and Terraform and other services break the API workflow and ultimately stop your teams from being productive.
For example, if you set up an EMR cluster (which is backed by EC2) there is no tag pass-through via the EMR console over to the sub-assets in EC2, and the SCP the way you have it written above will break it.
We gave up on enforcing it using SCPs and are searching for a more robust solution.