I'm currently working on implementing an AWS Organization SCP. I'm aiming to fulfill the following conditions:
- Prevent the 'ec2:RunInstances' action if the required tag keys are absent from the instance.
- Additionally, block the action even if any of the mandatory tag keys are missing.
Thank you!
I tried the policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEC2CreationSCP1",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/Department": "true",
                    "aws:RequestTag/Name": "true"
                }
            }
        }
    ]
}
But this policy only works for condition 1 mentioned above. If any one tag is missing, we are still able to create the instance. Also, I read that we can't use the 'Allow' action in Organization SCPs.
Try to specify a statement for each tag; by specifying multiple tags in the same condition, you are allowing the action if any of the tags is present.
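To see why the single-statement policy behaves as the question describes, here is an added example (not from either poster) that models the relevant part of SCP evaluation: all keys inside one `Null` block must match (logical AND), while any matching Deny statement is enough to deny the request. It evaluates the original policy and the one-statement-per-tag version against constructed request tag sets; the evaluator only implements the `Null` operator, which is all these policies use.

```python
# Added example: minimal evaluator for Deny statements using the Null condition
# operator, applied to the tags supplied on an ec2:RunInstances request.

def null_condition_matches(null_block, request_tags):
    # Every key in a single condition-operator block must match (AND).
    # "true" means the request key must be absent; "false" means it must be present.
    for key, expected in null_block.items():
        tag = key.split("/", 1)[1]            # "aws:RequestTag/Name" -> "Name"
        is_null = tag not in request_tags
        if is_null != (expected == "true"):
            return False
    return True

def scp_denies(policy, request_tags):
    # The request is denied if ANY Deny statement's condition matches (OR).
    return any(
        s["Effect"] == "Deny"
        and null_condition_matches(s.get("Condition", {}).get("Null", {}), request_tags)
        for s in policy["Statement"]
    )

def deny_missing_tag(tag):
    # One Deny statement per required tag key (Sid values are constructed here).
    return {"Sid": f"DenyRunInstancesWithout{tag}", "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": ["arn:aws:ec2:*:*:instance/*"],
            "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}}}

# Policy from the question: both keys inside one Null block.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyEC2CreationSCP1", "Effect": "Deny",
     "Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"Null": {"aws:RequestTag/Department": "true",
                            "aws:RequestTag/Name": "true"}}}]}

# Fix from the answer: a separate statement for each required tag.
FIXED = {"Version": "2012-10-17",
         "Statement": [deny_missing_tag("Department"), deny_missing_tag("Name")]}

if __name__ == "__main__":
    partial = {"Name": "web-01"}                 # constructed request: Department missing
    print("original denies partial request:", scp_denies(ORIGINAL, partial))  # False
    print("fixed denies partial request:   ", scp_denies(FIXED, partial))     # True
```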