Unable to deny snapshot creation based on tags


A customer wants to deny creating resources unless they have specific tags. I'm currently working on EC2 snapshots, volumes, and instances with the following SCP:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "GRAPPTAG2",
        "Effect": "Deny",
        "Action": [
          "ec2:CreateSnapshot",
          "ec2:CreateVolume",
          "ec2:RunInstances"
        ],
        "Resource": [
          "arn:aws:ec2:*::snapshot/*",
          "arn:aws:ec2:*:*:volume/*",
          "arn:aws:ec2:*:*:instance/*"
        ],
        "Condition": {
          "Null": {
            "aws:RequestTag/application": "true"
          }
        }
      }
    ]
  }

But this policy doesn't let me create an EC2 snapshot, regardless of whether I specify the tag or not, while it works as expected for creating an EBS volume or an EC2 instance.

Now, if I separate ec2:CreateSnapshot into its own statement, it works as expected, like the following:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "GRAPPTAG2",
        "Effect": "Deny",
        "Action": [
          "ec2:CreateVolume",
          "ec2:RunInstances"
        ],
        "Resource": [
          "arn:aws:ec2:*:*:volume/*",
          "arn:aws:ec2:*:*:instance/*"
        ],
        "Condition": {
          "Null": {
            "aws:RequestTag/application": "true"
          }
        }
      },
      {
        "Sid": "GRAPPTAG3",
        "Effect": "Deny",
        "Action": [
          "ec2:CreateSnapshot"
        ],
        "Resource": [
          "arn:aws:ec2:*::snapshot/*"
        ],
        "Condition": {
          "Null": {
            "aws:RequestTag/application": "true"
          }
        }
      }
    ]
  }

So I'd like to know why this is happening and if there is any way to combine them into a single statement. Thanks!

asked 4 years ago, 712 views
1 Answer
Accepted answer

The following policy ensures that EC2 instances, volumes and snapshots will only be launched if they have an "application" tag key with any value except a null value.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ec2:RunInstances",
                    "ec2:CreateVolume",
                    "ec2:CreateSnapshot"
                ],
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*",
                    "arn:aws:ec2:*:*:volume/*",
                    "arn:aws:ec2:*::snapshot/*"
                ],
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestTag/application": "?*"
                    }
                }
            }
        ]
    }
answered 4 years ago
  • I tried to implement something almost exactly like this without luck. Are we sure this works?
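The following is an added example, not code from this thread or from AWS. It generates the split policy the question arrives at (one Deny statement per action, each listing only the ARNs of the resource types that action can tag on creation, using the accepted answer's StringNotLike "?*" condition) and runs a small local simulation of IAM's per-resource evaluation that reproduces the behaviour the question describes. It assumes the original statements' Resource lists were the snapshot, volume and instance ARN patterns; that the per-action resource types match the IAM "Actions, resources, and condition keys for Amazon EC2" reference (in particular that ec2:CreateSnapshot is also authorized against the source volume, which the call cannot tag, so aws:RequestTag is absent in that evaluation); and that negated operators such as StringNotLike match when the key is absent. All ARNs and tag values are constructed.

```python
"""Added example (not code from the re:Post thread or from AWS): build the
tag-enforcement SCP with one Deny statement per EC2 action, scoped only to
the resource types that action can tag on creation, and locally simulate
IAM evaluation to show why a single statement that lists the volume ARN
alongside ec2:CreateSnapshot denies every snapshot request.
The per-action resource types below are an assumption taken from the IAM
"Actions, resources, and condition keys for Amazon EC2" reference; verify
them against the current table. The ARNs are constructed."""
import fnmatch
import json

TAG_KEY = "application"

# Resource types each action is authorized against (limited to the types the
# original SCP's Resource element scopes), mapped to whether the request's
# TagSpecifications can populate aws:RequestTag/<key> for that type.
# ec2:CreateSnapshot is also authorized against the *source volume*, which the
# call cannot tag, so aws:RequestTag is absent from that evaluation context.
ACTION_RESOURCE_TYPES = {
    "ec2:CreateSnapshot": {"snapshot": True, "volume": False},
    "ec2:CreateVolume": {"volume": True},
    "ec2:RunInstances": {"instance": True, "volume": True},
}
ARN_PATTERNS = {
    "snapshot": "arn:aws:ec2:*::snapshot/*",
    "volume": "arn:aws:ec2:*:*:volume/*",
    "instance": "arn:aws:ec2:*:*:instance/*",
}
# Constructed ARNs used as the request targets in the simulation.
EXAMPLE_ARNS = {
    "snapshot": "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0",
    "volume": "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0",
    "instance": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
}

# The single-statement form from the question, with the assumed Resource list.
COMBINED_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRAPPTAG2",
        "Effect": "Deny",
        "Action": list(ACTION_RESOURCE_TYPES),
        "Resource": list(ARN_PATTERNS.values()),
        "Condition": {"Null": {f"aws:RequestTag/{TAG_KEY}": "true"}},
    }],
}


def require_tag_scp(tag_key=TAG_KEY):
    """One Deny statement per action, listing only the ARNs of resource types
    that action can tag on creation. StringNotLike '?*' rejects both a
    missing key (negated operators match when the key is absent) and an
    empty value, so a separate Null statement is not needed."""
    statements = []
    for action, types in ACTION_RESOURCE_TYPES.items():
        statements.append({
            "Sid": "RequireTagOn" + action.split(":")[1],
            "Effect": "Deny",
            "Action": [action],
            "Resource": [ARN_PATTERNS[t] for t, taggable in types.items() if taggable],
            "Condition": {"StringNotLike": {f"aws:RequestTag/{tag_key}": "?*"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _condition_matches(cond, value):
    """Evaluate a statement's single aws:RequestTag condition; `value` is
    None when the key is absent from the request context."""
    if "Null" in cond:
        want_absent = next(iter(cond["Null"].values())) == "true"
        return (value is None) == want_absent
    if "StringNotLike" in cond:
        pattern = next(iter(cond["StringNotLike"].values()))
        return value is None or not fnmatch.fnmatchcase(value, pattern)
    raise ValueError("unsupported condition operator")


def denied_resources(policy, action, request_tags, tag_key=TAG_KEY):
    """Return the resource types on which some Deny statement matches.
    IAM evaluates a call against every resource type it touches, so any
    non-empty result means the whole API call is denied. Assumes the
    request's TagSpecifications cover every taggable type it touches."""
    denied = set()
    for rtype, taggable in ACTION_RESOURCE_TYPES[action].items():
        arn = EXAMPLE_ARNS[rtype]
        value = request_tags.get(tag_key) if taggable else None
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Deny":
                continue
            if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
                continue
            if not any(fnmatch.fnmatchcase(arn, r) for r in stmt["Resource"]):
                continue
            if _condition_matches(stmt["Condition"], value):
                denied.add(rtype)
    return denied


if __name__ == "__main__":
    tags = {TAG_KEY: "billing"}
    print("combined, CreateSnapshot with tag ->", denied_resources(COMBINED_SCP, "ec2:CreateSnapshot", tags))
    print("split, CreateSnapshot with tag    ->", denied_resources(require_tag_scp(), "ec2:CreateSnapshot", tags))
    print(json.dumps(require_tag_scp(), indent=2))
```

Running the script prints the split policy ready to attach as an SCP. The local evaluator ignores Allow statements and every condition key other than aws:RequestTag, which is all this question needs; confirm the real behaviour with the IAM policy simulator or in a test account before rolling it out, since the per-action resource-type table is the part most likely to drift.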
