
How do I use SCPs and tag policies so that users in my organization's member accounts in Organizations can't create resources?

I want to use service control policies (SCPs) and tag policies so that users in my member accounts in AWS Organizations can't create AWS resources.

Short description

Use tag policies to maintain standardized tags on supported AWS resources across your member accounts in your organization. By default, tag key capitalization is inherited from the parent policy. To define the case capitalization of the enforced tag key, select Use the capitalization that you've specified above for the tag key. If a parent policy doesn't exist or you don't activate capitalization, then an all-lowercase tag key is considered compliant.

When you create a resource, tag policies check for compliant tag keys that match the defined tag value and capitalization. However, a user can modify the standardized tag keys, and create resources without compliant tags. Use SCPs to restrict the permissions for the entities in your member accounts.

Resolution

Use tag policies to prevent non-compliant tags on new or existing resources

The following policy allows users to change the tag_value for their Amazon Elastic Compute Cloud (Amazon EC2) instances only to Preprod or Production:

{
  "tags": {
    "Environment": {
      "tag_key": {
        "@@assign": "Environment"
      },
      "tag_value": {
        "@@assign": [
          "Preprod",
          "Production"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance"
        ]
      }
    }
  }
}

In the preceding policy, a user can't enter Dev for the tag_value because the policy doesn't define the Dev option. Also, if the policy includes the capitalization option, then the user can't change Environment to environment.

Use SCPs to stop the creation of instance resources without a compliant tag key

The following SCP requires users to include a compliant tag key in the instance's tag metadata when they call the RunInstances API operation. After a user with this SCP attached creates an instance with a compliant tag, that user can't add, modify, or delete tag key-value pairs on it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUpdatingOrDeletingAnyTagOnInstanceWithAnAttachedCompliantTags",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": [
            "Preprod",
            "Production"
          ]
        },
        "Null": {
          "aws:ResourceTag/Environment": "false"
        }
      }
    },
    {
      "Sid": "DenyRunInstancesWithoutOneofTheCompliantTagKeys",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    }
  ]
}

Note: When you call the RunInstances API, make sure to pass all required tags.
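As an added illustration that is not part of the AWS article, the following Python models how the two SCP statements and the tag policy above each react to sample EC2 calls. It assumes a request context dict holding the call's action, the tags passed in the request, and the target instance's existing tags; it models only the Null and StringEquals operators, treats every request as targeting an instance ARN, and reports an SCP deny before running the tag-policy check (a simplification of how AWS evaluates them).

```python
# The SCP's two Deny statements above, reduced to what this model reads (Resource assumed to match).
SCP_STATEMENTS = [
    {"Sid": "DenyUpdatingOrDeletingAnyTagOnInstanceWithAnAttachedCompliantTags",
     "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": ["Preprod", "Production"]},
                   "Null": {"aws:ResourceTag/Environment": "false"}}},
    {"Sid": "DenyRunInstancesWithoutOneofTheCompliantTagKeys", "Action": ["ec2:RunInstances"],
     "Condition": {"Null": {"aws:RequestTag/Environment": "true"}}},
]
# The tag policy above: enforced key (exact capitalization) and its allowed values.
TAG_POLICY = {"Environment": ["Preprod", "Production"]}

def _condition_holds(operator, pairs, req):
    # Only Null and StringEquals are modeled; every key in a block must match (AND).
    for cond_key, expected in pairs.items():
        prefix, _, tag_key = cond_key.partition("/")  # aws:RequestTag/<k> or aws:ResourceTag/<k>
        source = "request_tags" if prefix == "aws:RequestTag" else "resource_tags"
        actual = req.get(source, {}).get(tag_key)
        if operator == "Null" and (actual is None) != (expected == "true"):
            return False  # "true" requires the key to be absent, "false" requires it present
        allowed = expected if isinstance(expected, list) else [expected]
        if operator == "StringEquals" and actual not in allowed:
            return False  # case-sensitive comparison against the listed values
    return True

def scp_denying_sid(req):
    """Return the Sid of the first Deny statement whose Action and Condition match, else None."""
    for stmt in SCP_STATEMENTS:
        if req["action"] in stmt["Action"] and all(
                _condition_holds(op, pairs, req) for op, pairs in stmt["Condition"].items()):
            return stmt["Sid"]
    return None

def tag_policy_violation(tags):
    """Return why the tag policy would reject these tags (key case or value), else None."""
    for key, value in tags.items():
        for enforced, allowed in TAG_POLICY.items():
            if key.lower() == enforced.lower() and key != enforced:
                return f"key {key!r} must be spelled {enforced!r}"
            if key == enforced and value not in allowed:
                return f"value {value!r} for {key!r} not in {allowed}"
    return None

def evaluate(req):
    """Simplification: report the SCP's explicit deny first, then any tag-policy violation."""
    sid = scp_denying_sid(req)
    if sid:
        return f"denied by SCP {sid}"
    violation = tag_policy_violation(req.get("request_tags", {}))
    return f"blocked by tag policy: {violation}" if violation else "allowed"
```

Running the model on an untagged instance shows why both layers are needed: the SCP's tag-protection statement only matches instances that already carry a compliant Environment tag, so the RunInstances deny and the tag policy are what keep non-compliant instances from appearing in the first place.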

Related information

What's the difference between an AWS Organizations service control policy and an IAM policy?

Tag policy syntax