I have created the following SCP to enforce tags on EC2, Lambda and DynamoDB. However, it is not working for DynamoDB.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationProductTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationNameTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationInfraOwnerTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/InfraOwner": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationProductTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Product": "true"
        }
      }
    },
    {
      "Sid": "DenyLambdaCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "lambda:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    },
    {
      "Sid": "DenyDynamoDBCreationNameTag",
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateTable"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    }
  ]
}
```
I am giving the tag Name while creating the table, but it is giving the error:

```
User: arn:aws:iam::458225596744:root is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:458225596744:table/ashish0001 with an explicit deny in a service control policy
```
No other SCP is applied.
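An added worked example, not from the original post and not AWS code, that models offline how the Deny statements above evaluate against constructed request contexts. It rebuilds the same seven statements compactly, implements IAM action wildcards and the `Null` condition operator on `aws:RequestTag/<Key>`, and lists which tag keys each action is checked for. It skips Resource matching and does not talk to AWS, so it cannot reproduce how a particular SDK call or console workflow populates `aws:RequestTag`; what it does make visible is that the `Null` condition only sees tags sent in the same `CreateTable` request (a table tagged by a separate `dynamodb:TagResource` call afterwards is never checked by this SCP), and that the DynamoDB statement enforces only `Name` while the EC2 and Lambda statements enforce three keys. Table and function names in the sample calls are constructed.

```python
import fnmatch
import json


def deny_if_tag_missing(sid, actions, resources, tag_key):
    """One Deny statement in the shape the SCP uses: the "Null" operator with
    value "true" matches when the request carries no aws:RequestTag/<tag_key>."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Action": actions,
        "Resource": resources,
        "Condition": {"Null": {f"aws:RequestTag/{tag_key}": "true"}},
    }


EC2_ACTIONS = ["ec2:RunInstances", "ec2:StartInstances"]
EC2_RESOURCES = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]

# The same seven statements as the SCP above, built compactly.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        deny_if_tag_missing("DenyEC2CreationInfraOwnerTag", EC2_ACTIONS, EC2_RESOURCES, "InfraOwner"),
        deny_if_tag_missing("DenyEC2CreationProductTag", EC2_ACTIONS, EC2_RESOURCES, "Product"),
        deny_if_tag_missing("DenyEC2CreationNameTag", EC2_ACTIONS, EC2_RESOURCES, "Name"),
        deny_if_tag_missing("DenyLambdaCreationInfraOwnerTag", ["lambda:Create*"], ["*"], "InfraOwner"),
        deny_if_tag_missing("DenyLambdaCreationProductTag", ["lambda:Create*"], ["*"], "Product"),
        deny_if_tag_missing("DenyLambdaCreationNameTag", ["lambda:Create*"], ["*"], "Name"),
        deny_if_tag_missing("DenyDynamoDBCreationNameTag", ["dynamodb:CreateTable"], ["*"], "Name"),
    ],
}


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def request_context(action, request_tags):
    """Condition-key context of a single API call. aws:RequestTag/<Key> exists
    only for tags passed in *this* request; a tag applied later by a separate
    TagResource call is not visible when CreateTable is evaluated."""
    ctx = {"action": action}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    return ctx


def action_matches(patterns, action):
    # IAM action names are case-insensitive and allow * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in as_list(patterns))


def null_condition_holds(block, ctx):
    # {"aws:RequestTag/Name": "true"} holds when the key is absent, "false" when present.
    return all((key not in ctx) == (want.lower() == "true") for key, want in block.items())


def statement_denies(stmt, ctx):
    """Resource matching is deliberately not modelled (the statements use "*" or
    name the resource type being created); only Action and Condition are checked."""
    if stmt["Effect"] != "Deny" or not action_matches(stmt["Action"], ctx["action"]):
        return False
    for operator, block in stmt.get("Condition", {}).items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        if not null_condition_holds(block, ctx):
            return False
    return True


def explicit_denies(policy, action, request_tags):
    """Sids of the Deny statements that match one call carrying the given tags."""
    ctx = request_context(action, request_tags)
    return [s["Sid"] for s in policy["Statement"] if statement_denies(s, ctx)]


def required_tag_keys(policy):
    """Tag keys each action pattern is checked for, to spot uneven coverage across services."""
    required = {}
    for s in policy["Statement"]:
        for key in s.get("Condition", {}).get("Null", {}):
            if key.startswith("aws:RequestTag/"):
                for action in as_list(s["Action"]):
                    required.setdefault(action, set()).add(key.split("/", 1)[1])
    return required


if __name__ == "__main__":
    print(json.dumps({a: sorted(k) for a, k in required_tag_keys(SCP).items()}, indent=2))
    # CreateTable carrying Name in the same request: no statement denies it.
    print(explicit_denies(SCP, "dynamodb:CreateTable", {"Name": "example-table"}))
    # CreateTable with no tags in the request: denied by the DynamoDB statement.
    print(explicit_denies(SCP, "dynamodb:CreateTable", {}))
    # A later TagResource call is not covered by this SCP at all.
    print(explicit_denies(SCP, "dynamodb:TagResource", {"Name": "example-table"}))
```

Running it side by side with the real call (for example, by logging the exact `CreateTable` request body the client sends) shows whether the tags actually travel in that request or are applied in a follow-up call, which is the distinction the `Null` condition turns on.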