AWS SCPs With Tags Not Working

Question

Hello,  
  
I tried to follow the example in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2-start-stop-tags.html.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartStopIfTags",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:DescribeTags"
            ],
            "Resource": "arn:aws:ec2:region:account-id:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Project": "DataAnalytics",
                    "aws:PrincipalTag/Department": "Data"
                }
            }
        }
    ]
}
```

But the Policy editor keep complaining with error "**The provided policy document does not meet the requirements of the specified policy type."**.  
  
Please take note that I copied this directly from the documentation.  
  
But when the Effect is changed to 'Deny', it accepts it.. Any idea why this is so?

Answer

Hello,  
  
Currently you can only use resources and conditions in your SCPs with Deny statements. Your policy is an Allow policy, which does not support those policy elements. See the docs here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_scp-syntax.html  
  
You should be able to invert the statements in the policy to create the same effect. For example, you can use NotAction instead of Action and use StringNotEquals instead of StringEquals in your policy condition.  
  
Thanks,  
Mike

Answer

Thanks for the response.. it works now

Answer

Hi,   
MikeS-aws gave the correct answer below.. so removing my comment :-)  
  
Edited by: RandyTakeshita on Sep 20, 2019 11:03 AM

AWS SCPs With Tags Not Working

Relevant content