Dear Team - I have gone through https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/ . As per this, we can create the SCP tag policy to prevent creating new resources if no pre-defined tags are there.
In the above link, the example given is for ec2:RunInstances. This means existing EC2 resources with non-compliant tags will not be impacted, right?
If yes, I am looking for similar functionality for all AWS resources. For example, if I create a new RDS/EC2/S3 resource without the tag "costcenter=0890", it should not let the user create those resources. At the same time, it should also not impact any existing resources without the same tag name and value.
To achieve this, do I need to add a separate action for each individual resource type, like ec2:RunInstances, to stop creating those resources? Do we have any documents for the same? I have 16 linked accounts under the organization.
Thanks, my concern is that the SCP should not disturb existing resources. From the link you provided, if I add "backup:backup-vault" in the SCP with tag enforcement, existing backup vaults will continue to work as they are even with a non-compliant tag, right?
Most likely adding backup-vault won't disturb existing vault operations. Typically these would be something that includes tag inheritance as part of the service, like Auto Scaling or EMR. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html
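An SCP of the kind the question asks about, as an added example that is not from this thread or from the AWS blog post: one Deny statement listing the create actions for EC2 and RDS, conditioned on the `aws:RequestTag/costcenter` value, plus a small checker that mirrors how that condition decides a call. The policy, tag value, and the `scp_denies` helper are constructed for illustration; each action you add must support the `aws:RequestTag` condition key, so check the Service Authorization Reference before extending the list.

```python
"""Constructed SCP plus a checker that mirrors its Deny logic."""
import json

REQUIRED_KEY, REQUIRED_VALUE = "costcenter", "0890"  # constructed values
TAG_KEY = f"aws:RequestTag/{REQUIRED_KEY}"

# Only 'create' actions are listed, so API calls against existing untagged
# resources (Start, Describe, Modify, ...) are never denied by this policy.
# Resource ARNs are narrowed to the taggable resource types: RunInstances
# also references AMIs, subnets and security groups, which carry no request
# tags, and a Deny on "*" would block every launch.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCreateWithoutCostcenter",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "rds:CreateDBInstance"],
        "Resource": ["arn:aws:ec2:*:*:instance/*",
                     "arn:aws:ec2:*:*:volume/*",
                     "arn:aws:rds:*:*:db:*"],
        # IAM treats a missing key as matching a negated operator, so
        # StringNotEquals alone denies both a missing tag and a wrong value.
        "Condition": {"StringNotEquals": {TAG_KEY: REQUIRED_VALUE}},
    }],
}


def scp_denies(action: str, request_tags: dict) -> bool:
    """Return True if the SCP above would deny this call (hypothetical helper)."""
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names are matched case-insensitively.
        if action.lower() not in {a.lower() for a in stmt["Action"]}:
            continue
        for key, wanted in stmt["Condition"]["StringNotEquals"].items():
            tag_name = key.split("/", 1)[1]
            if request_tags.get(tag_name) != wanted:  # absent or wrong value
                return True
    return False


if __name__ == "__main__":
    # Print the document to feed to `aws organizations create-policy`.
    print(json.dumps(SCP, indent=2))
    print("untagged launch denied:", scp_denies("ec2:RunInstances", {}))
    print("existing instance start:", scp_denies("ec2:StartInstances", {}))
```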