How to Enforce tagging in aws using aws organizations Service Control Policies(SCP)

Question

I have tried different configurations of scps but still users can create resources without giving tags. Please suggest me the policy which works in this scenario. PFA example of one policy.

I have tried these policies but it is not working. I am expecting that user should give proper tags while creating aws resources otherwise he should not be allowed to do it.

1)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstanceWithNoProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Env": "true"
        }
      }
    },

{
  "Version": "2012-10-17",
  "Statement": [  
  {
      "Sid": "SCP1",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Env": "true"
        }
      }
}