I have an Org with ROOT + Management Account and TWO Accounts that inherit from Root: Development and Production. In the Development Account I'm creating the following SCPs:
- I have DETACHED the default FullAwsAccess
- SCP will ONLY deny any RDS action (create, delete etc.) --- WORKS
- SCP will ONLY allow EC2 to CREATE EC2s if it has the correct tag values --- WORKS
- SCP will ONLY allow to CREATE EC2s if it has the correct tag keys --- DOESN'T WORK
I am trying to understand why the final SCP is having no effect. I can put in ANY tag named, say, "FOOO". It doesn't matter WHAT tag I put in (it's supposed to fail since I don't have BOTH "ENV" & "OwnerContact" tags), but it's still allowing me to launch the EC2 Instance. As opposed to, say, the second SCP, which fails correctly if I don't put in the ENV tag with either DEV/QA/PROD!!
SCP FullAWSAccess Detached
SCP 1 Attached (Works)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllAccess",
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyRDSAccess",
      "Effect": "Deny",
      "Action": [
        "rds:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
SCP 2 Attached (Works)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLaunchEC2OnlyWithENVTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/ENV": [
            "DEV",
            "QA",
            "PROD"
          ]
        }
      }
    }
  ]
}
```
SCP 3 Attached (Doesn't Work)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AlowOnlySpecificTags",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "ENV",
            "OwnerContact"
          ]
        }
      }
    }
  ]
}
```
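Here is an added Python model (mine, not the poster's policies or AWS's evaluator) of the condition semantics at work in SCP 2 and SCP 3, traced over constructed tag sets for a single ec2:RunInstances call. It also models a Null-based "key must be present" deny, which is my assumption of a fix in the style of the AWS SCP examples, not something the question states.

```python
# Added example (not from the question): a model of the IAM condition
# semantics behind SCP 2 and SCP 3, traced over constructed tag sets for one
# ec2:RunInstances request. The "require both keys" policy is an assumed fix
# in the Null-condition style used by the AWS SCP examples.
ALLOWED_ENV = {"DEV", "QA", "PROD"}
REQUIRED_KEYS = {"ENV", "OwnerContact"}

def for_all_values_string_not_equals(request_values, policy_values):
    """ForAllValues:StringNotEquals is true when EVERY request value lies
    outside the policy set; an empty request set also evaluates to true."""
    return all(v not in policy_values for v in request_values)

def scp2_denies(tags):
    """Deny unless aws:RequestTag/ENV is DEV/QA/PROD. A negated string
    operator on a missing key evaluates true, so no ENV tag also denies."""
    return tags.get("ENV") not in ALLOWED_ENV

def scp3_denies(tags):
    """Deny only when NONE of the request's tag keys (aws:TagKeys) is ENV or
    OwnerContact, so a request carrying ENV plus anything else passes."""
    return for_all_values_string_not_equals(tags.keys(), REQUIRED_KEYS)

def require_both_keys_denies(tags):
    """Assumed fix: one Deny per required key with
    "Null": {"aws:RequestTag/<Key>": "true"}, true when the key is absent."""
    return any(key not in tags for key in REQUIRED_KEYS)

def decision(tags, policies):
    """An explicit Deny in any attached SCP wins; otherwise SCP 1's Allow
    lets the call through."""
    return "Deny" if any(p(tags) for p in policies) else "Allow"

CURRENT = (scp2_denies, scp3_denies)
FIXED = (scp2_denies, require_both_keys_denies)

SAMPLES = {  # constructed sample launches
    "no tags": {},
    "FOOO only": {"FOOO": "x"},
    "ENV only": {"ENV": "DEV"},
    "ENV + FOOO": {"ENV": "DEV", "FOOO": "x"},
    "ENV + OwnerContact": {"ENV": "DEV", "OwnerContact": "team@example.com"},
}

if __name__ == "__main__":
    for name, tags in SAMPLES.items():
        print(f"{name:19} current={decision(tags, CURRENT):5} fixed={decision(tags, FIXED)}")
```

The trace shows the ForAllValues deny in SCP 3 only fires when no required key is present at all, so a launch tagged with ENV (which SCP 2 already requires) plus any extra key is allowed regardless of OwnerContact.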