Wednesday, 18 June 2025

Block resource creation if required tags are missing

 


🔐 Option 1: IAM Policy with Tag Condition Keys

Use the aws:RequestTag/<Key> condition keys in an identity-based IAM policy to deny the create calls unless the request itself carries the required tags (and, if you want, the required values).


📌 Example: Enforce Application and Environment Tags


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateWithoutApplicationTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "s3:CreateBucket",
        "rds:CreateDBInstance",
        "lambda:CreateFunction"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:s3:::*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:RequestTag/Application": "MyApp"
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutEnvironmentTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "s3:CreateBucket",
        "rds:CreateDBInstance",
        "lambda:CreateFunction"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:s3:::*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:RequestTag/Environment": "prod"
        }
      }
    }
  ]
}
  • ✅ Each statement denies the create call unless its tag is present with the expected value (StringNotEqualsIfExists also matches when the tag is absent). Because an explicit Deny from either statement wins, a request gets through only if BOTH Application=MyApp and Environment=prod are in the request.
  • ⚠️ Do not put both keys into a single condition block: keys under one operator are ANDed, so a combined statement would deny only requests in which both tags are wrong or missing, and a request carrying just one of them would pass.
  • The EC2 resources are limited to instance and volume ARNs because ec2:RunInstances also authorizes the AMI, subnet and security group, which carry no request tags; with "Resource": "*" the deny would match those resources and block every launch.
  • Check in the Service Authorization Reference that every listed action supports aws:RequestTag. An action whose create request cannot carry tags is denied unconditionally by this pattern; for such services, enforce tags after creation instead (for example with AWS Config rules).


💡 Add Another Statement to Allow Other Actions:

{
  "Sid": "AllowAllOtherActions",
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}

A Deny statement grants nothing by itself, so the identity still needs an Allow. Be aware that "*" on "*" is full administrative access minus the explicit denies above; in practice scope the Allow to the services and actions the role actually needs, or simply attach the Deny statements alongside the permissions the identity already has.


✅ Option 2: Service Control Policies (SCP) (For AWS Organizations)

If you're using AWS Organizations, attach an SCP to the OU or account so untagged resource creation is blocked in every member account, whatever the IAM policies inside those accounts allow. An SCP only filters permissions: it grants nothing, so principals still need an Allow in their own IAM policies.

📌 Example SCP:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateWithoutEnvironmentTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "s3:CreateBucket",
        "rds:CreateDBInstance",
        "lambda:CreateFunction"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:s3:::*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutApplicationTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "s3:CreateBucket",
        "rds:CreateDBInstance",
        "lambda:CreateFunction"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:s3:::*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Application": "true"
        }
      }
    }
  ]
}
  • Denies the create call if the Environment tag is missing, or (second statement) if the Application tag is missing. Null with "true" matches when the key is absent from the request, so this checks presence only, not the value.
  • ⚠️ Never combine "Action": "*" with a Null condition on aws:RequestTag. Almost every API call (DescribeInstances, GetObject, ListFunctions, ...) carries no request tags, so the key is null for all of them and the SCP would deny practically everything in the account.
  • As in Option 1, use one statement per required tag: both keys under a single Null block are ANDed and would deny only when both tags are missing.
  • SCPs do not apply to the management account or to service-linked roles, so tag enforcement there needs a separate control.
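The two traps above (keys inside one Condition block are ANDed; a Null condition on aws:RequestTag fires for every tag-less call) are easy to get wrong and expensive to test against a live account. The following toy evaluator is an added example, not code from this post and not an AWS library: it models only the subset of the policy language used in Option 1 and Option 2 (Effect, Action, Null, StringEquals, StringNotEqualsIfExists, explicit-deny-wins, AND within a statement and OR across statements, no Resource matching) and runs the naive single-statement SCP, the split two-statement SCP and the value-pinning Option 1 policy against a handful of constructed requests. The policy names, the sample requests and the simplified semantics are all assumptions made for the demonstration.

```python
"""Toy evaluator for the tag-condition subset of the IAM policy language.

Added example for this post; it is not an AWS library and not the post's own
code. It models only what the page relies on: Effect, Action, and Condition
with the Null, StringEquals and StringNotEqualsIfExists operators, a request
context holding aws:RequestTag/<Key> entries, an explicit Deny from any
statement winning, AND across the keys of one Condition block and OR across
statements. Resource matching is ignored (assumed "*"). Every policy and
request below is constructed for the demonstration.
"""


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one (operator, key, expected) triple against the request context."""
    present = key in ctx
    values = expected if isinstance(expected, list) else [expected]
    if operator == "Null":
        # Null: "true" holds when the key is ABSENT, "false" when it is present.
        return present == (str(values[0]).lower() == "false")
    if operator == "StringEquals":
        return present and ctx[key] in values
    if operator == "StringNotEqualsIfExists":
        # ...IfExists: a missing key makes the test pass (so a Deny fires).
        return (not present) or ctx[key] not in values
    raise ValueError("operator not modelled: " + operator)


def _statement_applies(stmt, action, ctx):
    """True when the statement's Action matches and ALL its conditions hold."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(a in ("*", action) for a in actions):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        for key, expected in tests.items():  # keys under one operator are ANDed
            if not _condition_holds(operator, key, expected, ctx):
                return False
    return True


def evaluate(policies, action, request_tags):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one API call."""
    ctx = {"aws:RequestTag/" + k: v for k, v in request_tags.items()}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny always wins
                decision = "Allow"
    return decision


CREATE_ACTIONS = ["ec2:RunInstances", "s3:CreateBucket",
                  "rds:CreateDBInstance", "lambda:CreateFunction"]

ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Shape of the page's original SCP: Action "*" and both keys under one Null.
NAIVE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Null": {"aws:RequestTag/Environment": "true",
                            "aws:RequestTag/Application": "true"}}}]}

# Corrected shape: creation actions only, one Deny statement per required tag.
SPLIT_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": CREATE_ACTIONS, "Resource": "*",
     "Condition": {"Null": {"aws:RequestTag/" + tag: "true"}}}
    for tag in ("Environment", "Application")]}

# Option 1 shape: also pins the tag VALUES, one statement per tag.
VALUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": CREATE_ACTIONS, "Resource": "*",
     "Condition": {"StringNotEqualsIfExists": {"aws:RequestTag/" + tag: val}}}
    for tag, val in (("Application", "MyApp"), ("Environment", "prod"))]}

# Constructed sample requests (the tags carried by a create call).
CASES = {
    "both":      {"Application": "MyApp", "Environment": "prod"},
    "app_only":  {"Application": "MyApp"},
    "env_only":  {"Environment": "prod"},
    "none":      {},
    "wrong_env": {"Application": "MyApp", "Environment": "staging"},
}


def decisions(policy, action="ec2:RunInstances"):
    """Decision for each sample request when `policy` sits next to ALLOW_ALL."""
    return {name: evaluate([ALLOW_ALL, policy], action, tags)
            for name, tags in CASES.items()}


if __name__ == "__main__":
    for label, policy in (("naive", NAIVE_SCP), ("split", SPLIT_SCP),
                          ("value", VALUE_POLICY)):
        print(label, decisions(policy))
        # A tag-less read: the naive SCP denies it, the scoped ones do not.
        print(label, "DescribeInstances ->",
              evaluate([ALLOW_ALL, policy], "ec2:DescribeInstances", {}))
```

Running it shows the naive SCP letting "app_only" and "env_only" through while denying a plain ec2:DescribeInstances, the split SCP denying every request that lacks either tag but ignoring the read, and the value-pinning policy additionally denying Environment=staging. Before shipping a real policy, confirm the same cases with `aws iam simulate-custom-policy` and its `--context-entries` option, which lets you supply aws:RequestTag values to the simulator.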

Bonus: Allow only certain tag values

"Condition": {
  "StringEquals": {
    "aws:RequestTag/Environment": ["dev", "test", "prod"]
  }
}
  • This form belongs in an Allow statement: the call is permitted only when Environment is one of the listed values. In a Deny-based SCP invert it to StringNotEqualsIfExists with the same list, so that a value outside the list (or a missing tag) is denied.

Summary Table

Feature                    | IAM Policy                                | SCP (Organizations)
Scope                      | Per user/group/role                       | Entire OU/account
Good for                   | Fine-grained control                      | Enforcing org-wide standards
Tag enforcement supported? | ✅ Yes                                    | ✅ Yes
Works on all services?     | Only actions that support aws:RequestTag  | Same
