How can I use SCPs and tag policies to prevent users in my AWS Organizations member accounts from creating resources?

Last updated: 2022-01-25

I want to prevent users in my AWS Organizations member accounts from creating AWS resources by using service control policies (SCPs) or tag policies.

Short description

SCPs can be used to manage the maximum available permissions in your organization, but they don't grant permissions themselves. For more information, see Service control policies (SCPs).

Tag policies can be used to maintain standardized tags on AWS resources across the accounts in your organization. For more information, see Tag policies.

Resolution

Use the following SCP or tag policy based on your use case.

Use tag policies to prevent non-compliant tagging on existing resources

Tag policies are evaluated when you perform operations that change the tags on an existing resource. For example, a tag policy can prevent users from changing a specified tag on AWS resources to a non-compliant value.

The following example tag policy defines the tag key Environment with the compliant value Production, and enforces it for Amazon Elastic Compute Cloud (Amazon EC2) instances. The policy prevents users from changing this tag on existing Amazon EC2 instances to a non-compliant value, but it doesn't prevent launching new instances with non-compliant tags or with no tags at all.

{
  "tags": {
    "Environment": {
      "tag_key": {
        "@@assign": "Environment"
      },
      "tag_value": {
        "@@assign": [
          "Production"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance"
        ]
      }
    }
  }
}

Use SCPs to prevent creating new resources without compliant tags

You can use SCPs to prevent the creation of new AWS resources that don't comply with your organization's tagging requirements. To make sure that AWS resources are created only when a specified tag is present, use the example SCP to require the tag on the specified resources at creation time.
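The following SCP is an added example and not the page's own example policy. It complements the tag policy above by covering the gap that tag policy leaves: launching new Amazon EC2 instances. It assumes the same tag key and value as the tag policy (Environment and Production); the Sid values are chosen for this example. The first statement denies ec2:RunInstances when no Environment tag is supplied in the request (the Null condition tests for the absence of the aws:RequestTag/Environment key), and the second denies the launch when the tag is present but its value isn't Production.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutEnvironmentTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstancesWithNonCompliantEnvironmentTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/Environment": "Production"
        }
      }
    }
  ]
}
```

Tags passed in the TagSpecifications of the RunInstances request are what aws:RequestTag evaluates, so a launch without a TagSpecifications block for the instance is denied by the first statement. Keeping the two statements separate makes the policy's intent explicit and avoids relying on how StringNotEquals behaves when the key is missing. Because this SCP denies only ec2:RunInstances on the instance and volume resource types, extend the Action and Resource lists for any other resource types you want to cover, and remember that SCPs never affect the organization's management account.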