SCP to create a security group with no tag or with specific tag

Time:02-08

I want to create an SCP (service control policy) that should allow creating a security group if no tags are present. If a tag is created, it should have a specific value. For example, if 'bu' is a tag, the value should always be 'finance' only. How can this be done? I have done this bit:

{
  "Sid": "SGBu",
  "Effect": "Deny",
  "Action": [
    "ec2:CreateSecurityGroup"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:security-group/*"
  ],
  "Condition": {
    "ForAnyValue:Null": {
      "aws:RequestTag/bu": "false"
    }
  }
}

How can I add an OR condition along with this so that the value has to be 'finance' if 'bu' tag is added?

Thank you

CodePudding user response:

You can have multiple Conditions in an SCP, but these Conditions will only work as AND. But each Condition itself can have more than one key/value pair, and the relationship between these key/value pairs is OR.

Here is an example (see the last Condition, IpAddress):

"Condition": {
  "DateGreaterThan": {
    "aws:CurrentTime": "2019-07-16T12:00:00Z"
  },
  "DateLessThan": {
    "aws:CurrentTime": "2019-07-16T15:00:00Z"
  },
  "IpAddress": {
    "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
  }
}

Here are the AWS docs on it: Example Tag Policy
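The AND between operator blocks is exactly what the asker needs: a single Deny statement that matches only when the bu tag is present (Null false) and its value is not finance (StringNotEquals). Requests with no tags, or with bu=finance, fall through the Deny. Below is an added example that is not part of the question or the answer: it holds such an SCP as a Python dict and evaluates it with a small, deliberately minimal model of the IAM condition logic (operator blocks and keys are ANDed, a list of values for one key is ORed, and a negated operator matches when its key is absent). The Sid, the use of the plain Null operator instead of the question's ForAnyValue:Null, and the sample tag sets are assumptions made for the example; the evaluator ignores Resource matching.

```python
import json

# Constructed example SCP (not from the original post). Assumption: plain "Null" is used
# because aws:RequestTag/<key> is a single-valued key; the Sid is made up for the example.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SGBuMustBeFinance",
            "Effect": "Deny",
            "Action": ["ec2:CreateSecurityGroup"],
            "Resource": ["arn:aws:ec2:*:*:security-group/*"],
            "Condition": {
                # Separate operator blocks are ANDed: the Deny applies only when
                # the bu tag is present (Null false) AND its value is not finance.
                "Null": {"aws:RequestTag/bu": "false"},
                "StringNotEquals": {"aws:RequestTag/bu": "finance"},
            },
        }
    ],
}


def scp_json() -> str:
    """The policy document as it would be pasted into AWS Organizations."""
    return json.dumps(SCP, indent=2)


def build_context(tags: dict) -> dict:
    """Map the tags sent in the request to the aws:RequestTag/<key> condition keys."""
    return {f"aws:RequestTag/{k}": v for k, v in tags.items()}


def _operator_matches(op: str, key: str, expected, ctx: dict) -> bool:
    """Evaluate one key inside one operator block; a list of expected values is ORed."""
    values = expected if isinstance(expected, list) else [expected]
    present = key in ctx
    if op == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return any((v == "true") == (not present) for v in values)
    if not present:
        # Missing key: positive operators fail, negated operators match. This is why
        # StringNotEquals alone would also deny untagged requests; Null guards it.
        return op == "StringNotEquals"
    actual = ctx[key]
    if op == "StringEquals":
        return any(actual == v for v in values)
    if op == "StringNotEquals":
        return all(actual != v for v in values)
    raise ValueError(f"operator not modelled in this example: {op}")


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Every operator block, and every key within a block, must match (AND)."""
    return all(
        _operator_matches(op, key, expected, ctx)
        for op, keys in condition.items()
        for key, expected in keys.items()
    )


def is_denied(policy: dict, action: str, tags: dict) -> bool:
    """True if any Deny statement in the SCP matches this action and request tags."""
    ctx = build_context(tags)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    print(scp_json())
    # Constructed sample requests: no tags, correct bu, wrong bu, unrelated tag only.
    for tags in ({}, {"bu": "finance"}, {"bu": "marketing"}, {"team": "x"}):
        verdict = "DENY" if is_denied(SCP, "ec2:CreateSecurityGroup", tags) else "not denied"
        print(tags, "->", verdict)
```

Two caveats a practitioner would want: an SCP never grants anything, so the calling principal still needs an IAM allow for ec2:CreateSecurityGroup, and this statement only inspects tags supplied at creation time. A bu tag added afterwards with ec2:CreateTags is not covered; if that matters, add "ec2:CreateTags" to the Action list of the same statement (an assumption here, not something the page states), since that action also exposes aws:RequestTag.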
