Hi,
Thanks for your reply. I didn’t think about the possibility of the SCP being removed in the near future in this scenario. If that were to happen, then yes, everyone would be able to launch instances without the tags again. Although I agree that using both is more secure, it certainly entails a lot of overhead to create an IAM policy in each AWS account when you can do this centrally with an SCP, which is the whole purpose in the first place: to not need to get into every AWS account and do this one by one. I guess my question is more to know: if you just were to have this SCP applied, will it restrict people from running EC2 instances without the tags or not? If the SCP is there, do we still need to have IAM policies in place for the restriction to be in place? Or is this just because it’s a best practice to have both, so it will be more secure?
Thanks!
Juan