Hi juano1985,
You’re correct that managing IAM policies in each AWS account can be a bit of an overhead. However, the purpose of having both SCPs and IAM policies is to provide layered security.
To answer your question, yes, an SCP alone can restrict people from running EC2 instances without the required tags. If the SCP is in place and properly configured, it will enforce the restrictions as defined.
However, the reason for also having IAM policies is to provide an additional layer of security at the account level. This is particularly useful in scenarios where the SCP might be modified or removed. With an IAM policy in place, the tagging requirement would still be enforced even if the SCP were removed.
I hope this clarifies your question.
Best Regards,
JR @ Tutorials Dojo
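As an added illustration of the layered setup described in this reply (not from the original post), the policy document below denies ec2:RunInstances whenever the launch request does not tag the new instance with a CostCenter key; the tag key name is an assumption chosen for the example. Because SCPs and identity-based IAM policies share the same policy grammar, the same document can be attached once as an SCP on the OU and again as an IAM policy inside the account, so the tagging requirement keeps being enforced even if the SCP is later detached.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingCostCenterTagFromInstances",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "CostCenter"
        }
      }
    }
  ]
}
```

The first statement uses the Null condition operator, which evaluates to true when the aws:RequestTag/CostCenter key is absent from the request, so untagged launches are denied while tagged ones fall through to whatever the account's Allow policies grant; the second statement stops the tag from being stripped after launch, which is the gap most tag-enforcement policies forget to close.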