Reputation: 153
I want to prevent users from creating an S3 bucket when there is no tag with the key 'project'. The following policy won't work; it prevents creation in any case:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreationWithoutProjectTag",
      "Effect": "Deny",
      "Action": "s3:CreateBucket",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:RequestTag/project": "*"
        }
      }
    }
  ]
}
Tag Enforcement for EC2 - AWS and Enforce tagging for AWS resources did not help.
Upvotes: 2
Views: 1261
Reputation: 308
Go to Policies in AWS Organizations and select Tag policies. Be sure to enable it if it isn't enabled already. Then create a policy like this; you can use the JSON editor for it.
{
  "tags": {
    "Project": {
      "tag_key": {
        "@@assign": "Project"
      },
      "enforced_for": {
        "@@assign": [
          "s3:bucket"
        ]
      }
    }
  }
}
Here I have created a tag policy for the Project tag. Once the tag policy is created, make sure to attach it to the target OU/account.
After this, go to Policies again and select Service control policies (SCPs); if it isn't available, make sure to enable it. There, create a new SCP and add the following policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3CreationSCP1",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }
  ]
}
Here I have created an SCP to enforce the previous tag policy. Once the SCP is created, make sure to attach it to the target OU/account.
Upvotes: 1
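The question's policy uses a negated operator (StringNotLike) and the answer's SCP uses Null; both are evaluated against the request context, and what each operator does when the context key is missing decides whether a policy denies everything. As an added illustration (not part of the question or the answer, and not IAM's real evaluation engine), here is a small Python model of the StringLike, StringNotLike and Null operators applied to both policies with constructed request contexts. The model assumes the service populates aws:RequestTag/<key> from the tags sent with the request and matches condition key names case-insensitively; if a service never populates that key for an action, both policies deny every call, so check the action's supported condition keys in the service authorization reference before relying on either.

```python
"""Simplified model of IAM condition evaluation for the two Deny policies.

Added example, not from the original post. Modelling assumptions:
  * the service puts aws:RequestTag/<key> into the request context for
    every tag sent with the request (if an action never populates it,
    both policies below deny every call);
  * condition key names are compared case-insensitively.
"""
import fnmatch

# The question's policy: negated operator, lower-case tag key.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCreationWithoutProjectTag",
        "Effect": "Deny",
        "Action": "s3:CreateBucket",
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:RequestTag/project": "*"}},
    }],
}

# The answer's SCP: Null operator, capitalised tag key.
ANSWER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyS3CreationSCP1",
        "Effect": "Deny",
        "Action": ["s3:CreateBucket"],
        "Resource": "*",
        "Condition": {"Null": {"aws:RequestTag/Project": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _lookup(context, key):
    """Find a context key case-insensitively (modelling assumption)."""
    for ctx_key, ctx_value in context.items():
        if ctx_key.lower() == key.lower():
            return True, ctx_value
    return False, None


def condition_matches(operator, key, expected, context):
    """Return True when a single condition clause matches the context."""
    present, actual = _lookup(context, key)
    if operator == "Null":
        # Null "true" matches when the key is ABSENT, "false" when present.
        wants_absent = str(_as_list(expected)[0]).lower() == "true"
        return present != wants_absent
    if operator in ("StringLike", "StringNotLike"):
        if not present:
            # A missing key fails positive operators but satisfies negated
            # ones: this is what makes "StringNotLike ... *" deny everything
            # when the key is never in the context.
            return operator == "StringNotLike"
        # IAM patterns use * and ?; fnmatch also understands [...], which
        # IAM does not, so keep patterns to * and ? here.
        matched = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected))
        return matched if operator == "StringLike" else not matched
    raise ValueError(f"operator {operator} not modelled")


def statement_applies(statement, action, context):
    """A statement applies when the action matches and every clause matches."""
    actions = _as_list(statement["Action"])
    if action not in actions and "*" not in actions:
        return False
    for operator, clauses in statement.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return True


def is_denied(policy, action, context):
    """An explicit Deny wins if any Deny statement applies."""
    return any(
        s["Effect"] == "Deny" and statement_applies(s, action, context)
        for s in policy["Statement"]
    )


def request_context(tags):
    """Context a tagged request would carry under the modelling assumption."""
    return {f"aws:RequestTag/{k}": v for k, v in tags.items()}


def compare(tags):
    """Evaluate s3:CreateBucket with the given tags against both policies."""
    ctx = request_context(tags)
    return {
        "question_policy_denies": is_denied(QUESTION_POLICY, "s3:CreateBucket", ctx),
        "answer_scp_denies": is_denied(ANSWER_SCP, "s3:CreateBucket", ctx),
    }


if __name__ == "__main__":
    # Constructed sample requests: no tags, the right tag, the wrong tag.
    for tags in ({}, {"Project": "payments"}, {"Owner": "alice"}):
        print(tags or "<no tags>", compare(tags))
```

Under the stated assumption both policies give the same verdicts: deny with no tags or the wrong tag, allow when a Project tag is present. The model is mainly useful for seeing the missing-key behaviour: a negated operator on a key that is never in the request context always matches, which is a common reason a Deny condition ends up denying every call.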