
In an AWS shared account, some of the engineers are not tagging the resources, and they have Power User access. Is there any way to restrict the IAM user so that it cannot create any resource without a tag?

I tried the Tag on create IAM policy, but it only works for EC2 and not with Power User access.

Thanks.

VNK

1 Answer


Firstly, try to avoid granting Power User access to typical users. It lets them do anything they want (except for IAM). You'll need to reduce their assigned permissions if you wish to limit what they are able to do.

It is possible to require tags on Amazon EC2 instances (which sounds like what you are doing already): AWS IAM Policy to Enforce Tagging

An alternate approach is to use AWS Config to look for resources that are not tagged and then either make a report, send a notification or (in extreme circumstances) delete the offending resources. The users will get upset, but they will learn their lesson!

(It would be fun instead to build a system that charges them personally for any resources they created but didn't tag appropriately!)

John Rotenstein
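As an added example (not code from the answer or from the linked page), here is a customer-managed policy that can be attached next to PowerUserAccess: an explicit Deny always wins over PowerUserAccess's Allow, so the user cannot launch an EC2 instance unless the request tags both the instance and its volumes with an `Owner` key (the tag key is an assumed example), and cannot later strip that key from tagged resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2LaunchWithoutOwnerTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Owner": "true" }
      }
    },
    {
      "Sid": "DenyRemovingOwnerTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": "Owner" }
      }
    }
  ]
}
```

Only actions that support the `aws:RequestTag` condition key can be gated this way, so other services need their own statements; for the detection side the answer describes, the AWS Config managed rule `required-tags` reports resources missing the key.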