Using Service Control Policies with Instaclustr RIYOA
If your organization runs AWS at scale, tagging is part of your control plane. Tags drive cost allocation, access controls, and compliance reporting. Many teams enforce required tags at resource creation using Service Control Policies (SCPs) in AWS Organizations. If a required tag is missing, the API call is denied.
AWS’s own Cloud Financial Management team recommends enforcing tags through Service Control Policies (SCPs) in AWS Organizations, so that every resource carries the required tags from the moment it is created. No tag, no resource. This ensures cost visibility, compliance, and security from day one.
If you run NetApp Instaclustr clusters in your own AWS account with RIYOA (Run In Your Own Account), you can use this same governance model. Here’s how.
How Instaclustr tags RIYOA resources
When you provision a RIYOA cluster, Instaclustr creates and manages resources in your AWS account, including:
- EC2 instances
- Elastic Load Balancers
- IAM roles & IAM instance profiles
- Security groups, EBS volumes, VPCs, and other supporting infrastructure
With Self-Service Tag Management, you can define custom tags on your cluster. Instaclustr includes those tags in provisioning calls so resources are tagged at creation time, which is required by many SCP patterns.
To use this feature with your own tags, manage your custom tags through the NetApp Instaclustr Console, the NetApp Instaclustr Cluster Management API, or the Terraform Provider. Instaclustr also uses some reserved tags, which are documented on the Self-Service Tag Management page.
Example: Enforcing Tags with Service Control Policies
If your organization uses SCPs to enforce tagging at resource creation, Instaclustr resources will satisfy those policies. A common SCP pattern looks like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateWithoutBusinessUnitTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "elasticloadbalancing:CreateLoadBalancer",
        "iam:CreateRole",
        "iam:CreateInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/BusinessUnit": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutEnvironmentTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "elasticloadbalancing:CreateLoadBalancer",
        "iam:CreateRole",
        "iam:CreateInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutOwnerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "elasticloadbalancing:CreateLoadBalancer",
        "iam:CreateRole",
        "iam:CreateInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Owner": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateWithInvalidEnvironment",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "elasticloadbalancing:CreateLoadBalancer",
        "iam:CreateRole",
        "iam:CreateInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/Environment": [
            "dev",
            "stage",
            "prod"
          ]
        }
      }
    },
    {
      "Sid": "DenyTagDeletionOnCoreResources",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags",
        "elasticloadbalancing:RemoveTags",
        "iam:UntagRole"
      ],
      "Resource": "*"
    }
  ]
}
```
In this model, a creation call that omits any of the required tags (BusinessUnit, Environment, Owner), or that sets Environment to a value other than dev, stage, or prod, is denied. If your cluster includes the required tags with valid values, provisioning requests satisfy the policy conditions.
Note: This is a simplified example. Final behavior depends on the Organizational Unit (OU) hierarchy, inherited SCPs, and combined policy evaluation in AWS Organizations. See the official AWS documentation on Service Control Policies.
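To see what the pattern above actually blocks before attaching it to an OU, the following added example (not Instaclustr code, and not AWS's evaluator) builds the same policy in Python and evaluates a handful of constructed provisioning requests against it. It implements only the slice of the IAM condition language the policy uses (Null, StringEquals, StringNotEquals on aws:RequestTag/<key>) and answers one question: does this SCP explicitly deny the call? Identity policies, OU inheritance, and other SCPs are out of scope. The policy is built with one Null statement per required tag because condition keys inside a single Null block are ANDed, and the Environment check is a plain StringNotEquals because aws:RequestTag/<key> is a single-valued key; the evaluate() function also accepts any other policy document, so you can paste your own SCP in and compare.

```python
"""Offline evaluator for the tag-enforcement SCP pattern (added example)."""
import fnmatch

CREATE_ACTIONS = [
    "ec2:RunInstances",
    "ec2:CreateVolume",
    "elasticloadbalancing:CreateLoadBalancer",
    "iam:CreateRole",
    "iam:CreateInstanceProfile",
]
REQUIRED_TAGS = ("BusinessUnit", "Environment", "Owner")
ALLOWED_ENVIRONMENTS = ["dev", "stage", "prod"]


def deny(sid, condition=None, actions=CREATE_ACTIONS):
    """Build one Deny statement; Condition is omitted when there is none."""
    stmt = {"Sid": sid, "Effect": "Deny", "Action": list(actions), "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return stmt


# One Null statement per tag: keys inside a single Null block are ANDed, so one
# block listing all three tags would only fire when *all* three were missing.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        *[deny(f"DenyCreateWithout{tag}Tag", {"Null": {f"aws:RequestTag/{tag}": "true"}})
          for tag in REQUIRED_TAGS],
        deny("DenyCreateWithInvalidEnvironment",
             {"StringNotEquals": {"aws:RequestTag/Environment": ALLOWED_ENVIRONMENTS}}),
        deny("DenyTagDeletionOnCoreResources",
             actions=["ec2:DeleteTags", "elasticloadbalancing:RemoveTags", "iam:UntagRole"]),
    ],
}


def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports * wildcards."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def _condition_matches(condition, request_tags):
    """True if every operator/key pair matches the request context (AND)."""
    prefix = "aws:RequestTag/"
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise ValueError(f"unsupported context key: {key}")
            tag = key[len(prefix):]
            present = tag in request_tags
            values = expected if isinstance(expected, list) else [expected]
            if operator == "Null":
                # "true" matches an absent key, "false" a present one
                if (values[0] == "true") == present:
                    return False
            elif operator == "StringEquals":
                if not present or request_tags[tag] not in values:
                    return False
            elif operator == "StringNotEquals":
                # negated operators match when the key is absent from the request
                if present and request_tags[tag] in values:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(action, request_tags, policy=SCP):
    """Return ("DENY", [sids]) if any Deny statement matches, else ("NOT_DENIED", []).

    NOT_DENIED means only that this SCP does not block the call; the caller's
    identity policy and any other SCPs in the OU chain still apply.
    """
    matched = [
        stmt["Sid"]
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Deny"
        and _action_matches(stmt["Action"], action)
        and _condition_matches(stmt.get("Condition", {}), request_tags)
    ]
    return ("DENY" if matched else "NOT_DENIED", matched)


if __name__ == "__main__":
    # Constructed sample tags, as a cluster's custom tags would be passed on RunInstances.
    good = {"BusinessUnit": "data-platform", "Environment": "prod", "Owner": "team@example.com"}
    samples = [good, {**good, "Environment": "production"},
               {k: v for k, v in good.items() if k != "Owner"}, {}]
    for tags in samples:
        print(tags, "->", evaluate("ec2:RunInstances", tags))
```

The last assertion in the test below is the pitfall the per-tag statements avoid: with all three tag keys in a single Null block, a request carrying only BusinessUnit is not denied at all.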
What the NetApp Instaclustr tagging system and your SCP enforcement enable
- Cost visibility from day one: Instaclustr resources appear in Cost Explorer and Cost and Usage Reports organized by your required allocation tags.
- Compliance continuity: Controls apply from creation time, with no retroactive tagging required for resources created by us or by anyone else in your team, so all resource creation is traceable and auditable.
- Consistent governance: Instaclustr-managed resources follow the same rules as the resources your internal teams create, so no exceptions are required just because you’re working with a third-party provider.
How do I make sure provisioning will work if I use an SCP?
1. Verify the Instaclustr Run in Your Own Account (RIYOA) provisioning IAM role has the necessary permissions for tagged resource creation
Your SCP should permit iam:CreateRole, iam:CreateInstanceProfile, ec2:RunInstances, and related actions for the Instaclustr Provisioning Role.
2. Ensure tag-creation operations are allowed
On-creation tagging requires that iam:TagRole is granted to the IAM role used by the Instaclustr provisioning service, and that ec2:CreateTags and the related tag-write permissions remain available. This configuration is not enabled by default, so you will need to put it in place yourself.
3. Reach out to support
By default, NetApp Instaclustr does not tag IAM roles, as doing so requires an additional AWS permission (iam:TagRole). If you would like to use SCP-enforced provisioning, reach out to our support team to let us know you have added this permission to your IAM policy, and we can ensure your account is configured to apply tags to IAM roles.
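Steps 1 and 2 above amount to a static review of the provisioning role's policy: does some Allow statement cover each create action and each tag-write action? The following added example (not Instaclustr code, and not the real provisioning role's policy) does that review offline against a constructed policy document. REQUIRED_ACTIONS holds the actions the checklist names (the create actions from the SCP, ec2:CreateTags, iam:TagRole) plus two I assume are needed to tag the other resource types (iam:TagInstanceProfile, elasticloadbalancing:AddTags); adjust the list to what your role is actually asked to create. Only Allow statements with an "Action" element are considered; NotAction, conditions, permissions boundaries, and resource scoping are not modelled, so a clean result here is a necessary check, not a sufficient one.

```python
"""Static check that a provisioning role's IAM policy covers tagged creation (added example)."""
import fnmatch
import json

# Actions needed for tagged creation: the page's create and tag-write actions,
# plus iam:TagInstanceProfile and elasticloadbalancing:AddTags, which are my assumption.
REQUIRED_ACTIONS = [
    "ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateTags",
    "iam:CreateRole", "iam:TagRole",
    "iam:CreateInstanceProfile", "iam:TagInstanceProfile",
    "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:AddTags",
]


def allow_patterns(policy):
    """Collect lower-cased action patterns from Allow statements (string or list form)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend(actions if isinstance(actions, list) else [actions])
    return [p.lower() for p in patterns]


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow pattern (e.g. ec2:*, iam:Tag*) covers."""
    patterns = allow_patterns(policy)
    return [
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]


# Constructed sample: a role policy written before tagging IAM resources was
# required. It can create roles and instance profiles but cannot tag them.
SAMPLE_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:CreateInstanceProfile",
                "iam:PassRole", "iam:AddRoleToInstanceProfile"],
     "Resource": "*"}
  ]
}""")


def with_tag_permissions(policy):
    """Return a copy of the policy with an added Allow for iam:Tag* (the fix for step 2)."""
    extra = {"Effect": "Allow", "Action": ["iam:TagRole", "iam:TagInstanceProfile"], "Resource": "*"}
    return {**policy, "Statement": policy["Statement"] + [extra]}


if __name__ == "__main__":
    print("before:", missing_actions(SAMPLE_ROLE_POLICY) or "nothing missing")
    print("after: ", missing_actions(with_tag_permissions(SAMPLE_ROLE_POLICY)) or "nothing missing")
```

Run it against your own role's policy document (for example the output of the IAM console's JSON view) by replacing SAMPLE_ROLE_POLICY; an empty result from missing_actions() is what you want to confirm before contacting support in step 3.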