
So pissed off at AWS. My goal is to deny the creation of any taggable resource without having a specific tag on the organizational level (tag policies, service control policies, etc.).
Tag policies do not have any effect if the resource is created without any tag. WTF.
I managed to put together a service control policy that makes it impossible, but since not all resources are taggable, I had to list every taggable resource in the policy and put every read action on a condition. Surprise: the policy exceeds the max size limit. FML.
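As an added example (not part of the original post), this sketch builds the kind of SCP the post describes, denying create actions when the request carries no required tag, measures it against the 5,120-character SCP size quota, and splits the action list across several smaller SCPs when it does not fit. The tag key `CostCenter`, the short action list and the helper names are assumptions for illustration.

```python
import json

SCP_MAX_CHARS = 5120          # AWS Organizations size quota for one SCP document
REQUIRED_TAG = "CostCenter"   # assumed tag key, not from the post

# Constructed sample: create actions mapped to the resource pattern to deny on.
# A real organization-wide list is far longer, which is where the quota bites.
CREATE_ACTIONS = {
    "ec2:RunInstances": "arn:aws:ec2:*:*:instance/*",
    "ec2:CreateVolume": "arn:aws:ec2:*:*:volume/*",
    "elasticfilesystem:CreateFileSystem": "*",
    "kms:CreateKey": "*",
    "lambda:CreateFunction": "*",
    "rds:CreateDBInstance": "*",
    "secretsmanager:CreateSecret": "*",
    "sns:CreateTopic": "*",
    "sqs:CreateQueue": "*",
}

def build_scp(actions, tag_key=REQUIRED_TAG):
    """Deny each create action when aws:RequestTag/<tag_key> is absent."""
    by_resource = {}
    for action, resource in sorted(actions.items()):
        by_resource.setdefault(resource, []).append(action)  # group to save space
    condition = {"Null": {f"aws:RequestTag/{tag_key}": "true"}}
    statements = [
        {"Effect": "Deny", "Action": acts, "Resource": res, "Condition": condition}
        for res, acts in by_resource.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}

def policy_size(policy):
    """Character count of the policy serialized without optional whitespace."""
    return len(json.dumps(policy, separators=(",", ":")))

def split_into_policies(actions, tag_key=REQUIRED_TAG, limit=SCP_MAX_CHARS):
    """Greedily pack actions into SCPs that each stay within the size limit."""
    policies, current = [], {}
    for action, resource in sorted(actions.items()):
        trial = {**current, action: resource}
        if current and policy_size(build_scp(trial, tag_key)) > limit:
            policies.append(build_scp(current, tag_key))
            current = {action: resource}
        else:
            current = trial
    if current:
        policies.append(build_scp(current, tag_key))
    return policies

if __name__ == "__main__":
    print(policy_size(build_scp(CREATE_ACTIONS)), "of", SCP_MAX_CHARS, "characters")
    print(json.dumps(build_scp(CREATE_ACTIONS), indent=2))
```

Each resulting document is attached as its own SCP; a Deny in any attached SCP still applies, so splitting does not weaken the control.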
