Cyber.AWS Use case - TannerWeinacker/Capstone GitHub Wiki

Principal tag for the user


SCP policy that prevents a user from being deleted


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIAMAccountDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:DeleteAccessKey",
        "iam:DeleteLoginProfile",
        "iam:DeleteSigningCertificate",
        "iam:RemoveUserFromGroup",
        "iam:DeleteSSHPublicKey"
      ],
      "Resource": [
        "arn:aws:iam::*:user/${aws:PrincipalTag/296704428774}/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalTag/296704428774": "296704428774"
        }
      }
    }
  ]
}
  • The Resource element selects IAM user ARNs using the value of the calling principal's tag with key 296704428774 (the `${aws:PrincipalTag/296704428774}` variable fills the path segment of the user ARN).
  • The Condition checks whether that principal tag value is not equal to "296704428774"; when it is not, the caller is denied every action listed above.
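To see how the Deny statement above actually evaluates, here is an added example (not part of the wiki or of any AWS tooling) with a small, simplified model of the Resource, policy-variable and StringNotEquals logic, run against constructed requests. The account ID 123456789012 and the user names are placeholders; the model treats a policy variable the caller cannot resolve as a non-matching Resource, which is a simplifying assumption rather than the full AWS evaluator.

```python
import fnmatch
import re
from typing import Optional

# The wiki's SCP, with the action name corrected to iam:DeleteAccessKey.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIAMAccountDeletion",
        "Effect": "Deny",
        "Action": ["iam:DeleteUser", "iam:DeleteUserPolicy", "iam:DeleteAccessKey",
                   "iam:DeleteLoginProfile", "iam:DeleteSigningCertificate",
                   "iam:RemoveUserFromGroup", "iam:DeleteSSHPublicKey"],
        "Resource": ["arn:aws:iam::*:user/${aws:PrincipalTag/296704428774}/*"],
        "Condition": {"StringNotEquals": {"aws:PrincipalTag/296704428774": "296704428774"}},
    }],
}

VAR_RE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

def resolve_resource(pattern: str, tags: dict) -> Optional[str]:
    """Fill ${aws:PrincipalTag/key} from the caller's tags. A key the caller
    lacks cannot be resolved; this model then treats the Resource as no match."""
    if any(tags.get(k) is None for k in VAR_RE.findall(pattern)):
        return None
    return VAR_RE.sub(lambda m: tags[m.group(1)], pattern)

def condition_holds(condition: dict, tags: dict) -> bool:
    """Only StringNotEquals is modelled. Like any negated operator it is also
    satisfied when the tag key is absent, not only when the value differs."""
    for key, want in condition.get("StringNotEquals", {}).items():
        if tags.get(key.split("aws:PrincipalTag/", 1)[1]) == want:
            return False
    return True

def is_denied(policy: dict, action: str, resource_arn: str, tags: dict) -> bool:
    """True if a Deny statement matches the action, the resolved Resource
    pattern (AWS-style '*' wildcard) and the Condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        for pattern in stmt["Resource"]:
            resolved = resolve_resource(pattern, tags)
            if resolved is not None and fnmatch.fnmatchcase(resource_arn, resolved) \
                    and condition_holds(stmt.get("Condition", {}), tags):
                return True
    return False

# Constructed sample request data: the account ID and user names are placeholders.
TAG = "296704428774"
TAGGED_USER = "arn:aws:iam::123456789012:user/296704428774/alice"
```

Note the gap the third case exposes: a caller carrying no tag at all cannot resolve the Resource variable, so the Deny never applies to it; the policy only constrains callers that carry the tag with some other value.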