Tagging policy at account level


I tried to define a tagging policy (for ec2 instance) at Org level and have attached to a child account. JSON looks something like below. I’m not able to see any tags after instance creation in the child account. However, if I try to manually add the tag for same key, it does evaluate as per the policy . Say - I can define a tag with key as ‘Function’ and value as ‘Devops’ , I’m not allowed add a tag with other value with the Function as key . Is this the expected behaviour, any leads ?

    "tags": {
        "Function": {
            "tag_key": {  
                "@@assign": "Function"  
            "tag_value": {  
                "@@assign": [  
            "enforced_for": {  
                "@@assign": [  
        "Name": {  
            "tag_key": {  
                "@@assign": "Name"  
            "enforced_for": {  
                "@@assign": [  
        "Instance Owner": {  
            "tag_key": {  
                "@@assign": "Instance Owner"  
            "tag_value": {  
                "@@assign": [  
            "enforced_for": {
                "@@assign": [
asked 4 years ago624 views
1 Answer
Accepted Answer

This is the expected behaviour; Tag Policies only enforce values for tags which are present and do not enforce the presence of a tag: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html

As alternatives you could specify in the IAM policy that the tag must be specified on creation of the resource, and/or you can use AWS Config to report compliance on tag presence or not.

profile pictureAWS
answered 4 years ago
profile picture
reviewed a month ago
profile picture
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions