- 新しい順
- 投票が多い順
- コメントが多い順
Hi - This extract from the documentation explains why your resources without tags are being called compliant -
"Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged.
For example, a tag policy can specify that when the CostCenter tag is attached to a resource, it must use the case treatment and tag values that the tag policy defines.
Untagged resources or tags that aren't defined in the tag policy aren't evaluated for compliance with the tag policy."
In other words, you cannot use Tag Policies to require resources to have tags. Tag Policies helps you check for compliance of tagged resources.
Link to documentation that explains this further https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html#what-are-tag-policies
If you want to prevent AWS resources from being created without tags in the first place, you can use Service Control Policies (SCPs) - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create .
A best practice would be to use Tag Policies to first identify all the noncompliant tagged resources, correct them, turn on enforcement [ https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html ] to prevent any noncompliant changes to these tags. Next, use SCPs to prevent resources being created without tags.
Edited by: santosh-aws on Dec 2, 2019 3:33 PM
Edited by: santosh-aws on Dec 2, 2019 3:41 PM
Thank you for this! Turns out I should read more before jumping in!
I've now managed to get Tag Policies to do something useful. I certainly think this would be 10x more useful if you could include resources where the tag doesn't exist when it should and be able to use Tag Policy to enforce the existence of a tag on creation/update
Aware IAM can do this but the one source to rule them would be ideal
How did you go with this? I have implemented a tagging policy.
But should this mean that if i apply a non compliant tag to an existing resource it will find it?
Created a non compliant tag on purpose and then tried searching for non compliance from the resource groups tag policy page. It hasnt found the non compliant tag.