AWS - tagging for all resources

0

Hi Team.

I am trying to implement tagging policies for all my accounts. I know that I can use tag policies with Organizations, but I have some questions:

1. If I want to create mandatory tags for all resources, should I activate "Prevent noncompliant operations for this tag" and choose all available resource types? I understand that when a user tries to create a resource without this tag, the resource will not be created.

2. How will users know which tags are available or mandatory? Will every tag defined in the tag policy appear in every resource creation, or is there another way to do that?

3. Can I define whether a tag is an integer, boolean or string value in the tag policy?

4. How can I tag existing resources that were created previously?

Thank you.

Orlando
asked 7 months ago, 368 views
2 Answers
2

This is my go-to blog for topics around tagging strategies and tagging enforcement.

Tagging policies don't necessarily enforce tagging; they are mainly there to validate the values permitted for specific tags. If you completely omit the tag, you will not get a message letting you know tags are missing. In order to enforce tagging you have to implement SCPs and attach them to OUs or accounts. You can include statements in the SCP to prevent users from updating/changing the tags once the resources have been provisioned. The blog walks you through the whole process. I have had issues copy-pasting the policies used in the blog, so double-check for trailing commas, closing curly braces, or double quotes being replaced with invalid quote characters.

Another thing to keep in mind is that the error messages shown when SCPs deny requests are encoded for security purposes. In order to get information as to why the request failed, you will have to decode the message. Check this post out for instructions to decode the message.

Let me know if you have any other questions or if anything needs clarification.

AWS
answered 7 months ago
  • Hi,

    And could I configure an SCP to enforce tagging for all AWS resources, something like Resource: * for mandatory tags? In this way I could prevent users from creating resources without tags.

  • Hi Orlando, yes, you can use a wildcard in the Resource section of the SCP (SCP syntax). Just keep in mind that, as you mention, this will prevent the creation of any resources that aren't tagged. There are some resources that are created automatically or as a result of configuration options when provisioning certain types of resources, for example security groups when provisioning EC2 instances, or execution roles when provisioning Lambda functions, etc. It may not be immediately obvious how to tag the "associated" resources when going through the console wizard. I recommend attaching the SCP to a test OU and trying to provision the resources that you typically would; it may turn out that the SCP is overly restrictive. Please let me know if you have any other questions. If this answers your question, would you mind marking the answer as accepted? Thanks.

  • Hi Orlando, do you have any other questions? If not, would you mind marking my answer as accepted?
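The SCP shape the answer and its comments describe (a Deny with Resource "*" whenever a mandatory tag key is absent from the request, plus a Deny on removing that tag afterwards) can be generated and sanity-checked locally. The following is an added example, not code from the thread, the linked blog or AWS; the guarded action list is an assumption chosen to keep the policy small, and `scp_denies` is a simplified local simulation of just the two condition operators the generated policy uses, not the AWS policy engine.

```python
"""Added example: build a tag-enforcing SCP and simulate how its conditions
behave for a few requests. Not from the re:Post thread or from AWS."""
import json

# Actions this example chooses to guard (assumption: the thread names no
# specific actions; these are real EC2 and Lambda create-style actions).
CREATE_ACTIONS = [
    "ec2:RunInstances",
    "ec2:CreateVolume",
    "ec2:CreateSecurityGroup",
    "lambda:CreateFunction",
]
# Actions that could strip a tag after the resource has been provisioned.
TAG_REMOVAL_ACTIONS = ["ec2:DeleteTags", "lambda:UntagResource"]


def build_tag_scp(mandatory_tags):
    """Return an SCP document (dict) that denies the guarded create actions
    on Resource "*" when a mandatory tag key is missing from the request,
    and denies removing any mandatory tag key afterwards."""
    statements = []
    for tag in mandatory_tags:
        statements.append({
            "Sid": f"DenyCreateWithout{tag}",
            "Effect": "Deny",
            "Action": CREATE_ACTIONS,
            "Resource": "*",
            # Null = "true" matches when the request carries no such tag key.
            "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}},
        })
    statements.append({
        "Sid": "DenyRemovingMandatoryTags",
        "Effect": "Deny",
        "Action": TAG_REMOVAL_ACTIONS,
        "Resource": "*",
        # aws:TagKeys is multi-valued, hence the ForAnyValue set operator.
        "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": list(mandatory_tags)}},
    })
    return {"Version": "2012-10-17", "Statement": statements}


def _statement_matches(stmt, action, request_tags, tag_keys):
    """Simplified local check: does this statement apply to the request?
    Only the two condition operators the generated policy uses are modelled."""
    if action not in stmt["Action"]:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if operator == "Null" and key.startswith("aws:RequestTag/"):
                present = key.split("/", 1)[1] in request_tags
                # "true" means "matches when absent"; "false" means "when present".
                if (expected == "true") != (not present):
                    return False
            elif operator == "ForAnyValue:StringEquals" and key == "aws:TagKeys":
                if not set(tag_keys) & set(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition {operator} on {key}")
    return True


def scp_denies(policy, action, request_tags=None, tag_keys=()):
    """True if any Deny statement matches the simulated request.
    request_tags: tags sent with a create call; tag_keys: keys named in a
    tag-removal call. Per-resource evaluation (one API call touching several
    resource types) is not modelled here."""
    request_tags = request_tags or {}
    return any(
        s["Effect"] == "Deny" and _statement_matches(s, action, request_tags, tag_keys)
        for s in policy["Statement"]
    )


if __name__ == "__main__":
    policy = build_tag_scp(["Owner", "CostCenter"])
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: one missing CostCenter, one fully tagged,
    # one attempting to delete a mandatory tag.
    print(scp_denies(policy, "ec2:RunInstances", {"Owner": "orlando"}))
    print(scp_denies(policy, "ec2:RunInstances", {"Owner": "orlando", "CostCenter": "1234"}))
    print(scp_denies(policy, "ec2:DeleteTags", tag_keys=["Owner"]))
```

The printed JSON is what you would attach to a test OU first, as the comment above recommends, because the real engine evaluates many APIs against several resource types at once (an instance launch also touches volumes and network interfaces) and a Deny on Resource "*" can fire for an ancillary resource the console wizard never offered you a tag field for. When a request is denied, the encoded message the answer mentions can be decoded with `aws sts decode-authorization-message --encoded-message <message>`, which needs the `sts:DecodeAuthorizationMessage` permission.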

1

Tagging policies are not the way to allow or deny the creation of resources, as they only prevent noncompliant tagging requests from completing on the specified resource types. Also, not all resource types support enforced compliance (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html#enforcement-correcting). If you are looking to do so, you should use an IAM policy or SCP: https://repost.aws/knowledge-center/iam-policy-tags-restrict https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html.

AWS
EXPERT
answered 7 months ago
