How do you get specific details for noncompliant resources under Tag Policies?


I am learning about Tag Policies under Organizations, and set up a sample Tag Policy where all EC2 instances need a specific value for a tag called CostCenter. I have tested this out by creating a new EC2 instance that uses an invalid value for this tag, so it would be non-compliant. According to the documentation, I should use Tag Policies under AWS Resource Groups to view my noncompliant resources. This page does indeed show I have a noncompliant resource, but provides minimal details about which resource it is (see screenshot). In an account that has dozens or hundreds of EC2 instances, I am not sure how someone would track down this specific instance. Is there another tool or view that will provide this additional info?

AWS
Ryan
asked 6 months ago, 260 views
1 Answer
Accepted Answer

You can generate a report that lists all tagged resources in accounts across your organization and whether each resource is compliant with the effective tag policy.

You can generate the report from your organization's management account in the us-east-1 AWS Region only. The account generating the report must have access to an Amazon S3 bucket in the US East (N. Virginia) Region. The bucket must have an attached bucket policy as shown in Amazon S3 bucket policy for storing report.

To generate an organization-wide compliance report, you must have the following permissions:

organizations:DescribeEffectivePolicy

tag:StartReportCreation

tag:DescribeReportCreation

tag:GetComplianceSummary

To generate an organization-wide compliance report (console)

* Open the Tag Policies console.

* Choose the This organization root tab, and near the bottom of the page, choose Generate report.

* On the Generate report screen, specify where to store the report.

* Choose Start exporting.

When the report is complete, you can download it from the Noncompliance report section on the Organization root tab.

Reference: Evaluating organization-wide compliance - https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-policies-orgs-evaluating-org-wide-compliance.html

AWS
answered 6 months ago
EXPERT Kallu
reviewed 5 months ago
  • Thanks prabpran! That did indeed provide the info I needed. One thing to note for future users, there does not appear to be a way to kick off an evaluation of the policies manually, so you just need to wait until the system does. In my case, I had waited about 8 hours and the report didn't pick up my noncompliant resources. When I checked 12 hours later (20 hours total), it did show the noncompliant resources.
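The same compliance data that the console report exposes is available through the Resource Groups Tagging API, which is what the `tag:*` permissions in the answer refer to. The following boto3 script is an added example (not from the question, the answer, or AWS documentation): `find_noncompliant_resources` asks `GetResources` for compliance details and returns, per ARN, which tag keys are missing or carry a disallowed value, and `generate_org_report` wraps the `StartReportCreation`/`DescribeReportCreation` pair the answer describes. The bucket name, the `ec2:instance` filter default, and the polling interval are assumptions; the helpers take a client argument so they can also be exercised with a stub.

```python
"""Locate resources that violate the effective tag policy (added example, boto3)."""
import time


def build_client():
    # Imported lazily so the helpers below can also be driven by a stub client.
    # Tag policy compliance queries run from the management account in us-east-1.
    import boto3
    return boto3.client("resourcegroupstaggingapi", region_name="us-east-1")


def find_noncompliant_resources(client, resource_types=("ec2:instance",)):
    """Return {arn: {"missing_keys": [...], "bad_values": [...]}} for noncompliant resources.

    ExcludeCompliantResources=True makes the API return only resources that fail the
    effective tag policy; ComplianceDetails then says which keys or values are wrong.
    """
    results, token = {}, ""
    while True:
        kwargs = dict(ResourceTypeFilters=list(resource_types),
                      IncludeComplianceDetails=True, ExcludeCompliantResources=True)
        if token:  # only pass a token on continuation calls
            kwargs["PaginationToken"] = token
        resp = client.get_resources(**kwargs)
        for res in resp.get("ResourceTagMappingList", []):
            details = res.get("ComplianceDetails", {})
            if not details.get("ComplianceStatus", True):  # True means compliant
                results[res["ResourceARN"]] = {
                    "missing_keys": details.get("NoncompliantKeys", []),
                    "bad_values": details.get("KeysWithNoncompliantValues", []),
                }
        token = resp.get("PaginationToken", "")
        if not token:
            return results


def generate_org_report(client, bucket, poll_seconds=30, max_polls=20, sleep=time.sleep):
    """Start the organization-wide report and poll until it lands in S3.

    Returns the S3 location on success, None on failure or timeout. Report creation
    is asynchronous, so a short timeout may simply mean "not done yet".
    """
    client.start_report_creation(S3Bucket=bucket)
    for _ in range(max_polls):
        status = client.describe_report_creation()
        if status.get("Status") == "SUCCEEDED":
            return status.get("S3Location")
        if status.get("Status") == "FAILED":
            return None
        sleep(poll_seconds)
    return None


if __name__ == "__main__":
    for arn, why in find_noncompliant_resources(build_client()).items():
        print(arn, why)
```

Note that `GetResources` reports compliance from the last evaluation run, so, as the comment above observes, a freshly created resource may not appear until the next evaluation.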
