Tag enforcement while creating a new resource

Question

My customer is looking for automation to enforce tagging while creating a new resource. Please let me know if any of you have implemented this for your respective customer.

Accepted Answer

This is accomplished through two features: tag-based access control's [RequestTag][1] IAM condition key and [Tag Policies][2].  
The RequestTag condition forces services which support that IAM condition key to supply tags during resource creation (or tag mutation requests) and their Organization's Tag Policy stipulates what tags must be present on supported resources at creation time or during tag mutations.

[Here's][3] a sample RequestTags policy (it can be generalized).

[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests
  [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
  [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create

Answer

Tag policies define which are the correct tags that can be used. Service control policies can be used to prevent resources from being created without a tag. Ref: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

Tag enforcement while creating a new resource

관련 콘텐츠