Tag Policies: Account shows as compliant despite non-compliant resources

0

Hi,

I am looking to play around with Tag policies. I've created a policy which states I expect Name, Owner and Cost Code as mandatory tags.

For Name & Owner I want to enforce any value, on these resource types:
ec2:image
ec2:instance
ec2:security-group
ec2:snapshot
ec2:volume

For Cost Code, same resources and 1 of 3 values:
123456789
3324234423
342423234

Now, when I apply my policy and evaluation has run on my account, it shows as "Compliant".

This is false.

I have a test instance (plus random resources scattered around) which definitely do not have the 3 tags which I'd expect to show up as non-compliant.

Any ideas what is going on?
See my tweet about this for screenshots:
https://twitter.com/nmyster/status/1199976433810100224?s=20

I don't believe this is an EC2 problem, but it is EC2 resources I am looking to report on. I appreciate this is a new feature, but I would hope to have got something back from it.

Neil

njsn
Asked 4 years ago, 985 views
3 answers
0
Accepted answer

Hi - This extract from the documentation explains why your resources without tags are being called compliant -

"Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged.

For example, a tag policy can specify that when the CostCenter tag is attached to a resource, it must use the case treatment and tag values that the tag policy defines.

Untagged resources or tags that aren't defined in the tag policy aren't evaluated for compliance with the tag policy."

In other words, you cannot use Tag Policies to require resources to have tags. Tag Policies help you check the compliance of resources that are already tagged.

Link to documentation that explains this further: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html#what-are-tag-policies

If you want to prevent AWS resources from being created without tags in the first place, you can use Service Control Policies (SCPs): https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create

A best practice would be to use Tag Policies to first identify all the noncompliant tagged resources, correct them, then turn on enforcement [ https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html ] to prevent any noncompliant changes to these tags. Next, use SCPs to prevent resources being created without tags.

Edited by: santosh-aws on Dec 2, 2019 3:33 PM

Edited by: santosh-aws on Dec 2, 2019 3:41 PM

Answered 4 years ago
Expert
Reviewed 8 months ago
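As an added example, not taken from this thread or from the AWS documentation it links, here is an SCP in the shape of the linked "require tag on create" example, adapted to the three tags from the question; it assumes the Cost Code key is spelled `CostCode` (a tag key without the space) and that the denied actions are limited to EC2 instances and volumes. Each required key gets its own statement because several keys under one `Null` block are ANDed, so one block listing all three would only deny a request missing all of them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateWithoutNameTag",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Name": "true" }
      }
    },
    {
      "Sid": "DenyCreateWithoutOwnerTag",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Owner": "true" }
      }
    },
    {
      "Sid": "DenyCreateWithoutApprovedCostCode",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/CostCode": ["123456789", "3324234423", "342423234"]
        }
      }
    }
  ]
}
```

`StringNotEquals` also matches when the key is absent from the request, so the third statement denies both a missing CostCode and a value outside the allowed list. Tags changed after creation are not covered by this SCP; that is the part the tag policy (with enforcement turned on) handles.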
0

Thank you for this! Turns out I should read more before jumping in!

I've now managed to get Tag Policies to do something useful. I certainly think this would be 10x more useful if you could include resources where the tag doesn't exist when it should, and be able to use Tag Policy to enforce the existence of a tag on creation/update.

I'm aware IAM can do this, but the one source to rule them would be ideal.

njsn
Answered 4 years ago
0

How did you go with this? I have implemented a tagging policy.

But should this mean that if I apply a non-compliant tag to an existing resource it will find it?

Created a non-compliant tag on purpose and then tried searching for non-compliance from the resource groups tag policy page. It hasn't found the non-compliant tag.

Roarkz
Answered 3 years ago
