- Newest
- Most votes
- Most comments
You can use AWS Tagging Policies and SCPs. More details in the blog below:
This can be achieved in 3 ways :
-
two features: tag-based access control's RequestTag IAM condition key and Tag Policies. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests The RequestTag condition forces services which support that IAM condition key to supply tags during resource creation (or tag mutation requests) and their Organization's Tag Policy stipulates what tags must be present on supported resources at creation time or during tag mutations. Here's a sample RequestTags policy: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#example-require-tag-on-create
-
By Using Preventive guardrails using AWS Control Tower which prevents resource creation if tags are not allocated. Details : https://getstarted.awsworkshop.io/05-extend/03-guardrails.html https://docs.aws.amazon.com/controltower/latest/userguide/guardrails.html
-
using AWS Service Catalog to provision resources with launch constraints : https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-launchconstraint.html
A more flexible solution that enables you to trigger automation if the resource is noncompliant is described here: https://aws.amazon.com/blogs/mt/implementing-automated-and-centralized-tagging-controls-with-aws-config-and-aws-organizations/
Relevant content
- asked 2 years ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 2 years ago
when I am assigning SCP to Organization unit I am getting this error."You can apply SCPs to only member accounts in an organization. They have no effect on users or roles in the management account"