How to enforce tags while creating any kind of resource in AWS?
I want create a IAM policy/Tagging policy / SCP that should allow me to enforce user to create/add tags that are mandatory(mentioned in the policy), when they create resource(EC2,S3,VPC etc) on AWS.
You can use AWS Tagging Policies and SCPs. More details in the blog below:
when I am assigning SCP to Organization unit I am getting this error."You can apply SCPs to only member accounts in an organization. They have no effect on users or roles in the management account"
This can be achieved in 3 ways :
- two features: tag-based access control's RequestTag IAM condition key and Tag Policies.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests The RequestTag condition forces services which support that IAM condition key to supply tags during resource creation (or tag mutation requests) and their Organization's Tag Policy stipulates what tags must be present on supported resources at creation time or during tag mutations. Here's a sample RequestTags policy: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#example-require-tag-on-create
- By Using Preventive guardrails using AWS Control Tower which prevents resource creation if tags are not allocated.
- using AWS Service Catalog to provision resources with launch constraints :
How to perform logical OR with condition for an action in a IAM policyAccepted Answerasked 6 months ago
Unable to create Tag to restrict resource deploymentasked 6 months ago
CloudFormation create-change-set Tags propagationasked 4 months ago
IAM Policy to enforce KMS encryption whenasked 3 months ago
Enforce Encryption on SNS creation by SCPasked 3 months ago
How to enforce tags while creating any kind of resource in AWS?asked 5 months ago
Tag enforcement while creating a new resourceAccepted Answerasked 2 years ago
Update Tags across entire accountAccepted Answerasked 2 years ago
Enforce Tags SCP for DynamoDB is not workingasked 4 months ago
Did not have IAM permissions to process tags on AWS::EC2::Instance resourceasked a year ago