By using AWS re:Post, you agree to the Terms of Use
/How to enforce tags while creating any kind of resource in AWS?/

How to enforce tags while creating any kind of resource in AWS?


I want create a IAM policy/Tagging policy / SCP that should allow me to enforce user to create/add tags that are mandatory(mentioned in the policy), when they create resource(EC2,S3,VPC etc) on AWS.

2 Answers
answered 5 months ago
  • when I am assigning SCP to Organization unit I am getting this error."You can apply SCPs to only member accounts in an organization. They have no effect on users or roles in the management account"


This can be achieved in 3 ways :

  1. two features: tag-based access control's RequestTag IAM condition key and Tag Policies. The RequestTag condition forces services which support that IAM condition key to supply tags during resource creation (or tag mutation requests) and their Organization's Tag Policy stipulates what tags must be present on supported resources at creation time or during tag mutations. Here's a sample RequestTags policy:

  1. By Using Preventive guardrails using AWS Control Tower which prevents resource creation if tags are not allocated.

Details :

  1. using AWS Service Catalog to provision resources with launch constraints :

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions