Enforce tagging at the time of resource creation

1

I want to enforce tagging for the management of resources. I am doing this by using AWS Organizations service control policies (SCPs), but I am not able to enforce it and am still able to create resources without tagging them. I have used the policy which is given in the documentation. Can you please give me a snippet of an SCP which is working? I have tried the following policies.

1)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SCP1",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:volume/*"
          ],
          "Condition": {
            "StringEquals": { "aws:RequestTag/Env": "true" }
          }
        }
      ]
    }

2)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyRunInstanceWithNoProjectTag",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:volume/*"
          ],
          "Condition": {
            "StringLike": { "aws:RequestTag/Env": "true" }
          }
        }
      ]
    }

3) and 4) (two statements in one policy)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyRunInstanceWithNoProjectTag",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:volume/*"
          ],
          "Condition": {
            "Null": { "aws:RequestTag/Env": "true" }
          }
        },
        {
          "Sid": "DenyRunInstanceWithNoCostCenterTag",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:volume/*"
          ],
          "Condition": {
            "Null": { "aws:RequestTag/": "true" }
          }
        }
      ]
    }

4 Answers
0

Hi, you may want to follow this detailed blog post: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

It combines SCPs and tag policies. Having proper tag policies in place is key, as per the post:

When a tag policy is applied to your AWS account, users are unable to create resources using noncompliant tags.

You can enforce specific tag policies by choosing the option 'prevent non-compliant operations for this tag', and selecting the resource types that support tag policy enforcement.

Please, also have a look at https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-best-practices.html

Resources that have never had tags attached to them don't show as noncompliant in reports. Account administrators can still create untagged resources. In some cases, you can use a service control policy (SCP) to set guardrails around resource creation requests. For an example SCP, see Require a tag on specified created resources. To learn whether an AWS service supports controlling access using tags, see AWS Services that Work with IAM in the IAM User Guide. Look for the services that have Yes in the Authorization based on tags column. Choose the name of the service to view the authorization and access control documentation for that service.

So, you will have to check this table to see if the services that you use support controlling access using tags.

Best,

Didier

AWS
EXPERT
answered 9 months ago
EXPERT
reviewed 9 months ago
  • Thank you, I have seen this blog earlier but the SCPs mentioned there are not working as expected. Tag policies are working fine and they only prevent users from creating non-compliant tags. I want to enforce tagging in such a way that a user should not be able to create a resource if it is not tagged (any key/value). The user should give a tag to the resource.

0

Hello!

It is hard to help with specifics in this case, but I would double-check if you applied your SCPs correctly. The overview is here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

SCPs affect member accounts in your organization, not users in a management account. You will need to test your policies with a member account, as, if you try the management account, you may encounter your issue where you can still create untagged resources.

There are also exceptions to what SCPs can affect, detailed here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#not-restricted-by-scp

Check to see if you are attempting to use SCPs to do any of these things.

I would also recommend checking if you are using the condition operator that would achieve your use-case of blocking creation without tags. Currently the StringEquals operator would only deny creation with those specific tags. You can double-check which conditions do what with this resource: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

This blog post also may be of use as it goes through creating a tagging strategy step-by-step: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

Again, it is hard to troubleshoot the exact issue without specific details. If you are still encountering issues, I would suggest perhaps reaching out to AWS Technical Support with specifics on your use case.

Mark_G
answered 8 months ago
0

I want to enforce tagging in such a way that a user should not be able to create a resource if it is not tagged (any key/value).

While this is a valid ask, it is impossible to achieve because resource creation and tagging are not always an atomic API operation but 2 separate calls. If you are willing to limit yourself to a small number of services, it would be possible to create an IAM policy to do this, but you would have to explicitly list create actions with appropriate tags in conditions (and then hit the maximum length of a policy pretty soon).

I would recommend focusing on tagging policies to retain high-quality tagging when tags are applied, and then use reporting (and other indirect methods) to encourage applying the tags voluntarily.

EXPERT
Kallu
answered 4 months ago
0

It took me a while but I have this working:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyLambda",
          "Effect": "Deny",
          "Action": [ "lambda:CreateFunction" ],
          "Resource": [ "*" ],
          "Condition": {
            "Null": { "aws:RequestTag/team": "true" }
          }
        }
      ]
    }

Make sure it is attached to the right role as well!

And log out and back in to make sure the new policy is enabled.

tibi
answered 2 months ago
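An added example, not code from anyone in this thread or from AWS: a small model of the three IAM condition operators used in the question's attempts and in tibi's working SCP, run over constructed RunInstances request contexts (the tag keys and values are made up) to show which condition actually denies an untagged request.

```python
"""Added example, not code from this thread or from AWS: a tiny model of the
three IAM condition operators used in the question's SCP attempts, evaluated
against constructed RunInstances request contexts. It shows why StringEquals
and StringLike never deny an untagged request while Null does. Only these
three operators are modelled; real IAM evaluation is much richer."""
import re

# Condition blocks copied from the question's attempts 1, 2 and 3 (tibi's answer uses the Null form).
ATTEMPTS = {
    "1 StringEquals": {"StringEquals": {"aws:RequestTag/Env": "true"}},
    "2 StringLike": {"StringLike": {"aws:RequestTag/Env": "true"}},
    "3 Null": {"Null": {"aws:RequestTag/Env": "true"}},
}


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, request_tags: dict) -> bool:
    """True when every clause matches the request. request_tags maps tag key
    to value, as exposed to policies through aws:RequestTag/<key>; a tag the
    request does not carry is an absent context key."""
    for operator, clauses in condition.items():
        for context_key, expected in clauses.items():
            actual = request_tags.get(context_key.split("/", 1)[1])  # strip "aws:RequestTag/"
            if operator == "Null":
                # "true" asserts the key is absent, "false" that it is present
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringEquals":
                if actual != expected:  # an absent key never equals anything
                    return False
            elif operator == "StringLike":
                if actual is None or not _string_like(expected, actual):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def denied_by(request_tags: dict) -> list:
    """Names of the attempts whose Deny statement would apply to this request."""
    return [name for name, cond in ATTEMPTS.items() if condition_matches(cond, request_tags)]


if __name__ == "__main__":
    for tags in ({}, {"Env": "prod"}, {"Env": "true"}):  # constructed request contexts
        print(tags, "->", denied_by(tags))
```

Only the untagged request trips the Null condition; attempts 1 and 2 deny only a request whose Env tag is literally the string "true", which is the point Mark_G's answer makes about StringEquals.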
