Tag Policies: Account shows as compliant despite non-compliant resources


Hi,

I am looking to play around with Tag policies. I've created a policy which states I expect Name, Owner and Cost Code as mandatory tags.

For Name & Owner, I want to enforce any value on:
ec2:image
ec2:instance
ec2:security-group
ec2:snapshot
ec2:volume

For Cost Code, the same resources and one of three values:
123456789
3324234423
342423234

Now, when I apply my policy and evaluation has run on my account, it shows as "Compliant".

This is false.

I have a test instance (plus random resources scattered around) which definitely do not have the 3 tags which I'd expect to show up as non-compliant.

Any ideas what is going on?
See my tweet about this for screenshots:
https://twitter.com/nmyster/status/1199976433810100224?s=20

I don't believe this is an EC2 problem, but it is EC2 resources I am looking to report on. I appreciate this is a new feature, but I would hope to have got something back from it.

Neil

njsn
asked 4 years ago · 949 views
3 Answers
Accepted Answer

Hi - This extract from the documentation explains why your resources without tags are being called compliant -

"Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged.

For example, a tag policy can specify that when the CostCenter tag is attached to a resource, it must use the case treatment and tag values that the tag policy defines.

Untagged resources or tags that aren't defined in the tag policy aren't evaluated for compliance with the tag policy."

In other words, you cannot use Tag Policies to require resources to have tags. Tag Policies help you check the compliance of tagged resources.

Link to documentation that explains this further https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html#what-are-tag-policies

If you want to prevent AWS resources from being created without tags in the first place, you can use Service Control Policies (SCPs) - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create .

A best practice would be to use Tag Policies to first identify all the noncompliant tagged resources, correct them, and turn on enforcement [ https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html ] to prevent any noncompliant changes to these tags. Next, use SCPs to prevent resources being created without tags.

Edited by: santosh-aws on Dec 2, 2019 3:33 PM

Edited by: santosh-aws on Dec 2, 2019 3:41 PM

answered 4 years ago
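The difference the accepted answer describes, as an added example that is not part of the original thread or of any AWS code: a small model of how tag-policy compliance evaluates only tags whose key is defined in the policy (so an untagged instance produces no finding) next to a require-tag-on-create check of the kind an SCP performs. It assumes the key spelling `CostCode` for the question's "Cost Code", treats a key whose case differs from the policy as the documented case-treatment finding, and does not model the per-resource-type scoping of the policy.

```python
# Constructed model of the two checks; not AWS code, no AWS calls made.

# Tag policy as the question describes it (assumed key spelling "CostCode";
# an empty value list means "any value is accepted").
TAG_POLICY = {
    "Name": [],
    "Owner": [],
    "CostCode": ["123456789", "3324234423", "342423234"],
}
# What an SCP-style "require tag on create" check demands at creation time.
REQUIRED_ON_CREATE = set(TAG_POLICY)

def tag_policy_findings(tags: dict) -> list:
    """Mimic tag-policy compliance as the docs state it: only tags whose key
    is defined in the policy are evaluated. Untagged resources and undefined
    keys are skipped, so they never produce a finding."""
    findings = []
    policy_keys = {k.lower(): k for k in TAG_POLICY}
    for key, value in tags.items():
        canonical = policy_keys.get(key.lower())
        if canonical is None:
            continue  # key not in the policy: not evaluated at all
        if key != canonical:
            findings.append(f"{key}: case differs from policy key {canonical}")
            continue
        allowed = TAG_POLICY[canonical]
        if allowed and value not in allowed:
            findings.append(f"{key}: value {value!r} not in allowed values")
    return findings

def scp_would_deny(tags: dict) -> list:
    """Mimic a require-tag-on-create SCP: list the required keys that are
    missing; a non-empty result means the create request would be denied."""
    return sorted(REQUIRED_ON_CREATE - set(tags))

# Constructed resources resembling the question's test instance.
RESOURCES = {
    "untagged-instance": {},
    "partly-tagged": {"Name": "web-1"},
    "bad-cost-code": {"Name": "web-2", "Owner": "neil", "CostCode": "999"},
    "wrong-case": {"name": "web-3", "Owner": "neil", "CostCode": "123456789"},
    "fully-tagged": {"Name": "web-4", "Owner": "neil", "CostCode": "123456789"},
}

def report() -> dict:
    """Side-by-side result for every constructed resource."""
    return {rid: {"tag_policy": tag_policy_findings(t), "scp_missing": scp_would_deny(t)}
            for rid, t in RESOURCES.items()}

if __name__ == "__main__":
    for rid, r in report().items():
        status = "compliant" if not r["tag_policy"] else r["tag_policy"]
        print(f"{rid}: tag policy -> {status}; SCP would require {r['scp_missing']}")
```

The untagged instance comes out "compliant" under the tag-policy model while the SCP model lists all three missing keys, which is exactly the gap the answer points at.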

Thank you for this! Turns out I should read more before jumping in!

I've now managed to get Tag Policies to do something useful. I certainly think this would be 10x more useful if you could include resources where the tag doesn't exist when it should, and be able to use Tag Policy to enforce the existence of a tag on creation/update.

I'm aware IAM can do this, but one source to rule them all would be ideal.

njsn
answered 4 years ago

How did you go with this? I have implemented a tagging policy.

But should this mean that if I apply a non-compliant tag to an existing resource it will find it?

I created a non-compliant tag on purpose and then tried searching for non-compliance from the Resource Groups tag policy page. It hasn't found the non-compliant tag.

Roarkz
answered 3 years ago
