This is my go-to blog for topics around tagging strategies and tagging enforcement.
Tagging policies don't necessarily enforce tagging; they are mainly there to validate the values permitted for specific tags. If you completely omit the tag you will not get a message letting you know tags are missing. In order to enforce tagging you have to implement SCPs and attach them to OUs or accounts. You can include statements in the SCP to prevent users from updating/changing the tags once the resources have been provisioned. The blog walks you through the whole process. I have had issues copy-pasting the policies used in the blog, so double-check for trailing commas, closing curly braces, or double quotes being replaced with invalid quote characters.
Another thing to keep in mind is that the error messages shown when SCPs deny requests are encoded for security purposes. In order to get information as to why the request failed you will have to decode the message. Check this post out for instructions to decode the message.
Let me know if you have any other questions or if anything needs clarification.
Tagging policies are not the way to allow or deny the creation of resources, as they only prevent noncompliant tagging requests from completing on the specified resource types. Also, not all resource types support enforcing compliance (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html#enforcement-correcting). If you are looking to do so, you should use an IAM policy or SCP: https://repost.aws/knowledge-center/iam-policy-tags-restrict https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html.
Hi,
And could I configure an SCP to enforce tagging for all AWS resources? Something like `Resource: *` for mandatory tags? In this way I could avoid users creating resources without tags.
Hi Orlando, Yes, you can use a wildcard in the `Resource` section of the SCP (SCP syntax). Just keep in mind that, as you mention, this will prevent the creation of any resources that aren't tagged. There are some resources that are created automatically or as a result of configuration options when provisioning certain types of resources, for example security groups when provisioning EC2 instances, or execution roles when provisioning Lambda functions, etc. It may not be immediately obvious how to tag the "associated" resources when going through the console wizard. I recommend attaching the SCP to a test OU and trying to provision the resources that you typically would; it may turn out that the SCP is overly restrictive. Please let me know if you have any other questions. If this answers your question, would you mind marking the answer as accepted? Thanks.

Hi Orlando, Do you have any other questions? If not, would you mind marking my answer as accepted?