You can generate a report that lists all tagged resources in accounts across your organization and whether each resource is compliant with the effective tag policy.
You can generate the report from your organization's management account in the us-east-1 AWS Region only. The account generating the report must have access to an Amazon S3 bucket in the US East (N. Virginia) Region. The bucket must have an attached bucket policy as shown in Amazon S3 bucket policy for storing report.
To generate an organization-wide compliance report, you must have the following permissions:
* organizations:DescribeEffectivePolicy
* tag:StartReportCreation
* tag:DescribeReportCreation
* tag:GetComplianceSummary
To generate an organization-wide compliance report (console)
* Open the Tag Policies console.
* Choose the This organization root tab, and near the bottom of the page, choose Generate report.
* On the Generate report screen, specify where to store the report.
* Choose Start exporting.
When the report is complete, you can download it from the Noncompliance report section on the Organization root tab.
Reference: Evaluating organization-wide compliance - https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-policies-orgs-evaluating-org-wide-compliance.html
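The same report can be driven through the API operations behind the three tag: permissions listed in the answer. The sketch below is an added example, not part of the original answer or AWS's own code; the bucket name is a placeholder, and the client is passed in so the polling and pagination logic can be exercised without AWS access.

```python
import time

REGION = "us-east-1"  # per the answer: the report can only be generated in us-east-1


def generate_compliance_report(client, bucket, poll_seconds=30, max_polls=120,
                               sleep=time.sleep):
    """Start the organization-wide report and wait for it; returns its S3 location."""
    client.start_report_creation(S3Bucket=bucket)        # needs tag:StartReportCreation
    for _ in range(max_polls):
        status = client.describe_report_creation()       # needs tag:DescribeReportCreation
        state = status.get("Status")
        if state == "SUCCEEDED":
            return status["S3Location"]
        if state == "FAILED":
            raise RuntimeError(status.get("ErrorMessage", "report creation failed"))
        sleep(poll_seconds)                              # RUNNING: keep waiting
    raise TimeoutError("report still running after the polling limit")


def noncompliant_by_account(client):
    """Sum noncompliant resource counts per target (needs tag:GetComplianceSummary)."""
    totals, token = {}, ""
    while True:
        kwargs = {"GroupBy": ["TARGET_ID"]}
        if token:
            kwargs["PaginationToken"] = token
        page = client.get_compliance_summary(**kwargs)
        for row in page.get("SummaryList", []):
            count = row.get("NonCompliantResources", 0)
            if count > 0:
                totals[row["TargetId"]] = totals.get(row["TargetId"], 0) + count
        token = page.get("PaginationToken", "")
        if not token:                                    # empty token: last page
            return totals


if __name__ == "__main__":
    import boto3  # run with management-account credentials holding the permissions above
    tagging = boto3.client("resourcegroupstaggingapi", region_name=REGION)
    # "example-report-bucket" is a placeholder; the bucket needs the report bucket policy
    print(generate_compliance_report(tagging, "example-report-bucket"))
    print(noncompliant_by_account(tagging))
```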
Thanks prabpran! That did indeed provide the info I needed. One thing to note for future users: there does not appear to be a way to kick off an evaluation of the policies manually, so you just need to wait until the system does. In my case, I had waited about 8 hours and the report didn't pick up my noncompliant resources. When I checked 12 hours later (20 hours total), it did show the noncompliant resources.