Tagging policy at account level

0

I tried to define a tagging policy (for ec2 instance) at Org level and have attached to a child account. JSON looks something like below. I’m not able to see any tags after instance creation in the child account. However, if I try to manually add the tag for same key, it does evaluate as per the policy . Say - I can define a tag with key as ‘Function’ and value as ‘Devops’ , I’m not allowed add a tag with other value with the Function as key . Is this the expected behaviour, any leads ?

{
    "tags": {
        "Function": {
            "tag_key": {  
                "@@assign": "Function"  
            },  
            "tag_value": {  
                "@@assign": [  
                    "Devops",  
                    "DevOps"  
                ]  
            },  
            "enforced_for": {  
                "@@assign": [  
                    "ec2:elastic-ip",  
                    "ec2:instance",  
                    "ec2:volume"  
                ]  
            }  
        },  
        "Name": {  
            "tag_key": {  
                "@@assign": "Name"  
            },  
            "enforced_for": {  
                "@@assign": [  
                    "ec2:instance"  
                ]  
            }  
        },  
        "Instance Owner": {  
            "tag_key": {  
                "@@assign": "Instance Owner"  
            },  
            "tag_value": {  
                "@@assign": [  
                    "*example.com"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "ec2:instance"
                ]
            }
        }
    }
}
asked 4 years ago547 views
1 Answer
0
Accepted Answer

This is the expected behaviour; Tag Policies only enforce values for tags which are present and do not enforce the presence of a tag: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-enforcement.html

As alternatives you could specify in the IAM policy that the tag must be specified on creation of the resource, and/or you can use AWS Config to report compliance on tag presence or not.

profile pictureAWS
EXPERT
James_S
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions