AWS Cloud Operations Blog

Enforce consistent tagging across IaC deployments with AWS Organizations Tag Policies

Organizations manage thousands of AWS resources across multiple accounts and Regions to support their business operations. They want consistent tagging to support essential workflows such as attribute-based access control (ABAC), cost allocation, organizing resources by project, application, owner or environment, and triggering automated processes based on tag criteria. Many customers use Infrastructure as Code (IaC) tools like AWS CloudFormation, Terraform, and Pulumi to automate infrastructure deployments, reduce manual errors, and maintain consistent environments across development, staging, and production.

Customers use IaC to automate their infrastructure deployments; however, they face challenges in maintaining tagging consistency across different IaC tools, as each provider has its own policy engine and syntax. Additionally, traditional tagging governance requires separate policies and enforcement mechanisms for each IaC tool, resulting in configuration drift and compliance gaps. Beyond IaC deployment, different teams need consistently tagged resources for cost allocation, compliance requirements, and resource tracking across AWS, on-premises, and multi-cloud environments. As a result, teams spend significant time building custom validation scripts, implementing tool-specific hooks, and manually remediating non-compliant resources across inconsistent enforcement layers.

AWS Organizations Tag Policies now eliminates this complexity with “Enforce Required tags for IaC,” so that enterprises can define tagging requirements once and enforce them consistently across CloudFormation, Terraform, and Pulumi deployments. This new capability validates IaC templates and code against your tag policies before resources are created, preventing non-compliant deployments and ensuring consistent governance across your entire infrastructure pipeline. Customers can now maintain unified tagging standards without building separate enforcement mechanisms for each IaC tool, reducing operational overhead while strengthening compliance and cost management capabilities.

In this blog, we will walk you through setting up required tags through CloudFormation to standardize consistent resource tagging across accounts and Regions.

Prerequisites

Setting Up Required Tag Validation for CloudFormation

You can implement required tags for CloudFormation in two steps: (1) update your tag policy to include the validation requirements, and (2) activate the AWS-managed hook that performs the validation.

This process ensures that all CloudFormation deployments are automatically checked against your organization’s tagging standards before resources are created.

Step 1: Define Your Tag Policy with Required Tag Validation

In your AWS Organizations management account, navigate to Policies > Tag Policies and modify your existing tag policy or create a new one that includes the report_required_tag_for field. This field tells AWS which tag keys are mandatory for resource creation and should be validated during CloudFormation deployments. Your tag policy should specify the required tag keys and optionally define allowed values for those tags.

For example, you might require all EC2 instances and S3 buckets to have a “CostCenter” tag, with specific allowed values such as “Finance”, “Engineering”, and “Marketing”. The policy below applies the same pattern to an “Environment” tag that is required on all supported EC2 resource types:

{
  "tags": {
    "Environment": {
      "tag_key": {
        "@@assign": "Environment"
      },
      "tag_value": {
        "@@assign": ["Prod", "Test", "Dev"]
      },
      "report_required_tag_for": {
        "@@assign": ["ec2:ALL_SUPPORTED"]
      }
    }
  }
}
[Figure 1] Tag Policy in visual editor in AWS Organization policies

Step 2: Activate the AWS::TagPolicies::TaggingComplianceValidator CloudFormation Hook

After setting up your execution role, activate the AWS::TagPolicies::TaggingComplianceValidator hook. This is an AWS-managed hook that integrates with CloudFormation’s deployment process to validate templates against your tag policies.

You can deploy the CloudFormation Hook in every AWS account and Region where you want to enforce tagging compliance. You can find the hook among the public extensions with AWS as the publisher. For more information on public hooks, see Publishing Hooks for public use.

[Figure 2] CloudFormation catalog of AWS managed Hooks.

Activate the AWS::TagPolicies::TaggingComplianceValidator Hook with the execution role you created.

[Figure 3] Select AWS::TagPolicies::TaggingComplianceValidator Hook from the list of AWS managed Hooks

[Figure 4] Description page for AWS::TagPolicies::TaggingComplianceValidator CloudFormation Hook

You can then configure the hook. The hook can be configured in two modes: warn mode, which allows deployments to proceed while generating warnings for missing required tags, and fail mode, which blocks deployments that do not meet tagging requirements. Choose the appropriate mode based on your organization’s risk tolerance and rollout strategy.

[Figure 5] Activate the extension button for the hook

[Figure 6] Configuring AWS::TagPolicies::TaggingComplianceValidator Hook for WARN or FAIL mode

Enter the following configuration JSON on the hook configuration page to use FAIL mode:

{"CloudFormationConfiguration":{"HookConfiguration":{"HookInvocationStatus": "ENABLED", "FailureMode": "FAIL", "TargetOperations": ["STACK"], "Properties":{}}}}

If you want to use WARN mode instead, use the following configuration. To learn more about CloudFormation Hooks, visit CloudFormation Hooks concepts.

{"CloudFormationConfiguration":{"HookConfiguration":{"HookInvocationStatus": "ENABLED", "FailureMode": "WARN", "TargetOperations": ["STACK"], "Properties":{}}}}
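To make concrete what the hook checks, here is an added example (not AWS's hook implementation) that applies the tag policy from Step 1 and the hook configuration above to a constructed template locally, so you can see which resources would be reported and how FailureMode changes the outcome. The mapping from a CloudFormation resource type to a tag-policy service prefix is an assumption that only needs to hold for the EC2 and S3 types used here.

```python
# Added example (not AWS's hook code): a local pre-deployment check that applies the
# post's tag policy and hook configuration to a constructed CloudFormation template.
# The CloudFormation-type -> service-prefix mapping is an assumption for EC2/S3 only.
import json

TAG_POLICY = {"tags": {"Environment": {  # tag policy from the post
    "tag_key": {"@@assign": "Environment"},
    "tag_value": {"@@assign": ["Prod", "Test", "Dev"]},
    "report_required_tag_for": {"@@assign": ["ec2:ALL_SUPPORTED"]}}}}

# Hook configuration from the post, parsed as JSON; switch FailureMode to WARN to compare.
HOOK_CONFIG = json.loads('{"CloudFormationConfiguration":{"HookConfiguration":{"HookInvocationStatus": '
                         '"ENABLED", "FailureMode": "FAIL", "TargetOperations": ["STACK"], "Properties":{}}}}')

# Constructed template: compliant instance, disallowed value, untagged volume, uncovered bucket.
TEMPLATE = {"Resources": {
    "GoodInstance": {"Type": "AWS::EC2::Instance", "Properties": {"Tags": [{"Key": "Environment", "Value": "Prod"}]}},
    "BadValue": {"Type": "AWS::EC2::Instance", "Properties": {"Tags": [{"Key": "Environment", "Value": "Staging"}]}},
    "Untagged": {"Type": "AWS::EC2::Volume", "Properties": {}},
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}}

def service_prefix(cfn_type):
    """'AWS::EC2::Instance' -> 'ec2' (assumed mapping: lower-cased service segment)."""
    return cfn_type.split("::")[1].lower()

def find_violations(template, policy):
    """List (logical_id, tag_key, reason) for every resource breaking a required-tag rule."""
    violations = []
    for name, rule in policy["tags"].items():
        key = rule.get("tag_key", {}).get("@@assign", name)
        allowed = rule.get("tag_value", {}).get("@@assign")          # None means any value is fine
        scopes = rule.get("report_required_tag_for", {}).get("@@assign", [])
        services = {s.split(":")[0] for s in scopes}                 # 'ec2:ALL_SUPPORTED' -> 'ec2'
        for logical_id, res in template["Resources"].items():
            if service_prefix(res["Type"]) not in services:
                continue                                             # policy does not cover this service
            tags = {t["Key"]: t["Value"] for t in res.get("Properties", {}).get("Tags", [])}
            if key not in tags:
                violations.append((logical_id, key, "missing"))
            elif allowed is not None and tags[key] not in allowed:
                violations.append((logical_id, key, "value %r not allowed" % tags[key]))
    return violations

def evaluate(template, policy, hook_config):
    """Outcome the hook would report: SUCCESS, or FailureMode (FAIL/WARN) when violations exist."""
    cfg = hook_config["CloudFormationConfiguration"]["HookConfiguration"]
    if cfg["HookInvocationStatus"] != "ENABLED" or not find_violations(template, policy):
        return "SUCCESS"
    return cfg["FailureMode"]
```

With the FAIL configuration the constructed template is rejected because of BadValue and Untagged; the S3 bucket is ignored because the policy only scopes ec2.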

This is the page shown once the hook is activated.

[Figure 7] Successful hook activated

You can also activate the AWS::TagPolicies::TaggingComplianceValidator CloudFormation Hook via the CLI:

➜ aws cloudformation activate-type \
    --type HOOK \
    --type-name AWS::TagPolicies::TaggingComplianceValidator \
    --execution-role-arn arn:aws:iam::975050053660:role/MyHookExecutionRole \
    --publisher-id aws-hooks \
    --region us-east-1
{
    "Arn": "arn:aws:cloudformation:us-east-1:975050053660:type/hook/AWS-TagPolicies-TaggingComplianceValidator"
}

You can configure WARN or FAIL mode for the AWS::TagPolicies::TaggingComplianceValidator Hook via the CLI:

 ➜ aws cloudformation set-type-configuration \
  --configuration '{"CloudFormationConfiguration":{"HookConfiguration":{"HookInvocationStatus": "ENABLED", "FailureMode": "FAIL", "TargetOperations": ["STACK"], "Properties":{}}}}' \
  --type-arn "arn:aws:cloudformation:us-east-1:975050053660:type/hook/AWS-TagPolicies-TaggingComplianceValidator" \
  --region us-east-1
{
    "ConfigurationArn": "arn:aws:cloudformation:us-east-1:975050053660:type-configuration/hook/AWS-TagPolicies-TaggingComplianceValidator/default"
}

Step 3: Deploy Across Multiple Accounts with CloudFormation StackSets (optional)

For organizations managing multiple AWS accounts, you can use AWS CloudFormation StackSets to activate the tagging compliance CloudFormation Hook across all accounts and Regions simultaneously. StackSets eliminate the need to manually configure each account, ensuring consistent tagging enforcement throughout your AWS Organization.

Create a CloudFormation template that defines the hook activation and configuration, then deploy it using StackSets to target your Organizational Units (OUs) or specific accounts. This approach guarantees uniform tagging compliance across your entire AWS environment and simplifies ongoing management of the enforcement mechanism.

Resources:
  # Create Hook execution role
  MyHookExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyHookExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - resources.cloudformation.amazonaws.com
                - hooks.cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: HookExecutionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - tag:ListRequiredTags
                Resource: '*'
  
  # Activate the AWS-managed hook type
  MyHookActivation:
    Type: AWS::CloudFormation::TypeActivation
    DependsOn: MyHookExecutionRole
    Properties:
      ExecutionRoleArn: !GetAtt MyHookExecutionRole.Arn
      PublisherId: aws-hooks
      Type: HOOK
      TypeName: AWS::TagPolicies::TaggingComplianceValidator
  
  # Configure the hook
  HookTypeConfiguration:
    Type: AWS::CloudFormation::HookTypeConfig
    DeletionPolicy: Retain
    DependsOn: MyHookActivation
    Properties:
      TypeArn: !GetAtt MyHookActivation.Arn
      Configuration: '{"CloudFormationConfiguration":{"HookConfiguration":{"HookInvocationStatus": "ENABLED", "FailureMode": "FAIL", "TargetOperations": ["STACK"], "Properties":{}}}}'

Once these steps are complete, CloudFormation deploys the stack set instances in the targeted accounts and Regions, and the hook automatically validates every deployment there against your tag policies. Deployments missing required tags will either generate warnings or fail entirely, depending on your configured enforcement mode.

AWS Tag Policies with pre-deployment validation of required tags simplifies cloud governance in your Infrastructure as Code, using CloudFormation as well as Terraform and Pulumi. Your teams can now proactively maintain consistent tagging standards by preventing resources that do not meet your tagging strategy from being created. Required tags for IaC provides tools to strengthen your governance, compliance, access controls, and automation across your AWS Organization and accounts.

To learn how to enforce tagging through Terraform, see Tag Policy Compliance with Terraform.

To learn how to enforce tagging through Pulumi, see Enforce AWS Organizations Tag Policies with Pulumi.

Nereida Woo

Nereida is a WW Specialist Solutions Architect in Cloud Operations focusing on Centralized Operations Management and Application operations on AWS. When she isn't working, she enjoys traveling to attend music concerts.

Parijat Protim Bezbaruah

Parijat is a Lead Product Manager - Tech with AWS CloudFormation and AWS Cloud Control API. He has worked with Amazon as a Product Manager for over 3 years. Beyond work, he likes to paint miniature figurines and DJ for his friends.

Liwei Wang

Liwei is a Senior Software Development Engineer with AWS Resource Management. He has worked with Amazon as a Software Development Engineer for over 9 years. Beyond work, he enjoys traveling around the world, watching movies, and is becoming an NFL fan.

qsshao

Qi is an SDM for AWS Tag Policies, allowing customers to standardize the tags attached to AWS resources in an organization's accounts. She has worked with Amazon for over 9 years. Beyond work, she has set a goal with her daughter to visit every Disney park around the world starting in 2024.