AWS Cloud Operations & Migrations Blog
Implement AWS resource tagging strategy using AWS Tag Policies and Service Control Policies (SCPs)
AWS lets us assign metadata to AWS resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and a value that makes it easier to manage, search for, and filter AWS resources. Tagging can be an effective scaling mechanism for implementing cloud management and governance strategies. Tags can simplify attribute-based access control (ABAC), as well as streamline automation and operations processes, grouping of resources for enhanced visibility, and effective cost management.
Without tags, managing your resources effectively can become difficult as you continue to utilize more AWS services. Companies of any size face the challenge of having a centralized framework or programmatic controls to enforce consistent tagging on cloud resources. This post will walk you through how to build and enrich cloud management and governance practices by utilizing AWS Organizations to create Tag Policies and Service Control Policies. We guide you in enforcing the standardization of tags, denying AWS resource creation if a specific tag is missing, and denying users from deleting existing tags on AWS resources.
Tag Policies
- Tag policies are a policy type that can help you standardize tags across resources in your AWS Organization.
- When a tag policy is applied to your AWS account, users are unable to create resources using noncompliant tags.
- You can enforce specific tag policies by choosing the option ‘prevent non-compliant operations for this tag’ and selecting the resource types that support tag policy enforcement.
- The AWS services and resource types that support enforcement using tag policies are listed in the AWS Organizations documentation.
Service Control Policies (SCPs)
- SCPs are a policy type that you can utilize to manage permissions across accounts in your AWS Organization.
- Using SCPs lets you ensure that your accounts stay within your organization’s access control guidelines.
- SCPs can be used alongside tag policies to ensure that the tags are applied at resource creation time and remain attached to the resource.
Policies in AWS Organizations enable you to apply additional types of management to your AWS accounts. In this solution, we enable tag policies from AWS Organizations, create the appropriate tag policy, and attach the policy to the target member account. Then, utilizing service control policies (SCPs), we define guardrails, or set limits, on the actions that an IAM user or role can perform in the target member account. Using tag policies and SCPs does not incur any additional charge.
This solution covers detailed steps, including reusable policy templates to:
- Apply and enforce a standardized tagging policy during AWS resource creation.
- Deny AWS resource creation if a specific tag is missing.
- Deny users from deleting specific tags on AWS resources.
For this walkthrough, you need the following prerequisites:
- AWS Account
- AWS IAM admin user or role in your management account
- AWS Organization
- AWS Organizations – Tag policies
- AWS Organizations – Service control policies
Step 1: Creating Tag Policy
First, sign in to the organization’s management account and enable Tag policies for your AWS Organization.
The following steps help you create standardized tags during Amazon EC2 resource creation. Utilize this tag policy to define the tag keys costcenter and team, as well as their allowed values (including how the tag keys and values are capitalized).
You can also create a tag policy by simply copying the following JSON template and pasting it in the Tag policy –> JSON editor.
Once the tag policy is created, make sure to attach it to the target OU/Account.
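The tag policy document described in this step, as an added example that is not the post's own JSON template: the `costcenter` and `team` keys are enforced for EC2 instances and volumes, and a small checker reproduces the compliance rules (exact key capitalization, value from the allowed list, enforcement only for the listed resource types). The allowed values `100`, `200`, `platform` and `data` are constructed placeholders, since the post does not list its values, and the checker is a local model of the rules rather than the AWS compliance engine.

```python
import json

# Tag policy document (AWS Organizations tag policy syntax). The allowed
# values are constructed placeholders; replace them with your own values.
TAG_POLICY = {
    "tags": {
        "costcenter": {
            "tag_key": {"@@assign": "costcenter"},
            "tag_value": {"@@assign": ["100", "200"]},
            "enforced_for": {"@@assign": ["ec2:instance", "ec2:volume"]},
        },
        "team": {
            "tag_key": {"@@assign": "team"},
            "tag_value": {"@@assign": ["platform", "data"]},
            "enforced_for": {"@@assign": ["ec2:instance", "ec2:volume"]},
        },
    }
}


def tag_policy_json() -> str:
    """Return the document as JSON text to paste into the Tag policy JSON editor."""
    return json.dumps(TAG_POLICY, indent=2)


def evaluate_tags(tags: dict, resource_type: str) -> dict:
    """Model how the tag policy judges a set of tags on one resource.

    Rules modelled (a local simplification, not the AWS engine):
    - a key that matches a governed key case-insensitively but with different
      capitalization is noncompliant;
    - a governed key whose value is not in the allowed list is noncompliant;
    - a noncompliant tag is only *denied* when the resource type is listed in
      that key's enforced_for; otherwise it is merely reported as noncompliant;
    - keys the policy does not govern (for example "Name") are ignored;
    - absence of a governed key is NOT a violation: tag policies check values,
      not presence, which is why the post adds an SCP in Step 2.
    """
    violations = []
    denied = False
    for rule in TAG_POLICY["tags"].values():
        key = rule["tag_key"]["@@assign"]
        allowed = rule["tag_value"]["@@assign"]
        enforced = resource_type in rule["enforced_for"]["@@assign"]
        for k, v in tags.items():
            if k.lower() != key.lower():
                continue  # a different tag key; not governed by this rule
            if k != key:
                violations.append(f"key {k!r} must be spelled {key!r}")
            elif v not in allowed:
                violations.append(f"value {v!r} for {key!r} is not in {allowed}")
            else:
                continue  # this tag is compliant
            denied = denied or enforced
    return {"compliant": not violations, "denied": denied, "violations": violations}


if __name__ == "__main__":
    print(tag_policy_json())
    print(evaluate_tags({"CostCenter": "100", "team": "platform"}, "ec2:instance"))
```

Running the module prints the JSON to paste into the editor and shows that `CostCenter` (wrong capitalization) on an EC2 instance is both noncompliant and denied, while the same tag on a resource type outside `enforced_for` is only reported on the compliance page.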
Checking Tag Policy Compliance
Once this policy is created and attached to the target account, check the policy compliance by visiting the Tag policies page in the Resource Groups console (AWS Resource Groups -> Tagging -> Tag Policies).
You have just created a tag policy that prevents the AWS account from creating an EC2 instance with noncompliant costcenter and team tags. Now, utilizing SCPs, we will ensure that every new EC2 instance carries these tags, and that the tags remain attached to the resources.
Step 2: Creating Service Control Policy – Enforce tagging at resource creation
Tag Policy only enforces the accepted value of a tag, and not its presence. Therefore, users (with appropriate IAM permissions) would still be able to create untagged resources. To restrict the creation of an AWS resource without the appropriate tags, we will utilize SCPs to set guardrails around resource creation requests.
Sign in to the organization’s management account and enable SCPs for your organization.
Now, let’s create an SCP that denies Amazon EC2 instance creation if the tag keys costcenter and team and their allowed values in the Tag Policy (including how the values are capitalized) are missing.
Utilize Add actions to choose an AWS service, and Add resource to choose the service whose resources you want to control from the list. Then, utilize Add condition to define which condition keys you want to include in your policy.
You can also create an SCP policy using the SCP –> JSON editor. The following policy denies Amazon EC2 launch if the tag key costcenter and the tag key team are missing.
Step 3: Creating Service Control Policy – Deny tag deletion
Now, let’s create another SCP that prevents users from deleting the tag keys costcenter and team after they have been created. Create this SCP by simply copying the following JSON template and pasting it in the SCP –> JSON editor. Alternatively, you can build the SCP by using the ‘Create policy’ wizard.
Once the SCPs are created, make sure that you attach them to the target OU/Account.
Step 4: Validation
Sign in to the target member account, create an EC2 instance, and run the tests below.
| Tag enforcement test | Outcome | Expected result |
|---|---|---|
| without tags | launch failed | Yes |
| with random tag key and value | launch failed | Yes |
| with tag key costcenter and wrong tag value | launch failed | Yes |
| with tag key team only and correct tag value | launch failed | Yes |
| with both tag keys (costcenter & team) and correct tag value | launch success | Yes |
The following screenshot shows a ‘failed EC2 instance launch’ error message due to tag enforcement.
Once the EC2 instance is created, try to delete the tags.
| Tag enforcement test | Outcome | Expected result |
|---|---|---|
| add a new random tag key / value | success | Yes |
| remove the random tag key / value | success | Yes |
| remove the tag costcenter | error | Yes |
| remove the tag team | error | Yes |
The following screenshot shows a ‘failed to delete tags’ error message due to tag enforcement.
Quotas for AWS Organizations
The number of policies that you can attach to an entity (root, OU, and account) is subject to quotas for AWS Organizations. If need be, the following policy illustrates how to combine the SCPs described above into a single SCP while still being within the quota.
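The combined SCP described here, serving Steps 2 and 3 and the validation tables of Step 4, as an added example that is not the post's own JSON template: one policy document carries the `Deny ec2:RunInstances` statements for a missing or disallowed `costcenter`/`team` tag and the `Deny ec2:DeleteTags` statement for those keys, and a simplified evaluator runs the Step 4 test cases against it. The allowed values are the same constructed placeholders as in Step 1; the evaluator only models the three condition operators this policy uses (`Null`, `StringNotEquals`, `ForAnyValue:StringEquals`) and is not the IAM policy engine, and the `Sid` names are assumptions.

```python
import json

# Constructed placeholder values; use the same list as in your tag policy.
ALLOWED = {"costcenter": ["100", "200"], "team": ["platform", "data"]}
INSTANCE_RESOURCES = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]


def _deny_missing(key: str) -> dict:
    """Deny RunInstances when the request carries no tag with this key."""
    return {"Sid": f"DenyRunInstancesWithout{key.capitalize()}", "Effect": "Deny",
            "Action": "ec2:RunInstances", "Resource": INSTANCE_RESOURCES,
            "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}}}


def _deny_wrong_value(key: str) -> dict:
    """Deny RunInstances when the tag is present but its value is not allowed."""
    return {"Sid": f"DenyRunInstancesBad{key.capitalize()}", "Effect": "Deny",
            "Action": "ec2:RunInstances", "Resource": INSTANCE_RESOURCES,
            "Condition": {"StringNotEquals": {f"aws:RequestTag/{key}": ALLOWED[key]}}}


# One policy document instead of two, to stay within the Organizations quota.
SCP = {"Version": "2012-10-17", "Statement": [
    _deny_missing("costcenter"), _deny_wrong_value("costcenter"),
    _deny_missing("team"), _deny_wrong_value("team"),
    {"Sid": "DenyDeleteGovernanceTags", "Effect": "Deny",
     "Action": "ec2:DeleteTags", "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["costcenter", "team"]}}},
]}


def scp_json() -> str:
    """Return the combined SCP as JSON text for the SCP JSON editor."""
    return json.dumps(SCP, indent=2)


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Simplified evaluation of the operators used above (all blocks are ANDed)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if op == "Null":
                if (key not in ctx) != (want == "true"):
                    return False
            elif op == "StringNotEquals":
                # Simplification: a missing key is already denied by the Null
                # statement, so only a present key is compared here.
                if key not in ctx or ctx[key] in want:
                    return False
            elif op == "ForAnyValue:StringEquals":
                if not set(ctx.get(key, [])) & set(want):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled")
    return True


def scp_allows(action: str, ctx: dict) -> bool:
    """True when no Deny statement matches. SCPs only take permission away;
    the principal's IAM policies must still grant the action."""
    return not any(st["Action"] == action and _condition_matches(st["Condition"], ctx)
                   for st in SCP["Statement"])


def launch_allowed(tags: dict) -> bool:
    return scp_allows("ec2:RunInstances", {f"aws:RequestTag/{k}": v for k, v in tags.items()})


def delete_allowed(keys: list) -> bool:
    return scp_allows("ec2:DeleteTags", {"aws:TagKeys": list(keys)})


def validate() -> list:
    """Re-run the Step 4 tables; each entry is (test, observed, expected)."""
    launch = [("without tags", {}, False),
              ("random tag key and value", {"foo": "bar"}, False),
              ("costcenter with wrong value", {"costcenter": "999"}, False),
              ("team only, correct value", {"team": "platform"}, False),
              ("both keys, correct values", {"costcenter": "100", "team": "platform"}, True)]
    delete = [("remove random tag", ["foo"], True),
              ("remove costcenter", ["costcenter"], False),
              ("remove team", ["team"], False)]
    return ([(n, launch_allowed(t), e) for n, t, e in launch]
            + [(n, delete_allowed(k), e) for n, k, e in delete])


if __name__ == "__main__":
    print(scp_json())
    for name, observed, expected in validate():
        print(f"{'ok ' if observed == expected else 'FAIL'} {name}: allowed={observed}")
```

The `DenyDeleteTags` statement uses `Resource: "*"` because the guardrail should cover every EC2 resource type that carries the tags, not just instances; the `RunInstances` statements are scoped to the instance and volume ARNs so that tags on other resources created by the same call are not affected. Remember that SCPs never apply to the management account itself, so validate from a member account as Step 4 does.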
By combining the AWS Tag Policies and SCPs explained in this post, customers can achieve consistency in coverage, discoverability, and enforcement of resource tags through a centralized tagging governance framework. Companies of any size can adopt this proactive approach to resource tagging enforcement as part of the broader cloud governance framework. This framework will simplify attribute-based access control (ABAC), as well as streamline automation and operations processes, grouping of resources for enhanced visibility, and better cost management.
AWS Tag Policies and SCPs are available from the AWS Management Console, AWS Command Line Interface (CLI), and through the AWS SDKs. Utilize AWS CloudFormation to create and provision the Tag Policies and SCPs in an orderly and predictable fashion. For further reading, refer to AWS Well-Architected Framework to apply best practices in the design, delivery, and maintenance of AWS environments. We are here to help, and if you need further assistance in implementing a tagging governance framework for your AWS environment, reach out to AWS Support and your AWS account team.