AWS Tag Policies

In this lab, you’ll learn how to use AWS Tag Policies to help you standardize tags across resources in your AWS Control Tower environment. As an example, you can build a policy to enforce a naming convention for tag keys and values. This can prevent users from entering a tag key or value that does not align with the standard you have established. Standardization is important in tag governance: with consistent tag keys and values, you can analyze usage and spend, drive automation, and achieve predictable results.

Overview

Tag policies are a type of policy that can help you standardize tags across resources in your organization’s accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged. Each tag has two parts:

  • A tag key (for example, CostCenter, Environment, or Project). Tag keys are case sensitive.
  • An optional field known as a tag value (for example, 111122223333 or Production). Omitting the tag value is the same as using an empty string. Like tag keys, tag values are case sensitive.

Important:

  • Tag policies do not mandate or enforce that a certain tag key must be present when creating or updating AWS resources.
  • Tag policy enforcement applies when a certain tag key is present; the policy defines which tag values and which capitalization are allowed.
  • Untagged resources, or tags that aren’t defined in the tag policy, aren’t evaluated for compliance with the tag policy.

For example, a tag policy can specify that when the CostCenter tag is attached to a resource, it must use the case treatment and tag values that the tag policy defines. A tag policy can also specify that noncompliant tagging operations on specified resource types are enforced. In other words, noncompliant tagging requests on specified resource types are prevented from completing. Untagged resources or tags that aren’t defined in the tag policy aren’t evaluated for compliance with the tag policy.

Tag policies are managed from AWS Organizations: you start by creating a tag policy and then attach it to target accounts or OUs.

In the following section, we will create a tag policy to standardize the CostCenter tag with predefined values, and then we will apply it to the target account and run a test. At the end of the lab, we will create a compliance report to evaluate the results.

Prerequisites

  • This lab requires a fully provisioned AWS Control Tower environment and administrator role access to the AWS Control Tower management account.
  • An AWS account for the test; you can use a preexisting account such as the Log Archive or Audit account.

1. Enable Tag Policies

First, you need to enable tag policies before you can start using them.

1.1 Sign in to the AWS Control Tower management account using the Administrator role.

1.2 Navigate to AWS Organizations

1.3 Choose Policies from the side panel.

1.4 Choose Tag policies

1.5 If required, choose Enable tag policies (it’s normal if you don’t see this selection; it means that tag policies have been enabled previously).

1.6 Next, you want to enable tag policies as a trusted service in your AWS Organizations.

1.7 Choose Services from the side panel.

1.8 Locate and choose Tag Policies

1.9 Choose Enable trusted access

1.10 Choose the checkbox “Show the option to enable trusted access for Tag policies without performing additional setup tasks.”

1.11 Type enable in the text box and choose Enable trusted access.

2. Create Tag Policies

Next, let’s create a simple tag policy for CostCenter. For demonstration purposes, we want to enforce the capitalization of CostCenter and set two predefined values, A001 and B001.

2.1 Return to the tag policies console; use this shortcut if needed.

2.2 Choose Create policy

2.3 Set the Policy name, for example: CostCenter

2.4 Choose the Visual editor.

2.5 Enter the Tag key value: CostCenter

2.6 To enforce capitalization compliance, choose the check box “Use the capitalization that you’ve specified above for the tag key”.

2.7 To restrict the tag values to a predefined list, choose the check box “Specify allowed values for this tag key”.

2.8 Choose Specify values and then enter the two predefined values A001 and B001.

2.9 Choose Save changes to confirm.

2.10 To define the scope, choose the check box “Prevent noncompliant operations for this tag”.

2.11 Choose Specify resource types, expand the tree selection and choose ec2:volume.

2.12 Choose Save changes to confirm.

2.13 Your configuration should be similar to the example screenshot below.

2.14 Choose Create policy to finish this step.

3. Understanding Tag policies syntax

Now is a good time to review the tag policy that we just created.

3.1 Return to the tag policies console; use this shortcut if needed.

3.2 Choose the CostCenter policy that you just created.

3.3 Under the Content section, you can see the actual policy document:

{
    "tags": {
        "CostCenter": {
            "tag_key": {
                "@@assign": "CostCenter"
            },
            "tag_value": {
                "@@assign": [
                    "A001",
                    "B001"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "ec2:volume"
                ]
            }
        }
    }
}

3.4 Let’s dive deeper into this tag policy.

  • This policy has a single tag_key set to CostCenter. It then sets tag_value to two allowed options, A001 and B001. Keep in mind that you can create a different policy with the same tag_key set to CostCenter and assign a different tag_value; for example, each OU can have its own tag policy.

  • When defining the tag_value you can use a wildcard to keep it simpler. As an example, you could rewrite the value as A00* to allow any value starting with “A00”.

  • This policy is enforced for specific AWS resource types only, in this case ec2:volume. Keep in mind that at the moment you can’t use the wildcard * to select all resources. However, some services allow you to use a wildcard such as kms:* in your policy statement. Refer to supported resource enforcement for the full list.

  • The @@assign operator overwrites or sets the value. When dealing with only a single policy, the overwrite operator doesn’t bring much value. However, you can use it when you are dealing with multiple policies in a nested OU structure. Since AWS Control Tower does not support nested OUs, we will skip it in this lab.

  • For a detailed example, use the link to refer to types of operators.

  • For the complete reference documentation, please check out Tag policy syntax and examples.

4. Attach Tag policies to target OU

Now let’s attach the tag policy to the target OU.

4.1 Return to the tag policies console; use this shortcut if needed.

4.2 Choose the CostCenter policy that you just created.

4.3 Under the Targets section, choose Attach.

4.4 On the OU selection, choose one account as the target.

  • In this example we will use the Log archive account, but you could choose other accounts as per your preference. If you have completed the Account Factory lab earlier, you could choose that newly vended account as an example.
  • Important: be mindful of the effect of this policy on the target account.
  • Navigate to your Security or Core OU and select the Log archive account.
  • Select Attach policy to confirm.

In practice, you could attach the policy at the OU level instead of the account level. In this lab, to minimize impact, we will selectively attach it at the account level.

5. Testing the tag policies enforcement

In this section, we will log in to the Log archive account and test the effectiveness of the tag policy.

5.1 Sign in to the Log archive account using the Administrator role.

5.2 Navigate to the EC2 console; you can use this link as a shortcut.

5.3 Tag policies apply at the account level, so it doesn’t matter which region you choose.

5.4 From the EC2 console, navigate to Volumes by selecting it from the side panel.

5.5 Go ahead and create a new volume; the volume type or size does not matter in this case.

  • As guidance, choose volume type gp2 and set the size to 1 GiB.
  • Choose Add Tag.
  • We will intentionally set the tag wrong to test the policy:
  • Enter key: costcenter
  • Enter value: C001
  • Select Create Volume.

5.6 You should receive an error about wrong capitalization for CostCenter.

5.7 Choose Back to return to the create volume section.

5.8 Go ahead and rename the key to CostCenter to fix the capitalization. Choose Create Volume again to proceed.

5.9 You should receive a new error stating that the specified value is not allowed.

5.10 Choose Back to return to the create volume section.

5.11 Let’s do the final fix: rename the value from C001 to A001. Choose Create Volume again to proceed.

5.12 You should see confirmation that the volume was created successfully.

5.13 To avoid further charges, go ahead and delete the volume.

We have successfully demonstrated how to use tag policies to enforce standard capitalization for tag keys and to set up a predefined list of tag values.

In the following section, we’ll modify the tag policy and explore how to generate a report on tag compliance.

6. Using Tag policies without enforcement

Earlier we set the tag policy with enforcement applied to ec2:volume and successfully tested the enforcement. Now let’s go back to the AWS Control Tower management account to modify the tag policy.

6.1 Sign in to the AWS Control Tower management account using the Administrator role.

6.2 Return to the tag policies console; use this shortcut if needed.

6.3 Choose the CostCenter tag policy.

6.4 Choose Edit policy

6.5 Uncheck the check box “Prevent noncompliant operations for this tag.”

6.6 Choose Save Changes

Notice how the tag policy document has changed: there is no longer an enforced_for section in the policy document, so noncompliant tags on ec2:volume resources are reported but no longer blocked.
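To make the syntax from section 3 and the console tests from sections 5 and 6 concrete, here is an added example (not part of the original lab and not an AWS API) that evaluates a tag against the CostCenter policy document offline: it finds the rule by key name, checks capitalization, checks the allowed values (including the A00* style wildcard), and treats a mismatch as blocking only when the resource type is listed in enforced_for. The policy JSON is copied from section 3; the evaluation order and outcomes model what the lab observed in the console.

```python
import json
import re

# Constructed copy of the CostCenter tag policy document shown in section 3.
POLICY_ENFORCED = json.loads("""{
  "tags": {"CostCenter": {
    "tag_key": {"@@assign": "CostCenter"},
    "tag_value": {"@@assign": ["A001", "B001"]},
    "enforced_for": {"@@assign": ["ec2:volume"]}}}}""")

# The same policy after section 6: the enforced_for block has been removed.
POLICY_REPORT_ONLY = json.loads(json.dumps(POLICY_ENFORCED))
del POLICY_REPORT_ONLY["tags"]["CostCenter"]["enforced_for"]


def value_matches(pattern, value):
    """Tag-policy value match: case sensitive, '*' is the only wildcard (e.g. 'A00*')."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate_tag(policy, resource_type, key, value):
    """Return (compliant, enforced, reason) for one tag on one resource type.

    The rule is located by case-insensitive key name; then capitalization must match
    tag_key, then the value must match an allowed pattern. A noncompliant tag is only
    blocking when resource_type is listed in enforced_for. Uncovered keys are not evaluated.
    """
    for rule in policy["tags"].values():
        expected_key = rule["tag_key"]["@@assign"]
        if key.lower() != expected_key.lower():
            continue  # this rule is about a different tag key
        enforced = resource_type in rule.get("enforced_for", {}).get("@@assign", [])
        if key != expected_key:
            return False, enforced, f"key must be capitalized as {expected_key!r}"
        allowed = rule.get("tag_value", {}).get("@@assign")
        if allowed is not None and not any(value_matches(p, value) for p in allowed):
            return False, enforced, f"value {value!r} is not in the allowed list"
        return True, enforced, "compliant"
    return True, False, "tag key not covered by this policy"


def create_volume_allowed(policy, key, value):
    """Would an ec2:volume tagged key=value be created under this policy? (sections 5 and 7)"""
    compliant, enforced, _ = evaluate_tag(policy, "ec2:volume", key, value)
    return compliant or not enforced


if __name__ == "__main__":
    print(evaluate_tag(POLICY_ENFORCED, "ec2:volume", "costcenter", "C001"))
    print(create_volume_allowed(POLICY_REPORT_ONLY, "CostCenter", "C001"))
```

With the enforced policy the three attempts from section 5 fail, fail and succeed in that order; with the report-only policy the C001 volume is created but evaluates as noncompliant, which is what the compliance report in the next section surfaces.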

7. Testing the tag policies report at account level

In this section, we will navigate back to the Log archive account, create an EBS volume that does not match the policy, and then view the report.

7.1 Sign in to the Log archive account using the Administrator role.

7.2 Navigate to the EC2 console; you can use this link as a shortcut.

7.3 Tag policies apply at the account level, so it doesn’t matter which region you choose.

7.4 From the EC2 console, navigate to Volumes by selecting it from the side panel.

7.5 Go ahead and create a new volume; the volume type or size does not matter in this case.

  • As guidance, choose volume type gp2 and set the size to 1 GiB.
  • Select Add Tag.
  • We will intentionally set the value wrong to test the report:
  • Enter key: CostCenter
  • Enter value: C001
  • Choose Create Volume.

7.6 Notice that you are able to create the volume successfully, since enforcement is no longer in place.

7.7 Navigate to AWS Resource Groups; you can use this link as a shortcut.

7.8 Select Tag Policies from the side panel.

7.9 To search for non-compliant resources, filter by the region where you created the volume. Choose Search resources.

7.10 You can find the volume that you created earlier listed as non-compliant.

7.11 Clicking the noncompliant status in the table will pop up further details about the non-compliant item.

7.12 Let’s go ahead and delete the EBS volume again to avoid further charges.

As a bonus item, you can explore the Tag Editor to search for resources based on certain tag criteria and do bulk updates as necessary. To read more about Tag Editor, please check out the documentation link.

8. Managing tag compliance at scale

Earlier we saw how to check tag compliance in an individual account. In this last section, we will explore how to review and generate a report on tag compliance across all accounts in your AWS Control Tower environment.

8.1 Sign in to the AWS Control Tower management account using the Administrator role.

8.2 Navigate to AWS Resource Groups; you can use this link as a shortcut.

8.3 Choose Tag Policies from the side panel.

8.4 Notice that the UI selection is different compared to the individual account (Log archive).

8.5 You can choose each individual account to retrieve its compliance status. Please keep in mind that it can take up to 48 hours for the results to propagate at the AWS Organizations level.

8.6 You can also generate a report by specifying an S3 bucket as the target. Please check out the example report below for your reference.

Further detail about the content of the report can be found in the documentation link.

Before you end the lab, please check the last section below to clean up any resources that you deployed in this lab.

9. Deleting AWS resources deployed in this lab

To decommission the lab, let’s delete the tag policy that you created earlier.

9.1 Sign in to the AWS Control Tower management account using the Administrator role.

9.2 Return to the tag policies console; use this shortcut if needed.

9.3 Choose the CostCenter tag policy.

9.4 Choose the Targets section.

9.5 Choose the target, which should be the Log archive account, and choose Detach.

9.6 Choose Delete from the top menu.

9.7 Confirm by entering the policy name CostCenter and choose Delete.

Congratulations on completing the lab. If you created additional EBS volumes as part of this lab, don’t forget to delete those as well.

Best Practices

We highly recommend that you review the collection of tag policies best practices before you continue with implementation in your production environment.

References