AWS Cloud Operations Blog

Implement AWS resource tagging strategy using AWS Tag Policies and Service Control Policies (SCPs)

AWS lets us assign metadata to AWS resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and a value that makes it easier to manage, search for, and filter AWS resources. Tagging can be an effective scaling mechanism for implementing cloud management and governance strategies. Tags can simplify attribute-based access control (ABAC), as well as streamline automation/operation processes, grouping of resources for enhanced visibility, and effective cost management.

Without tags, managing your resources effectively can become difficult as you continue to utilize more AWS services. Companies of any size face the challenge of having a centralized framework or programmatic controls to enforce consistent tagging on cloud resources. This post will walk you through how to build and enrich cloud management and governance practices by utilizing AWS Organizations to create Tag Policies and Service Control Policies. We guide you in enforcing the standardization of tags, denying AWS resource creation if a specific tag is missing, and denying users from deleting existing tags on AWS resources.

Tag Policies

  • Tag policies are a policy type that can help you standardize tags across resources in your AWS Organization.
  • When a tag policy is applied to your AWS account, users are unable to create resources using noncompliant tags.
  • You can enforce specific tag policies by choosing the option ‘prevent non-compliant operations for this tag’, and selecting the resource types that support tag policy enforcement.
  • These AWS Services and resource types support enforcement using tag policies.

Service Control Policies (SCPs)

  • SCPs are a policy type that you can utilize to manage permissions across accounts in your AWS Organization.
  • Using SCPs lets you ensure that your accounts stay within your organization’s access control guidelines.
  • SCPs can be used alongside tag policies to ensure that the tags are applied at resource creation time and remain attached to the resource.

Solution Overview

Policies in AWS Organizations enable you to apply additional types of management to your AWS accounts. In this solution, we enable tag policies in AWS Organizations, create the appropriate tag policy, and attach the policy to the target member account. Then, utilizing service control policies (SCPs), we define guardrails that set limits on the actions an IAM user/role can conduct in the target member account. Using tag policies and SCPs does not incur any additional charge.

This solution covers detailed steps, including reusable policy templates to:

  • Apply and enforce a standardized tagging policy during AWS resource creation.
  • Deny AWS resource creation if a specific tag is missing.
  • Deny users from deleting specific tags on AWS resources.

The following architectural diagram shows the recommended way to configure tag policies and SCPs at an AWS Organization level.

Walkthrough

For this walkthrough, you need the following prerequisites:

Step 1: Creating Tag Policy

First, sign in to the organization’s management account and enable Tag policies for your AWS Organization.

The status of Tag policies, with the status of "Enabled"

The following steps help you create standardized tags during Amazon EC2 resource creation. Utilize this tag policy to define the tag keys costcenter and team, as well as their allowed values (including how the tag keys and values are capitalized).

Under Policies, select Tag policies, then select "Create new tag policy". Add a policy name and optionally a description.

A tag policy with the tag key costcenter and allowed tag values.

A tag policy with the tag key team and allowed tag values.

You can also create a tag policy by simply copying the following JSON template and pasting it in the Tag policy –> JSON editor.

{
  "tags": {
    "costcenter": {
      "tag_key": {
        "@@assign": "costcenter"
      },
      "tag_value": {
        "@@assign": [
          "CC102",
          "CC103",
          "CC104"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance"
        ]
      }
    },
    "team": {
      "tag_key": {
        "@@assign": "team"
      },
      "tag_value": {
        "@@assign": [
          "Team1",
          "Team2",
          "Team3"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance"
        ]
      }
    }
  }
}

Once the tag policy is created, make sure to attach it to the target OU/Account.

To attach a policy to the target AWS OU/Account, select the Targets tab. Select a tag policy and select Attach.

Checking Tag Policy Compliance

Once this policy is created and attached to the target account, check the policy compliance by visiting the Tag policies page in the Resource Groups console (AWS Resource Groups -> Tagging -> Tag Policies).

Tag policy compliance report.

You have just created a tag policy that limits the AWS account from creating an EC2 instance with noncompliant values for the tags costcenter and team. Now, utilizing SCPs, we will ensure that every new EC2 instance contains these tags, and that those tags remain attached to the resources.

Step 2: Creating Service Control Policy – Enforce tagging at resource creation

A tag policy only enforces the accepted values of a tag, not its presence. Therefore, users (with appropriate IAM permissions) would still be able to create untagged resources. To restrict the creation of an AWS resource without the appropriate tags, we will utilize SCPs to set guardrails around resource creation requests.

Sign in to the organization’s management account and enable SCPs for your organization.

Status of Service control policies, currently Enabled.

Now, let’s create an SCP that denies Amazon EC2 instance creation if the tag keys costcenter and team and their allowed values in the Tag Policy (including how the values are capitalized) are missing.

The creation of a SCP using the ‘Create policy’ wizard

Use Add actions to choose an AWS service and the actions to control, Add resource to choose the resources you want to control from the list, and Add condition to define which condition keys you want to include in your policy.

The creation of an SCP to deny Amazon EC2 launch if the tag key costcenter is missing.

You can also create an SCP using the SCP –> JSON editor. The following policy denies Amazon EC2 launch if the tag key costcenter or the tag key team is missing.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationSCP1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/costcenter": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationSCP2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "true"
        }
      }
    }
  ]
}

Step 3: Creating Service Control Policy – Deny tag deletion

Now, let’s create another SCP that denies users from deleting the tag keys costcenter and team after they have been created. Create this SCP by simply copying the following JSON template and pasting it in the SCP –> JSON editor. Alternatively, you can build the SCP by using the ‘Create policy’ wizard.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteTag1",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/costcenter": "false"
        }
      }
    },
    {
      "Sid": "DenyDeleteTag2",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "false"
        }
      }
    }
  ]
}

Once the SCPs are created, make sure that you attach them to the target OU/Account.

To attach SCPs to the target AWS OU/Account, select the Targets tab. Select your target and press "Attach".

Step 4: Validation

Sign in to the target member account, create an EC2 instance, and run the tests below.

Tag enforcement test                                         | Outcome        | Expected result
-------------------------------------------------------------|----------------|----------------
without tags                                                 | launch failed  | Yes
with random tag key and value                                | launch failed  | Yes
with tag key costcenter and wrong tag value                  | launch failed  | Yes
with tag key team only and correct tag value                 | launch failed  | Yes
with both tag keys (costcenter & team) and correct tag value | launch success | Yes

The following screenshot shows a ‘failed EC2 instance launch’ error message due to tag enforcement.

A ‘failed EC2 instance launch’ error message due to tag enforcement.

Once the EC2 instance is created, try to delete the tags.

Tag enforcement test              | Outcome | Expected result
----------------------------------|---------|----------------
add a new random tag key / value  | success | Yes
remove the random tag key / value | success | Yes
remove the tag costcenter         | error   | Yes
remove the tag team               | error   | Yes

The following screenshot shows a ‘failed to delete tags’ error message due to tag enforcement.

Quotas for AWS Organizations

The number of policies that you can attach to an entity (root, OU, and account) is subject to quotas for AWS Organizations. If need be, the following policy illustrates how to combine the SCPs described above into a single SCP while still being within the quota.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyanyEC2operationSCP1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/costcenter": "true"
        }
      }
    },
    {
      "Sid": "DenyanyEC2operationSCP2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "true"
        }
      }
    },
    {
      "Sid": "DenyDeleteTag1",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/costcenter": "false"
        }
      }
    },
    {
      "Sid": "DenyDeleteTag2",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "false"
        }
      }
    }
  ]
}
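To make the behaviour of these documents concrete without touching an account, the following added example (our own illustration, not code from the post and not AWS's policy evaluation engine) generates the combined SCP above for any list of required tag keys, checks that it stays under the SCP document size quota and that every Sid is alphanumeric (a Sid with a stray leading space is rejected by the policy editor), and then replays both Step 4 validation tables offline against the Step 1 tag policy plus that SCP. The tag key names, allowed values and resource ARNs are taken from the post; the sample request tags (such as an `owner` tag) and the 5,120-character quota figure are assumptions made for the example.

```python
"""Offline replay of the tag policy + SCP logic from this post (added example)."""
import json

EC2_RESOURCES = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]
SCP_MAX_CHARS = 5120  # assumed SCP document size quota; confirm against current AWS quotas

# Step 1 tag policy, as a Python dict with the same structure as the post's JSON.
TAG_POLICY = {"tags": {
    "costcenter": {"tag_key": {"@@assign": "costcenter"},
                   "tag_value": {"@@assign": ["CC102", "CC103", "CC104"]},
                   "enforced_for": {"@@assign": ["ec2:instance"]}},
    "team": {"tag_key": {"@@assign": "team"},
             "tag_value": {"@@assign": ["Team1", "Team2", "Team3"]},
             "enforced_for": {"@@assign": ["ec2:instance"]}},
}}


def deny_statement(sid, action, tag_key, null_value):
    """One Deny statement keyed on whether aws:RequestTag/<tag_key> is absent ("true")
    or present ("false") in the request, mirroring the post's SCP statements."""
    return {"Sid": sid, "Effect": "Deny", "Action": [action], "Resource": EC2_RESOURCES,
            "Condition": {"Null": {f"aws:RequestTag/{tag_key}": null_value}}}


def build_combined_scp(required_keys):
    """Generalizes the Quotas-section SCP to any list of tag keys: deny RunInstances
    when a key is missing, deny DeleteTags when a key is targeted for removal."""
    statements = [deny_statement(f"DenyanyEC2operationSCP{i}", "ec2:RunInstances", k, "true")
                  for i, k in enumerate(required_keys, start=1)]
    statements += [deny_statement(f"DenyDeleteTag{i}", "ec2:DeleteTags", k, "false")
                   for i, k in enumerate(required_keys, start=1)]
    return {"Version": "2012-10-17", "Statement": statements}


def scp_size_ok(policy):
    """Every Sid must be alphanumeric, and the compact serialization must fit the quota
    (if you store the pretty-printed form, measure that string instead)."""
    if not all(stmt["Sid"].isalnum() for stmt in policy["Statement"]):
        return False
    return len(json.dumps(policy, separators=(",", ":"))) <= SCP_MAX_CHARS


def tag_policy_violations(tags, resource_type="ec2:instance"):
    """Reasons a request's tags are non-compliant with the enforced tag policy.
    Keys match case-insensitively but must then use the policy's capitalization;
    values are case-sensitive. Omitting the key entirely is compliant: the tag
    policy enforces accepted values, not presence, which is the gap the SCP closes."""
    reasons = []
    for rule in TAG_POLICY["tags"].values():
        if resource_type not in rule.get("enforced_for", {}).get("@@assign", []):
            continue
        key, allowed = rule["tag_key"]["@@assign"], rule["tag_value"]["@@assign"]
        for req_key, req_value in tags.items():
            if req_key.lower() != key.lower():
                continue
            if req_key != key:
                reasons.append(f"key {req_key!r} must be written {key!r}")
            elif req_value not in allowed:
                reasons.append(f"value {req_value!r} not allowed for {key!r}")
    return reasons


def scp_deny_sid(policy, action, request_tag_keys):
    """Sid of the first Deny statement whose Null conditions all match, else None.
    Simplification: keys are compared literally; a mis-capitalized key on an enforced
    resource type is already rejected by the tag policy check above."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        conditions = stmt["Condition"]["Null"]
        if all((cond.split("/", 1)[1] not in request_tag_keys) == (want == "true")
               for cond, want in conditions.items()):
            return stmt["Sid"]
    return None


def run_instances(policy, tags):
    """Replays the first Step 4 table: ('launch failed', reasons) or ('launch success', [])."""
    reasons = [f"tag policy: {r}" for r in tag_policy_violations(tags)]
    sid = scp_deny_sid(policy, "ec2:RunInstances", set(tags))
    if sid:
        reasons.append(f"SCP {sid}: required tag key missing from request")
    return ("launch failed", reasons) if reasons else ("launch success", [])


def delete_tags(policy, tag_keys):
    """Replays the second Step 4 table: 'error' when a protected key is targeted."""
    return "error" if scp_deny_sid(policy, "ec2:DeleteTags", set(tag_keys)) else "success"


if __name__ == "__main__":
    scp = build_combined_scp(["costcenter", "team"])
    print("SCP within quota:", scp_size_ok(scp))
    for tags in [{}, {"owner": "alice"}, {"costcenter": "CC999"}, {"team": "Team1"},
                 {"costcenter": "CC102", "team": "Team1"}]:  # constructed sample requests
        print(tags, "->", run_instances(scp, tags))
    for keys in [["owner"], ["costcenter"], ["team"]]:
        print("DeleteTags", keys, "->", delete_tags(scp, keys))
```

Running the script reproduces both tables: every launch without both keys fails, the correctly tagged launch succeeds, and only deletions of costcenter or team are refused. Because `build_combined_scp` is parameterized, adding a third mandatory tag is a one-element change to the list rather than two more hand-written statements.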

Conclusion

By combining the AWS Tag Policies and SCPs explained in this post, customers can achieve consistency in coverage, discoverability, and enforcement of resource tags by using a centralized tagging governance framework. Companies of any size can adopt this proactive approach to resource tagging enforcement as part of the broader cloud governance framework. This framework will simplify attribute-based access control (ABAC), as well as streamline automation/operation processes, grouping of resources for enhanced visibility, and better cost management.

AWS Tag Policies and SCPs are available from the AWS Management Console, AWS Command Line Interface (CLI), and through the AWS SDKs. Utilize AWS CloudFormation to create and provision the Tag Policies and SCPs in an orderly and predictable fashion. For further reading, refer to AWS Well-Architected Framework to apply best practices in the design, delivery, and maintenance of AWS environments. We are here to help, and if you need further assistance in implementing a tagging governance framework for your AWS environment, reach out to AWS Support and your AWS account team.

About the authors

Arun Chandapillai

Arun Chandapillai is a Cloud Infrastructure Architect who is a diversity and inclusion champion. He is passionate about helping his Customers accelerate IT modernization through business-first Cloud adoption strategies and successfully build, deploy, and manage applications and infrastructure in the Cloud. Arun is an automotive enthusiast, an avid speaker, and a philanthropist who believes in ‘you get (back) what you give’.

Shak Kathir

Shak Kathirvel is Senior Cloud Application Architect with AWS ProServe. He enjoys working with customers and helping them with Application Modernization and Optimization efforts, guide their Enterprise Cloud management and Governance strategies and migrate their workloads to the cloud. He is passionate about Enterprise architecture, Serverless technologies and AWS cost and usage optimization. He loves his job for its challenges and the opportunity to work with inspiring customers and colleagues.