required-tags

Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag, while also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas. You can check up to 6 tags at a time.

The AWS-managed AWS Systems Manager automation document AWS-SetRequiredTags does not work as a remediation with this rule. You will need to create your own custom Systems Manager automation documentation for remediation.

Context: AWS allows you to assign metadata to AWS resources in the form of tags. Each tag is a label consisting of a key and an optional value to store information about the resource or data retained on that resource. For more information see, Building your tagging strategy.

You can use this rule to find resources in your account that were not launched with your desired configurations by specifying which resources should have tags and the expected value for each tag. You can also run remediation actions to fix tagging mistakes. However, this rule does not prevent you from creating resources with incorrect tags.

Note

AWS Config does not support recording associated tags for all resource types. To verify if AWS Config records tags in the configuration item (CI) for a specific resource type:

Check that AWS Config correctly records the current configuration for the resource, excluding tags.
Check that AWS Config refreshes the recorded configuration when a change is made to the resource.

Identifier: REQUIRED_TAGS

Resource Types: AWS::ACM::Certificate, AWS::AutoScaling::AutoScalingGroup, AWS::CloudFormation::Stack, AWS::CodeBuild::Project, AWS::DynamoDB::Table, AWS::EC2::CustomerGateway, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPNConnection, AWS::EC2::VPNGateway, AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::RDS::DBInstance, AWS::RDS::DBSecurityGroup, AWS::RDS::DBSnapshot, AWS::RDS::DBSubnetGroup, AWS::RDS::EventSubscription, AWS::Redshift::Cluster, AWS::Redshift::ClusterParameterGroup, AWS::Redshift::ClusterSecurityGroup, AWS::Redshift::ClusterSnapshot, AWS::Redshift::ClusterSubnetGroup, AWS::S3::Bucket

Trigger type: Configuration changes

AWS Region: All supported AWS regions

Parameters:

tag1Key
Type: String
Default: CostCenter: Key of the required tag.
tag1Value (Optional)
Type: CSV: Optional value of the required tag. Separate multiple values with commas.
tag2Key (Optional)
Type: String: Key of a second required tag.
tag2Value (Optional)
Type: CSV: Optional value of the second required tag. Separate multiple values with commas.
tag3Key (Optional)
Type: String: Key of a third required tag.
tag3Value (Optional)
Type: CSV: Optional value of the third required tag. Separate multiple values with commas.
tag4Key (Optional)
Type: String: Key of a fourth required tag.
tag4Value (Optional)
Type: CSV: Optional value of the fourth required tag. Separate multiple values with commas.
tag5Key (Optional)
Type: String: Key of a fifth required tag.
tag5Value (Optional)
Type: CSV: Optional value of the fifth required tag. Separate multiple values with commas.
tag6Key (Optional)
Type: String: Key of a sixth required tag.
tag6Value (Optional)
Type: CSV: Optional value of the sixth required tag. Separate multiple values with commas.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

redshift-unrestricted-port-access

restricted-common-ports