Services and resource types that support enforcement - AWS Organizations

The following services and resource types support enforcement with tag policies:

| Service name | Resource type | JSON syntax |
|---|---|---|
| Amazon API Gateway | API keys | `"apigateway:apikeys"` |
| Amazon API Gateway | Domain names | `"apigateway:domainnames"` |
| Amazon API Gateway | REST API operations | `"apigateway:restapis"` |
| Amazon API Gateway | Stages | `"apigateway:stages"` |
| AWS App Mesh | All | `"appmesh:*"` |
| AWS App Mesh | Mesh | `"appmesh:mesh"` |
| AWS App Mesh | Router | `"appmesh:route"` |
| AWS App Mesh | Virtual node | `"appmesh:virtualNode"` |
| AWS App Mesh | Virtual router | `"appmesh:virtualRouter"` |
| AWS App Mesh | Virtual service | `"appmesh:virtualService"` |
| Amazon Athena | All | `"athena:*"` |
| Amazon Athena | Workgroup | `"athena:workgroup"` |
| AWS Certificate Manager | All | `"acm:*"` |
| AWS Certificate Manager | Certificates | `"acm:certificate"` |
| Amazon CloudFront | All | `"cloudfront:*"` |
| Amazon CloudFront | Distribution | `"cloudfront:distribution"` |
| Amazon CloudFront | Streaming distribution | `"cloudfront:streaming-distribution"` |
| AWS CloudTrail | All | `"cloudtrail:*"` |
| AWS CloudTrail | Trail | `"cloudtrail:trail"` |
| Amazon CloudWatch | All | `"cloudwatch:*"` |
| Amazon CloudWatch | Alarm | `"cloudwatch:alarm"` |
| Amazon CloudWatch Events | All | `"events:*"` |
| Amazon CloudWatch Events | Event bus | `"events:event-bus"` |
| Amazon CloudWatch Events | Rule | `"events:rule"` |
| AWS CodeBuild | All | `"codebuild:*"` |
| AWS CodeBuild | Project | `"codebuild:project"` |
| AWS CodeCommit | All | `"codecommit:*"` |
| AWS CodeCommit | Repository | `"codecommit:repository"` |
| AWS CodePipeline | All | `"codepipeline:*"` |
| AWS CodePipeline | Action type | `"codepipeline:actiontype"` |
| AWS CodePipeline | Pipeline | `"codepipeline:pipeline"` |
| AWS CodePipeline | Webhook | `"codepipeline:webhook"` |
| Amazon Cognito Identity | All | `"cognito-identity:*"` |
| Amazon Cognito Identity | Identity pool | `"cognito-identity:identitypool"` |
| Amazon Cognito User Pools | All | `"cognito-idp:*"` |
| Amazon Cognito User Pools | User pool | `"cognito-idp:userpool"` |
| Amazon Comprehend | All | `"comprehend:*"` |
| Amazon Comprehend | Document classifier | `"comprehend:document-classifier"` |
| Amazon Comprehend | Entity recognizer | `"comprehend:entity-recognizer"` |
| AWS Config | All | `"config:*"` |
| AWS Config | Aggregation authorization | `"config:aggregation-authorization"` |
| AWS Config | Config aggregator | `"config:config-aggregator"` |
| AWS Config | Config rule | `"config:config-rule"` |
| AWS Database Migration Service | All | `"dms:*"` |
| AWS Database Migration Service | Endpoint | `"dms:endpoint"` |
| AWS Database Migration Service | ES | `"dms:es"` |
| AWS Database Migration Service | Rep | `"dms:rep"` |
| AWS Database Migration Service | Subgrp | `"dms:subgrp"` |
| AWS Database Migration Service | Task | `"dms:task"` |
| AWS Direct Connect | All | `"directconnect:*"` |
| AWS Direct Connect | Dxcon | `"directconnect:dxcon"` |
| AWS Direct Connect | Dxlag | `"directconnect:dxlag"` |
| AWS Direct Connect | Dxvif | `"directconnect:dxvif"` |
| Amazon DynamoDB | All | `"dynamodb:*"` |
| Amazon DynamoDB | Table | `"dynamodb:table"` |
| Amazon EC2 | Capacity reservation | `"ec2:capacity-reservation"` |
| Amazon EC2 | Client VPN endpoint | `"ec2:client-vpn-endpoint"` |
| Amazon EC2 | Customer gateway | `"ec2:customer-gateway"` |
| Amazon EC2 | DHCP options | `"ec2:dhcp-options"` |
| Amazon EC2 | Elastic IP | `"ec2:elastic-ip"` |
| Amazon EC2 | Fleet | `"ec2:fleet"` |
| Amazon EC2 | FPGA image | `"ec2:fpga-image"` |
| Amazon EC2 | Host reservation | `"ec2:host-reservation"` |
| Amazon EC2 | Image | `"ec2:image"` |
| Amazon EC2 | Instance | `"ec2:instance"` |
| Amazon EC2 | Internet gateway | `"ec2:internet-gateway"` |
| Amazon EC2 | Launch template | `"ec2:launch-template"` |
| Amazon EC2 | NAT gateway | `"ec2:natgateway"` |
| Amazon EC2 | Network ACL | `"ec2:network-acl"` |
| Amazon EC2 | Network interface | `"ec2:network-interface"` |
| Amazon EC2 | Reserved Instances | `"ec2:reserved-instances"` |
| Amazon EC2 | Route table | `"ec2:route-table"` |
| Amazon EC2 | Security group | `"ec2:security-group"` |
| Amazon EC2 | Snapshot | `"ec2:snapshot"` |
| Amazon EC2 | Spot Instance request | `"ec2:spot-instance-request"` |
| Amazon EC2 | Subnet | `"ec2:subnet"` |
| Amazon EC2 | Traffic mirror filter | `"ec2:traffic-mirror-filter"` |
| Amazon EC2 | Traffic mirror session | `"ec2:traffic-mirror-session"` |
| Amazon EC2 | Traffic mirror target | `"ec2:traffic-mirror-target"` |
| Amazon EC2 | Volume | `"ec2:volume"` |
| Amazon EC2 | VPC | `"ec2:vpc"` |
| Amazon EC2 | VPC endpoint | `"ec2:vpc-endpoint"` |
| Amazon EC2 | VPC endpoint service | `"ec2:vpc-endpoint-service"` |
| Amazon EC2 | VPC peering connection | `"ec2:vpc-peering-connection"` |
| Amazon EC2 | VPN connection | `"ec2:vpn-connection"` |
| Amazon EC2 | VPN gateway | `"ec2:vpn-gateway"` |
| AWS Elastic Beanstalk | Application | `"elasticbeanstalk:application"` |
| AWS Elastic Beanstalk | Application version | `"elasticbeanstalk:applicationversion"` |
| AWS Elastic Beanstalk | Configuration template | `"elasticbeanstalk:configurationtemplate"` |
| AWS Elastic Beanstalk | Platform | `"elasticbeanstalk:platform"` |
| Amazon Elastic Container Service | Cluster | `"ecs:cluster"` |
| Amazon Elastic Container Service | Service | `"ecs:service"` |
| Amazon Elastic Container Service | Task set | `"ecs:task-set"` |
| Amazon Elastic File System | All | `"elasticfilesystem:*"` |
| Amazon Elastic File System | File system | `"elasticfilesystem:file-system"` |
| Amazon ElastiCache | Cluster | `"elasticache:cluster"` |
| Elastic Load Balancing | All | `"elasticloadbalancing:*"` |
| Elastic Load Balancing | Load balancer | `"elasticloadbalancing:loadbalancer"` |
| Elastic Load Balancing | Target group | `"elasticloadbalancing:targetgroup"` |
| Amazon FSx | All | `"fsx:*"` |
| Amazon FSx | Backup | `"fsx:backup"` |
| Amazon FSx | File system | `"fsx:file-system"` |
| AWS IoT Analytics | All | `"iotanalytics:*"` |
| AWS IoT Analytics | Channel | `"iotanalytics:channel"` |
| AWS IoT Analytics | Dataset | `"iotanalytics:dataset"` |
| AWS IoT Analytics | Datastore | `"iotanalytics:datastore"` |
| AWS IoT Analytics | Pipeline | `"iotanalytics:pipeline"` |
| AWS IoT Events | All | `"iotevents:*"` |
| AWS IoT Events | Detector model | `"iotevents:detectorModel"` |
| AWS IoT Events | Input | `"iotevents:input"` |
| AWS Key Management Service | All | `"kms:*"` |
| AWS Key Management Service | Key | `"kms:key"` |
| Amazon Kinesis | All | `"kinesisanalytics:*"` |
| Amazon Kinesis | Application | `"kinesisanalytics:application"` |
| Amazon Kinesis Data Firehose | All | `"firehose:*"` |
| Amazon Kinesis Data Firehose | Delivery stream | `"firehose:deliverystream"` |
| AWS Lambda | All | `"lambda:*"` |
| AWS Lambda | Function | `"lambda:function"` |
| Amazon RDS | Cluster parameter group | `"rds:cluster-pg"` |
| Amazon RDS | Event subscription | `"rds:es"` |
| Amazon RDS | DB option group | `"rds:og"` |
| Amazon RDS | DB parameter group | `"rds:pg"` |
| Amazon RDS | Reserved DB instance | `"rds:ri"` |
| Amazon RDS | DB security group | `"rds:secgrp"` |
| Amazon RDS | DB subnet group | `"rds:subgrp"` |
| Amazon Redshift | All | `"redshift:*"` |
| Amazon Redshift | Cluster | `"redshift:cluster"` |
| Amazon Redshift | DB group | `"redshift:dbgroup"` |
| Amazon Redshift | DB name | `"redshift:dbname"` |
| Amazon Redshift | DB user | `"redshift:dbuser"` |
| Amazon Redshift | Event subscription | `"redshift:eventsubscription"` |
| Amazon Redshift | HSM client certificate | `"redshift:hsmclientcertificate"` |
| Amazon Redshift | HSM configuration | `"redshift:hsmconfiguration"` |
| Amazon Redshift | Parameter group | `"redshift:parametergroup"` |
| Amazon Redshift | Snapshot | `"redshift:snapshot"` |
| Amazon Redshift | Snapshot copy grant | `"redshift:snapshotcopygrant"` |
| Amazon Redshift | Snapshot schedule | `"redshift:snapshotschedule"` |
| Amazon Redshift | Subnet group | `"redshift:subnetgroup"` |
| AWS Resource Access Manager | All | `"ram:*"` |
| AWS Resource Access Manager | Resource share | `"ram:resource-share"` |
| AWS Resource Groups | All | `"resource-groups:*"` |
| AWS Resource Groups | Group | `"resource-groups:group"` |
| Amazon Route 53 | Hosted zone | `"route53:hostedzone"` |
| Amazon Route 53 Resolver | All | `"route53resolver:*"` |
| Amazon Route 53 Resolver | Resolver endpoint | `"route53resolver:resolver-endpoint"` |
| Amazon Route 53 Resolver | Resolver rule | `"route53resolver:resolver-rule"` |
| Amazon S3 | Bucket | `"s3:bucket"` |
| AWS Secrets Manager | All | `"secretsmanager:*"` |
| AWS Secrets Manager | Secret | `"secretsmanager:secret"` |
| Amazon Simple Queue Service (SQS) | Queue | `"sqs:queue"` |
| AWS Step Functions | Activity | `"states:activity"` |
| AWS Storage Gateway | All | `"storagegateway:*"` |
| AWS Storage Gateway | Gateway | `"storagegateway:gateway"` |
| AWS Storage Gateway | Share | `"storagegateway:share"` |
| AWS Storage Gateway | Tape | `"storagegateway:tape"` |
| AWS Storage Gateway | Volume | `"storagegateway:volume"` |
| AWS Systems Manager | Automation execution | `"ssm:automation-execution"` |
| AWS Systems Manager | Document | `"ssm:document"` |
| AWS Systems Manager | Maintenance window task | `"ssm:maintenancewindowtask"` |
| AWS Systems Manager | Managed instance | `"ssm:managed-instance"` |
| AWS Systems Manager | Ops item | `"ssm:opsitem"` |
| AWS Systems Manager | Patch baseline | `"ssm:patchbaseline"` |
| AWS Systems Manager | Session | `"ssm:session"` |
| Amazon WorkSpaces | All | `"workspaces:*"` |
| Amazon WorkSpaces | Directory | `"workspaces:directory"` |
| Amazon WorkSpaces | WorkSpace | `"workspaces:workspace"` |
| Amazon WorkSpaces | WorkSpaces bundle | `"workspaces:workspacebundle"` |
| Amazon WorkSpaces | WorkSpaces image | `"workspaces:workspaceimage"` |
| Amazon WorkSpaces | WorkSpaces IP group | `"workspaces:workspaceipgroup"` |