Services and resource types that support enforcement - AWS Organizations

Services and resource types that support enforcement

The following services and resource types support enforcement with tag policies:

Service name Resource type JSON syntax

Amazon API Gateway

  • API keys

  • Domain names

  • REST API operations

  • Stages

  • "apigateway:apikeys"

  • "apigateway:domainnames"

  • "apigateway:restapis"

  • "apigateway:stages"

AWS AppConfig

  • Application

  • Configuration Profile

  • Deployment

  • Deployment Strategy

  • Environment

  • "appconfig:application"

  • "appconfig:configurationprofile"

  • "appconfig:deployment"

  • "appconfig:deploymentstrategy"

  • "appconfig:environment"

AWS App Mesh

  • All

  • Mesh

  • Router

  • Virtual node

  • Virtual router

  • Virtual service

  • "appmesh:*"

  • "appmesh:mesh"

  • "appmesh:route"

  • "appmesh:virtualNode"

  • "appmesh:virtualRouter"

  • "appmesh:virtualService"

Amazon Athena

  • All

  • Workgroup

  • "athena:*"

  • "athena:workgroup"

AWS Audit Manager
  • Assessment

  • Assessment Control Set

  • Assessment Framework

  • Control

  • "auditmanager:assessment"

  • "auditmanager:assessmentControlSet"

  • "auditmanager:assessmentFramework"

  • "auditmanager:control"

AWS Backup
  • All

  • Backup plan

  • Vault

  • "backup:*"

  • "backup:backupPlan"

  • "backup:backupVault"

AWS Batch
  • Job

  • Job Definition

  • Job Queue

  • "batch:job"

  • "batch:job-definition"

  • "batch:job-queue"

AWS BugBust
  • Event

  • "bugbust:event"

AWS Certificate Manager

  • All

  • Certificates

  • Private Certificate Authority

  • "acm:*"

  • "acm:certificate"

  • "acm-pca:certificate-authority"

Amazon CloudFront

  • All

  • Distribution

  • Streaming distribution

  • "cloudfront:*"

  • "cloudfront:distribution"

  • "cloudfront:streaming-distribution"

AWS CloudTrail

  • All

  • Trail

  • "cloudtrail:*"

  • "cloudtrail:trail"

Amazon CloudWatch

  • All

  • Alarm

  • "cloudwatch:*"

  • "cloudwatch:alarm"

Amazon CloudWatch Events

  • All

  • Event bus

  • Rule

  • "events:*"

  • "events:event-bus"

  • "events:rule"

Amazon CloudWatch Logs
  • All

  • Log group

  • "logs:*"

  • "logs:log-group"

AWS CodeBuild

  • All

  • Project

  • "codebuild:*"

  • "codebuild:project"

AWS CodeCommit

  • All

  • Repository

  • "codecommit:*"

  • "codecommit:repository"

AWS CodePipeline

  • All

  • Action type

  • Pipeline

  • Webhook

  • "codepipeline:*"

  • "codepipeline:actiontype"

  • "codepipeline:pipeline"

  • "codepipeline:webhook"

Amazon Cognito Identity

  • All

  • Identity pool

  • "cognito-identity:*"

  • "cognito-identity:identitypool"

Amazon Cognito user pools

  • All

  • User pool

  • "cognito-idp:*"

  • "cognito-idp:userpool"

Amazon Comprehend

  • All

  • Document classifier

  • Entity recognizer

  • "comprehend:*"

  • "comprehend:document-classifier"

  • "comprehend:entity-recognizer"

AWS Config

  • All

  • Aggregation authorization

  • Config aggregator

  • Config rule

  • "config:*"

  • "config:aggregation-authorization"

  • "config:config-aggregator"

  • "config:config-rule"

AWS Chime
  • Application Instance

  • User Application Instance

  • Channel

  • "chime:app-instance"

  • "chime:app-instance-user"

  • "chime:channel"

AWS Cloud9
  • Environment

  • "cloud9:environment"

AWS CodeGuru Reviewer
  • Association

  • "codeguru-reviewer:association"

AWS CodeStar Connections
  • Connection

  • Host

  • "codestar-connections:connection"

  • "codestar-connections:host"

AWS Connect
  • Contact Flow

  • Integration Association

  • Queue

  • Quick Connect

  • Routing Profile

  • User

  • "connect:contact-flow"

  • "connect:integration-association"

  • "connect:queue"

  • "connect:quick-connect"

  • "connect:routing-profile"

  • "connect:user"

AWS Database Migration Service

  • All

  • Endpoint

  • ES

  • Rep

  • Subgrp

  • Task

  • "dms:*"

  • "dms:endpoint"

  • "dms:es"

  • "dms:rep"

  • "dms:subgrp"

  • "dms:task"

AWS Data Lifecycle Manager
  • Policy

  • "dlm:policy"

AWS Direct Connect

  • All

  • Dxcon

  • Dxlag

  • Dxvif

  • "directconnect:*"

  • "directconnect:dxcon"

  • "directconnect:dxlag"

  • "directconnect:dxvif"

Amazon DynamoDB

  • All

  • Table

  • "dynamodb:*"

  • "dynamodb:table"

Amazon EC2

  • Capacity reservation

  • Client VPN endpoint

  • Customer gateway

  • DHCP options

  • Elastic IP

  • Fleet

  • FPGA image

  • Host reservation

  • Image

  • Instance

  • Internet gateway

  • Launch template

  • NAT gateway

  • Network ACL

  • Network interface

  • Reserved Instances

  • Route table

  • Security group

  • Snapshot

  • Spot Instance request

  • Subnet

  • Traffic mirror filter

  • Traffic mirror session

  • Traffic mirror target

  • Volume

  • VPC

  • VPC endpoint

  • VPC endpoint service

  • VPC peering connection

  • VPN connection

  • VPN gateway

  • "ec2:capacity-reservation"

  • "ec2:client-vpn-endpoint"

  • "ec2:customer-gateway"

  • "ec2:dhcp-options"

  • "ec2:elastic-ip"

  • "ec2:fleet"

  • "ec2:fpga-image"

  • "ec2:host-reservation"

  • "ec2:image"

  • "ec2:instance"

  • "ec2:internet-gateway"

  • "ec2:launch-template"

  • "ec2:natgateway"

  • "ec2:network-acl"

  • "ec2:network-interface"

  • "ec2:reserved-instances"

  • "ec2:route-table"

  • "ec2:security-group"

  • "ec2:snapshot"

  • "ec2:spot-instance-request"

  • "ec2:subnet"

  • "ec2:traffic-mirror-filter"

  • "ec2:traffic-mirror-session"

  • "ec2:traffic-mirror-target"

  • "ec2:volume"

  • "ec2:vpc"

  • "ec2:vpc-endpoint"

  • "ec2:vpc-endpoint-service"

  • "ec2:vpc-peering-connection"

  • "ec2:vpn-connection"

  • "ec2:vpn-gateway"

AWS Elastic Container Registry
  • Repository

  • "ecr:repository"

AWS Elastic Beanstalk

  • Application

  • Application version

  • Configuration template

  • Platform

  • "elasticbeanstalk:application"

  • "elasticbeanstalk:applicationversion"

  • "elasticbeanstalk:configurationtemplate"

  • "elasticbeanstalk:platform"

Amazon Elastic Container Service

  • Cluster

  • Service

  • Task set

  • "ecs:cluster"

  • "ecs:service"

  • "ecs:task-set"

Amazon Elastic File System

  • All

  • File system

  • "elasticfilesystem:*"

  • "elasticfilesystem:file-system"

Amazon Elastic Inference
  • Accelerator

  • "elastic-inference:accelerator"

Amazon Elastic Kubernetes Service
  • Cluster

  • "eks:cluster"

Amazon Elastic Search
  • Domain

  • "es:domain"

Amazon EMR
  • All

  • Cluster

  • Editor

  • "elasticmapreduce:*"

  • "elasticmapreduce:cluster"

  • "elasticmapreduce:editor"

Amazon ElastiCache

  • Cluster

  • "elasticache:cluster"

Amazon Fraud Detector
  • Detector

  • Detector version

  • Model

  • Rule

  • Variable

  • "frauddetector:detector"

  • "frauddetector:detector-version"

  • "frauddetector:model"

  • "frauddetector:rule"

  • "frauddetector:variable"

Amazon Global Accelerator
  • Accelerator

  • "globalaccelerator:accelerator"

Elastic Load Balancing

  • All

  • Load balancer

  • Target group

  • "elasticloadbalancing:*"

  • "elasticloadbalancing:loadbalancer"

  • "elasticloadbalancing:targetgroup"

Amazon FSx

  • All

  • Backup

  • File system

  • "fsx:*"

  • "fsx:backup"

  • "fsx:file-system"

Amazon GuardDuty
  • Detector

  • Filter

  • IP Set

  • Threat Intel Set

  • "guardduty:detector"

  • "guardduty:filter"

  • "guardduty:ipset"

  • "guardduty:threatintelset"

AWS IAM

  • Instance Profile

  • MFA

  • OIDC Provider

  • Policy

  • SAML Provider

  • Server Certificate

  • "iam:instance-profile"

  • "iam:mfa"

  • "iam:oidc-provider"

  • "iam:policy"

  • "iam:saml-provider"

  • "iam:server-certificate"

AWS IoT Analytics

  • All

  • Channel

  • Dataset

  • Datastore

  • Pipeline

  • "iotanalytics:*"

  • "iotanalytics:channel"

  • "iotanalytics:dataset"

  • "iotanalytics:datastore"

  • "iotanalytics:pipeline"

AWS IoT Events

  • All

  • Detector model

  • Input

  • "iotevents:*"

  • "iotevents:detectorModel"

  • "iotevents:input"

AWS IoT Fleet Hub
  • Application

  • "iotfleethub:application"

AWS IoT SiteWise
  • Asset

  • Asset Model

  • "iotsitewise:asset"

  • "iotsitewise:asset-model"

AWS IoT Greengrass
  • Bulk Deployment

  • Connector Definition

  • Core Definition

  • Device Definition

  • Function Definition

  • Logger Definition

  • Resource Definition

  • Subscription Definition

  • "greengrass:bulkDeployment"

  • "greengrass:connectorDefinition"

  • "greengrass:coreDefinition"

  • "greengrass:deviceDefinition"

  • "greengrass:functionDefinition"

  • "greengrass:loggerDefinition"

  • "greengrass:resourceDefinition"

  • "greengrass:subscriptionDefinition"

AWS Key Management Service

  • All

  • Key

  • "kms:*"

  • "kms:key"

Amazon Kinesis

  • All

  • Application

  • "kinesisanalytics:*"

  • "kinesisanalytics:application"

Amazon Kinesis Data Firehose

  • All

  • Delivery stream

  • "firehose:*"

  • "firehose:deliverystream"

AWS Lambda

  • All

  • Function

  • "lambda:*"

  • "lambda:function"

Amazon Macie
  • Custom Data Identifier

  • "macie2:custom-data-identifier"

Amazon MediaStore
  • Container

  • "mediastore:container"

Amazon MQ
  • Broker

  • Configuration

  • "mq:broker"

  • "mq:configuration"

Amazon Network Firewall
  • Firewall

  • Firewall Policy

  • Stateful Rule Group

  • Stateless Rule Group

  • "network-firewall:firewall"

  • "network-firewall:firewall-policy"

  • "network-firewall:stateful-rulegroup"

  • "network-firewall:stateless-rulegroup"

AWS Organizations
  • Account

  • Organizational Unit

  • Policy

  • Root

  • "organizations-account"

  • "organizations-ou"

  • "organizations-policy"

  • "organizations-root"

Amazon RDS

  • Cluster parameter group

  • Cluster endpoint

  • Event subscription

  • DB option group

  • DB parameter group

  • DB proxy

  • DB proxy endpoint

  • Reserved DB instance

  • DB security group

  • DB subnet group

  • Target group

  • "rds:cluster-pg"

  • "rds:cluster-endpoint"

  • "rds:es"

  • "rds:og"

  • "rds:pg"

  • "rds:db-proxy"

  • "rds:db-proxy-endpoint"

  • "rds:ri"

  • "rds:secgrp"

  • "rds:subgrp"

  • "rds:target-group"

Amazon Redshift

  • All

  • Cluster

  • DB group

  • DB name

  • DB user

  • Event subscription

  • HSM client certificate

  • HSM configuration

  • Parameter group

  • Snapshot

  • Snapshot copy grant

  • Snapshot schedule

  • Subnet group

  • "redshift:*"

  • "redshift:cluster"

  • "redshift:dbgroup"

  • "redshift:dbname"

  • "redshift:dbuser"

  • "redshift:eventsubscription"

  • "redshift:hsmclientcertificate"

  • "redshift:hsmconfiguration"

  • "redshift:parametergroup"

  • "redshift:snapshot"

  • "redshift:snapshotcopygrant"

  • "redshift:snapshotschedule"

  • "redshift:subnetgroup"

AWS Resource Access Manager

  • All

  • Resource share

  • "ram:*"

  • "ram:resource-share"

AWS Resource Groups

  • All

  • Group

  • "resource-groups:*"

  • "resource-groups:group"

Amazon Route 53

  • Hosted zone

  • "route53:hostedzone"

Amazon Route 53 Resolver

  • All

  • Resolver endpoint

  • Resolver rule

  • "route53resolver:*"

  • "route53resolver:resolver-endpoint"

  • "route53resolver:resolver-rule"

Amazon S3

  • Bucket

  • "s3:bucket"

Amazon SageMaker
  • App Image Config

  • Artifact

  • Context

  • Training job

  • Processing job

  • Model package group

  • Human task UI

  • Model Package

  • Action

  • Pipeline

  • Experiment

  • Flow Definition

  • Project

  • "sagemaker:app-image-config"

  • "sagemaker:artifact"

  • "sagemaker:context"

  • "sagemaker:training-job"

  • "sagemaker:processing-job "

  • "sagemaker:model-package-group"

  • "sagemaker:human-task-ui"

  • "sagemaker:model-package"

  • "sagemaker:action"

  • "sagemaker:pipeline"

  • "sagemaker:experiment"

  • "sagemaker:flow-definition"

  • "sagemaker:project"

AWS Secrets Manager

  • All

  • Secret

  • "secretsmanager:*"

  • "secretsmanager:secret"

AWS Service Catalog
  • Application

  • Attribute Group

  • Portfolio

  • Product

  • "servicecatalog:application"

  • "servicecatalog:attributeGroup"

  • "servicecatalog:portfolio"

  • "servicecatalog:product"

Amazon Simple Notification Service (SNS)
  • All

  • Topic

  • "sns:*

  • "sns:topic"

Amazon Simple Queue Service (SQS)

  • Queue

  • "sqs:queue"

Amazon States Language
  • All

  • Activity

  • State Machine

  • "states:*"

  • "states:activity"

  • "states:stateMachine"

AWS Step Functions

  • Activity

  • "states:activity"

AWS Storage Gateway

  • All

  • Gateway

  • Share

  • Tape

  • Volume

  • "storagegateway:*"

  • "storagegateway:gateway"

  • "storagegateway:share"

  • "storagegateway:tape"

  • "storagegateway:volume"

AWS Systems Manager

  • Automation execution

  • Document

  • Maintenance window task

  • Managed instance

  • Ops item

  • Patch baseline

  • Session

  • Contacts

  • "ssm:automation-execution"

  • "ssm:document"

  • "ssm:maintenancewindowtask"

  • "ssm:managed-instance"

  • "ssm:opsitem"

  • "ssm:patchbaseline"

  • "ssm:session"

  • "ssm-contacts:contact"

Amazon Well-Architected

  • Workload

  • "wellarchitected:workload"

Amazon WorkSpaces

  • All

  • Directory

  • WorkSpace

  • WorkSpaces bundle

  • WorkSpaces image

  • WorkSpaces IP group

  • "workspaces:*"

  • "workspaces:directory"

  • "workspaces:workspace"

  • "workspaces:workspacebundle"

  • "workspaces:workspaceimage"

  • "workspaces:workspaceipgroup"

Amazon WorkLink
  • Fleet

  • "worklink:fleet"