Services and resource types that support enforcement

The following services and resource types support enforcement with tag policies:

Service name	Resource type	JSON syntax
Amazon API Gateway	API keys Domain names REST API operations Stages	"apigateway:apikeys" "apigateway:domainnames" "apigateway:restapis" "apigateway:restapis/stages"
AWS Amplify	Component Theme	"amplifyuibuilder:app/environment/components" "amplifyuibuilder:app/environment/themes"
AWS AppConfig	Application Configuration Profile Deployment Deployment Strategy Environment	"appconfig:application" "appconfig:application/configurationprofile" "appconfig:application/environment/deployment" "appconfig:deploymentstrategy" "appconfig:application/environment"
AWS App Mesh	All Gateway route Mesh Route Virtual gateway Virtual node Virtual router Virtual service	"appmesh:*" "appmesh:mesh/virtualGateway/gatewayRoute" "appmesh:mesh" "appmesh:mesh/virtualRouter/route" "appmesh:mesh/virtualGateway" "appmesh:mesh/virtualNode" "appmesh:mesh/virtualRouter" "appmesh:mesh/virtualService"
Amazon Athena	All Workgroup	"athena:*" "athena:workgroup"
AWS Audit Manager	Assessment Assessment Framework Control	"auditmanager:assessment" "auditmanager:assessmentFramework" "auditmanager:control"
AWS Backup	Backup plan Vault Gateway Hyper Visor VM	"backup:backup-plan" "backup:backup-vault" "backup-gateway:gateway" "backup-gateway:hypervisor" "backup-gateway:vm"
AWS Batch	Job Job Definition Job Queue	"batch:job" "batch:job-definition" "batch:job-queue"
AWS BugBust	Event	"bugbust:event"
AWS Certificate Manager	All Certificates Private Certificate Authority	"acm:*" "acm:certificate" "acm-pca:certificate-authority"
Amazon Chime	Application Instance Channel Media Pipeline Meeting SIP Media Applications User Application Instance Voice Connector	"chime:app-instance" "chime:app-instance/channel" "chime:media-pipeline" "chime:meeting" "chime:sma" "chime:app-instance/user" "chime:vc"
AWS Clean Rooms	Collaboration Configured Table Membership Configured Table Association	"cleanrooms:collaboration" "cleanrooms:configuredtable" "cleanrooms:membership" "cleanrooms:membership/configuredtableassociation"
AWS Cloud9	Environment	"cloud9:environment"
Amazon CloudFront	All Distribution Streaming distribution	"cloudfront:*" "cloudfront:distribution" "cloudfront:streaming-distribution"
AWS CloudTrail	All Trail	"cloudtrail:*" "cloudtrail:trail"
Amazon CloudWatch	All Alarm Contributor Insights Rule Metric Stream	"cloudwatch:*" "cloudwatch:alarm" "cloudwatch:insight-rule" "cloudwatch:metric-stream"
Amazon CloudWatch Internet Monitor	Monitor	"internetmonitor:monitor"
Amazon CloudWatch Logs	Log group	"logs:log-group"
Amazon CloudWatch Observability Access Manager	Link Sink	"oam:link" "oam:sink"
AWS CodeBuild	All Project	"codebuild:*" "codebuild:project"
Amazon CodeCatalyst	Connections	"codecatalyst:connections"
AWS CodeCommit	All Repository	"codecommit:*" "codecommit:repository"
AWS CodePipeline	All Action type Pipeline Webhook	"codepipeline:*" "codepipeline:actiontype" "codepipeline:pipeline" "codepipeline:webhook"
Amazon Cognito Identity	All Identity pool	"cognito-identity:*" "cognito-identity:identitypool"
Amazon Cognito user pools	All User pool	"cognito-idp:*" "cognito-idp:userpool"
Amazon Comprehend	All Document classifier Entity recognizer	"comprehend:*" "comprehend:document-classifier" "comprehend:entity-recognizer"
AWS Config	All Aggregation authorization Config aggregator Config rule	"config:*" "config:aggregation-authorization" "config:config-aggregator" "config:config-rule"
Amazon CodeGuru Reviewer	Association	"codeguru-reviewer:association"
Amazon CodeGuru Security	Scan	"codeguru-security:scans"
CodeConnections	Connection Host	"codestar-connections:connection" "codestar-connections:host"
Amazon Connect	Contact Flow Integration Association Queue Quick Connect Routing Profile User	"connect:instance/contact-flow" "connect:instance/integration-association" "connect:instance/queue" "connect:instance/transfer-destination" "connect:instance/routing-profile" "connect:instance/agent"
Amazon Connect Wisdom	Assistant Association Content Knowledge Base Session	"wisdom:assistant" "wisdom:association" "wisdom:content" "wisdom:knowledge-base" "wisdom:session"
AWS Database Migration Service	All Endpoint ES Rep Subgrp Task	"dms:*" "dms:endpoint" "dms:es" "dms:rep" "dms:subgrp" "dms:task"
Amazon Data Lifecycle Manager	Policy	"dlm:policy"
AWS Direct Connect	All Dxcon Dxlag Dxvif	"directconnect:*" "directconnect:dxcon" "directconnect:dxlag" "directconnect:dxvif"
Amazon DynamoDB	All Table	"dynamodb:*" "dynamodb:table"
Amazon EC2	Capacity reservation Client VPN endpoint Customer gateway DHCP options Elastic IP Fleet FPGA image Host reservation Image Instance Internet gateway Launch template NAT gateway Network ACL Network interface Reserved Instances Route table Security group Snapshot Spot Instances request Subnet Traffic mirror filter Traffic mirror session Traffic mirror target Volume VPC VPC endpoint VPC endpoint service VPC peering connection VPN connection VPN gateway	"ec2:capacity-reservation" "ec2:client-vpn-endpoint" "ec2:customer-gateway" "ec2:dhcp-options" "ec2:elastic-ip" "ec2:fleet" "ec2:fpga-image" "ec2:host-reservation" "ec2:image" "ec2:instance" "ec2:internet-gateway" "ec2:launch-template" "ec2:natgateway" "ec2:network-acl" "ec2:network-interface" "ec2:reserved-instances" "ec2:route-table" "ec2:security-group" "ec2:snapshot" "ec2:spot-instances-request" "ec2:subnet" "ec2:traffic-mirror-filter" "ec2:traffic-mirror-session" "ec2:traffic-mirror-target" "ec2:volume" "ec2:vpc" "ec2:vpc-endpoint" "ec2:vpc-endpoint-service" "ec2:vpc-peering-connection" "ec2:vpn-connection" "ec2:vpn-gateway"
Amazon EC2 Recycle Bin	Rule	"rbin:rule"
Amazon Elastic Container Registry	Repository	"ecr:repository"
AWS Elastic Beanstalk	Application Application version Configuration template Platform	"elasticbeanstalk:application" "elasticbeanstalk:applicationversion" "elasticbeanstalk:configurationtemplate" "elasticbeanstalk:platform"
Amazon Elastic Container Service	Cluster Service Task set	"ecs:cluster" "ecs:service" "ecs:task-set"
Amazon Elastic File System	All File system	"elasticfilesystem:*" "elasticfilesystem:file-system"
Amazon Elastic Inference	Accelerator	"elastic-inference:elastic-inference-accelerator"
Amazon Elastic Kubernetes Service	Cluster	"eks:cluster"
Amazon Elastic Search	Domain	"es:domain"
Amazon EMR	Cluster Editor	"elasticmapreduce:cluster" "elasticmapreduce:editor"
Amazon EMR Serverless	Application	"emr-serverless:applications"
AWS Entity Resolution	Matching Workflow Schema Mapping	"entityresolution:matchingworkflow" "entityresolution:schemamapping"
Amazon ElastiCache	Cluster	"elasticache:cluster"
Amazon EventBridge	All Event bus Rule	"events:*" "events:event-bus" "events:rule"
Amazon EventBridge Pipes	Pipe	"pipes:pipe"
Amazon EventBridge Scheduler	Schedule Group	"scheduler:schedule-group"
Amazon Fraud Detector	Detector Detector version Model Rule Variable	"frauddetector:detector" "frauddetector:detector-version" "frauddetector:model" "frauddetector:rule" "frauddetector:variable"
Amazon Global Accelerator	Accelerator	"globalaccelerator:accelerator"
Elastic Load Balancing	All Load balancer Target group	"elasticloadbalancing:*" "elasticloadbalancing:loadbalancer" "elasticloadbalancing:targetgroup"
Amazon FSx	All Backup File system	"fsx:*" "fsx:backup" "fsx:file-system"
Amazon GuardDuty	Detector Filter IP Set Threat Intel Set	"guardduty:detector" "guardduty:detector/filter" "guardduty:detector/ipset" "guardduty:detector/threatintelset"
AWS HealthLake	Datastore	"healthlake:datastore"
AWS HealthOmics	Annotation Store Annotation Store Version Reference Store Reference Run Run Group Sequence Store Read Set Variant Store Workflow	"omics:annotationStore" "omics:annotationStore/version" "omics:referenceStore" "omics:referenceStore/reference" "omics:run" "omics:runGroup" "omics:sequenceStore" "omics:sequenceStore/readSet" "omics:variantStore" "omics:workflow"
Amazon Inspector	Filter	"inspector2:filter"
AWS Identity and Access Management	Instance Profile MFA OIDC Provider Policy SAML Provider Server Certificate	"iam:instance-profile" "iam:mfa" "iam:oidc-provider" "iam:policy" "iam:saml-provider" "iam:server-certificate"
AWS IoT Analytics	All Channel Dataset Datastore Pipeline	"iotanalytics:*" "iotanalytics:channel" "iotanalytics:dataset" "iotanalytics:datastore" "iotanalytics:pipeline"
AWS IoT Events	All Detector model Input	"iotevents:*" "iotevents:detectorModel" "iotevents:input"
AWS IoT Fleet Hub	Application	"iotfleethub:application"
AWS IoT SiteWise	Asset Asset Model	"iotsitewise:asset" "iotsitewise:asset-model"
AWS IoT Greengrass	Bulk Deployment Connector Definition Core Definition Device Definition Function Definition Logger Definition Resource Definition Subscription Definition	"greengrass:bulk" "greengrass:connectorsDefinition" "greengrass:coresDefinition" "greengrass:devicesDefinition" "greengrass:functionsDefinition" "greengrass:loggersDefinition" "greengrass:resourcesDefinition" "greengrass:subscriptionsDefinition"
AWS Key Management Service	All Key	"kms:*" "kms:key"
Amazon Kinesis	All Application	"kinesisanalytics:*" "kinesisanalytics:application"
Amazon Data Firehose	All Delivery stream	"firehose:*" "firehose:deliverystream"
AWS Lambda	All Function	"lambda:*" "lambda:function"
Amazon Macie	Custom Data Identifier	"macie2:custom-data-identifier"
Amazon MediaStore	Container	"mediastore:container"
Amazon MQ	Broker Configuration	"mq:broker" "mq:configuration"
Amazon Network Firewall	Firewall Firewall Policy Stateful Rule Group Stateless Rule Group	"network-firewall:firewall" "network-firewall:firewall-policy" "network-firewall:stateful-rulegroup" "network-firewall:stateless-rulegroup"
Amazon OpenSearch Serverless	Collection	"aoss:collection"
AWS Organizations	Account Organizational Unit Policy Root	"organizations:account" "organizations:ou" "organizations:policy" "organizations:root"
Amazon Pinpoint SMS Voice V2	Configuration Set Opt Out List Phone Number Pool Sender Id	"sms-voice:configuration-set" "sms-voice:opt-out-list" "sms-voice:phone-number" "sms-voice:pool" "sms-voice:sender-id"
Amazon RDS	Cluster parameter group Cluster endpoint Event subscription DB option group DB parameter group DB proxy DB proxy endpoint Reserved DB instance DB security group DB subnet group Target group	"rds:cluster-pg" "rds:cluster-endpoint" "rds:es" "rds:og" "rds:pg" "rds:db-proxy" "rds:db-proxy-endpoint" "rds:ri" "rds:secgrp" "rds:subgrp" "rds:target-group"
Amazon Redshift	All Cluster DB group DB name DB user Event subscription HSM client certificate HSM configuration Parameter group Snapshot Snapshot copy grant Snapshot schedule Subnet group	"redshift:*" "redshift:cluster" "redshift:dbgroup" "redshift:dbname" "redshift:dbuser" "redshift:eventsubscription" "redshift:hsmclientcertificate" "redshift:hsmconfiguration" "redshift:parametergroup" "redshift:snapshot" "redshift:snapshotcopygrant" "redshift:snapshotschedule" "redshift:subnetgroup"
Amazon Redshift Serverless	Namespace Workgroup	"redshift-serverless:namespace" "redshift-serverless:workgroup"
AWS Resource Access Manager	All Resource share	"ram:*" "ram:resource-share"
AWS Resource Groups	All Group	"resource-groups:*" "resource-groups:group"
Amazon Route 53	Hosted zone	"route53:hostedzone"
Amazon Route 53 Resolver	All Resolver endpoint Resolver rule	"route53resolver:*" "route53resolver:resolver-endpoint" "route53resolver:resolver-rule"
Amazon S3	Bucket Storage Lens	"s3:bucket" "s3:storage-lens"
Amazon SageMaker	App Image Config Artifact Context Training job Processing job Model package group Human task UI Model Package Action Pipeline Experiment Flow Definition Project	"sagemaker:app-image-config" "sagemaker:artifact" "sagemaker:context" "sagemaker:training-job" "sagemaker:processing-job " "sagemaker:model-package-group" "sagemaker:human-task-ui" "sagemaker:model-package" "sagemaker:action" "sagemaker:pipeline" "sagemaker:experiment" "sagemaker:flow-definition" "sagemaker:project"
AWS Secrets Manager	All Secret	"secretsmanager:*" "secretsmanager:secret"
AWS Security Lake	Data Lake Subscriber	"securitylake:data-lake" "securitylake:subscriber"
AWS Service Catalog	Application Attribute Group Portfolio Product	"servicecatalog:applications" "servicecatalog:attribute-groups" "catalog:portfolio" "catalog:product"
Amazon Simple Notification Service (SNS)	Topic	"sns:topic"
Amazon Simple Queue Service (SQS)	Queue	"sqs:queue"
Amazon States Language	All Activity State Machine	"states:*" "states:activity" "states:stateMachine"
AWS Step Functions	Activity	"states:activity"
AWS Storage Gateway	All Gateway Share Tape Volume	"storagegateway:*" "storagegateway:gateway" "storagegateway:share" "storagegateway:tape" "storagegateway:gateway/volume"
AWS Systems Manager	Association Automation execution Document Maintenance Window Managed instance Ops item Patch baseline Session Contacts	"ssm:association" "ssm:automation-execution" "ssm:document" "ssm:maintenancewindow" "ssm:managed-instance" "ssm:opsitem" "ssm:patchbaseline" "ssm:session" "ssm-contacts:contact"
AWS Transfer Family	Server User Workflow	"transfer:server" "transfer:user" "transfer:workflow"
Amazon Well-Architected	Workload	"wellarchitected:workload"
AWS Wickr	Network	"wickr:network"
Amazon WorkSpaces	All Directory WorkSpace WorkSpaces bundle WorkSpaces image WorkSpaces IP group	"workspaces:*" "workspaces:directory" "workspaces:workspace" "workspaces:workspacebundle" "workspaces:workspaceimage" "workspaces:workspaceipgroup"
Amazon WorkLink	Fleet	"worklink:fleet"