Decide on a tag capitalization strategy Use the recommended workflow Determine tagging rules Educate account administrators Use caution in enforcing compliance Consider creating an SCP to set guardrails around resource creation requests

Best practices for using tag policies

AWS recommends the following best practices for using tag policies.

Decide on a tag capitalization strategy

Determine how you want to capitalize tags and consistently implement that strategy across all resource types. For example, decide whether to use Costcenter, costcenter, or CostCenter, and use the same convention for all tags. For consistent results in compliance reports, avoid using similar tags with inconsistent case treatment. This strategy will help you define tag policies for your organization.

Use the recommended workflow

Start small by creating a simple tag policy. Then attach it to a member account that you can use for testing purposes. Use the workflows described in Getting started with tag policies.

Determine tagging rules

This will depend on your organization's needs. For example, you may want to specify that when a CostCenter tag is attached to AWS Secrets Manager secrets, it must use the specified case treatment. Create tag policies that define compliant tags and attach them to the organization entities where you want those tagging rules to be in effect.

Educate account administrators

When you're ready to expand your use of tag policies, educate account administrators as follows:

Communicate your tagging strategy.
Emphasize that administrators need to use tags on specific resource types.

This is important, as untagged resources don't show as noncompliant in compliance results.
Provide guidance on checking compliance with tag policies. Instruct administrators to find and correct noncompliant tags on resources in their account using the procedure described in Evaluating Compliance for an Account in the Tagging AWS Resource User Guide. Let them know how often you want them to check for compliance.

Use caution in enforcing compliance

Enforcing compliance could prevent users in your organization's accounts from tagging the resources they need. Review the information in Understanding enforcement. Also see the workflows described in Getting started with tag policies.

Consider creating an SCP to set guardrails around resource creation requests

Resources that have never had tags attached to them don't show as noncompliant in reports. Account administrators can still create untagged resources. In some cases, you can use a service control policy (SCP) to set guardrails around resource creation requests. For an example SCP, see Require a tag on specified created resources. To learn whether an AWS service supports controlling access using tags, see AWS Services That Work with IAM in the IAM User Guide. Look for the services that have Yes in the Authorization based on tags column. Choose the name of the service to view the authorization and access control documentation for that service.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Prerequisites and permissions

Getting started