Getting started with tag policies - AWS Organizations

Getting started with tag policies

Using tag policies involves working with multiple AWS services. To get started, review the following pages. Then follow the workflows on this page to get familiar with tag policies and their effects.

Using tag policies for the first time

Follow these steps to get started using tag policies for the first time.

Task Account to sign in to AWS service console to use

Step 1: Enable tag policies for your organization.

The organization's management account.¹

AWS Organizations

Step 2: Create a tag policy.

Keep your first tag policy simple. Enter one tag key in the case treatment you want to use and leave all other options at their defaults.

The organization's management account.¹

AWS Organizations

Step 3: Attach a tag policy to a single member account that you can use for testing.

You'll need to sign in to this account in the next step.

The organization's management account.¹

AWS Organizations

Step 4: Create some resources with compliant tags and some with noncompliant tags.

The member account that you're using for testing purposes.

Any AWS service that you are comfortable with. For example, you can use AWS Secrets Manager and follow the procedure in Creating a Basic Secret to create secrets with compliant and non-compliant secrets.

Step 5: View the effective tag policy and evaluate the compliance status of the account.

The member account that you're using for testing purposes.

Resource Groups and the AWS service where the resource was created.

If you created resources with compliant and non-compliant tags, you should see the non-compliant tags in the results.

Step 6: Repeat the process of finding and correcting compliance issues until the resources in the test account are compliant with your tag policy.

The member account that you're using for testing purposes.

Resource Groups and the AWS service where the resource was created.

At any time, you can evaluate organization-wide compliance.

The organization's management account.¹

Resource Groups

¹ You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

Expanding use of tag policies

You can perform the following tasks in any order to expand your use of tag policies.

Advanced task Account to sign in to AWS service console to use

Create more advanced tag policies.

Follow the same process as for first-time users, but try other tasks. For example, define additional keys or values or specify different case treatment for a tag key.

You can use the information in Understanding management policy inheritance and Tag policy syntax to create more detailed tag policies.

The organization's management account.¹

AWS Organizations

Attach tag policies to additional accounts or OUs.

Check the effective tag policy for an account after you attach more policies to it or to any OU in which the account is a member.

The organization's management account.¹

AWS Organizations

Create an SCP to require tags when anyone creates new resources. For an example, see Require a tag on specified created resources.

The organization's management account.¹

AWS Organizations

Continue to evaluate the compliance status of the account against the effective tag policy as it changes. Correct noncompliant tags.

A member account with an effective tag policy.

Resource Groups and the AWS service where the resource was created.

Evaluate organization-wide compliance.

The organization's management account.¹

Resource Groups

¹ You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

Enforcing tag policies for the first time

To enforce tag policies for the first time, follow a workflow similar to using tag policies for the first time and use a test account.

Warning

Use caution in enforcing compliance. Make sure that you understand the effects of using tag policies and follow the recommended workflow. Test how enforcement works on a test account before expanding it to more accounts. Otherwise, you could prevent users in your organization's accounts from tagging the resources they need. For more information, see Understanding enforcement.

Enforcement tasks Account to sign in to AWS service console to use

Step 1: Create a tag policy.

Keep your first enforced tag policy simple. Enter one tag key in the case treatment you want to use, and choose the Prevent noncompliant operations for this tag option. Then specify one resource type to enforce it on. Continuing with our earlier example, you can choose to enforce it on Secrets Manager secrets.

The organization's management account.¹

AWS Organizations

Step 2: Attach a tag policy to a single, test account.

The organization's management account.¹

AWS Organizations

Step 3: Try creating some resources with compliant tags, and some with noncompliant tags. You shouldn't be allowed to create a tag on a resource of the type specified in the tag policy with a noncompliant tag.

The member account that you're using for testing purposes.

Any AWS service that you are comfortable with. For example, you can use AWS Secrets Manager and follow the procedure in Creating a Basic Secret to create secrets with compliant and non-compliant secrets.

Step 4: Evaluate the compliance status of the account against the effective tag policy and correct noncompliant tags.

The member account that you're using for testing purposes.

Resource Groups and the AWS service where the resource was created.

Step 5: Repeat the process of finding and correcting compliance issues until the resources in the test account are compliant with your tag policy.

The member account that you're using for testing purposes.

Resource Groups and the AWS service where the resource was created.

At any time, you can evaluate organization-wide compliance.

The organization's management account.¹

Resource Groups

¹ You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.