Tag policies - AWS Organizations

Tag policies

For information and procedures common to all policy types, see the following topics:

You can use tag policies to maintain consistent tags, including the preferred case treatment of tag keys and tag values.

What are tags?

Tags are custom attribute labels that you assign or that AWS assigns to AWS resources. Each tag has two parts:

  • A tag key (for example, CostCenter, Environment, or Project). Tag keys are case sensitive.

  • An optional field known as a tag value (for example, 111122223333 or Production). Omitting the tag value is the same as using an empty string. Like tag keys, tag values are case sensitive.

The rest of this page describes tag policies. For more information about tags, see the following sources:

What are tag policies?

Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged.

For example, a tag policy can specify that when the CostCenter tag is attached to a resource, it must use the case treatment and tag values that the tag policy defines. A tag policy can also enforce compliance on specified resource types, meaning that noncompliant tagging requests on those resource types are prevented from completing. Untagged resources and tags that aren't defined in the tag policy aren't evaluated for compliance with the tag policy.
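The evaluation rules described above, as an added example that is not AWS code: a simplified Python model of how a tagging request is judged against a tag policy. The sample policy (constructed here, written in tag policy JSON syntax), the `evaluate` function, and the resource type strings are assumptions; wildcard values and operators other than `@@assign` are not modeled.

```python
# Simplified model of tag policy evaluation (added example, not AWS's implementation).
# Constructed sample policy: CostCenter must be spelled exactly "CostCenter",
# must carry the value "100" or "200", and is enforced only for EC2 instances.
POLICY = {
    "tags": {
        "costcenter": {
            "tag_key": {"@@assign": "CostCenter"},
            "tag_value": {"@@assign": ["100", "200"]},
            "enforced_for": {"@@assign": ["ec2:instance"]},
        }
    }
}


def evaluate(policy, resource_type, tags):
    """Return (findings, blocked) for a tagging request.

    findings: list of (tag key as supplied, reason) for noncompliant tags.
    blocked:  True when a noncompliant tag is on a resource type in enforced_for.
    """
    findings, blocked = [], False
    # Rules are located case-insensitively; tag_key then fixes the exact case.
    rules = {r["tag_key"]["@@assign"].lower(): r for r in policy["tags"].values()}
    for key, value in tags.items():
        rule = rules.get(key.lower())
        if rule is None:
            continue  # tags not defined in the policy are not evaluated
        reasons = []
        if key != rule["tag_key"]["@@assign"]:
            reasons.append("key case")
        allowed = rule.get("tag_value", {}).get("@@assign")
        # An omitted tag value is treated as the empty string.
        if allowed is not None and (value or "") not in allowed:
            reasons.append("value")
        if reasons:
            findings.append((key, "+".join(reasons)))
            if resource_type in rule.get("enforced_for", {}).get("@@assign", []):
                blocked = True  # enforced: the request would not complete
    return findings, blocked
```

A finding with `blocked` set to `False` corresponds to a tag that is reported as noncompliant but whose tagging request still completes, because the resource type is not listed under `enforced_for`.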

Using tag policies involves working with multiple AWS services:

  • Use AWS Organizations to manage tag policies. When signed in to the organization's management account (formerly known as the "master account"), you use Organizations to enable the tag policies feature. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account. Then you can create tag policies and attach them to the organization entities to put those tagging rules into effect.

  • Use AWS Resource Groups to manage compliance with tag policies. When signed in to an account in your organization, you use Resource Groups to find noncompliant tags on resources in the account. You can correct noncompliant tags in the AWS service where you created the resource.

    If you sign in to the management account in your organization, you can view compliance information for all your organization's accounts.

Tag policies are available only in an organization that has all features enabled. For more information on what's required to use tag policies, see Prerequisites and permissions for managing tag policies.

Important

To get started with tag policies, AWS strongly recommends that you follow the example workflow described in Getting started with tag policies before moving on to more advanced tag policies. It's best to understand the effects of attaching a simple tag policy to a single account before expanding tag policies to an entire OU or organization. It's especially important to understand a tag policy's effects before you enforce compliance with any tag policy. The tables on the Getting started with tag policies page also provide links to instructions for more advanced policy-related tasks.