AWS Resource Tagging Standard - AWS Security Hub

AWS Resource Tagging Standard

This section provides information about the AWS Resource Tagging Standard.


The AWS Resource Tagging Standard isn't available in Canada West (Calgary), China, and AWS GovCloud (US).

What is the AWS Resource Tagging Standard?

Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource or after creation. Examples of resources include an Amazon CloudFront distribution, an Amazon Elastic Compute Cloud (Amazon EC2) instance, or a secret in AWS Secrets Manager.

Tags can help you manage, identify, organize, search for, and filter resources.

Each tag has two parts:

  • A tag key (for example, CostCenter, Environment, or Project). Tag keys are case sensitive.

  • A tag value (for example, 111122223333 or Production). Like tag keys, tag values are case sensitive.

You can use tags to categorize resources by purpose, owner, environment, or other criteria.

For instructions on adding tags to AWS resources, see How to add tags to your AWS resource in the AWS Security Hub User Guide.

The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you quickly identify if any of your AWS resources are missing tag keys. You can customize the requiredTagKeys parameter to specify specific tag keys that the controls check for. If specific tags aren't provided, the controls just check for the existence of at least one tag key.

When you enable the AWS Resource Tagging Standard, you'll begin receiving findings in the AWS Security Finding Format (ASFF).


When you enable AWS Resource Tagging Standard, Security Hub may take up to 18 hours to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information, see Schedule for running security checks.

This standard has the following Amazon Resource Name (ARN): arn:aws:securityhub:region::standards/aws-resource-tagging-standard/v/1.0.0.

You can also use the GetEnabledStandards operation of the Security Hub API to find out the ARN of an enabled standard.

Controls in the AWS Resource Tagging Standard

The AWS Resource Tagging Standard includes the following controls. Select a control to view a detailed description of it.