AWS Resource Tagging Standard
This section provides information about the AWS Resource Tagging Standard.
Note
The AWS Resource Tagging Standard isn't available in Canada West (Calgary), China, and AWS GovCloud (US).
What is the AWS Resource Tagging Standard?
Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource or after creation. Examples of resources include an Amazon CloudFront distribution, an Amazon Elastic Compute Cloud (Amazon EC2) instance, or a secret in AWS Secrets Manager.
Tags can help you manage, identify, organize, search for, and filter resources.
Each tag has two parts:
A tag key (for example, CostCenter, Environment, or Project). Tag keys are case sensitive.
A tag value (for example, 111122223333 or Production). Like tag keys, tag values are case sensitive.
You can use tags to categorize resources by purpose, owner, environment, or other criteria.
For instructions on adding tags to AWS resources, see How to add tags to your AWS resource in the AWS Security Hub User Guide.
The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you quickly identify if any of your AWS resources are missing tag keys. You can customize the requiredTagKeys parameter to specify specific tag keys that the controls check for. If specific tags aren't provided, the controls just check for the existence of at least one tag key.
When you enable the AWS Resource Tagging Standard, you'll begin receiving findings in the AWS Security Finding Format (ASFF).
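The following is an added example, not code from AWS or from this guide: a local pre-check that mirrors the tag-key logic described above, so a tag inventory can be reviewed before the controls report on it. The resource names and sample tags are constructed, PASSED and FAILED are used only as result labels, and skipping keys that start with aws: (system tags) is an assumption not stated on this page.

```python
"""Local pre-check mirroring the tag-key logic described above (illustrative)."""

SYSTEM_PREFIX = "aws:"  # assumption: AWS-applied system tags do not count


def evaluate_tags(tags, required_tag_keys=None):
    """Return (status, missing_keys) for one resource's tag dict.

    tags: dict of tag key -> tag value.
    required_tag_keys: list mirroring the requiredTagKeys parameter, or None.
    """
    user_keys = {k for k in tags if not k.startswith(SYSTEM_PREFIX)}
    if required_tag_keys:
        # Exact, case-sensitive comparison: "costcenter" != "CostCenter".
        missing = sorted(set(required_tag_keys) - user_keys)
        return ("FAILED" if missing else "PASSED", missing)
    # No required keys configured: at least one tag key must exist.
    return ("PASSED" if user_keys else "FAILED", [])


def near_misses(tags, missing):
    """Map each missing key to existing keys that differ from it only by case."""
    out = {}
    for want in missing:
        hits = sorted(k for k in tags if k.lower() == want.lower() and k != want)
        if hits:
            out[want] = hits
    return out


# Constructed sample inventory (hypothetical resource names).
SAMPLE_RESOURCES = {
    "firewall-a": {"CostCenter": "111122223333", "Environment": "Production"},
    "firewall-b": {"costcenter": "111122223333", "Environment": "Production"},
    "activity-c": {"aws:cloudformation:stack-name": "demo"},
    "activity-d": {},
}


def report(resources, required_tag_keys=None):
    """Evaluate every resource and flag likely case mistakes in tag keys."""
    result = {}
    for name, tags in resources.items():
        status, missing = evaluate_tags(tags, required_tag_keys)
        result[name] = {"status": status, "missing": missing,
                        "case_mismatch": near_misses(tags, missing)}
    return result


if __name__ == "__main__":
    for name, row in report(SAMPLE_RESOURCES, ["CostCenter", "Environment"]).items():
        print(name, row)
```

The case_mismatch field separates a resource that was never tagged from one that carries the right tag under a differently cased key, which is the more common cause of an unexpected failure.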
Note
When you enable AWS Resource Tagging Standard, Security Hub may take up to 18 hours to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information, see Schedule for running security checks.
This standard has the following Amazon Resource Name (ARN): arn:aws:securityhub:region::standards/aws-resource-tagging-standard/v/1.0.0.
You can also use the GetEnabledStandards operation of the Security Hub API to find out the ARN of an enabled standard.
Controls in the AWS Resource Tagging Standard
The AWS Resource Tagging Standard includes the following controls. Select a control to view a detailed description of it.
[EKS.7] EKS identity provider configurations should be tagged
[GlobalAccelerator.1] Global Accelerator accelerators should be tagged
[IoT.1] AWS IoT Device Defender security profiles should be tagged
[NetworkFirewall.7] Network Firewall firewalls should be tagged
[NetworkFirewall.8] Network Firewall firewall policies should be tagged
[Redshift.12] Redshift event notification subscriptions should be tagged
[Redshift.14] Redshift cluster subnet groups should be tagged
[StepFunctions.2] Step Functions activities should be tagged