Getting started with Tag Editor - Tagging AWS Resources

Tag Editor is one way to tag your resources. View the sections below to understand the prerequisites you must satisfy to use it.

Prerequisites for working with Tag Editor

Before you start tagging your resources, make sure you have an active AWS account with existing resources and the permissions needed to tag resources and create groups.

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to an administrative user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create an administrative user

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using the root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create an administrative user
  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to an administrative user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the administrative user
  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Create resources

You must have resources in your AWS account to tag. For more information about the supported resource types, see the Tag Editor Tagging column under Supported resource types in the AWS Resource Groups User Guide.

Set up permissions

To make full use of Tag Editor, you might need additional permissions to tag resources or to see a resource's tag keys and values. These permissions are in the following categories:

  • Permissions for individual services so that you can tag resources from those services and include them in resource groups.

  • Permissions that are required to use the Tag Editor console.

If you're an administrator, you can provide permissions for your users by creating policies through the AWS Identity and Access Management (IAM) service. You first create IAM roles, users, or groups, and then apply the policies with the permissions that they need. For information about creating and attaching IAM policies, see Working with policies.

Permissions for individual services

Important

This section describes permissions that are required if you want to tag resources from other AWS service consoles and APIs.

To add tags to a resource, you need the permissions required for the service to which the resource belongs. For example, to tag Amazon EC2 instances, you must have permissions to the tagging operations in that service's API, such as the Amazon EC2 CreateTags operation.

Permissions required to use the Tag Editor console

To use the Tag Editor console to list and tag resources, the following permissions must be added to a user's policy statement in IAM. You can add either AWS managed policies that are maintained and kept up to date by AWS, or you can create and maintain your own custom policy.

Using AWS managed policies for Tag Editor permissions

Tag Editor supports the following AWS managed policies that you can use to provide a predefined set of permissions to your users. You can attach these managed policies to any role, user, or group just as you would any other policy that you create.

ResourceGroupsandTagEditorReadOnlyAccess

This policy grants the attached IAM role or user permission to call the read-only operations for both AWS Resource Groups and Tag Editor. To read a resource's tags, you must also have permissions for that resource through a separate policy. Learn more in the following Important note.

ResourceGroupsandTagEditorFullAccess

This policy grants the attached IAM role or user permission to call any Resource Groups operation and the read and write tag operations in Tag Editor. To read or write a resource's tags, you must also have permissions for that resource through a separate policy. Learn more in the following Important note.

Important

The two previous policies grant permission to call the Tag Editor operations and use the Tag Editor console. However, calling an operation is not enough on its own: you must also have appropriate permissions to the specific resource whose tags you're trying to access. To grant that access to the tags, you must also attach one of the following policies:

  • The AWS managed policy ReadOnlyAccess grants permissions to the read-only operations for every service's resources. AWS automatically keeps this policy up to date with new AWS services as they become available.

  • Many services provide service-specific read-only AWS managed policies that you can use to limit access to only the resources provided by that service. For example, Amazon EC2 provides AmazonEC2ReadOnlyAccess.

  • You can create your own policy that grants access to only the specific read-only operations for the few services and resources you want your users to access. This policy uses either an allowlist strategy or a denylist strategy.

    An allowlist strategy takes advantage of the fact that access is denied by default until you explicitly allow it in a policy. So, you can use a policy like the following example.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [ "tag:*" ],
                "Resource": "<ARNs of resources to allow tagging>"
            }
        ]
    }

    Alternatively, you could use a denylist strategy that allows access to all resources except those that you explicitly block. This requires a separate policy that applies to the relevant users that allows access. The following example policy then denies access to the specific resources listed by the Amazon Resource Name (ARN).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [ "tag:*" ],
                "Resource": "<ARNs of resources to disallow tagging>"
            }
        ]
    }

Adding Tag Editor permissions manually
  • tag:* (This permission allows all Tag Editor actions. If you instead want to restrict actions that are available to a user, you can replace the asterisk with a specific action, or with a comma-separated list of actions.)

  • tag:GetResources

  • tag:TagResources

  • tag:UntagResources

  • tag:getTagKeys

  • tag:getTagValues

  • resource-explorer:*

  • resource-groups:SearchResources

  • resource-groups:ListResourceTypes

Note

The resource-groups:SearchResources permission allows Tag Editor to list resources when you filter your search using tag keys or values.

The resource-explorer:ListResources permission allows Tag Editor to list resources when you search resources without defining search tags.

Granting permissions for using Tag Editor

To add a policy for using AWS Resource Groups and Tag Editor to a role, do the following.

  1. Open the IAM console to the Roles page.

  2. Find the role to which you want to grant Tag Editor permissions. Choose the role's name to open the role's Summary page.

  3. On the Permissions tab, choose Add permissions.

  4. Choose Attach existing policies directly.

  5. Choose Create policy.

  6. On the JSON tab, paste the following policy statement.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "tag:GetResources",
                    "tag:TagResources",
                    "tag:UntagResources",
                    "tag:getTagKeys",
                    "tag:getTagValues",
                    "resource-explorer:*",
                    "resource-groups:SearchResources",
                    "resource-groups:ListResourceTypes"
                ],
                "Resource": "*"
            }
        ]
    }

    Note

    This example policy statement grants permissions to perform only Tag Editor actions.

  7. Choose Next: Tags and then choose Next: Review.

  8. Enter a name and description for the new policy. For example, AWSTaggingAccess.

  9. Choose Create policy.

Now that the policy is saved in IAM, you can attach it to other principals, such as roles, groups, or users. For more information about how to add a policy to a principal, see Adding and removing IAM identity permissions in the IAM User Guide.
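To see why the allowlist and denylist strategies above behave differently, and why the Tag Editor policy from this procedure still needs a separate service-level policy, here is an added example (not AWS code) that models IAM's evaluation of those policies. It assumes explicit Deny wins, anything unmatched is implicitly denied, Action names match case-insensitively, and "*" in Action or Resource is a glob; conditions are not modelled, and every ARN is a constructed sample.

```python
import fnmatch

# Added example, not AWS code. Models how IAM evaluates the identity-based policies
# on this page. Assumptions: explicit Deny wins over any Allow, anything not allowed
# is implicitly denied, Action names match case-insensitively, and '*' in Action or
# Resource is a glob. Conditions are not modelled. All ARNs are constructed samples.

ACCOUNT = "arn:aws:ec2:us-east-1:123456789012:instance/"   # constructed prefix
ALLOWED_ARN, BLOCKED_ARN, OTHER_ARN = ACCOUNT + "i-0aaaa", ACCOUNT + "i-0bbbb", ACCOUNT + "i-0cccc"

# The page's allowlist and denylist examples, placeholders filled with constructed ARNs.
ALLOWLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["tag:*"], "Resource": ALLOWED_ARN}]}
DENYLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["tag:*"], "Resource": BLOCKED_ARN}]}
# The separate policy a denylist strategy depends on: a broad Allow for tagging actions.
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["tag:*"], "Resource": "*"}]}
# The Tag Editor console policy from the procedure above.
TAG_EDITOR = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "tag:GetResources", "tag:TagResources", "tag:UntagResources", "tag:getTagKeys",
    "tag:getTagValues", "resource-explorer:*", "resource-groups:SearchResources",
    "resource-groups:ListResourceTypes"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, fold_case):
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def statement_matches(stmt, action, resource_arn):
    """True if the statement's Action and Resource both cover the request."""
    return (any(_glob(p, action, True) for p in _as_list(stmt.get("Action", [])))
            and any(_glob(p, resource_arn, False) for p in _as_list(stmt.get("Resource", []))))

def is_allowed(policies, action, resource_arn):
    """Evaluate all attached policies for one request: Deny wins, then Allow, else denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource_arn):
                if stmt["Effect"] == "Deny":
                    return False          # explicit deny overrides every allow
                allowed = True
    return allowed                        # implicit deny when nothing matched
```

Attaching only DENYLIST grants nothing, and TAG_EDITOR alone does not permit ec2:CreateTags, which is why the page requires a separate policy for the resource's own service.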

Authorization and access control based on tags

AWS services support the following:

  • Action-based policies – For example, you can create a policy that allows users to perform GetTagKeys or GetTagValues operations, but no others.

  • Resource-level permissions in policies – Many services support using ARNs to specify individual resources in the policy.

  • Authorization based on tags – Many services support using resource tags in the condition of a policy. For example, you can create a policy that allows users full access to a group that has the same tag as the users. For more information, see What is ABAC for AWS? in the AWS Identity and Access Management User Guide.

  • Temporary credentials – Users can assume a role with a policy that allows Tag Editor operations.

Tag Editor doesn't use any service-linked roles.

For more information about how Tag Editor integrates with AWS Identity and Access Management (IAM), see the following topics in the AWS Identity and Access Management User Guide: