Prerequisites and permissions - Tagging AWS Resources

Prerequisites and permissions

Before you can evaluate compliance with tag policies in Tag Editor, you must meet the requirements and set the necessary permissions.

Prerequisites for evaluating compliance with tag policies

Evaluating compliance with tag policies requires the following:

Permissions for evaluating compliance for an account

Finding noncompliant tags on an account's resources requires the following permissions:

  • organizations:DescribeEffectivePolicy – To get the contents of the effective tag policy for the account.

  • tag:GetResources – To get a list of resources that don't comply with the attached tag policy.

  • tag:TagResources – To add or update tags. You also need service-specific permissions to create tags. For example, to tag resources in Amazon Elastic Compute Cloud (Amazon EC2), you need permissions for ec2:CreateTags.

  • tag:UnTagResources – To remove a tag. You also need service-specific permissions to remove tags. For example, to untag resources in Amazon EC2, you need permissions for ec2:DeleteTags.

The following example AWS Identity and Access Management (IAM) policy provides permissions for evaluating tag compliance for an account.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "EvaluateAccountCompliance", "Effect": "Allow", "Action": [ "organizations:DescribeEffectivePolicy", "tag:GetResources", "tag:TagResources", "tag:UnTagResources" ], "Resource": "*" } ] }

For more information about IAM policies and permissions, see the IAM User Guide.

Permissions for evaluating organization-wide compliance

Evaluating organization-wide compliance with tag policies requires the following permissions:

  • organizations:DescribeEffectivePolicy – To get the contents of the tag policy that's attached to the organization, organizational unit (OU), or account.

  • tag:GetComplianceSummary – To get a summary of noncompliant resources in all accounts in the organization.

  • tag:StartReportCreation – To export the results of the most recent compliance evaluation to a file. Organization-wide compliance is evaluated every 48 hours.

  • tag:DescribeReportCreation – To check the status of report creation.

The following example IAM policy provides permissions for evaluating organization-wide compliance.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "EvaluateOrgCompliance", "Effect": "Allow", "Action": [ "organizations:DescribeEffectivePolicy", "tag:GetComplianceSummary", "tag:StartReportCreation", "tag:DescribeReportCreation" ], "Resource": "*" } ] }

For more information about IAM policies and permissions, see the IAM User Guide.

Amazon S3 bucket policy for report storage

To create an organization-wide compliance report, you must grant access for the tag policies service principal to an Amazon Simple Storage Service (Amazon S3) bucket in the US East (N. Virginia) Region for report storage. This Amazon S3 bucket must be in the same account that is requesting to generate a compliance report. The role you use must also have GetBucketAcl and s3:PutObject permissions to the bucket.

Attach the following bucket policy to the bucket, replacing each placeholder with your own information:

  • Your S3 bucket name

  • ID number of the organization

  • Account ID number of the organization's management account for the organization in which you're applying the policy

{ "Version": "2012-10-17", "Statement": [ { "Sid": "TagPolicyACL", "Effect": "Allow", "Principal": { "Service": [ "tagpolicies.tag.amazonaws.com" ] }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::<your-bucket-name>", "Condition": { "StringLike": { "aws:SourceAccount": "<organization-management-account-id>", "aws:SourceArn": "arn:aws:tag:us-east-1:<organization-management-account-id>:*" } } }, { "Sid": "TagPolicyBucketDelivery", "Effect": "Allow", "Principal": { "Service": [ "tagpolicies.tag.amazonaws.com" ] }, "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::<your-bucket-name>/AwsTagPolicies/<your-organization-id>/*", "Condition": { "StringLike": { "aws:SourceAccount": "<organization-management-account-id>", "aws:SourceArn": "arn:aws:tag:us-east-1:<organization-management-account-id>:*" } } } ] }