The Ops Community ⚙️

Cover image for Enforcing Mandatory Tags Across Your AWS Resources
Patrick Londa for Blink Ops

Posted on • Updated on • Originally published at

Enforcing Mandatory Tags Across Your AWS Resources

Amazon Web Services (AWS) tags help developers and teams organize resources. Without proper labeling practices, you could end up with scattered resources and no way to identify their purpose or provenance.

Setting up mandatory tags in AWS standardizes their use within a given environment, as users can’t create new resources unless they add a compliant tag. Enforcing mandatory tags helps you build upon and enrich your cloud management environment. As a result, your team will be able to properly manage your AWS resources and leverage them efficiently.

What Are Mandatory Tags in AWS?

An AWS tag consists of a user-defined tag key and a tag value. Below are some of the most common tag types used for AWS resources and related attributes.

Technical tags

  • Name: Used to identify an individual resource
  • Application ID: Identifies resources associated with a specific application
  • Application Role: Describes a resource’s function, like a web server or message broker
  • Cluster: Identifies resources farms with standard configurations and functions
  • Environment: Identifies whether the resource is associated with a development or production resource
  • Version: Distinguishes between different versions of a resource or application

Automation tags

  • Date/Time: Identifies the period for when to start, stop, delete, or rotate a resource
  • Opt-in/Opt-out: Identifies when to include a resource with an automated activity
  • Security: Outlines security requirements and identifies route tables or security groups that require additional review

Business tags

  • Project: Identifies project supported by the resource
  • Owner: Identifies who’s responsible for managing the resource
  • Cost Center/Business Unit: Identifies the business unit or cost center linked to the resource
  • Customer: Identifies the client who relies on the resource Security tags
  • Confidentiality: Identifies the data confidentiality level supported by the resource
  • Compliance: Identifies workloads required to follow specific compliance requirements

Best Practices for Tagging AWS Resources

When naming your tags, use a case-sensitive, standardized format and apply those tags consistently across all resources. Be sure your new labels do not contain any sensitive or personally identifiable information and design your tags so that they can be reused for multiple purposes.

Remember, since the goal of mandatory tagging is to better organize and manage your AWS resources, don't hold back on the number of tags you create. It's better to have too many tags than not enough. Finally, leverage low-code automation tools like Steampipe to simplify your resource management and enforce mandatory AWS tags.

Setting up Mandatory Tags in AWS

Once you’ve designed a tag policy, go into your organization's AWS management account and ensure you have service control policies (SCPs) enabled. Create a new SCP and add all relevant details. Select "Add actions" to select the resources you wish to control. Use "Add condition" to define any condition keys to include with your policy. Alternatively, you can use the JSON editor to manually create an SCP.

How to Enforce Mandatory Tags in AWS

The Steampipe CLI lets you automatically run SQL scripts to check for untagged resources within your AWS environments. Use the following steps to manually check for AWS resources that are missing any mandatory tags.

Step 1. Set up a new benchmark mod.

Step 2. Create queries designed to search your AWS environment for unassigned resources based on control tags already set up.

with analysis as (
     tags ?& $1 as has_mandatory_tags,
     to_jsonb($1) - array(select jsonb_object_keys(tags)) as missing_tags,
     region, account_id
   arn as resource,
     when has_mandatory_tags then 'ok'
     else 'alarm'
   end as status,
     when has_mandatory_tags then title || ' has all mandatory tags.'
     else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
   end as reason,
   region, account_id
Enter fullscreen mode Exit fullscreen mode

Step 3. Make sure each query conforms to the control set up within a Steampipe Mod.

Control Example:

control "cisv130_2_1_2" {
  title      = "2.1.2 Ensure S3 Bucket Policy allows HTTPS requests (Manual)"
  description   = "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS."
  documentation = file("docs/cisv130/")
  sql        = query.s3_bucket_encryption_in_transit_control.sql

  tags = {
    cloud_provider = "aws"
    framework   = "cis"
    cis_version = "v1.3.0"
    cis_item_id = "1.4"
    cis_control = "4.3"
    cis_type    = "automated"
    cis_level   = "1"

Enter fullscreen mode Exit fullscreen mode

Step 4. Check that the control is associated with the correct benchmark.

Step 5. Make sure the benchmark conforms to the following syntax: {mod}.benchmark.{name}

Step 6. Check that the benchmark's name is unique within the benchmark’s namespace.

Step 7. Run all benchmarks using the following command:
steampipe check all

Alternatively, you can run individual benchmarks for untagged resources: Steampipe check benchmark.untagged

Step 8. Execute the following syntax if you wish to run an individual control searching for untagged items: Steampipe check control.s3_bucket_untagged

Cloud Management With Mandatory AWS Tags

AWS tags are great to use in your test environment to ensure you don't accidentally deploy the wrong resources with projects. Furthermore, using mandatory tags throughout your AWS environment makes it easier to search, filter, and organize your resources.

Top comments (2)

ashfaqsharif profile image

This is awesome but questions I have a what do one needs to do if they have to deploy this across 100+ accounts in an automated way? A dashboard to cover all accounts? Or a notification service for untagged resources to send out to relevant recipients for each account?

patrick_londa profile image
Patrick Londa

Good question, it definitely isn't easy to maintain this manually. Automation tools like Blink enable teams to do these types of checks automatically. Here's a workflow for this mandatory tags use case for example.