Best practices for using tag policies - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Best practices for using tag policies

Amazon recommends the following best practices for using tag policies.

Decide on a tag capitalization strategy

Determine how you want to capitalize tag keys and apply that convention consistently across all resource types. For example, decide whether to use Costcenter, costcenter, or CostCenter, and then use the same convention for every tag. Tag policies treat the key's case as part of the rule, so resources that carry similar keys with inconsistent case treatment will be reported as noncompliant; settle on one convention before you write policies so that compliance reports are consistent across the organization.

Use the recommended workflow

Start small by creating a simple tag policy. Then attach it to a member account that you can use for testing purposes. Use the workflows described in Getting started with tag policies.

Determine tagging rules

This will depend on your organization's needs. For example, you may want to specify that when a CostCenter tag is attached to Amazon Secrets Manager secrets, it must use the specified case treatment. Create tag policies that define compliant tags and attach them to the organization entities where you want those tagging rules to be in effect.
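The following tag policy is an added example, not one taken from this page or from the Amazon Organizations documentation, that combines the two preceding recommendations: it fixes the capitalization of the key to CostCenter and applies the rule to Secrets Manager secrets. The allowed values CC-100 and CC-200 are assumed placeholders; substitute the cost center identifiers your organization actually uses.

```json
{
  "tags": {
    "costcenter": {
      "tag_key": {
        "@@assign": "CostCenter"
      },
      "tag_value": {
        "@@assign": [
          "CC-100",
          "CC-200"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "secretsmanager:*"
        ]
      }
    }
  }
}
```

The key under "tags" (here costcenter) is the policy's name for the rule; the tag_key element is what actually defines the case that resources must use, so a secret tagged costcenter or COSTCENTER shows as noncompliant in compliance reports, and tag_value restricts the tag to the listed values. The enforced_for element goes one step further and makes Secrets Manager reject tagging operations that violate the rule, which is the behavior to hold back until you have tested the policy on a single member account, as the next section and Use caution in enforcing compliance describe.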

Educate account administrators

When you're ready to expand your use of tag policies, educate account administrators as follows:

  • Communicate your tagging strategy.

  • Emphasize that administrators need to use tags on specific resource types.

    This is important, as untagged resources don't show as noncompliant in compliance results.

  • Provide guidance on checking compliance with tag policies. Instruct administrators to find and correct noncompliant tags on resources in their account using the procedure described in Evaluating Compliance for an Account in the Tagging Amazon Resource User Guide. Let them know how often you want them to check for compliance.

Use caution in enforcing compliance

Enforcing compliance could prevent users in your organization's accounts from tagging the resources they need. Review the information in Enforce tagging consistency. Also see the workflows described in Getting started with tag policies.

Be aware of tagging limits

Most Amazon services limit a resource to 50 user-defined tags, and that limit cannot be raised. When using features like Report Required Tags, ensure your organization's effective policies don't require more than 50 tags for any given resource type. Exceeding this limit causes two problems: resources can never reach a compliant status in compliance summaries, and Infrastructure as Code (IaC) platforms may fail to create resources when more than 50 tags are defined as required.

Consider creating an SCP to set guardrails around resource creation requests

Resources that have never had tags attached to them don't show as noncompliant in reports. Account administrators can still create untagged resources. In some cases, you can use a service control policy (SCP) to set guardrails around resource creation requests.

To learn whether an Amazon service supports controlling access using tags, see Amazon Web Services services That Work with IAM in the IAM User Guide. Look for the services that have Yes in the ABAC (authorization based on tags) column. Choose the name of the service to view the authorization and access control documentation for that service.
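The following service control policy is an added example of the guardrail described above; it is not taken from this page or from the Amazon Organizations documentation. It denies creation of EC2 instances and volumes and of Secrets Manager secrets unless the creation request carries a CostCenter tag. The partition segment of the EC2 resource ARNs is wildcarded so the same statement matches both aws and aws-cn ARNs; the tag key CostCenter is assumed to be the one your tag policy defines.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceAndVolumeCreationWithoutCostCenter",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:*:ec2:*:*:instance/*",
        "arn:*:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenySecretCreationWithoutCostCenter",
      "Effect": "Deny",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}
```

The Null condition evaluates to true when the request contains no CostCenter tag at all, which is exactly the gap the compliance reports cannot surface. Two caveats: the aws:RequestTag condition key only tells you that a tag with that key is present, not that its key case or value is correct, so the SCP closes the untagged-resource gap while the tag policy remains responsible for case and value rules; and only actions that accept tags at creation time (those whose service shows Yes in the ABAC column referenced above) can be guarded this way, so check each service before extending the statement.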