Best practices for using tag policies
Amazon recommends the following best practices for using tag policies.
Decide on a tag capitalization strategy
Determine how you want to capitalize tags and consistently implement that strategy across all resource types. For example, decide whether to use Costcenter, costcenter, or CostCenter, and use the same convention for all tags. For consistent results in compliance reports, avoid using similar tags with inconsistent case treatment. This strategy will help you define tag policies for your organization.
Use the recommended workflow
Start small by creating a simple tag policy. Then attach it to a member account that you can use for testing purposes. Use the workflows described in Getting started with tag policies.
Determine tagging rules
This will depend on your organization's needs. For example, you may want to specify that when a CostCenter tag is attached to Amazon Secrets Manager secrets, it must use the specified case treatment. Create tag policies that define compliant tags and attach them to the organization entities where you want those tagging rules to be in effect.
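The following tag policy is an added example, not one taken from this page or from the Getting started guide it references; it ties together the capitalization strategy above and the Secrets Manager rule just described. The policy key name (costcenter) and the allowed values 100 and 200 are assumed for illustration.

```json
{
  "tags": {
    "costcenter": {
      "tag_key": {
        "@@assign": "CostCenter"
      },
      "tag_value": {
        "@@assign": [
          "100",
          "200"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "secretsmanager:*"
        ]
      }
    }
  }
}
```

The tag_key @@assign sets the compliant capitalization (CostCenter), so a costcenter or Costcenter tag on a covered resource is reported as noncompliant. tag_value restricts the values; leave it out to allow any value. enforced_for is the part to handle with care: without it the policy only reports, but with it a tagging operation on a Secrets Manager secret that uses a noncompliant key or value fails, which is why you should attach a policy like this to a test member account first. Note that this policy does not require secrets to carry a CostCenter tag at all; untagged resources are not reported, which is the gap the SCP guardrail below addresses.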
Educate account administrators
When you're ready to expand your use of tag policies, educate account administrators as follows:
- Communicate your tagging strategy.
- Emphasize that administrators need to use tags on specific resource types. This is important, as untagged resources don't show as noncompliant in compliance results.
- Provide guidance on checking compliance with tag policies. Instruct administrators to find and correct noncompliant tags on resources in their account using the procedure described in Evaluating Compliance for an Account in the Tagging Amazon Resource User Guide. Let them know how often you want them to check for compliance.
Use caution in enforcing compliance
Enforcing compliance could prevent users in your organization's accounts from tagging the resources they need. Review the information in Understanding enforcement. Also see the workflows described in Getting started with tag policies.
Consider creating an SCP to set guardrails around resource creation requests
Resources that have never had tags attached to them don't show as noncompliant in reports. Account administrators can still create untagged resources. In some cases, you can use a service control policy (SCP) to set guardrails around resource creation requests. For an example SCP, see Require a tag on specified created resources.
To learn whether an Amazon service supports controlling access using tags, see Amazon Web Services services That Work with IAM in the IAM User Guide. Look for the services that have Yes in the ABAC (authorization based on tags) column. Choose the name of the service to view the authorization and access control documentation for that service.
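As an added illustration (this is not the page's own "Require a tag on specified created resources" example), the following SCP denies creating a Secrets Manager secret or launching an EC2 instance unless the request carries a CostCenter tag. The tag key, the statement IDs, and the aws partition in the ARNs are assumptions; adjust the partition if your organization is in a different one.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateSecretWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}
```

The Null condition on aws:RequestTag/CostCenter evaluates to true when no CostCenter tag is supplied with the request, so the Deny applies only to untagged creation calls. Two caveats a practitioner should keep in mind: aws:RequestTag is populated only for API calls that accept tags at creation, which is why the ABAC column mentioned above matters, and the ec2:RunInstances statement is scoped to instance and volume ARNs because that call is also authorized against the image, subnet, and other resources that receive no tags in the request; a Resource of "*" there would deny every launch. An SCP only restricts what IAM already allows and does not apply to the management account, and, unlike the tag policy, it says nothing about the key's capitalization or value, so use both together.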