Getting started with tag policies
Using tag policies involves working with multiple Amazon services. To get started, review the following pages. Then follow the workflows on this page to get familiar with tag policies and their effects.
Using tag policies for the first time
Follow these steps to get started using tag policies for the first time.
| Task | Account to sign in to | Amazon service console to use |
|---|---|---|
|
The organization's management account.¹ |
||
|
Step 2: Create a tag policy. Keep your first tag policy simple. Enter one tag key in the case treatment you want to use and leave all other options at their defaults. |
The organization's management account.¹ |
|
|
Step 3: Attach a tag policy to a single member account that you can use for testing. You'll need to sign in to this account in the next step. |
The organization's management account.¹ |
|
|
Step 4: Create some resources with compliant tags and some with noncompliant tags. |
The member account that you're using for testing purposes. |
Any Amazon service that you are comfortable with. For example, you
can use Amazon Secrets Manager |
|
Step 5: View the effective tag policy and evaluate the compliance status of the account. |
The member account that you're using for testing purposes. |
Resource Groups If you created resources with compliant and non-compliant tags, you should see the non-compliant tags in the results. |
|
Step 6: Repeat the process of finding and correcting compliance issues until the resources in the test account are compliant with your tag policy. |
The member account that you're using for testing purposes. |
Resource Groups |
|
At any time, you can evaluate organization-wide compliance. |
The organization's management account.¹ |
¹ You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
Expanding use of tag policies
You can perform the following tasks in any order to expand your use of tag policies.
| Advanced task | Account to sign in to | Amazon service console to use |
|---|---|---|
|
Create more advanced tag policies. Follow the same process as for first-time users, but try other tasks. For example, define additional keys or values or specify different case treatment for a tag key. You can use the information in Understanding management policy inheritance and Tag policy syntax to create more detailed tag policies. |
The organization's management account.¹ |
|
|
Attach tag policies to additional accounts or OUs. Check the effective tag policy for an account after you attach more policies to it or to any OU in which the account is a member. |
The organization's management account.¹ |
|
|
Create an SCP to require tags when anyone creates new resources. For an example, see Require a tag on specified created resources. |
The organization's management account.¹ |
|
|
A member account with an effective tag policy. |
Resource Groups |
|
|
The organization's management account.¹ |
¹ You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
Enforcing tag policies for the first time
To enforce tag policies for the first time, follow a workflow similar to using tag policies for the first time and use a test account.
Warning
Use caution in enforcing compliance. Make sure that you understand the effects of using tag policies and follow the recommended workflow. Test how enforcement works on a test account before expanding it to more accounts. Otherwise, you could prevent users in your organization's accounts from tagging the resources they need. For more information, see Understanding enforcement.
| Enforcement tasks | Account to sign in to | Amazon service console to use |
|---|---|---|
|
Step 1: Create a tag policy. Keep your first enforced tag policy simple. Enter one tag key in the case treatment you want to use, and choose the Prevent noncompliant operations for this tag option. Then specify one resource type to enforce it on. Continuing with our earlier example, you can choose to enforce it on Secrets Manager secrets. |
The organization's management account.¹ |
|
|
The organization's management account.¹ |
||
|
Step 3: Try creating some resources with compliant tags, and some with noncompliant tags. You shouldn't be allowed to create a tag on a resource of the type specified in the tag policy with a noncompliant tag. |
The member account that you're using for testing purposes. |
Any Amazon service that you are comfortable with. For example, you can
use Amazon Secrets Manager |
|
The member account that you're using for testing purposes. |
Resource Groups and the Amazon service where the resource was created. |
|
|
Step 5: Repeat the process of finding and correcting compliance issues until the resources in the test account are compliant with your tag policy. |
The member account that you're using for testing purposes. |
Resource Groups |
|
At any time, you can evaluate organization-wide compliance. |
The organization's management account.¹ |
¹ You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.