Getting started with Tag Editor - Tagging Amazon Resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with Tag Editor

Tag Editor is one way to tag your resources. View the sections below to understand the prerequisites you must satisfy to use it.

Prerequisites for working with Tag Editor

Before you start tagging your resources, make sure you have an active Amazon Web Services account that already contains resources, and that your IAM identity has the permissions needed to tag resources and create groups.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Create resources

You must have resources in your Amazon Web Services account to tag. For more information about the supported resource types, see the Tag Editor Tagging column under Supported resource types in the Amazon Resource Groups User Guide.

Set up permissions

To make full use of Tag Editor, you might need additional permissions to tag resources or to see a resource's tag keys and values. These permissions are in the following categories:

  • Permissions for individual services so that you can tag resources from those services and include them in resource groups.

  • Permissions that are required to use the Tag Editor console.

If you're an administrator, you can provide permissions for your users by creating policies through the Amazon Identity and Access Management (IAM) service. You first create IAM roles, users, or groups, and then apply the policies with the permissions that they need. For information about creating and attaching IAM policies, see Working with policies.

Permissions for individual services

Important

This section describes permissions that are required if you want to tag resources from other Amazon service consoles and APIs.

To add tags to a resource, you need the tagging permissions of the service that owns the resource. For example, to tag Amazon EC2 instances you must be allowed to call that service's tagging operations, such as the Amazon EC2 CreateTags operation (the ec2:CreateTags action in IAM). Tag Editor does not bypass those checks: the Tag Editor permissions described in the next section let you use the console and its operations, but the service's own tagging permission is still required for each resource you tag.

Permissions required to use the Tag Editor console

To use the Tag Editor console to list and tag resources, the following permissions must be added to a user's policy statement in IAM. You can add either Amazon managed policies that are maintained and kept up to date by Amazon, or you can create and maintain your own custom policy.

Using Amazon managed policies for Tag Editor permissions

Tag Editor supports the following Amazon managed policies that you can use to provide a predefined set of permissions to your users. You can attach these managed policies to any role, user, or group just as you would any other policy that you create.

ResourceGroupsandTagEditorReadOnlyAccess

This policy grants the attached IAM role or user permission to call the read-only operations for both Amazon Resource Groups and Tag Editor. To read a resource's tags, you must also have permissions for that resource through a separate policy. Learn more in the following Important note.

ResourceGroupsandTagEditorFullAccess

This policy grants the attached IAM role or user permission to call any Resource Groups operation and the read and write tag operations in Tag Editor. To read or write a resource's tags, you must also have permissions for that resource through a separate policy. Learn more in the following Important note.

Important

The two previous policies grant permission to call the Tag Editor operations and use the Tag Editor console. That alone is not enough: you also need permissions on the specific resources whose tags you're trying to access. To grant that access, you must also attach one of the following policies:

  • The Amazon managed policy ReadOnlyAccess grants permissions to the read-only operations for every service's resources. Amazon automatically keeps this policy up to date with new Amazon Web Services as they become available.

  • Many services provide service-specific read-only Amazon managed policies that you can use to limit access to only the resources provided by that service. For example, Amazon EC2 provides AmazonEC2ReadOnlyAccess.

  • You can create your own policy that grants access to only the specific read-only operations for the few services and resources you want your users to access. This policy uses either an allowlist strategy or a denylist strategy.

    An allowlist strategy takes advantage of the fact that access is denied by default until you explicitly allow it in a policy. So, you can use a policy like the following example.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [ "tag:*" ],
                "Resource": "<ARNs of resources to allow tagging>"
            }
        ]
    }

    Alternatively, you could use a denylist strategy that allows access to all resources except those that you explicitly block. A Deny statement on its own grants nothing, so this requires a separate policy, attached to the same users, that allows access. Because an explicit Deny always overrides an Allow, the following example policy then blocks access to the specific resources listed by Amazon Resource Name (ARN), even though the other policy allows them.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [ "tag:*" ],
                "Resource": "<ARNs of resources to disallow tagging>"
            }
        ]
    }

Adding Tag Editor permissions manually

If you write your own policy instead of attaching a managed policy, allow the following actions:

  • tag:* (This permission allows all Tag Editor actions. If you instead want to restrict the actions available to a user, replace the asterisk with a specific action, or list only the specific actions you want to allow.)

  • tag:GetResources

  • tag:TagResources

  • tag:UntagResources

  • tag:GetTagKeys

  • tag:GetTagValues

  • resource-explorer:*

  • resource-groups:SearchResources

  • resource-groups:ListResourceTypes

Note

The resource-groups:SearchResources permission allows Tag Editor to list resources when you filter your search using tag keys or values.

The resource-explorer:ListResources permission allows Tag Editor to list resources when you search resources without defining search tags.

Granting permissions for using Tag Editor

To add a policy for using Amazon Resource Groups and Tag Editor to a role, do the following.

  1. Open the IAM console to the Roles page.

  2. Find the role to which you want to grant Tag Editor permissions. Choose the role's name to open the role's Summary page.

  3. On the Permissions tab, choose Add permissions.

  4. Choose Attach existing policies directly.

  5. Choose Create policy.

  6. On the JSON tab, paste the following policy statement.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "tag:GetResources",
                    "tag:TagResources",
                    "tag:UntagResources",
                    "tag:GetTagKeys",
                    "tag:GetTagValues",
                    "resource-explorer:*",
                    "resource-groups:SearchResources",
                    "resource-groups:ListResourceTypes"
                ],
                "Resource": "*"
            }
        ]
    }

    Note

    This example policy statement grants permissions to perform only Tag Editor actions.

  7. Choose Next: Tags and then choose Next: Review.

  8. Enter a name and description for the new policy. For example, AWSTaggingAccess.

  9. Choose Create policy.

Now that the policy is saved in IAM, you can attach it to other principals, such as roles, groups, or users. For more information about how to add a policy to a principal, see Adding and removing IAM identity permissions in the IAM User Guide.
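As an added check that is not part of this documentation, the following Python script reads a policy document like the one in step 6 and reports which of the Tag Editor actions listed earlier it fails to allow. This is the first thing to run when the Tag Editor console lists nothing or fails a tag-filtered search. The required-action list and the two sample policy documents are constructed here; the script inspects Allow statements only, so a Deny attached elsewhere is not detected.

```python
"""Report which actions the Tag Editor console needs that a policy does not allow.

Added example, not part of the Amazon documentation. TAG_EDITOR_ACTIONS mirrors
the list on this page; the sample policy documents below are constructed.
"""
import fnmatch
import json

# Actions from the "Adding Tag Editor permissions manually" list.
TAG_EDITOR_ACTIONS = [
    "tag:GetResources",
    "tag:TagResources",
    "tag:UntagResources",
    "tag:GetTagKeys",
    "tag:GetTagValues",
    "resource-explorer:ListResources",    # listing without a tag filter
    "resource-groups:SearchResources",    # listing with a tag filter
    "resource-groups:ListResourceTypes",
]


def _as_list(value):
    """Statement, Action and Resource may each be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(pattern, action):
    """IAM matches action names case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy_document):
    """Subset of TAG_EDITOR_ACTIONS that at least one Allow statement covers.

    Only Allow statements with an Action element are inspected. NotAction is
    ignored and Deny statements are not subtracted, so a Deny attached
    elsewhere can still block an action reported here as granted.
    """
    policy = (json.loads(policy_document)
              if isinstance(policy_document, str) else policy_document)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in TAG_EDITOR_ACTIONS
                           if _action_matches(pattern, a))
    return granted


def missing_actions(policy_document):
    """Required actions the policy does not allow, in the order listed above."""
    granted = granted_actions(policy_document)
    return [a for a in TAG_EDITOR_ACTIONS if a not in granted]


# Constructed sample: the policy from step 6 of the procedure.
FULL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "tag:GetResources", "tag:TagResources", "tag:UntagResources",
            "tag:GetTagKeys", "tag:GetTagValues", "resource-explorer:*",
            "resource-groups:SearchResources", "resource-groups:ListResourceTypes",
        ],
        "Resource": "*",
    }],
})

# Constructed sample: a common mistake. The tag: actions are granted with a
# wildcard, but resource-groups:SearchResources is missing, so the console can
# list resources only until you filter by a tag key or value.
PARTIAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["tag:*", "resource-explorer:ListResources",
                   "resource-groups:ListResourceTypes"],
        "Resource": "*",
    },
})

if __name__ == "__main__":
    for name, doc in (("full", FULL_POLICY), ("partial", PARTIAL_POLICY)):
        print(name, "missing:", missing_actions(doc) or "nothing")
```

The check deliberately accepts a single Statement object as well as a list, and matches action names case-insensitively, because IAM accepts both forms and a hand-written policy often uses them.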

Authorization and access control based on tags

Tag Editor supports the following IAM features:

  • Action-based policies – For example, you can create a policy that allows users to perform GetTagKeys or GetTagValues operations, but no others.

  • Resource-level permissions in policies – Many services support using ARNs to specify individual resources in the policy.

  • Authorization based on tags – Many services support using resource tags in the condition of a policy. For example, you can create a policy that allows users full access to a group that has the same tag as the users. For more information, see What is ABAC for Amazon? in the Amazon Identity and Access Management User Guide.

  • Temporary credentials – Users can assume a role with a policy that allows Tag Editor operations.
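To make the allowlist and denylist policies from the Important note above and the tag-based authorization described in this list concrete, here is a small evaluator, added as an example and not Amazon's authorization engine. It implements only the documented rules: default deny, an explicit Deny overriding any Allow, wildcard matching in Action and Resource, and StringEquals and StringLike conditions with ${aws:PrincipalTag/...} variables. NotAction, NotResource and other condition operators are not implemented, and the evaluator trusts whatever condition keys you put in the request context, whereas a real request only carries the keys the called action supports. The account ID, instance ARNs and team tags are constructed.

```python
"""Minimal IAM evaluator for the allowlist, denylist and tag-based policies on
this page.

Added example, not Amazon's authorization engine. Implemented: default deny,
explicit Deny overriding Allow, '*' wildcards in Action (case-insensitive) and
Resource (case-sensitive), StringEquals/StringLike conditions with
${aws:PrincipalTag/...} variables. Not implemented: NotAction, NotResource,
other operators. Account ID, ARNs and tag values are constructed.
"""
import fnmatch
import re

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _substitute(text, context):
    """Resolve ${key} policy variables; None if any variable is unresolvable."""
    missing = False

    def repl(match):
        nonlocal missing
        if match.group(1) not in context:
            missing = True
            return ""
        return context[match.group(1)]
    resolved = _VARIABLE.sub(repl, text)
    return None if missing else resolved


def _condition_holds(condition, context):
    """AND across operators and keys, OR across the values given for one key.
    A key absent from the request context fails the condition, as it does in
    IAM for the positive String operators."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = [w for w in (_substitute(v, context) for v in _as_list(expected))
                      if w is not None]
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                       for p in _as_list(stmt.get("Action"))):
                continue
            if not any(fnmatch.fnmatchcase(resource, p)
                       for p in _as_list(stmt.get("Resource"))):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicitDeny"   # a matching Deny wins regardless of order
            allowed = True
    return "allow" if allowed else "implicitDeny"


ACCOUNT = "123456789012"   # constructed
INSTANCE_A = f"arn:aws-cn:ec2:cn-north-1:{ACCOUNT}:instance/i-0aaa111bbb222ccc3"
INSTANCE_B = f"arn:aws-cn:ec2:cn-north-1:{ACCOUNT}:instance/i-0ddd444eee555fff6"


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Allowlist strategy from the page: Tag Editor actions on one listed ARN only.
ALLOWLIST = _policy({"Effect": "Allow", "Action": ["tag:*"], "Resource": INSTANCE_A})
# Denylist strategy: a broad Allow in one policy, a Deny for listed ARNs in another.
BROAD_ALLOW = _policy({"Effect": "Allow", "Action": ["tag:*"], "Resource": "*"})
DENYLIST = _policy({"Effect": "Deny", "Action": ["tag:*"], "Resource": INSTANCE_B})
# Tag-based authorization: tag writes only where the resource's team tag
# equals the caller's team tag.
ABAC = _policy({
    "Effect": "Allow",
    "Action": ["tag:TagResources", "tag:UntagResources"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
})


def scenarios():
    """Outcomes for the cases discussed in the text."""
    payments = {"aws:PrincipalTag/team": "payments"}
    return {
        "allowlist_listed": evaluate([ALLOWLIST], "tag:TagResources", INSTANCE_A),
        "allowlist_other": evaluate([ALLOWLIST], "tag:TagResources", INSTANCE_B),
        "denylist_alone": evaluate([DENYLIST], "tag:TagResources", INSTANCE_A),
        "denylist_with_allow_other": evaluate([BROAD_ALLOW, DENYLIST], "tag:TagResources", INSTANCE_A),
        "denylist_with_allow_listed": evaluate([BROAD_ALLOW, DENYLIST], "tag:TagResources", INSTANCE_B),
        # tag:* covers Tag Editor actions only; the service's own tagging action needs its own Allow.
        "service_action_not_covered": evaluate([BROAD_ALLOW], "ec2:CreateTags", INSTANCE_A),
        "abac_same_team": evaluate([ABAC], "tag:TagResources", INSTANCE_A, {**payments, "aws:ResourceTag/team": "payments"}),
        "abac_other_team": evaluate([ABAC], "tag:TagResources", INSTANCE_A, {**payments, "aws:ResourceTag/team": "billing"}),
        "abac_untagged_resource": evaluate([ABAC], "tag:TagResources", INSTANCE_A, payments),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28} {outcome}")
```

Two outcomes are the ones practitioners most often get wrong: the denylist policy on its own produces an implicit deny for every resource, because nothing allows anything yet, and an untagged resource fails the tag-based condition rather than falling through to some default, so adopting ABAC without first tagging every resource locks users out of the untagged ones.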

Tag Editor doesn't use any service-linked roles.

For more information about how Tag Editor integrates with Amazon Identity and Access Management (IAM), see the following topics in the Amazon Identity and Access Management User Guide: