Evaluating organization-wide compliance
You can evaluate your organization's compliance with its effective tag policy. You can generate a report that lists all tagged resources in accounts across your organization and whether each resource is compliant with the effective tag policy.
Important
Untagged resources don't appear as noncompliant in results. To find untagged resources in your account, use Amazon Resource Explorer with a query that uses tag:none. For more information, see Search for untagged resources in the Amazon Resource Explorer User Guide.
You can generate the report from your organization's management account in the us-east-1 Amazon Web Services Region only. The account generating the report must have access to an Amazon S3 bucket in the US East (N. Virginia) Region. The bucket must have an attached bucket policy as shown in Amazon S3 bucket policy for storing report.
To generate an organization-wide compliance report, you must have the following permissions:
- organizations:DescribeEffectivePolicy
- tag:GetComplianceSummary
- tag:StartReportCreation
- tag:DescribeReportCreation
- s3:ListAllMyBuckets
- s3:GetBucketAcl
- s3:GetObject
- s3:PutObject
For an example IAM policy displaying these permissions, review Permissions for evaluating organization-wide compliance.
To generate an organization-wide compliance report (console)
- Open the Tag Policies console.
- Choose the This organization root tab, and near the bottom of the page, choose Generate report.
- On the Generate report screen, specify where to store the report.
- Choose Start exporting.
When the report is complete, you can download it from the Noncompliance report section on the Organization root tab.
Notes
Organization-wide compliance is evaluated every 48 hours. This results in the following:
- It can take up to 48 hours for changes to a tag policy or resources to be shown in the organization-wide compliance report. For example, assume that you have a tag policy that defines a new standardized tag for a resource type. Resources of that type that don't have this tag can show as compliant in the report for up to 48 hours.
- Although you can generate the report at any time, report results aren't updated until the next evaluation is complete.
- The NoncompliantKeys column lists tag keys on the resource that are noncompliant with the effective tag policy.
- The KeysWithNonCompliantValues column lists keys defined in the effective policy that are on the resource with either incorrect case treatment or noncompliant values.
- If you close an Amazon Web Services account that was a member of the organization, it can continue to appear in the tag compliance report for up to 90 days.
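The NoncompliantKeys and KeysWithNonCompliantValues columns are easiest to act on once they are aggregated per account and per key. The following Python is an added example, not part of this guide or of the Tag Policies service: it parses a constructed sample report and counts noncompliant resources per account and violations per key. The column names other than the two the guide describes, the true/false ComplianceStatus values and the "|" separator between several keys in one cell are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample report (not real data). NoncompliantKeys and
# KeysWithNonCompliantValues are the columns the guide names; the other column
# names, the true/false status values and the "|" key separator are assumed.
SAMPLE_REPORT = """\
TargetIdType,TargetId,Region,ResourceType,ResourceArn,ComplianceStatus,NoncompliantKeys,KeysWithNonCompliantValues
ACCOUNT,111111111111,us-east-1,ec2:instance,arn:aws:ec2:us-east-1:111111111111:instance/i-0abc,false,costcenter,
ACCOUNT,111111111111,us-east-1,s3:bucket,arn:aws:s3:::example-bucket,false,,Environment
ACCOUNT,222222222222,us-west-2,ec2:volume,arn:aws:ec2:us-west-2:222222222222:volume/vol-0def,true,,
ACCOUNT,222222222222,us-west-2,rds:db,arn:aws:rds:us-west-2:222222222222:db:prod-db,false,costcenter|Owner,Environment
"""
KEY_SEPARATOR = "|"  # assumed separator when a cell lists several keys

def _split_keys(cell):
    """Turn a possibly empty key-list cell into a list of tag keys."""
    return [k.strip() for k in cell.split(KEY_SEPARATOR) if k.strip()]

def parse_report(text):
    """Parse the CSV text into one finding per resource row."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "account": row["TargetId"],
            "compliant": row["ComplianceStatus"].strip().lower() == "true",
            # tag keys on the resource that violate the effective policy
            "noncompliant_keys": _split_keys(row["NoncompliantKeys"]),
            # policy-defined keys present with wrong-case or disallowed values
            "bad_value_keys": _split_keys(row["KeysWithNonCompliantValues"]),
        })
    return findings

def summarize(findings):
    """Count noncompliant resources per account and violations per tag key."""
    # Untagged resources never appear in the report, so a clean summary is not proof of full tagging.
    by_account, key_hits, value_hits = Counter(), Counter(), Counter()
    for f in findings:
        if f["compliant"]:
            continue
        by_account[f["account"]] += 1
        key_hits.update(f["noncompliant_keys"])
        value_hits.update(f["bad_value_keys"])
    return {
        "noncompliant_resources": sum(by_account.values()),
        "by_account": dict(by_account),
        "key_violations": dict(key_hits),
        "value_violations": dict(value_hits),
    }
```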
To generate an organization-wide compliance report (Amazon CLI, Amazon API)
Use the following commands and operations to generate an organization-wide compliance report, check on its status, and view the report:
- Amazon Command Line Interface (Amazon CLI):
For the complete procedure for using tag policies in the Amazon CLI, see Using tag policies in the Amazon CLI in the Amazon Organizations User Guide.
- Amazon API: