Profile Applicability:
Level 1
Description:
AWS Tag Policies allow organizations to define and enforce rules for the tags that are applied to resources across an AWS Organization. A tag policy standardizes tag keys (including their capitalization) and the values allowed for each key, and can optionally block non-compliant tagging operations for selected resource types. Tagging is a vital practice for cost management, security, and governance. By enabling the tag policy type on the organization root and attaching tag policies, AWS Organizations ensures that resources are consistently tagged according to the organization's standards. Note that tag policies standardize tags that are present; they do not by themselves require a tag to exist on a resource (that is done with Service Control Policies that use the aws:RequestTag condition key). This SOP ensures that Tag Policies are enabled and attached to the organization, helping maintain governance, reporting, and compliance standards.
Rationale:
Governance and Compliance: Tag Policies help enforce consistent tagging practices across multiple accounts, ensuring that tags are applied correctly, which is crucial for resource tracking, cost management, and security.
Cost Management: Tags play a key role in cost allocation. With Tag Policies, organizations can enforce the proper tagging of resources for accurate cost allocation.
Security: Consistent tagging ensures sensitive resources are easily identifiable and makes tag-based (attribute-based) access control reliable, since IAM and SCP conditions such as aws:ResourceTag only work when keys and values are spelled and capitalized consistently.
Operational Excellence: Enforcing tagging standards through Tag Policies ensures that resources are categorized correctly for reporting, troubleshooting, and managing large-scale AWS environments.
Impact:
Pros:
Improved Resource Management: Ensures uniformity in tagging across multiple accounts and resources, facilitating resource tracking and management.
Security & Compliance: Helps in ensuring compliance with organizational standards for resource categorization and cost allocation.
Cost Optimization: Helps in tracking and allocating costs correctly by ensuring that resources are tagged in accordance with cost allocation rules.
Cons:
Operational Overhead: Setting up and maintaining Tag Policies across multiple accounts may require additional administrative overhead, and existing non-compliant tags must be found and corrected.
Configuration Complexity: If not correctly configured, restrictive tag policies can lead to errors in resource deployment or cost misalignment. In particular, a policy with enforced_for causes tagging operations (including tags supplied at resource creation) that use a non-compliant key or value to be rejected for the listed resource types, which can break deployment pipelines that have not been updated to the standard.
Default Value:
By default, the TAG_POLICY policy type is not enabled on the organization root, and no tag policies exist. The organization must have all features enabled (tag policies are not available to consolidated-billing-only organizations), the policy type must be enabled on the root, and tag policies must then be explicitly created and attached to the root, organizational units (OUs), or accounts within AWS Organizations.
Pre-requisite:
AWS IAM Permissions (in the organization's management account, or in a delegated administrator account for AWS Organizations):
organizations:DescribeOrganization
organizations:ListRoots
organizations:ListPolicies
organizations:DescribePolicy
organizations:ListTargetsForPolicy
organizations:ListAccounts
For remediation and backout, additionally: organizations:EnablePolicyType, organizations:CreatePolicy, organizations:AttachPolicy, organizations:DetachPolicy, organizations:DeletePolicy
AWS CLI installed and configured.
AWS Organizations set up with all features enabled and with multiple Organizational Units (OUs) and accounts.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Organizations under Management & Governance.
In the Organizations Console, go to Policies and confirm that Tag policies is shown as Enabled for the organization.
Open Tag policies and look for any Tag Policies listed.
For each policy, open it and check the Targets tab to confirm it is attached to the root or to specific OUs or accounts; also review the policy content to confirm it defines the expected tag keys and allowed values.
If the policy type is not enabled, or no Tag Policies are found or attached, proceed with the Implementation Steps to create and apply the policy.
Using AWS CLI:
To confirm the tag policy type is enabled on the organization root (the output lists PolicyTypes; TAG_POLICY must be present with Status ENABLED), run:
aws organizations list-roots
To list all tag policies in your AWS Organization, run:
aws organizations list-policies --filter TAG_POLICY
To describe the details of a specific Tag Policy, run (the Content field is returned as a JSON string in tag policy syntax; confirm it defines the expected tag keys and values):
aws organizations describe-policy --policy-id <policy-id>
To check which roots, OUs, or accounts a Tag Policy is attached to, run:
aws organizations list-targets-for-policy --policy-id <policy-id>
A policy that exists but has no targets is not in effect.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to AWS Organizations.
Go to Policies and click Create Policy.
Select Tag Policy and define the policy content based on your organization's tagging standards. Tag policy content uses the tag policy syntax, not the IAM policy language: each entry under "tags" names a tag key with its required capitalization (tag_key), optionally the allowed values (tag_value, which may use * wildcards), and optionally the resource types for which non-compliant tagging operations are rejected (enforced_for). For example:
{
  "tags": {
    "Environment": {
      "tag_key": { "@@assign": "Environment" },
      "tag_value": { "@@assign": [ "Production", "Staging", "Development" ] },
      "enforced_for": { "@@assign": [ "ec2:instance", "s3:bucket" ] }
    }
  }
}
Attach the Tag Policy to the root or specific organizational units (OUs) or accounts by selecting the target OUs and clicking Attach.
Using AWS CLI:
If TAG_POLICY is not ENABLED in the output of aws organizations list-roots, enable the policy type on the root first (the root ID is the Id field of that output):
aws organizations enable-policy-type --root-id <root-id> --policy-type TAG_POLICY
To create a Tag Policy, save the policy content to a file (for example tag-policy.json) and run:
aws organizations create-policy --name "EnforceTaggingPolicy" --description "Policy to enforce tagging standards" --type TAG_POLICY --content file://tag-policy.json
where tag-policy.json contains the tag policy document, for example:
{
  "tags": {
    "Environment": {
      "tag_key": { "@@assign": "Environment" },
      "tag_value": { "@@assign": [ "Production", "Staging", "Development" ] },
      "enforced_for": { "@@assign": [ "ec2:instance", "s3:bucket" ] }
    }
  }
}
Note the policy ID (Id under PolicySummary) in the command output.
To attach the Tag Policy to the root or specific organizational units (OUs) or accounts, run:
aws organizations attach-policy --policy-id <policy-id> --target-id <target-id>
Verify the Tag Policy is attached by listing its targets (list-policies only shows that the policy exists, not where it is attached):
aws organizations list-targets-for-policy --policy-id <policy-id>
Alternatively, list the tag policies in effect for a given target:
aws organizations list-policies-for-target --target-id <target-id> --filter TAG_POLICY
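The following is an added example, not part of this SOP or of AWS's own tooling. It shows how the Test Plan and Implementation Steps above fit together in code: it parses the output of describe-policy (whose Content field is the tag policy document as a JSON string), summarizes which keys, values, and enforced resource types the policy defines, and checks a resource's tags against the policy the way tag policy compliance works (key capitalization and allowed values are checked for tags that are present; a missing tag is not a violation). The describe-policy output, the policy ID, and the resource tags below are constructed for the example; in practice the document would come from the CLI command above or from boto3's organizations.describe_policy(PolicyId=...).

```python
"""Parse an AWS Organizations tag policy and evaluate resource tags against it.

Added example: the describe-policy output below is constructed, and the policy
ID is a placeholder. Only the standard library is used, so this runs offline.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample of what `aws organizations describe-policy` returns.
# "Content" is a JSON string in tag policy syntax (tags / tag_key / tag_value /
# enforced_for with the @@assign operator).
SAMPLE_DESCRIBE_POLICY_OUTPUT = {
    "Policy": {
        "PolicySummary": {
            "Id": "p-examplepolicy",          # placeholder, not a real policy ID
            "Name": "EnforceTaggingPolicy",
            "Type": "TAG_POLICY",
            "AwsManaged": False,
        },
        "Content": json.dumps({
            "tags": {
                "Environment": {
                    "tag_key": {"@@assign": "Environment"},
                    "tag_value": {"@@assign": ["Production", "Staging", "Development", "Sandbox-*"]},
                    "enforced_for": {"@@assign": ["ec2:instance", "s3:bucket"]},
                },
                # Key-only rule: any value is allowed, only capitalization is checked.
                "Owner": {
                    "tag_key": {"@@assign": "Owner"},
                },
            }
        }),
    }
}


def parse_tag_policy(describe_policy_output):
    """Return {tag_key: {"values": [patterns] or None, "enforced_for": [types]}}."""
    policy = describe_policy_output["Policy"]
    if policy["PolicySummary"]["Type"] != "TAG_POLICY":
        raise ValueError("not a tag policy: %s" % policy["PolicySummary"]["Type"])
    content = json.loads(policy["Content"])
    rules = {}
    for policy_key, rule in content.get("tags", {}).items():
        # If tag_key is omitted, the policy key itself is the tag key.
        key = rule.get("tag_key", {}).get("@@assign", policy_key)
        values = rule.get("tag_value", {}).get("@@assign")
        enforced = rule.get("enforced_for", {}).get("@@assign", [])
        rules[key] = {"values": values, "enforced_for": list(enforced)}
    return rules


def evaluate_tags(rules, resource_tags):
    """Return a list of (tag_key, reason, detail) findings for non-compliant tags.

    A tag whose key matches a policy key case-insensitively but not exactly is a
    capitalization violation; a tag with an exact key but a value outside the
    allowed list (wildcards permitted) is a value violation. Tags the policy does
    not mention, and tags the resource lacks entirely, produce no finding.
    """
    findings = []
    for tag_key, tag_value in resource_tags.items():
        for policy_key, rule in rules.items():
            if tag_key.lower() != policy_key.lower():
                continue
            if tag_key != policy_key:
                findings.append((tag_key, "capitalization", "expected key '%s'" % policy_key))
            elif rule["values"] is not None and not any(
                    fnmatchcase(tag_value, pattern) for pattern in rule["values"]):
                findings.append((tag_key, "value", "'%s' not in %s" % (tag_value, rule["values"])))
    return findings


def enforced_keys_for(rules, resource_type):
    """Tag keys whose non-compliant use is rejected for a resource type (e.g. 's3:bucket')."""
    return sorted(key for key, rule in rules.items()
                  if any(fnmatchcase(resource_type, pattern) for pattern in rule["enforced_for"]))


if __name__ == "__main__":
    rules = parse_tag_policy(SAMPLE_DESCRIBE_POLICY_OUTPUT)
    for key, rule in rules.items():
        print("%-12s values=%s enforced_for=%s" % (key, rule["values"], rule["enforced_for"]))
    # Constructed resource tag sets, as returned by a service's list-tags call.
    constructed_resources = {
        "i-compliant": {"Environment": "Production", "Owner": "sec-team"},
        "i-badcase": {"environment": "Production"},
        "i-badvalue": {"Environment": "prod"},
    }
    for name, tags in constructed_resources.items():
        print(name, evaluate_tags(rules, tags) or "compliant")
    print("keys enforced for s3:bucket:", enforced_keys_for(rules, "s3:bucket"))
```

Run it directly to see the summary and the per-resource findings; to audit a live organization, replace SAMPLE_DESCRIBE_POLICY_OUTPUT with the parsed output of describe-policy and the constructed tag sets with the tags returned by each service's tagging API.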
Backout Plan:
Using AWS Console:
Go to AWS Organizations > Policies > Tag Policies.
Select the policy, open its Targets, and choose Detach for each root, OU, or account it is attached to.
If needed, delete the policy (a policy can only be deleted once it has no remaining targets).
Using AWS CLI:
Detach the tag policy from each target it is attached to (the target is the root, OU, or account ID it was attached to; use list-targets-for-policy to enumerate them):
aws organizations detach-policy \
  --policy-id <POLICY_ID> \
  --target-id <TARGET_ID>
Delete the tag policy (optional; fails while the policy is still attached to any target):
aws organizations delete-policy --policy-id <POLICY_ID>