Profile Applicability:
- Level 1
Description:
Tag policies in AWS Organizations allow you to enforce consistent tagging practices across all AWS resources in your organization. These policies help ensure that resources are tagged according to predefined standards, such as the correct tag keys, allowed values, and capitalization. By using tag policies, you can standardize resource tagging, making it easier to manage, search, and report on resources across your entire organization.
Rationale:
Enabling tag policies ensures that all resources are consistently tagged according to the organization's standards. This helps in managing resources at scale, facilitates cost allocation, improves security posture by ensuring necessary tags are present (e.g., compliance, resource owners), and aids in audit and reporting. Tagging policies also help in automating management processes and maintaining organizational compliance.
Impact:
Pros:
- Improved resource management by enforcing consistent tagging.
- Facilitates cost tracking, reporting, and compliance through standardized tags.
- Helps in automation, such as applying security policies or lifecycle management rules based on tags.
- Enhanced security by ensuring that all resources have the necessary tags for access control and compliance purposes.
Cons:
- Requires initial setup and configuration of tag policies across the organization.
- May result in administrative overhead if resources are not tagged correctly, as non-compliant resources need to be corrected.
Default Value:
By default, tag policies are disabled in AWS Organizations, and resources can be tagged without any enforcement or standardization. Enabling tag policies requires an explicit action to enforce tagging standards across the organization.
Pre-requisites:
AWS IAM permissions to manage AWS Organizations and policies:
organizations:ListPolicies, organizations:EnablePolicyType, organizations:DescribePolicy
Remediation:
Test Plan:
Using AWS Console:
Log in to AWS Organizations at AWS Organizations Console.
In the left pane, under Policies, click Tag policies.
Check if Tag policies are enabled. If the status is disabled, proceed to enable tag policies as described below.
Using AWS CLI:
Run the following command to list existing policies:
aws organizations list-policies --filter TAG_POLICY
If the output shows an empty policy list ("Policies": []), tag policies are not in effect, and you need to enable them as described below.
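The list-policies check above only tells you whether any tag policy documents exist; an empty list is also what you get when the policy type is enabled but no policy has been created yet. The authoritative status is the TAG_POLICY entry in the root's PolicyTypes, returned by aws organizations list-roots (the list only contains policy types that are enabled or pending). The following Python is an added example for this assessment, not part of the benchmark or of AWS tooling; it parses constructed sample output of both commands offline and combines them into one finding.

```python
import json

# Constructed sample of `aws organizations list-roots` output (not captured from a real account).
# TAG_POLICY is present but still PENDING_ENABLE, so the control is not yet satisfied.
SAMPLE_LIST_ROOTS = json.dumps({
    "Roots": [{
        "Id": "r-examp",
        "Arn": "arn:aws:organizations::111122223333:root/o-exampleorgid/r-examp",
        "Name": "Root",
        "PolicyTypes": [
            {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
            {"Type": "TAG_POLICY", "Status": "PENDING_ENABLE"},
        ],
    }]
})

# Constructed sample where TAG_POLICY has never been enabled: AWS simply omits it from PolicyTypes.
SAMPLE_LIST_ROOTS_NEVER_ENABLED = json.dumps({
    "Roots": [{"Id": "r-examp", "Name": "Root",
               "PolicyTypes": [{"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"}]}]
})

# Constructed sample with TAG_POLICY fully enabled.
SAMPLE_LIST_ROOTS_ENABLED = json.dumps({
    "Roots": [{"Id": "r-examp", "Name": "Root",
               "PolicyTypes": [{"Type": "TAG_POLICY", "Status": "ENABLED"}]}]
})

# Constructed samples of `aws organizations list-policies --filter TAG_POLICY` output.
SAMPLE_POLICIES_EMPTY = json.dumps({"Policies": []})
SAMPLE_POLICIES_ONE = json.dumps({"Policies": [{
    "Id": "p-examplepolicyid", "Name": "CostCenterTags", "Type": "TAG_POLICY", "AwsManaged": False}]})


def policy_type_status(list_roots_output: str, policy_type: str = "TAG_POLICY") -> str:
    """Return the root's status for a policy type.

    Possible values from the API are ENABLED, PENDING_ENABLE and PENDING_DISABLE.
    A type that has never been enabled is absent from PolicyTypes, which we report as DISABLED.
    """
    for root in json.loads(list_roots_output)["Roots"]:
        for pt in root.get("PolicyTypes", []):
            if pt["Type"] == policy_type:
                return pt["Status"]
    return "DISABLED"


def assess_tag_policies(list_roots_output: str, list_policies_output: str) -> str:
    """Combine both CLI checks into a single FAIL / WARN / PASS finding.

    The policy type status decides pass/fail; the policy count only distinguishes an enabled
    feature that is actually used from one that is enabled but still empty.
    """
    status = policy_type_status(list_roots_output)
    policies = json.loads(list_policies_output).get("Policies", [])
    if status != "ENABLED":
        return f"FAIL: TAG_POLICY status on the root is {status}; enable it with enable-policy-type"
    if not policies:
        return "WARN: TAG_POLICY is enabled but no tag policies have been created yet"
    return f"PASS: TAG_POLICY is enabled and {len(policies)} tag policy document(s) exist"


if __name__ == "__main__":
    print(assess_tag_policies(SAMPLE_LIST_ROOTS, SAMPLE_POLICIES_EMPTY))
    print(assess_tag_policies(SAMPLE_LIST_ROOTS_ENABLED, SAMPLE_POLICIES_ONE))
```

To run this against a real organization, feed it the stdout of the two commands (for example via `subprocess.run(["aws", "organizations", "list-roots"], capture_output=True, text=True).stdout`) from a principal that holds organizations:ListRoots in addition to organizations:ListPolicies.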
Implementation Plan:
Using AWS Console:
Sign in to AWS Organizations at AWS Organizations Console.
In the left pane, click Policies.
Click on Tag policies.
Click on Enable Tag Policies to activate the feature.
The page will update with the list of available policies and the ability to create one. If needed, create new tag policies to enforce naming conventions and tag values.
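A tag policy document declares, per tag, the canonical key capitalization (tag_key), an optional list of allowed values (tag_value), and optionally the resource types for which non-compliant tagging operations are rejected (enforced_for); the compliance report then flags existing tags that match a governed key case-insensitively but differ in capitalization or carry a value outside the allowed list. The following Python is an added example, not part of this benchmark or of AWS's own implementation: it uses a constructed tag policy in that syntax and evaluates a resource's tags against it the way the compliance report does, so that the policy you author in the console can be sanity-checked offline before it is attached.

```python
import json

# Constructed tag policy in the AWS tag-policy document syntax (not taken from any real organization).
# "costcenter"/"owner" are arbitrary entry names; the governed key is what @@assign sets under tag_key.
SAMPLE_TAG_POLICY = json.dumps({
    "tags": {
        "costcenter": {
            "tag_key": {"@@assign": "CostCenter"},
            "tag_value": {"@@assign": ["100", "200", "300"]},
            "enforced_for": {"@@assign": ["ec2:instance", "s3:bucket"]},
        },
        "owner": {
            "tag_key": {"@@assign": "Owner"}   # no tag_value: any value is compliant
        },
    }
})


def load_rules(policy_json: str) -> dict:
    """Flatten the policy into {lowercased key: (canonical key, allowed values or None, enforced types)}."""
    rules = {}
    for entry in json.loads(policy_json)["tags"].values():
        key = entry["tag_key"]["@@assign"]
        values = entry.get("tag_value", {}).get("@@assign")
        enforced = entry.get("enforced_for", {}).get("@@assign", [])
        rules[key.lower()] = (key, None if values is None else list(values), list(enforced))
    return rules


def evaluate_tags(policy_json: str, resource_tags: dict) -> list:
    """Return the compliance findings for the tags on one resource.

    A tag is in scope when its key matches a governed key case-insensitively. It is
    non-compliant if the key's capitalization differs from the canonical key, or if the
    value is not in the allowed list (when one is defined). Keys the policy does not
    mention are out of scope, and a missing tag is not a finding: tag policies validate
    tags that are present rather than requiring tags to exist.
    """
    rules = load_rules(policy_json)
    findings = []
    for key, value in resource_tags.items():
        rule = rules.get(key.lower())
        if rule is None:
            continue
        canonical, allowed, _enforced = rule
        if key != canonical:
            findings.append(f"key '{key}' should be capitalized '{canonical}'")
        if allowed is not None and value not in allowed:
            findings.append(f"value '{value}' for '{canonical}' is not one of {allowed}")
    return findings


def is_enforced(policy_json: str, tag_key: str, resource_type: str) -> bool:
    """True if a non-compliant tagging request for this key would be rejected on this resource type."""
    rule = load_rules(policy_json).get(tag_key.lower())
    return rule is not None and resource_type in rule[2]


if __name__ == "__main__":
    print(evaluate_tags(SAMPLE_TAG_POLICY, {"costcenter": "999", "Owner": "team-a"}))
```

Only the enforced_for resource types reject non-compliant tagging operations; for every other type the policy is report-only, which is why is_enforced is kept separate from evaluate_tags.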
Using AWS CLI:
Run the following command to enable tag policies in your organization:
aws organizations enable-policy-type --root-id <RootID> --policy-type TAG_POLICY
Verify that tag policies are now enabled by checking the policy type status on the root; the TAG_POLICY entry should show "Status": "ENABLED":
aws organizations list-roots --query 'Roots[].PolicyTypes[?Type==`TAG_POLICY`]'
Backout Plan:
Using AWS Console:
If enabling tag policies causes issues, log in to AWS Organizations.
In the Policies section, click on Tag policies.
Click on Disable to turn off tag policies if necessary.
Using AWS CLI:
If you need to disable tag policies, run the following command:
aws organizations disable-policy-type --root-id <RootID> --policy-type TAG_POLICY
Verify that tag policies have been disabled by confirming that TAG_POLICY no longer appears with "Status": "ENABLED" on the root:
aws organizations list-roots --query 'Roots[].PolicyTypes[?Type==`TAG_POLICY`]'
References:
AWS CLI: list-policies
AWS CLI: enable-policy-type
CIS Controls: