Profile Applicability:

  • Level 1

Description:
 An EC2 tag policy enables you to define tag compliance rules to ensure consistency and proper management of tags attached to your EC2 resources. Tag policies help enforce the tagging strategy across all EC2 resources, making it easier to organize, manage, and monitor resources at scale.

Rationale:
 Tagging is a fundamental practice for organizing AWS resources. Implementing a tag policy helps ensure that the required tags are consistently applied across your EC2 resources. By using a tag policy for EC2, you can enforce best practices for tagging compliance, which in turn helps with resource management, cost allocation, security audits, and overall organizational governance. Tag policies also prevent non-compliant actions and help to manage resources more effectively.

Impact:
 Pros:

  • Standardizes tagging practices across EC2 resources, making it easier to track and manage.

  • Ensures that EC2 resources are consistently tagged with important metadata, such as cost centers, departments, or owners.

  • Helps maintain compliance and consistency, which is essential for auditing and reporting.

  • Allows enforcement of naming conventions and capitalization compliance for tags.

Cons:

  • Requires administrative effort to configure and maintain tag policies.

  • Incorrectly configured policies may prevent the creation of resources that do not comply with the tagging strategy.

Default Value:
 By default, AWS does not create or enforce any tag policies. Tagging practices need to be manually implemented, and without an organizational tag policy, there is no enforcement of consistent tagging.

Pre-requisites:

  • AWS IAM permissions to manage AWS Organizations and tag policies:
    organizations:ListPolicies,organizations:CreatePolicy,organizations:DescribePolicy, organizations:EnablePolicyType

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to AWS Organizations at AWS Organizations Console.

  2. In the left pane, under Policies, click on Tag policies.

  3. Review the list of Tag policies and ensure there is a policy for EC2 tagging.

  4. Click on the EC2 tag policy and select Edit policy.

  5. Ensure that the following settings are configured:

    • Tag key capitalization compliance: Ensure this option is checked.

    • Prevent non-compliant operations for this tag: This should be checked.

    • Resource types: Ensure that ec2:image, ec2:instance, and ec2:reserved-instances are listed under resource types.

Using AWS CLI:

  1. Run the following command to list all tag policies:

    aws organizations list-policies --filter TAG_POLICY

  2. Review the output to ensure that a tag policy exists for EC2 tagging.

  3. If there is no EC2 tag policy or the policy does not include the correct settings, refer to the remediation steps below.

Implementation Plan:

Using AWS Console:

  1. Log in to AWS Organizations at AWS Organizations Console.

  2. On the left-hand side, click on Policies.

  3. Under Support policy types, click on Tag policies.

  4. Under Available policies, click Create policy.

  5. Enter a policy name (e.g., EC2 Tagging Policy).

  6. Enter a policy description that indicates this is the EC2 tag policy.

  7. For New tag key 1, specify the name of the tag key to add (e.g., OwnerCostCenter).

  8. For Tag key capitalization compliance, select the checkbox to enable this option and mandate specific capitalization for tag keys.

  9. Under Resource types to enforce, check Prevent non-compliant operations for this tag.

  10. Click Specify resource types, expand EC2, and select:

    • ec2:image

    • ec2:instance

    • ec2:reserved-instances

  11. Click Save changes.

  12. Click Create policy to finalize the policy creation.

Using AWS CLI:

  1. Run the following command to enable tag policies for EC2:

    aws organizations create-policy --name "EC2 Tagging Policy" --description "Policy for EC2 resource tagging compliance" --type TAG_POLICY --content file://tag-policy.json

  2. The tag-policy.json file should contain the policy definitions, including the tag key, capitalization rules, and resource types.

Backout Plan:

Using AWS Console:

  1. If the tag policy causes issues, log in to AWS Organizations.

  2. Navigate to Policies and select the Tag policy.

  3. Click Delete policy to remove the tag policy if necessary.

Using AWS CLI:

  1. If issues arise, run the following command to delete the tag policy:

    aws organizations delete-policy --policy-id <policy-id>

References:

  1. AWS Organizations: Tag Policies

  2. AWS CLI: list-policies

  3. AWS CLI: create-policy

CIS Controls:

Version

Control ID

Control Description

v8

1.1

Establish and maintain an inventory of enterprise assets, including EC2 resources, and ensure tagging policies are in place to enforce consistent tagging practices across all EC2 resources.

v7

1.5

Ensure that all enterprise assets, including EC2 resources, are tagged consistently using tag policies that enforce compliance with organizational standards.