AWS Resource Tagging: Enforcement & Compliance
To an untrained eye, tagging might appear insignificant amidst the vast array of resources in AWS. Tagging resources on AWS involves attaching metadata — such as labels or keywords — to resources, enabling easier organization, cost allocation, and management across complex cloud environments. However, proper utilization of tagging can significantly ease long-term account management on multiple fronts. For more information on the effective use of tags, readers can visit our Article on Tagging in the AWS Blog.
After implementing a robust tagging structure for an account, the next crucial step is ensuring tagging enforcement and compliance. This means verifying that tags are applied correctly and consistently. As with any structured system, it is only as good as its adherence.
Our discussions with various individuals from multiple organizations revealed a consensus on the importance of proper enforcement and compliance. However, there was also agreement on the challenges and difficulties encountered when attempting to put these ideas into practice.
Tagging Enforcement
Using AWS Organizations provides access to Service Control Policies (SCPs). SCPs enable the specification of allow and deny actions for various AWS operations at an account-wide level. While SCPs are highly powerful, this article will not delve deeply into their usage.
For the purpose of tagging enforcement, basic logic will be implemented to deny resource creation if tags are missing. This approach ensures that tagging policies are adhered to consistently across the account.
Below is a sample SCP that denies resource creation when the required tag is missing from the request.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateResourceWithNoTagName",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVpc"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    }
  ]
}
In the sample statement above, the “ec2:CreateVpc” action is denied when the tag key “Name” is absent from the creation request: the Null condition evaluates to true when the request carries no “aws:RequestTag/Name” key, so a VPC cannot be created unless it is tagged with “Name” at creation time.
Author’s Note: But hold on, I know this looks great but I said there would be some challenges, remember? :)
Challenge #1 — No single action for all resources
Given the way AWS actions function, there is no universal action that covers all resource creation activities. Therefore, to ensure an action is denied, it is necessary to specify each individual action explicitly. This requirement adds to the complexity and management overhead, as all relevant actions must be identified and included in the policy.
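The following script is an added example, not code from the original article or from TrackIt. It generates the deny statement above for an explicit list of actions (the point of Challenge #1) and then simulates how the Null condition on aws:RequestTag/${TagKey} is evaluated against a constructed creation request. The action list (EXAMPLE_ACTIONS) and the simplified evaluator are assumptions for illustration: the evaluator only models Deny statements with a Null condition and is not the AWS policy engine.

```python
import fnmatch
import json

# Condition key prefix used by the deny statement; the tag name after the
# slash (here "Name") is the key the creation request must include.
REQUEST_TAG_PREFIX = "aws:RequestTag/"

# Assumed action list for illustration. Each action must be named explicitly
# (there is no single "create anything" action) and must support the
# aws:RequestTag condition key; verify every entry against the AWS Service
# Authorization Reference before deploying.
EXAMPLE_ACTIONS = ["ec2:CreateVpc", "ec2:CreateSubnet", "ec2:RunInstances"]


def build_deny_untagged_scp(actions, required_tag_keys):
    """Return an SCP document with one Deny statement per required tag key."""
    statements = []
    for tag_key in required_tag_keys:
        sid_suffix = "".join(ch for ch in tag_key if ch.isalnum())  # Sid must be alphanumeric
        statements.append({
            "Sid": f"DenyCreateResourceWithNoTag{sid_suffix}",
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {
                # Null/"true" matches when the key is ABSENT from the request,
                # i.e. the caller did not pass that tag at creation time.
                "Null": {f"{REQUEST_TAG_PREFIX}{tag_key}": "true"}
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _action_matches(pattern, action):
    # IAM action patterns allow '*' and '?' wildcards and are case-insensitive.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _null_condition_matches(null_block, request_context):
    # Every key in a Null block must hold for the condition to be satisfied.
    for key, expected in null_block.items():
        key_is_absent = key not in request_context
        if key_is_absent != (str(expected).lower() == "true"):
            return False
    return True


def is_denied(policy, action, request_tags):
    """Simulate whether the SCP denies `action` for a creation request that
    carries `request_tags` ({tag_key: tag_value}). Simplified model only."""
    request_context = {f"{REQUEST_TAG_PREFIX}{k}": v for k, v in request_tags.items()}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        patterns = statement["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_action_matches(p, action) for p in patterns):
            continue
        null_block = statement.get("Condition", {}).get("Null", {})
        if _null_condition_matches(null_block, request_context):
            return True
    return False


if __name__ == "__main__":
    policy = build_deny_untagged_scp(EXAMPLE_ACTIONS, ["Name"])
    print(json.dumps(policy, indent=2))
    print("CreateVpc without Name denied:", is_denied(policy, "ec2:CreateVpc", {}))
    print("CreateVpc with Name denied:", is_denied(policy, "ec2:CreateVpc", {"Name": "prod-vpc"}))
```

One caveat the simulator makes visible: if a wildcard such as "ec2:Create*" sweeps in an action that does not support aws:RequestTag, the key is always absent for that action, so the Null condition is always satisfied and the action is denied unconditionally. That is why the action list is best kept explicit and checked against the Service Authorization Reference.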
Challenge #2 — When tags are applied to resources
AWS resources don’t follow a uniform pattern in terms of tag application during creation. While some resources apply tags during creation (which is the desired outcome), others are created first and tagged afterward. This difference can pose challenges, as a denial policy based on tag presence may not work for resources that require tagging post-creation. Unfortunately, determining how resources behave in this regard often requires testing and observation.
Challenge #3 — Statement conditions for the resource
As mentioned earlier, the creation process for AWS resources varies, and each action supports a defined set of condition keys that can be used in a policy statement. For this statement to work, the action must support the “aws:RequestTag/${TagKey}” condition key. Unfortunately, some actions, for example “s3:CreateBucket”, do not support it. As a result, this manner of denying resource creation does not work for S3 buckets.
A full list of actions and condition keys can be found in the AWS Service Authorization Reference.
Challenge #1 involves additional effort, while challenges #2 and #3 highlight limitations that prevent the SCP from being a comprehensive solution for tagging enforcement. This underscores the importance of tagging compliance measures.
Tagging compliance
AWS Config is another powerful tool akin to SCPs, capable of near real-time detection of resource compliance with defined rules. It can automatically remediate non-compliant resources based on these rules. However, details on how to use Config will not be covered in this article.
For tagging compliance, the “required-tags” managed rule in AWS Config allows the tag keys, and optionally the tag values, that resources must carry to be specified. In this example, the rule’s tag key parameter is set to “Name”. Any resource lacking the tag key “Name” will be flagged as non-compliant.
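As an added example (not code from the original article or from TrackIt), the function below builds the ConfigRule structure that boto3’s put_config_rule expects for the AWS-managed “required-tags” rule, using the key “Name” as in the text. The rule name, the optional resource-type scope and the second tag in the usage are assumptions; the managed rule’s identifier REQUIRED_TAGS and its tag1Key … tag6Key / tag1Value … tag6Value parameters are the real ones.

```python
import json

# AWS-managed rule identifier behind the "required-tags" rule shown in the console.
REQUIRED_TAGS_RULE_ID = "REQUIRED_TAGS"
MAX_REQUIRED_TAGS = 6  # the managed rule accepts parameters tag1Key ... tag6Key


def build_required_tags_rule(rule_name, required_tags, resource_types=None):
    """Build the ConfigRule structure accepted by put_config_rule.

    required_tags maps each required tag key to a list of allowed values, or to
    None when any value is acceptable (the article's example: key "Name" only).
    """
    if not 1 <= len(required_tags) <= MAX_REQUIRED_TAGS:
        raise ValueError(f"required-tags supports 1 to {MAX_REQUIRED_TAGS} tag keys")
    params = {}
    for index, (key, values) in enumerate(required_tags.items(), start=1):
        params[f"tag{index}Key"] = key
        if values:
            # tagNValue is a comma-separated list of acceptable values.
            params[f"tag{index}Value"] = ",".join(values)
    rule = {
        "ConfigRuleName": rule_name,
        "Description": "Flags resources missing required tag keys: " + ", ".join(required_tags),
        "Source": {"Owner": "AWS", "SourceIdentifier": REQUIRED_TAGS_RULE_ID},
        "InputParameters": json.dumps(params),
    }
    if resource_types:
        # Optional scope; without it the rule evaluates every resource type it supports.
        rule["Scope"] = {"ComplianceResourceTypes": list(resource_types)}
    return rule


def rule_parameters(rule):
    """Return the rule's InputParameters decoded back into a dict (for review)."""
    return json.loads(rule["InputParameters"])


def deploy_rule(rule, config_client):
    """Create or update the rule; config_client is a boto3 'config' client."""
    config_client.put_config_rule(ConfigRule=rule)
    return rule["ConfigRuleName"]


if __name__ == "__main__":
    import boto3  # only needed for an actual deployment

    # Assumed rule name and scope for this example.
    rule = build_required_tags_rule(
        "required-tags-name",
        {"Name": None},
        resource_types=["AWS::EC2::VPC", "AWS::EC2::Instance", "AWS::S3::Bucket"],
    )
    print(json.dumps(rule, indent=2))
    deploy_rule(rule, boto3.client("config"))
```

Because the rule is defined as data, the same builder can be reviewed in a pull request or applied to many accounts before any call to AWS is made; scoping the rule to the resource types that actually carry tags in the account keeps the non-compliance list focused.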
Unfortunately, due to the dynamic nature of tagging, automated remediation is not feasible in 9 out of 10 cases for resources that are not in compliance with the specified rules, because the correct tag value usually cannot be determined automatically. However, alerts can be set up as remediation actions, triggering an AWS Lambda function that messages external services, or sending notifications to subscribed parties via an Amazon SNS topic.
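The alerting path described above, as an added example that is not part of the original article or TrackIt’s code: a Lambda handler that receives the EventBridge “Config Rules Compliance Change” notification, ignores anything that is not a NON_COMPLIANT result for the required-tags rule, and publishes a readable message to an SNS topic. RULE_NAME, TOPIC_ARN and the sample event are constructed placeholders; RecordingSnsClient stands in for the boto3 SNS client so the handler can be exercised offline.

```python
# Assumed names for this example; replace with your own rule name and topic ARN.
RULE_NAME = "required-tags-name"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:tagging-compliance-alerts"  # placeholder


def summarize_compliance_event(event, rule_name=RULE_NAME):
    """Pull the alert-worthy fields out of a Config compliance-change event.

    Returns None for anything that should not notify anyone: events from other
    sources, other rules, or evaluation results that are not NON_COMPLIANT.
    """
    detail = event.get("detail", {})
    if event.get("source") != "aws.config" or detail.get("configRuleName") != rule_name:
        return None
    result = detail.get("newEvaluationResult", {})
    if result.get("complianceType") != "NON_COMPLIANT":
        return None
    return {
        "account": detail.get("awsAccountId"),
        "region": detail.get("awsRegion"),
        "resource_type": detail.get("resourceType"),
        "resource_id": detail.get("resourceId"),
        "rule": rule_name,
        "recorded_at": result.get("resultRecordedTime"),
    }


def format_alert(summary):
    """Human-readable message body for the SNS subscribers."""
    return (
        "Tagging compliance alert\n"
        f"Rule:     {summary['rule']}\n"
        f"Account:  {summary['account']} ({summary['region']})\n"
        f"Resource: {summary['resource_type']} {summary['resource_id']}\n"
        f"Recorded: {summary['recorded_at']}\n"
        "Action:   the resource owner must add the required tag(s); the value cannot be inferred automatically."
    )


class RecordingSnsClient:
    """Stand-in for boto3's SNS client that records publishes instead of sending them."""

    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": f"local-{len(self.published)}"}


def lambda_handler(event, context=None, sns_client=None):
    summary = summarize_compliance_event(event)
    if summary is None:
        return {"published": False}
    if sns_client is None:
        import boto3  # only needed when running inside Lambda
        sns_client = boto3.client("sns")
    sns_client.publish(
        TopicArn=TOPIC_ARN,
        Subject=f"[Config] {summary['resource_type']} missing required tags"[:100],
        Message=format_alert(summary),
    )
    return {"published": True, "resource_id": summary["resource_id"]}


# Constructed sample event, shaped like the EventBridge notification AWS Config
# emits when a rule's evaluation result changes; every value is made up.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "111122223333",
    "region": "us-east-1",
    "time": "2024-01-01T00:00:00Z",
    "resources": [],
    "detail": {
        "resourceId": "i-0123456789abcdef0",
        "awsRegion": "us-east-1",
        "awsAccountId": "111122223333",
        "configRuleName": RULE_NAME,
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "resultRecordedTime": "2024-01-01T00:00:00.000Z",
        },
        "resourceType": "AWS::EC2::Instance",
    },
}

if __name__ == "__main__":
    client = RecordingSnsClient()
    print(lambda_handler(SAMPLE_EVENT, sns_client=client))
    print(client.published[0]["Message"])
```

Filtering on complianceType before publishing matters in practice: Config also emits a change event when a resource returns to COMPLIANT, and forwarding those would double the noise on the topic for no gain.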
Closing thoughts
With these two measures combined, comprehensive coverage of tagging usage can be achieved. Although it would have been ideal if the SCP could cover more resources, it is still not a practical solution on its own. AWS introduces more services every year, so eventually the SCPs will be expanded to cover more actions.
About TrackIt
TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.
We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.
Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.
About Chris Koh
Chris is a DevOps Engineer at TrackIt. He has been in the technology industry for a decade, with the last 7 years working directly with AWS. He started his venture into DevOps as his desire to automate as many workflows as possible grew. Everything from reporting, user management, system management, all the way through CI/CD, if it can be automated it should be automated.
Chris holds 5 of the currently available 12 AWS certifications (Cloud Practitioner, Solutions Architect: Associate, SysOps Administrator: Associate, Security: Specialty and DevOps: Professional). He has his sights set on getting all 12 certifications to get the little known golden jacket. Outside of AWS certifications he is also looking to attain his CCNA and CCNP.