In this hands-on workshop, we will explore the implementation of AWS resource tagging strategies using Tagging Policies and Service Control Policies (SCPs). This workshop focuses on the widely used EC2 service as an illustrative example.
AWS resource tagging provides a powerful means to organize, filter, and search for resources. This workshop will demonstrate how to effectively manage and govern resources using tags.
- An active AWS account (with necessary permissions) and access to the AWS Management Console.
- AWS Organization
- Basic familiarity with AWS services, particularly EC2 instances.
Discover how to utilize AWS Tag Policies to enforce a standardized tagging policy. Create policies specifying accepted tag keys and values for resources within the organization.
Follow these steps to create and associate a tag policy for EC2 instances, ensuring adherence to predefined tagging conventions.
- Navigate to the AWS Management Console.
- Open the “AWS Organizations” service.
- Enable Tag policies.
- In the left navigation pane, select “Tag policies.”
- Click on “Create tag policy.”
- Define the tag policy by specifying tag keys and values. Let’s set tag policies for the “Environment” and “Project” tags of EC2 instances. Edit the values and set your own accepted tag value(s).
- Save the policy.
- Associate the created tag policy with the root or specific organizational unit (OU) or Account.
Create a new EC2 instance and verify that the tags specified in the tag policy are enforced during creation.
Note that a Tag Policy only validates the values of tags that are present on a resource; it does not check whether a required tag exists at all. Users with the necessary IAM permissions will still be able to create resources without tags. To restrict the creation of AWS resources lacking the required tags, we will employ Service Control Policies (SCPs) to establish protective boundaries for resource creation requests.
Understand how SCPs provide fine-grained control over AWS services within an organization, allowing administrators to define allowed or denied actions.
Explore how SCPs can be used to deny the creation of resources lacking specific tags. This reinforces governance and cost tracking.
Continue with the previous example and create an SCP that denies the creation of EC2 instances without specific tags.
- Navigate to the AWS Management Console.
- Open the “AWS Organizations” service.
- Enable Service Control policies.
- In the left navigation pane, select “Policies” -> “Service control policies.”
- Click on “Create policy.”
- Define the SCP to deny actions based on conditions, such as creating EC2 instances without specific tags. Use the visual editor tabs on the right side to set the Action, Resources, and Conditions, or choose the “JSON” tab and enter the policy below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationSCP1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "DenyEC2CreationSCP2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }
  ]
}
```
- Associate the created SCP with the root or specific organizational unit (OU) or Account.
Attempt to create an EC2 instance without the required tags, ensuring that the SCP prevents the action.
| Tag enforcement test | Result | Behaves as expected? |
|---|---|---|
| Without tags | Failed | Yes |
| With random tag key and value | Failed | Yes |
| With tag key Environment and wrong tag value | Failed | Yes |
| With tag key Project only and correct tag value | Failed | Yes |
| With tag key Environment only and correct tag value | Failed | Yes |
| With both tag keys (Environment and Project) and correct tag values | Success | Yes |
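The SCP above and the test table, as an added example that is not part of the original workshop: a small Python evaluator that replays the six test cases offline by applying the IAM `Null` condition and the tag policy's value check. It embeds the workshop's SCP verbatim; the accepted values in `TAG_POLICY` are constructed placeholders, since the page leaves the tag policy's values to the reader.

```python
"""Offline evaluator for the workshop's tag-governance rules (added example, not the page's own code)."""
from fnmatch import fnmatch

# The SCP from the workshop, verbatim.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyEC2CreationSCP1", "Effect": "Deny", "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"Null": {"aws:RequestTag/Environment": "true"}}},
        {"Sid": "DenyEC2CreationSCP2", "Effect": "Deny", "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"Null": {"aws:RequestTag/Project": "true"}}},
    ],
}
# Constructed placeholder for the tag policy's accepted values; substitute your own.
TAG_POLICY = {"Environment": {"dev", "prod"}, "Project": {"alpha", "beta"}}


def scp_denies(action, request_tags):
    """Return the Sid of the first Deny statement whose Null condition matches, else None.

    IAM's Null operator is true when the condition key is absent from the request, so
    "aws:RequestTag/Environment": "true" matches a RunInstances call carrying no Environment
    tag. Simplified: keys are compared case-sensitively and Resource patterns are not checked.
    Also remember that SCPs never restrict the organization's management account.
    """
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny" or not any(fnmatch(action, p) for p in stmt["Action"]):
            continue
        for key, expected in stmt["Condition"].get("Null", {}).items():
            key_absent = key.removeprefix("aws:RequestTag/") not in request_tags
            if key_absent == (expected == "true"):
                return stmt["Sid"]
    return None


def tag_policy_violation(request_tags):
    """Tag policies validate the values of keys that are present, never a key's presence."""
    for key, value in request_tags.items():
        if key in TAG_POLICY and value not in TAG_POLICY[key]:
            return key
    return None


def run_instances_outcome(request_tags):
    """Combine both controls as the test table does: SCP presence check, then tag policy values."""
    sid = scp_denies("ec2:RunInstances", request_tags)
    if sid:
        return f"Failed (SCP {sid})"
    bad_key = tag_policy_violation(request_tags)
    return f"Failed (tag policy: {bad_key})" if bad_key else "Success"
```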
By leveraging AWS Tag Policies and Service Control Policies, organizations can standardize tagging practices, enforce policy compliance, and enhance visibility into their AWS resources. This workshop has demonstrated how to apply and enforce standardized tagging during resource creation, as well as how to use SCPs to control resource creation.