AWS Config Rule: Required Tags


Fernando Honig

Last Update één jaar geleden

Description: Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag. Separate multiple values with commas. You can check up to 6 tags at a time.

Trigger type: Configuration changes

AWS Region: All supported AWS regions

How to Resolve Manually

The supported resource types for this rule are as follows: (Correct at time of publishing August 2nd 2021)

  • ACM::Certificate
  • AutoScaling::AutoScalingGroup
  • CloudFormation::Stack
  • CodeBuild::Project
  • DynamoDB::Table
  • EC2::CustomerGateway
  • EC2::Instance
  • EC2::InternetGateway
  • EC2::NetworkAcl
  • EC2::NetworkInterface
  • EC2::RouteTable
  • EC2::SecurityGroup
  • EC2::Subnet
  • EC2::Volume
  • EC2::VPC
  • EC2::VPNConnection
  • EC2::VPNGateway
  • ElasticLoadBalancing::LoadBalancer
  • ElasticLoadBalancingV2::LoadBalancer
  • RDS::DBInstance
  • RDS::DBSecurityGroup
  • RDS::DBSnapshot
  • RDS::DBSubnetGroup
  • RDS::EventSubscription
  • Redshift::Cluster
  • Redshift::ClusterParameterGroup
  • Redshift::ClusterSecurityGroup
  • Redshift::ClusterSnapshot
  • Redshift::ClusterSubnetGroup
  • S3::Bucket

The AWS Config rules using required-tags typically return results in 20 minutes or less. Results can vary depending on the service or resource type due to downstream dependencies. If the AWS Config rules scope of changes is set to resources, then verify the resource type is specified for the trigger.

An example setup of the Required Tags is as follows;;

Tag Name (Key): Environment

Tag Value(s): Prod / Dev / QA

Description: The environment in which the resource is deployed

In the config rule, we could apply this to Resource types: EC2::Instance - so we would be focusing on the tags attached to EC2 Instances.

If an Instance did not have an Environment Tag, or had the tag with a value not from the list of available values, it would be INCOMPLIANT

For the Instance to be COMPLIANT, it would need to have an Environment Tag with either Prod, Dev or QA as the value.

How to Resolve with StackZone

StackZone can remediate these resources which show as NON_COMPLIANT for you. It completes this by removing any resources which are created without the required tags in place.

This is quite a destructive remediation so should be used with caution.

When this auto-remediation targets an S3 Bucket, we will attempt to empty the bucket first before then deleting the Bucket.

When targeting an Elastic IP, we will first disassociate the EIP from the attached target, before then releasing it from your pool.

When this auto-remediation targets an RDS Instance, we will create the final snapshot before deleting the resource.

To enable this remediation in your StackZone deployment, head on over to Provisioning / Baseline Services / AWS Config Rules Regional and enable Required Tags Remediation.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

1 out of 1 liked this article

Still need help? Message Us