You are currently viewing AWS Tag Policy With Examples

AWS Tag Policy With Examples

AWS Tag Policy With Examples

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we have discussed AWS backup policy.

In this blog post, we will discuss AWS tag policy with examples and how to enforce tags in AWS. You can achieve tag enforcement using tag policy. AWS tag policy helps you standardize tags across resources across all of the accounts in your organization. In a tag policy, you can specify tagging rules for specific resources.

Elements Of Tag Policy:

A tag policy is a plaintext file that is structured according to the rules of JSON. The syntax for tag policies follows the syntax for management policy types and consist of following elements

  • tags: Tag policies always start with this fixed key name tags. It’s the top line in the example policy above.
  • policy_key: A policy key uniquely identifies the policy statement. It must match the value for the tag key, except for the case treatment. Unlike the tag key (described next), the policy value is not case sensitive.
  • tag_key: At least one tag key that specifies the allowed tag key with the capitalization that you want resources to be compliant with. If case treatment isn’t defined, lowercase is the default case treatment for tag keys. The value for the tag key must match the value for the policy key. But since the policy key value is case insensitive, the capitalization can be different.
  • tag_values: A list of one or more acceptable tag values for the tag key. If the tag policy doesn’t specify a tag value for a tag key, any value (including no value at all) is considered compliant.
  • enforced_for: The enforced_for option that indicates whether to prevent any noncompliant tagging operations on specified services and resources. In the console, this is the Prevent noncompliant operations for this tag option in the visual editor for creating tag policies. The default setting for this option is null.
  • Inheritance operators: Inheritance operators control how inherited policies and account policies merge into the account’s effective policy. These operators include value-setting operators and child control operators.
    • Value-setting operators: You can use the following value-setting operators to control how your policy interacts with its parent policies:
      • @@assign: Overwrites any inherited policy settings with the specified settings. If the specified setting isn’t inherited, this operator adds it to the effective policy.
      • @@append: Adds the specified settings (without removing any) to the inherited ones. If the specified setting isn’t inherited, this operator adds it to the effective policy.
      • @@remove: Removes the specified inherited settings from the effective policy, if they exist.
    • Child control operators: Using child control operators is optional. You can use the @@operators_allowed_for_child_policies operator to control which value-setting operators child policies can use. You can allow all operators, some specific operators, or no operators. By default, all operators (@@all) are allowed.
      • “@@operators_allowed_for_child_policies“:[“@@all”]: Child OUs and accounts can use any operator in policies. By default, all operators are allowed in child policies.
      • “@@operators_allowed_for_child_policies“:[“@@assign”, “@@append”, “@@remove”]: Child OUs and accounts can use only the specified operators in child policies. You can specify one or more value-setting operators in this child control operator.
      • “@@operators_allowed_for_child_policies”:[“@@none”]: Child OUs and accounts can’t use operators in policies. You can use this operator to effectively lock in the values that are defined in a parent policy so that child policies can’t add, append, or remove those values.

Example Tag Policy:

This example policy specifies that no values are acceptable for the Uptime tag key. It also specifies that no operators are allowed in child tag policies. Therefore, any Uptime tags on resources in affected accounts are considered non-compliant. However, the enforced_for option actually prevents affected accounts from tagging only EC2 instances with the Uptime tag.

Next, we are going to discuss how to manage AWS organization tag policy using API.


AWS Organization created with multiple OU and member accounts. You can refer below blog post to create the organization. This blog is a continuation from below blog post.

How To Enable Tag Policy In AWS Organization Using AWS CLI

How To Create A New Tag Policy Using AWS CLI

How To Attach A Tag Policy To An Organizational Unit Using AWS CLI

As a result of the above tag policy enforcement, you will not be able to create a new VPC for accounts under Foundation OU with a tag with key defined in the tag policy but with a different value. Let’s test this.

Next, let us explain Tag policy inheritance with an example. We will create a new tag policy and attach to Regulatory OU.

Observe, account inside regulatory OU have inherited tag values from Foundation OU.

How To Update An Tag Policy Using AWS CLI

How To Detach A Tag Policy From An Organizational Unit Using AWS CLI

How To Delete A Tag Policy Using AWS CLI

Hope you have enjoyed this article. To know more about AWS organization, please refer below official documentation

Leave a Reply