AWS Config Required Tags

The required-tags rule checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag, while also checking if all your Amazon RDS instances have a tag. Separate multiple values with commas. You can check up to 6 tags at a time.

You can use this rule to find resources in your account that were not launched with your desired configurations by specifying which resources should have tags and the expected value for each tag. You can also run remediation actions to fix tagging mistakes. However, this rule does not prevent you from creating resources with incorrect tags.

Ensure AWS Config recording is on

  1. Navigate to the AWS Config Dashboard, in the correct region.

  2. Choose Settings in the navigation pane.

  3. Under Recorder, verify that Recording is on.

Create The Rule

  1. In the navigation pane, choose Rules then choose Add rule.

  2. Select Add AWS Managed rule.

  3. Search for required-tags in the AWS Managed Rules search box.

  4. Select the required-tags rule and choose Next.

  5. Keep the defaults to include all resources.

  6. Under Parameters, enter the following rule parameters:

    • tag1Key : component
    • tag2Key : resource
    • tag2Value : dedicated, shared
    • tag3Key : owner
  7. Choose Remove to remove any additional tag fields that are unused. Then choose Next.

  8. Review the details of your rule, checking the Parameter values to confirm what the rule will assess. When you have finished reviewing, choose Save.

Review the dashboard

  1. Navigate back to the Config Dashboard to review what has been found by the rule.

  2. You can view the results of the rule you just created under Noncompliant rules by noncompliant resource count.

Investigate The Rule

  1. In the dashboard, under Compliance status, choose the Noncompliant resource(s) link.

  2. Filter the resources viewed by choosing AWS EC2 InternetGateway under Resource Type.

  3. Under Resource Identifier choose the Internet Gateway link to navigate to the resource.

  4. Choose the Tags tab to see why this resource was flagged as noncompliant by the required-tags rule.

  5. Use the navigation pane and choose Rules and then choose the required-tags rule.

  6. Scroll down to Resources in scope and choose Compliant from the dropdown menu.

  7. Choose a compliant Internet Gateway to navigate to the resource.

  8. Choose the Tags tab to see why this resource was flagged as compliant by the required-tags rule.
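
The rule from Create The Rule, expressed as the ConfigRule argument that boto3's put_config_rule accepts, together with a small local model of the tag check for reasoning about what the Tags tab shows. This is an added example, not part of the original lab; the function names, the sample gateway tags, and the exact-match comparison in missing_tags are assumptions.

```python
import json

MAX_TAGS = 6  # the rule checks up to 6 tags at a time

def build_rule(required, name="required-tags"):
    """Build ConfigRule from (key, allowed_values) pairs; [] means any value."""
    if not 1 <= len(required) <= MAX_TAGS:
        raise ValueError(f"required-tags takes 1 to {MAX_TAGS} tags")
    params = {}
    for i, (key, values) in enumerate(required, start=1):
        params[f"tag{i}Key"] = key
        if values:
            # Join without spaces so matching does not rely on trimming.
            params[f"tag{i}Value"] = ",".join(v.strip() for v in values)
    return {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"},
        "InputParameters": json.dumps(params),
    }

def missing_tags(rule, resource_tags):
    """Local model of the check (assumed exact match): list failure reasons."""
    params = json.loads(rule["InputParameters"])
    problems = []
    for i in range(1, MAX_TAGS + 1):
        key = params.get(f"tag{i}Key")
        if key is None:
            continue
        allowed = params.get(f"tag{i}Value")
        if key not in resource_tags:
            problems.append(f"missing tag '{key}'")
        elif allowed and resource_tags[key] not in allowed.split(","):
            problems.append(f"tag '{key}'='{resource_tags[key]}' not in [{allowed}]")
    return problems

# The parameters entered in the lab (component, resource, owner).
RULE = build_rule([("component", []), ("resource", ["dedicated", "shared"]), ("owner", [])])

# Constructed tag sets for two hypothetical internet gateways.
IGW_OK = {"component": "network", "resource": "shared", "owner": "platform"}
IGW_BAD = {"component": "network", "resource": "temporary"}

if __name__ == "__main__":
    for name, tags in (("igw-ok", IGW_OK), ("igw-bad", IGW_BAD)):
        print(name, missing_tags(RULE, tags) or "COMPLIANT")
    # To deploy (needs boto3, credentials, and the recorder on):
    # boto3.client("config").put_config_rule(ConfigRule=RULE)
```

Omitting Scope from the ConfigRule matches the lab's choice to keep the defaults and include all resources.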

Conclusion

In this lab, you have seen how you can use the required-tags AWS Config rule to check that your existing account resources meet the requirements set out for the required tags that you have defined. The lab focuses on how to do this in an individual account, but it is also possible to do the same at an organization level if you have an aggregator in place.

Cleaning this section up

To avoid incurring future charges, delete the resources that you have created during the walkthrough:

  • AWS Config rule