
Enforcing Mandatory Tags Across Your AWS Resources

Mandatory tags can be a good way to standardize how your organization creates and labels resources. This post looks at how you can check the tags on your AWS resources.


Amazon Web Services (AWS) tags help developers and teams organize resources. Without proper labeling practices, you could end up with scattered resources and no way to identify their purpose or provenance.

Setting up mandatory tags in AWS standardizes their use within a given environment, as users can’t create new resources unless they add a compliant tag. Enforcing mandatory tags helps you build upon and enrich your cloud management environment. As a result, your team will be able to properly manage your AWS resources and leverage them efficiently.

What Are Mandatory Tags in AWS?

An AWS tag consists of a user-defined tag key and a tag value. Below are some of the most common tag types used for AWS resources and related attributes.

Common Types of Mandatory Tags in AWS

Technical tags
  • Name: Used to identify an individual resource
  • Application ID: Identifies resources associated with a specific application
  • Application Role: Describes a resource’s function, like a web server or message broker
  • Cluster: Identifies resource farms with standard configurations and functions
  • Environment: Identifies whether the resource is associated with a development or production resource
  • Version: Distinguishes between different versions of a resource or application
Automation tags
  • Date/Time: Identifies the period for when to start, stop, delete, or rotate a resource
  • Opt-in/Opt-out: Identifies when to include a resource with an automated activity
  • Security: Outlines security requirements and identifies route tables or security groups that require additional review
Business tags
  • Project: Identifies the project supported by the resource
  • Owner: Identifies who’s responsible for managing the resource
  • Cost Center/Business Unit: Identifies the business unit or cost center linked to the resource
  • Customer: Identifies the client who relies on the resource
Security tags
  • Confidentiality: Identifies the data confidentiality level supported by the resource
  • Compliance: Identifies workloads required to follow specific compliance requirements

Best Practices for Tagging in AWS Resources

When naming your tags, use a case-sensitive, standardized format and apply those tags consistently across all resources. Be sure your new labels do not contain any sensitive or personally identifiable information, and design your tags so that they can be reused for multiple purposes.

Remember, since the goal of mandatory tagging is to better organize and manage your AWS resources, don't hold back on the number of tags you create. It's better to have too many tags than not enough. Finally, leverage low-code automation tools like Steampipe to simplify your resource management and enforce mandatory AWS tags.

Setting up Mandatory Tags in AWS

Once you’ve designed a tag policy, go into your organization's AWS management account and ensure you have service control policies (SCPs) enabled. Create a new SCP and add all relevant details. Select "Add actions" to select the resources you wish to control. Use "Add condition" to define any condition keys to include with your policy. Alternatively, you can use the JSON editor to manually create an SCP.
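As an added example (not from the original post), the script below generates the JSON for such an SCP from a list of mandatory tag keys and models which requests it would deny. The EC2 action and resource ARN are assumptions chosen for illustration, and `denied_by` is a simplified local model, not AWS's policy evaluation engine.

```python
import json

# Tag keys copied from the check command used later in this post.
MANDATORY_TAGS = ["Application", "Environment", "Department", "Owner"]
# Assumption: only EC2 instance launches are covered; extend both lists for
# other services whose create actions support aws:RequestTag.
ACTIONS = ["ec2:RunInstances"]
RESOURCES = ["arn:aws:ec2:*:*:instance/*"]


def build_scp(tags, actions=ACTIONS, resources=RESOURCES):
    """Build an SCP that denies creation when ANY mandatory tag is missing.

    Each tag gets its own Deny statement: keys inside one condition block are
    ANDed, so a single statement listing every tag would only deny requests
    that are missing all of them.
    """
    statements = []
    for tag in tags:
        sid = "".join(ch for ch in tag if ch.isalnum())  # Sid must be alphanumeric
        statements.append({
            "Sid": f"DenyCreateWithout{sid}",
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def denied_by(scp, action, request_tags):
    """Simplified local model (exact action match, Null conditions only).

    Returns the Sids of the statements that would deny the request.
    """
    hits = []
    for stmt in scp["Statement"]:
        if action not in stmt["Action"]:
            continue
        null_checks = stmt["Condition"]["Null"].items()
        if all((key.split("/", 1)[1] not in request_tags) == (want == "true")
               for key, want in null_checks):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    scp = build_scp(MANDATORY_TAGS)
    print(json.dumps(scp, indent=2))
    # Constructed request: two of the four mandatory tags are missing.
    print(denied_by(scp, "ec2:RunInstances", {"Application": "shop", "Owner": "ops"}))
```

The printed JSON can be pasted into the SCP JSON editor mentioned above.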

How to Enforce Mandatory Tags in AWS

Tools like the Steampipe CLI let you automatically run SQL scripts to check for untagged resources within your AWS environments. Use the following steps to manually check for AWS resources that are missing any mandatory tags. As a prerequisite, you’ll need the AWS Client running on your computer.

Step 1: Install the Steampipe CLI

Follow the installation steps for Mac, Windows, or Linux. It is a simple one-step installer, so it shouldn’t take long to get started.

Then run this command to install the AWS plugin, which this use case requires:

steampipe plugin install aws

Step 2: Clone the mod repository

To clone the mod repository, just run this command:

git clone
cd steampipe-mod-aws-tags

Step 3: Check for mandatory tags

Next, you should run this command to check for mandatory tags, customizing the variables as needed:

steampipe check aws_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'

If you want to look into additional customizations for your instance, you can find the relevant information on Steampipe controls here.

Better Cloud Management With Mandatory AWS Tags

AWS tags are great to use in your test environment to ensure you don't accidentally deploy the wrong resources with projects. Furthermore, using mandatory tags throughout your AWS environment makes it easier to search, filter, and organize your resources.

Automate Checks like this with Blink:

For quick checks like this, using a specific CLI tool or script might get the job done, but it can be hard to incorporate into your regular Day 2 practice. With a free Blink account, you can schedule checks just like this one in a few clicks.

Get started and create your free Blink account today.
