v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 2.3 Ensure Tag Policies are enabled

Description

Tag policies help you standardize tags on all tagged resources across your organization.

You can use tag policies to define tag keys (including how they should be capitalized) and their allowed values.

Remediation

From Console:

You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  1. Login to AWS Organizations using https://console.aws.amazon.com/organizations/.
  2. In the Left pane click on Policies.
  3. Click on Tag policies.
  4. Click on Enable Tag Policies.
  5. The page is update with a list of the Available policies and the ability to create one.

From Command Line:

You must use an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  1. Run the enable-policy-type command
aws organizations enable-policy-type --root-id <RootID> --policy-type
TAG_POLICIES

The list of PolicyTypes in the output will now include the specified policy type with the Status of ENABLED.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_2_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_3 --share

SQL

This control uses a named query:

organizational_tag_policies_enabled

Tags

category = Compliance
cis = true
cis_item_id = 2.3
cis_level = 1
cis_section_id = 2
cis_type = manual
cis_version = v1.0.0
plugin = aws
service = AWS/Organization