Control: 2.4 Ensure an Organizational EC2 Tag Policy has been created
Description
A tag policy enables you to define tag compliance rules to help you maintain consistency in the tags attached to your organization's resources.
You can use an EC2 tag policy to enforce your tag strategy across all of your EC2 resources.
Remediation
From Console:
You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
To create a tag policy:
- Log in to AWS Organizations using https://console.aws.amazon.com/organizations/.
- On the left-hand side, click on Policies.
- Under Support policy types click on Tag policies.
- Under Available policies click on Create policy.
- Enter policy name.
- Enter policy description (Indicate this is the EC2 tag policy).
- For New tag key 1, specify the name of a tag key to add.
- For Tag key capitalization compliance select the box for Use the capitalization to enable this option mandating a specific capitalization for the tag key using this policy.
- For Resource types to enforce check the box for Prevent non-compliant operations for this tag.
- Click on Specify resource types.
- Expand EC2.
- Select ec2:image, ec2:instance, ec2:reserved-instances
- Click Save changes.
- Click Create policy.
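Because this control only reports that manual verification is required, the following added example (not part of the benchmark or of the aws_compliance mod) shows one way to check a tag policy document against the console steps above. It assumes the policy JSON has already been retrieved, for example the Content string returned by `aws organizations describe-policy`; the tag key names and sample policies are constructed, and wildcard entries in `enforced_for` are not interpreted.

```python
import json

# Resource types the remediation steps on this page select under EC2.
REQUIRED_TYPES = {"ec2:image", "ec2:instance", "ec2:reserved-instances"}

def _values(node, operators=("@@assign", "@@append")):
    """Collect values set through tag-policy value-setting operators."""
    out = []
    for op in operators:
        val = (node or {}).get(op, [])
        out.extend(val if isinstance(val, list) else [val])
    return out

def audit_tag_policy(content):
    """Return per-tag-key findings for one tag policy document (JSON string)."""
    findings = {}
    for name, rule in json.loads(content).get("tags", {}).items():
        enforced = set(_values(rule.get("enforced_for")))
        findings[name] = {
            # "tag_key" pins the capitalization of the key when present.
            "case_enforced_key": next(iter(_values(rule.get("tag_key"))), None),
            "missing_enforcement": sorted(REQUIRED_TYPES - enforced),
        }
    return findings

def is_compliant(content):
    """True if some tag key pins capitalization and enforces all three types."""
    return any(f["case_enforced_key"] and not f["missing_enforcement"]
               for f in audit_tag_policy(content).values())

# Constructed sample policies (tag key names are made up for illustration).
GOOD = json.dumps({"tags": {"CostCenter": {
    "tag_key": {"@@assign": "CostCenter"},
    "enforced_for": {"@@assign": ["ec2:image", "ec2:instance",
                                  "ec2:reserved-instances"]}}}})
WEAK = json.dumps({"tags": {"costcenter": {
    "enforced_for": {"@@assign": ["ec2:instance"]}}}})

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, is_compliant(doc), audit_tag_policy(doc))
```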
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_4 --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':::' || account_id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  account_id
from
  aws_account;