

# AWS Organizations tag policies
<a name="tag-policies-orgs"></a>

A [tag policy](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_tag-policies.html) is a type of policy that you create in AWS Organizations. You can use tag policies to help standardize tags across the resources in your organization's accounts. To use tag policies, we recommend that you follow the workflows described in [Getting started with tag policies](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_tag-policies-getting-started.html) in the *AWS Organizations User Guide*. As mentioned on that page, the recommended workflows include finding and correcting noncompliant tags. To accomplish these tasks, you use the Tag Editor console.

## Prerequisites and permissions
<a name="tag-policies-prereqs"></a>

Before you can evaluate compliance with tag policies in Tag Editor, you must meet the requirements and set the necessary permissions. 

**Topics**
+ [Prerequisites for evaluating compliance with tag policies](#tag-policies-prereqs-overview)
+ [Permissions for evaluating compliance for an account](#tag-policies-permissions-account)
+ [Permissions for evaluating organization-wide compliance](#tag-policies-permissions-org)
+ [Amazon S3 bucket policy for report storage](#bucket-policy)

### Prerequisites for evaluating compliance with tag policies
<a name="tag-policies-prereqs-overview"></a>

Evaluating compliance with tag policies requires the following:
+ You must first enable the feature in AWS Organizations, and create and attach tag policies. For more information, see the following pages in the *AWS Organizations User Guide*:
  + [Prerequisites and permissions for managing tag policies](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_tag-policies-prereqs.html)
  + [Enabling tag policies](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_enable-disable.html)
  + [Getting started with tag policies](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_tag-policies-getting-started.html)
+ To [**find noncompliant tags on an account's resources**](tag-policies-orgs-finding-noncompliant-tags.md), you need sign-in credentials for that account and the permissions listed in [Permissions for evaluating compliance for an account](#tag-policies-permissions-account).
+ To [**evaluate organization-wide compliance**](tag-policies-orgs-evaluating-org-wide-compliance.md), you need sign-in credentials for the organization's management account and the permissions listed in [Permissions for evaluating organization-wide compliance](#tag-policies-permissions-org). You can request the compliance report only from the US East (N. Virginia) AWS Region.

### Permissions for evaluating compliance for an account
<a name="tag-policies-permissions-account"></a>

Finding noncompliant tags on an account's resources requires the following permissions:
+ `organizations:DescribeEffectivePolicy` – To get the contents of the effective tag policy for the account.
+ `tag:GetResources` – To get a list of resources that don't comply with the attached tag policy.
+ `tag:TagResources` – To add or update tags. You also need service-specific permissions to create tags. For example, to tag resources in Amazon Elastic Compute Cloud (Amazon EC2), you need permissions for `ec2:CreateTags`.
+ `tag:UnTagResources` – To remove a tag. You also need service-specific permissions to remove tags. For example, to untag resources in Amazon EC2, you need permissions for `ec2:DeleteTags`.

The following example AWS Identity and Access Management (IAM) policy provides permissions for evaluating tag compliance for an account.

------
#### [ JSON ]


```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EvaluateAccountCompliance",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeEffectivePolicy",
                "tag:GetResources",
                "tag:TagResources",
                "tag:UnTagResources"
            ],
            "Resource": "*"
        }
    ]
}
```

------

For more information about IAM policies and permissions, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).

### Permissions for evaluating organization-wide compliance
<a name="tag-policies-permissions-org"></a>

Evaluating organization-wide compliance with tag policies requires the following permissions:
+ `organizations:DescribeEffectivePolicy` – To get the contents of the tag policy that's attached to the organization, organizational unit (OU), or account.
+ `tag:GetComplianceSummary` – To get a summary of noncompliant resources in all accounts in the organization.
+ `tag:StartReportCreation` – To export the results of the most recent compliance evaluation to a file. Organization-wide compliance is evaluated every 48 hours. 
+ `tag:DescribeReportCreation` – To check the status of report creation.
+ `s3:ListAllMyBuckets` – To assist with accessing the organization-wide compliance report.
+ `s3:GetBucketAcl` – To inspect the Access Control List (ACL) of the Amazon S3 bucket receiving the compliance report.
+ `s3:GetObject` – To retrieve the compliance report from the service-owned Amazon S3 bucket.
+ `s3:PutObject` – To place the compliance report in the specified Amazon S3 bucket.

If the Amazon S3 bucket where the report is being delivered is encrypted via SSE-KMS, you must also have the `kms:GenerateDataKey` permission for that bucket. 

The following example IAM policy provides permissions for evaluating organization-wide compliance. Replace each *placeholder* with your own information: 
+ *`bucket_name`* – Your Amazon S3 bucket name 
+ *`organization_id`* – Your organization's ID 

------
#### [ JSON ]


```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EvaluateAccountCompliance",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeEffectivePolicy",
                "tag:StartReportCreation",
                "tag:DescribeReportCreation",
                "tag:GetComplianceSummary",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetBucketAclForReportDelivery",
            "Effect": "Allow",
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket_name",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "tagpolicies.tag.amazonaws.com"
                }
            }
        },
        {
            "Sid": "GetObjectForReportDelivery",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*/tag-policy-compliance-reports/*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "tagpolicies.tag.amazonaws.com"
                }
            }
        },
        {
            "Sid": "PutObjectForReportDelivery",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket_name/AwsTagPolicies/organization_id/*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "tagpolicies.tag.amazonaws.com"
                },
                "StringLike": {
                    "s3:x-amz-copy-source": "*/tag-policy-compliance-reports/*"
                }
            }
        }
    ]
}
```

------

For more information about IAM policies and permissions, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).

### Amazon S3 bucket policy for report storage
<a name="bucket-policy"></a>

To create an organization-wide compliance report, the identity that you use to call the `StartReportCreation` API must have access to an Amazon Simple Storage Service (Amazon S3) bucket in the US East (N. Virginia) Region to store the report. Tag Policies uses the credentials of the calling identity to deliver the compliance report to the specified bucket. 

If the bucket and the identity being used to call the `StartReportCreation` API *belong to the same account*, additional Amazon S3 bucket policies are not needed for this use case. 

If the account associated with the identity used to call the `StartReportCreation` API is *different* from the account that owns the Amazon S3 bucket, the following bucket policy must be attached to the bucket. Replace each *placeholder* with your own information: 
+ *`bucket_name`* – Your Amazon S3 bucket name 
+ *`organization_id`* – Your organization's ID 
+ *`identity_ARN`* – The ARN of the IAM identity used to call the `StartReportCreation` API 

------
#### [ JSON ]


```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccountTagPolicyACL",
            "Effect": "Allow",
            "Principal": {
                "AWS": "identity_ARN"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "CrossAccountTagPolicyBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": "identity_ARN"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket_name/AwsTagPolicies/organization_id/*"
        }
    ]
}
```

------

# Evaluating compliance for an account
<a name="tag-policies-orgs-finding-noncompliant-tags"></a>

You can evaluate the compliance of an account in your organization with its effective tag policy.

**Important**  
Untagged resources don't appear as noncompliant in results.  
To find untagged resources in your account, use AWS Resource Explorer with a query that uses **tag:none**. For more information, see [Search for untagged resources](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-examples.html#example-1) in the *AWS Resource Explorer User Guide*.

The *[effective tag policy](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_tag-policies-effective.html)* specifies the tagging rules that apply to an account. The effective tag policy is the aggregation of any tag policies that the account inherits, plus any tag policy directly attached to the account. When you attach a tag policy to the organization root, it applies to all accounts in your organization. When you attach a tag policy to an organizational unit (OU), it applies to all accounts and OUs that belong to the OU.

**Note**  
If you haven't yet created tag policies, see [Getting started with tag policies](https://docs.aws.amazon.com//organizations/latest/userguide/tag-policies-getting-started.html) in the *AWS Organizations User Guide*.

To find noncompliant tags, you must have the following permissions:
+ `organizations:DescribeEffectivePolicy`
+ `tag:GetResources`
+ `tag:TagResources`
+ `tag:UntagResources`

**To evaluate an account's compliance with its effective tag policy (console)**

1. While signed in to the account whose compliance you want to check, open the [Tag Policies console](https://console.aws.amazon.com/resource-groups/tag-policies/).

1. The **Effective tag policy** section shows when the policy was last updated and the defined tag keys. You can expand a tag key to see information about its values, case treatment, and whether the values are enforced for specific resource types.
**Note**  
If you're signed in to the management account, you need to choose an account to see its effective policy and view compliance information.

1. In the **Resources with noncompliant tags** section, specify which AWS Region to search for noncompliant tags. Optionally, you can also search by resource type. Then choose **Search resources**.

   Real-time results are shown in the **Search results** section. To change the number of results returned per page or the columns to display, choose the settings icon. 

1. In the search results, select a resource with noncompliant tags.

1. In the dialog box that lists the resource's tags, choose the hyperlink to open the AWS service where the resource was created. From that console, correct the noncompliant tag.
**Tip**  
If you're not sure which tags are noncompliant, go to the **Effective tag policy** section for the account in the Tag Policies console. You can expand a tag key to view its tagging rules. 

1. Repeat the process of finding and correcting tags until the account resources that you care about are compliant in each Region.

**To find noncompliant tags (AWS CLI, AWS API)**  
Use the following commands and operations to find noncompliant tags:
+ AWS Command Line Interface (AWS CLI):
  + [get-resources](https://docs.aws.amazon.com//cli/latest/reference/resourcegroupstaggingapi/get-resources.html)
  + [tag-resources](https://docs.aws.amazon.com//cli/latest/reference/resourcegroupstaggingapi/tag-resources.html)
  + [untag-resources](https://docs.aws.amazon.com//cli/latest/reference/resourcegroupstaggingapi/untag-resources.html)

  For the complete procedure for using tag policies in the AWS CLI, see [Using tag policies in the AWS CLI](https://docs.aws.amazon.com//organizations/latest/userguide/tag-policy-cli.html) in the *AWS Organizations User Guide*.
+ AWS Resource Groups Tagging API:
  + [GetResources](https://docs.aws.amazon.com//resourcegroupstagging/latest/APIReference/API_GetResources.html)
  + [TagResources](https://docs.aws.amazon.com//resourcegroupstagging/latest/APIReference/API_TagResources.html)
  + [UntagResources](https://docs.aws.amazon.com//resourcegroupstagging/latest/APIReference/API_UntagResources.html)
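The find-and-correct loop above, driven through the API instead of the console, as an added example (it is not code from the AWS documentation). It assumes boto3 clients for AWS Organizations and the Resource Groups Tagging API are created by the caller, the function names are hypothetical, and the effective-policy JSON shapes it accepts are an assumption to verify against your own organization. The service computes compliance for you (`IncludeComplianceDetails` with `ExcludeCompliantResources`), so the script only has to decide what is safe to fix: a key that differs from the policy only in case is re-tagged under the correct key with its existing value, while anything involving a wrong value is put on a review list rather than guessed.

```python
"""Find noncompliant tags in one account and plan safe fixes.

Added example, not AWS documentation code. Callers pass in boto3 clients
for Organizations and the Resource Groups Tagging API ("resourcegroupstaggingapi").
"""
import json


def parse_effective_policy(policy_content):
    """Return {expected_key: [allowed_values]} from the effective tag policy.

    `policy_content` is resp["EffectivePolicy"]["PolicyContent"] from
    organizations:DescribeEffectivePolicy(PolicyType="TAG_POLICY").
    Accepts both the resolved form ("tag_key": "CostCenter") and the
    operator form ("tag_key": {"@@assign": "CostCenter"}); which one you
    get back is an assumption to check.
    """
    def unwrap(node, default):
        if isinstance(node, dict):
            return node.get("@@assign", default)
        return default if node is None else node

    rules = {}
    for spec in json.loads(policy_content).get("tags", {}).values():
        key = unwrap(spec.get("tag_key"), None)
        if key:
            rules[key] = list(unwrap(spec.get("tag_value"), []))
    return rules


def noncompliant_in_page(page):
    """Pull the noncompliant entries out of one GetResources page."""
    found = []
    for item in page.get("ResourceTagMappingList", []):
        details = item.get("ComplianceDetails", {})
        if details.get("ComplianceStatus", True):
            continue                      # compliant or no details: nothing to do
        found.append({
            "arn": item["ResourceARN"],
            "tags": {t["Key"]: t["Value"] for t in item.get("Tags", [])},
            "bad_keys": details.get("NoncompliantKeys", []),
            "bad_values": details.get("KeysWithNoncompliantValues", []),
        })
    return found


def noncompliant_resources(tag_client, resource_types=None):
    """tag:GetResources with server-side compliance evaluation, paginated."""
    params = {"IncludeComplianceDetails": True, "ExcludeCompliantResources": True}
    if resource_types:
        params["ResourceTypeFilters"] = resource_types   # e.g. ["ec2:instance"]
    pages = tag_client.get_paginator("get_resources").paginate(**params)
    return [r for page in pages for r in noncompliant_in_page(page)]


def plan_fixes(resource, rules):
    """Propose untag/tag pairs only for key-case mismatches; keys with a
    wrong value are listed for review, never rewritten with a guess."""
    canonical = {k.lower(): k for k in rules}
    plan = {"arn": resource["arn"], "untag": [], "tag": {}, "review": []}
    for key in resource["bad_keys"]:
        wanted = canonical.get(key.lower())
        if wanted and wanted != key and key not in resource["bad_values"]:
            plan["untag"].append(key)
            plan["tag"][wanted] = resource["tags"][key]
        else:
            plan["review"].append(key)
    plan["review"].extend(k for k in resource["bad_values"] if k not in plan["review"])
    return plan


def apply_plan(tag_client, plan, dry_run=True):
    """tag:TagResources first, then tag:UnTagResources, so the resource is
    never left without the key. Returns True if anything was changed."""
    if dry_run or not plan["tag"]:
        return False
    tag_client.tag_resources(ResourceARNList=[plan["arn"]], Tags=plan["tag"])
    if plan["untag"]:
        tag_client.untag_resources(ResourceARNList=[plan["arn"]], TagKeys=plan["untag"])
    return True


# Constructed sample data (not real API output) so the file runs offline.
SAMPLE_POLICY = json.dumps({"tags": {"costcenter": {
    "tag_key": {"@@assign": "CostCenter"},
    "tag_value": {"@@assign": ["Sales", "Marketing"]}}}})
SAMPLE_PAGE = {"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example1",
     "Tags": [{"Key": "costcenter", "Value": "Sales"}],
     "ComplianceDetails": {"NoncompliantKeys": ["costcenter"],
                           "KeysWithNoncompliantValues": [], "ComplianceStatus": False}},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0example2",
     "Tags": [{"Key": "CostCenter", "Value": "sales"}],
     "ComplianceDetails": {"NoncompliantKeys": [],
                           "KeysWithNoncompliantValues": ["CostCenter"], "ComplianceStatus": False}},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0example3",
     "Tags": [{"Key": "CostCenter", "Value": "Sales"}],
     "ComplianceDetails": {"ComplianceStatus": True}},
]}

if __name__ == "__main__":
    rules = parse_effective_policy(SAMPLE_POLICY)
    for res in noncompliant_in_page(SAMPLE_PAGE):
        print(plan_fixes(res, rules))   # dry run: nothing is changed
```

In a real account you would replace `SAMPLE_PAGE` with `noncompliant_resources(tag_client)` and keep `dry_run=True` until the printed plans look right; the identity running it needs exactly the four permissions listed for account-level evaluation plus the service-specific tagging permissions (`ec2:CreateTags`, `ec2:DeleteTags`, and so on).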

**Next steps**  
We recommend that you repeat the process of finding and correcting compliance issues. Continue until the account's resources that you care about are compliant with the effective tag policy in each Region.

Finding and correcting noncompliant tags is an iterative process for multiple reasons, including the following:
+ Your organization's use of tag policies can evolve over time.
+ Changing how resources are created across your organization takes time.
+ Compliance can change whenever a new resource is created or new tags are assigned to a resource.
+ An account's effective tag policy is updated whenever a tag policy is attached to or detached from it. The effective tag policy is also updated whenever the tag policies that the account inherits change.

If you're signed in as the management account in the organization, you can also generate a report. This report shows information about all tagged resources in your organization's accounts. For more information, see [Evaluating organization-wide compliance](tag-policies-orgs-evaluating-org-wide-compliance.md).

# Evaluating organization-wide compliance
<a name="tag-policies-orgs-evaluating-org-wide-compliance"></a>

You can evaluate your organization's compliance with its effective tag policy. You can generate a report that lists all tagged resources in accounts across your organization and whether each resource is compliant with the effective tag policy.

**Important**  
Untagged resources don't appear as noncompliant in results.   
To find untagged resources in your account, use AWS Resource Explorer with a query that uses **tag:none**. For more information, see [Search for untagged resources](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-examples.html#example-1) in the *AWS Resource Explorer User Guide*.

You can generate the report from your organization's management account in the `us-east-1` AWS Region only. The account generating the report must have access to an Amazon S3 bucket in the US East (N. Virginia) Region. The bucket must have an attached bucket policy as shown in [Amazon S3 bucket policy for report storage](tag-policies-orgs.md#bucket-policy).

To generate an organization-wide compliance report, you must have the following permissions:
+ `organizations:DescribeEffectivePolicy`
+ `tag:GetComplianceSummary`
+ `tag:StartReportCreation`
+ `tag:DescribeReportCreation`
+ `s3:ListAllMyBuckets`
+ `s3:GetBucketAcl`
+ `s3:GetObject`
+ `s3:PutObject`

For an example IAM policy displaying these permissions, review [Permissions for evaluating organization-wide compliance](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-policies-orgs.html#tag-policies-permissions-org).

**To generate an organization-wide compliance report (console)**

1. Open the [Tag Policies console](https://console.aws.amazon.com/resource-groups/tag-policies/).

1. Choose the **This organization root** tab, and near the bottom of the page, choose **Generate report**.

1. On the **Generate report** screen, specify where to store the report. 

1. Choose **Start exporting**.

When the report is complete, you can download it from the **Noncompliance report** section on the **Organization root** tab. 

**Notes**  
Organization-wide compliance is evaluated every 48 hours. This has the following consequences:  
+ It can take up to 48 hours for changes to a tag policy or to resources to be shown in the organization-wide compliance report. For example, assume that you have a tag policy that defines a new standardized tag for a resource type. Resources of that type that don't have this tag can show as compliant in the report for up to 48 hours.
+ Although you can generate the report at any time, report results aren't updated until the next evaluation is complete.

The **NoncompliantKeys** column lists tag keys on the resource that are noncompliant with the effective tag policy.  
The **KeysWithNonCompliantValues** column lists keys defined in the effective policy that are on the resource with either incorrect case treatment or noncompliant values.  
If you close an AWS account that was a member of the organization, it can continue to appear in the tag compliance report for up to 90 days.

**To generate an organization-wide compliance report (AWS CLI, AWS API)**  
Use the following commands and operations to generate an organization-wide compliance report, check on its status, and view the report:
+ AWS Command Line Interface (AWS CLI):
  + [start-report-creation](https://docs.aws.amazon.com//cli/latest/reference/resourcegroupstaggingapi/start-report-creation.html)
  + [describe-report-creation](https://docs.aws.amazon.com//cli/latest/reference/resourcegroupstaggingapi/describe-report-creation.html)
  + [get-compliance-summary](https://docs.aws.amazon.com//cli/latest/reference/resourcegroupstaggingapi/get-compliance-summary.html)

  For the complete procedure for using tag policies in the AWS CLI, see [Using tag policies in the AWS CLI](https://docs.aws.amazon.com//organizations/latest/userguide/tag-policy-cli.html) in the *AWS Organizations User Guide*.
+ AWS API:
  + [StartReportCreation](https://docs.aws.amazon.com//resourcegroupstagging/latest/APIReference/API_StartReportCreation.html)
  + [DescribeReportCreation](https://docs.aws.amazon.com//resourcegroupstagging/latest/APIReference/API_DescribeReportCreation.html)
  + [GetComplianceSummary](https://docs.aws.amazon.com//resourcegroupstagging/latest/APIReference/API_GetComplianceSummary.html)
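The three operations above chained into one workflow, as an added example that is not code from the AWS documentation: start the report, poll until it is ready, then use the compliance summary to rank accounts by noncompliant resource count. It assumes a boto3 `resourcegroupstaggingapi` client created in `us-east-1` under management-account credentials, that `LastUpdated` in the summary is an ISO 8601 string, and that the S3 path and account IDs in the stub client are constructed placeholders; the function and stub names are hypothetical. Because the underlying evaluation only runs every 48 hours, the summary step also flags accounts whose newest evaluation is older than one cycle, so a "clean" number is not mistaken for current data.

```python
"""Organization-wide tag compliance: start the report, wait for it, and
summarize noncompliance per account.

Added example, not AWS documentation code. The caller supplies a boto3
"resourcegroupstaggingapi" client in us-east-1; StubTaggingClient below is a
constructed stand-in so the file runs offline.
"""
import time
from collections import Counter
from datetime import datetime, timedelta, timezone

REPORT_REGION = "us-east-1"                # the only Region that can create the report
EVALUATION_INTERVAL = timedelta(hours=48)  # evaluation cadence stated in the docs


def start_report(tag_client, bucket):
    """tag:StartReportCreation into `bucket` (the bucket must also be in us-east-1)."""
    region = tag_client.meta.region_name
    if region != REPORT_REGION:
        raise ValueError(f"report creation is only available in {REPORT_REGION}, "
                         f"but the client is in {region}")
    tag_client.start_report_creation(S3Bucket=bucket)


def wait_for_report(tag_client, timeout=900, poll=15, sleep_fn=time.sleep):
    """Poll tag:DescribeReportCreation until SUCCEEDED; return the S3 location."""
    deadline = time.monotonic() + timeout
    while True:
        status = tag_client.describe_report_creation()
        state = status.get("Status")
        if state == "SUCCEEDED":
            return status["S3Location"]
        if state in ("FAILED", "NO REPORT"):
            raise RuntimeError(f"{state}: {status.get('ErrorMessage', '')}")
        if time.monotonic() > deadline:
            raise TimeoutError("report still RUNNING after timeout")
        sleep_fn(poll)


def _parse_timestamp(value):
    """LastUpdated is assumed to be an ISO 8601 string with a 'Z' suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def noncompliance_by_account(tag_client, now=None):
    """tag:GetComplianceSummary grouped by account. Returns (counts, stale):
    counts sums NonCompliantResources across Regions per account; stale holds
    accounts whose newest summary is older than one 48-hour evaluation cycle."""
    now = now or datetime.now(timezone.utc)
    counts, newest = Counter(), {}
    paginator = tag_client.get_paginator("get_compliance_summary")
    for page in paginator.paginate(GroupBy=["TARGET_ID"]):
        for row in page.get("SummaryList", []):
            acct = row["TargetId"]
            counts[acct] += row.get("NonCompliantResources", 0)
            ts = _parse_timestamp(row["LastUpdated"])
            newest[acct] = max(newest.get(acct, ts), ts)
    stale = {a for a, ts in newest.items() if now - ts > EVALUATION_INTERVAL}
    return counts, stale


class StubTaggingClient:
    """Constructed offline stand-in for the boto3 client; every response
    below is made up for this example and is not real API output."""
    class meta:
        region_name = REPORT_REGION

    def __init__(self):
        self.bucket, self.polls = None, 0

    def start_report_creation(self, S3Bucket):
        self.bucket = S3Bucket

    def describe_report_creation(self):
        self.polls += 1                      # "runs" for two polls, then succeeds
        if self.polls < 3:
            return {"Status": "RUNNING"}
        return {"Status": "SUCCEEDED",
                "S3Location": f"s3://{self.bucket}/AwsTagPolicies/o-exampleorgid/report.csv"}

    def get_paginator(self, name):
        rows = [  # two Regions for one account, one stale account (constructed)
            {"TargetId": "111122223333", "TargetIdType": "ACCOUNT", "Region": "us-east-1",
             "NonCompliantResources": 3, "LastUpdated": "2024-01-09T12:00:00Z"},
            {"TargetId": "111122223333", "TargetIdType": "ACCOUNT", "Region": "us-west-2",
             "NonCompliantResources": 2, "LastUpdated": "2024-01-09T12:00:00Z"},
            {"TargetId": "444455556666", "TargetIdType": "ACCOUNT", "Region": "us-east-1",
             "NonCompliantResources": 1, "LastUpdated": "2024-01-05T12:00:00Z"},
        ]
        return type("Paginator", (), {"paginate": lambda self, **kw: [{"SummaryList": rows}]})()


if __name__ == "__main__":
    # Real use: client = boto3.client("resourcegroupstaggingapi", region_name=REPORT_REGION)
    client = StubTaggingClient()
    start_report(client, "example-report-bucket")
    print("report at", wait_for_report(client, sleep_fn=lambda s: None))
    counts, stale = noncompliance_by_account(client, now=_parse_timestamp("2024-01-10T00:00:00Z"))
    for acct, n in counts.most_common():
        print(acct, n, "(evaluation older than 48h)" if acct in stale else "")
```

The region check in `start_report` fails fast rather than letting the call be rejected by the service, and `wait_for_report` takes an injectable `sleep_fn` so the polling loop can be exercised without waiting; with a real client, leave the default and expect the report to land under `AwsTagPolicies/<organization_id>/` in the bucket named, which is why the IAM and bucket policies earlier on this page scope `s3:PutObject` to that prefix.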