Tag Policies
Tag policies provide a means to centrally decide which tags are attached to the AWS resources across your organization. A tag policy consists of rules that define, for each tag, the tag key including its capitalization (for example, costcenter or CostCenter), the tag values that are valid (this is optional), and whether non-compliant tagging operations should be prevented. These rules are combined into a policy document written in JSON, which can be attached to individual accounts, OUs, or your entire organization.
First, tag policies can be used to standardize tagging across your entire organization. They can then be used to define naming conventions, such as deciding which tag name capitalization to apply (for example, CostCenter, Costcenter, costCenter, or costcenter) as well as tag name structure. Tag names can contain alphanumerical characters plus some special characters (+, -, =, ., _, :, /, and @). The aws: prefix is reserved by AWS for its own tags (for instance, aws:createdBy), so you can't use it for your custom tags. However, you could define your own naming convention based on a format such as <company>:<team>:<key> (for instance, examplecorp:marketing:campaign202101). Keep in mind, though, that a tag's total key length (so, in this case, <company>:<team>:<key>) is limited to 128 Unicode characters in Unicode Transformation Format 8 (UTF-8). Further, security policies are also limited in size, and the limit varies depending on the type of policy, as we saw in Chapter 1, Determining an Authentication and Access Control Strategy for Complex Organizations. So, it's in your own best interest to keep tag names short if you plan to use them in security policies.
Second, tag policies can be used either to enforce tagging correctness or simply to report on incorrect tagging. Be aware that not all AWS resources are supported for tag enforcement, so check the AWS documentation to make sure that the behavior you expect is supported (for example, tag enforcement is supported on Amazon Simple Storage Service (S3) buckets but not on S3 objects). Alternatively, you can simply report on which resources across your entire organization comply with your tag policies and which do not.
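The following is an added example, not code from the book or from AWS: a tag policy written in the JSON syntax that AWS Organizations uses (a tags map whose entries carry tag_key, optional tag_value and optional enforced_for, each set with @@assign), together with a small local checker that applies the rules the text describes. The CostCenter rule fixes the capitalization, restricts the value, and is enforced on S3 buckets only; the second rule shows the <company>:<team>:<key> convention. The policy keys, allowed values, resource types and sample tags are constructed, and evaluate_tags is a local approximation of how AWS judges compliance, useful for checking tags before you push them, not a substitute for the service's own compliance report.

```python
from __future__ import annotations

import json
import re

# Added example (not from the book): a tag policy in the JSON syntax that AWS
# Organizations uses, plus a local checker that mirrors how such a policy is
# evaluated. The keys, values and resource types below are constructed.
TAG_POLICY = {
    "tags": {
        "CostCenter": {
            # exact capitalisation that compliant tags must use
            "tag_key": {"@@assign": "CostCenter"},
            # optional list of permitted values
            "tag_value": {"@@assign": ["100", "200", "300"]},
            # resource types on which non-compliant tagging is prevented;
            # the text notes S3 buckets support enforcement but S3 objects do not
            "enforced_for": {"@@assign": ["s3:bucket"]},
        },
        "examplecorp:marketing:campaign": {
            # naming-convention key of the form <company>:<team>:<key>;
            # no tag_value, so any value is accepted, and no enforcement
            "tag_key": {"@@assign": "examplecorp:marketing:campaign"},
        },
    }
}

MAX_KEY_LEN = 128  # tag key limit in UTF-8 characters, as stated in the text
# Characters the text lists as permitted in a tag key
_KEY_CHARS = re.compile(r"^[A-Za-z0-9+\-=._:/@]+$")


def tag_policy_json(policy: dict = TAG_POLICY) -> str:
    """Serialise the policy as the document passed to
    `aws organizations create-policy --type TAG_POLICY --content file://policy.json`."""
    return json.dumps(policy, indent=2)


def validate_tag_key(key: str) -> list[str]:
    """Return the naming-rule violations for a proposed tag key (empty = ok)."""
    problems = []
    if key.lower().startswith("aws:"):
        problems.append("prefix 'aws:' is reserved for AWS-generated tags")
    if len(key) > MAX_KEY_LEN:
        problems.append(f"key is {len(key)} characters, limit is {MAX_KEY_LEN}")
    if not _KEY_CHARS.match(key):
        problems.append("key contains characters outside the permitted set")
    return problems


def evaluate_tags(resource_type: str, tags: dict[str, str],
                  policy: dict = TAG_POLICY) -> list[dict]:
    """Local approximation (assumption) of tag policy compliance: a tag whose key
    matches a policy key case-insensitively but not exactly, or whose value is
    outside the allowed list, is non-compliant. Tags the policy does not cover,
    and covered tags that are simply absent, produce no finding. Each finding
    says whether the operation would be blocked (enforced resource type) or
    merely reported."""
    by_lower = {rule["tag_key"]["@@assign"].lower(): rule
                for rule in policy["tags"].values()}
    findings = []
    for key, value in tags.items():
        rule = by_lower.get(key.lower())
        if rule is None:
            continue
        wanted_key = rule["tag_key"]["@@assign"]
        enforced = resource_type in rule.get("enforced_for", {}).get("@@assign", [])
        if key != wanted_key:
            findings.append({"key": key, "blocked": enforced,
                             "reason": f"key must be spelled {wanted_key!r}"})
        allowed = rule.get("tag_value", {}).get("@@assign")
        if allowed is not None and value not in allowed:
            findings.append({"key": key, "blocked": enforced,
                             "reason": f"value {value!r} not in {allowed}"})
    return findings


if __name__ == "__main__":
    print(tag_policy_json())
    # Constructed resources: a bucket with a wrongly capitalised key (blocked),
    # an object with a bad value (reported only), and a compliant instance.
    for rtype, tags in [("s3:bucket", {"costcenter": "100"}),
                        ("s3:object", {"CostCenter": "999"}),
                        ("ec2:instance", {"CostCenter": "200", "Name": "web"})]:
        print(rtype, evaluate_tags(rtype, tags) or "compliant")
```

Note that a missing tag is never a finding: tag policies constrain how a tag is spelled and what values it may take, but they do not by themselves require that a tag be present. If you need presence, pair the policy with a compliance report or a separate check.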
An organization within AWS Organizations is essentially a group of accounts put together. But the AWS Organizations service provides you with more than just the facility to group accounts—you can also manage those accounts. You can decide how these accounts are structured within your organization (more on this in the Organizing Accounts into OUs section), invite accounts to join your organization, or remove accounts from your organization. Inviting and removing accounts gives the organization’s administrator the flexibility to shape the composition of the organization as needed. This can come in handy in situations when a re-organization happens within your organization, or in cases of mergers, acquisitions, or divestitures. Finally, AWS Organizations allows you both to create and close an account.
To create member accounts, you need to be logged in to the management account of your organization. Once a new account is created, it is automatically joined to your organization. This means that you don’t need to invite that account to join afterward, as it automatically becomes a member account of your organization. It is worth noting that upon creation of a member account, AWS Organizations only copies the necessary information (account name, company name, contact email) from the organization to the newly created account so that it can operate within the organization. It does not populate all the information that a standalone account would need to operate on its own (for instance, there is no payment method provided, since billing and payment are centralized). This consideration becomes important if a member account created by the management account of an organization needs to leave the organization. When you don’t need a member account anymore you can simply close it, again from the management account.
All these operations can be performed from the AWS Management Console, but they can also be called through the AWS Organizations API, the AWS command-line interface (CLI), or the AWS software development kits (SDKs), which is what a savvy system administrator who wishes to automate as many management tasks as possible will use.
Account creation can also be automated. Automating account creation means you can automatically provision an account on demand for anyone in your organization and, at the same time, provision that account with the right scope and context from the get-go. For instance, you may want to set up a new member account in a specific OU. From that OU, the new member account will inherit properties such as SCPs associated with that OU and its parent OUs.
Using the AWS CLI, you would perform the following action to create an account:
aws organizations create-account --email [email protected] --account-name "Account for Bob"
The above command would create an account named Account for Bob associated with the specified email at the root of your organization. If you want to move this account to a specific OU within your organization, you will typically perform a subsequent action, such as the following:
aws organizations move-account --account-id 121212121212 \
    --source-parent-id r-examplerootid123 --destination-parent-id ou-examplerootid123-exampleouid456
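The two CLI commands above can be scripted as one step, as in the following added example, which is not code from the book or from AWS. It uses the AWS Organizations API call names as exposed by the boto3 client (create_account, describe_create_account_status, move_account). The point it adds is that CreateAccount is asynchronous: the call returns a request ID, and the new account ID only becomes available once the status reaches SUCCEEDED, so a script must poll before it can move the account into the OU. The client object is passed in so the flow can be exercised offline against the constructed FakeOrganizations class; for real use you would pass boto3.client("organizations") from the management account. The email address, the request ID and the behaviour of the fake client are constructed; the account, root and OU IDs are the ones used in the commands above.

```python
from __future__ import annotations

import time

# Added example (not from the book): the create-then-move flow scripted against
# the AWS Organizations API. CreateAccount is asynchronous, so the account id is
# only known once DescribeCreateAccountStatus reports SUCCEEDED; only then can
# the account be moved out of the root. `org` is any object exposing the boto3
# organizations client's method names: boto3.client("organizations") from the
# management account for real use, or the constructed FakeOrganizations below.


class AccountCreationFailed(RuntimeError):
    """Raised when AWS reports the creation request FAILED or it never completes."""


def create_account_in_ou(org, email: str, name: str, root_id: str, ou_id: str,
                         poll_seconds: float = 5.0, max_polls: int = 60) -> str:
    """Create a member account and move it from the root to the given OU.
    Returns the new account id."""
    request = org.create_account(Email=email, AccountName=name)
    request_id = request["CreateAccountStatus"]["Id"]

    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            account_id = status["AccountId"]
            break
        if status["State"] == "FAILED":
            raise AccountCreationFailed(status.get("FailureReason", "UNKNOWN"))
        time.sleep(poll_seconds)  # still IN_PROGRESS
    else:
        raise AccountCreationFailed("timed out waiting for CreateAccount")

    # A freshly created account lands in the root; move it so it inherits the
    # OU's SCPs before anyone starts using it.
    org.move_account(AccountId=account_id, SourceParentId=root_id,
                     DestinationParentId=ou_id)
    return account_id


class FakeOrganizations:
    """Constructed in-memory stand-in for the boto3 client (offline only).
    Mimics the asynchronous CreateAccount behaviour and tracks parents."""

    def __init__(self, polls_until_done: int = 2, failure_reason: str | None = None):
        self.polls_until_done = polls_until_done
        self.failure_reason = failure_reason
        self.polls = 0
        self.parents: dict[str, str] = {}  # account id -> parent id
        self.requests: dict[str, dict] = {}

    def create_account(self, Email, AccountName):
        rid = "car-exampleid"  # constructed request id placeholder
        self.requests[rid] = {"Email": Email, "AccountName": AccountName}
        return {"CreateAccountStatus": {"Id": rid, "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1
        status = {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}
        if self.polls >= self.polls_until_done:
            if self.failure_reason:
                status.update(State="FAILED", FailureReason=self.failure_reason)
            else:
                account_id = "121212121212"  # id used in the commands above
                self.parents.setdefault(account_id, "r-examplerootid123")
                status.update(State="SUCCEEDED", AccountId=account_id)
        return {"CreateAccountStatus": status}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        if self.parents.get(AccountId) != SourceParentId:
            # approximates the API's SourceParentNotFoundException
            raise RuntimeError("SourceParentNotFoundException")
        self.parents[AccountId] = DestinationParentId
        return {}


if __name__ == "__main__":
    fake = FakeOrganizations()
    acct = create_account_in_ou(fake, "bob@example.com", "Account for Bob",
                                "r-examplerootid123",
                                "ou-examplerootid123-exampleouid456",
                                poll_seconds=0)
    print(acct, "now under", fake.parents[acct])
```

The polling loop bounds how long the script waits and surfaces the FailureReason that AWS returns (for instance, an email address already in use), so an automation job fails loudly instead of moving an account that does not exist yet.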