Validate and enforce required tags in CloudFormation, Terraform and Pulumi with Tag Policies

AWS Organizations Tag Policies
AWS Organizations Tag Policies introduces Reporting for Required Tags, a new validation check that ensures CloudFormation, Terraform, and Pulumi deployments include required tags critical to your business. This feature enforces tagging consistency across AWS environments.
What to do
- Define your tag policy
- Enable validation in each IaC tool
Tag Policies enforce consistent tagging across AWS accounts with proactive compliance, governance, and control. You can specify mandatory tag keys and enforce guardrails for IaC deployments. For example, ensure all EC2 instances have “Environment”, “Owner”, and “Application” tags.
Activate validation by using the AWS::TagPolicies::TaggingComplianceValidator Hook in CloudFormation, adding validation logic in your Terraform plan, or activating the aws-organizations-tag-policies pre-built policy pack in Pulumi. This ensures resources like EC2 instances include the required tags.
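To illustrate the Terraform route, the example below checks the JSON form of a plan for the three EC2 tags named above, before anything is applied. It is an added example, not AWS's validation logic or code from the release notes; the REQUIRED_TAGS mapping, the function name and the sample plan are assumptions constructed here.

```python
import json

# Assumption: required keys per Terraform resource type, from the page's EC2 example.
REQUIRED_TAGS = {"aws_instance": ("Environment", "Owner", "Application")}

def missing_required_tags(plan, required=REQUIRED_TAGS):
    """Return {address: [problem, ...]} for resources the plan creates or updates."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        keys = required.get(rc.get("type"))
        change = rc.get("change") or {}
        after = change.get("after")
        writes = {"create", "update"} & set(change.get("actions", []))
        if not keys or after is None or not writes:
            continue  # untracked type, delete, or no-op
        unknown = (change.get("after_unknown") or {}).get("tags_all")
        if unknown is True:
            findings[rc["address"]] = ["tags not known until apply"]
            continue
        # tags_all merges provider default_tags with the resource's own tags.
        tags = after.get("tags_all") or after.get("tags") or {}
        deferred = unknown if isinstance(unknown, dict) else {}
        by_lower = {k.lower(): k for k in tags}
        problems = []
        for key in keys:
            if key in tags or deferred.get(key):
                continue  # present, or value computed at apply time
            if key.lower() in by_lower:
                problems.append(f"{key}: wrong case ({by_lower[key.lower()]})")
            else:
                problems.append(f"{key}: missing")
        if problems:
            findings[rc["address"]] = problems
    return findings

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_instance.web", "type": "aws_instance", "change": {
   "actions": ["create"], "after_unknown": {},
   "after": {"tags_all": {"Environment": "prod", "owner": "team-a"}}}},
 {"address": "aws_instance.db", "type": "aws_instance", "change": {
   "actions": ["create"], "after_unknown": {},
   "after": {"tags_all": {"Environment": "prod", "Owner": "b", "Application": "billing"}}}},
 {"address": "aws_instance.old", "type": "aws_instance", "change": {
   "actions": ["delete"], "after": null, "after_unknown": {}}}
]}""")

if __name__ == "__main__":
    for address, problems in missing_required_tags(SAMPLE_PLAN).items():
        print(address, "->", "; ".join(problems))
```

AWS tag keys are case-sensitive, so the check reports `owner` as a near miss for `Owner` instead of accepting it.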
You can use this feature via the AWS Management Console, AWS CLI, and AWS SDK. It is available in the AWS Regions where Tag Policies is available.
Source: AWS release notes
If you need further guidance on AWS, our experts are available at AWS@westloop.io. You may also reach us by submitting the Contact Us form.



