Mise en Tag Enforcer
AWS Essential Tags Policy
No enterprise bloat. No complex setup. Just AWS tag enforcement that works.
What This Recipe Does
This recipe deploys an AWS Organizations Tag Policy that standardizes 4 essential tags on the core resource types across your organization: it fixes the capitalization of each tag key, restricts Environment to an approved list of values, and, with enforcement turned on, rejects tagging operations that break those rules. Think of it as your sous-chef for tag governance - it makes sure every label in your kitchen (AWS account) is spelled and filled in consistently. One caveat to keep in mind: a tag policy does not stop someone from creating a resource with no tags at all. If tags must be present at creation time, pair this recipe with a Service Control Policy that uses aws:RequestTag conditions.
Unlike enterprise solutions that require weeks of setup and training, this CloudCostChefs recipe gets you tag enforcement in minutes, not months.
The 4 Essential Tags
Every well-organized cloud kitchen needs these fundamental ingredients for cost control and governance. Tag keys are case-sensitive under a tag policy, so use exactly the capitalization shown here.
Environment
Identifies the deployment environment for proper resource segregation and lifecycle management. Allowed values: Production, Development, Test, Staging.
Owner
Identifies the team or individual responsible for the resource, enabling accountability and a contact for issues. Any value is allowed.
CostCenter
Enables accurate cost allocation and chargeback to the appropriate business unit or department. Any value is allowed.
Application
Groups resources by application or workload for better organization and cost tracking. Any value is allowed.
Supported AWS Resources
Enforcement is scoped to these 14 resource types (the enforced_for list in the policy JSON below); tagging operations on any other resource type are not checked
Compute: ec2:instance, lambda:function, ecs:cluster, ecs:service, eks:cluster
Storage: ec2:volume, s3:bucket
Database: rds:db, rds:cluster
Networking: ec2:vpc, ec2:subnet, ec2:security-group, elasticloadbalancing:loadbalancer, elasticloadbalancing:targetgroup
🚀 Quick Start (PowerShell - Recommended)
Get tag enforcement running in under 5 minutes with our automated PowerShell deployment
Prerequisites
- AWS CLI installed and configured with credentials for the Organizations management account
- AWS Organizations admin permissions, in an organization with all features enabled (tag policies are not available with consolidated billing only)
- PowerShell 5.1 or later
Download the Script
Download the PowerShell script from GitHub, or save it locally as Deploy-EssentialTagsPolicy.ps1, and read through it before running it: it executes with your Organizations admin credentials.
# Download directly from GitHub or save the PowerShell script as Deploy-EssentialTagsPolicy.ps1
Deploy to Organization Root
Replace r-xxxxxxxxx with your organization root ID (shown in the Organizations console, or by `aws organizations list-roots`). Attaching at the root covers every account in the organization, including accounts added later:
# Replace 'r-xxxxxxxxx' with your organization root ID
./Deploy-EssentialTagsPolicy.ps1 -TargetType Root -TargetId "r-xxxxxxxxx"
Deploy to Organizational Unit
Replace ou-xxxxxxxxx with your OU ID (shown in the Organizations console, or by `aws organizations list-organizational-units-for-parent --parent-id <root or parent OU ID>`). The policy applies to that OU and everything nested below it:
# Replace 'ou-xxxxxxxxx' with your OU ID
./Deploy-EssentialTagsPolicy.ps1 -TargetType OrganizationalUnit -TargetId "ou-xxxxxxxxx"
Deploy to Specific Account
Replace 123456789012 with your account ID:
# Replace '123456789012' with your account ID
./Deploy-EssentialTagsPolicy.ps1 -TargetType Account -TargetId "123456789012"
Test First (Recommended)
Always test with -WhatIf to see what would happen before applying:
# Dry run to see what would happen
./Deploy-EssentialTagsPolicy.ps1 -TargetType Root -TargetId "r-xxxxxxxxx" -WhatIf
Advanced Options
Custom Tags and Policy Name
Customize the required tags, policy name, and AWS region:
# Custom tags and policy name (the backtick is PowerShell's line-continuation character)
./Deploy-EssentialTagsPolicy.ps1 `
    -TargetType OrganizationalUnit `
    -TargetId "ou-xxxxxxxxx" `
    -RequiredTags @("Environment", "Owner", "CostCenter", "Application") `
    -PolicyName "my-custom-tag-policy" `
    -Region "us-west-2"
🖱️ Manual Deployment (AWS Console)
If you prefer clicking buttons (we don't judge), here's how to deploy manually
Step 1: Enable Tag Policies
Navigate to AWS Organizations
Go to AWS Console → Search "Organizations" → Select "AWS Organizations"
Enable Tag Policies
Click "Policies" → "Tag policies" → "Enable tag policies" (your organization must have all features enabled; the option is not available in consolidated-billing-only mode)
If already enabled, you'll see existing policies
Step 2: Create Tag Policy
Create Policy
Click "Create policy"
Policy Details
Policy name: essential-tags-policy
Description: CloudCostChefs Essential Tags Policy - Enforces Environment, Owner, CostCenter, and Application tags
Add Policy Content
Copy and paste the JSON policy below (the same file is in our GitHub repository). Tag keys are matched case-sensitively, so this policy rejects a key spelled environment where it requires Environment. In a tag value the only wildcard is *, which on its own allows any value. With enforced_for set, non-compliant tagging operations on the listed resource types are denied; creating a resource with no tags at all is still allowed, so presence of tags has to be required separately, for example by an SCP with aws:RequestTag conditions.
{
"tags": {
"Environment": {
"tag_key": {
"@@assign": "Environment"
},
"tag_value": {
"@@assign": [
"Production",
"Development",
"Test",
"Staging"
]
},
"enforced_for": {
"@@assign": [
"ec2:instance",
"ec2:volume",
"ec2:security-group",
"ec2:vpc",
"ec2:subnet",
"s3:bucket",
"rds:db",
"rds:cluster",
"lambda:function",
"ecs:service",
"ecs:cluster",
"eks:cluster",
"elasticloadbalancing:loadbalancer",
"elasticloadbalancing:targetgroup"
]
}
},
"Owner": {
"tag_key": {
"@@assign": "Owner"
},
"tag_value": {
"@@assign": ["*"]
},
"enforced_for": {
"@@assign": [
"ec2:instance",
"ec2:volume",
"ec2:security-group",
"ec2:vpc",
"ec2:subnet",
"s3:bucket",
"rds:db",
"rds:cluster",
"lambda:function",
"ecs:service",
"ecs:cluster",
"eks:cluster",
"elasticloadbalancing:loadbalancer",
"elasticloadbalancing:targetgroup"
]
}
},
"CostCenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"tag_value": {
"@@assign": ["*"]
},
"enforced_for": {
"@@assign": [
"ec2:instance",
"ec2:volume",
"ec2:security-group",
"ec2:vpc",
"ec2:subnet",
"s3:bucket",
"rds:db",
"rds:cluster",
"lambda:function",
"ecs:service",
"ecs:cluster",
"eks:cluster",
"elasticloadbalancing:loadbalancer",
"elasticloadbalancing:targetgroup"
]
}
},
"Application": {
"tag_key": {
"@@assign": "Application"
},
"tag_value": {
"@@assign": ["*"]
},
"enforced_for": {
"@@assign": [
"ec2:instance",
"ec2:volume",
"ec2:security-group",
"ec2:vpc",
"ec2:subnet",
"s3:bucket",
"rds:db",
"rds:cluster",
"lambda:function",
"ecs:service",
"ecs:cluster",
"eks:cluster",
"elasticloadbalancing:loadbalancer",
"elasticloadbalancing:targetgroup"
]
}
}
}
}
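Here is an added example, written for this page and not part of the CloudCostChefs script, that builds the same policy document from a list of tag keys (the way the -RequiredTags option under Advanced Options is assumed to) and then evaluates constructed tagging requests against it using the rules a tag policy actually applies: exact key capitalization, allowed values with * as the only wildcard, enforcement only on the listed resource types, and no penalty for a tag that is simply missing. The function names evaluate_tagging_request and missing_required_tags and the sample tag sets are my own, not AWS APIs; boto3 is deliberately not used so the script runs offline.

```python
"""Build an Organizations tag policy from a list of required tag keys and
evaluate tagging requests against it with tag policy enforcement rules.
Added example for this page, not the CloudCostChefs script or an AWS API."""
import json
import re

# Resource types the page's policy enforces on (copied from the JSON above).
ENFORCED_RESOURCES = [
    "ec2:instance", "ec2:volume", "ec2:security-group", "ec2:vpc", "ec2:subnet",
    "s3:bucket", "rds:db", "rds:cluster", "lambda:function",
    "ecs:service", "ecs:cluster", "eks:cluster",
    "elasticloadbalancing:loadbalancer", "elasticloadbalancing:targetgroup",
]


def build_tag_policy(required_tags, allowed_values=None, enforced_for=ENFORCED_RESOURCES):
    """Return a tag policy dict: each key gets its exact-case tag_key, its allowed
    values (["*"] means any value) and enforcement on the given resource types."""
    allowed_values = allowed_values or {}
    tags = {}
    for key in required_tags:
        tags[key] = {
            "tag_key": {"@@assign": key},
            "tag_value": {"@@assign": list(allowed_values.get(key, ["*"]))},
            "enforced_for": {"@@assign": list(enforced_for)},
        }
    return {"tags": tags}


def value_matches(value, pattern):
    """Tag policy value matching: exact and case-sensitive, with '*' as the only
    wildcard. '.*' is NOT a regex here; it only matches values starting with a dot."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate_tagging_request(policy, resource_type, tags):
    """Decide whether a tagging request (tag key -> value, as sent with a create
    or TagResources call) on resource_type passes an enforced policy.
    Returns a list of violations; an empty list means the request goes through.
    Rules modelled (assumed to mirror AWS behaviour described on this page):
      * a key matching a policy key case-insensitively must use the policy's
        exact capitalisation;
      * its value must match one of the allowed values/patterns;
      * keys the policy does not mention are never checked;
      * nothing is checked for resource types outside enforced_for;
      * an absent tag is NOT a violation: tag policies do not require presence."""
    violations = []
    rules = {r["tag_key"]["@@assign"].lower(): r for r in policy["tags"].values()}
    for key, value in tags.items():
        rule = rules.get(key.lower())
        if rule is None or resource_type not in rule["enforced_for"]["@@assign"]:
            continue
        expected_key = rule["tag_key"]["@@assign"]
        if key != expected_key:
            violations.append(f"{resource_type}: key {key!r} must be spelled {expected_key!r}")
        allowed = rule["tag_value"]["@@assign"]
        if not any(value_matches(value, pat) for pat in allowed):
            violations.append(f"{resource_type}: value {value!r} for {expected_key!r} not in {allowed}")
    return violations


def missing_required_tags(policy, tags):
    """Policy keys absent from a request. A tag policy lets such a request
    through; blocking it needs an SCP with aws:RequestTag / aws:TagKeys conditions."""
    present = {key.lower() for key in tags}
    return [key for key in policy["tags"] if key.lower() not in present]


if __name__ == "__main__":
    policy = build_tag_policy(
        ["Environment", "Owner", "CostCenter", "Application"],
        {"Environment": ["Production", "Development", "Test", "Staging"]},
    )
    print(json.dumps(policy, indent=2))  # paste-ready policy document
    # Constructed sample requests, not real API traffic.
    ok = {"Environment": "Production", "Owner": "platform-team",
          "CostCenter": "CC-1042", "Application": "billing-api"}
    bad_case = {"environment": "Production", "Owner": "platform-team"}
    print(evaluate_tagging_request(policy, "ec2:instance", ok))        # []
    print(evaluate_tagging_request(policy, "ec2:instance", bad_case))  # one key-spelling violation
    print(evaluate_tagging_request(policy, "ec2:instance", {}))        # [] (untagged passes)
    print(missing_required_tags(policy, bad_case))                     # ['CostCenter', 'Application']
```

Running it prints a policy equivalent to the JSON above and shows the two behaviours worth remembering: a lowercase environment key on an enforced resource is rejected, while a request carrying no tags at all is accepted, which is why presence of tags has to be enforced by a separate SCP.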
Step 3: Attach Policy
Select Target
Choose where to apply the policy: Root (every account in the organization, including accounts added later), an Organizational Unit (that OU and everything nested below it), or a specific Account
Attach Policy
Click "Attach" to enable tag enforcement
Why Tag Enforcement Matters
Proper tagging is the foundation of cloud cost management and governance
Cost Allocation
Accurately track and allocate costs to teams, projects, and business units for proper chargeback and budgeting.
Compliance
Meet regulatory requirements and internal governance policies with consistent resource identification and ownership.
Automation
Enable automated cost optimization, security policies, and operational procedures based on consistent tagging.
Visibility
Gain clear visibility into resource ownership, purpose, and lifecycle for better operational management.
Risk Management
Quickly identify resource owners during incidents and ensure proper accountability for security and compliance.
Reporting
Generate accurate reports for executives, finance teams, and stakeholders with properly categorized cloud spending.
Troubleshooting
Common issues and their solutions
❌ "AWS CLI not configured" Error
Solution: Run aws configure first to set up credentials for the Organizations management account.
aws configure
# Enter your Access Key ID, Secret Access Key, Region, and Output format
❌ "Organizations not accessible" Error
Solution: Ensure you have appropriate permissions and are running from the management account.
- Verify you're in the AWS Organizations management account (member accounts cannot create or attach organization policies)
- Check that your IAM user/role has Organizations admin permissions
- Ensure AWS Organizations is enabled with all features; tag policies are not available when the organization has consolidated billing only
❌ "Tag policies not enabled" Error
Solution: Enable tag policies in AWS Organizations first.
- Go to AWS Organizations console
- Click "Policies" → "Tag policies"
- Click "Enable tag policies"
- Re-run the deployment script
❌ PowerShell Execution Policy Error
Solution: Temporarily allow script execution for the current session only. -Scope Process leaves the machine-wide execution policy untouched and reverts when the PowerShell window closes; review the script before bypassing signature checks, since it runs with your Organizations admin credentials.
# Allow script execution for current session
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Then run the deployment script
./Deploy-EssentialTagsPolicy.ps1 -TargetType Root -TargetId "r-xxxxxxxxx"
Ready to Enforce Tags Like a Chef?
Get your AWS resources properly tagged and organized with our no-nonsense tag enforcement policy