Ensure AWS resources that support tags have Tags

Error: AWS resources that support tags do not have Tags

Bridgecrew Policy ID: BC_AWS_GENERAL_26
Checkov Check ID: CKV_AWS_CUSTOM_1
Severity: LOW

AWS resources that support tags do not have Tags


Many different types of AWS resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.

View AWS's recommended tagging best practices here.

Fix - Runtime

AWS Console

The procedure varies by resource type. Tags can be added in the AWS console by navigating to the specific resource. There is usually a "tags" tab in the resource view that can be used to view and modify tags.

Example to edit tags for a Security Group:

  1. Navigate to the Amazon EC2 console.
  2. Select Security groups
  3. Select a security group to edit, then click the Tags tab.
  4. Click Manage tags, then Add new tag to add a tag.
  5. Click Save changes.

CLI Command

The following command shows how to add tags for any resource associated with the EC2 service (in this case, a security group). The specific command varies by resource type for non-EC2 services (e.g., RDS).

aws ec2 create-tags --resources sg-000b51bf43c710838 --tags Key=Environment,Value=Dev

Fix - Buildtime


The example below shows how to tag a security group in Terraform. The syntax is generally the same for any taggable resource type.

resource "aws_security_group" "sg" {
  name = "my-sg"
+ tags = {
+   Environment = "dev"
+   Owner = "apps-team"
+ }