SOA-C02 | Chapter 92 of 104 | Objective 3.2

AWS Resource Groups and Tag Editor

This chapter covers AWS Resource Groups and Tag Editor, two critical tools for organizing, managing, and automating AWS resources at scale. For the SOA-C02 exam, these topics appear in about 5-10% of questions, primarily in the Deployment and Security domains. Mastering tags and resource groups is essential because they underpin cost allocation, access control, automation, and operational visibility—concepts the exam heavily emphasizes.

25 min read · Intermediate · Updated May 31, 2026

Like a Label Maker for Cloud Resources

Imagine a massive warehouse with thousands of boxes, servers, cables, and tools scattered across shelves. Without any labels, finding all boxes related to a specific project would require opening every box and checking its contents. AWS Resource Groups are like a label maker that lets you assign color-coded labels to boxes and then create dynamic groups like 'all red-labeled boxes on the top shelf' or 'all blue-labeled boxes containing networking gear.' The Tag Editor is like a handheld scanner that lets you quickly add or remove labels from many boxes at once, or search for all boxes with a missing label. Just as you could group by label color or by shelf location, Resource Groups can group by tags (key-value pairs) or by AWS CloudFormation stack. Tags are metadata—like a sticker saying 'Project: Apollo'—that you attach to resources. The Tag Editor lets you bulk-apply, remove, or find resources missing specific tags. Once groups are defined, you can view their aggregated metrics in CloudWatch, manage permissions with IAM policies that reference tags, or automate actions using AWS Systems Manager. Without tags, managing thousands of resources is chaotic; with tags, you can instantly isolate a project's entire infrastructure.

How It Actually Works

What Are Tags and Why Do They Matter?

Tags are metadata labels consisting of a key-value pair (e.g., Environment:Production) that you can attach to most AWS resources. They are not a service but a feature integrated across hundreds of AWS services. Tags enable you to:

Organize resources by project, environment, owner, cost center, etc.

Automate actions using AWS Lambda or Systems Manager based on tag values.

Control access with IAM policies that conditionally allow actions based on tags.

Track costs by grouping resources with specific tags in AWS Cost Explorer.

Tags are free, but there are limits: each resource can have up to 50 tags. Tag keys must be unique per resource, and both keys and values are case-sensitive. AWS does not enforce any tag schema—you define your own naming conventions. However, AWS provides predefined tags for some services (e.g., aws:cloudformation:stack-name).

Resource Groups: Dynamic and Static Grouping

A Resource Group is a collection of AWS resources that match a specified set of criteria. There are two types:

1. Tag-based Resource Groups: Resources are grouped by shared tags. For example, all resources with tag Project=Alpha. This is dynamic: as you add or remove tags, resources automatically join or leave the group.

2. CloudFormation Stack-based Resource Groups: All resources created by a specific CloudFormation stack are grouped together. This is static—the group membership is tied to the stack, not tags.

Resource Groups are not containers; they are queries that return a set of resource ARNs. You can perform actions on the group as a whole, such as viewing aggregated CloudWatch metrics or running Systems Manager commands across all instances in the group.

Tag Editor: Bulk Tag Management

Tag Editor is a tool in the AWS Management Console that allows you to:

Search for resources across regions and services by tags or other attributes.

Add, modify, or remove tags on multiple resources at once.

Find resources that do not have a specific tag (tag compliance).

Tag Editor uses the Resource Groups Tagging API (RGT API) behind the scenes. The API supports operations like TagResources, UntagResources, GetResources, and GetTagKeys. The API enforces per-call limits; for example, TagResources and UntagResources accept a maximum of 20 resources per call. For bulk operations, you must iterate in batches.

How Resource Groups Work Internally

When you create a tag-based resource group, you specify a tag key and optionally a tag value. AWS builds a query that is executed against the Resource Groups Tagging API. The group's membership is evaluated each time you view the group or use it in an action—it is not a static snapshot. This means group membership is always up-to-date.

For CloudFormation stack-based groups, the group is linked to the stack ID. When you delete the stack, the group is also deleted (or becomes empty).

Key Components, Values, and Defaults

Tag Limit: 50 tags per resource. This is a hard limit; exceeding it causes the API call to fail.

Tag Key Constraints: Max 128 characters, can contain letters, numbers, spaces, and + - = . _ : / @. Tag values: max 256 characters.

Resource Groups Quotas: Up to 5000 resource groups per account per region. Each group can include up to 5000 resources.

Tag Editor Regions: Tag Editor is global, but it searches resources in selected regions. You can select all regions.

RGT API Limits: GetResources returns up to 100 results per page; TagResources and UntagResources accept up to 20 resource ARNs per call.

Configuration and Verification

Using AWS CLI:

Create a tag-based resource group:

aws resource-groups create-group \
    --name MyProjectGroup \
    --resource-query '{"Type":"TAG_FILTERS_1_0","Query":"{\"ResourceTypeFilters\":[\"AWS::AllSupported\"],\"TagFilters\":[{\"Key\":\"Project\",\"Values\":[\"Alpha\"]}]}"}'

List resources in a group:

aws resource-groups list-group-resources --group MyProjectGroup

Tag resources using Tag Editor (RGT API). Note that `--tags` takes a Key=Value map, so writing `Key=Project,Value=Alpha` would create two tags literally named Key and Value:

aws resourcegroupstaggingapi tag-resources \
    --resource-arn-list arn:aws:ec2:us-east-1:123456789012:instance/i-abc123 \
    --tags Project=Alpha

Find resources missing a tag. GetResources cannot filter on an absent key (`--tag-filters Key=Project` returns resources that have the key), so list the tagged resources and drop the ones carrying the key on the client side. Resources that were never tagged are not returned by this API at all:

aws resourcegroupstaggingapi get-resources \
    --query "ResourceTagMappingList[?!contains(Tags[].Key, 'Project')].ResourceARN" \
    --output text

Using IAM Policies:

To enforce tag-based access, use IAM conditions like aws:ResourceTag and aws:RequestTag. Example policy that allows starting instances only if they have tag Environment=Production:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:StartInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Environment": "Production"
                }
            }
        }
    ]
}

Interaction with Related Technologies

AWS Cost Explorer: You can filter costs by tag keys and values. To enable this, tags must be activated in the Billing and Cost Management console.

AWS Systems Manager: Use resource groups as targets for Automation, Run Command, or Patch Manager. For example, patch all instances in a group.

AWS Config: Use Config rules to enforce that resources have specific tags (e.g., required-tags rule).

AWS Organizations: Use tag policies to enforce consistent tagging across accounts.

CloudFormation: Use AWS::ResourceGroups::Group to create resource groups as part of your infrastructure as code.

Common Pitfalls

Case Sensitivity: Tags are case-sensitive. Environment=Production and environment=production are different tags.

Propagation Delay: Tag changes can take up to a few minutes to propagate to resource groups and other services (like Cost Explorer).

Service Support: Not all AWS resources support tagging. Check the documentation for each service.

Tag Editor Permissions: To use Tag Editor, you need permissions for tag:GetResources, tag:TagResources, tag:UntagResources, and tag:GetTagKeys. Additionally, you need permissions on the resources themselves to modify their tags.

Walk-Through

1. Define Tagging Strategy

Before creating any resources, establish a company-wide tagging convention. Decide on mandatory tag keys such as `Environment`, `Project`, `Owner`, `CostCenter`, and `Compliance`. Define allowed values for each key (e.g., Environment can be `Production`, `Staging`, `Development`). Document these in a tag policy using AWS Organizations to enforce compliance. This step is crucial because retroactively tagging resources is error-prone and time-consuming. The exam tests your ability to design a tagging strategy that meets business requirements like cost tracking and access control.

2. Create Resource Groups

Using the AWS Management Console, CLI, or SDK, create resource groups based on your tags. For example, create a group named `Production-Instances` that includes all EC2 instances with tag `Environment=Production`. The group query is stored as JSON. You can also create a group based on a CloudFormation stack. Resource groups are regional; to group resources across regions, you must create separate groups or use a global tool like Tag Editor. In the exam, know that resource groups are used as targets for Systems Manager actions.

3. Apply Tags Using Tag Editor

Use Tag Editor to bulk-apply tags to existing resources. First, select the regions and resource types you want to search. Then, use the search filters to find resources that are missing a specific tag. For example, find all EC2 instances without the `CostCenter` tag. Then, add the tag with a value. Tag Editor uses the RGT API, which has a limit of 20 resources per API call. For large numbers of resources, you must script multiple calls. Tag Editor also shows compliance status: resources that have the tag key but not the expected value are considered non-compliant.

4. Automate with Tags and Groups

Leverage resource groups in automation workflows. For example, use AWS Systems Manager to run a command on all EC2 instances in the `Production-Instances` group. You can also set up AWS Lambda functions that trigger on tag changes (via CloudTrail events) to enforce compliance. For cost tracking, activate tags in Cost Explorer and then view cost breakdowns by tag. IAM policies can use `aws:ResourceTag` conditions to restrict actions based on tags. The exam may ask how to restrict an IAM user to only terminate instances with a specific tag.

5. Monitor and Audit Tag Compliance

Use AWS Config rules to continuously check that resources have required tags. For example, the `required-tags` managed rule checks that resources have specific tag keys. If a resource is non-compliant, you can trigger automatic remediation via Systems Manager Automation. Additionally, use AWS CloudTrail to audit all tag-related API calls (`TagResource`, `UntagResource`, `CreateGroup`). The exam tests your understanding of how to enforce tagging policies using Config and how to remediate non-compliant resources.
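The sweep below is an added example, not code from this guide or from AWS: it pages through GetResources, flags resources that lack a required key or carry a value outside the allowed set (the compliance check from step 3, case-sensitive as the chapter warns), then backfills the missing tag 20 ARNs per call as the RGT API limit requires, collecting per-ARN failures from FailedResourcesMap instead of dropping them. The client is injected; FakeTaggingClient and the 150-instance fleet are constructed stand-ins so it runs offline, and a real run would pass boto3.client("resourcegroupstaggingapi") instead.

```python
"""Tag-compliance sweep with batched backfill over the Resource Groups Tagging API.
Added example, not the guide's code. `client` is any object with boto3-style
get_resources()/tag_resources(); FakeTaggingClient is a constructed offline stand-in."""
from typing import Dict, Iterable, List, Set

MAX_ARNS_PER_TAG_CALL = 20   # TagResources/UntagResources batch limit from the chapter

def list_tagged_resources(client) -> List[dict]:
    """Follow PaginationToken until GetResources is exhausted (100 per page).
    Caveat: the API only returns resources that are, or once were, tagged."""
    out, kwargs = [], {"ResourcesPerPage": 100}
    while True:
        page = client.get_resources(**kwargs)
        out.extend(page["ResourceTagMappingList"])
        if not page.get("PaginationToken"):
            return out
        kwargs["PaginationToken"] = page["PaginationToken"]

def find_noncompliant(resources: List[dict], required: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """ARN -> reasons for each resource missing a required key or holding a value outside
    the allowed set. Case-sensitive: a key 'project' does not satisfy 'Project'."""
    findings: Dict[str, List[str]] = {}
    for res in resources:
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        reasons = [f"missing {k}" if k not in tags else f"{k}={tags[k]} not in {sorted(v)}"
                   for k, v in required.items() if k not in tags or (v and tags[k] not in v)]
        if reasons:
            findings[res["ResourceARN"]] = reasons
    return findings

def tag_in_batches(client, arns: Iterable[str], tags: Dict[str, str]) -> Dict[str, str]:
    """Apply tags 20 ARNs per call; partial failures come back in FailedResourcesMap, not as an exception."""
    arns, failed = list(arns), {}
    for i in range(0, len(arns), MAX_ARNS_PER_TAG_CALL):
        resp = client.tag_resources(ResourceARNList=arns[i:i + MAX_ARNS_PER_TAG_CALL], Tags=tags)
        for arn, err in resp.get("FailedResourcesMap", {}).items():
            failed[arn] = err.get("ErrorCode", "Unknown")
    return failed

class FakeTaggingClient:
    """Constructed stand-in for boto3's resourcegroupstaggingapi client (same call shapes)."""
    def __init__(self, resources: List[dict], reject: Set[str] = frozenset()):
        self.resources, self.reject, self.calls = resources, reject, []
    def get_resources(self, ResourcesPerPage=100, PaginationToken="0"):
        start = int(PaginationToken)
        page = {"ResourceTagMappingList": self.resources[start:start + ResourcesPerPage]}
        if start + ResourcesPerPage < len(self.resources):
            page["PaginationToken"] = str(start + ResourcesPerPage)
        return page
    def tag_resources(self, ResourceARNList, Tags):
        self.calls.append(list(ResourceARNList))   # recorded so batch sizes can be checked
        return {"FailedResourcesMap": {a: {"StatusCode": 400, "ErrorCode": "InvalidParameterException"}
                                       for a in ResourceARNList if a in self.reject}}

def sample_fleet(n: int = 150) -> List[dict]:
    """Constructed fleet: i%3==0 has Project=Alpha (Gamma every 30th), i%3==1 is untagged, i%3==2 has wrong-case 'project'."""
    fleet = []
    for i in range(n):
        tags = ([{"Key": "Project", "Value": "Gamma" if i % 30 == 0 else "Alpha"}] if i % 3 == 0
                else [] if i % 3 == 1 else [{"Key": "project", "Value": "Alpha"}])
        fleet.append({"ResourceARN": f"arn:aws:ec2:us-east-1:123456789012:instance/i-{i:08x}", "Tags": tags})
    return fleet

def run_sweep(client, required: Dict[str, Set[str]], backfill: Dict[str, str]):
    """Detect, then backfill only resources lacking a key entirely (a wrong value is reported,
    not overwritten). Returns (findings, failed ARNs, number of TagResources calls)."""
    findings = find_noncompliant(list_tagged_resources(client), required)
    missing = [arn for arn, why in findings.items() if any(r.startswith("missing") for r in why)]
    failed = tag_in_batches(client, missing, backfill)
    return findings, failed, len(client.calls)
```

With the constructed fleet, 105 of 150 instances are non-compliant (50 untagged, 50 with the wrong-case key, 5 with Project=Gamma), and the 100 missing-key instances are backfilled with Project=Unknown in exactly 5 calls.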

What This Looks Like on the Job

Enterprise Scenario 1: Cost Allocation for Multiple Projects

A large enterprise runs hundreds of EC2 instances, RDS databases, and Lambda functions across multiple projects. Without tags, the finance team cannot attribute costs to specific projects. The company implements a mandatory tag Project with values like Alpha, Beta, Gamma. They use AWS Organizations tag policies to enforce that all new resources must have this tag. Tag Editor is used to backfill tags on existing resources. They then create resource groups per project (e.g., Project-Alpha) and use Cost Explorer to filter costs by the Project tag. This allows accurate chargeback to each business unit. A common misconfiguration is allowing resources to be created without tags, leading to untagged resources that are invisible in cost reports. The company sets up an AWS Config rule to detect untagged resources and triggers a Lambda function to automatically tag them with Project=Unknown. They also use IAM policies to deny creation of resources without the required tag.

Enterprise Scenario 2: Operational Automation with Systems Manager

A DevOps team manages a fleet of 500 EC2 instances spread across multiple environments. They use tags to differentiate environments: Environment=Production, Staging, Development. They create resource groups for each environment, e.g., Staging-Instances. Using AWS Systems Manager, they schedule patching for the staging group on weekends and for production on a different schedule. They also use the resource group as a target for Run Command to execute a script that collects logs. Without resource groups, they would have to manually maintain instance lists or use complex scripts. A common issue is that the resource group query may include instances that are not supposed to be patched (e.g., if tags are incorrectly applied). To mitigate, they use tag policies to enforce consistent tag values. They also set up CloudWatch Events to trigger a Lambda function that validates tags on new instances and alerts if they are missing.

Enterprise Scenario 3: Access Control Using Resource Tags

A security team wants to enforce that only users in the 'developers' group can terminate EC2 instances in the Development environment, but not in Production. They create an IAM policy that allows ec2:TerminateInstances only if the resource tag Environment equals Development. They also add a condition that the request must include the tag Purpose=Testing to prevent accidental termination. This is implemented using aws:ResourceTag and aws:RequestTag conditions. Resource groups are not directly used for access control—tags are. However, resource groups help administrators quickly see all instances in an environment. A common mistake is to use resource group ARNs in IAM policies; resource groups are not resources you can control access to—they are queries. The exam tests this distinction.

How SOA-C02 Actually Tests This

What SOA-C02 Tests on Resource Groups and Tag Editor

The SOA-C02 exam objectives for Domain 3 (Deployment) include Objective 3.2: "Implement resource tagging and use AWS Resource Groups and Tag Editor." The exam tests your ability to:

Create and manage tags using the console, CLI, and API.

Use Tag Editor to bulk-edit tags and find resources missing tags.

Create tag-based and CloudFormation-based resource groups.

Use resource groups with Systems Manager, Cost Explorer, and IAM policies.

Understand tag propagation delays and limits.

Common Wrong Answers and Why Candidates Choose Them

1. "Resource groups can be used in IAM policies to grant access." Wrong because resource groups are not IAM resources. You cannot reference a resource group ARN in a policy's Resource element. Instead, you use tags in condition keys.

2. "Tag Editor can tag resources across all regions in one operation." Partially true: Tag Editor can search across regions, but the tagging operation is performed per region. You must select the regions you want to tag. The exam may present this as a single click, but it's a batch per region.

3. "Resource groups are static collections." Wrong: Tag-based groups are dynamic—membership changes as tags change. Only CloudFormation stack-based groups are static.

4. "Tags are case-insensitive." Wrong: Tags are case-sensitive. Environment=Prod and environment=prod are different.

Specific Numbers and Terms on the Exam

50 tags per resource

20 resources per API call for TagResources/UntagResources

5000 resource groups per account per region

5000 resources per group

Tag key max 128 chars, value max 256 chars

AWS Resource Groups Tagging API (RGT API)

`aws:ResourceTag` and `aws:RequestTag` condition keys

`tag:GetResources`, `tag:TagResources`, `tag:UntagResources` permissions

Edge Cases and Exceptions

Propagation delay: Tag changes can take up to 5 minutes to appear in resource groups and Cost Explorer. The exam might ask why a resource group doesn't update immediately.

Not all resources support tagging: For example, some older resource types may not support tags. Check service documentation.

Tags on resources created by CloudFormation: CloudFormation can propagate stack tags to resources. If you manually change a tag, CloudFormation may revert it on the next update.

Tag Editor permissions: To use Tag Editor, you need permissions for both the tagging API and the underlying resources. For example, to tag an EC2 instance, you need ec2:CreateTags and tag:TagResources.

How to Eliminate Wrong Answers

If a question asks about using resource groups for access control, eliminate any answer that references resource group ARNs in IAM policies—tags are the correct mechanism.

If a question mentions bulk tagging, look for the limit of 20 resources per API call. Any answer suggesting you can tag thousands at once is wrong.

If a question describes a static group, check if it's based on CloudFormation stack (static) vs tags (dynamic).

Always consider case sensitivity: if two tag keys differ only by case, they are different.

Key Takeaways

Tags are case-sensitive key-value pairs (max 50 per resource, key 128 chars, value 256 chars).

Resource groups are queries, not containers; tag-based groups are dynamic, CloudFormation stack groups are static.

Tag Editor uses the Resource Groups Tagging API; bulk operations are limited to 20 resources per API call.

Use `aws:ResourceTag` and `aws:RequestTag` in IAM policies for tag-based access control.

Tag changes can take up to 5 minutes to propagate to resource groups and Cost Explorer.

Resource groups can be targets for Systems Manager Automation, Run Command, and Patch Manager.

AWS Config can enforce tagging compliance with rules like `required-tags`.

Tag Editor can find resources missing specific tags and apply tags in bulk across selected regions.

Not all AWS resources support tagging; check service documentation.

Activate tags in Cost Explorer to enable cost allocation by tag.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Tag-based Resource Groups

Dynamic membership: resources join/leave as tags change.

Can include resources from multiple stacks or none.

Query uses tag filters; you specify key and optional value.

Useful for grouping by environment, project, etc.

Can be created independently of CloudFormation.

CloudFormation Stack-based Resource Groups

Static membership: resources are those created by the stack.

All resources belong to the same stack.

No tag filters; group is tied to stack ID.

Useful for managing all resources of a stack together.

Group is automatically deleted when stack is deleted.

Watch Out for These

Mistake: Tags are case-insensitive.
Correct: Tags are case-sensitive. The keys `Environment` and `environment` are considered different tags. This is a common source of errors when using tags in IAM policies or cost reports.

Mistake: Resource groups are containers that hold resources.
Correct: Resource groups are queries that return a list of resource ARNs. They are not containers; resources are not 'inside' a group. The group's membership is evaluated dynamically each time it is used.

Mistake: Tag Editor can tag resources in all regions in a single operation.
Correct: Tag Editor searches across regions, but the tagging operation is performed per region. You must select which regions to include. The API call is regional; you cannot tag resources in multiple regions with one API call.

Mistake: You can use resource groups in IAM policies to control access.
Correct: Resource groups are not IAM resources. You cannot reference a resource group ARN in a policy's `Resource` element. Instead, use tag-based conditions like `aws:ResourceTag` to control access.

Mistake: All AWS resources support tagging.
Correct: Not all resources support tags. For example, some older resource types or certain AWS services may not have tagging support. Always verify the service documentation.


Frequently Asked Questions

How do I create a resource group based on tags using the AWS CLI?

Use the `aws resource-groups create-group` command with a `--resource-query` that specifies the tag filters. For example: `aws resource-groups create-group --name MyGroup --resource-query '{"Type":"TAG_FILTERS_1_0","Query":"{\"ResourceTypeFilters\":[\"AWS::AllSupported\"],\"TagFilters\":[{\"Key\":\"Environment\",\"Values\":[\"Production\"]}]}"}'`. The query JSON must be properly escaped. The group is created in the current region.

What permissions are needed to use Tag Editor?

To use Tag Editor, you need permissions for `tag:GetResources`, `tag:TagResources`, `tag:UntagResources`, and `tag:GetTagKeys`. Additionally, you need permissions on the resources themselves to modify tags (e.g., `ec2:CreateTags` for EC2 instances). The IAM policy must grant both the tagging API actions and the resource-specific tagging actions.

Can I use resource groups to restrict access to resources in IAM policies?

No, you cannot reference resource group ARNs in IAM policies. Instead, use tag-based conditions. For example, to allow starting instances only if they have tag `Environment=Production`, use `"Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Production"}}`. This is a common exam trap.

What is the difference between tag-based and CloudFormation stack-based resource groups?

Tag-based groups are dynamic: resources are included based on their tags, and membership updates as tags change. CloudFormation stack-based groups are static: they include all resources created by a specific stack. The stack-based group is automatically deleted when the stack is deleted. Tag-based groups can include resources from multiple stacks or no stack at all.

How do I find resources that are missing a specific tag?

Use Tag Editor in the AWS Management Console: select the resource types and regions, then use the search filter to find resources without a specific tag key. Alternatively, use the CLI: `aws resourcegroupstaggingapi get-resources --tag-filters Key=MyTagKey` returns resources that have that tag key, not those missing it. To find resources without the tag, list all tagged resources and filter out the ones carrying the key on the client side (for example with a `--query` expression); this is more complex, and it still misses resources that were never tagged. A simpler approach is to use AWS Config with the `required-tags` rule.

What is the tag limit per resource?

You can have up to 50 tags per resource. This is a hard limit; attempting to add a 51st tag will result in an error. Tag keys can be up to 128 characters, and tag values up to 256 characters. The exam may test these limits.

How do I automate tagging of new resources?

You can use AWS CloudFormation to propagate stack tags to resources. For resources created outside CloudFormation, use AWS Config rules with automatic remediation (e.g., a Systems Manager Automation document that adds tags). You can also use AWS Lambda functions triggered by CloudTrail events (e.g., `RunInstances`) to tag resources as they are created.

