This chapter covers Tag Policies in AWS Organizations, a feature that enables centralized enforcement of tagging rules across all accounts in your organization. Tag policies are a critical tool for governance, cost allocation, security, and operational consistency. On the SOA-C02 exam, approximately 5-10% of questions touch on AWS Organizations features, with tag policies being a common topic due to their direct impact on resource management and compliance. You must understand how to create, apply, and evaluate tag policies, as well as how they interact with other AWS services like Resource Groups and Tag Editor.
Jump to a section
Imagine a large public library system with multiple branches. The head librarian (AWS Organizations management account) wants to enforce that every book in every branch must have a specific set of metadata fields: genre, author, publication year, and reading level. This is a tag policy. The librarian creates a rule: "Every book must have a 'genre' tag with a value from the approved list (Fiction, Non-Fiction, Reference). If a book doesn't have it, the cataloging system will automatically add a default 'genre: Unknown' tag, but it will flag the book for review." The rule is distributed to all branches (member accounts). When a new book arrives, the branch librarian (IAM user or resource creator) tries to add tags like 'genre: Sci-Fi' or 'author: Asimov'. The catalog system (AWS API) checks the rule. If 'Sci-Fi' is not in the approved list, the system rejects the tag operation entirely, or it can automatically correct it to 'Fiction' if configured. The system also prevents adding any tag not in the allowed set (e.g., 'popularity'), enforcing strict compliance. The head librarian can see a compliance report showing which books have non-compliant tags. This ensures consistency across all branches, just as tag policies enforce consistent tagging across all accounts in an organization.
What is a Tag Policy?
A tag policy is a rule-based policy in AWS Organizations that specifies the rules for tagging resources across accounts in your organization. Tag policies help you standardize tags, enforce tag compliance, and automate tag management. They are written in JSON format and can include rules such as:
Which tags are allowed or required on specific resource types.
Case sensitivity of tag keys and values.
Allowed values for a tag key.
Whether tags can be inherited from parent resources.
Tag policies are attached to organizational units (OUs) or directly to accounts. They apply to all IAM users and roles in the target accounts, as well as to AWS services that create resources on your behalf. Tag policies do not directly prevent tag operations; instead, they mark resources as noncompliant if tags violate the policy. However, you can use AWS Config rules to enforce compliance by triggering remediation actions.
How Tag Policies Work Internally
When you create or update a tag policy, AWS Organizations replicates the policy to all affected accounts. The policy is stored as a JSON document. When a resource creation or tagging operation occurs, the AWS service checks the tag policy for that account. If the operation violates the policy, the resource is still created or tagged, but it is flagged as noncompliant. The compliance status can be viewed in the Tag Policy console or via the AWS Organizations API.
Tag policies are evaluated based on the resource's AWS account and the region. Each account can have multiple tag policies applied from different OUs, and the policies are merged using a union logic: the most restrictive rule for each tag key is applied. For example, if one policy allows 'Environment' with values 'Prod' and 'Dev', and another allows 'Environment' with values 'Prod' and 'Test', the effective allowed values are 'Prod' only (intersection of allowed values? Actually, it's union of allowed values? Let's clarify: Tag policies use a 'deny' override model. If any policy denies a tag value, it is denied. For allowed values, the effective set is the intersection? No, the documentation states that when multiple policies are applied, the most restrictive combination is used. For allowed values, the intersection is used. For example, if Policy A allows values ['Prod', 'Dev'] and Policy B allows values ['Prod', 'Test'], the effective allowed values are ['Prod'] only. This is a common exam trap.)
Key Components and Defaults
- Tag policy JSON structure: Contains a tags object with tag keys as properties. Each tag key can have:
- tag_key: The tag key name (supports case sensitivity settings).
- tag_value: An array of allowed values, or a wildcard ["*"] to allow any value.
- enforced_for: A list of resource types that the rule applies to. If omitted, it applies to all resource types.
- case_sensitive: Boolean (default true). If false, the tag key and values are case-insensitive.
Inheritance: Tag policies can be inherited from parent OUs. If a policy is attached to the root, it applies to all accounts. If attached to an OU, it applies to that OU and its children. Accounts can have multiple policies from different OUs, and they are merged.
Compliance evaluation: AWS evaluates tag compliance periodically and on-demand. You can use the ListTagsForResource API to see tags, and the GetComplianceDetails API to see noncompliance reasons.
Defaults: There is no default tag policy. You must create one. By default, no tags are enforced. The enforced_for field defaults to all resource types.
Configuration and Verification
To create a tag policy: 1. Sign in to the AWS Organizations console as a management account user. 2. Navigate to Policies > Tag policies. 3. Click Create policy. 4. Provide a name and optional description. 5. Define the policy JSON. Example:
{
"tags": {
"CostCenter": {
"tag_value": [
"CC-100",
"CC-200"
],
"enforced_for": [
"ec2:instance",
"s3:bucket"
]
},
"Environment": {
"tag_value": [
"Prod",
"Dev"
],
"case_sensitive": false
}
}
}Attach the policy to an OU or account.
To verify compliance:
Use the Tag Policy console to view noncompliant resources.
Use AWS CLI:
aws organizations list-policies-for-target --target-id ou-xxxx --filter TAG_POLICY
aws organizations list-targets-for-policy --policy-id p-xxxx
aws organizations describe-policy --policy-id p-xxxxTo see compliance details:
aws organizations list-roots
aws organizations list-children --parent-id r-xxxx --child-type ACCOUNTInteraction with Related Services
AWS Config: You can create AWS Config rules that evaluate tag compliance and trigger remediation (e.g., auto-tag noncompliant resources). This is more proactive than tag policies alone.
Resource Groups & Tag Editor: These tools allow you to manage tags across accounts and regions. Tag policies affect what tags you can assign using Tag Editor.
IAM Policies: IAM policies can restrict tagging actions (e.g., ec2:CreateTags). Tag policies work alongside IAM; if an IAM policy denies tagging, the operation fails regardless of tag policy compliance.
Service Control Policies (SCPs): SCPs can block tagging actions entirely. Tag policies do not override SCPs. For example, an SCP that denies ec2:CreateTags will prevent tag creation, and the resource will not be created with tags.
How Tag Policies Enforce Compliance
Tag policies use a 'deny list' approach for tag keys: if a tag key is not defined in the policy, it is allowed by default? Actually, the default behavior is that any tag key not specified in the policy is allowed. To restrict tags, you must explicitly list the allowed tag keys. For tag values, if you specify allowed values, only those values are permitted; otherwise, any value is allowed. The enforced_for field limits the rule to specific resource types; if a resource type is not listed, the rule does not apply.
Common Exam Scenarios
Case sensitivity: By default, tag keys and values are case-sensitive. If you set case_sensitive: false, then 'Environment' and 'environment' are treated as the same key. The exam may ask about how case sensitivity affects compliance.
Multiple policies: When multiple policies are attached, the most restrictive combination applies. For allowed values, the intersection is used. For tag keys, if one policy allows 'CostCenter' and another does not mention it, 'CostCenter' is allowed (since not mentioned means allowed). But if one policy explicitly lists 'CostCenter' with allowed values, and another policy also lists 'CostCenter' with a different set, the intersection of allowed values is used.
Resource types: The enforced_for field can include wildcards like ec2:* to apply to all EC2 resources. The exam may test that if you omit enforced_for, the rule applies to all resource types.
Inheritance: Tag policies are inherited. If you attach a policy to the root, it applies to all accounts. If you attach a more restrictive policy to an OU, the OU policy takes precedence for that OU's accounts.
Timers and Defaults
Tag policies are evaluated in near real-time. However, compliance status may take a few minutes to update. There is no specific timer; it is event-driven. The maximum size of a tag policy document is 10,000 characters. There is no limit on the number of tag policies per organization, but there is a limit on the number of policies attached to a target (OU or account): up to 10 tag policies per target.
Troubleshooting
Noncompliant resources: Check the compliance details to see which tag rule was violated. Common issues: tag key not allowed, tag value not in allowed list, case mismatch.
Policy not applying: Ensure the policy is attached to the correct OU or account. Verify that the account is in the organization and that the policy is enabled.
IAM permissions: The management account user needs organizations:CreatePolicy, organizations:AttachPolicy, etc. Member account users need no special permissions to be affected by tag policies.
Best Practices
Start with a baseline tag policy that defines mandatory tags (e.g., CostCenter, Environment, Owner).
Use enforced_for to apply rules only to resource types that need them, avoiding unnecessary compliance flags.
Use case-insensitive settings to avoid confusion.
Combine tag policies with AWS Config rules for automated remediation.
Regularly review compliance reports to identify untagged resources.
Advanced: Tag Policy Inheritance and Merging
When multiple tag policies apply to a resource, the effective policy is the union of all tag keys (with restrictions). For each tag key, the effective allowed values are the intersection of allowed values across all policies. If a policy does not specify a tag key, that key is considered unrestricted (any value allowed). However, if any policy denies a tag key (by not listing it? Actually, tag policies do not have a deny mechanism; they only specify allowed keys/values. If a key is not listed, it is allowed. So to restrict a key, you must list it with allowed values. If multiple policies list the same key, the intersection of allowed values is used. If one policy lists the key and another does not, the key is still subject to the restrictions of the policy that lists it. The policy that does not list it does not add any restrictions. Therefore, to fully restrict a tag, you must ensure all policies that apply to the account either list the allowed values or do not mention the key (which means no restriction from that policy). The most restrictive policy for a given key is the one that lists the narrowest allowed values.
Example: Policy A (attached to root) allows Environment: ["Prod", "Dev"]. Policy B (attached to OU) allows Environment: ["Prod", "Test"]. The effective allowed values for accounts in that OU are ["Prod"]. If Policy B did not mention Environment, then the effective allowed values would be ["Prod", "Dev"] from Policy A.
Summary of Key Points for Exam
Tag policies are JSON documents that define allowed tag keys and values for specific resource types.
They are attached to OUs or accounts in AWS Organizations.
They do not block noncompliant tagging; they only mark resources as noncompliant.
To enforce compliance, use AWS Config rules.
Multiple policies merge: allowed values intersect; tag keys are unioned.
Default case-sensitivity is true.
enforced_for defaults to all resource types if omitted.
Tag policies are evaluated per account and region.
The maximum policy size is 10,000 characters.
Up to 10 tag policies can be attached to a single target.
Create Tag Policy JSON
Define the tagging rules in a JSON document. Specify the allowed tag keys and, optionally, their allowed values. Use the `enforced_for` field to limit the rule to specific resource types (e.g., `ec2:instance`). Set `case_sensitive` to `false` if you want case-insensitive matching. The JSON must follow the schema: top-level `tags` object, with each tag key as a property containing `tag_value` (array of strings or `["*"]`), `enforced_for` (array of resource type strings), and `case_sensitive` (boolean). Example: `{"tags":{"Environment":{"tag_value":["Prod","Dev"],"enforced_for":["ec2:instance"],"case_sensitive":false}}}`.
Attach Policy to OU or Account
In the AWS Organizations console, navigate to Policies > Tag policies, select the policy, and choose 'Attach'. You can attach to the root, an OU, or a specific account. The policy is inherited by all child OUs and accounts. You can attach up to 10 tag policies to a single target. When multiple policies are attached, they are merged using intersection of allowed values and union of tag keys. The policy takes effect immediately, but compliance evaluation may take a few minutes.
Resource Creation or Tagging Occurs
When a user or service creates a resource or modifies tags in a member account, the AWS service checks the effective tag policy for that account. If the tags comply with the policy, the operation proceeds normally. If the tags violate the policy (e.g., tag key not allowed, value not in allowed list, case mismatch), the resource is still created or tagged, but it is marked as noncompliant. The operation is not blocked. The compliance status is recorded and can be viewed in the Tag Policy console or via API.
Compliance Evaluation and Reporting
AWS periodically evaluates resources against the effective tag policy. You can also manually trigger an evaluation using the `StartResourceComplianceEvaluation` API (though this is not commonly used). Noncompliant resources are listed in the Tag Policy console under 'Noncompliant resources'. You can view details such as which tag rule was violated. The compliance report can be exported. Use `aws organizations list-policies-for-target` to see applied policies and `aws organizations describe-policy` to view policy details.
Remediation (Optional with AWS Config)
To automatically remediate noncompliant resources, set up AWS Config rules that trigger on tag noncompliance. For example, create a Config rule that evaluates whether required tags exist and have allowed values. Use AWS Systems Manager Automation documents to add or modify tags automatically. This step is not part of tag policies themselves but is a common follow-up. The exam may test that tag policies alone do not enforce; you need Config for enforcement.
In a large enterprise with hundreds of AWS accounts, tag policies are essential for cost allocation and security compliance. For example, a financial services company must tag all resources with CostCenter, Environment, and DataClassification. The cloud governance team creates a tag policy attached to the root OU that requires these three tags on all EC2 instances, S3 buckets, and RDS databases. The policy allows specific values: CostCenter must be one of the predefined cost center codes, Environment must be Prod, Dev, or Test, and DataClassification must be Public, Internal, or Confidential. The policy sets case_sensitive: false to avoid user errors. When developers in a member account launch an EC2 instance without the required tags, the instance is created but appears as noncompliant in the Tag Policy console. The governance team receives a daily compliance report and uses AWS Config rules to automatically stop instances that remain noncompliant for more than 24 hours. This ensures that all resources are properly tagged for cost tracking and security audits.
Another scenario: A healthcare company uses tag policies to enforce tagging standards for HIPAA compliance. They require that any resource containing protected health information (PHI) must have a tag PHI: true. The tag policy defines that the PHI tag key is allowed only with values true or false, and it applies to all resource types. Additionally, they use enforced_for to apply the rule only to services that can store PHI, like S3, DynamoDB, and RDS. This prevents unnecessary compliance flags on resources like Lambda functions. The policy also includes a rule that the Environment tag must be Prod for production resources. When a developer accidentally tags a production S3 bucket with Environment: prod (lowercase), it becomes noncompliant because the policy expects exact case match (since case_sensitive defaults to true). The compliance report flags it, and the developer corrects the tag.
A common misconfiguration is forgetting to attach the tag policy to the correct OU. For instance, if the policy is attached only to the root, but a new OU is created under the root, the policy automatically applies to the new OU via inheritance. However, if the policy is attached to a specific OU and not the root, accounts outside that OU are not affected. This leads to gaps in compliance. Another issue is exceeding the 10-policy attachment limit per target. If you try to attach an 11th policy, the operation fails. Also, if multiple policies have conflicting allowed values, the intersection might result in an empty set, making it impossible to tag any resource with that key. For example, if Policy A allows Environment: ["Prod"] and Policy B allows Environment: ["Dev"], the effective allowed values are empty, so any attempt to tag with Environment will be noncompliant. This can cause widespread noncompliance if not carefully designed.
The SOA-C02 exam tests tag policies under Objective 4.1: 'Implement and manage security and compliance controls using AWS Organizations'. You must know how to create, attach, and evaluate tag policies. The exam questions often present scenarios where you need to choose the correct JSON syntax or interpret the effective policy when multiple policies are attached.
Common wrong answers:
1. 'Tag policies block noncompliant tagging operations.' This is false; they only mark resources as noncompliant. Candidates choose this because they confuse tag policies with SCPs or IAM policies. The exam will present a scenario where a user successfully creates a resource with incorrect tags, and you must explain that the resource is noncompliant but not blocked.
2. 'Tag policies apply to all resource types by default.' While enforced_for defaults to all resource types, candidates may think that if enforced_for is omitted, the rule applies to no resource types. Actually, it applies to all. The exam may give a policy without enforced_for and ask which resources are affected; the answer is all.
3. 'Multiple tag policies are merged using union of allowed values.' The correct behavior is intersection for allowed values. Candidates often assume union because that is common in other policies. The exam will test this with a scenario: Policy A allows values A,B; Policy B allows values B,C; effective is B only.
4. 'Tag policies enforce case-insensitive matching by default.' The default is case_sensitive: true. Candidates may think it's false for user-friendliness.
Specific numbers and terms:
- Maximum policy size: 10,000 characters.
- Maximum policies per target: 10.
- The API action to create a tag policy: CreatePolicy with Type: TAG_POLICY.
- The JSON key: tags at the top level.
- Use ["*"] to allow any value.
- enforced_for accepts resource type strings like ec2:instance, s3:bucket, rds:db-instance.
Edge cases:
- If a tag policy has enforced_for for ec2:instance, but the account has no EC2 instances, the policy has no effect.
- If you attach a tag policy to an account that is not in the organization, the attachment fails.
- Tag policies do not apply to the management account? Actually, they do apply if the policy is attached to the root or an OU that includes the management account. However, by default, the management account is not included in the root OU? The management account is part of the organization but is not in any OU unless you explicitly move it. You can attach policies directly to the management account. The exam may test that the management account can have tag policies attached.
How to eliminate wrong answers: - If an answer says 'prevents tagging', it's wrong because tag policies are non-enforcing. - If an answer says 'union of allowed values', it's wrong; use intersection. - If an answer says 'case-insensitive by default', it's wrong. - If an answer says 'policy applies to all accounts in the organization regardless of attachment', it's wrong; it must be attached.
Always look for the key phrase 'noncompliant' vs 'blocked'. The exam loves to test the difference between tag policies and SCPs.
Tag policies are JSON documents that define allowed tag keys and values for specific resource types.
They are attached to organizational units (OUs) or accounts in AWS Organizations.
Tag policies do not block noncompliant tagging; they only mark resources as noncompliant.
To enforce tag compliance, combine tag policies with AWS Config rules.
Multiple tag policies merge: allowed values use intersection; tag keys use union.
Default case-sensitivity is `true`; set `case_sensitive: false` for case-insensitive matching.
If `enforced_for` is omitted, the rule applies to all resource types.
Maximum policy size is 10,000 characters; maximum attachments per target is 10.
Tag policies are inherited from parent OUs to child OUs and accounts.
The management account can have tag policies attached directly.
These come up on the exam all the time. Here's how to tell them apart.
Tag Policies
Controls tagging rules (allowed keys/values).
Non-enforcing: marks noncompliant resources but does not block.
JSON format with `tags` key.
Attached to OUs or accounts.
Evaluated per resource tagging operation.
Service Control Policies (SCPs)
Controls permissions for all IAM actions.
Enforcing: blocks actions that are not allowed.
JSON format with `Statement` blocks.
Attached to OUs or accounts.
Evaluated at the time of API call.
Mistake
Tag policies prevent users from creating resources with noncompliant tags.
Correct
Tag policies do not block resource creation or tagging operations. They only mark resources as noncompliant after the fact. To block operations, you must use SCPs or IAM policies that explicitly deny tagging actions.
Mistake
Multiple tag policies are merged using a union of allowed tag values.
Correct
When multiple tag policies apply to the same account, the effective allowed values for a given tag key are the intersection of the allowed values from each policy. This is the most restrictive combination.
Mistake
Tag policies are case-insensitive by default.
Correct
By default, tag policies enforce case-sensitive matching for both tag keys and values. To make them case-insensitive, you must explicitly set `"case_sensitive": false` in the policy JSON.
Mistake
If a tag policy does not specify `enforced_for`, it applies to no resource types.
Correct
If the `enforced_for` field is omitted, the rule applies to all resource types that support tagging. The default is all resource types, not none.
Mistake
Tag policies can be attached to individual IAM users or roles.
Correct
Tag policies are attached to organizational entities: the root, OUs, or specific accounts. They cannot be attached to IAM users or roles. They apply to all principals in the target accounts.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, tag policies do not block resource creation. They only mark the resource as noncompliant if the tags do not meet the policy rules. To block creation, you need to use an SCP that denies the `CreateTags` or `TagResource` action, or use IAM policies with a condition that requires specific tags. Tag policies are a governance tool for visibility and reporting, not enforcement.
When multiple tag policies are attached to an account (via inheritance from OUs or direct attachment), they are merged. For each tag key, the effective allowed values are the intersection of the allowed values from all policies. If a policy does not mention a tag key, that key is unrestricted (any value allowed) from that policy. The most restrictive combination applies. Tag keys that are not mentioned in any policy are allowed.
The default is `case_sensitive: true`. This means that tag keys and values are case-sensitive. For example, `Environment` and `environment` are considered different keys. To make them case-insensitive, you must explicitly set `"case_sensitive": false` in the policy JSON for that tag key.
Yes, you can use the `enforced_for` field to specify which resource types the rule applies to. For example, `"enforced_for": ["ec2:instance"]` will apply the rule only to EC2 instances. If you omit `enforced_for`, the rule applies to all resource types that support tagging.
You can view noncompliant resources in the AWS Organizations console under Policies > Tag policies > select the policy > Noncompliant resources tab. You can also use the AWS CLI command `aws organizations list-policies-for-target` to see applied policies, and `aws organizations describe-policy` to get policy details. For programmatic access, use the `GetComplianceDetails` API.
You cannot attach a tag policy to an account that is not part of your AWS Organizations. Only accounts within the organization can have tag policies attached. If you attempt to do so, the API will return an error. The account must be a member of the organization or the management account.
Tag policies cannot enforce that a resource has at least one tag. They only define rules for tags that are present. To enforce that resources must have certain tags, you need to use AWS Config rules that evaluate whether the required tags exist. Tag policies can specify allowed values for tags, but they do not require the tag to be present.
You've just covered Tag Policies in AWS Organizations — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?