AWS Organizations Tag Policies

Overview

The AWS Organizations Tag Policies policy pack is a pre-built policy pack that integrates Pulumi with AWS Organizations. This integration validates your infrastructure as code against Tag Policies configured in AWS Organizations, blocking deployments when required tags are missing. For more information about enforcing tag policies with AWS Organizations Tag Policies, see the AWS documentation.

How it works

Configure tag policies in AWS Organizations: Define your required tags using tag policies, specifying which tags are mandatory for which resource types. The pack reads all tag requirements specified by the report_required_tag_for field in your tag policy configuration.
Enable the pack in Pulumi Cloud: Add the AWS Organizations Tag Policies pack to your Pulumi organization, and configure a policy group. The pack supports two enforcement levels: advisory mode (warns about missing tags without blocking deployments) and mandatory mode (blocks non-compliant deployments).
Validation during deployment: When you run pulumi up, the policy pack retrieves your tag policy requirements from AWS and validates that resources have the specified tags.
Enforcement levels: Start in advisory mode to surface violations without blocking deployments. All policy violations are displayed in the Pulumi Cloud Policy Findings page for monitoring and tracking, enabling a controlled migration to compliance. Once your Pulumi programs are compliant, switch to mandatory mode to block any future non-compliant deployments.

The pack uses AWS Organizations tag policies as the source of truth. Tag requirements are managed in AWS, not in Pulumi configuration.

Prerequisites

Before using this policy pack, complete the following setup in AWS:

Configure tag policies in AWS Organizations

Tag policies must be configured in your AWS Organization to define which tags are required for your resources. For detailed instructions, see the AWS Organizations Tag Policies documentation.

Grant required permissions

The AWS credentials used by your Pulumi stack must have permission to call the AWS Resource Groups Tagging API. Add the following IAM policy to the role or user running Pulumi deployments:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "resourcegroupstaggingapi:ListRequiredTags",
      "Resource": "*"
    }
  ]
}

The policy pack will use the same AWS credentials configured for your stack to fetch the required tags configuration.

Enabling the pack

To enable this policy pack for your organization:

From within your organization, navigate to the Policies tab
Under Policy Packs, select the Available tab
Select AWS Organizations Tag Policies and select Add to organization
From the Organizations tab, apply the policy to a Policy Group to enforce tag validation

For more information about enabling policy packs, see Pre-Built Packs.

Policy reference

This pack includes a single resource policy:

Policy Name	Description	Default Enforcement Level	Severity
aws-tag-policies-compliance-validation	Validates that resources have required tags as defined in AWS Organizations Tag Policies	advisory	low

Supported resources

The pack works with both the AWS (pulumi/aws) and AWS Native (pulumi/aws-native) Pulumi providers.

AWS Native Provider types

The AWS Native Provider (pulumi/aws-native) is based on AWS Cloud Control, and hence is natively supported by the AWS Organizations Tag Policies report_required_tag_for setting. For a complete list of supported resource types, see Supported resources for tag policies enforcement in the AWS documentation.

AWS Provider types

The AWS Provider (pulumi/aws) uses different resource type naming conventions than AWS Cloud Control. The pack automatically maps AWS tag policy resource types (specified in report_required_tag_for) to their corresponding Pulumi AWS resource types. The following table shows the supported mappings:

AWS report_required_tag_for	Pulumi Types
access-analyzer:analyzer	aws:accessanalyzer/analyzer:Analyzer
acm-pca:certificate-authority	aws:acmpca/certificateAuthority:CertificateAuthority
acm:certificate	aws:acm/certificate:Certificate
airflow:environment	aws:mwaa/environment:Environment
amplify:apps	aws:amplify/app:App
app-integrations:data-integration	aws:appintegrations/dataIntegration:DataIntegration
appconfig:application	aws:appconfig/application:Application
appconfig:application/configurationprofile	aws:appconfig/configurationProfile:ConfigurationProfile
appconfig:application/environment	aws:appconfig/environment:Environment
appconfig:deploymentstrategy	aws:appconfig/deploymentStrategy:DeploymentStrategy
appconfig:extension	aws:appconfig/extension:Extension
appflow:flow	aws:appflow/flow:Flow
applicationinsights:application	aws:applicationinsights/application:Application
appmesh:mesh	aws:appmesh/mesh:Mesh
appmesh:mesh/virtualGateway	aws:appmesh/virtualGateway:VirtualGateway
appmesh:mesh/virtualGateway/gatewayRoute	aws:appmesh/gatewayRoute:GatewayRoute
appmesh:mesh/virtualNode	aws:appmesh/virtualNode:VirtualNode
appmesh:mesh/virtualRouter	aws:appmesh/virtualRouter:VirtualRouter
appmesh:mesh/virtualRouter/route	aws:appmesh/route:Route
appmesh:mesh/virtualService	aws:appmesh/virtualService:VirtualService
apprunner:autoscalingconfiguration	aws:apprunner/autoScalingConfigurationVersion:AutoScalingConfigurationVersion
apprunner:observabilityconfiguration	aws:apprunner/observabilityConfiguration:ObservabilityConfiguration
apprunner:service	aws:apprunner/service:Service
apprunner:vpcconnector	aws:apprunner/vpcConnector:VpcConnector
apprunner:vpcingressconnection	aws:apprunner/vpcIngressConnection:VpcIngressConnection
appstream:fleet	aws:appstream/fleet:Fleet
appstream:image-builder	aws:appstream/imageBuilder:ImageBuilder
appstream:stack	aws:appstream/stack:Stack
aps:rulegroupsnamespace	aws:amp/ruleGroupNamespace:RuleGroupNamespace
aps:workspace	aws:amp/workspace:Workspace
athena:capacity-reservation	aws:athena/capacityReservation:CapacityReservation
athena:datacatalog	aws:athena/dataCatalog:DataCatalog
athena:workgroup	aws:athena/workgroup:Workgroup
auditmanager:assessment	aws:auditmanager/assessment:Assessment
backup:backup-plan	aws:backup/plan:Plan
backup:framework	aws:backup/framework:Framework
backup:report-plan	aws:backup/reportPlan:ReportPlan
backup:restore-testing-plan	aws:backup/restoreTestingPlan:RestoreTestingPlan
batch:compute-environment	aws:batch/computeEnvironment:ComputeEnvironment
batch:job-definition	aws:batch/jobDefinition:JobDefinition
batch:job-queue	aws:batch/jobQueue:JobQueue
batch:scheduling-policy	aws:batch/schedulingPolicy:SchedulingPolicy
bcm-data-exports:export	aws:bcmdata/export:Export
bedrock:agent	aws:bedrock/agentAgent:AgentAgent
bedrock:agent-alias	aws:bedrock/agentAgentAlias:AgentAgentAlias
bedrock:application-inference-profile	aws:bedrock/inferenceProfile:InferenceProfile
bedrock:flow	aws:bedrock/agentFlow:AgentFlow
bedrock:guardrail	aws:bedrock/guardrail:Guardrail
bedrock:knowledge-base	aws:bedrock/agentKnowledgeBase:AgentKnowledgeBase
bedrock:prompt	aws:bedrock/agentPrompt:AgentPrompt
budgets:budget	aws:budgets/budget:Budget
budgets:budget/action	aws:budgets/budgetAction:BudgetAction
cassandra:keyspace	aws:keyspaces/keyspace:Keyspace
catalog:portfolio	aws:servicecatalog/portfolio:Portfolio
ce:anomalymonitor	aws:costexplorer/anomalyMonitor:AnomalyMonitor
ce:anomalysubscription	aws:costexplorer/anomalySubscription:AnomalySubscription
ce:costcategory	aws:costexplorer/costCategory:CostCategory
cleanrooms:configuredtable	aws:cleanrooms/configuredTable:ConfiguredTable
cloudformation:stack	aws:cloudformation/stack:Stack
cloudformation:stackset	aws:cloudformation/stackSet:StackSet
cloudfront:distribution	aws:cloudfront/distribution:Distribution
cloudtrail:eventdatastore	aws:cloudtrail/eventDataStore:EventDataStore
cloudtrail:trail	aws:cloudtrail/trail:Trail
cloudwatch:alarm	aws:cloudwatch/metricAlarm:MetricAlarm
cloudwatch:insight-rule	aws:cloudwatch/contributorInsightRule:ContributorInsightRule
cloudwatch:metric-stream	aws:cloudwatch/metricStream:MetricStream
codeartifact:domain	aws:codeartifact/domain:Domain
codeartifact:repository	aws:codeartifact/repository:Repository
codebuild:project	aws:codebuild/project:Project
codebuild:report-group	aws:codebuild/reportGroup:ReportGroup
codecommit:repository	aws:codecommit/repository:Repository
codeconnections:connection	aws:codeconnections/connection:Connection
codedeploy:application	aws:codedeploy/application:Application
codeguru-profiler:profilingGroup	aws:codeguruprofiler/profilingGroup:ProfilingGroup
codeguru-reviewer:association	aws:codegurureviewer/repositoryAssociation:RepositoryAssociation
codepipeline:actiontype	aws:codepipeline/customActionType:CustomActionType
codepipeline:pipeline	aws:codepipeline/pipeline:Pipeline
codepipeline:webhook	aws:codepipeline/webhook:Webhook
codestar-connections:connection	aws:codestarconnections/connection:Connection
codestar-notifications:notificationrule	aws:codestarnotifications/notificationRule:NotificationRule
cognito-identity:identitypool	aws:cognito/identityPool:IdentityPool
cognito-idp:userpool	aws:cognito/userPool:UserPool
comprehend:document-classifier	aws:comprehend/documentClassifier:DocumentClassifier
config:aggregation-authorization	aws:cfg/aggregateAuthorization:AggregateAuthorization
config:config-aggregator	aws:cfg/configurationAggregator:ConfigurationAggregator
config:config-rule	aws:cfg/rule:Rule
connect:instance	aws:connect/instance:Instance
connect:instance/agent	aws:connect/user:User
connect:instance/contact-flow	aws:connect/contactFlow:ContactFlow
connect:instance/flow-module	aws:connect/contactFlowModule:ContactFlowModule
connect:instance/operating-hours	aws:connect/hoursOfOperation:HoursOfOperation
connect:instance/queue	aws:connect/queue:Queue
connect:instance/routing-profile	aws:connect/routingProfile:RoutingProfile
connect:instance/security-profile	aws:connect/securityProfile:SecurityProfile
connect:instance/transfer-destination	aws:connect/quickConnect:QuickConnect
connect:phone-number	aws:connect/phoneNumber:PhoneNumber
cur:definition	aws:cur/reportDefinition:ReportDefinition
datasync:task	aws:datasync/task:Task
datazone:domain	aws:datazone/domain:Domain
dax:cache	aws:dax/cluster:Cluster
detective:graph	aws:detective/graph:Graph
devicefarm:instanceprofile	aws:devicefarm/instanceProfile:InstanceProfile
devicefarm:project	aws:devicefarm/project:Project
devicefarm:testgrid-project	aws:devicefarm/testGridProject:TestGridProject
dlm:policy	aws:dlm/lifecyclePolicy:LifecyclePolicy
dms:cert	aws:dms/certificate:Certificate
dms:endpoint	aws:dms/endpoint:Endpoint
dms:es	aws:dms/eventSubscription:EventSubscription
dms:rep	aws:dms/replicationInstance:ReplicationInstance
dms:replication-config	aws:dms/replicationConfig:ReplicationConfig
dms:subgrp	aws:dms/replicationSubnetGroup:ReplicationSubnetGroup
dms:task	aws:dms/replicationTask:ReplicationTask
dsql:cluster	aws:dsql/cluster:Cluster
dynamodb:table	aws:dynamodb/table:Table
ec2:capacity-reservation	aws:ec2/capacityReservation:CapacityReservation
ec2:carrier-gateway	aws:ec2/carrierGateway:CarrierGateway
ec2:customer-gateway	aws:ec2/customerGateway:CustomerGateway
ec2:dedicated-host	aws:ec2/dedicatedHost:DedicatedHost
ec2:dhcp-options	aws:ec2/vpcDhcpOptions:VpcDhcpOptions
ec2:egress-only-internet-gateway	aws:ec2/egressOnlyInternetGateway:EgressOnlyInternetGateway
ec2:elastic-ip	aws:ec2/eip:Eip
ec2:fleet	aws:ec2/fleet:Fleet
ec2:instance	aws:ec2/instance:Instance
ec2:internet-gateway	aws:ec2/internetGateway:InternetGateway
ec2:ipam	aws:ec2/vpcIpam:VpcIpam
ec2:ipam-pool	aws:ec2/vpcIpamPool:VpcIpamPool
ec2:ipam-resource-discovery	aws:ec2/vpcIpamResourceDiscovery:VpcIpamResourceDiscovery
ec2:ipam-resource-discovery-association	aws:ec2/vpcIpamResourceDiscoveryAssociation:VpcIpamResourceDiscoveryAssociation
ec2:ipam-scope	aws:ec2/vpcIpamScope:VpcIpamScope
ec2:key-pair	aws:ec2/keyPair:KeyPair
ec2:launch-template	aws:ec2/launchTemplate:LaunchTemplate
ec2:local-gateway-route-table-vpc-association	aws:ec2/localGatewayRouteTableVpcAssociation:LocalGatewayRouteTableVpcAssociation
ec2:natgateway	aws:ec2/natGateway:NatGateway
ec2:network-acl	aws:ec2/networkAcl:NetworkAcl
ec2:network-insights-analysis	aws:ec2/networkInsightsAnalysis:NetworkInsightsAnalysis
ec2:network-insights-path	aws:ec2/networkInsightsPath:NetworkInsightsPath
ec2:network-interface	aws:ec2/networkInterface:NetworkInterface
ec2:placement-group	aws:ec2/placementGroup:PlacementGroup
ec2:prefix-list	aws:ec2/managedPrefixList:ManagedPrefixList
ec2:route-table	aws:ec2/routeTable:RouteTable
ec2:security-group	aws:ec2/securityGroup:SecurityGroup
ec2:spot-fleet-request	aws:ec2/spotFleetRequest:SpotFleetRequest
ec2:subnet	aws:ec2/subnet:Subnet
ec2:traffic-mirror-filter	aws:ec2/trafficMirrorFilter:TrafficMirrorFilter
ec2:traffic-mirror-session	aws:ec2/trafficMirrorSession:TrafficMirrorSession
ec2:traffic-mirror-target	aws:ec2/trafficMirrorTarget:TrafficMirrorTarget
ec2:transit-gateway	aws:ec2transitgateway/transitGateway:TransitGateway
ec2:transit-gateway-connect-peer	aws:ec2transitgateway/connectPeer:ConnectPeer
ec2:transit-gateway-multicast-domain	aws:ec2transitgateway/multicastDomain:MulticastDomain
ec2:transit-gateway-route-table	aws:ec2transitgateway/routeTable:RouteTable
ec2:volume	aws:ebs/volume:Volume
ec2:vpc	aws:ec2/vpc:Vpc
ec2:vpc-block-public-access-exclusion	aws:ec2/vpcBlockPublicAccessExclusion:VpcBlockPublicAccessExclusion
ec2:vpc-endpoint	aws:ec2/vpcEndpoint:VpcEndpoint
ec2:vpc-endpoint-service	aws:ec2/vpcEndpointService:VpcEndpointService
ec2:vpc-flow-log	aws:ec2/flowLog:FlowLog
ec2:vpc-peering-connection	aws:ec2/vpcPeeringConnection:VpcPeeringConnection
ec2:vpn-connection	aws:ec2/vpnConnection:VpnConnection
ec2:vpn-gateway	aws:ec2/vpnGateway:VpnGateway
ecr:repository	aws:ecr/repository:Repository
ecs:capacity-provider	aws:ecs/capacityProvider:CapacityProvider
ecs:cluster	aws:ecs/cluster:Cluster
ecs:service	aws:ecs/service:Service
ecs:task-definition	aws:ecs/taskDefinition:TaskDefinition
ecs:task-set	aws:ecs/taskSet:TaskSet
eks:access-entry	aws:eks/accessEntry:AccessEntry
eks:addon	aws:eks/addon:Addon
eks:cluster	aws:eks/cluster:Cluster
eks:fargateprofile	aws:eks/fargateProfile:FargateProfile
eks:identityproviderconfig	aws:eks/identityProviderConfig:IdentityProviderConfig
eks:nodegroup	aws:eks/nodeGroup:NodeGroup
eks:podidentityassociation	aws:eks/podIdentityAssociation:PodIdentityAssociation
elasticache:cluster	aws:elasticache/cluster:Cluster
elasticache:parametergroup	aws:elasticache/parameterGroup:ParameterGroup
elasticache:replicationgroup	aws:elasticache/replicationGroup:ReplicationGroup
elasticache:subnetgroup	aws:elasticache/subnetGroup:SubnetGroup
elasticache:user	aws:elasticache/user:User
elasticache:usergroup	aws:elasticache/userGroup:UserGroup
elasticbeanstalk:application	aws:elasticbeanstalk/application:Application
elasticbeanstalk:applicationversion	aws:elasticbeanstalk/applicationVersion:ApplicationVersion
elasticbeanstalk:environment	aws:elasticbeanstalk/environment:Environment
elasticfilesystem:access-point	aws:efs/accessPoint:AccessPoint
elasticfilesystem:file-system	aws:efs/fileSystem:FileSystem
elasticloadbalancing:listener	aws:alb/listener:Listener aws:lb/listener:Listener
elasticloadbalancing:listener-rule	aws:alb/listenerRule:ListenerRule aws:lb/listenerRule:ListenerRule
elasticloadbalancing:loadbalancer	aws:alb/loadBalancer:LoadBalancer aws:lb/loadBalancer:LoadBalancer
elasticloadbalancing:targetgroup	aws:alb/targetGroup:TargetGroup aws:lb/targetGroup:TargetGroup
elasticloadbalancing:truststore	aws:lb/trustStore:TrustStore
elasticmapreduce:cluster	aws:emr/cluster:Cluster
emr-containers:virtualclusters	aws:emrcontainers/virtualCluster:VirtualCluster
emr-serverless:applications	aws:emrserverless/application:Application
events:event-bus	aws:cloudwatch/eventBus:EventBus
events:rule	aws:cloudwatch/eventRule:EventRule
firehose:deliverystream	aws:kinesis/firehoseDeliveryStream:FirehoseDeliveryStream
fis:experiment-template	aws:fis/experimentTemplate:ExperimentTemplate
fsx:association	aws:fsx/dataRepositoryAssociation:DataRepositoryAssociation
fsx:file-system	aws:fsx/lustreFileSystem:LustreFileSystem aws:fsx/ontapFileSystem:OntapFileSystem aws:fsx/openZfsFileSystem:OpenZfsFileSystem aws:fsx/windowsFileSystem:WindowsFileSystem
fsx:snapshot	aws:fsx/openZfsSnapshot:OpenZfsSnapshot
fsx:storage-virtual-machine	aws:fsx/ontapStorageVirtualMachine:OntapStorageVirtualMachine
fsx:volume	aws:fsx/ontapVolume:OntapVolume aws:fsx/openZfsVolume:OpenZfsVolume
gamelift:alias	aws:gamelift/alias:Alias
gamelift:build	aws:gamelift/build:Build
gamelift:fleet	aws:gamelift/fleet:Fleet
gamelift:gameservergroup	aws:gamelift/gameServerGroup:GameServerGroup
gamelift:gamesessionqueue	aws:gamelift/gameSessionQueue:GameSessionQueue
gamelift:script	aws:gamelift/script:Script
geo:geofence-collection	aws:location/geofenceCollection:GeofenceCollection
geo:map	aws:location/map:Map
geo:place-index	aws:location/placeIndex:PlaceIndex
geo:route-calculator	aws:location/routeCalculation:RouteCalculation
geo:tracker	aws:location/tracker:Tracker
globalaccelerator:accelerator	aws:globalaccelerator/accelerator:Accelerator
globalaccelerator:attachment	aws:globalaccelerator/crossAccountAttachment:CrossAccountAttachment
glue:connection	aws:glue/connection:Connection
glue:crawler	aws:glue/crawler:Crawler
glue:dataQualityRuleset	aws:glue/dataQualityRuleset:DataQualityRuleset
glue:database	aws:glue/catalogDatabase:CatalogDatabase
glue:job	aws:glue/job:Job
glue:mlTransform	aws:glue/mLTransform:MLTransform
glue:registry	aws:glue/registry:Registry
glue:schema	aws:glue/schema:Schema
glue:trigger	aws:glue/trigger:Trigger
grafana:workspaces	aws:grafana/workspace:Workspace
guardduty:detector	aws:guardduty/detector:Detector
guardduty:detector/filter	aws:guardduty/filter:Filter
guardduty:detector/ipset	aws:guardduty/iPSet:IPSet
guardduty:detector/threatintelset	aws:guardduty/threatIntelSet:ThreatIntelSet
guardduty:malware-protection-plan	aws:guardduty/malwareProtectionPlan:MalwareProtectionPlan
iam:instance-profile	aws:iam/instanceProfile:InstanceProfile
iam:mfa	aws:iam/virtualMfaDevice:VirtualMfaDevice
iam:oidc-provider	aws:iam/openIdConnectProvider:OpenIdConnectProvider
iam:role	aws:iam/role:Role
iam:saml-provider	aws:iam/samlProvider:SamlProvider
iam:server-certificate	aws:iam/serverCertificate:ServerCertificate
iam:user	aws:iam/user:User
imagebuilder:component	aws:imagebuilder/component:Component
imagebuilder:container-recipe	aws:imagebuilder/containerRecipe:ContainerRecipe
imagebuilder:distribution-configuration	aws:imagebuilder/distributionConfiguration:DistributionConfiguration
imagebuilder:image	aws:imagebuilder/image:Image
imagebuilder:image-pipeline	aws:imagebuilder/imagePipeline:ImagePipeline
imagebuilder:image-recipe	aws:imagebuilder/imageRecipe:ImageRecipe
imagebuilder:infrastructure-configuration	aws:imagebuilder/infrastructureConfiguration:InfrastructureConfiguration
imagebuilder:lifecycle-policy	aws:imagebuilder/lifecyclePolicy:LifecyclePolicy
imagebuilder:workflow	aws:imagebuilder/workflow:Workflow
inspector2:filter	aws:inspector2/filter:Filter
internetmonitor:monitor	aws:cloudwatch/internetMonitor:InternetMonitor
iot:authorizer	aws:iot/authorizer:Authorizer
iot:billinggroup	aws:iot/billingGroup:BillingGroup
iot:cacert	aws:iot/caCertificate:CaCertificate
iot:policy	aws:iot/policy:Policy
iot:provisioningtemplate	aws:iot/provisioningTemplate:ProvisioningTemplate
iot:rolealias	aws:iot/roleAlias:RoleAlias
iot:rule	aws:iot/topicRule:TopicRule
iot:thinggroup	aws:iot/thingGroup:ThingGroup
iot:thingtype	aws:iot/thingType:ThingType
ivs:channel	aws:ivs/channel:Channel
ivs:playback-key	aws:ivs/playbackKeyPair:PlaybackKeyPair
ivs:recording-configuration	aws:ivs/recordingConfiguration:RecordingConfiguration
kafka:replicator	aws:msk/replicator:Replicator
kafkaconnect:custom-plugin	aws:mskconnect/customPlugin:CustomPlugin
kafkaconnect:worker-configuration	aws:mskconnect/workerConfiguration:WorkerConfiguration
kendra:index	aws:kendra/index:Index
kendra:index/data-source	aws:kendra/dataSource:DataSource
kinesis:stream	aws:kinesis/stream:Stream
kinesis:stream/consumer	aws:kinesis/streamConsumer:StreamConsumer
kinesisanalytics:application	aws:kinesisanalyticsv2/application:Application
kinesisvideo:stream	aws:kinesis/videoStream:VideoStream
kms:key	aws:kms/key:Key
lambda:code-signing-config	aws:lambda/codeSigningConfig:CodeSigningConfig
lambda:event-source-mapping	aws:lambda/eventSourceMapping:EventSourceMapping
lambda:function	aws:lambda/function:Function
lightsail:Bucket	aws:lightsail/bucket:Bucket
lightsail:Certificate	aws:lightsail/certificate:Certificate
lightsail:ContainerService	aws:lightsail/containerService:ContainerService
lightsail:Disk	aws:lightsail/disk:Disk
lightsail:Distribution	aws:lightsail/distribution:Distribution
lightsail:Instance	aws:lightsail/instance:Instance
logs:anomaly-detector	aws:cloudwatch/logAnomalyDetector:LogAnomalyDetector
logs:delivery	aws:cloudwatch/logDelivery:LogDelivery
logs:delivery-destination	aws:cloudwatch/logDeliveryDestination:LogDeliveryDestination
logs:delivery-source	aws:cloudwatch/logDeliverySource:LogDeliverySource
logs:destination	aws:cloudwatch/logDestination:LogDestination
logs:log-group	aws:cloudwatch/logGroup:LogGroup
m2:env	aws:m2/environment:Environment
mediaconvert:queues	aws:mediaconvert/queue:Queue
medialive:inputSecurityGroup	aws:medialive/inputSecurityGroup:InputSecurityGroup
medialive:multiplex	aws:medialive/multiplex:Multiplex
mediapackage:channels	aws:mediapackage/channel:Channel
mediapackagev2:channelGroup	aws:mediapackagev2/channelGroup:ChannelGroup
memorydb:acl	aws:memorydb/acl:Acl
memorydb:cluster	aws:memorydb/cluster:Cluster
memorydb:parametergroup	aws:memorydb/parameterGroup:ParameterGroup
memorydb:subnetgroup	aws:memorydb/subnetGroup:SubnetGroup
memorydb:user	aws:memorydb/user:User
mobiletargeting:apps	aws:pinpoint/app:App
mq:broker	aws:mq/broker:Broker
mq:configuration	aws:mq/configuration:Configuration
network-firewall:firewall	aws:networkfirewall/firewall:Firewall
network-firewall:firewall-policy	aws:networkfirewall/firewallPolicy:FirewallPolicy
network-firewall:stateless-rulegroup	aws:networkfirewall/ruleGroup:RuleGroup
networkmanager:connect-peer	aws:networkmanager/connectPeer:ConnectPeer
networkmanager:core-network	aws:networkmanager/coreNetwork:CoreNetwork
networkmanager:device	aws:networkmanager/device:Device
networkmanager:global-network	aws:networkmanager/globalNetwork:GlobalNetwork
networkmanager:link	aws:networkmanager/link:Link
networkmanager:site	aws:networkmanager/site:Site
oam:sink	aws:oam/sink:Sink
organizations:account	aws:organizations/account:Account
organizations:ou	aws:organizations/organizationalUnit:OrganizationalUnit
organizations:resourcepolicy	aws:organizations/resourcePolicy:ResourcePolicy
osis:pipeline	aws:opensearchingest/pipeline:Pipeline
payment-cryptography:key	aws:paymentcryptography/key:Key
pipes:pipe	aws:pipes/pipe:Pipe
profile:domains	aws:customerprofiles/domain:Domain
ram:resource-share	aws:ram/resourceShare:ResourceShare
rbin:rule	aws:rbin/rule:Rule
rds:cev	aws:rds/customDbEngineVersion:CustomDbEngineVersion
rds:cluster	aws:docdb/cluster:Cluster
rds:cluster-pg	aws:docdb/clusterParameterGroup:ClusterParameterGroup aws:neptune/clusterParameterGroup:ClusterParameterGroup aws:rds/clusterParameterGroup:ClusterParameterGroup
rds:db	aws:docdb/clusterInstance:ClusterInstance aws:neptune/clusterInstance:ClusterInstance aws:rds/clusterInstance:ClusterInstance aws:rds/instance:Instance
rds:db-proxy	aws:rds/proxy:Proxy
rds:db-proxy-endpoint	aws:rds/proxyEndpoint:ProxyEndpoint
rds:es	aws:docdb/eventSubscription:EventSubscription aws:rds/eventSubscription:EventSubscription
rds:global-cluster	aws:rds/globalCluster:GlobalCluster
rds:og	aws:rds/optionGroup:OptionGroup
rds:pg	aws:neptune/parameterGroup:ParameterGroup aws:rds/parameterGroup:ParameterGroup
rds:subgrp	aws:docdb/subnetGroup:SubnetGroup aws:neptune/subnetGroup:SubnetGroup aws:rds/subnetGroup:SubnetGroup
redshift-serverless:namespace	aws:redshiftserverless/namespace:Namespace
redshift-serverless:workgroup	aws:redshiftserverless/workgroup:Workgroup
redshift:cluster	aws:redshift/cluster:Cluster
redshift:eventsubscription	aws:redshift/eventSubscription:EventSubscription
redshift:integration	aws:redshift/integration:Integration
redshift:parametergroup	aws:redshift/parameterGroup:ParameterGroup
redshift:subnetgroup	aws:redshift/subnetGroup:SubnetGroup
rekognition:collection	aws:rekognition/collection:Collection
resiliencehub:resiliency-policy	aws:resiliencehub/resiliencyPolicy:ResiliencyPolicy
resource-groups:group	aws:resourcegroups/group:Group
route53-recovery-control:cluster	aws:route53recoverycontrol/cluster:Cluster
route53-recovery-control:controlpanel	aws:route53recoverycontrol/controlPanel:ControlPanel
route53-recovery-control:controlpanel/safetyrule	aws:route53recoverycontrol/safetyRule:SafetyRule
route53-recovery-readiness:cell	aws:route53recoveryreadiness/cell:Cell
route53-recovery-readiness:readiness-check	aws:route53recoveryreadiness/readinessCheck:ReadinessCheck
route53-recovery-readiness:recovery-group	aws:route53recoveryreadiness/recoveryGroup:RecoveryGroup
route53-recovery-readiness:resource-set	aws:route53recoveryreadiness/resourceSet:ResourceSet
route53:healthcheck	aws:route53/healthCheck:HealthCheck
route53:hostedzone	aws:route53/zone:Zone
route53profiles:profile	aws:route53/profilesProfile:ProfilesProfile
route53profiles:profile-association	aws:route53/profilesAssociation:ProfilesAssociation
route53resolver:firewall-domain-list	aws:route53/resolverFirewallDomainList:ResolverFirewallDomainList
route53resolver:firewall-rule-group	aws:route53/resolverFirewallRuleGroup:ResolverFirewallRuleGroup
route53resolver:firewall-rule-group-association	aws:route53/resolverFirewallRuleGroupAssociation:ResolverFirewallRuleGroupAssociation
route53resolver:resolver-endpoint	aws:route53/resolverEndpoint:ResolverEndpoint
route53resolver:resolver-query-log-config	aws:route53/resolverQueryLogConfig:ResolverQueryLogConfig
route53resolver:resolver-rule	aws:route53/resolverRule:ResolverRule
rum:appmonitor	aws:rum/appMonitor:AppMonitor
s3:accesspoint	aws:s3/accessPoint:AccessPoint
s3:bucket	aws:s3/bucket:Bucket aws:s3/bucketV2:BucketV2
s3express:bucket	aws:s3/directoryBucket:DirectoryBucket
sagemaker:app	aws:sagemaker/app:App
sagemaker:app-image-config	aws:sagemaker/appImageConfig:AppImageConfig
sagemaker:code-repository	aws:sagemaker/codeRepository:CodeRepository
sagemaker:data-quality-job-definition	aws:sagemaker/dataQualityJobDefinition:DataQualityJobDefinition
sagemaker:domain	aws:sagemaker/domain:Domain
sagemaker:endpoint	aws:sagemaker/endpoint:Endpoint
sagemaker:endpoint-config	aws:sagemaker/endpointConfiguration:EndpointConfiguration
sagemaker:feature-group	aws:sagemaker/featureGroup:FeatureGroup
sagemaker:image	aws:sagemaker/image:Image
sagemaker:mlflow-tracking-server	aws:sagemaker/mlflowTrackingServer:MlflowTrackingServer
sagemaker:model	aws:sagemaker/model:Model
sagemaker:model-package-group	aws:sagemaker/modelPackageGroup:ModelPackageGroup
sagemaker:monitoring-schedule	aws:sagemaker/monitoringSchedule:MonitoringSchedule
sagemaker:notebook-instance	aws:sagemaker/notebookInstance:NotebookInstance
sagemaker:notebook-instance-lifecycle-config	aws:sagemaker/notebookInstanceLifecycleConfiguration:NotebookInstanceLifecycleConfiguration
sagemaker:pipeline	aws:sagemaker/pipeline:Pipeline
sagemaker:project	aws:sagemaker/project:Project
sagemaker:space	aws:sagemaker/space:Space
sagemaker:studio-lifecycle-config	aws:sagemaker/studioLifecycleConfig:StudioLifecycleConfig
sagemaker:user-profile	aws:sagemaker/userProfile:UserProfile
sagemaker:workteam	aws:sagemaker/workteam:Workteam
scheduler:schedule-group	aws:scheduler/scheduleGroup:ScheduleGroup
schemas:discoverer	aws:schemas/discoverer:Discoverer
schemas:registry	aws:schemas/registry:Registry
schemas:schema	aws:schemas/schema:Schema
secretsmanager:secret	aws:secretsmanager/secret:Secret
servicecatalog:applications	aws:servicecatalog/appregistryApplication:AppregistryApplication
servicecatalog:attribute-groups	aws:servicecatalog/appregistryAttributeGroup:AppregistryAttributeGroup
servicediscovery:service	aws:servicediscovery/service:Service
ses:configuration-set	aws:sesv2/configurationSet:ConfigurationSet
ses:contact-list	aws:sesv2/contactList:ContactList
ses:dedicated-ip-pool	aws:sesv2/dedicatedIpPool:DedicatedIpPool
ses:identity	aws:sesv2/emailIdentity:EmailIdentity
signer:signing-profiles	aws:signer/signingProfile:SigningProfile
sns:topic	aws:sns/topic:Topic
sqs:queue	aws:sqs/queue:Queue
ssm-incidents:replication-set	aws:ssmincidents/replicationSet:ReplicationSet
ssm-incidents:response-plan	aws:ssmincidents/responsePlan:ResponsePlan
ssm:association	aws:ssm/association:Association
ssm:document	aws:ssm/document:Document
ssm:maintenancewindow	aws:ssm/maintenanceWindow:MaintenanceWindow
ssm:parameter	aws:ssm/parameter:Parameter
ssm:patchbaseline	aws:ssm/patchBaseline:PatchBaseline
states:activity	aws:sfn/activity:Activity
states:stateMachine	aws:sfn/stateMachine:StateMachine
synthetics:canary	aws:synthetics/canary:Canary
synthetics:group	aws:synthetics/group:Group
timestream:database	aws:timestreamwrite/database:Database
timestream:database/table	aws:timestreamwrite/table:Table
timestream:scheduled-query	aws:timestreamquery/scheduledQuery:ScheduledQuery
transfer:agreement	aws:transfer/agreement:Agreement
transfer:certificate	aws:transfer/certificate:Certificate
transfer:connector	aws:transfer/connector:Connector
transfer:profile	aws:transfer/profile:Profile
transfer:server	aws:transfer/server:Server
transfer:user	aws:transfer/user:User
transfer:workflow	aws:transfer/workflow:Workflow
verifiedpermissions:policy-store	aws:verifiedpermissions/policyStore:PolicyStore
vpc-lattice:accesslogsubscription	aws:vpclattice/accessLogSubscription:AccessLogSubscription
vpc-lattice:service	aws:vpclattice/service:Service
vpc-lattice:service/listener	aws:vpclattice/listener:Listener
vpc-lattice:service/listener/rule	aws:vpclattice/listenerRule:ListenerRule
vpc-lattice:servicenetwork	aws:vpclattice/serviceNetwork:ServiceNetwork
vpc-lattice:servicenetworkserviceassociation	aws:vpclattice/serviceNetworkServiceAssociation:ServiceNetworkServiceAssociation
vpc-lattice:servicenetworkvpcassociation	aws:vpclattice/serviceNetworkVpcAssociation:ServiceNetworkVpcAssociation
vpc-lattice:targetgroup	aws:vpclattice/targetGroup:TargetGroup
workspaces-web:browserSettings	aws:workspacesweb/browserSettings:BrowserSettings
workspaces-web:ipAccessSettings	aws:workspacesweb/ipAccessSettings:IpAccessSettings
workspaces-web:networkSettings	aws:workspacesweb/networkSettings:NetworkSettings
workspaces-web:portal	aws:workspacesweb/portal:Portal
workspaces-web:trustStore	aws:workspacesweb/trustStore:TrustStore
workspaces-web:userAccessLoggingSettings	aws:workspacesweb/userAccessLoggingSettings:UserAccessLoggingSettings
workspaces-web:userSettings	aws:workspacesweb/userSettings:UserSettings
workspaces:connectionalias	aws:workspaces/connectionAlias:ConnectionAlias
xray:group	aws:xray/group:Group
xray:sampling-rule	aws:xray/samplingRule:SamplingRule

AWS Organizations Tag Policies

On this page

On this page

Overview

How it works

Prerequisites

Configure tag policies in AWS Organizations

Grant required permissions

Enabling the pack

Policy reference

Supported resources

AWS Native Provider types

AWS Provider types

On this page

On this page

AWS Organizations Tag Policies

On this page

On this page

Overview

How it works

Prerequisites

Configure tag policies in AWS Organizations

Grant required permissions

Enabling the pack

Policy reference

Supported resources

AWS Native Provider types

AWS Provider types

Related documentation

On this page

On this page