Monitoring Tag Compliance
Stax provides several ways to validate the tag compliance of resources within your Stax tenancy.
This guide covers the following approaches to provide tag visibility and governance:
- Adding tag compliance Rules to your Organization Rule Bundle
- Filter Tag Compliance Rules with Views
- Create a mixed dimensions View to filter compliance results
Before You Begin
- In order to add or edit a Rule within Stax, you'll need to be an admin
- Configuring new Rules generally takes 5 minutes
- Once a Rule is added, evaluation of the new Rule(s) may take 2-4 hours
- When you create a new Rule, any non-compliant resources may trigger notifications to other Stax users
- An individual Rule can be applied everywhere or to a specific segment, but a Rule Bundle is always applied everywhere
Adding Tag Compliance Rules to your Organization Bundle
Adding tag compliance Rules to your Organization Bundle is ideal when you want to monitor tag key and/or value compliance for all resources in your Stax tenancy.
- Log in to the Stax Console
- Navigate to Rules, then Catalog
- From the Rules Catalog, choose the appropriate tag Rule template.
  - To show only tag related Rule templates:
    - Search by keyword "tag"
    - Choose "Standardization" as the category of concern
- The following tag compliance Rules are available. See Supported AWS resources types for the list of AWS resources monitored by each rule.
  - EC2 instance tag keys should have specified values
  - EC2 instances should be tagged
  - EC2 instance tag keys should have tag keys
  - ECR repositories should enable immutable image tags
  - Resource tag keys should have specified values
  - Resource tag keys should not have specified values
  - Resource should have specified tag keys
  - Resource should not have specified tag keys
- Select the specific rule template to add to your Organization bundle
- Provide the input parameters
- Give the rule a meaningful name
- Once all input has been provided, click Add Rule to Org Bundle
Example 1: Ensuring when a tag Key is present, it only has one of the specified tag values
Example 2: Ensuring a Tag Key is always present
Supported AWS resources types by Rule
Rule Name | Supported AWS Resource Types |
---|---|
EC2 instance tag keys should have specified values | ec2 |
EC2 instances should be tagged | ec2 |
EC2 instance tag keys should have tag keys | ec2 |
ECR repositories should enable immutable image tags | ecr |
Resource tag keys should have specified values; Resource tag keys should not have specified values; Resource should have specified tag keys; Resource should not have specified tag keys | cloud-directory, distribution (cloudfront), streaming-distribution (cloudfront), cloudhsm-cluster, codebuild, dynamodb-table, dynamodb-backup, ebs-snapshot, ebs (ebs-volume), ami, asg, ec2, security-group, efs, cache-cluster (elasticache), cache-snapshot (elasticache), elb, app-elb, emr, glue-crawler, glue-dev-endpoint, glue-job, kms-key, rds, rds-cluster, rds-cluster-param-group, rds-cluster-snapshot, rds-param-group, rds-proxy, rds-snapshot, rds-subnet-group, rds-subscription, redshift, redshift-snapshot, redshift-subnet-group, healthcheck (route53), hostedzone (route53), s3, sns, sns-subscription, storage-gateway, sqs, customer-gateway, internet-gateway, network-acl, route-table, subnet, vpc, vpn-connection, vpn-gateway, workspaces |
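A local dry run of the four generic Resource tag Rules in the table above, useful for estimating which resources will fail before a Rule is added and notifications go out. This is an added example, not Stax code: the rule `kind` names, the inventory format, and the case-sensitive key matching are assumptions inferred from the Rule names.

```python
# Added example, not Stax code. Rule semantics (including case-sensitive key
# matching) are assumptions inferred from the Rule names on this page.
def check(tags, kind, keys, values=()):
    """Return failure reasons for one resource's tags (empty list = compliant)."""
    failures = []
    lowered = {k.strip().lower(): k for k in tags}  # for near-miss hints only
    for key in keys:
        present = key in tags  # AWS tag keys are case-sensitive
        if kind == "should_have_keys" and not present:
            near = lowered.get(key.lower())
            hint = f" (found near-miss key {near!r})" if near else ""
            failures.append(f"missing tag key {key!r}{hint}")
        elif kind == "should_not_have_keys" and present:
            failures.append(f"forbidden tag key {key!r}")
        elif kind == "keys_should_have_values" and present and tags[key] not in values:
            failures.append(f"{key}={tags[key]!r} not in allowed values")
        elif kind == "keys_should_not_have_values" and present and tags[key] in values:
            failures.append(f"{key}={tags[key]!r} is a forbidden value")
    return failures

def dry_run(inventory, rules):
    """Map rule name -> {resource id: [failures]}, non-compliant resources only."""
    report = {}
    for rule in rules:
        failing = {}
        for res in inventory:
            problems = check(res["tags"], rule["kind"], rule["keys"], rule.get("values", ()))
            if problems:
                failing[res["id"]] = problems
        report[rule["name"]] = failing
    return report

# Constructed sample inventory and Rule parameters (hypothetical values).
INVENTORY = [
    {"id": "i-0aaa", "tags": {"Environment": "prod", "Owner": "team-a"}},
    {"id": "i-0bbb", "tags": {"environment": "prod"}},       # mis-cased key
    {"id": "vol-0ccc", "tags": {"Environment": "testing"}},  # unexpected value
    {"id": "bucket-ddd", "tags": {}},                        # untagged
]
RULES = [
    {"name": "Environment key required", "kind": "should_have_keys", "keys": ["Environment"]},
    {"name": "Environment values", "kind": "keys_should_have_values",
     "keys": ["Environment"], "values": ["prod", "dev", "test"]},
]
if __name__ == "__main__":
    for name, failing in dry_run(INVENTORY, RULES).items():
        print(f"{name}: {len(failing)} non-compliant")
        for rid, problems in failing.items():
            print(f"  {rid}: {'; '.join(problems)}")
```

In the sample, the mis-cased `environment` key fails the key-required Rule but passes the value Rule, because the value check only applies when the exact key is present; pairing both Rule types closes that gap.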
Filter Tag Compliance Rules with Views
Utilizing Stax Views allows you to scope your tag compliance Rule to only a subset of AWS Accounts, Regions, AWS Products, or a combination of these dimensions.
If you don't already have an existing view, follow this guide to create a view. To combine multiple dimensions using advanced conditions in your view, see Create a Mixed Dimensions View to filter Compliance results.
- Log in to the Stax Console
- Navigate to Rules, under Compliance in the left-hand nav.
- From the Rules dropdown, select "Organization Rules".
- From the Global Filter, choose a View then a segment, to filter the compliance page to a single dimension
- Select the Rule to navigate to the Rule Details page for a list of all passing and failing AWS resources
Create a mixed dimensions View to filter compliance results
Utilizing Stax mixed dimensions Views, you can create segments that meet specific conditions based on your AWS environment and organizational needs. Combining multiple dimensions, such as Account, Region, Product, and Tag, allows you to customize how you see data for comparison and reporting purposes on the Cost and Wastage pages, as well as for managing your notifications and compliance posture.
To do this, you'll need to create a new mixed dimensions View that allocates resources to segments in that View. The example below shows how a mix of dimensions (Tag, AWS Account, and AWS Product) has been used to create conditions to match data.