Tag Compliance Across Resources (EC2, ASG, ELB, S3, etc)¶
Add or Change Tag Values¶
The
tag
action can apply a tag to a resource. If that tag already exists, the value will be updated.Note
Cloud Custodian tagging operations operate on tag keys specified in the policy. If a policy doesn’t specify a tag key, Custodian will use the
maid_status
tag by default.Prefer explicitly specifying tag keys to avoid confusion.
Here’s an example of changing the value of an extant
CostCenter
tag.policies: - name: ec2-tag-instances resource: ec2 filters: - "tag:CostCenter": foobar actions: - type: tag key: CostCenter value: barrum
Report on Tag Compliance¶
This policy matches any EC2 instances that don’t have
Owner
,CostCenter
, orProject
tags defined.policies: - name: ec2-tag-compliance resource: ec2 comment: | Report on total count of non compliant instances filters: - or: - "tag:Owner": absent - "tag:CostCenter": absent - "tag:Project": absent
Enforce Tag Compliance - EC2¶
All EC2 non-AutoScaling instances that do not have the three required tags (
CostCenter
,Owner
,Project
) will be stopped hourly after 2 days, and terminated after 5 days.This set of policies uses the
c7n_status
tag to plan and execute delayed actions.policies: - name: ec2-tag-compliance-mark resource: ec2 comment: | Find all (non-ASG) instances that are not conformant to tagging policies, and tag them for stoppage in 1 days. filters: - "tag:aws:autoscaling:groupName": absent - "tag:c7n_status": absent - or: - "tag:Owner": absent - "tag:CostCenter": absent - "tag:Project": absent actions: - type: mark-for-op tag: c7n_status op: stop days: 1 - name: ec2-tag-compliance-unmark resource: ec2 comment: | Any instances which have previously been marked as non compliant with tag policies, that are now compliant should be unmarked as non-compliant. filters: - "tag:Owner": not-null - "tag:CostCenter": not-null - "tag:Project": not-null - "tag:c7n_status": not-null actions: - type: remove-tag tags: - c7n_status - name: ec2-tag-compliance-stop resource: ec2 comment: | Stop all non autoscaling group instances previously marked for stoppage by today's date, and schedule termination in 2 days. Also verify that they continue to not meet tagging policies. filters: - "tag:aws:autoscaling:groupName": absent - type: marked-for-op tag: c7n_status op: stop - or: - "tag:Owner": absent - "tag:CostCenter": absent - "tag:Project": absent actions: - stop - type: mark-for-op tag: c7n_status op: terminate days: 3 - name: ec2-tag-compliance-terminate resource: ec2 comment: | Terminate all stopped instances marked for termination by today's date. filters: - "tag:aws:autoscaling:groupName": absent - type: marked-for-op tag: c7n_status op: terminate - or: - "tag:Owner": absent - "tag:CostCenter": absent - "tag:Project": absent actions: - type: terminate force: true - name: ec2-tag-compliance-nag-stop resource: ec2 comment: | Stop all instances marked for termination every hour starting 1 day before their termination. filters: - "tag:aws:autoscaling:groupName": absent - type: marked-for-op tag: c7n_status op: terminate skew: 1 - or: - "tag:CostCenter": absent - "tag:Owner": absent - "tag:Project": absent actions: - stop
Enforce Tag Compliance - AutoScaling Groups¶
All AutoScaling Groups that do not have the 5 required tags: (Resource Contact, Billing Cost Center, Environment, Resource Purpose, Business Unit) will be suspended and stopped once after 24 hours and then hourly after 2 days, and terminated after 3 days. We are using a custom tag named
c7n_tag_compliance
to plan delayed actions, and YAML anchors to reuse the same set of filters across multiple policies in the same file.vars: tag-filters: &tag-compliance-filters - "tag:Resource Contact": absent - "tag:Billing Cost Center": absent - "tag:Environment": absent - "tag:Resource Purpose": absent - "tag:Business Unit": absent policies: - name: asg-tag-compliance-mark-new-day-0 resource: asg mode: type: cloudtrail events: - source: autoscaling.amazonaws.com event: CreateAutoScalingGroup ids: requestParameters.autoScalingGroupName description: | Marks newly launched non-compliant ASGs if missing any of the required tags also tags the owners. comments: | Your ASG and ASG instances do not have all the required tags on them and will be suspended in 24 hours if all the required tags have not been added. If tags are not made compliant after 3 days your ASG and instances will be deleted. filters: - "tag:c7n_tag_compliance": absent - or: *tag-compliance-filters actions: - type: mark-for-op tag: c7n_tag_compliance op: suspend days: 1 - type: auto-tag-user tag: CreatorName principal_id_tag: CreatorId - type: notify template: default.html priority_header: 1 subject: "ASG - Missing Required Tags - [custodian {{ account }} - {{ region }}]" violation_desc: | Your ASG and related servers are missing the required tags and is now marked for suspension if tags not added within 24 hours: action_desc: | "Actions Taken: The ASG is marked to be suspended tomorrow if required tags don't get added to the ASG" to: - CloudCustodian@Company.com - event-owner transport: type: sqs queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer region: us-east-1 - name: asg-tag-compliance-unmark resource: asg mode: type: periodic schedule: "rate(5 minutes)" description: | Any ASG which have previously been marked as non compliant with tag policies, that are now compliant should be unmarked as non-compliant. comments: | Thank you for adding the required tags to your ASG! It is now compliant and has been resumed if it was in a suspended state. filters: - "tag:c7n_tag_compliance": not-null - not: - or: *tag-compliance-filters actions: - type: unmark key: "c7n_tag_compliance" - resume - type: propagate-tags tags: - "Resource Contact" - "Billing Cost Center" - "Environment" - "Resource Purpose" - "Business Unit" - type: notify template: default.html priority_header: 1 subject: "ASG - AutoScaling Group is now compliant - [custodian {{ account }} - {{ region }}]" violation_desc: | "Your ASG which was previously missing required tags is now compliant and won't be suspended:" action_desc: | "Actions Taken: The ASG has been unmarked for suspending as its now compliant with tags" to: - resource-owner transport: type: sqs queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer region: us-east-1 - name: asg-tag-compliance-suspend-day-1 resource: asg mode: type: periodic schedule: "rate(1 hour)" description: | Suspends the ASG and resizes to 0 instances as the tags are still not compliant comments: | Your ASG has been suspended and resized to 0 instances as they do not have all the required tags on them. Please login to AWS and add the required tags to your ASG. Starting tomorrow hourly emails and suspensions will start occuring if the ASG is still not compliant. The following day your ASG will be deleted. filters: - or: *tag-compliance-filters - type: marked-for-op tag: c7n_tag_compliance op: suspend - type: value key: CreatedTime op: gte value_type: age value: 1 actions: - suspend - type: mark-for-op tag: c7n_tag_compliance op: delete days: 2 - type: notify template: default.html priority_header: 1 subject: "ASG - !!!! Missing Required Tags !!!! - [custodian {{ account }} - {{ region }}]" violation_desc: | "Your ASG is missing the required tags and will be deleted in 2 days if still not compliant. Until then the ASG will be suspended every hour until tagged:" action_desc: | "Actions Taken: The ASG has been suspended as it doesn't meet tagging requirements. Please tag your ASG. ASG will be deleted in 2 days if not tagged." to: - resource-owner transport: type: sqs queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer region: us-east-1 - name: asg-tag-compliance-nag-stop-day-2 resource: asg mode: type: periodic schedule: "rate(1 hour)" description: | Suspends ASGT and stops ASG instances every hour starting 1 day before their deletion if tags are still not compliant. filters: - or: *tag-compliance-filters - type: marked-for-op tag: c7n_tag_compliance op: delete skew: 1 - type: value key: CreatedTime op: gte value_type: age value: 2 actions: - suspend - type: notify template: default.html priority_header: 1 subject: "ASG - AutoScaling Group Suspended!!! - [custodian {{ account }} - {{ region }}]" violation_desc: | "Your ASG is missing the required tags and will be deleted in less than 1 day if still not compliant. Until then the ASG will be suspended every hour until tagged or Deleted:" action_desc: | "Actions Taken: The ASG has been suspended and set to 0 instances as it doesn't meet tagging requirements. Please tag your ASG now. ASG will be deleted in less than 1 day if not tagged." to: - resource-owner transport: type: sqs queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer region: us-east-1 - name: asg-tag-compliance-delete-day3 resource: asg mode: type: periodic schedule: "rate(1 hour)" description: | Delete all ASG marked for deletion by today's date. comments: | Your ASG has been deleted as it still did not meet the required tag compliance! filters: - or: *tag-compliance-filters - type: marked-for-op tag: c7n_tag_compliance op: delete - type: value key: CreatedTime op: gte value_type: age value: 3 actions: - type: delete force: true - type: notify template: default.html priority_header: 1 subject: "ASG - ASG Deleted Due To Missing Tags - [custodian {{ account }} - {{ region }}]" violation_desc: "Your ASG is still missing the required tags :" action_desc: | "Actions Taken: The ASG has been Deleted. A new ASG will need to be launched to replace this if needed. Please make sure to tag the new ASG" to: - CloudCustodian@Company.com - resource-owner transport: type: sqs queue: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXX/cloud-custodian-mailer region: us-east-1