# Tag your Amazon EC2 resources
To help you manage your instances, images, and other Amazon EC2 resources, you can assign your own metadata to each resource in the form of *tags*. Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type—you can quickly identify a specific resource based on the tags that you've assigned to it. This topic describes tags and shows you how to create them.
**Warning**
Tag keys and their values are returned by many different API calls. Denying access to `DescribeTags` doesn’t automatically deny access to tags returned by other APIs. As a best practice, we recommend that you do not include sensitive data in your tags.
**Topics**
+ [Tag basics](#tag-basics)
+ [Tag your resources](#tag-resources)
+ [Tag restrictions](#tag-restrictions)
+ [Tags and access management](#tag-resources-access-management)
+ [Tag your resources for billing](#tag-resources-for-billing)
+ [Tag resource permissions](supported-iam-actions-tagging.md)
+ [Add and remove tags](Using_Tags_Console.md)
+ [Filter resources by tag](filtering-the-list-by-tag.md)
+ [View tags using instance metadata](work-with-tags-in-IMDS.md)
## Tag basics
A tag is a label that you assign to an AWS resource. Each tag consists of a *key* and an optional *value*, both of which you define.
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. For example, you could define a set of tags for your account's Amazon EC2 instances that helps you track each instance's owner and stack level.
The following diagram illustrates how tagging works. In this example, you've assigned two tags to each of your instances—one tag with the key `Owner` and another with the key `Stack`. Each tag also has an associated value.
![\[Tag example\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/Tag_Example.png)
We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. For more information about how to implement an effective resource tagging strategy, see the [Tagging Best Practices AWS Whitepaper](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html).
Tags don't have any semantic meaning to Amazon EC2 and are interpreted strictly as a string of characters. Also, tags are not automatically assigned to your resources. You can edit tag keys and values, and you can remove tags from a resource at any time. You can set the value of a tag to an empty string, but you can't set the value of a tag to null. If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. If you delete a resource, any tags for the resource are also deleted.
**Note**
After you delete a resource, its tags might remain visible in the console, API, and CLI output for a short period. These tags will be gradually disassociated from the resource and be permanently deleted.
## Tag your resources
When you use the Amazon EC2 console, you can apply tags to resources by using the **Tags** tab on the relevant resource screen, or you can use the **Tags Editor** in the AWS Resource Groups console. Some resource screens enable you to specify tags for a resource when you create the resource; for example, a tag with a key of `Name` and a value that you specify. In most cases, the console applies the tags immediately after the resource is created (rather than during resource creation). The console might organize resources according to the `Name` tag, but this tag doesn't have any semantic meaning to the Amazon EC2 service.
If you're using the Amazon EC2 API, the AWS CLI, or an AWS SDK, you can use the `CreateTags` EC2 API action to apply tags to existing resources. Additionally, some resource-creating actions enable you to specify tags for a resource when the resource is created. If tags cannot be applied during resource creation, we roll back the resource creation process. This ensures that resources are either created with tags or not created at all, and that no resources are left untagged at any time. By tagging resources at the time of creation, you can eliminate the need to run custom tagging scripts after resource creation. For more information about enabling users to tag resources on creation, see [Grant permission to tag Amazon EC2 resources during creation](supported-iam-actions-tagging.md).
You can apply tag-based resource-level permissions in your IAM policies to the Amazon EC2 API actions that support tagging on creation to implement granular control over the users and groups that can tag resources on creation. Your resources are properly secured from creation—tags are applied immediately to your resources, therefore any tag-based resource-level permissions controlling the use of resources are immediately effective. Your resources can be tracked and reported on more accurately. You can enforce the use of tagging on new resources, and control which tag keys and values are set on your resources.
You can also apply resource-level permissions to the `CreateTags` and `DeleteTags` Amazon EC2 API actions in your IAM policies to control which tag keys and values are set on your existing resources. For more information, see [Example: Tag resources](ExamplePolicies_EC2.md#iam-example-taggingresources).
For more information about tagging your resources for billing, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.
## Tag restrictions
The following basic restrictions apply to tags:
+ Maximum number of tags per resource – 50
+ For each resource, each tag key must be unique, and each tag key can have only one value.
+ Maximum key length – 128 Unicode characters in UTF-8
+ Maximum value length – 256 Unicode characters in UTF-8
+ Allowed characters
+ Although EC2 allows for any character in its tags, other AWS services are more restrictive. The allowed characters across all AWS services are: letters (`a-z`, `A-Z`), numbers (`0-9`), and spaces representable in UTF-8, and the following characters: `+ - = . _ : / @`.
+ If you enable instance tags in instance metadata, instance tag *keys* can only use letters (`a-z`, `A-Z`), numbers (`0-9`), and the following characters: `+ - = . , _ : @`. Instance tag *keys* can't contain spaces or `/`, and can't comprise only `.` (one period), `..` (two periods), or `_index`. For more information, see [View tags for your EC2 instances using instance metadata](work-with-tags-in-IMDS.md).
+ Tag keys and values are case-sensitive.
+ The `aws:` prefix is reserved for AWS use. If a tag has a tag key with this prefix, then you can't edit or delete the tag's key or value. Tags with the `aws:` prefix do not count against your tags per resource limit.
You can't terminate, stop, or delete a resource based solely on its tags; you must specify the resource identifier. For example, to delete snapshots that you tagged with a tag key called `DeleteMe`, you must use the `DeleteSnapshots` action with the resource identifiers of the snapshots, such as `snap-1234567890abcdef0`.
When you tag public or shared resources, the tags you assign are available only to your AWS account; no other AWS account will have access to those tags. For tag-based access control to shared resources, each AWS account must assign its own set of tags to control access to the resource.
## Tags and access management
If you're using AWS Identity and Access Management (IAM), you can control which users in your AWS account have permission to create, edit, or delete tags. For more information, see [Grant permission to tag Amazon EC2 resources during creation](supported-iam-actions-tagging.md).
You can also use resource tags to implement attribute-based control (ABAC). You can create IAM policies that allow operations based on the tags for the resource. For more information, see [Control access using attribute-based access](iam-policies-for-amazon-ec2.md#control-access-with-tags).
## Tag your resources for billing
You can use tags to organize your AWS bill to reflect your own cost structure. To do this, sign up to get your AWS account bill with tag key values included. For more information about setting up a cost allocation report with tags, see [Monthly cost allocation report](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/configurecostallocreport.html) in the *AWS Billing User Guide*. To see the cost of your combined resources, you can organize your billing information based on resources that have the same tag key values. For example, you can tag several resources with a specific application name, and then organize your billing information to see the total cost of that application across several services. For more information, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.
**Note**
If you've just enabled reporting, data for the current month is available for viewing after 24 hours.
Cost allocation tags can indicate which resources are contributing to costs, but deleting or deactivating resources doesn't always reduce costs. For example, snapshot data that is referenced by another snapshot is preserved, even if the snapshot that contains the original data is deleted. For more information, see [Amazon Elastic Block Store volumes and snapshots](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/checklistforunwantedcharges.html#checkebsvolumes) in the *AWS Billing User Guide*.
**Note**
Elastic IP addresses that are tagged do not appear on your cost allocation report.
# Grant permission to tag Amazon EC2 resources during creation
Some resource-creating Amazon EC2 API actions enable you to specify tags when you create the resource. You can use resource tags to implement attribute-based control (ABAC). For more information, see [Tag your resources](Using_Tags.md#tag-resources) and [Control access using attribute-based access](iam-policies-for-amazon-ec2.md#control-access-with-tags).
To enable users to tag resources on creation, they must have permissions to use the action that creates the resource, such as `ec2:RunInstances` or `ec2:CreateVolume`. If tags are specified in the resource-creating action, Amazon performs additional authorization on the `ec2:CreateTags` action to verify if users have permissions to create tags. Therefore, users must also have explicit permissions to use the `ec2:CreateTags` action.
In the IAM policy definition for the `ec2:CreateTags` action, use the `Condition` element with the `ec2:CreateAction` condition key to give tagging permissions to the action that creates the resource.
The following example demonstrates a policy that allows users to launch instances and apply any tags to instances and volumes during launch. Users are not permitted to tag any existing resources (they cannot call the `ec2:CreateTags` action directly).
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:us-east-1:111122223333:*/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction" : "RunInstances"
}
}
}
]
}
```
Similarly, the following policy allows users to create volumes and apply any tags to the volumes during volume creation. Users are not permitted to tag any existing resources (they cannot call the `ec2:CreateTags` action directly).
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:us-east-1:111122223333:*/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction" : "CreateVolume"
}
}
}
]
}
```
The `ec2:CreateTags` action is only evaluated if tags are applied during the resource-creating action. Therefore, a user that has permissions to create a resource (assuming there are no tagging conditions) does not require permissions to use the `ec2:CreateTags` action if no tags are specified in the request. However, if the user attempts to create a resource with tags, the request fails if the user does not have permissions to use the `ec2:CreateTags` action.
The `ec2:CreateTags` action is also evaluated if tags are provided in a launch template. For an example policy, see [Tags in a launch template](ExamplePolicies_EC2.md#iam-example-tags-launch-template).
## Control access to specific tags
You can use additional conditions in the `Condition` element of your IAM policies to control the tag keys and values that can be applied to resources.
The following condition keys can be used with the examples in the preceding section:
+ `aws:RequestTag`: To indicate that a particular tag key or tag key and value must be present in a request. Other tags can also be specified in the request.
+ Use with the `StringEquals` condition operator to enforce a specific tag key and value combination, for example, to enforce the tag `cost-center`=`cc123`:
```
"StringEquals": { "aws:RequestTag/cost-center": "cc123" }
```
+ Use with the `StringLike` condition operator to enforce a specific tag key in the request; for example, to enforce the tag key `purpose`:
```
"StringLike": { "aws:RequestTag/purpose": "*" }
```
+ `aws:TagKeys`: To enforce the tag keys that are used in the request.
+ Use with the `ForAllValues` modifier to enforce specific tag keys if they are provided in the request (if tags are specified in the request, only specific tag keys are allowed; no other tags are allowed). For example, the tag keys `environment` or `cost-center` are allowed:
```
"ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] }
```
+ Use with the `ForAnyValue` modifier to enforce the presence of at least one of the specified tag keys in the request. For example, at least one of the tag keys `environment` or `webserver` must be present in the request:
```
"ForAnyValue:StringEquals": { "aws:TagKeys": ["environment","webserver"] }
```
These condition keys can be applied to resource-creating actions that support tagging, as well as the `ec2:CreateTags` and `ec2:DeleteTags` actions. To learn whether an Amazon EC2 API action supports tagging, see [Actions, resources, and condition keys for Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html).
To force users to specify tags when they create a resource, you must use the `aws:RequestTag` condition key or the `aws:TagKeys` condition key with the `ForAnyValue` modifier on the resource-creating action. The `ec2:CreateTags` action is not evaluated if a user does not specify tags for the resource-creating action.
For conditions, the condition key is not case-sensitive and the condition value is case-sensitive. Therefore, to enforce the case-sensitivity of a tag key, use the `aws:TagKeys` condition key, where the tag key is specified as a value in the condition.
For example IAM policies, see [Example policies to control access the Amazon EC2 API](ExamplePolicies_EC2.md). For more information, see [Conditions with multiple context keys or values](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.html) in the *IAM User Guide*.
# Add and remove tags for Amazon EC2 resources
When you create an Amazon EC2 resource, such as an Amazon EC2 instance, you can specify the tags to add to the resource. You can also use the Amazon EC2 console to display the tags for a specific Amazon EC2 resource. You can also add or remove tags from an existing Amazon EC2 resource.
You can use the **Tag Editor** in the AWS Resource Groups console to view, add, or remove tags across of all of your AWS resources across all Regions. You can apply or remove tags from multiple types of resources at the same time. For more information, see the [Tagging AWS Resources User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
**Topics**
+ [Add tags using the console](#adding-or-deleting-tags)
+ [Add tags using the AWS CLI](#create-tag-examples)
+ [Add tags using PowerShell](#powershell-add-tag-specifications)
+ [Add tags using CloudFormation](#cloudformation-add-tag-specifications)
## Add tags using the console
You can add tags to an existing resource directly from the page for a resource.
**To add tags to an existing resource**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. From the navigation bar, select the Region where the resource is located.
1. In the navigation pane, select a resource type (for example, **Instances**).
1. Select the resource from the list.
1. From the **Tags** tab, choose **Manage tags**.
1. Choose **Add new tag** and enter a key and a value for the tag.
1. Choose **Save**.
## Add tags using the AWS CLI
You can add tags when you create a resource or to an existing resource.
**To add a tag on resource creation**
Use the `-tag-specifications` option to tag a resource on creation. A tag specification requires the type of resource to be tagged, the tag key, and the tag value. The following example creates a tag and adds it to a tag specification.
```
--tag-specifications 'ResourceType=instance,Tags=[{Key=stack,Value=production}]'
```
**To add a tag to an existing resource**
The following examples demonstrate how to add tags to existing resources using the [create-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html) command.
**Example: Add a tag to a resource**
The following command adds the tag **Stack=production** to the specified image, or overwrites an existing tag for the AMI where the tag key is stack. If the command succeeds, no output is returned.
```
aws ec2 create-tags \
--resources ami-0abcdef1234567890 \
--tags Key=stack,Value=production
```
**Example: Add tags to multiple resources**
This example adds (or overwrites) two tags for an AMI and an instance. One of the tags contains just a key (webserver), with no value (we set the value to an empty string). The other tag consists of a key (stack) and value (**Production**). If the command succeeds, no output is returned.
```
aws ec2 create-tags \
--resources ami-0abcdef1234567890 i-1234567890abcdef0 \
--tags Key=webserver,Value= Key=stack,Value=Production
```
**Example: Add tags with special characters**
This example adds the tag [Group]=test to an instance. The square brackets ([ and ]) are special characters, which must be escaped.
If you are using Linux or OS X, to escape the special characters, enclose the element with the special character with double quotes ("), and then enclose the entire key and value structure with single quotes (').
```
aws ec2 create-tags \
--resources i-1234567890abcdef0 \
--tags 'Key="[Group]",Value=test'
```
If you are using Windows, to escape the special characters, enclose the element that has special characters with double quotes ("), and then precede each double quote character with a backslash (**\$1**) as follows:
```
aws ec2 create-tags ^
--resources i-1234567890abcdef0 ^
--tags Key=\"[Group]\",Value=test
```
If you are using Windows PowerShell, to escape the special characters, enclose the value that has special characters with double quotes (**"**), precede each double quote character with a backslash (**\$1**), and then enclose the entire key and value structure with single quotes (**'**) as follows:
```
aws ec2 create-tags `
--resources i-1234567890abcdef0 `
--tags 'Key=\"[Group]\",Value=test'
```
## Add tags using PowerShell
You can add tags when you create a resource or to an existing resource.
**To add a tag on resource creation**
Use the `-TagSpecification` parameter to tag a resource on creation. A tag specification requires the type of resource to be tagged, the tag key, and the tag value. The following example creates a tag and adds it to a tag specification.
```
$tag = @{Key="stack"; Value="production"}
$tagspec = new-object Amazon.EC2.Model.TagSpecification
$tagspec.ResourceType = "instance"
$tagspec.Tags.Add($tag)
```
The following example specifies this tag in the `-TagSpecification` parameter.
```
-TagSpecification $tagspec
```
**To add a tag to an existing resource**
Use the [New-EC2Tag](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2Tag.html) cmdlet. You must specify the resource, the tag key, and the tag value.
```
New-EC2Tag `
-Resource i-1234567890abcdef0 `
-Tag @{Key="purpose"; Value="production"}
```
## Add tags using CloudFormation
With Amazon EC2 resource types, you specify tags using either a `Tags` or `TagSpecifications` property.
The following examples add the tag **Stack=Production** to [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html) using its `Tags` property.
**Example: Tags in YAML**
```
Tags:
- Key: "Stack"
Value: "Production"
```
**Example: Tags in JSON**
```
"Tags": [
{
"Key": "Stack",
"Value": "Production"
}
]
```
The following examples add the tag **Stack=Production** to [AWS::EC2::LaunchTemplate LaunchTemplateData](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html) using its `TagSpecifications` property.
**Example: TagSpecifications in YAML**
```
TagSpecifications:
- ResourceType: "instance"
Tags:
- Key: "Stack"
Value: "Production"
```
**Example: TagSpecifications in JSON**
```
"TagSpecifications": [
{
"ResourceType": "instance",
"Tags": [
{
"Key": "Stack",
"Value": "Production"
}
]
}
]
```
# Filter Amazon EC2 resources by tag
After you add tags, you can filter your Amazon EC2 resources based tag keys and tag values.
------
#### [ Console ]
**To filter resources by tag**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, select a resource type (for example, **Instances**).
1. Choose the search field.
1. In the list, under **Tags**, choose the tag key.
1. Choose the corresponding tag value from the list.
1. When you are finished, remove the filter.
For more information about using filters in the Amazon EC2 console, see [Find your Amazon EC2 resources](Using_Filtering.md).
------
#### [ AWS CLI ]
**To describe resources of a single type with the specified tag key**
Add the following filter to a `describe` command to describe the resources of that type with a Stack tag, regardless of the value of the tag.
```
--filters Name=tag-key,Values=Stack
```
**To describe resources of a single type with the specified tag**
Add the following filter to a `describe` command to describe the resources of that type with the tag Stack=production.
```
--filters Name=tag:Stack,Values=production
```
**To describe resources of a single type with the specified tag value**
Add the following filter to a `describe` command to describe the resources of that type with a tag with the value production, regardless of the tag key.
```
--filters Name=tag-value,Values=production
```
**To describe all EC2 resources with the specified tag**
Add the following filter to the [describe-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-tags.html) command to describe all EC2 resources with the tag Stack=test.
```
--filters Name=key,Values=Stack Name=value,Values=test
```
------
#### [ PowerShell ]
**To filter resources of a single type by tag key**
Add the following filter to a `Get` cmdlet to describe the resources of that type with a Stack tag, regardless of the value of the tag.
```
-Filter @{Name="tag-key"; Values="Stack"}
```
**To filter resources of a single type by tag**
Add the following filter to a `Get` cmdlet to describe the resources of that type with the tag Stack=production.
```
-Filter @{Name="tag:Stack"; Values="production"}
```
**To filter resources of a single type by tag value**
Add the following filter to a `Get` cmdlet to describe the resources of that type with a tag with the value production, regardless of the value of the tag key.
```
-Filter @{Name="tag-value"; Values="production"}
```
**To filter all EC2 resources by tag**
Add the following filter to the [Get-EC2Tag](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2Tag.html) cmdlet to describe all EC2 resources with the tag Stack=test.
```
-Filter @{Name="tag:Stack"; Values="test"}
```
------
# View tags for your EC2 instances using instance metadata
You can access an instance's tags from the instance metadata. By accessing tags from the instance metadata, you no longer need to use the `DescribeInstances` or `DescribeTags` API calls to retrieve tag information, which reduces your API transactions per second, and lets your tag retrievals scale with the number of instances that you control. Furthermore, local processes that are running on an instance can view the instance's tag information directly from the instance metadata.
By default, tags are not available from the instance metadata; you must explicitly allow access. You can allow access at instance launch, or after launch on a running or stopped instance. You can also allow access to tags by specifying this in a launch template. Instances that are launched by using the template allow access to tags in the instance metadata.
If you add or remove an instance tag, the instance metadata is updated while the instance is running, without needing to stop and then start the instance.
**Topics**
+ [Enable access to tags in instance metadata](#allow-access-to-tags-in-IMDS)
+ [Retrieve tags from instance metadata](#retrieve-tags-from-IMDS)
+ [Disable access to tags in instance metadata](#turn-off-access-to-tags-in-IMDS)
## Enable access to tags in instance metadata
By default, there is no access to instance tags in the instance metadata. For each instance, you must explicitly enable access.
**Note**
If you allow access to tags in instance metadata, instance tag *keys* are subject to specific restrictions. Non-compliance will result in failed launches for new instances or an error for existing instances. The restrictions are:
Can only include letters (`a-z`, `A-Z`), numbers (`0-9`), and the following characters: `+ - = . , _ : @`.
Can't contain spaces or `/`.
Can't consist only of `.` (one period), `..` (two periods), or `_index`.
For more information, see [Tag restrictions](Using_Tags.md#tag-restrictions).
------
#### [ Console ]
**To enable access to tags in instance metadata during instance launch**
1. Follow the procedure to [launch an instance](ec2-launch-instance-wizard.md).
1. Expand **Advanced details**, and for **Allow tags in metadata**, choose **Enable**.
1. In the **Summary panel**, review your instance configuration, and then choose **Launch instance**. For more information, see [Launch an EC2 instance using the launch instance wizard in the console](ec2-launch-instance-wizard.md).
**To enable access to tags in instance metadata after instance launch**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Instances**.
1. Select your instance, and then choose** Actions**, **Instance settings**, **Allow tags in instance metadata**.
1. To allow access to tags in instance metadata, select the **Allow** checkbox.
1. Choose **Save**.
------
#### [ AWS CLI ]
**To enable access to tags in instance metadata during instance launch**
Use the [run-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html) command and add the following `--metadata-options` option.
```
--metadata-options "InstanceMetadataTags=enabled"
```
**To enable access to tags in instance metadata after instance launch**
Use the following [modify-instance-metadata-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html) command.
```
aws ec2 modify-instance-metadata-options \
--instance-id i-1234567890abcdef0 \
--instance-metadata-tags enabled
```
**To verify that access to tags in instance metadata is enabled**
Use the [describe-instances](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html) command and check the value of `InstanceMetadataTags`.
```
aws ec2 describe-instances \
--instance-ids i-1234567890abcdef0 \
--query "Reservations[*].Instances[].MetadataOptions[].InstanceMetadataTags"
```
The following is example output. The value is either `enabled` or `disabled`.
```
[
"enabled"
]
```
------
#### [ PowerShell ]
**To enable access to tags in instance metadata during instance launch**
Use the [New-EC2Instance](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2Instance.html) cmdlet and add the following `-MetadataOptions_InstanceMetadataTags` parameter.
```
-MetadataOptions_InstanceMetadataTags enabled
```
**To enable access to tags in instance metadata after instance launch**
Use the [Edit-EC2InstanceMetadataOption](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceMetadataOption.html) cmdlet.
```
Edit-EC2InstanceMetadataOption `
-InstanceId i-1234567890abcdef0 `
-InstanceMetadataTags enabled
```
**To verify that access to tags in instance metadata is enabled**
Use the [Get-EC2Instance](https://docs.aws.amazon.com/cli/latest/reference/ec2/Get-EC2Instance.html) cmdlet and check the value of `InstanceMetadataTags`.
```
(Get-EC2Instance `
-InstanceId i-1234567890abcdef0).Instances.MetadataOptions.InstanceMetadataTags.Value
```
The following is example output. The value is either `enabled` or `disabled`.
```
enabled
```
------
## Retrieve tags from instance metadata
After you allow access to instance tags in the instance metadata, you can access the `tags/instance` category from the instance metadata. For more information, see [Access instance metadata for an EC2 instance](instancedata-data-retrieval.md).
------
#### [ IMDSv2 ]
**Linux**
Run the following command from your Linux instance to list all the tag keys for the instance.
```
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance
```
This example gets the value of a key obtained in the previous example. The IMDSv2 request uses the stored token that was created using the command in the previous example. The token must not be expired.
```
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/tag-key
```
**Windows**
Run the following cmdlet from your Windows instance to list all the tag keys for the instance.
```
$token = Invoke-RestMethod `
-Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} `
-Method PUT -Uri http://169.254.169.254/latest/api/token
```
```
Invoke-RestMethod `
-Headers @{"X-aws-ec2-metadata-token" = $token} `
-Method GET -Uri http://169.254.169.254/latest/meta-data/tags/instance
```
This example gets the value of a key obtained in the previous example. The IMDSv2 request uses the stored token that was created using the command in the previous example. The token must not be expired.
```
Invoke-RestMethod `
-Headers @{"X-aws-ec2-metadata-token" = $token} `
-Method GET -Uri http://169.254.169.254/latest/meta-data/tags/instance/tag-key
```
------
#### [ IMDSv1 ]
**Linux**
Run the following command from your Linux instance to list all the tag keys for the instance.
```
curl http://169.254.169.254/latest/meta-data/tags/instance
```
This example gets the value of a key obtained in the previous example.
```
curl http://169.254.169.254/latest/meta-data/tags/instance/tag-key
```
**Windows**
Run the following cmdlet from your Windows instance to list all the tag keys for the instance.
```
Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/tags/instance
```
This example gets the value of a key obtained in the previous example.
```
Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/tags/instance/tag-key
```
------
## Disable access to tags in instance metadata
You can disable access to instance tags in the instance metadata. You don't need to disable access to instance tags on instance metadata at launch because it's turned off by default.
------
#### [ Console ]
**To disable access to tags in instance metadata**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Instances**.
1. Select an instance, and then choose** Actions**, **Instance settings**, **Allow tags in instance metadata**.
1. To turn off access to tags in instance metadata, clear the **Allow** checkbox.
1. Choose **Save**.
------
#### [ AWS CLI ]
**To disable access to tags in instance metadata**
Use the following [modify-instance-metadata-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html) command.
```
aws ec2 modify-instance-metadata-options \
--instance-id i-1234567890abcdef0 \
--instance-metadata-tags disabled
```
------
#### [ PowerShell ]
**To disable access to tags in instance metadata**
Use the [Edit-EC2InstanceMetadataOption](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceMetadataOption.html) cmdlet.
```
Edit-EC2InstanceMetadataOption `
-InstanceId i-1234567890abcdef0 `
-InstanceMetadataTag disabled
```
------