AWS Resource Tagging Standard

This section provides information about the AWS Resource Tagging Standard.

What is the AWS Resource Tagging Standard?

Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource or after creation. Examples of resources include an Amazon CloudFront distribution, an Amazon Elastic Compute Cloud (Amazon EC2) instance, or a secret in AWS Secrets Manager.

Tags can help you manage, identify, organize, search for, and filter resources.

Each tag has two parts:

You can use tags to categorize resources by purpose, owner, environment, or other criteria.

For instructions on adding tags to AWS resources, see How to add tags to your AWS resource in the AWS Security Hub User Guide.

The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you quickly identify if any of your AWS resources are missing tag keys. You can customize the requiredTagKeys parameter to specify specific tag keys that the controls check for. If specific tags aren't provided, the controls just check for the existence of at least one tag key.

When you enable the AWS Resource Tagging Standard, you'll begin receiving findings in the AWS Security Finding Format (ASFF).

This standard has the following Amazon Resource Name (ARN): arn:aws:securityhub:region::standards/aws-resource-tagging-standard/v/1.0.0.

You can also use the GetEnabledStandards operation of the Security Hub API to find out the ARN of an enabled standard.

Controls in the AWS Resource Tagging Standard

The AWS Resource Tagging Standard includes the following controls. Select a control to view a detailed description of it.