Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Adding tags to Security Hub resources

PDF
RSS
Focus mode
Adding tags to Security Hub resources - AWS Security Hub

A tag is a label that you can define and assign to AWS resources, including certain types of AWS Security Hub resources. By using tags, you can identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. For example, you can use tags to: apply policies, allocate costs, distinguish between versions of resources, or identify resources that support certain compliance requirements or workflows.

You can add tags to the following types of Security Hub resources:

  • Automation rules

  • Configuration policies

  • Hub resource

A resource can have as many as 50 tags. Each tag consists of a required tag key and an optional tag value. A tag key is a general label that acts as a category for a more specific tag value. A tag value acts as a descriptor for a tag key. For more information about tagging options and requirements, see Tagging fundamentals.

To add tags to a Security Hub resource, you can use the Security Hub console or the Security Hub API. However, the console doesn't support adding tags to the Hub resource.

After adding tags, you can edit the tag and change the tag key or tag value.

To add or edit tags for multiple Security Hub resources at the same time, use the tagging operations of the AWS Resource Groups Tagging API.

Important

Adding tags to a resource can affect access to the resource. Before you add a tag to a resource, review any AWS Identity and Access Management (IAM) policies that might use tags to control access to resources.

Console

To add tags to a Security Hub resource (console)

When you create an automation rule or a configuration policy, the Security Hub console provides options for adding tags to it. You can provide the tag key and tag value in the Tags section.

Security Hub API

To add tags to a Security Hub resource (API)

To create a resource and add one or more tags to it programmatically, use the appropriate operation for the type of resource that you want to create:

In your request, use the tags parameter to specify the tag key and optional tag value for each tag to add to the resource. The tags parameter specifies an array of objects. Each object specifies a tag key and its associated tag value.

To add one or more tags to an existing resource, use the TagResource operation of the Security Hub API or, if you're using the AWS CLI, run the tag-resource command. In your request, specify the Amazon Resource Name (ARN) of the resource that you want to add a tag to. Use the tags parameter to specify the tag key (key) and optional tag value (value) for each tag to add. The tags parameter specifies an array of objects, one object for each tag key and its associated tag value.

For example, the following AWS CLI command adds an Environment tag key with a Prod tag value to the specified configuration policy. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

Example CLI command:

$ aws securityhub tag-resource \
--resource-arn arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
--tags '{"Environment":"Prod"}'

Where:

  • resource-arn specifies the ARN of the configuration policy to add a tag to.

  • Environment is the tag key of the tag to add to the rule.

  • Prod is the tag value for the specified tag key (Environment).

In the following example, the command adds several tags to the configuration policy.

$ aws securityhub tag-resource \
--resource-arn arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
--tags '{"Environment":"Prod", "CostCenter":"12345", "Owner":"jane-doe"}'

For each object in a tags array, both the key and value arguments are required. However, the value for the value argument can be an empty string. If you don’t want to associate a tag value with a tag key, don't specify a value for the value argument. For example, the following command adds an Owner tag key with no associated tag value:

$ aws securityhub tag-resource \
--resource-arn arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
--tags '{"Owner":""}'

If a tagging operation succeeds, Security Hub returns an empty HTTP 200 response. Otherwise, Security Hub returns an HTTP 4xx or 500 response that indicates why the operation failed.

anchoranchor

To add tags to a Security Hub resource (console)

When you create an automation rule or a configuration policy, the Security Hub console provides options for adding tags to it. You can provide the tag key and tag value in the Tags section.

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.