Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Define and enforce a mandatory tagging strategy across all Landing Zone accounts to enable accurate cost attribution, financial accountability, asset ownership tracking, and environment-aware governance. Tags are enforced at resource creation via SCPs and monitored for drift via AWS Config.
A well-defined tagging strategy is the foundation of cloud financial management and operational governance. This control defines the mandatory tag key set, acceptable values, and enforcement mechanisms for all taggable AWS resources across the Landing Zone. The mandatory tag schema covers four governance dimensions:
Financial Attribution
CostCenter- Maps the resource to an internal cost center code (e.g., CC-1042). Used for chargeback and showback reporting in Cost Explorer.Project- Associates the resource with a specific project or product initiative (e.g., proj-payments-api). Enables per-project spend visibility.BudgetCode- Links the resource to an approved budget line item for finance reconciliation (e.g., FY26-INFRA-003).
Ownership & Accountability
Owner- Email address or team alias of the resource owner responsible for cost and operational decisions (e.g., platform-team@company.com).SupportTeam- Email address or team alias of the support team responsible for handling incidents and requests (e.g., support-team@company.com).ManagedBy- Indicates whether the resource is managed by Terraform, CDK, manual provisioning, or another IaC tool (e.g., terraform, cdk, manual). Supports drift detection and audit workflows.
Environment & Classification
Environment- Deployment tier with a controlled value set:production,staging,development,sandbox. Used by SCPs to apply differentiated guardrails per tier.AssetSeverity- Business criticality classification of the resource:critical,high,medium,low. Critical and high assets trigger stricter backup, monitoring, and change management policies. This tag is the primary signal for automated runbook routing and incident prioritization.DataClassification- Sensitivity level of data processed or stored:confidential,internal,public. Feeds DSPM tooling and S3 bucket policy enforcement.
Lifecycle Management
ExpiryDate- ISO 8601 date (YYYY-MM-DD) after which the resource is eligible for automated decommission review (e.g., 2026-12-31). Mandatory for sandbox and development environments.
SCPs enforce the presence of mandatory tags (CostCenter, Owner, Environment,
AssetSeverity) at resource creation for covered services. AWS Config rules provide
continuous drift detection for resources that were created before the SCP was applied
or where tags were subsequently removed.
Without a consistent tagging strategy, cost attribution becomes opaque, ownership is ambiguous, and automated governance policies lose their targeting signal. Tags are the connective tissue between financial reporting, security posture, and operational runbooks. Establishing the schema and enforcing it at creation time is significantly cheaper than retroactively tagging an estate of thousands of resources.
Remediation Strategy
Define the mandatory tag schema, activate cost allocation tags in the Billing console, deploy SCPs to enforce tag presence at resource creation, and configure AWS Config rules to detect and alert on tag drift across existing resources.
Finalize and document the mandatory tag schema (keys, permitted values, and owning team) in the organization's internal governance wiki.
Activate all mandatory tag keys as Cost Allocation Tags in the Billing & Cost Management console under the Management account.
Deploy the SCP at the Organization root or relevant OU to deny resource creation for covered services when mandatory tags are absent.
Deploy the AWS Config required-tags managed rule to detect existing resources missing mandatory tags.
Configure Cost Explorer tag-grouped reports for CostCenter and Project to validate attribution coverage after activation.
Establish a remediation workflow (ticket or automated Lambda) triggered by Config non-compliance findings for untagged resources.
Communicate the tag schema and enforcement date to all account teams with a minimum 30-day lead time before SCP activation.
# SCP: Deny resource creation if mandatory tags are absent
# Attach to the root OU or individual workload OUs.
# Covers the most commonly untagged high-cost services.
# Extend the condition block to add further services as needed.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreateWithoutMandatoryTags",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"ec2:CreateVolume",
"rds:CreateDBInstance",
"s3:CreateBucket",
"lambda:CreateFunction",
"eks:CreateCluster",
"ecs:CreateService",
"dynamodb:CreateTable",
"elasticache:CreateCacheCluster"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true",
"aws:RequestTag/Owner": "true",
"aws:RequestTag/Environment": "true",
"aws:RequestTag/AssetSeverity": "true"
}
}
},
{
"Sid": "DenyInvalidEnvironmentValues",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"rds:CreateDBInstance",
"eks:CreateCluster"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:RequestTag/Environment": [
"production",
"staging",
"development",
"sandbox"
]
}
}
},
{
"Sid": "DenyInvalidAssetSeverityValues",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"rds:CreateDBInstance",
"eks:CreateCluster"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:RequestTag/AssetSeverity": [
"critical",
"high",
"medium",
"low"
]
}
}
}
]
}Enforcement Logic
Two detection layers run in parallel. The SCP prevents net-new non-compliant resources at creation time. AWS Config evaluates existing resources continuously against the required-tags rule and marks them NON_COMPLIANT when mandatory tags are absent or contain invalid values. Cost Explorer unblended cost reports grouped by CostCenter and Owner surface untagged spend as a secondary financial signal.
# List Config non-compliant resources for the required-tags rule
aws configservice get-compliance-details-by-config-rule \
--config-rule-name lz-required-tags-mandatory \
--compliance-types NON_COMPLIANT \
--query 'EvaluationResults[].{
Resource: EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId,
Type: EvaluationResultIdentifier.EvaluationResultQualifier.ResourceType
}'
# Identify untagged spend in Cost Explorer (last 30 days)
aws ce get-cost-and-usage \
--time-period Start=$(date -d '-30 days' +%Y-%m-%d),End=$(date +%Y-%m-%d) \
--granularity MONTHLY \
--metrics UnblendedCost \
--group-by Type=TAG,Key=CostCenter \
--query 'ResultsByTime[].Groups[?Keys[0]==`CostCenter$`]'