Check Tag Compliance

Overview

The Check Tag Compliance Action compares resources against a set of Tag Groups to determine whether or not they conform, and then notifies you of the result.

This is a useful alerting feature for ensuring resources comply with your organization's tagging policies: it identifies the resources that do not comply so you can take corrective action. It is a valuable tool for internal auditing and can be used to support security, governance and cost management.

How it works

AWS: For AWS, the Action calls a number of read-only Describe* and List* endpoints of the AWS API - see the Customize screen for the Check Tag Compliance Action for the full list of IAM permissions required.

Azure: For Azure, the default template permissions provide access to the API functions used to list and describe resources and their tags.

GorillaStack regularly aggregates the resources in your environment. The results are stored and used as the input to the Check Tag Compliance Action. Because the check runs over this stored snapshot rather than live API calls, a resource created or re-tagged after the most recent aggregation is not reflected until the next aggregation.

In the Action configuration, you first select one or more resource types to run the check against. You then select one or more Tag Groups to compare against each resource’s tags, along with a reporting mode that specifies whether a resource should be reported when it matches, or when it does not match, the tag group combination.

When the Action runs, it tests the aggregated tag information about your resources for compliance and reports according to the conditions. You can have it notify you via Slack or email when resources are reported (matching/not matching).

Getting Started

You can use the Action by setting up a rule. We recommend setting up a rule with a Schedule Trigger to run the Action on a regular basis (e.g. once a day).

You'll need to have set up one or more Tag Groups to check resources against. On the Conditions tab they are used to test whether each resource’s tags comply or do not comply with the matching pattern in the tag group.

(See the user guide on Tag Groups for more details.)

Action Configuration

There are three tabs used to configure the Action:

  • Resource Types - select the set of resource types you wish to report against
  • Conditions - select the Tag Groups and the reporting mode (matching/not matching)
  • Notifications - select the rules for sending a notification with the results of the check

Resource Types

On this tab, you can select to check all resource types, or just certain resource types to report on.

Conditions

Check Report Type

This sets the reporting mode. You can select to report Resources matching the selected tag groups, or, inversely, Resources not matching the selected tag groups.

Tag Groups

This is the set of tag groups to test against. You can combine multiple tag groups with an AND relationship (all tag groups must match/not match) or an OR relationship (one or more of the tag groups must match/not match). The relationship applies to the per-tag-group test chosen by the Check Report Type, so with Resources not matching, AND reports resources that fail every selected tag group, while OR reports resources that fail at least one of them; choose OR if you want to catch any resource missing any required tag group.
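The following is an added worked example, not GorillaStack's own code, that models how the Conditions tab combines the Check Report Type with the AND/OR relationship between tag groups. It assumes a Tag Group is a named set of required tag keys, each with an optional value pattern (a regular expression the value must fully match); the resource IDs, tag values and tag group names are constructed sample data, and the function names are illustrative.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of aggregated resource tags, keyed by a hypothetical resource ID.
# Tag keys are compared case-sensitively, as AWS and Azure store them.
SAMPLE_RESOURCES: Dict[str, Dict[str, str]] = {
    "i-0aaa": {"Owner": "alice@example.com", "Environment": "prod", "CostCentre": "1234"},
    "i-0bbb": {"Owner": "bob@example.com", "Environment": "staging"},
    "vol-0ccc": {"Environment": "production", "CostCentre": "12"},
    "sg-0ddd": {},
}


class TagGroup:
    """Assumed model of a Tag Group: a name and, per required tag key, an optional
    value pattern. None means the key only has to be present; otherwise the value
    must fully match the regular expression."""

    def __init__(self, name: str, patterns: Dict[str, Optional[str]]):
        self.name = name
        self.patterns = patterns

    def matches(self, tags: Dict[str, str]) -> bool:
        for key, pattern in self.patterns.items():
            value = tags.get(key)
            if value is None:
                return False  # required key absent
            if pattern is not None and re.fullmatch(pattern, value) is None:
                return False  # key present but value outside the allowed pattern
        return True


# Constructed sample tag groups (names and patterns are assumptions, not GorillaStack defaults).
SAMPLE_TAG_GROUPS = [
    TagGroup("Ownership", {"Owner": r"[^@\s]+@example\.com"}),
    TagGroup("Environment", {"Environment": r"prod|staging|dev"}),
    TagGroup("CostCentre", {"CostCentre": r"\d{4}"}),
]


def resource_reported(tags: Dict[str, str], groups: List[TagGroup],
                      report_type: str, combinator: str) -> bool:
    """Apply the Conditions tab to one resource.

    report_type: "matching" or "not_matching" (the Check Report Type).
    combinator:  "AND" (all tag groups must match / not match) or
                 "OR"  (one or more tag groups must match / not match).
    The combinator joins the per-group test, so "not_matching" + "AND" reports only
    resources that fail every tag group, while "not_matching" + "OR" reports any
    resource that fails at least one tag group.
    """
    if not groups:
        raise ValueError("select at least one Tag Group")
    per_group = [g.matches(tags) for g in groups]
    if report_type == "not_matching":
        per_group = [not m for m in per_group]
    elif report_type != "matching":
        raise ValueError(f"unknown report type: {report_type!r}")
    if combinator == "AND":
        return all(per_group)
    if combinator == "OR":
        return any(per_group)
    raise ValueError(f"unknown combinator: {combinator!r}")


def check_tag_compliance(resources: Dict[str, Dict[str, str]], groups: List[TagGroup],
                         report_type: str = "not_matching", combinator: str = "OR") -> List[str]:
    """Return the IDs of the resources the check would report, in inventory order."""
    return [rid for rid, tags in resources.items()
            if resource_reported(tags, groups, report_type, combinator)]


if __name__ == "__main__":
    for report_type in ("matching", "not_matching"):
        for combinator in ("AND", "OR"):
            hits = check_tag_compliance(SAMPLE_RESOURCES, SAMPLE_TAG_GROUPS, report_type, combinator)
            print(f"{report_type:>12} / {combinator}: {hits}")
```

Running the block prints all four combinations over the sample inventory: "matching / AND" reports only the fully tagged instance, "not_matching / OR" reports every resource missing or mis-valuing at least one tag, and "not_matching / AND" reports only the resources that fail all three tag groups, which is the combination to avoid if the goal is to catch every non-compliant resource.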

Notifications

When

This selects when to send the notification. For example, you may wish to send it only when resources match the conditions on the Conditions tab, or to always send it. The full results of the Action execution are available in the Event Log.

Destination

This is where to send the report (Slack and/or email). If you don't select a destination, the action will still run but no notification will be sent (the same as selecting Never for the When type).

Tag Compliance Report

The compliance report is delivered as a summary via Slack and/or email (when they are configured as Notification destinations). For the full detail, refer to the Event Log and expand the View Raw Data section.