The Tag Editor in AWS's web console allows me to search for "All resource types" where a specific tag is not present. For example, I can list everything that is missing the tag "environment".
I'd like to run this as a periodic check, to enforce that no new untagged resources have been created. Some Boto code (running as a Lambda cron job) seems like a good fit. However, the Boto docs only show me how to look at a specific resource type (e.g. EC2 instances).
Is there any API for asking about tags in general? Or do I need to enumerate every resource type?
Select perticular region or All regions from Regions drop down. Select specific resource or All supported resource types from Resource types drop down. Tags – Optional: You can specify key, value details to search for specific tags. Since we are searching for resources that are not tagged lets keep it blank.
Sign in to the AWS Management Console , choose Resource Groups, and then choose Tag Editor. (optional) Choose regions in which to search for resources to tag. By default, your current region is selected.
For tag-based access control to shared resources, each AWS account must assign its own set of tags to control access to the resource. You can't tag all resources.
Services like sns,sqs - do not have tagging option.
Just posting here if someone looks for the same question in the future.
AWS Resource Group offers features like this. You can access Resource Group in AWS console through https://console.aws.amazon.com/resource-groups/home.
I didn't find how to use --tag-filters
with unTagged value in CLI so used jq
to filter out results.
Here is a sample command to get all resources without Environment Tag.
aws resourcegroupstaggingapi get-resources --tags-per-page 100 | jq '.ResourceTagMappingList[] | select(contains({Tags: [{Key: "environment"} ]}) | not)'
Get Resource through resourcegroupstaggingapi
reference - https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html
For more information about Resource Group API, Please visit https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html
You can use AWS Resource Groups from the console, per this write-up, to find resources that have an empty value for a tag. To find resources that have a tag key but no tag value, choose (not tagged).
If you are looking for automated alerting, consider using AWS Config Rules and take a look at this related blog as well. In particular, there is a rule template called "required_tags" that checks for the presence of up to 5 tags. You can run more instances of the rule as needed, or modify the code. Find links that that and other rule templates here.
I also found a nice blog that helps answer the question by using filtering when invoking service APIs via the CLI.
I also found that using AWS Config worked pretty well too. Once AWS Config is setup for a particular AWS Region, you can submit an advanced query to find missing tags, like this one for a missing tag on EC2 resources:
SELECT
resourceId,
resourceType,
configuration.instanceType,
configuration.placement.tenancy,
configuration.imageId,
tags,
availabilityZone
WHERE
resourceType = 'AWS::EC2::Instance'
AND tags.key NOT LIKE 'owner'
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With