Auto-remediation for missing tags in AWS using Cloud Custodian — Part 1

Automate the missing-tag remediation task using Cloud Custodian.

Cloud Custodian provides several ways of solving the missing-tag problem for both existing and newly created AWS resources. Among them, the auto-tag-user action is very powerful: it automatically tags resources that are missing an owner tag with the identity of the caller who created them. This saves the analyst the time otherwise spent identifying every resource that violates the mandatory-tag requirement and, more importantly, identifying the individual who stood it up so that corrective action can be taken. The auto-tag-user action is supported for both AWS and Azure; however, this story covers AWS only.

We will discuss the benefits and drawbacks of using the auto-tag-user action in a policy deployed through the console and through a continuous integration (CI/CD) pipeline. The auto-tag-user policy can only be applied to newly created AWS resources. When you deploy the auto-tag-user policy, it creates a CloudWatch Events rule (matching the AWS API call via CloudTrail) and a Lambda function. A CloudWatch log group is created as soon as the event rule triggers via CloudTrail. The role assumed by Cloud Custodian to call the various APIs must have appropriate read-write permissions on the resources.
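As an added example (not part of the original story), the policy below shows what the text describes: a Cloud Custodian policy in `cloudtrail` mode that fires on the `RunInstances` API call, checks whether the new EC2 instance lacks an `Owner` tag, and uses the `auto-tag-user` action to stamp the creator's identity onto it. The policy name, the tag names `Owner` and `OwnerId`, and the role ARN are assumptions; replace the account ID placeholder with your own. Deploying this policy is what creates the CloudWatch Events rule, the Lambda function and, on first trigger, the log group mentioned above.

```yaml
# Added example policy (not from the original story).
# Requires the Cloud Custodian CLI; deploy with: custodian run -s out auto-tag-owner.yml
policies:
  - name: ec2-auto-tag-owner            # assumed policy name
    resource: aws.ec2
    description: |
      Tag newly launched EC2 instances that are missing an Owner tag
      with the identity of the principal that called RunInstances.
    mode:
      type: cloudtrail                   # event-driven: CloudWatch Events rule + Lambda
      # Role assumed by the Lambda; needs ec2:DescribeInstances and ec2:CreateTags
      # on the instances it will tag (placeholder account ID).
      role: arn:aws:iam::<ACCOUNT_ID>:role/custodian-auto-tagger
      events:
        - RunInstances                   # Custodian shortcut for ec2.amazonaws.com RunInstances
    filters:
      - "tag:Owner": absent              # only act on instances with no Owner tag
    actions:
      - type: auto-tag-user
        tag: Owner                       # receives the caller's user name / role session name
        principal_id_tag: OwnerId        # optional: also record the principal ID
```

Run `custodian validate auto-tag-owner.yml` before deploying to catch schema errors, and confirm the assumed role's policy grants the read permission the resource type needs plus `ec2:CreateTags`; without both, the Lambda will be invoked but the tag write will fail and only the CloudWatch log group will show it.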

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Written by Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.
