1. AWS Organizations — Tag Policies

Enforces a standard tagging format across all accounts in your Organization.

Without Tag Policies: one team writes env: prod, another writes Env: Production — inconsistent, breaks cost tracking.

With Tag Policies: AWS validates every tag against the policy before it is saved. Non-compliant tag = tagging operation blocked.

What it does:

Note: Tag Policies only enforce on new tagging operations (creating or changing a tag) — existing tags on existing resources are left untouched.

Example

{
  "tags": {
    "costcenter": {
      "tag_key": { "@@assign": "CostCenter" },
      "tag_value": { "@@assign": ["100", "200"] },
      "enforced_for": { "@@assign": ["secretsmanager:*"] }
    }
  }
}

Reading this: Tag key must be exactly CostCenter, value must be 100 or 200, enforced on all Secrets Manager resources. Any other value → blocked.
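To make the reading above concrete, here is an added example (not AWS code) that evaluates one tag against the policy document from this section the way the documented rules describe: exact key casing, value in the allowed list, and blocking only for resource types matched by enforced_for (otherwise the tag is just reported as non-compliant). The resource type strings such as secretsmanager:secret are assumed inputs.

```python
"""Offline mimic of Tag Policy compliance rules (added example, not the AWS evaluator)."""
import fnmatch
import json

# The tag policy from the section above, embedded verbatim.
TAG_POLICY = json.loads("""
{
  "tags": {
    "costcenter": {
      "tag_key": { "@@assign": "CostCenter" },
      "tag_value": { "@@assign": ["100", "200"] },
      "enforced_for": { "@@assign": ["secretsmanager:*"] }
    }
  }
}
""")


def check_tag(policy, resource_type, key, value):
    """Return 'compliant', 'blocked' or 'reported' for one tag on one resource type.

    resource_type is an assumed 'service:resource' string, e.g. 'secretsmanager:secret'.
    """
    for rule in policy["tags"].values():
        expected_key = rule["tag_key"]["@@assign"]
        # The rule is looked up case-insensitively, but compliance requires
        # the exact casing written in the policy (CostCenter, not costcenter).
        if key.lower() != expected_key.lower():
            continue
        allowed_values = rule.get("tag_value", {}).get("@@assign", [])
        # No tag_value in the rule means any value is acceptable.
        compliant = key == expected_key and (not allowed_values or value in allowed_values)
        if compliant:
            return "compliant"
        enforced = rule.get("enforced_for", {}).get("@@assign", [])
        if any(fnmatch.fnmatchcase(resource_type, pattern) for pattern in enforced):
            return "blocked"    # resource type is enforced: the tagging call is rejected
        return "reported"       # policy applies but is not enforced: flagged, not blocked
    return "compliant"          # key is not governed by this policy at all


if __name__ == "__main__":
    print(check_tag(TAG_POLICY, "secretsmanager:secret", "CostCenter", "100"))  # compliant
    print(check_tag(TAG_POLICY, "secretsmanager:secret", "costcenter", "100"))  # blocked
    print(check_tag(TAG_POLICY, "ec2:instance", "CostCenter", "300"))           # reported
```

The third call shows why enforced_for matters: the same bad value on an EC2 instance is only reported, because the policy enforces Secrets Manager resources alone.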

2. IAM Advanced Conditions

Extra conditions you add to IAM policies for more precise access control.

aws:SourceIp — Restrict by caller's IP address

Allow or deny based on where the request is coming FROM.

{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "NotIpAddress": {
      "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
    }
  }
}