Reputation: 24473
The Tag Editor in AWS's web console allows me to search for "All resource types" where a specific tag is not present. For example, I can list everything that is missing the tag "environment".
I'd like to run this as a periodic check, to enforce that no new untagged resources have been created. Some Boto code (running as a Lambda cron job) seems like a good fit. However, the Boto docs only show me how to look at a specific resource type (e.g. EC2 instances).
Is there any API for asking about tags in general? Or do I need to enumerate every resource type?
Upvotes: 20
Views: 27703
Reputation: 83
The answer is accepted, but the AWS Resource Explorer could help as well (see https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search-query-syntax.html):
aws resource-explorer-2 search --query-string="tag:none region:eu-west-1" >untagged_resources.json
The query above looks for entries that have no tag defined in the region eu-west-1. You can also query for resources that are missing a specific tag:
aws resource-explorer-2 search --query-string="-tag.key:aws* region:eu-west-1" >untagged_resources.json
The - in the tag.key:aws* parameter signifies NOT, meaning that we want results that do not contain any tag that begins with aws in the key.
This solution overcomes the restriction of the AWS Resource Group CLI command, which was mentioned above by @Anoop Philip.
In addition, it seems that the service does not cost anything: https://aws.amazon.com/resourceexplorer/pricing/
Upvotes: 7
Reputation: 1157
You can use AWS Resource Groups from the console, per this write-up, to find resources that have an empty value for a tag. To find resources that have a tag key but no tag value, choose (not tagged).
If you are looking for automated alerting, consider using AWS Config Rules and take a look at this related blog as well. In particular, there is a rule template called "required_tags" that checks for the presence of up to 5 tags. You can run more instances of the rule as needed, or modify the code. Find links to that and other rule templates here.
I also found a nice blog that helps answer the question by using filtering when invoking service APIs via the CLI.
I also found that using AWS Config worked pretty well too. Once AWS Config is set up for a particular AWS Region, you can submit an advanced query to find missing tags, like this one for a missing tag on EC2 resources:
SELECT
    resourceId,
    resourceType,
    configuration.instanceType,
    configuration.placement.tenancy,
    configuration.imageId,
    tags,
    availabilityZone
WHERE
    resourceType = 'AWS::EC2::Instance'
    AND tags.key NOT LIKE 'owner'
Upvotes: 13
Reputation: 1081
Just posting here if someone looks for the same question in the future.
AWS Resource Group offers features like this. You can access Resource Group in AWS console through https://console.aws.amazon.com/resource-groups/home.
I didn't find how to use --tag-filters with an unTagged value in the CLI, so I used jq to filter out results.
Here is a sample command to get all resources without Environment Tag.
aws resourcegroupstaggingapi get-resources --tags-per-page 100 | jq '.ResourceTagMappingList[] | select(contains({Tags: [{Key: "environment"} ]}) | not)'
Get Resource through resourcegroupstaggingapi
reference - https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html
For more information about the Resource Group API, please visit https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html
Upvotes: 26
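The GetResources check from the answer above, written in Python for the Boto/Lambda job the question asks about; this is an added example, not code from any of the answers. It matches the tag key exactly and can treat a blank value as missing; the function names, the `allow_empty` option and the sample pages are assumptions made for illustration.

```python
from collections import defaultdict

def missing_tag(pages, key="environment", allow_empty=False):
    """Group ARNs lacking tag `key` by service, from GetResources pages."""
    report = defaultdict(list)
    for page in pages:
        for item in page.get("ResourceTagMappingList", []):
            tags = {t["Key"]: t.get("Value", "") for t in item.get("Tags", [])}
            # Exact, case-sensitive key match: "environment-old" does not count.
            # Unless allow_empty is set, a present-but-blank value is a miss too.
            if key in tags and (allow_empty or tags[key].strip()):
                continue
            arn = item["ResourceARN"]
            # ARN layout: arn:partition:service:region:account:resource
            report[arn.split(":")[2]].append(arn)
    return dict(report)

def live_pages(region):
    """Yield GetResources pages for one region (needs boto3 and credentials)."""
    # The API is regional and returns only resources that are, or once were,
    # tagged; never-tagged resources need AWS Config or Resource Explorer.
    import boto3  # lazy import so the sample run below works offline
    client = boto3.client("resourcegroupstaggingapi", region_name=region)
    yield from client.get_paginator("get_resources").paginate()

# Constructed sample pages in the GetResources response shape (not real ARNs).
SAMPLE_PAGES = [
    {"ResourceTagMappingList": [
        {"ResourceARN": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0aaa",
         "Tags": [{"Key": "environment", "Value": "prod"}]},
        {"ResourceARN": "arn:aws:ec2:eu-west-1:111122223333:volume/vol-0bbb",
         "Tags": [{"Key": "environment-old", "Value": "dev"}]},
    ]},
    {"ResourceTagMappingList": [
        {"ResourceARN": "arn:aws:s3:::example-bucket",
         "Tags": [{"Key": "environment", "Value": ""}]},
        {"ResourceARN": "arn:aws:sqs:eu-west-1:111122223333:jobs", "Tags": []},
    ]},
]

if __name__ == "__main__":
    for service, arns in sorted(missing_tag(SAMPLE_PAGES).items()):
        print(service, *arns, sep="\n  ")
```

In a Lambda handler, call `missing_tag(live_pages(region))` once per region in use and alert when the result is non-empty.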
Reputation: 52375
There is no API for tags in general. You have to do it for every service type. It is not that difficult. I have a Lambda that gets executed (through S3 PutObject / CloudTrail) which checks for the newly created instances and tags them if needed. It is very easy to extend it to other types of AWS services since CloudTrail monitors most of the AWS services. But if you are looking to find all untagged resources, then you have to write a Boto script and query for tags for each service type.
Upvotes: 4