AWS Public Sector Blog

Tagging governance using AWS Organizations in the public sector


When Department of the Air Force (DAF) software factories scale their cloud operations across mission-critical environments, consistent resource tagging becomes crucial for security, compliance, and operational effectiveness. For Kessel Run, a unit that delivers capabilities within the DAF Battle Network, staying compliant without slowing rapid deployment is essential to getting those capabilities to warfighters.

Traditional approaches using reactive cleanup scripts and post-creation enforcement often lead to compliance gaps and significant operational overhead, potentially impacting mission readiness. Kessel Run needed a solution that could enforce tagging standards at resource creation while supporting their complex deployment patterns.

Objectives

Organizations using Amazon Web Services (AWS) at scale need consistent resource tagging for cost allocation, security compliance, and operational management. Reactive tagging enforcement through scheduled jobs and resource termination scripts, rather than native AWS event-driven controls, creates unnecessary operational complexity.

Kessel Run faced several key challenges related to mission-critical resource management:

  • Managing Amazon Elastic Compute Cloud (Amazon EC2) instances across disparate AWS accounts
  • Maintaining compliance with DAF security requirements
  • Eliminating operational overhead from managing AWS Lambda functions used for policy enforcement

Working within those requirements, the team built a preventative control with AWS Organizations: a set of service control policies (SCPs) designed with a small amount of formal logic.

The solution needed to:

  • Enforce tagging at resource creation time
  • Scale across multiple accounts

By building on AWS Organizations SCPs, they produced a solution that meets these requirements and leaves room for further use cases, including:

  • Ensuring consistent backup policies for mission-critical resources
    • Maintaining different backup policies based on mission criticality
  • Supporting flexible deployment patterns across security boundaries
    • Including AWS Hybrid Edge deployments

The following illustration demonstrates the tagging governance framework designed by the Kessel Run team. It shows how business requirements directly map to specific required tags, which are then enforced through SCPs at resource creation time. This preventative approach ensures consistent tagging across multiple accounts while supporting specialized use cases.

Figure 1. Tagging governance framework showing how business requirements translate to required tags and enforcement through SCP policy, with AWS Backup plans integration.

The power of De Morgan’s laws in SCP design

The core challenge was expressing compound logical conditions inside SCPs while meeting strict security requirements. The natural business rule, “allow resource creation if valid tags are present OR the resource matches an exception pattern”, cannot be enforced with the Allow statements normally written in SCPs: an SCP never grants permissions, it only filters what identity policies already grant, so an Allow in an SCP cannot make a non-compliant request fail. The only way an SCP can stop a request is an explicit Deny, which means the rule has to be restated as “deny unless” and its condition negated.

Here’s where De Morgan’s laws come into play. Instead of expressing the positive condition, the Kessel Run team inverted the logic. De Morgan’s laws state that the negation of “A and B” is “not A or not B”, and the negation of “A or B” is “not A and not B”; a rule that allows a request only when every required-tag condition holds therefore becomes a rule that denies the request when any one of those conditions fails.

Original business logic

Allow the Amazon EC2 instance when the OutpostIdentifier tag is present, the DeploymentType tag has an approved value, the BackupCompliance tag has a valid value, and the BusinessUnit tag matches the infrastructure prefix.

Transformed using De Morgan’s laws

Deny the Amazon EC2 instance when the OutpostIdentifier tag is missing, or the DeploymentType tag is not an approved value, or the BackupCompliance tag is not a valid value, or the BusinessUnit tag does not match the infrastructure prefix.

This transformation allows organizations to implement compound logical conditions while working within SCP constraints. Applied to the required tags, this is how the policy behaves in practice:

This policy denies Amazon EC2 instance creation if any of the following holds:

  • The OutpostIdentifier tag is missing
  • The DeploymentType tag is not set to “edge”, “core”, or “hybrid”
  • The BackupCompliance tag is not set to “mission-critical” or “business-critical”
  • The BusinessUnit tag doesn’t start with “infra-“

Because condition keys inside a single policy statement are combined with AND, each of these checks belongs in its own Deny statement. A single statement carrying all four conditions would deny only an instance that violated all four at once, which is not what the test scenarios later in this post expect. Note also that the string condition operators are case-sensitive, so “INFRA-PROD” does not satisfy the “infra-” prefix.

In simpler terms, all Amazon EC2 instances must:

  • Have an OutpostIdentifier tag
  • Be tagged with an approved deployment type
  • Have a valid backup compliance level
  • Belong to an infrastructure business unit

Sample solution

The following illustration shows the technical implementation of the tagging governance solution. The architecture diagram shows how SCPs enforce tag requirements across both cloud and edge environments. A compliance test Lambda function exercises the control by attempting Amazon EC2 launches with compliant and non-compliant tags in both a standard VPC and an AWS Outposts environment, confirming that the SCP blocks instances lacking the required tags before they are created. The diagram also shows how backup policies are applied based on tag values, creating an end-to-end governance framework that works consistently across deployment models.

Figure 2. Technical architecture diagram showing SCP enforcement flow and sample Lambda function used to demo the enforcement of the SCP.

To demonstrate this tagging governance solution in practice, a sample implementation package is available that can be deployed in any AWS environment. This allows organizations to experience the tag enforcement mechanism firsthand and validate its effectiveness for their specific use cases.

Implementation steps:

  • Deploy the sample solution using provided templates
  • Create Lambda test events (shown in Figure 3)
  • Test resource creation with compliant and non-compliant tags
  • Observe enforcement behaviors

Figure 3. Creating a test event in the Lambda console.

The following table provides an overview of test scenarios:

Scenario type | Test case | Tag configuration | Expected result
Compliant resource creation | Full compliance | DeploymentType: ‘edge’; BackupCompliance: ‘mission-critical’; OutpostIdentifier: ‘outpost-east-1’; BusinessUnit: ‘infra-prod’ | Resource creation successful
Non-compliant scenarios | Missing tags | BackupCompliance: ‘mission-critical’; OutpostIdentifier: ‘outpost-east-1’ (DeploymentType and BusinessUnit missing) | Resource creation denied
Non-compliant scenarios | Invalid values | DeploymentType: ‘invalid’; BackupCompliance: ‘not-critical’; OutpostIdentifier: ‘outpost-east-1’; BusinessUnit: ‘infra-prod’ | Resource creation denied
Special pattern testing | Invalid prefix | All standard tags present; BusinessUnit: ‘not-infra-prod’ | Resource creation denied
Special pattern testing | Case sensitivity | All standard tags present; BusinessUnit: ‘INFRA-PROD’ | Resource creation denied
Comprehensive testing | Multiple violations | Mixed invalid values; missing required tags; incorrect patterns | Resource creation denied
Comprehensive testing | Boundary conditions | Empty values; minimum pattern matching with BusinessUnit: ‘infra-‘ | Resource creation denied
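The scenario table can be checked without an AWS account. What follows is an added example, not the post’s sample package or the Kessel Run policy document, which the post does not show: a constructed SCP with one Deny statement per required tag, a minimal evaluator for the IAM condition operators it uses (Null, StringEquals/StringNotEquals, StringLike/StringNotLike), and the table’s rows as constructed inputs. The statement Sids, the instance ARN pattern, the account number, and the BusinessUnit pattern "infra-?*" are all assumptions made for the example.

```python
"""Check the post's tag-enforcement rules against its own test scenarios.

Added example, not the authors' policy or sample package: a constructed SCP with one
Deny statement per required tag and a minimal evaluator for the condition operators
it uses. Statement Sids, the ARN pattern and the BusinessUnit pattern are assumptions.
"""
import re

INSTANCE_ARN = "arn:aws:ec2:*:*:instance/*"

# One Deny per rule: condition keys inside one statement are ANDed, and the post's
# table expects any single violation to deny. "infra-?*" rather than "infra-*" is an
# assumption made so the bare prefix "infra-" is rejected, as the post's boundary test
# expects; in IAM patterns "*" also matches the empty string.
TAG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RequireOutpostIdentifier", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
         "Condition": {"Null": {"aws:RequestTag/OutpostIdentifier": "true"}}},
        {"Sid": "RequireApprovedDeploymentType", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
         "Condition": {"StringNotEquals": {
             "aws:RequestTag/DeploymentType": ["edge", "core", "hybrid"]}}},
        {"Sid": "RequireBackupCompliance", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
         "Condition": {"StringNotEquals": {
             "aws:RequestTag/BackupCompliance": ["mission-critical", "business-critical"]}}},
        {"Sid": "RequireInfraBusinessUnit", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
         "Condition": {"StringNotLike": {"aws:RequestTag/BusinessUnit": "infra-?*"}}},
    ],
}

COMPLIANT = {"DeploymentType": "edge", "BackupCompliance": "mission-critical",
             "OutpostIdentifier": "outpost-east-1", "BusinessUnit": "infra-prod"}

# Rows of the post's scenario table as constructed inputs: (test case, tags, expected).
SCENARIOS = [
    ("Full compliance", COMPLIANT, "allowed"),
    ("Missing tags", {"BackupCompliance": "mission-critical",
                      "OutpostIdentifier": "outpost-east-1"}, "denied"),
    ("Invalid values", {**COMPLIANT, "DeploymentType": "invalid",
                        "BackupCompliance": "not-critical"}, "denied"),
    ("Invalid prefix", {**COMPLIANT, "BusinessUnit": "not-infra-prod"}, "denied"),
    ("Case sensitivity", {**COMPLIANT, "BusinessUnit": "INFRA-PROD"}, "denied"),
    ("Multiple violations", {"DeploymentType": "Edge", "BusinessUnit": "prod"}, "denied"),
    ("Empty value", {**COMPLIANT, "BusinessUnit": ""}, "denied"),
    ("Bare prefix", {**COMPLIANT, "BusinessUnit": "infra-"}, "denied"),
]


def _glob(pattern):
    """IAM wildcard matching: '*' is any run of characters (even none), '?' is one."""
    return re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                              for c in pattern))


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_met(operator, key, values, request):
    """Simplified IAM semantics for the operators used above. Negated operators are
    true when the key is absent from the request, which is what makes StringNotEquals
    deny a missing tag without a separate Null check."""
    present, actual, wanted = key in request, request.get(key), _as_list(values)
    if operator == "Null":
        return present != (wanted[0] == "true")
    if operator in ("StringEquals", "StringNotEquals"):
        hit = present and actual in wanted
    elif operator in ("StringLike", "StringNotLike"):
        hit = present and any(_glob(p).fullmatch(actual) for p in wanted)
    else:
        raise ValueError(f"operator not modelled: {operator}")
    return not hit if operator.startswith("StringNot") else bool(hit)


def evaluate(policy, action, resource, request_tags):
    """Return ('denied', [matching Sids]) if any Deny statement applies, else ('allowed', [])."""
    request = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    denied_by = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_glob(a).fullmatch(action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r).fullmatch(resource) for r in _as_list(stmt["Resource"])):
            continue
        # Every operator/key pair in the Condition block must hold (AND); values are ORed.
        if all(_condition_met(op, key, vals, request)
               for op, block in stmt.get("Condition", {}).items()
               for key, vals in block.items()):
            denied_by.append(stmt["Sid"])
    return ("denied", denied_by) if denied_by else ("allowed", [])


def run_scenarios(policy=TAG_SCP):
    """Evaluate every scenario; returns [(test case, decision, expected, Sids)]."""
    resource = "arn:aws:ec2:us-east-1:123456789012:instance/*"  # constructed request ARN
    results = []
    for name, tags, expected in SCENARIOS:
        decision, sids = evaluate(policy, "ec2:RunInstances", resource, tags)
        results.append((name, decision, expected, sids))
    return results


if __name__ == "__main__":
    for name, decision, expected, sids in run_scenarios():
        mark = "ok " if decision == expected else "BAD"
        print(f"{mark} {name:<20} {decision:<8} {', '.join(sids)}")
```

Three points the evaluator makes visible. StringNotEquals and StringNotLike evaluate to true when the tag is absent from the request, so a missing DeploymentType is denied without a separate Null check; the Null operator is only needed for OutpostIdentifier, where any value is acceptable. The "?" in "infra-?*" matters: IAM's "*" matches the empty string, so "infra-*" alone would accept the bare prefix "infra-" that the boundary test expects to be denied. And the policy is scoped to ec2:RunInstances on instance resources, so it says nothing about what happens to the tags afterwards; a deny on ec2:DeleteTags for these keys is the usual companion, and SCPs in any case do not apply to the management account or to service-linked roles.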

Figure 4 shows an Amazon EC2 launch attempt with compliant tags.

Figure 4. Successful Amazon EC2 launch with required tags.

Figure 5 shows an Amazon EC2 launch denial due to missing tags.

Figure 5. Resource creation blocked due to missing required tags.

Conclusion

SCPs are a significant step forward for AWS resource tagging governance. By enforcing tags at creation time, organizations ensure compliance from the start rather than relying on after-the-fact corrections. This preventative approach removes reactive cleanup scripts and enforcement Lambda functions, reducing both operational overhead and API costs. Two limits apply: SCPs do not affect the management account or service-linked roles, and a policy scoped to ec2:RunInstances governs only creation, so required tags should also be protected from later removal, for example by denying ec2:DeleteTags on those keys.

The solution scales seamlessly across multiple AWS accounts while maintaining consistent enforcement. Through De Morgan’s laws, organizations can implement complex logical conditions within SCP constraints. The provided sample implementation lets teams validate this approach in a controlled environment before production deployment.

For organizations like Kessel Run, this tagging governance solution delivers both immediate operational benefits and strategic advantages in security and compliance. The framework provides a solid foundation that can evolve with changing cloud governance needs.

Brandon Sneider

Brandon is a seasoned technical lead at Raft and Kessel Run, based in Boston, MA, where he spearheads high-performing teams in delivering enterprise-grade solutions. Holding a Master of Science in Cybersecurity from Northeastern University, Brandon is deeply passionate about architecting secure and efficient systems that drive operational excellence. With extensive experience in cloud infrastructure, DevOps, and cybersecurity, he has a proven track record of enhancing productivity and security postures across organizations. Brandon is also an accomplished speaker and author, sharing insights on AWS security and governance best practices. His expertise spans AWS Commercial and GovCloud offerings, with certifications including AWS Certified Solutions Architect and Security+.

Aneesh Venuturumilli

Aneesh is a senior platform engineer for Dark Wolf Solutions, working at Kessel Run in Boston, MA. He is passionate about building secure, scalable, and reliable cloud platforms, with a focus on automation, compliance, and infrastructure optimization. Over five years, Aneesh has built expertise with technologies such as AWS, Terraform, Docker, and Python to deliver efficient, high-impact solutions that strengthen security posture.

David Thrash

David is a senior technical account manager at AWS who bridges technical expertise with strategic customer advocacy. He orchestrates complex solution architectures while serving as the crucial link between AWS capabilities and client business objectives. David's analytical mindset and natural curiosity drive him to explore beyond surface-level challenges. His approach combines infrastructure automation with edge computing expertise, enabling organizations across industries to discover innovative paths in their cloud adoption journeys.

Doug Miller

Douglas (Doug) is a technical product manager passionate about empowering engineering teams to realize their full potential within the Department of the Air Force's Battle Network (C3BM) in Boston, MA. He excels at fostering collaboration, clear communication, and transparency, ensuring projects advance smoothly while balancing stakeholder needs and technical excellence. With over a decade of experience in IT and software development, Doug is a dedicated advocate for Agile methodologies and practices applied to the creation of cloud-based solutions.

Luis Gatillon

Luis Gatillon is the cloud technical lead on the Kessel Run infrastructure team, based in Washington, DC. He has over 17 years of experience spanning software development, cloud architecture, data engineering, and cybersecurity in the FinTech and defense sectors, and has designed and implemented software, cloud solutions, and data analytics platforms for enterprise companies and the Department of Defense.