For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-team-tag-not-present.md. A documentation index is available at /llms.txt.

Metadata

Id: terraform-aws-team-tag-not-present

Provider: AWS

Platform: Terraform

Severity: Low

Category: Best Practices

Description

This check ensures that every cloud resource defined in Terraform carries a "Team" tag in its tags attribute. The tag key is accepted in either case, so a lowercase "team" key also satisfies the check. The tag records which team owns the resource; without it (for example, tags = { Environment = "Production" }), it becomes difficult to determine who is accountable for a resource, which complicates cost allocation, incident response, and lifecycle management. Resources with no identifiable owner tend to stay running unreviewed and unpatched after they are no longer needed, which enlarges the attack surface and adds unnecessary expense.
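The following script is an added example of how a team could enforce the same rule in CI, outside Datadog; it is not Datadog's implementation of the check. It walks the JSON produced by terraform show -json <planfile>, so it evaluates tags after variable interpolation, and it flags every managed resource (data sources are skipped) whose tags lack a key equal to "team" in any letter case. The sample plan embedded in the script is constructed for this example and mirrors the compliant and non-compliant resources on this page, plus a resource inside a child module. Reading tags_all before tags is this script's own choice, so that AWS provider default_tags are taken into account; the page does not state how the Datadog rule treats default_tags.

```python
"""Flag Terraform-managed resources whose tags lack a "Team" key.

Input is the JSON from `terraform show -json <planfile>`; the checker walks
planned_values so that tags resolved from variables and locals are visible.
"""
import json
import sys
from typing import Any, Iterator

REQUIRED_TAG = "team"  # compared case-insensitively, so "Team" and "team" both pass

# Constructed sample plan (trimmed to the fields this checker reads).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_instance.good_example", "mode": "managed",
                 "type": "aws_instance", "name": "good_example",
                 "values": {"tags": {"Team": "DevOps", "Environment": "Production"}}},
                {"address": "aws_s3_bucket.good_example_lowercase", "mode": "managed",
                 "type": "aws_s3_bucket", "name": "good_example_lowercase",
                 "values": {"tags": {"team": "Security"}}},
                {"address": "aws_instance.bad_example", "mode": "managed",
                 "type": "aws_instance", "name": "bad_example",
                 "values": {"tags": {"Environment": "Production"}}},
                {"address": "aws_s3_bucket.bad_example", "mode": "managed",
                 "type": "aws_s3_bucket", "name": "bad_example",
                 "values": {"tags": None}},
                # Data sources are read-only lookups, not owned infrastructure.
                {"address": "data.aws_ami.ubuntu", "mode": "data",
                 "type": "aws_ami", "name": "ubuntu",
                 "values": {"tags": {"Name": "ubuntu"}}},
            ],
            "child_modules": [
                {"address": "module.logging",
                 "resources": [
                     {"address": "module.logging.aws_s3_bucket.logs", "mode": "managed",
                      "type": "aws_s3_bucket", "name": "logs",
                      "values": {"bucket": "logs"}},  # no tags attribute at all
                 ]},
            ],
        }
    },
})


def iter_managed_resources(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield managed (non-data-source) resources from a module and all nested modules."""
    for res in module.get("resources", []):
        if res.get("mode") == "managed":
            yield res
    for child in module.get("child_modules", []):
        yield from iter_managed_resources(child)


def has_team_tag(values: dict[str, Any]) -> bool:
    """True if the resource's effective tags contain a Team key (any letter case).

    tags_all (AWS provider) already merges provider default_tags; fall back to
    tags when tags_all is absent, e.g. for non-AWS providers.
    """
    tags = values.get("tags_all") or values.get("tags") or {}
    return any(key.lower() == REQUIRED_TAG for key in tags)


def find_untagged(plan_json: str) -> list[str]:
    """Return the addresses of managed resources that lack a Team tag."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return [res["address"] for res in iter_managed_resources(root)
            if not has_team_tag(res.get("values") or {})]


if __name__ == "__main__":
    # Usage: terraform show -json plan.out | python check_team_tag.py
    # With no piped input, the constructed sample plan is checked instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    offenders = find_untagged(source)
    for address in offenders:
        print(f"{address}: missing Team tag")
    sys.exit(1 if offenders else 0)
```

One caveat for CI use: values that are only known after apply are omitted from planned_values, so a resource whose tags are computed at apply time will show up as untagged here. In that situation, run the check again against terraform show -json of the applied state.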

Compliant Code Examples

resource "aws_instance" "good_example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"

  tags = {
    Team        = "DevOps" # ✅ "Team" tag is present
    Environment = "Production"
  }
}

resource "aws_s3_bucket" "good_example" {
  bucket = "my-bucket"

  tags = {
    Team = "Security" # ✅ "Team" tag is present
  }
}

resource "aws_s3_bucket" "good_example_lowercase" {
  bucket = "my-bucket"

  tags = {
    team = "Security" # ✅ "team" tag is present; the key is matched case-insensitively
  }
}

Non-Compliant Code Examples

resource "aws_instance" "bad_example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"

  tags = {
    Environment = "Production" # ❌ Missing "Team" tag
  }
}

resource "aws_s3_bucket" "bad_example" {
  bucket = "my-bucket"

  # ❌ No tags at all
}