
Metadata

Id: e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10

Cloud Provider: aws

Framework: Terraform

Severity: Info

Category: Best Practices

Learn More

Description

AWS resource tagging is an essential best practice that supports resource management, cost tracking, automation, and security enforcement. If only the default Name tag is applied and no additional metadata tags (such as Environment, Owner, or Project) are defined, resources become difficult to identify, audit, and manage at scale, which increases the risk of misconfiguration or unintended resource exposure. The check applies to resources that accept a tags argument; a resource type with no tags argument, such as aws_acm_certificate_validation in the compliant example below, is not flagged. A compliant configuration declares a tags block that carries descriptive tags beyond Name, for example:

tags = {
  Name        = "example-cert"
  Environment = "production"
  Owner       = "devops-team"
}
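To see what this check actually has to decide, here is a small scanner that applies the same rule to raw Terraform text. It is an added example of my own, not Datadog's or KICS's implementation of the check: it hand-parses a subset of HCL (top-level resource blocks and a tags attribute directly inside them) and reports resources whose tags block is missing, empty, or contains only Name. The NON_TAGGABLE list and the sample HCL are constructed for the example; heredocs, merge(), locals and provider default_tags are not modelled, so a resource tagged only through provider default_tags would still be reported by this scanner.

```python
"""Flag Terraform resources whose tags block is missing, empty, or carries only Name.

Added example (not Datadog's or KICS's own code). Parses a small HCL subset:
`resource "type" "name" { ... }` blocks and a `tags = { key = "value" ... }`
attribute directly inside them. Comment stripping does not honour quotes.
"""
import re
from dataclasses import dataclass

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
TAGS_RE = re.compile(r'^\s*tags\s*=\s*\{')
KEY_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=')

# Resource types with no `tags` argument. Assumption: partial list, extend it
# for your own code base; only the first one appears on this page.
NON_TAGGABLE = frozenset({"aws_acm_certificate_validation", "aws_route53_record"})


@dataclass
class Finding:
    resource_type: str
    resource_name: str
    line: int  # 1-based line of the resource header
    reason: str


def _strip_comments(line: str) -> str:
    """Drop `#` and `//` line comments so braces inside them are not counted."""
    return re.split(r'#|//', line, maxsplit=1)[0]


def _tag_keys(body_lines):
    """Keys of the resource's top-level `tags` block, or None when there is none.

    Depth is tracked relative to the resource body, so a `tags` attribute
    nested in a sub-block such as `lifecycle` is ignored.
    """
    depth, keys, in_tags = 0, None, False
    for raw in body_lines:
        line = _strip_comments(raw)
        if in_tags:
            if line.strip().startswith('}'):
                in_tags = False
            elif (m := KEY_RE.match(line)):
                keys.add(m.group(1))
            continue
        m = TAGS_RE.match(line) if depth == 0 else None
        if m:
            keys = set()
            rest = line[m.end():]
            if '}' in rest:  # single-line form: tags = { Name = "x", Env = "y" }
                for part in rest.split('}', 1)[0].split(','):
                    if (k := KEY_RE.match(part)):
                        keys.add(k.group(1))
            else:
                in_tags = True
            continue
        depth += line.count('{') - line.count('}')
    return keys


def scan(hcl_text: str):
    """Return a Finding for every taggable resource lacking tags beyond Name."""
    lines = hcl_text.splitlines()
    findings, i = [], 0
    while i < len(lines):
        m = RESOURCE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        rtype, rname, start = m.group(1), m.group(2), i
        depth, j = 0, i
        while j < len(lines):  # advance j to the resource's closing brace
            cleaned = _strip_comments(lines[j])
            depth += cleaned.count('{') - cleaned.count('}')
            if depth == 0:
                break
            j += 1
        if rtype not in NON_TAGGABLE:
            keys = _tag_keys(lines[start + 1:j])
            if keys is None:
                findings.append(Finding(rtype, rname, start + 1, "no tags block"))
            elif not keys:
                findings.append(Finding(rtype, rname, start + 1, "tags block is empty"))
            elif not keys - {"Name"}:
                findings.append(Finding(rtype, rname, start + 1, "only the Name tag is set"))
        i = j + 1
    return findings


# Constructed sample input: one compliant resource, the two non-compliant
# shapes from this page, and a resource type that has no tags argument.
SAMPLE_HCL = '''
resource "aws_acm_certificate" "cert_ok" {
  domain_name       = "example.com"
  validation_method = "DNS"
  tags = {
    Name        = "example-cert"
    Environment = "production"
    Owner       = "devops-team"
  }
  lifecycle {
    create_before_destroy = true
  }
}
resource "aws_acm_certificate" "cert_untagged" {
  domain_name       = "example.com"
  validation_method = "DNS"
}
resource "aws_acm_certificate" "cert_name_only" {
  domain_name       = "example.com"
  validation_method = "DNS"
  tags = { Name = "test" }  # single-line form
}
resource "aws_acm_certificate_validation" "example" {
  certificate_arn = aws_acm_certificate.cert_ok.arn
}
'''


def sample_findings():
    """(type, name, reason) tuples for SAMPLE_HCL."""
    return [(f.resource_type, f.resource_name, f.reason) for f in scan(SAMPLE_HCL)]


if __name__ == "__main__":
    for f in scan(SAMPLE_HCL):
        print(f"line {f.line}: {f.resource_type}.{f.resource_name}: {f.reason}")
```

Running it reports cert_untagged (no tags block) and cert_name_only (only Name), while cert_ok and the validation resource pass. The point worth keeping from the example is the exclusion list: a check like this is only meaningful for resource types that accept tags, so maintain that list alongside the rule rather than treating every untagged resource as a finding.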

Compliant Code Examples

resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  # Compliant: at least one tag other than Name is defined.
  tags = {
    Environment = "test"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# aws_acm_certificate_validation has no tags argument, so it is not subject to
# this check. It references the certificate above by its resource name ("cert");
# the aws_route53_record.example validation records are assumed to be defined
# elsewhere in the configuration.
resource "aws_acm_certificate_validation" "example" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for record in aws_route53_record.example : record.fqdn]
}

Non-Compliant Code Examples

# Non-compliant: no tags block at all.
resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Non-compliant: a tags block exists, but it carries only the default Name tag.
resource "aws_acm_certificate" "cert_2" {
  domain_name       = "example.com"
  validation_method = "DNS"

  tags = {
    Name = "test"
  }

  lifecycle {
    create_before_destroy = true
  }
}