AWS Tag (IAM)
The AWS Tag service enables you to manage tags on AWS resources for cost allocation, access control, and resource organization.
Common permissions
- tag:GetResources
- tag:GetTagKeys
- tag:GetTagValues
- tag:TagResources
- tag:UntagResources
- tag:GetComplianceSummary
- tag:ListRequiredTags
- tag:DescribeReportCreation
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "tag:TagResources",
        "tag:UntagResources",
        "tag:GetComplianceSummary",
        "tag:ListRequiredTags",
        "tag:DescribeReportCreation"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid granting tag:TagResources and tag:UntagResources on all resources: they can modify tags on critical resources, affecting cost tracking and access policies
- Avoid tag:*, which grants full control over tagging and can be used to bypass resource-based policies or cost allocation
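The two warnings above expressed as a check, as an added example that is not part of the original page: a small Python linter (its function and constant names are assumptions made for this example) that reports tag:* and the tag write actions when they are allowed on Resource "*". Run over the page's own policy, it reports statement 0 for tag:TagResources and tag:UntagResources on all resources.

```python
import json
from fnmatch import fnmatchcase

# The two write actions the warnings single out.
TAG_WRITE_ACTIONS = ("tag:TagResources", "tag:UntagResources")

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_tag_policy(policy_json):
    """Return (statement_index, message) findings for an IAM policy document.

    Only Allow statements with an Action element are examined; NotAction and
    Condition blocks are not evaluated.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(p in ("*", "tag:*") for p in patterns):
            findings.append((idx, "tag:* allowed: full control over tagging"))
            continue
        hit = sorted({w for w in TAG_WRITE_ACTIONS
                      for p in patterns if fnmatchcase(w.lower(), p)})
        if hit and "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, ", ".join(hit) + " allowed on all resources"))
    return findings

def _policy(actions):
    """Build a one-statement Allow policy on Resource "*" (constructed input)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": "*"}]})

# The page's own policy, then a constructed read-only variant.
PAGE_POLICY = _policy(["tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues",
                       "tag:TagResources", "tag:UntagResources",
                       "tag:GetComplianceSummary", "tag:ListRequiredTags",
                       "tag:DescribeReportCreation"])
READ_ONLY_POLICY = _policy(["tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues"])

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("read-only", READ_ONLY_POLICY)):
        print(name, lint_tag_policy(doc))
```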
Resources
API
full doc /v1/iam/tag