lacework-global-691

3.2 Use default tags on resources (Automated)

Description

Using default tags is a way to ensure that every resource that supports tags is tagged at creation. Tag values can be static or computed. Best practice is to set up default tags soon after the root compartment is created so that all resources created afterwards are tagged. Tag defaults belong to compartments, and child compartments inherit them, so creating a default such as "CreatedBy" at the root compartment level ensures all resources get tagged. When using tags, protect tag namespaces with Identity and Access Management (IAM) policies; otherwise users can change tags or tag values. Depending on the age of the OCI tenancy, tag defaults may already be set up at the root level, in which case no further action is needed to implement this control.

Impact

There is no performance impact when enabling the described features.

Remediation

From Console:

  1. Log in to the OCI Console.
  2. From the navigation menu, select Governance & Administration.
  3. Under Tenancy Management, select Tag Namespaces.
  4. Under Compartment, select the root compartment.
  5. If no tag namespace exists, click Create Tag Namespace, enter a name and description and click Create Tag Namespace.
  6. Click the name of a tag namespace.
  7. Click Create Tag Key Definition.
  8. Enter a tag key (for example CreatedBy) and description, and click Create Tag Key Definition.
  9. From the navigation menu, select Identity & Security.
  10. Under Identity, select Compartments.
  11. Click the name of the root compartment.
  12. Under Resources, select Tag Defaults.
  13. Click Create Tag Default.
  14. Select a tag namespace, tag key, and enter ${iam.principal.name} as the tag value.
  15. Click Create.

From CLI:

  1. Create a Tag Namespace in the Root Compartment:

    oci iam tag-namespace create --compartment-id=<tenancy_ocid> --name=<name> --description=<description> --query data.{"\"Tag Namespace Oracle Cloud Identifier (OCID)\":id"} --output table
  2. Note the Tag Namespace OCID and use it when creating the Tag Key Definition:

    oci iam tag create --tag-namespace-id=<tag_namespace_ocid> --name=<tag_key_name> --description=<description> --query data.{"\"Tag Key Definition OCID\":id"} --output table
  3. Note the Tag Key Definition OCID and use it when creating the Tag Default in the Root compartment:

    oci iam tag-default create --compartment-id=<tenancy_ocid> --tag-definition-id=<tag_key_definition_id> --value="\${iam.principal.name}"
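Because an older tenancy may already have some or all of these objects, it helps to assess the root compartment before running the three CLI steps. The following is an added example, not part of the Lacework policy or the CIS benchmark text: it takes the JSON that `oci iam tag-namespace list --compartment-id <tenancy_ocid> --all`, `oci iam tag list --tag-namespace-id <tag_namespace_ocid> --all` and `oci iam tag-default list --compartment-id <tenancy_ocid> --all` print, decides whether a "CreatedBy" default with the value `${iam.principal.name}` is active at the root, and emits only the remediation steps that are still missing. The sample JSON, the namespace name "Governance" and the descriptions are constructed placeholders; chaining the steps through `--query data.id --raw-output` into shell variables is this example's choice, not the benchmark's.

```python
import json
import shlex

PRINCIPAL_NAME_VARIABLE = "${iam.principal.name}"

# Constructed sample output (placeholder OCIDs, not real tenancy data) in the
# shape the OCI CLI prints for the three list commands: an older tenancy that
# already has a namespace and a CreatedBy key, but only a CreatedOn default.
SAMPLE_NAMESPACES = json.dumps({"data": [
    {"id": "ocid1.tagnamespace.oc1..placeholder", "name": "Governance",
     "is-retired": False, "lifecycle-state": "ACTIVE"}]})
SAMPLE_TAG_KEYS = json.dumps({"data": [
    {"id": "ocid1.tagdefinition.oc1..placeholder", "name": "CreatedBy",
     "tag-namespace-id": "ocid1.tagnamespace.oc1..placeholder",
     "is-retired": False, "lifecycle-state": "ACTIVE"}]})
SAMPLE_TAG_DEFAULTS = json.dumps({"data": [
    {"id": "ocid1.tagdefault.oc1..placeholder", "tag-definition-name": "CreatedOn",
     "tag-definition-id": "ocid1.tagdefinition.oc1..other",
     "value": "${oci.datetime}", "lifecycle-state": "ACTIVE"}]})


def _active(cli_json):
    """Active, non-retired entries under 'data' in an OCI CLI JSON listing."""
    return [d for d in json.loads(cli_json).get("data", [])
            if d.get("lifecycle-state") == "ACTIVE" and not d.get("is-retired", False)]


def assess_default_tags(namespaces_json, tag_keys_json, tag_defaults_json,
                        namespace_name="Governance", tag_key="CreatedBy"):
    """Gap analysis for control 3.2 at the root compartment.

    Reports which of the three objects (namespace, tag key, tag default) exist
    and whether the tenancy is compliant. Only a default for tag_key whose
    value is exactly ${iam.principal.name} counts; a static value would not
    record the creating principal.
    """
    namespace = next((n for n in _active(namespaces_json)
                      if n.get("name") == namespace_name), None)
    key = None if namespace is None else next(
        (k for k in _active(tag_keys_json)
         if k.get("name") == tag_key and k.get("tag-namespace-id") == namespace["id"]), None)
    default = next((d for d in _active(tag_defaults_json)
                    if d.get("tag-definition-name") == tag_key
                    and d.get("value") == PRINCIPAL_NAME_VARIABLE), None)
    return {"namespace_id": namespace["id"] if namespace else None,
            "tag_key_id": key["id"] if key else None,
            "tag_default_id": default["id"] if default else None,
            "compliant": default is not None}


def remediation_plan(assessment, tenancy_ocid, namespace_name="Governance", tag_key="CreatedBy"):
    """Shell lines for only the Remediation steps still needed.

    Each created object's OCID is captured into a shell variable for the next
    step; existing objects are referenced by their known OCID instead.
    """
    if assessment["compliant"]:
        return []
    q = shlex.quote
    lines = []
    if assessment["namespace_id"] is None:
        lines.append(f"NS_OCID=$(oci iam tag-namespace create --compartment-id={q(tenancy_ocid)} "
                     f"--name={q(namespace_name)} --description={q('Default tags for control 3.2')} "
                     f"--query data.id --raw-output)")
        ns_ref = '"$NS_OCID"'
    else:
        ns_ref = q(assessment["namespace_id"])
    if assessment["tag_key_id"] is None:
        lines.append(f"KEY_OCID=$(oci iam tag create --tag-namespace-id={ns_ref} --name={q(tag_key)} "
                     f"--description={q('Principal that created the resource')} "
                     f"--query data.id --raw-output)")
        key_ref = '"$KEY_OCID"'
    else:
        key_ref = q(assessment["tag_key_id"])
    # shlex.quote single-quotes the value so the shell does not expand
    # ${iam.principal.name}; OCI resolves it when each resource is created.
    lines.append(f"oci iam tag-default create --compartment-id={q(tenancy_ocid)} "
                 f"--tag-definition-id={key_ref} --value={q(PRINCIPAL_NAME_VARIABLE)}")
    return lines


if __name__ == "__main__":
    result = assess_default_tags(SAMPLE_NAMESPACES, SAMPLE_TAG_KEYS, SAMPLE_TAG_DEFAULTS)
    print(json.dumps(result, indent=2))
    for line in remediation_plan(result, "ocid1.tenancy.oc1..placeholder"):
        print(line)
```

Run against a real tenancy by saving each list command's output to a file and passing the file contents in; the sample data above yields a single `oci iam tag-default create` line because the namespace and key already exist. An empty tenancy yields all three steps, and a compliant one yields no commands at all.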

Additional Information

  • There is no requirement to use the "Oracle-Tags" namespace to implement this control. A Tag Namespace Administrator can create any namespace and use it for this control.