Tagging is critical for AWS cost allocation, compliance, and resource management, but not all AWS resources support tagging, and AWS doesn't provide a single list of what can't be tagged.
This creates real problems:
- SCP policies fail: tag-enforcement SCPs block untaggable resources they cannot exempt
- Cost allocation gaps: untagged resources can't be attributed to teams/projects
- Compliance blind spots: you can't enforce what you can't tag
- Manual maintenance hell: keeping track of 534 untaggable resources across 461 services
This tool automatically detects all AWS resources that cannot be tagged by parsing the authoritative source: the IAM Service Authorization Reference.
A resource is considered taggable if:
- It has an `aws:ResourceTag/${TagKey}` condition key in the Resource types table, OR
- It's in scope of a `TagResource`/`CreateTags`/`AddTags` action
A resource is untaggable only if it has NEITHER indicator.
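The two indicators above, applied to a page in code. This is an added example, not the project's own parser: the service "example", its resource types and actions are constructed for the demonstration, and the standard-library `html.parser` stands in for whatever the real tool uses to read the Service Authorization Reference.

```python
"""Classify resource types as taggable/untaggable using the two indicators:
  1. the Resource types row lists the aws:ResourceTag/${TagKey} condition key, or
  2. a TagResource / CreateTags / AddTags action has the resource type in scope.
A resource is untaggable only when neither indicator is present."""
from html.parser import HTMLParser

TAG_ACTIONS = {"TagResource", "CreateTags", "AddTags"}
TAG_CONDITION = "aws:ResourceTag/${TagKey}"

# Constructed miniature of a Service Authorization Reference page for a
# hypothetical service "example"; real AWS pages carry more markup.
SAMPLE_HTML = """
<h2>Actions defined by Example</h2>
<table>
<tr><th>Actions</th><th>Description</th><th>Access level</th><th>Resource types (*required)</th><th>Condition keys</th></tr>
<tr><td>CreateCluster</td><td>Grants permission to create a cluster</td><td>Write</td><td><p>cluster*</p></td><td><p>aws:RequestTag/${TagKey}</p></td></tr>
<tr><td>TagResource</td><td>Grants permission to add tags</td><td>Tagging</td><td><p>cluster*</p><p>snapshot*</p></td><td></td></tr>
<tr><td>DescribeReservedNodes</td><td>Grants permission to list reserved nodes</td><td>Read</td><td><p>reserved-node</p></td><td></td></tr>
</table>
<h2>Resource types defined by Example</h2>
<table>
<tr><th>Resource types</th><th>ARN</th><th>Condition keys</th></tr>
<tr><td>cluster</td><td>arn:${Partition}:example:${Region}:${Account}:cluster/${ClusterId}</td><td><p>aws:ResourceTag/${TagKey}</p></td></tr>
<tr><td>snapshot</td><td>arn:${Partition}:example:${Region}:${Account}:snapshot/${SnapshotId}</td><td></td></tr>
<tr><td>reserved-node</td><td>arn:${Partition}:example:${Region}:${Account}:reserved-node/${NodeId}</td><td></td></tr>
</table>
"""


class TableExtractor(HTMLParser):
    """Collect every <table> as a list of rows; each row is a list of cell texts."""

    def __init__(self):
        super().__init__()
        self.tables = []
        self._row = None
        self._cell = []
        self._in_cell = False

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.tables.append([])
        elif tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell, self._in_cell = [], True

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._row is not None:
            # Join text fragments (e.g. several <p> children) with single spaces
            self._row.append(" ".join(" ".join(self._cell).split()))
            self._in_cell = False
        elif tag == "tr" and self._row is not None:
            self.tables[-1].append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._in_cell:
            self._cell.append(data)


def classify(page_html):
    """Return {'taggable': [...], 'untaggable': [...]} for one service page."""
    parser = TableExtractor()
    parser.feed(page_html)
    parser.close()
    by_header = {t[0][0]: t for t in parser.tables if t}
    resource_rows = by_header["Resource types"][1:]
    action_rows = by_header["Actions"][1:]

    taggable = {}
    # Indicator 1: the resource row itself lists the aws:ResourceTag condition key
    for name, _arn, condition_keys in resource_rows:
        taggable[name] = TAG_CONDITION in condition_keys
    # Indicator 2: a tagging action names the resource type (trailing '*' = required)
    for action, _desc, _level, resource_types, _keys in action_rows:
        if action in TAG_ACTIONS:
            for rtype in resource_types.split():
                rtype = rtype.rstrip("*")
                if rtype in taggable:
                    taggable[rtype] = True
    return {
        "taggable": sorted(n for n, ok in taggable.items() if ok),
        "untaggable": sorted(n for n, ok in taggable.items() if not ok),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_HTML))
```

In the constructed page, `cluster` is taggable by indicator 1, `snapshot` only by indicator 2 (it is in scope of `TagResource` but its row lists no condition key), and `reserved-node` has neither and is reported as untaggable.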
Key findings from the latest scan:
- 🔴 534 specific resources cannot be tagged
- ⚠️ Many services have mixed support (some resources taggable, others not)
```bash
# Setup
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt

# Run the primary detection tool
python detect_api_taggable.py
```

Output is saved to `output/` (latest) and `history/` (versioned).
| Script | Role | Description |
|---|---|---|
| `detect_api_taggable.py` | PRIMARY | Authoritative resource-level detection |
| `detect_service_level.py` | SECONDARY | Quick service-level validation |
| `cfn_to_iam_mapper.py` | SUPPLEMENTARY | CloudFormation resource mapping |
- `output/api_taggable_resources.json`: Full untaggable resource list
- `output/service_level_untaggable.json`: Services without tagging API
- `history/`: Timestamped versions for change tracking

```bash
python diff_runs.py  # Compare latest two runs
```

For SCP tagging policies, you need to exclude untaggable resources from tag enforcement:
- Service-level exclusions: Entire services with no tagging API
- Resource-level exclusions: Specific resources in mixed-support services
Without these exclusions, your SCP policies will block legitimate resource creation.
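An added example (not part of this project) of turning the two kinds of exclusion into an SCP. It assumes a constructed tag key `CostCenter`, the common creation-time pattern of denying create actions when `aws:RequestTag/<key>` is absent, and an illustrative exclusion report whose action names and ARN patterns are made up for the demonstration rather than taken from the detector's output.

```python
"""Build SCP tag-enforcement statements that skip untaggable resources.

Service-level exclusions drop a service from enforcement entirely; resource-level
exclusions become NotResource entries so the Deny never touches ARNs that can't
carry the tag. Inputs below are constructed for the example."""
import json

SCP_MAX_BYTES = 5120  # documented size limit of a single SCP document

# Constructed: creation actions to gate, per service.
CREATE_ACTIONS = {
    "ec2": ["ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateSnapshot"],
    "rds": ["rds:CreateDBInstance", "rds:CreateDBCluster"],
    "cloudfront": ["cloudfront:CreateDistribution"],
}

# Constructed exclusion report in the shape this example expects:
#   service_level  -> services with no tagging API (skip entirely)
#   resource_level -> per service, ARN patterns of resources that cannot be tagged
EXCLUSIONS = {
    "service_level": ["cloudfront"],
    "resource_level": {"ec2": ["arn:aws:ec2:*:*:reserved-instances/*"]},
}


def build_tag_scp(create_actions, exclusions, tag_key):
    """Return an SCP document with one Deny statement per enforceable service."""
    statements = []
    for service, actions in sorted(create_actions.items()):
        if service in exclusions["service_level"]:
            continue  # no tagging API: enforcing here would only block creation
        stmt = {
            "Sid": f"Require{tag_key}On{service.capitalize()}",
            "Effect": "Deny",
            "Action": actions,
            # Null=true means the request carries no value for the tag key
            "Condition": {"Null": {f"aws:RequestTag/{tag_key}": "true"}},
        }
        excluded = exclusions["resource_level"].get(service)
        if excluded:
            stmt["NotResource"] = excluded  # deny everything except untaggable ARNs
        else:
            stmt["Resource"] = "*"
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def scp_size_ok(policy):
    """SCPs are rejected above SCP_MAX_BYTES; check the minified size."""
    return len(json.dumps(policy, separators=(",", ":"))) <= SCP_MAX_BYTES


if __name__ == "__main__":
    policy = build_tag_scp(CREATE_ACTIONS, EXCLUSIONS, "CostCenter")
    print(json.dumps(policy, indent=2))
    print("within SCP size limit:", scp_size_ok(policy))
```

The size check matters once the detector's real lists are fed in: 534 resource-level exclusions will not fit in one SCP, so the output has to be split across several policies or reduced to the services the organization actually uses.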
- Platform/Cloud Engineers building SCP tagging policies
- FinOps Teams identifying cost allocation gaps from untaggable resources
- Compliance Teams understanding tagging enforcement limitations
- Anyone implementing AWS tagging strategies at scale
This tool checks for `aws:ResourceTag/${TagKey}` condition key presence, not just `CreateTags` or `TagResource` action support. Here's why:
- SCPs use `aws:ResourceTag` conditions to enforce tagging
- A resource could theoretically support `CreateTags` but lack `aws:ResourceTag` condition support
- Such resources would fail SCP evaluation even if tagged
- By checking for `aws:ResourceTag`, we identify what's compatible with SCP enforcement, not just what's taggable in general
This tool detects untaggable resources, not:
- Usage metrics (API requests, events processed): These are billing aggregations, not resources
- Ephemeral items (Lambda invocations, API calls): Transient actions without persistent state
- Third-party or Marketplace products: Not in the IAM Service Authorization Reference
- Web scraping dependency: Parses AWS HTML documentation. Structure changes could break detection. Integration tests help catch this early.
- Point-in-time accuracy: AWS adds and changes services regularly. Run quarterly or on demand for updates.