Using custom rules for resource tag and label enforcement

  • 17 September 2021

Every company uses tagging and resource labeling in its own way. Among other uses, mature labeling practices are a great way to map resources to their cost centers, to keep track of their purpose and contents for compliance requirements, and to assign ownership and maintenance responsibilities. Netskope Security Posture Management can help enforce good labeling practices with a few simple custom rules suited to your needs.

How to ensure that every resource of a given type is labeled properly

The most common use case for label policy enforcement is to ensure that resources are labeled at all. For example, if we want to ensure that every EC2 instance in our AWS cloud carries a label named "orgunit", we can write the following rule for AWS monitoring:

EC2Instance should have Tags with [ Name eq "orgunit" ]


Once it is added to a compliance profile and monitored by a Security Posture Policy, this rule should show in the Security Posture view with findings like this:

Likewise, we can use a single rule to detect violations of multiple tagging practices. For example, the rule

EC2Instance should have Tags with [ Name eq "orgunit" ] and Tags with [ Name eq "owner" ]

would alert if either the "orgunit" or the "owner" tag is missing.
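
To cross-check the findings of the two-tag rule above outside the product, here is an added example (not Netskope code) that applies the same presence check to constructed data shaped like `aws ec2 describe-instances` output. It assumes exact, case-sensitive matching of tag names, since AWS tag keys are case-sensitive; the instance IDs and tag values are made up.

```python
import json

REQUIRED_TAGS = ("orgunit", "owner")  # tag names taken from the rules above

# Constructed sample shaped like `aws ec2 describe-instances` output.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0000000000000000a",
     "Tags": [{"Key": "orgunit", "Value": "finance"}, {"Key": "owner", "Value": "alice"}]},
    {"InstanceId": "i-0000000000000000b",
     "Tags": [{"Key": "orgunit", "Value": "finance"}]}
  ]},
  {"Instances": [
    {"InstanceId": "i-0000000000000000c"},
    {"InstanceId": "i-0000000000000000d",
     "Tags": [{"Key": "OrgUnit", "Value": "hr"}, {"Key": "owner", "Value": ""}]}
  ]}
]}
""")


def missing_tags(instance, required=REQUIRED_TAGS):
    """Return the required tag names this instance does not carry."""
    # Untagged instances have no "Tags" key at all, so default to an empty list.
    present = {t["Key"] for t in instance.get("Tags", [])}
    # Assumption: exact match on the key, so "OrgUnit" does not satisfy "orgunit".
    # Only the name is checked, so a tag with an empty value still counts as present.
    return [name for name in required if name not in present]


def find_violations(describe_output, required=REQUIRED_TAGS):
    """Map instance ID -> missing tag names, for non-compliant instances only."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            missing = missing_tags(instance, required)
            if missing:
                findings[instance["InstanceId"]] = missing
    return findings


if __name__ == "__main__":
    for instance_id, missing in find_violations(SAMPLE).items():
        print(f"{instance_id}: missing {', '.join(missing)}")
```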


You can also add more complex logic for tag enforcement. You might want to ensure that no resources carrying a certain label contain severe misconfigurations. To illustrate, we describe multiple rules for detecting public storage buckets that have been labeled as containing Personally Identifiable Information (PII) here.
