As cloud environments scale, governance often becomes more challenging than provisioning itself. Without precise controls, organizations quickly lose visibility into costs, ownership, security, and compliance. Cloud Tag Governance addresses this challenge by enforcing consistent and meaningful tagging at the point of resource creation.
In this article, we walk through a hands-on demo that shows how to enforce tag behavior in AWS using IAM Identity Center (SSO) and permission set inline policies. We will intentionally trigger an authorization failure, analyze the error using AWS CloudShell, and then fix the issue by applying the correct tag. While the demo focuses on AWS, the governance principles apply across cloud platforms.
Demo Overview: What We Will Achieve
The goal of this demo is to prove that Cloud Tag Governance can be enforced at request time, even for SSO users, without relying on manual checks or post-deployment remediation. By the end of this demo, you will see that:
- SSO users are governed by permission set policies
- Invalid or missing tags can block resource creation
- Authorization failures are transparent and debuggable
- Correct tagging immediately resolves the issue
Architecture and Demo Prerequisites
AWS Services Used
This demo uses the following AWS services:
- AWS IAM Identity Center (formerly AWS SSO)
- AWS Organizations
- Amazon EC2
- AWS CloudShell
- AWS Security Token Service (STS)
Governance Model Applied
The governance model in this demo follows these principles:
- SSO-first access model (no IAM users in accounts)
- Group-based assignment
- Permission set–level inline policies
- Tag enforcement using
ec2:CreateTags
Step 1: Creating Users and Groups in IAM Identity Center
First, create one or more users in IAM Identity Center. These users authenticate via the SSO portal and do not exist as IAM users in the target AWS account.
Next, create a group named GroupDeveloper and add the demo users to this group. Using groups instead of individual user assignments ensures scalability and consistent governance as teams grow.
Step 2: Assigning GroupDeveloper to an AWS Account
After creating the group, assign GroupDeveloper to a target AWS account.
During this assignment:
- Select the AWS account
- Assign one or more permission sets to the group
This step establishes the link between users, accounts, and permission sets, which is the foundation of IAM Identity Center’s access model.
Step 3: Configuring Permission Sets for the Demo
In this demo, the group is assigned two permission sets.
Permission Set 1: AmazonEC2FullAccess
The first permission set includes the AWS-managed policy AmazonEC2FullAccess. This allows users to create and manage EC2 resources, but does not bypass tag enforcement.
Permission Set 2: CloudShell and STS Decode Access
The second permission set allows users to:
- Open AWS CloudShell
- Call
sts:DecodeAuthorizationMessage
This permission set is essential for troubleshooting authorization failures caused by explicit deny policies.
Step 4: Adding the Inline Policy for Tag Enforcement
Inside one of the permission sets, add an inline IAM policy to enforce tag values.
The purpose of this policy is to:
- Deny the
ec2:CreateTagsaction - Allow only approved values for the
departmenttag
For example, only the following values are allowed:
- finance
- it
- hr
Because inline policies are evaluated at request time, this rule applies immediately whenever an SSO user creates or modifies EC2 tags.
Step 5: Logging in Through the AWS Access Portal
Now, log in using the IAM Identity Center user portal.
From the portal:
- Select the target AWS account
- Choose the appropriate permission set
- Open the AWS Management Console
At this point, you should be able to:
- Access the EC2 console
- Open AWS CloudShell successfully
Step 6: Attempting to Create an EC2 Instance Without the Required Tag
Next, attempt to launch an EC2 instance.
During the launch process:
- Do not add the
departmenttag - Proceed with the remaining configuration as usual
As expected, the EC2 creation fails. The AWS Console displays a generic authorization error, indicating that the request was explicitly denied.
This failure is intentional and confirms that the tag enforcement policy is working.
Step 7: Investigating the Failure Using AWS CloudShell
To understand the reason for the failure, open AWS CloudShell using the same SSO session.
Run the sts decode-authorization-message command with the encoded authorization message returned by the error.
The decoded output clearly shows:
- An explicit deny
- The denied action:
ec2:CreateTags - The failed condition on
aws:RequestTag/department - The list of allowed values
This step is critical because it demonstrates that Cloud Tag Governance is transparent and explainable, not a black box.
Step 8: Fixing the Issue by Adding the Correct Tag
Now, repeat the EC2 creation process.
This time:
- Add the tag
department = it(or another approved value) - Proceed with the launch
The EC2 instance is created successfully. No other configuration changes are required. The only difference is the presence of a valid tag.
This confirms that the enforcement logic works exactly as intended.
What This Demo Proves About Cloud Tag Governance
This demo highlights several important governance principles:
- Tag enforcement happens at request time
- SSO users are governed by permission set inline policies
- Explicit deny rules provide strong and predictable controls
- AWS CloudShell is invaluable for debugging authorization issues
- Governance can be enforced without reducing developer productivity
Key Takeaways
- Cloud Tag Governance is most effective in SSO-first AWS environments
- Permission set inline policies are the correct enforcement point
- Denying
ec2:CreateTagsprevents invalid or inconsistent tagging - Authorization errors are debuggable and actionable
- This approach scales across accounts and teams
Conclusion
This demo demonstrates that effective Cloud Tag Governance starts with enforced tags, designed correctly around IAM Identity Center and permission sets. By enforcing tagging rules at the identity layer, organizations can achieve consistent governance, accurate cost allocation, and reliable automation at scale.
When combined with Service Control Policies, Tag Policies, and AWS Config, this pattern forms a robust, enterprise-ready governance model that grows with your cloud environment.