Closed e-gineer closed 2 years ago
@e-gineer I agree, it does seem redundant to query the aws_tagging_resource table when we have individual controls per resource type also.
One alternative approach could be to use the aws_tagging_resource table exclusively, but there are limitations, as only a subset of services are supported. So it seems like we'd need individual controls for non-supported services anyway.
So I think the following approach would give us the widest coverage while also reducing redundancy:
aws_tagging_resource table
For my mandatory tags run, I have 8,910 alarms of which 6.962 are from "Tagging resources". This feels wrong.
Should tagging resources be broken up into per-service information? Or is service information redundant relative to this control?
I believe the same problem exists for limit, mandatory, etc: