info

Cloud Resource Without Tags

Your cloud resources lack environment, owner, or cost-center tags, making it impossible to track ownership, allocate costs, or quickly identify resources during an incident.

How It Works

Tags are metadata key-value pairs attached to cloud resources. Without them, a security incident becomes a guessing game: 'whose EC2 instance is this? Is it in production? Who do I call?' Cost allocation becomes impossible. Compliance audits fail. Orphaned resources accumulate and you keep paying for them. Tagging is pure operational hygiene with no downside.

Vulnerable Code

# BAD: resources deployed without any tags (Terraform)
resource "aws_instance" "app" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.medium"
  # No tags — invisible in cost reports, unknown ownership
}

Secure Code

# GOOD: consistent tagging strategy
resource "aws_instance" "app" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.medium"
  tags = {
    Environment = "production"
    Owner       = "backend-team"
    CostCenter  = "product-eng"
    ManagedBy   = "terraform"
  }
}

Real-World Example

After a security incident, a team spent 4 hours trying to identify all resources belonging to a compromised service because nothing was tagged. What should have been a 10-minute containment turned into a multi-hour guessing game across three AWS accounts.

How to Prevent It

  • Define a company-wide tagging policy with required tags: Environment, Owner, CostCenter, ManagedBy
  • Use AWS Config rule required-tags to enforce tagging compliance automatically
  • Add tags to your Terraform variable defaults so new resources are tagged automatically
  • Use AWS Cost Explorer tag-based cost allocation to track spending by team or project
  • Implement tag-based IAM conditions to restrict resource access by environment tag
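The same required-tags check that AWS Config performs after deployment can be run before apply, as a CI gate over the plan. The following is an added example, not code from the page or the product it describes: it walks the JSON from `terraform show -json tfplan` and flags any taggable resource missing a mandatory tag. The required-tag set and the allowed Environment values are assumed policy, and SAMPLE_PLAN is a constructed plan document.

```python
"""Pre-deploy tag check over `terraform show -json tfplan` output.
Walks the planned_values tree and reports resources missing the required tags.
Assumption (hypothetical, not from the page): REQUIRED_TAGS and ALLOWED_ENVS are
the organisation's policy; SAMPLE_PLAN is a constructed plan, not a real one."""
import json

REQUIRED_TAGS = ("Environment", "Owner", "CostCenter", "ManagedBy")
ALLOWED_ENVS = {"production", "staging", "development"}


def iter_resources(module):
    """Yield every resource in a planned_values module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan):
    """Return {address: [problems]} for every taggable resource violating the policy."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        values = res.get("values") or {}
        if "tags" not in values:  # resource type has no tags attribute: skip
            continue
        tags = values["tags"] or {}  # unset tags show up as null in the plan
        problems = [f"missing tag {key}" for key in REQUIRED_TAGS if not tags.get(key)]
        env = tags.get("Environment")
        if env and env not in ALLOWED_ENVS:
            problems.append(f"Environment={env!r} not allowed")
        if problems:
            findings[res["address"]] = problems
    return findings


# Constructed sample in the shape of `terraform show -json` (not a real plan).
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_instance.app", "values": {"instance_type": "t3.medium", "tags": null}},
    {"address": "aws_s3_bucket.logs", "values": {"tags": {"Environment": "prod",
      "Owner": "sec-team", "CostCenter": "platform", "ManagedBy": "terraform"}}}],
  "child_modules": [{"address": "module.db", "resources": [
    {"address": "module.db.aws_db_instance.main", "values": {"tags": {"Environment": "production",
      "Owner": "backend-team", "CostCenter": "product-eng", "ManagedBy": "terraform"}}}]}]
}}}""")

if __name__ == "__main__":
    for address, problems in check_plan(SAMPLE_PLAN).items():
        print(f"{address}: {'; '.join(problems)}")
```

Wire it into the pipeline so a non-empty result fails the job; the untagged instance and the bucket with an Environment value outside the policy are both reported, while the fully tagged database in the child module passes.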

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.
