Resource Tagging Enforcement at Creation

Tags missed at creation are rarely added later. The enforcement at creation that keeps tagging consistent.

IaC enforcement

OPA rules: required tags must be present in Terraform plans.

Plan rejected; PR cannot merge without tags.

API enforcement

AWS Tag Policies fail at API time if required tags are missing.

Catches the rare manual creation through console.

Audit

Daily scan: untagged resources. Surface to account owners.

Most teams clean to <1% untagged within a quarter.