HERE'S WHY
You may have resources within AWS that should always be ignored by Drata's compliance automation tests. Sometimes these are new resources that spin up each day. The exclusion tag functionality allows you to exclude these resources with a tag within AWS.
BEFORE DIVING IN
Exclusion tags currently apply to the following resource types. Drata will continue to expand the use of exclusion tags.
RDS instances and clusters
EKS clusters
EC2 instances
S3 buckets
Security groups
SQS queues
IAM users
ECS (Fargate) clusters and services
ElastiCache Redis clusters
Note: currently this exclusion is only supported on Test 68 - Customer Data is Encrypted at Rest
NoSQL DB (DynamoDB) tables
Elasticsearch (OpenSearch cluster) instance
HERE'S HOW
RDS Instances and Clusters
1. From RDS -> Databases, choose the failing resource.
2. Click on the Tags tab, then click Add.
3. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.
4. When the monitor is run again, this resource will show up in the PASSING results. It will have a new TagList property.
EKS Clusters
1. From the Amazon EKS service, navigate to Clusters.
2. Click on the cluster you want to configure.
3. Click on Configuration, then Tags.
4. Click Manage tags.
5. Add / remove tags as needed. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.
Security Groups
NOTE: Security Groups automatically generated by EKS clusters will PASS monitor 119 (Firewall Default Disallows Traffic). This is because they are pre-populated with an instructive tag:
For other security groups, you can still add a tag with a key of DrataExclude to exclude them yourself.
1. From the VPC service, select Security Groups.
2. Select the offending security group from the list by its checkbox.
3. From the menu below, choose the Tags submenu, then click Manage Tags.
4. From this menu, you can add and remove tags. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.
EC2 Instances
1. From EC2, go to Instances.
2. Select the failing resource.
3. Navigate to Tags.
4. Click Manage Tags.
5. Click Add Tag.
6. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match. The value can be anything you want, or you can leave it empty. Click Save.
EC2 Auto Scaling Groups
1. Head to EC2, and go to Auto Scaling Groups. Select the Auto Scaling group to which you'd like to attach tags.
2. Scroll all the way down to Tags, and click the Edit button.
3. Click on Add Tag. Add the DrataExclude key and verify the Tag new instances field is checked. All new EC2 instances spun up by this Auto Scaling group will now include the DrataExclude tag.
Note: Instances that were spun up by this ASG prior to adding the tag won't include the tag. You'll either have to add the tag manually to those instances or tear them down and wait for the ASG to spin up new ones.
S3 Buckets
1. From the Amazon S3 service, navigate to Buckets.
2. Click on the bucket you want to configure.
3. Click the Properties tab. Scroll down to the Tags section and click Edit.
4. Click Add tag.
5. You can add and remove tags from your bucket from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.
SQS Queues
1. From the Amazon SQS service, in the Queues list, choose your resource.
2. On that resource, open the Tagging tab and choose Edit.
3. Scroll down to Tags. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.
IAM Users
NOTE: If the user was imported prior to applying the tag, then on the next infrastructure user sync after the tag was added, Drata will automatically mark the user as having access revoked on the Managed Accounts page. You still need to account for it on the Managed Accounts page by either linking it to a corresponding personnel record or marking it out of scope. If the tag was applied before the first sync, Drata will not import the user at all.
1. Go to IAM, then click on Users (either in the left sidebar or the number under IAM resources).
2. Click the username to which you want to add the tag.
3. Click the Tags tab, then click Add tags.
4. You can add and remove tags from your user from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.
ECS (Fargate) Clusters
1. Go to ECS, then click on Clusters.
2. Click on the name of the failing cluster.
3. Click on the "Tags" tab.
4. Click "Edit".
5. You can add and remove tags from your cluster from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.
ECS (Fargate) Services
1. Go to ECS, then click on Clusters.
2. Click on the name of the failing cluster.
3. Click on the "Services" tab.
4. Click on the name of the failing service.
5. Click on the "Tags" tab.
6. Click "Edit".
7. You can add and remove tags from your service from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.
ElastiCache Redis Clusters
Note: currently this exclusion is only supported on Test 68 - Customer Data is Encrypted at Rest
1. Go to ElastiCache, then click on "Redis clusters".
2. Click on the name of the failing cluster.
3. Scroll down and click on the "Tags" tab.
4. Click on "Manage tags".
5. You can add and remove tags from your cluster from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match. Click "Apply".
NoSQL DB (DynamoDB) Tables
1. Go to DynamoDB, then click on "Tables".
2. Click on the name of the failing table.
3. Scroll to the right, and click on the "Additional settings" tab.
4. Scroll down to the Tags section, and click on "Manage tags".
5. You can add and remove tags from your table from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match. Click "Save changes".
Elasticsearch (OpenSearch cluster) instance
1. Go to Amazon OpenSearch Service.
2. Select the desired domain from your dashboard.
3. Select the Tags tab, then select Add tags.
4. For the tag's key, enter DrataExclude and save.
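Every procedure above ends with the same two caveats: the key must be exactly DrataExclude (drataexclude will not match), and on an Auto Scaling group the tag only reaches new instances if "Tag new instances" is checked. The script below is an added example, not Drata's code, for auditing a tag inventory against those rules before waiting for the next monitor run. It assumes (the page does not state this) that exclusion is an exact, case-sensitive match on the tag key with the value ignored, and that tags arrive in the AWS API shape `[{"Key": ..., "Value": ...}]`, where Auto Scaling group tags also carry `PropagateAtLaunch` (the API field behind the "Tag new instances" checkbox). The inventory in `SAMPLE_RESOURCES` is constructed, not real account data.

```python
"""Audit a tag inventory for the Drata exclusion tag.

Added example, not Drata's own code. Assumptions (not stated on the page):
exclusion is decided by an exact, case-sensitive match of the tag key
against "DrataExclude"; the tag value is ignored; tags use the AWS API shape
[{"Key": ..., "Value": ...}], and Auto Scaling group tags also carry
"PropagateAtLaunch", which the console's "Tag new instances" box sets.
"""

EXCLUDE_KEY = "DrataExclude"


def is_excluded(tags):
    """True when a tag whose key is exactly 'DrataExclude' is present; the value is ignored."""
    return any(tag.get("Key") == EXCLUDE_KEY for tag in tags)


def near_miss_keys(tags):
    """Keys that differ from 'DrataExclude' only in case (e.g. 'drataexclude').

    These look like an exclusion to a human but will not match, so the
    resource keeps being tested and keeps failing.
    """
    return [
        tag["Key"]
        for tag in tags
        if "Key" in tag
        and tag["Key"].casefold() == EXCLUDE_KEY.casefold()
        and tag["Key"] != EXCLUDE_KEY
    ]


def asg_propagates(tags):
    """Auto Scaling group only: the exclusion tag is present AND will be copied
    to instances launched from now on (PropagateAtLaunch / 'Tag new instances')."""
    return any(
        tag.get("Key") == EXCLUDE_KEY and tag.get("PropagateAtLaunch") is True
        for tag in tags
    )


def classify(resource):
    """Return one status string for a resource dict with 'Id', 'Type' and 'TagList'."""
    tags = resource.get("TagList", [])
    if resource.get("Type") == "AutoScalingGroup" and is_excluded(tags) and not asg_propagates(tags):
        return "asg-no-propagate"  # tag sits on the ASG, but new instances will not inherit it
    if is_excluded(tags):
        return "excluded"          # will move to PASSING; keep this list for periodic review
    if near_miss_keys(tags):
        return "near-miss"         # wrong case: still in scope, still failing
    return "in-scope"


def audit(resources):
    """Map resource Id -> status for a whole inventory."""
    return {resource["Id"]: classify(resource) for resource in resources}


# Constructed sample inventory (not real account data).
SAMPLE_RESOURCES = [
    {"Id": "db-prod-1", "Type": "RDS", "TagList": [{"Key": "DrataExclude", "Value": ""}]},
    {"Id": "sg-0abc", "Type": "SecurityGroup", "TagList": [{"Key": "drataexclude", "Value": "yes"}]},
    {"Id": "bucket-logs", "Type": "S3", "TagList": [{"Key": "env", "Value": "prod"}]},
    {"Id": "asg-batch", "Type": "AutoScalingGroup",
     "TagList": [{"Key": "DrataExclude", "Value": "", "PropagateAtLaunch": False}]},
    {"Id": "asg-workers", "Type": "AutoScalingGroup",
     "TagList": [{"Key": "DrataExclude", "Value": "", "PropagateAtLaunch": True}]},
    {"Id": "queue-dlq", "Type": "SQS", "TagList": []},
]

if __name__ == "__main__":
    for resource_id, status in sorted(audit(SAMPLE_RESOURCES).items()):
        print(f"{resource_id:14} {status}")
```

To run this against a real account, feed it the full tag lists of the resource types listed under "Before diving in" rather than only the output of `aws resourcegroupstaggingapi get-resources --tag-filters Key=DrataExclude`, since that filter returns resources carrying the exact key and so never shows the near misses. The "excluded" list is the one worth reviewing regularly: every entry on it is a resource the monitors no longer check.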