Exclusion tags within AWS

Implementing exclusion tags for specific resources

Updated over 11 months ago

HERE'S WHY

You may have resources within AWS that should always be ignored by Drata's compliance automation tests. Sometimes these are new resources that spin up each day. The exclusion tag functionality lets you exclude these resources by applying a tag within AWS.

BEFORE DIVING IN

Exclusion tags currently apply to the following resource types. Drata will continue to expand the use of exclusion tags.

  • RDS instances and clusters

  • EKS clusters

  • EC2 instances

  • S3 buckets

  • Security groups

  • SQS queues

  • IAM users

  • ECS (Fargate) clusters and services

  • ElastiCache Redis clusters

    • Note: currently this exclusion is only supported on Test 68 - Customer Data is Encrypted at Rest

  • NoSQL DB (DynamoDB) tables

  • Elasticsearch (OpenSearch cluster) instance

HERE'S HOW

RDS Instances and Clusters

  1. From RDS -> Databases, choose the failing resource.

  2. Click on the Tags tab, then click Add.

  3. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.

  4. When the monitor is run again, this resource will show up in the PASSING results. It will have a new TagList property.
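The two rules this page keeps repeating are that the match is on the tag key alone (the value can be anything or empty) and that the key is case-sensitive. The following script is an added example, not Drata's code and not a description of how Drata evaluates tags internally; it applies those two rules to resource records shaped like AWS describe-* output (RDS returns TagList, EC2 returns Tags, S3 get-bucket-tagging returns TagSet) and flags wrong-case near misses such as drataexclude, which the page says will not match. All sample records are constructed.

```python
"""Offline audit of which resources carry a valid DrataExclude tag.

Added example, not Drata's code. It mirrors the page's rules: the key must
be exactly "DrataExclude" (value ignored, may be empty) and the match is
case-sensitive. Sample resource records below are constructed, not pulled
from a real AWS account.
"""

EXCLUDE_KEY = "DrataExclude"

# Different AWS APIs return tags under different property names:
# RDS describe-db-instances -> "TagList", EC2 describe-instances -> "Tags",
# S3 get-bucket-tagging -> "TagSet". Each is a list of {"Key", "Value"}.
TAG_FIELDS = ("TagList", "Tags", "TagSet")


def extract_tags(resource: dict) -> dict:
    """Return {key: value} from whichever tag shape the resource uses."""
    for field in TAG_FIELDS:
        if field in resource:
            return {t["Key"]: t.get("Value", "") for t in resource[field]}
    return {}


def is_excluded(resource: dict) -> bool:
    """Exact, case-sensitive match on the tag key; the value is ignored."""
    return EXCLUDE_KEY in extract_tags(resource)


def near_miss_keys(resource: dict) -> list:
    """Keys that differ from DrataExclude only in case; these will NOT exclude."""
    return sorted(k for k in extract_tags(resource)
                  if k != EXCLUDE_KEY and k.lower() == EXCLUDE_KEY.lower())


def audit(resources: list) -> dict:
    """Classify records as excluded, still evaluated, or misconfigured (wrong case)."""
    report = {"excluded": [], "evaluated": [], "misconfigured": []}
    for r in resources:
        if is_excluded(r):
            report["excluded"].append(r["Id"])
        else:
            report["evaluated"].append(r["Id"])
            if near_miss_keys(r):
                report["misconfigured"].append(r["Id"])
    return report


# Constructed sample records; "Id" is a label added for readability.
SAMPLE_RESOURCES = [
    {"Id": "rds:dev-db", "TagList": [{"Key": "DrataExclude", "Value": ""}]},
    {"Id": "ec2:i-0abc", "Tags": [{"Key": "drataexclude", "Value": "true"}]},
    {"Id": "ec2:i-0def", "Tags": [{"Key": "DrataExclude", "Value": "scratch"}]},
    {"Id": "s3:logs-bucket", "TagSet": [{"Key": "Owner", "Value": "sec"}]},
]

if __name__ == "__main__":
    for bucket, ids in audit(SAMPLE_RESOURCES).items():
        print(f"{bucket}: {ids}")
```

Feeding real describe-* output into audit() only requires attaching an Id label to each record; the "misconfigured" list is the one worth acting on, since a wrong-case tag gives the appearance of an exclusion without one taking effect.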

EKS Clusters

  1. From the Amazon EKS service, navigate to Clusters.

  2. Click on the Cluster you want to configure.

  3. Click on Configuration, then Tags.

  4. Click Manage tags.

  5. Add / remove tags as needed. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.

Security Groups

NOTE: Security Groups automatically generated by EKS clusters will PASS monitor 119 (Firewall Default Disallows Traffic). This is because they are pre-populated with an instructive tag.

For other security groups, you can still add a tag with a key of DrataExclude to exclude them yourself.

  1. From the VPC service, select Security Groups.

  2. Select the offending security group from the list by its checkbox.

  3. From the menu below, choose the Tags submenu, then click Manage Tags.

  4. From this menu, you can add and remove tags. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.

EC2 Instances

  1. From EC2, go to Instances.

  2. Select the failing resource.

  3. Navigate to Tags.

  4. Click Manage Tags.

  5. Click Add Tag.

  6. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match. The value can be anything you want, or you can leave it empty. Click Save.

EC2 Auto Scaling Groups

  1. Head to EC2, and go to Auto Scaling Groups. Select the Auto Scaling Group to which you'd like to attach tags.

  2. Scroll all the way down to Tags, and click the Edit button.

  3. Click on Add Tag. Add the DrataExclude key and verify the Tag new instances field is checked. All new EC2 instances spun up by this Auto Scaling Group will now include the DrataExclude tag.

Note: All instances that were spun up by this ASG prior to adding the tag won't include the tag. You'll either have to add the tag manually to each such instance, or tear it down and wait for the ASG to spin up a new one.
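The note above describes a gap that is easy to miss: the group-level tag with "Tag new instances" checked (PropagateAtLaunch in the API) only reaches instances launched afterwards. The script below is an added example, not Drata's or AWS's code; it takes records shaped like describe-auto-scaling-groups and describe-instances output (constructed here) and lists the group's instances that still lack an exact DrataExclude tag, so they can be tagged by hand or replaced as the note says.

```python
"""Find instances of an Auto Scaling group that still lack the DrataExclude tag.

Added example, not Drata's or AWS's code. Models the page's caveat that a
propagating group tag does not reach instances launched before it was added.
Input records are constructed in the shape of describe-auto-scaling-groups
and describe-instances output.
"""

EXCLUDE_KEY = "DrataExclude"


def group_propagates_tag(asg: dict) -> bool:
    """True if the group carries DrataExclude with PropagateAtLaunch set."""
    return any(t["Key"] == EXCLUDE_KEY and t.get("PropagateAtLaunch", False)
               for t in asg.get("Tags", []))


def instances_missing_tag(asg: dict, instances: list) -> list:
    """IDs of the group's instances with no exact-case DrataExclude tag."""
    members = {i["InstanceId"] for i in asg.get("Instances", [])}
    missing = []
    for inst in instances:
        if inst["InstanceId"] not in members:
            continue  # not part of this group; ignore
        keys = {t["Key"] for t in inst.get("Tags", [])}
        if EXCLUDE_KEY not in keys:  # case-sensitive, as on the page
            missing.append(inst["InstanceId"])
    return sorted(missing)


def report(asg: dict, instances: list) -> dict:
    """Summarize whether the group is set up correctly and what remains to fix."""
    propagates = group_propagates_tag(asg)
    missing = instances_missing_tag(asg, instances)
    if not propagates:
        action = "add DrataExclude to the group with 'Tag new instances' checked"
    elif missing:
        action = "tag these instances manually or replace them via the ASG"
    else:
        action = "nothing to do"
    return {"group": asg["AutoScalingGroupName"], "propagates": propagates,
            "missing": missing, "action": action}


# Constructed sample data: two instances launched before the tag was added,
# one launched after it (so it inherited the tag), and one unrelated instance.
SAMPLE_ASG = {
    "AutoScalingGroupName": "web-asg",
    "Tags": [{"Key": "DrataExclude", "Value": "", "PropagateAtLaunch": True}],
    "Instances": [{"InstanceId": "i-old1"}, {"InstanceId": "i-old2"},
                  {"InstanceId": "i-new1"}],
}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-old1", "Tags": [{"Key": "Name", "Value": "web"}]},
    {"InstanceId": "i-old2", "Tags": [{"Key": "drataexclude", "Value": ""}]},
    {"InstanceId": "i-new1", "Tags": [{"Key": "DrataExclude", "Value": ""}]},
    {"InstanceId": "i-other", "Tags": []},
]

if __name__ == "__main__":
    print(report(SAMPLE_ASG, SAMPLE_INSTANCES))
```

i-old2 is reported as missing even though it carries a tag, because the key is lower-case; that is the same exact-match rule the page states for every resource type.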

S3 Buckets

  1. From the Amazon S3 service, navigate to Buckets.

  2. Click on the bucket you want to configure.

  3. Click the Properties tab. Scroll down to the Tags section and click Edit.

  4. Click Add tag.

  5. You can add and remove tags from your bucket from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.

SQS Queues

  1. From the Amazon SQS service, in the Queues list, choose your resource.

  2. On that resource, open the Tagging tab and choose Edit.

  3. Scroll down to Tags. For the tag's key, choose DrataExclude. This is case-sensitive; drataexclude will not match.

IAM Users

NOTE: If the user had been imported prior to applying the tag, then on the next infrastructure user sync after the tag was added, Drata will automatically mark the user as having access revoked on the Managed Accounts page. You still need to account for it on the Managed Accounts page by either linking it to a corresponding personnel record or marking it out of scope. If the tag was applied before the first sync, Drata will not import the user at all.

  1. Go to IAM, then click on Users (either in the left sidebar or the number under IAM resources).

  2. Click the username of the user to whom you want to add the tag.

  3. Click the Tags tab, then click Add tags.

  4. You can add and remove tags from your user from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.

ECS (Fargate) Clusters

  1. Go to ECS, then click on Clusters.

  2. Click on the name of the failing cluster.

  3. Click on the "Tags" tab.

  4. Click "Edit".

  5. You can add and remove tags from your cluster from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.

ECS (Fargate) Services

  1. Go to ECS, then click on Clusters.

  2. Click on the name of the failing cluster.

  3. Click on the "Services" tab.

  4. Click on the name of the failing service.

  5. Click on the "Tags" tab.

  6. Click "Edit".

  7. You can add and remove tags from your service from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.

ElastiCache Redis Clusters

Note: currently this exclusion is only supported on Test 68 - Customer Data is Encrypted at Rest

  1. Go to ElastiCache, then click on "Redis clusters"

  2. Click on the name of the failing cluster

  3. Scroll down and click on the "Tags" tab

  4. Click on "Manage tags"

  5. You can add and remove tags from your cluster from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.

  6. Click "Apply"

NoSQL DB (DynamoDB) Tables

  1. Go to DynamoDB, then click on "Tables"

  2. Click on the name of the failing table

  3. Scroll to the right, and click on the "Additional settings" tab

  4. Scroll down to the Tags section, and click on "Manage tags"

  5. You can add and remove tags from your table from this menu. When adding a tag, create it with a key of DrataExclude. This is case-sensitive; drataexclude will not match.

  6. Click "Save changes"

Elasticsearch (OpenSearch cluster) instance

  1. Go to Amazon OpenSearch Service.

  2. Select the desired domain from your dashboard.

  3. Select the Tags tab, then click Add tags.

  4. For the tag's key, enter DrataExclude and save. This is case-sensitive; drataexclude will not match.
