Use Default Tags for Cloud Resources

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your OCI cloud resources are using default tags in order to implement consistent resource metadata, improve governance, simplify cost tracking, and accelerate incident response by providing immediate context.

Security
Operational excellence

Default tags apply to new OCI resources, ensuring consistent tagging from creation. To follow best practices, implement them early at the root compartment for broad coverage, and protect tag namespaces with IAM policies to prevent unauthorized changes. Default tags such as "CreatedBy" provide immediate resource ownership information during incidents, eliminating time-consuming audit log searches. This speeds up incident response and accountability.

As an example, this guide demonstrates how to check and manage the "CreatedBy" default tag.


Audit

To determine if your Oracle Cloud Infrastructure (OCI) resources are using default tags, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, under List scope, check the Compartment dropdown list to identify the name of the root compartment in your tenancy. The root compartment has (root) in the resource name.

04 In the left navigation panel, under Identity, choose Compartments and click on the name (link) of the root compartment, listed in the Name column.

05 In the Resources navigation panel, choose Tag Defaults to list the default tags defined for your OCI cloud resources.

06 Check the Tag Defaults list for a tag with Default Value set to ${iam.principal.name} and Tag key status set to Active. If no such tag exists, the Oracle Cloud Infrastructure (OCI) resources deployed within your OCI compartment tree are not using default tags.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the identifier (OCID) of your root compartment (tenancy):

oci iam compartment list \
	--all \
	--query 'data[]."compartment-id"'

02 The command output should return the root compartment OCID:

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam tag-default list command (Windows/macOS/Linux) to list the tag defaults for all the active tag definitions in the OCI root compartment:

oci iam tag-default list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--output table \
	--query 'data[?"lifecycle-state"==`ACTIVE`].{name:"tag-definition-name",value:value}'

04 The command output should return the name and the value defined for each active default tag:

+-----------+-----------------------+
| name      | value                 |
+-----------+-----------------------+
| CreatedOn | ${oci.datetime}       |
+-----------+-----------------------+

Check the value column to identify the value defined for each tag. If there is no row that contains the value of ${iam.principal.name}, the Oracle Cloud Infrastructure (OCI) resources deployed within your OCI compartment tree are not using default tags.
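The following script is an added example (not Trend Micro's or Oracle's code) that applies the audit logic above to the JSON returned by `oci iam tag-default list`: it keeps only ACTIVE tag defaults and reports the compartment as compliant only if one of them resolves to `${iam.principal.name}`. The sample records are constructed to mirror the CLI output fields shown on this page; the live helper assumes an authenticated OCI CLI profile and is not exercised offline.

```python
import json
import subprocess

# The default value the audit looks for: it resolves to the creating principal.
REQUIRED_VALUE = "${iam.principal.name}"


def audit_tag_defaults(tag_defaults):
    """Evaluate the 'data' list returned by `oci iam tag-default list`.

    Returns (compliant, active) where `active` maps each ACTIVE tag default's
    definition name to its value, and `compliant` is True only when at least
    one ACTIVE default carries ${iam.principal.name}. Inactive defaults never
    count, matching the Console check (Tag key status must be Active).
    """
    active = {
        d["tag-definition-name"]: d.get("value")
        for d in tag_defaults
        if d.get("lifecycle-state") == "ACTIVE"
    }
    return REQUIRED_VALUE in active.values(), active


def audit_compartment(compartment_id):
    """Live variant: run the CLI for the root compartment (tenancy) OCID.
    Assumes an authenticated OCI CLI profile; not run offline."""
    proc = subprocess.run(
        ["oci", "iam", "tag-default", "list", "--all",
         "--compartment-id", compartment_id],
        capture_output=True, text=True, check=True,
    )
    return audit_tag_defaults(json.loads(proc.stdout)["data"])


# Constructed samples resembling the CLI output (no real OCIDs included).
SAMPLE_NONCOMPLIANT = [
    {"tag-definition-name": "CreatedOn", "value": "${oci.datetime}",
     "lifecycle-state": "ACTIVE"},
    # A CreatedBy default that exists but is inactive does not satisfy the check.
    {"tag-definition-name": "CreatedBy", "value": "${iam.principal.name}",
     "lifecycle-state": "INACTIVE"},
]
SAMPLE_COMPLIANT = SAMPLE_NONCOMPLIANT[:1] + [
    {"tag-definition-name": "CreatedBy", "value": "${iam.principal.name}",
     "lifecycle-state": "ACTIVE"},
]

if __name__ == "__main__":
    for label, sample in (("non-compliant", SAMPLE_NONCOMPLIANT),
                          ("compliant", SAMPLE_COMPLIANT)):
        ok, active = audit_tag_defaults(sample)
        print(f"{label}: compliant={ok} active defaults={active}")
```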

Remediation / Resolution

To create and configure default tags for your Oracle Cloud Infrastructure (OCI) resources at the root compartment level, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Tag Namespaces page available at https://cloud.oracle.com/identity/tag-namespaces.

03 In the left navigation panel, under List scope, select the root compartment from the Compartment dropdown menu, to list the tag namespaces created for that compartment. Tag namespaces allow collections of tags within your OCI tenancy to have the same policies. If no tag namespace exists, choose Create Tag Namespace, provide a unique name and a short description, then choose Create Tag Namespace to create a new tag namespace.

04 Click on the name (link) of the tag namespace that you want to configure, listed in the Name column.

05 Choose Create Tag Key Definition and perform the following actions to create a new tag definition:

  1. For Tag Key, enter CreatedBy.
  2. For Description, provide a short description for the new tag.
  3. Check the Cost-Tracking setting checkbox to enable cost tracking capabilities. Cost-tracking tags are passed to the billing system in order to allow you to filter your bill and view usage by tag set.
  4. For Tag Value Type, select Static Value.
  5. Choose Create Tag Key Definition to deploy your new tag definition.

06 Navigate to Identity console available at https://cloud.oracle.com/identity/.

07 In the left navigation panel, choose Compartments, and click on the name (link) of the root compartment, listed in the Name column.

08 In the Resources navigation panel, choose Tag Defaults, select Create Tag Default, and perform the following actions to create a new default tag:

  1. For Tag namespace, select the name of the tag namespace configured in steps no. 4 and 5.
  2. For Tag key, select the name of the tag key definition created in step no. 5.
  3. For Required Tag Value Options, select Default Value.
  4. For Default Value enter ${iam.principal.name}.
  5. Choose Create to create your new OCI default tag.

09 If required, repeat steps no. 2 - 8 to create more default tags at the root compartment level.

Using OCI CLI

01 Run iam tag-namespace create command (Windows/macOS/Linux) to create a new tag namespace in the OCI root compartment. Tag namespaces allow collections of tags within your OCI tenancy to have the same policies:

oci iam tag-namespace create \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--name 'Project5-Tags' \
	--description 'Project5 Tag Namespace' \
	--query 'data."id"'

02 The command output should return the identifier (OCID) of the new tag namespace:

"ocid1.tagnamespace.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"

03 Run iam tag create command (Windows/macOS/Linux) to create a new tag key definition for your OCI tag namespace. The following command creates a tag definition named "CreatedBy":

oci iam tag create \
	--tag-namespace-id 'ocid1.tagnamespace.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--name 'CreatedBy' \
	--description 'The name of the IAM principal that created the resource' \
	--query 'data."id"'

04 The command output should return the identifier (OCID) of the new tag key definition:

"ocid1.tagdefinition.oc1..1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"

05 Run iam tag-default create command (Windows/macOS/Linux) to create a new default tag for your Oracle Cloud Infrastructure (OCI) resources at the root compartment level:

oci iam tag-default create \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--tag-definition-id 'ocid1.tagdefinition.oc1..1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234' \
	--value '${iam.principal.name}'

06 The command output should return the information available for your new OCI default tag:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"id": "ocid1.tagdefault.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"is-required": false,
		"lifecycle-state": "ACTIVE",
		"locks": [],
		"tag-definition-id": "ocid1.tagdefinition.oc1..1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
		"tag-definition-name": "CreatedBy",
		"tag-namespace-id": "ocid1.tagnamespace.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"time-created": "2025-03-19T11:21:23.146000+00:00",
		"value": "${iam.principal.name}"
	},
	"etag": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
}

07 If required, repeat steps no. 1 - 6 to create more default tags at the root compartment level.

Publication date Mar 21, 2025