Secfix automatically reads tags (called labels in GCP) from your connected cloud accounts. These tags help auto-populate key attributes of your cloud resources in the Secfix Inventory. In this article we will provide a full list of cloud tags and how to set them up in your Cloud environment.

Navigate to 👉 AWS Tagging | Azure Tagging | GCP Tagging

AWS Tagging

Secfix Tags

Apply these tags to your AWS resources using Terraform, AWS CloudFormation or just AWS UI directly, and Secfix will update your inventory list.

AWS Resources in Scope

Here is a list of AWS resources that Secfix is fetching. These resources are usually in scope for the audit.

EC2 resources
Auto Scaling resources
Dynamo DB resources
ECR resources
ELB resources
RDS resources
Redshift resources
Elastic Search Domain Resources
Elastic Cache Resources
SNS Topics Resources
SQS Queues Resources
Elastic Beanstalk Resources
Kinesis Firehose Stream Resources
Glacier Vault Resources
KMS Resources
Lambda Function Resources
Athena Resources
S3 Resources
Cloud Front Resources

⚠️ AWS enforces restrictions on tags:

Tag keys cannot be longer than 128 characters
Tag values cannot be longer than 256 characters
Tag keys and values are case sensitive
Comas are not allowed
In general, the allowed characters are:
- Letters
- Numbers
- Spaces
- The following characters: _ . : / = + - @
- Other allowed characters can vary by AWS service

🏷️ AWS Tags

SECFIX TAG	DESCRIPTION
SecfixOwner	Resource owner. This is the email address of the instance's owner, and it should be set to the email address of a user in Secfix. An owner will not be assigned if there is no user in Secfix with the specified email. Example: `SecfixOwner = "[email protected]"`
SecfixNonProd	Specifies if resources are part of your production systems. This tag is true for staging or development resources and false for production resources. If set to true, the asset will be hidden in Secfix. Example: `SecfixNonProd = "true"`
SecfixNoAlert	Secfix will not monitor the resource and exclude it from audit scope (it will be hidden from Inventory). Only add this tag if you're sure the resource is irrelevant to your audit, and please specify the reason why it's being excluded. Typically Secfix customers would tag their temporary, short-living assets like instances within autoscale groups as `SecfixNoAlert` to avoid documenting them every time they are automatically created. Example: `SecfixNoAlert = "This stores our favorite snacks and isn't part of our production systems"`
SecfixContainsUserData	This tag is true if the resource contains user or PII data. Example: `SecfixContainsUserData = "true"`
SecfixUserDataStored	A description of what user data this resource stores. Example: `SecfixUserDataStored = "User emails and passwords"`
SecfixContainsEPHI	This tag is true if the resource contains electronic Protected Health Information (ePHI). Example: `SecfixContainsEPHI = "true"`
SecfixDescription	A description of what the resource is. If used - it should not be left empty. Example: `SecfixDescription = "Archive of ingested events handled by logs queue"`

Azure Cloud Tags

Secfix Tags

Apply these tags to your Azure resources using Terraform or Azure Resource Manager, and Secfix will update your inventory list.

⚠️ Azure enforces restrictions on tags:

Tag keys cannot be longer than 512 characters
- For storage accounts, tag keys cannot be longer than 128 characters
Tag values cannot be longer than 256 characters
Tag keys cannot contain:
- The following characters: < > % & \ ? /
Tag keys are case insensitive

🏷️ Azure Cloud Tags

SECFIX TAG	DESCRIPTION
SecfixOwner	Resource owner. This is the email address of the instance's owner, and it should be set to the email address of a user in Secfix. An owner will not be assigned if there is no user in Secfix with the email specified. Example: `SecfixOwner = "[email protected]"`
SecfixNonProd	Specifies if resources are part of your production systems. This tag is true for staging or development resources and false for production resources. If set to true, the asset will be hidden in Secfix. Example: `SecfixNonProd = "true"`
SecfixNoAlert	Secfix will not monitor the resource and exclude it from audit scope (it will be hidden from Inventory). Only add this tag if you're sure the resource is irrelevant to your audit, and please specify the reason that it's being excluded. Typically Secfix customers would tag their temporary, short-living assets like instances within autoscale groups as `SecfixNoAlert` to avoid documenting them every time they are automatically created. Example: `SecfixNoAlert = "This stores our favorite snacks and isn't part of our production systems"`
SecfixContainsUserData	This tag is true if the resource contains user or PII data. Example: `SecfixContainsUserData = "true"`
SecfixUserDataStored	A description of what user data this resource stores. Example: `SecfixUserDataStored = "User emails and passwords"`
SecfixContainsEPHI	This tag is true if the resource contains electronic Protected Health Information (ePHI). Example: `SecfixContainsEPHI = "true"`
SecfixDescription	A description of what the resource is. If used - it should not be left empty. Example: `SecfixDescription = "Archive of ingested events handled by logs queue"`

GCP Cloud tags (Labels)

Secfix Tags

Apply these as labels (aka tags) to your GCP resources, and Secfix will update your inventory list.

⚠️ GCP enforces restrictions on tags:

Label keys and label values cannot be longer than 63 characters each.
Label keys and label values can only contain:
- Lowercase letters
- International characters
- Numeric characters
- Underscores
- Hyphens
Label keys must start with a lowercase letter or international character.
Label keys cannot be empty.

🏷️ GCP Cloud Tags (Labels)

SECFIX TAG	DESCRIPTION
secfix-owner	The value should be the first part of the resource owner’s company email address (everything before the @). Replace any periods . in the email username with `_dot_` Example 1: if the email is [email protected], `secfix-owner = "michael_dot_scott`" Example 2: `secfix-owner = "michael"`
secfix-non-prod	Specifies if resources are part of your production systems. This tag is true for staging or development resources and false for production resources. If set to true, the asset will be hidden in Secfix. Example: `secfix-non-prod = "true"`
secfix-no-alert	Secfix will not monitor the resource and exclude it from audit scope (it will be hidden from Inventory). Only add this tag if you're sure the resource is irrelevant to your audit, and please specify the reason that it's being excluded. Typically Secfix customers would tag their temporary, short-living assets like instances within autoscale groups as `SecfixNoAlert` to avoid documenting them every time they are automatically created. Example: `secfix-no-alert = "this-stores-our-favorite-foods-and-isnt-part-of-our-production-systems"`
secfix-contains-user-data	This tag is true if the resource contains user or PII data. Example: `secfix-contains-user-data = "true"`
secfix-user-data-stored	A description of what user data this resource stores. Example: `secfix-user-data-stored = "user-emails-and-phone-numbers"`
secfix-contains-ephi	This tag is true if the resource contains electronic Protected Health Information (ePHI). Example: `secfix-contains-ephi = "true"`
secfix-description	A description of what the resource is. If used - it should not be left empty. Example: `secfix-description = "archive-of-ingested-events-handled-by-logs-queue"`

AWS Tagging

AWS Resources in Scope

⚠️ AWS enforces restrictions on tags:

🏷️ AWS Tags

Azure Cloud Tags

⚠️ Azure enforces restrictions on tags:

🏷️ Azure Cloud Tags

GCP Cloud tags (Labels)

⚠️ GCP enforces restrictions on tags:

🏷️ GCP Cloud Tags (Labels)

Related topics