What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS Tagging Strategy for Security, Cost, and Compliance

Why Tagging Keeps Failing

Most organizations have a tagging policy. Most of those policies are followed inconsistently. Most of those organizations have environments where 40-60% of resources lack required tags, making cost attribution inaccurate, security policies difficult to enforce, and compliance reporting manual.

The reason tagging programs fail is usually not that teams don't understand the value — it's that tagging is treated as a separate step rather than embedded in the resource creation workflow. Tags applied after creation are optional; tags required before creation succeed. This guide covers both the taxonomy (what to tag and how) and the enforcement strategy (how to make it stick).

The Required Tag Taxonomy

Start with a minimal required set. Every organization is different, but these five tags provide value across security, cost, and operations:

Environment

Values: prod, staging, dev, sandbox

Used for: Security policy enforcement (SCPs blocking production changes from dev roles), cost allocation by environment, alert severity adjustment (dev GuardDuty findings less urgent than prod).

Team / Owner

Values: Team identifier (e.g., platform, data-engineering, frontend)

Used for: Cost chargeback, incident escalation routing, Security Hub finding ownership assignment (see our Security Hub automations guide).

Application / Service

Values: Application or service name (e.g., payment-api, user-service, analytics-pipeline)

Used for: Cost allocation to specific products, grouping findings by application in security tools, capacity planning.

Data Classification

Values: public, internal, confidential, restricted

Used for: Security policy enforcement (stricter controls on restricted resources), compliance evidence (demonstrating that sensitive data is protected), Macie scan prioritization.

Managed By

Values: terraform, cloudformation, cdk, manual

Used for: Identifying resources not managed by IaC (potential security risk — someone created resources manually), drift detection, cleanup automation.

Enforcing Tags with SCPs

Service Control Policies can require tags on resource creation. The most effective approach: deny resource creation for key resource types if required tags are missing:

{
  "Effect": "Deny",
  "Action": [
    "ec2:RunInstances",
    "rds:CreateDBInstance",
    "s3:CreateBucket",
    "lambda:CreateFunction"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "aws:RequestTag/Environment": "true",
      "aws:RequestTag/Team": "true",
      "aws:RequestTag/Application": "true"
    }
  }
}

This SCP blocks the most common resource types unless the required tags are present in the creation request. Terraform, CloudFormation, and CDK all support tags in resource creation — this SCP forces teams to include them. See our SCPs guide for implementation details.

AWS Config Rules for Tag Compliance

For existing resources and resource types not covered by SCPs, Config rules detect tag compliance violations:

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "required-tags",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{"tag1Key":"Environment","tag2Key":"Team","tag3Key":"Application"}"
}'

The REQUIRED_TAGS managed rule checks EC2 instances, RDS instances, S3 buckets, ELBs, and other resource types. Non-compliant resources appear in Config compliance reports — evidence for auditors that tagging policies are enforced.

Tags for Security Policy Enforcement

Tags enable attribute-based access control (ABAC) in IAM — policies that use resource tags as conditions rather than hard-coded resource ARNs:

{
  "Effect": "Allow",
  "Action": ["ec2:*", "rds:*"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"
    }
  }
}

This policy allows an IAM role to manage EC2 and RDS resources only if the resource's Team tag matches the IAM principal's Team tag. No hard-coded ARNs needed — teams automatically have access to their own resources and not others.

ABAC reduces IAM policy management overhead significantly. Instead of updating policies when new resources are created, the tag automatically grants the right access. See our cross-account access guide for how ABAC extends across accounts.

Tags for Cost Management

AWS Cost Explorer can break down costs by tag. Enable cost allocation tags in Billing settings (tags must be activated as cost allocation tags before they appear in Cost Explorer — there's a 24-hour delay). With Application and Environment tags active:

Create per-application cost reports for product team chargeback
Set budget alerts per environment (alert when dev costs exceed X)
Identify the most expensive applications for optimization targeting

See our cost optimization guide for the full cost management approach.

Tagging Resources Not Created by IaC

The Managed By tag helps identify resources that were created manually. A regular audit of resources with Managed By: manual or no Managed By tag identifies potential security risks:

An EC2 instance nobody owns
An S3 bucket created for a temporary purpose that was never deleted
An IAM role created during an incident that was never cleaned up

Identify these with a CloudTrail query for RunInstances, CreateBucket, etc. where the console was the source (as opposed to a Terraform or CloudFormation role). These resources represent the "shadow infrastructure" that creates untracked security and cost risk.

Tag Governance Operationally

A tag taxonomy only works if teams apply it consistently. Operational practices that help:

IaC templates with required tag variables: Terraform modules that require tag variables at instantiation time, with validation that enforces allowed values
CI/CD pipeline checks: Terraform plan validation that fails the pipeline if required tags are missing
Monthly tag compliance reports: Email to team leads showing their tag compliance percentage and the resources that are non-compliant
Auto-tagging via Lambda: EventBridge rule on resource creation that calls a Lambda to auto-apply tags from the creating principal's context

FAQ

How many required tags is too many?

5-7 required tags is practical. More than that and compliance drops because the friction is too high. Start with the five described here and add others only when you have a specific use case that requires them.

What about tags on IAM resources?

IAM users, roles, and policies can be tagged, and these tags are particularly valuable for ABAC. Tag IAM roles with Team and Environment to enable the ABAC policies described above. Note that IAM tags are not subject to SCPs in the same way as service resource tags.

Can AWS auto-tag resources based on who created them?

Not natively, but you can build it. An EventBridge rule on resource creation events calls a Lambda that looks up the creating principal's tags and applies them to the new resource. This is particularly useful for auto-applying Team and Environment tags based on the IAM role used for creation.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Viktor B.

Co-founder & CEO