# Tagging Amazon Inspector resources
<a name="tagging-resources"></a>

 A tag is a label you add to an AWS resource. Tags help you categorize AWS resources based on specific criteria. Tags consist of a key-value pair. The tag key is a general label. The tag value is a description of the tag key. With Amazon Inspector, you can tag [suppression rules](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html) and [CIS scan configurations](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-create-cis-scan-configuration.html). You can add as many as 50 tags to each of your Amazon Inspector resources. 

# Tagging fundamentals
<a name="tagging-fundamentals"></a>

 A tag consists of a key-value pair. The tag key is a general label. The tag value is a description of the tag key. This topic descibes the fundamentals of tagging Amazon Inspector resources. When tagging Amazon Inspector resources, consider the following: 
+  You can tag [suppression rules](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html) and [CIS scan configurations](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-create-cis-scan-configuration.html). 
+  You can add as many as 50 tags to each of your Amazon Inspector resources. 
+  Tag keys must be unique. 
+  A tag key can only have one tag value. 
+  Tag keys and tag values can have a maximum of 128 UTF-8 characters. The characters can be letters, numbers, spaces, or the following symbols: `_` `.` `:` `/` `=` `+` `-` `@`. 
+  You cannot use the `aws` prefix in any of your tags or modify tags with this prefix. Tags with the `aws` prefix are reserved for use by AWS. 
+  Tags assigned to an Amazon Inspector resource are only available in your AWS account and in the AWS Region where you created them. 
+  When you delete a resource, all tags associated with it are deleted, too. 

 For more information about tags, see [Best practices and strategies](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *Tagging AWS Resources and Tag Editor User Guide*. 

**Note**  
 Tags are not intended to store confidential or sensitive information. Never use tags to store this type of data. Tags can be accessible from other AWS services. 

# Adding tags
<a name="tagging-add"></a>

 You can add tags to Amazon Inspector resources. These resources include suppression rules and CIS scan configurations. Tags help you categorize AWS resources based on specific criteria. This topic describes how to add tags to Amazon Inspector resources. 

## Adding tags to Amazon Inspector resources
<a name="w2aac48c10b5"></a>

 You can tag [suppression rules](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html) and [CIS scan configurations](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-create-cis-scan-configuration.html). The following procedures describe how to add tags in the console and with the Amazon Inspector API. 

### Adding tags in the console
<a name="w2aac48c10b5b5"></a>

 You can add tags to Amazon Inspector resources in the console. 

**Adding tags to suppression rules**  
 You can add tags to suppression rules during creation. For more information, see [Creating a suppression rule](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html#findings-managing-supression-rules-create). 

 You can also edit a suppression rule to include tags. For more information, see [Editing a suppression rule](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html#findings-managing-supression-rules-change). 

**Adding tags to a CIS scan configuration**  
 You can add tags to a CIS scan configuration during creation. For more information, see [Creating a CIS scan configuration](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-create-cis-scan-configuration.html). 

 You can also edit a CIS scan configuration to include tags. For more information, see [Editing a CIS scan configuration](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-view-edit-cis-scan-configuration.html). 

### Adding tags with the Amazon Inspector API
<a name="w2aac48c10b5b7"></a>

 You can add tags to Amazon Inspector resources with the Amazon Inspector API. 

**Adding tags to Amazon Inspector resources**  
 Use the `[TagResource](https://docs.aws.amazon.com/inspector/v2/APIReference/API_TagResource.html)` API to add tags to Amazon Inspector resources. You must include the ARN of the resource and the key-value pair for the tag in the command. The following example command uses an empty resource ARN for a suppression filter. The key is `CostAllocation` and value is `dev`. For information about resource types for Amazon Inspector, see [Actions, resources, and condition keys for Amazon Inspector2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html#amazoninspector2-resources-for-iam-policies) in the *Service Authorization Reference*. 

```
aws inspector2 tag-resource \
--resource-arn "arn:${Partition}:inspector2:${Region}:${Account}:owner/${OwnerId}/filter/${FilterId}" \
--tags CostAllocation=dev \
--region us-west-2
```

**Adding tags to suppression rules during creation**  
 Use the `[CreateFilter](https://docs.aws.amazon.com/inspector/v2/APIReference/API_CreateFilter.html)` API to add tags to a suppression rule during creation. 

```
aws inspector2 create-filter \
--name "ExampleSuppressionRuleECR" \
--action SUPPRESS \
--filter-criteria 'resourceType=[{comparison="EQUALS", value="AWS_ECR_IMAGE"}]' \
--tags Owner=ApplicationSecurity \
--region us-west-2
```

**Adding tags to a CIS scan configuration**  
 Use the `[CreateCisScanConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_CreateCisScanConfiguration.html)` API to add a tag to a CIS scan configuration. 

```
aws inspector2 create-cis-scan-configuration \
--scan-name "CreateConfigWithTagsSample" \
--security-level LEVEL_2 \
--targets accountIds=SELF,targetResourceTags={InspectorCisScan=True} \
--schedule 'daily={startTime={timeOfDay=11:10,timezone=UTC}}' \
--tags Owner=SecurityEngineering \
--region us-west-2
```

# Removing tags
<a name="tagging-remove"></a>

 You can remove tags from Amazon Inspector resources. These resources include suppression rules and CIS scan configurations. Tags help you categorize AWS resources based on specific criteria. This topic describes how to remove tags from Amazon Inspector resources. 

## Removing tags from Amazon Inspector resources
<a name="w2aac48c13b5"></a>

 You can remove tags from [suppression rules](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html) and [CIS scan configurations](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-create-cis-scan-configuration.html). The following procedures describe how to remove tags in the console and with the Amazon Inspector API. 

### Removing tags in the console
<a name="w2aac48c13b5b5"></a>

 You can remove tags from Amazon Inspector resources in the console. 

**Removing tags from suppression rules**  
 You can remove a tag from a suppression rule by editing the suppression rule to no longer include the tag. For more information, see [Editing a suppression rule](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html#findings-managing-supression-rules-change). 

**Removing tags from a CIS scan configuration**  
 You can remove a tag from a CIS scan configuration by editing the CIS scan configuration to no longer include the tag. For more information, see [Editing a CIS scan configuration](https://docs.aws.amazon.com/inspector/latest/user/scanning-cis-view-edit-cis-scan-configuration.html). 

### Removing tags with the Amazon Inspector API
<a name="w2aac48c13b5b7"></a>

 You can remove a tag from an Amazon Inspector resource with the Amazon Inspector API. 

**Removing tags from Amazon Inspector resources**  
 Use the `[UntagResource](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UntagResource.html)` API to remove tags from Amazon Inspector resources. 

 The following snippet shows an example of how to remove tag from an Amazon Inspector resource using `UntagResource`. You must include the ARN of the resource and key for tag in the command. The following example uses an empty resource ARN for a suppression filter. The key is `CostAllocation`. For information about resource types for Amazon Inspector, see [Actions, resources, and condition keys for Amazon Inspector2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html#amazoninspector2-resources-for-iam-policies) in the *Service Authorization Reference*. 

```
aws inspector2 untag-resource \ 
--resource-arn "arn:${Partition}:inspector2:${Region}:${Account}:owner/${OwnerId}/cis-configuration/${CISScanConfigurationId}" \ 
--tag-keys CostAllocation \
--region us-west-2
```