

# Tagging Macie resources
<a name="tagging-resources"></a>

A *tag* is a label that you can define and assign to AWS resources, including certain types of Amazon Macie resources. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. For example, you can use tags to apply policies, allocate costs, distinguish between versions of resources, or identify resources that support certain compliance requirements or workflows.

You can assign tags to the following types of Macie resources: allow lists, custom data identifiers, filter rules and suppression rules for findings, and sensitive data discovery jobs. If you're the Macie administrator for an organization, you can also assign tags to member accounts in your organization.

A resource can have as many as 50 tags. Each tag consists of a required *tag key* and an optional *tag value*. A *tag key* is a general label that acts as a category for a more specific tag value. A *tag value* acts as a descriptor for a tag key.

For example, if you create custom data identifiers and sensitive data discovery jobs to analyze data at different points in a workflow (one set for staged data and another for production data), you might assign a `Stack` tag key to those resources. The tag value for this tag key might be `Staging` for custom data identifiers and jobs that analyze staged data, and `Production` for the others.

**Topics**
+ [Tagging fundamentals](tags-basics.md)
+ [Adding tags to resources](tags-add.md)
+ [Controlling access to resources using tags](tags-iam.md)
+ [Reviewing and editing tags for resources](tags-retrieve-update.md)
+ [Removing tags from resources](tags-remove.md)

# Tagging fundamentals for Macie resources
<a name="tags-basics"></a>

To identify, categorize, and manage Amazon Macie resources for your account, you can assign tags to the resources. A *tag* is a label that you define and assign to AWS resources, including certain types of Macie resources. Each tag consists of a required *tag key* and an optional *tag value*. A *tag key* is a general label that acts as a category for a more specific tag value. A *tag value* acts as a descriptor for a tag key. A resource can have as many as 50 tags.

You can assign tags to the following types of Macie resources:
+ Allow lists
+ Custom data identifiers
+ Filter rules and suppression rules for findings
+ Sensitive data discovery jobs

If you're the Macie administrator for an organization, you can also assign tags to member accounts in your organization.

By assigning tags to Macie resources, you can identify and manage the resources in different ways, such as by purpose, owner, environment, or other criteria. This can help you perform tasks such as applying policies, allocating costs, distinguishing between resources, or identifying resources that support certain compliance requirements or workflows. For example, if you create custom data identifiers and sensitive data discovery jobs to analyze data at different points in a workflow (one set for staged data and another for production data), you might assign a `Stack` tag key to those resources. The tag value for this tag key might be `Staging` for custom data identifiers and jobs that analyze staged data, and `Production` for the others.

As you define and assign tags to Macie resources, keep the following in mind:
+ Each resource can have a maximum of 50 tags.
+ For each resource, each tag key must be unique and it can have only one tag value.
+ Tag keys and values are case sensitive. As a best practice, we recommend that you define a strategy for capitalizing tags and implement that strategy consistently across your resources.
+ A tag key can have a maximum of 128 UTF-8 characters. A tag value can have a maximum of 256 UTF-8 characters. The characters can be letters, numbers, spaces, or the following symbols: \_ . : / = \+ - @
+ The `aws:` prefix is reserved for use by AWS. You can’t use it in any tag keys or values that you define. In addition, you can't change or remove tag keys or values that use this prefix. Tags that use this prefix don’t count against the quota of 50 tags for a resource.
+ Any tags that you assign are available only for your AWS account and only in the AWS Region in which you assign them.
+ If you delete a resource, any tags that are assigned to the resource are also deleted.

For additional restrictions, tips, and best practices, see the [Tagging AWS Resources User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
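
The following added example (not part of the Macie documentation or tooling) checks a `tags` map against the limits listed above before it is sent with a `Create` or `TagResource` request. The function names, the problem labels, the treatment of case variants of `aws:` as reserved, and the sample tag sets are assumptions made for illustration.

```python
import re

MAX_TAGS, MAX_KEY_LEN, MAX_VALUE_LEN = 50, 128, 256
# Letters, numbers, spaces, and the symbols _ . : / = + - @
# (\w matches Unicode letters, digits and the underscore).
ALLOWED = re.compile(r"[\w .:/=+\-@]*")


def is_reserved(text):
    """True for the aws: prefix, which is reserved for use by AWS.

    Assumption: case variants such as "AWS:" are rejected as well.
    """
    return text.lower().startswith("aws:")


def check_text(kind, text, limit):
    """Return the problems found in one tag key or one tag value."""
    problems = []
    if len(text) > limit:
        problems.append(f"too-long-{kind}: {len(text)} > {limit} characters")
    if is_reserved(text):
        problems.append(f"reserved-prefix-{kind}: {text!r}")
    if not ALLOWED.fullmatch(text):
        problems.append(f"bad-chars-{kind}: {text!r}")
    return problems


def validate_tags(new_tags, existing_tags=None):
    """Check a tags map against the limits above before it is sent.

    existing_tags is the map already on the resource (for example, from
    ListTagsForResource). A key that is already present is overwritten,
    so it does not add to the count.
    """
    problems = []
    for key, value in new_tags.items():
        if not key:
            problems.append("empty-key: a tag key is required")
            continue
        problems += check_text("key", key, MAX_KEY_LEN)
        if not isinstance(value, str):
            problems.append(f"missing-value: use an empty string for {key!r}")
            continue
        problems += check_text("value", value, MAX_VALUE_LEN)

    merged = {**(existing_tags or {}), **new_tags}
    # Tags that use the aws: prefix do not count against the quota of 50.
    user_defined = [key for key in merged if not is_reserved(key)]
    if len(user_defined) > MAX_TAGS:
        problems.append(f"too-many-tags: {len(user_defined)} > {MAX_TAGS}")
    return problems


# Constructed sample: a resource that already carries 50 user-defined tags
# plus one tag with the reserved prefix.
EXISTING = {f"Team{i:02d}": "x" for i in range(49)}
EXISTING.update({"Stack": "Production", "aws:constructed:example": "x"})

if __name__ == "__main__":
    print(validate_tags({"Stack": "Staging"}, EXISTING))     # overwrites Stack
    print(validate_tags({"CostCenter": "12345"}, EXISTING))  # would be tag 51
    print(validate_tags({"aws:owner": "jane-doe", "Note": "Q1#draft"}))
```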

**Important**  
Do not store confidential or other types of sensitive data in tags. Tags are accessible from many AWS services, including AWS Billing and Cost Management. They aren't intended to be used for sensitive data.

To add and manage tags for Macie resources, you can use Macie or AWS Resource Groups. AWS Resource Groups is a service that's designed to help you group and manage AWS resources as a single unit instead of individually. If you use Macie, you can add tags to a resource when you create the resource. You can also add and manage tags for individual existing resources. If you use AWS Resource Groups, you can add and manage tags in bulk for multiple existing resources spanning multiple AWS services, including Macie. For more information, see the [Tagging AWS Resources User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).

# Adding tags to Macie resources
<a name="tags-add"></a>

A *tag* is a label that you can define and assign to AWS resources, including certain types of Amazon Macie resources. By using tags, you can identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. For example, you can use tags to apply policies, allocate costs, distinguish between versions of resources, or identify resources that support certain compliance requirements or workflows.

You can add tags to the following types of Macie resources:
+ Allow lists
+ Custom data identifiers
+ Filter rules and suppression rules for findings
+ Sensitive data discovery jobs

If you're the Macie administrator for an organization, you can also add tags to member accounts in your organization.

A resource can have as many as 50 tags. Each tag consists of a required *tag key* and an optional *tag value*. A *tag key* is a general label that acts as a category for a more specific tag value. A *tag value* acts as a descriptor for a tag key. For more information about tagging options and requirements, see [Tagging fundamentals](tags-basics.md).

You can add tags to Macie resources in several ways. You can use Macie directly. You can also use the Tag Editor on the AWS Resource Groups console or tagging operations of the AWS Resource Groups Tagging API. AWS Resource Groups is a service that's designed to help you group and manage AWS resources as a single unit instead of individually. If you use Macie, you can add tags to a resource when you create the resource. You can also add tags to individual existing resources. With AWS Resource Groups, you can add tags in bulk for multiple existing resources spanning multiple AWS services, including Macie.

**To add tags to a Macie resource**  
To add tags to an individual Macie resource, you can use the Amazon Macie console or the Amazon Macie API. To add tags to multiple Macie resources at the same time, use the AWS Resource Groups console or the AWS Resource Groups Tagging API. For more information, see the [Tagging AWS Resources User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).

**Important**  
Adding tags to a resource can affect access to the resource. Before you add a tag to a resource, review any AWS Identity and Access Management (IAM) policies that might use tags to control access to resources. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

------
#### [ Console ]

When you create an allow list, custom data identifier, or sensitive data discovery job, the Amazon Macie console provides options for adding tags to the resource. Follow the instructions on the console to add tags to these types of resources when you create the resources. To add tags to a filter rule, suppression rule, or member account, you have to create the resource before you can add tags to it.

To add one or more tags to an existing resource by using the Amazon Macie console, follow these steps.

**To add a tag to a resource**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. Depending on the type of resource that you want to add a tag to, do one of the following:
   + For an allow list, choose **Allow lists** in the navigation pane. In the table, select the checkbox for the list. Then choose **Manage tags** on the **Actions** menu.
   + For a custom data identifier, choose **Custom data identifiers** in the navigation pane. In the table, select the checkbox for the custom data identifier. Then choose **Manage tags** on the **Actions** menu.
   + For a filter or suppression rule, choose **Findings** in the navigation pane. In the **Saved rules** list, choose the edit icon (![\[The edit icon, which is a blue pencil.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-edit-resource-blue.png)) next to the rule. Then choose **Manage tags**.
   + For a member account in your organization, choose **Accounts** in the navigation pane. In the table, select the checkbox for the account. Then choose **Manage tags** on the **Actions** menu.
   + For a sensitive data discovery job, choose **Jobs** in the navigation pane. In the table, select the checkbox for the job. Then choose **Manage tags** on the **Actions** menu.

   The **Manage tags** window lists all the tags that are currently assigned to the resource.

1. In the **Manage tags** window, choose **Edit tags**.

1. Choose **Add tag**.

1. In the **Key** box, enter the tag key for the tag to add to the resource. Then, in the **Value** box, optionally enter a tag value for the key.

   A tag key can contain as many as 128 characters. A tag value can contain as many as 256 characters. The characters can be letters, numbers, spaces, or the following symbols: \_ . : / = \+ - @

1. To add another tag to the resource, choose **Add tag**, and then repeat the preceding step. You can assign as many as 50 tags to a resource.

1. When you finish adding tags, choose **Save**.

------
#### [ API ]

To create a resource and add one or more tags to it programmatically, use the appropriate `Create` operation for the type of resource that you want to create:
+ **Allow list** – Use the [CreateAllowList](https://docs.aws.amazon.com/macie/latest/APIReference/allow-lists.html) operation. Or, if you're using the AWS Command Line Interface (AWS CLI), run the [create-allow-list](https://docs.aws.amazon.com/cli/latest/reference/macie2/create-allow-list.html) command.
+ **Custom data identifier** – Use the [CreateCustomDataIdentifier](https://docs.aws.amazon.com/macie/latest/APIReference/custom-data-identifiers.html) operation. Or, if you're using the AWS CLI, run the [create-custom-data-identifier](https://docs.aws.amazon.com/cli/latest/reference/macie2/create-custom-data-identifier.html) command.
+ **Filter or suppression rule** – Use the [CreateFindingsFilter](https://docs.aws.amazon.com/macie/latest/APIReference/findingsfilters.html) operation. Or, if you're using the AWS CLI, run the [create-findings-filter](https://docs.aws.amazon.com/cli/latest/reference/macie2/create-findings-filter.html) command.
+ **Member account** – Use the [CreateMember](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation. Or, if you're using the AWS CLI, run the [create-member](https://docs.aws.amazon.com/cli/latest/reference/macie2/create-member.html) command.
+ **Sensitive data discovery job** – Use the [CreateClassificationJob](https://docs.aws.amazon.com/macie/latest/APIReference/jobs.html) operation. Or, if you're using the AWS CLI, run the [create-classification-job](https://docs.aws.amazon.com/cli/latest/reference/macie2/create-classification-job.html) command.

In your request, use the `tags` parameter to specify the tag key (`key`) and optional tag value (`value`) for each tag to add to the resource. The `tags` parameter specifies a string-to-string map of tag keys and their associated tag values.

To add one or more tags to an existing resource, use the [TagResource](https://docs.aws.amazon.com/macie/latest/APIReference/tags-resourcearn.html) operation of the Amazon Macie API or, if you're using the AWS CLI, run the [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/macie2/tag-resource.html) command. In your request, specify the Amazon Resource Name (ARN) of the resource that you want to add a tag to. Use the `tags` parameter to specify the tag key (`key`) and optional tag value (`value`) for each tag to add to the resource. As is the case for `Create` operations and commands, the `tags` parameter specifies a string-to-string map of tag keys and their associated tag values.

For example, the following AWS CLI command adds a `Stack` tag key with a `Production` tag value to the specified job. This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Stack\":\"Production\"}
```

Where:
+ `resource-arn` specifies the ARN of the job to add a tag to.
+ `Stack` is the tag key of the tag to add to the job.
+ `Production` is the tag value for the specified tag key (`Stack`).

In the following example, the command adds several tags to the job:

```
C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Stack\":\"Production\",\"CostCenter\":\"12345\",\"Owner\":\"jane-doe\"}
```

For each tag in a `tags` map, both the `key` and `value` arguments are required. However, the value for the `value` argument can be an empty string. If you don’t want to associate a tag value with a tag key, don't specify a value for the `value` argument. For example, the following AWS CLI command adds an `Owner` tag key with no associated tag value:

```
C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Owner\":\"\"}
```

If a tagging operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie returns an HTTP 4*xx* or 500 response that indicates why the operation failed.

------

# Controlling access to Macie resources by using tags
<a name="tags-iam"></a>

After you start tagging Amazon Macie resources, you can define tag-based, resource-level permissions in AWS Identity and Access Management (IAM) policies. By using tags in this way, you can implement granular control of which users and roles in your AWS account have permission to create and tag Macie resources, and which users and roles have permission to add, edit, and remove tags more generally. To control access based on tags, you can use [tag-related condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacie.html#amazonmacie-policy-keys) for Macie in the [Condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of IAM policies.

For example, you can create a policy that allows a user to have full access to all Macie resources, if the `Owner` tag for the resource specifies their username:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ModifyResourceIfOwner",
            "Effect": "Allow",
            "Action": "macie2:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {"aws:ResourceTag/Owner": "${aws:username}"}
            }
        }
    ]
}
```

------

If you define tag-based, resource-level permissions, the permissions take effect immediately. This means that your resources are more secure as soon as they're created. It also means that you can quickly start enforcing the use of tags for new resources. You can also use resource-level permissions to control which tag keys and values can be associated with new and existing resources. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.
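
Because adding, editing, or removing a tag can change who has access to a resource, it helps to list every policy statement whose `Condition` element refers to a tag key before you change that tag. The following added example (not part of the Macie documentation) does that for the `aws:ResourceTag/`, `aws:RequestTag/`, and `aws:TagKeys` condition keys. The function names and the second and third policies are constructed for illustration, and tag keys are compared without regard to case so that near-miss spellings are also surfaced for review.

```python
import json

# The first policy is the ModifyResourceIfOwner example from this page.
# The other two are constructed samples.
POLICIES = {
    "owner-access": json.loads("""
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "ModifyResourceIfOwner",
        "Effect": "Allow",
        "Action": "macie2:*",
        "Resource": "*",
        "Condition": {
          "StringEqualsIgnoreCase": {"aws:ResourceTag/Owner": "${aws:username}"}
        }
      }]
    }"""),
    "protect-owner": json.loads("""
    {
      "Version": "2012-10-17",
      "Statement": {
        "Sid": "ProtectOwnerTag",
        "Effect": "Deny",
        "Action": "macie2:UntagResource",
        "Resource": "*",
        "Condition": {
          "ForAnyValue:StringEquals": {"aws:TagKeys": ["owner", "CostCenter"]}
        }
      }
    }"""),
    "job-creation": json.loads("""
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": "macie2:CreateClassificationJob",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestTag/Stack": "Staging"}}
      }]
    }"""),
}

TAG_PREFIXES = ("aws:resourcetag/", "aws:requesttag/")


def tag_conditions(policy, tag_key):
    """Return (sid, effect, operator, condition_key) for every condition
    in the policy that refers to tag_key."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement object is valid
        statements = [statements]
    wanted = tag_key.lower()
    hits = []
    for index, statement in enumerate(statements):
        sid = statement.get("Sid", f"statement[{index}]")
        for operator, conditions in statement.get("Condition", {}).items():
            for cond_key, cond_value in conditions.items():
                lowered = cond_key.lower()
                if lowered.startswith(TAG_PREFIXES):
                    # The tag key is the part after the slash.
                    matched = lowered.split("/", 1)[1] == wanted
                elif lowered == "aws:tagkeys":
                    # The tag keys are the condition values.
                    values = cond_value if isinstance(cond_value, list) else [cond_value]
                    matched = any(str(v).lower() == wanted for v in values)
                else:
                    matched = False
                if matched:
                    hits.append((sid, statement.get("Effect"), operator, cond_key))
    return hits


def review_tag_change(policies, tag_key):
    """List the statements to review before changing tag_key on a resource."""
    return [
        (name, *hit)
        for name, policy in policies.items()
        for hit in tag_conditions(policy, tag_key)
    ]


if __name__ == "__main__":
    for row in review_tag_change(POLICIES, "Owner"):
        print(row)
```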

# Reviewing and editing tags for Macie resources
<a name="tags-retrieve-update"></a>

As your environment or requirements change over time, you can evaluate existing tags for your Amazon Macie resources and change the tags as necessary. A *tag* is a label that you define and assign to one or more AWS resources, including certain types of Macie resources. Each tag consists of a required *tag key* and an optional *tag value*. A *tag key* is a general label that acts as a category for a more specific tag value. A *tag value* acts as a descriptor for a tag key.

Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. For example, you can use tags to apply policies, allocate costs, distinguish between versions of resources, or identify resources that support certain compliance requirements or workflows.

You can assign tags to the following types of Macie resources:
+ Allow lists
+ Custom data identifiers
+ Filter rules and suppression rules for findings
+ Sensitive data discovery jobs

If you're the Macie administrator for an organization, you can also assign tags to member accounts in your organization. A resource can have as many as 50 tags.

**Topics**
+ [Reviewing tags for resources](#tags-retrieve)
+ [Editing tags for resources](#tags-update)

## Reviewing tags for Macie resources
<a name="tags-retrieve"></a>

You can review the tags for an Amazon Macie resource by using Macie or AWS Resource Groups. AWS Resource Groups is a service that's designed to help you group and manage AWS resources as a single unit instead of individually. If you use Macie, you can review the tags for one resource at a time. With AWS Resource Groups, you can review tags in bulk for multiple existing resources spanning multiple AWS services, including Macie.

**To review the tags for a Macie resource**  
To review the tags for an individual Macie resource, you can use the Amazon Macie console or the Amazon Macie API. To review tags for multiple Macie resources at the same time, use the Tag Editor on the AWS Resource Groups console or the tagging operations of the AWS Resource Groups Tagging API. For more information, see the [Tagging AWS Resources User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).

------
#### [ Console ]

Follow these steps to review a resource's tags by using the Amazon Macie console.

**To review the tags for a resource**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. Depending on the type of resource whose tags you want to review, do one of the following:
   + For an allow list, choose **Allow lists** in the navigation pane. In the table, select the checkbox for the list. Then choose **Manage tags** on the **Actions** menu.
   + For a custom data identifier, choose **Custom data identifiers** in the navigation pane. In the table, select the checkbox for the custom data identifier. Then choose **Manage tags** on the **Actions** menu.
   + For a filter or suppression rule, choose **Findings** in the navigation pane. In the **Saved rules** list, choose the edit icon (![\[The edit icon, which is a blue pencil.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-edit-resource-blue.png)) next to the rule. Then choose **Manage tags**.
   + For a member account in your organization, choose **Accounts** in the navigation pane. In the table, select the checkbox for the account. Then choose **Manage tags** on the **Actions** menu.
   + For a sensitive data discovery job, choose **Jobs** in the navigation pane. In the table, select the checkbox for the job. Then choose **Manage tags** on the **Actions** menu.

   The **Manage tags** window lists all the tags that are currently assigned to the resource. For example, the following image shows the tags that are assigned to a custom data identifier.  
![\[The Manage tags window. It has a table that lists the tag key and tag value for each of three tags.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-tags-manage-review.png)

   In this example, three tags are assigned to the custom data identifier: the **CostCenter** tag key with **12345** as an associated tag value; the **Owner** tag key with no associated tag value (–); and the **Stack** tag key with **Production** as an associated tag value.

1. When you finish reviewing the tags, choose **Cancel** to close the window.

------
#### [ API ]

To retrieve and review the tags for an existing resource programmatically, you can use the appropriate `Get` or `Describe` operation for the type of resource whose tags you want to review. For example, if you use the [GetCustomDataIdentifier](https://docs.aws.amazon.com/macie/latest/APIReference/custom-data-identifiers-id.html) operation or you run the [get-custom-data-identifier](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-custom-data-identifier.html) command from the AWS Command Line Interface (AWS CLI), the response includes a `tags` object. The object lists all the tags (both tag keys and tag values) that are currently assigned to the resource.

You can also use the [ListTagsForResource](https://docs.aws.amazon.com/macie/latest/APIReference/tags-resourcearn.html) operation of the Amazon Macie API. In your request, use the `resourceArn` parameter to specify the Amazon Resource Name (ARN) of the resource. If you're using the AWS CLI, run the [list-tags-for-resource](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-tags-for-resource.html) command and use the `resource-arn` parameter to specify the ARN of the resource. For example:

```
C:\> aws macie2 list-tags-for-resource --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample
```

In the preceding example, *arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample* is the ARN of an existing sensitive data discovery job.

If the operation succeeds, Macie returns a `tags` object that lists all the tags (both tag keys and tag values) that are currently assigned to the resource. For example:

```
{
    "tags": {
        "Stack": "Production",
        "CostCenter": "12345",
        "Owner": ""
    }
}
```

Where `Stack`, `CostCenter`, and `Owner` are the tag keys that are assigned to the resource. `Production` is the tag value that's associated with the `Stack` tag key. `12345` is the tag value that's associated with the `CostCenter` tag key. The `Owner` tag key doesn't have an associated tag value.

To retrieve a list of all the Macie resources that have tags and all the tags that are assigned to each of those resources, use the [GetResources](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html) operation of the AWS Resource Groups Tagging API. In your request, set the value for the `ResourceTypeFilters` parameter to `macie2`. To do this by using the AWS CLI, run the [get-resources](https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html) command and set the value for the `resource-type-filters` parameter to `macie2`. For example:

```
C:\> aws resourcegroupstaggingapi get-resources --resource-type-filters "macie2"
```

If the operation succeeds, Resource Groups returns a `ResourceTagMappingList` array that contains the ARNs of all the Macie resources that have tags, and the tag keys and values that are assigned to each of those resources.

------
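
The `ResourceTagMappingList` that `GetResources` returns can be audited offline against a tagging strategy. The following added example (not part of the Macie documentation) flags resources that lack a required tag key, that carry a required key in the wrong case, or whose `Owner` tag has no value, which matters when a policy grants access by comparing that tag to a username. The required keys, the function name, and the sample response are assumptions constructed for illustration; only the first ARN comes from this page.

```python
from collections import defaultdict

REQUIRED_KEYS = ("Owner", "Stack")  # assumption: keys your strategy requires
ACCESS_KEY = "Owner"                # tag key used in access conditions

# Constructed sample in the shape of a GetResources response.
SAMPLE_RESPONSE = {
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:macie2:us-east-1:123456789012:"
                           "classification-job/3ce05dbb7ec5505def334104bexample",
            "Tags": [
                {"Key": "Stack", "Value": "Production"},
                {"Key": "CostCenter", "Value": "12345"},
                {"Key": "Owner", "Value": ""},
            ],
        },
        {
            "ResourceARN": "arn:aws:macie2:us-east-1:123456789012:"
                           "custom-data-identifier/constructed-example-1",
            "Tags": [
                {"Key": "owner", "Value": "jane-doe"},
                {"Key": "Stack", "Value": "Staging"},
            ],
        },
        {
            "ResourceARN": "arn:aws:macie2:us-east-1:123456789012:"
                           "findings-filter/constructed-example-2",
            "Tags": [{"Key": "CostCenter", "Value": "12345"}],
        },
    ]
}


def audit_tag_mappings(response, required_keys=REQUIRED_KEYS,
                       access_key=ACCESS_KEY):
    """Return (findings, drift).

    findings maps each ARN to a list of problems. drift maps a lowercased
    tag key to every spelling of it that appears across the resources,
    for keys that appear with more than one spelling.
    """
    findings = defaultdict(list)
    spellings = defaultdict(set)
    for mapping in response.get("ResourceTagMappingList", []):
        arn = mapping["ResourceARN"]
        tags = {t["Key"]: t.get("Value", "") for t in mapping.get("Tags", [])}
        for key in tags:
            spellings[key.lower()].add(key)
        for key in required_keys:
            if key in tags:
                continue
            # Tag keys are case sensitive, so "owner" does not satisfy "Owner".
            near = sorted(k for k in tags if k.lower() == key.lower())
            if near:
                findings[arn].append(f"miscased-key: {near[0]} should be {key}")
            else:
                findings[arn].append(f"missing-key: {key}")
        if tags.get(access_key) == "":
            # An empty value can never equal a username.
            findings[arn].append(f"empty-value: {access_key}")
    drift = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return dict(findings), drift


if __name__ == "__main__":
    found, drifted = audit_tag_mappings(SAMPLE_RESPONSE)
    for arn, problems in found.items():
        print(arn, problems)
    print(drifted)
```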

## Editing tags for Macie resources
<a name="tags-update"></a>

To edit the tags (tag keys or tag values) for an Amazon Macie resource, you can use Macie or AWS Resource Groups. If you use Macie, you can edit the tags for one resource at a time. If you use AWS Resource Groups, you can edit tags in bulk for multiple existing resources spanning multiple AWS services, including Macie.

**To edit the tags for a Macie resource**  
To edit the tags for an individual Macie resource, you can use the Amazon Macie console or the Amazon Macie API. To edit tags for multiple Macie resources at the same time, use the [Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) on the AWS Resource Groups console or the tagging operations of the [AWS Resource Groups Tagging API](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/overview.html).

**Important**  
Editing the tags for a resource can affect access to the resource. Before you edit a tag key or value for a resource, review any AWS Identity and Access Management (IAM) policies that might use the tag to control access to resources. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

------
#### [ Console ]

Follow these steps to edit a resource's tags by using the Amazon Macie console.

**To edit the tags for a resource**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. Depending on the type of resource whose tags you want to edit, do one of the following:
   + For an allow list, choose **Allow lists** in the navigation pane. In the table, select the checkbox for the list. Then choose **Manage tags** on the **Actions** menu.
   + For a custom data identifier, choose **Custom data identifiers** in the navigation pane. In the table, select the checkbox for the custom data identifier. Then choose **Manage tags** on the **Actions** menu.
   + For a filter or suppression rule, choose **Findings** in the navigation pane. In the **Saved rules** list, choose the edit icon (![\[The edit icon, which is a blue pencil.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-edit-resource-blue.png)) next to the rule. Then choose **Manage tags**.
   + For a member account in your organization, choose **Accounts** in the navigation pane. In the table, select the checkbox for the account. Then choose **Manage tags** on the **Actions** menu.
   + For a sensitive data discovery job, choose **Jobs** in the navigation pane. In the table, select the checkbox for the job. Then choose **Manage tags** on the **Actions** menu.

   The **Manage tags** window lists all the tags that are currently assigned to the resource.

1. In the **Manage tags** window, choose **Edit tags**.

1. Do any of the following:
   + To add a tag value to a tag key, enter the value in the **Value** box next to the tag key.
   + To change an existing tag key, choose **Remove** next to the tag. Then choose **Add tag**. In the **Key** box that appears, enter the new tag key. Optionally enter an associated tag value in the **Value** box.
   + To change an existing tag value, choose **X** in the **Value** box that contains the value. Then enter the new tag value in the **Value** box.
   + To remove an existing tag value, choose **X** in the **Value** box that contains the value.
   + To remove an existing tag (both the tag key and tag value), choose **Remove** next to the tag.

   A resource can have as many as 50 tags. A tag key can contain as many as 128 characters. A tag value can contain as many as 256 characters. The characters can be letters, numbers, spaces, or the following symbols: \_ . : / = \+ - @

1. When you finish editing the tags, choose **Save**.

------
#### [ API ]

When you edit a tag for a resource programmatically, you overwrite the existing tag with new values. Therefore, the best way to edit a tag depends on whether you want to edit a tag key, a tag value, or both. To edit a tag key, [remove the current tag](tags-remove.md) and [add a new tag](tags-add.md).

To edit or remove only the tag value that's associated with a tag key, overwrite the existing value by using the [TagResource](https://docs.aws.amazon.com/macie/latest/APIReference/tags-resourcearn.html) operation of the Amazon Macie API. If you're using the AWS Command Line Interface (AWS CLI), you can do this by running the [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/macie2/tag-resource.html) command. In your request, specify the Amazon Resource Name (ARN) of the resource whose tag value you want to edit or remove.

To edit a tag value for a tag key, use the `tags` parameter to specify the tag key whose tag value you want to change, and specify the new tag value for the key. For example, the following command changes the tag value from `Production` to `Staging` for the `Stack` tag key that's assigned to the specified sensitive data discovery job. This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Stack\":\"Staging\"}
```

Where:
+ `resource-arn` specifies the job's ARN.
+ `Stack` is the tag key that's associated with the tag value to change.
+ `Staging` is the new tag value for the specified tag key (`Stack`).

To remove a tag value from a tag key, don’t specify a value for the `value` argument in the `tags` parameter. For example:

```
C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Stack\":\"\"}
```

If the operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie returns an HTTP 4*xx* or 500 response that indicates why the operation failed.

------

# Removing tags from Macie resources
<a name="tags-remove"></a>

If you add tags to an Amazon Macie resource, you can subsequently remove one or more of them. A *tag* is a label that you define and assign to AWS resources, including certain types of Macie resources. You can add, edit, and remove tags from the following types of Macie resources: allow lists, custom data identifiers, filter rules and suppression rules for findings, member accounts in an organization, and sensitive data discovery jobs.

You can remove tags from a Macie resource by using Macie or AWS Resource Groups. AWS Resource Groups is a service that's designed to help you group and manage AWS resources as a single unit instead of individually. If you use Macie, you can remove tags from one resource at a time. With AWS Resource Groups, you can remove tags in bulk for multiple existing resources spanning multiple AWS services, including Macie.

**To remove tags from a Macie resource**  
To remove tags from a Macie resource, you can use the Amazon Macie console or the Amazon Macie API. To do this for multiple Macie resources at the same time, use the Tag Editor on the AWS Resource Groups console or the tagging operations of the AWS Resource Groups Tagging API. For more information, see the [Tagging AWS Resources User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).

**Important**  
Removing tags from a resource can affect access to the resource. Before you remove a tag, review any AWS Identity and Access Management (IAM) policies that might use the tag to control access to resources. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

------
#### [ Console ]

Follow these steps to remove one or more tags from a resource by using the Amazon Macie console.

**To remove a tag from a resource**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. Depending on the type of resource that you want to remove a tag from, do one of the following:
   + For an allow list, choose **Allow lists** in the navigation pane. In the table, select the checkbox for the list. Then choose **Manage tags** on the **Actions** menu.
   + For a custom data identifier, choose **Custom data identifiers** in the navigation pane. In the table, select the checkbox for the custom data identifier. Then choose **Manage tags** on the **Actions** menu.
   + For a filter or suppression rule, choose **Findings** in the navigation pane. In the **Saved rules** list, choose the edit icon (![\[The edit icon, which is a blue pencil.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-edit-resource-blue.png)) next to the rule. Then choose **Manage tags**.
   + For a member account in your organization, choose **Accounts** in the navigation pane. In the table, select the checkbox for the account. Then choose **Manage tags** on the **Actions** menu.
   + For a sensitive data discovery job, choose **Jobs** in the navigation pane. In the table, select the checkbox for the job. Then choose **Manage tags** on the **Actions** menu.

   The **Manage tags** window lists all the tags that are currently assigned to the resource.

1. In the **Manage tags** window, choose **Edit tags**.

1. Do any of the following:
   + To remove only the tag value for a tag, choose **X** in the **Value** box that contains the value to remove.
   + To remove both the tag key and tag value (as a pair) for a tag, choose **Remove** next to the tag to remove.

1. To remove additional tags from the resource, repeat the preceding step for each additional tag to remove.

1. When you finish removing tags, choose **Save**.

------
#### [ API ]

To remove one or more tags from a resource programmatically, use the [UntagResource](https://docs.aws.amazon.com/macie/latest/APIReference/tags-resourcearn.html) operation of the Amazon Macie API. In your request, use the `resourceArn` parameter to specify the Amazon Resource Name (ARN) of the resource to remove a tag from. Use the `tagKeys` parameter to specify the tag key of the tag to remove. To remove only a specific tag value (not a tag key) from a resource, [edit the tag](tags-retrieve-update.md#tags-update) instead of removing the tag.

If you're using the AWS Command Line Interface (AWS CLI), run the [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/macie2/untag-resource.html) command and use the `resource-arn` parameter to specify the ARN of the resource to remove a tag from. Use the `tag-keys` parameter to specify the tag key of the tag to remove. For example, the following command removes the `Stack` tag (both the tag key and tag value) from the specified sensitive data discovery job:

```
C:\> aws macie2 untag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tag-keys Stack
```

Where `resource-arn` specifies the ARN of the job to remove a tag from, and `Stack` is the tag key of the tag to remove.

To remove multiple tags from a resource, add each additional tag key as an argument for the `tag-keys` parameter. For example:

```
C:\> aws macie2 untag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tag-keys Stack Owner
```

Where `resource-arn` specifies the ARN of the job to remove tags from, and `Stack` and `Owner` are the tag keys of the tags to remove.

If the operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie returns an HTTP 4*xx* or 500 response that indicates why the operation failed.
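The **Important** note earlier in this section asks you to review IAM policies before you remove a tag. The following Python script is an added example, not part of the Macie documentation or AWS tooling: it scans IAM policy documents for `aws:ResourceTag/<key>` conditions that reference the tag keys you plan to pass to `tag-keys`, and reports whether each condition would evaluate to true once the tag is gone. The policy names, `Sid` values, the `data-sec` tag value, and the function names are constructed for illustration.

```python
# Constructed sample policies (not taken from the Macie documentation).
SAMPLE_POLICIES = {
    "MacieProdJobsReadOnly": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowProdJobs", "Effect": "Allow",
        "Action": "macie2:DescribeClassificationJob", "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Stack": "Production"}},
    }]},
    "MacieOwnerGuardrail": {"Version": "2012-10-17", "Statement": {
        "Sid": "DenyOtherOwners", "Effect": "Deny",
        "Action": "macie2:UpdateClassificationJob", "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:ResourceTag/Owner": "data-sec"}},
    }},
}

PREFIX = "aws:resourcetag/"  # condition key names are case-insensitive


def true_when_tag_absent(operator):
    """True if the operator matches when the condition key is missing.

    Negated (...Not...) and ...IfExists operators evaluate to true for a
    missing key. Null depends on its value, so it is reported as None.
    """
    base = operator.split(":")[-1].lower()  # drop ForAllValues:/ForAnyValue:
    if base == "null":
        return None
    return "not" in base or base.endswith("ifexists")


def removal_impact(policies, tag_keys):
    """List (tag_key, policy, sid, effect, condition_true_when_absent)."""
    # Assumption: compare tag keys case-insensitively to err on the side
    # of flagging a policy for review.
    wanted = {k.lower(): k for k in tag_keys}
    findings = []
    for name, doc in policies.items():
        stmts = doc.get("Statement", [])
        for stmt in [stmts] if isinstance(stmts, dict) else stmts:
            for operator, conds in stmt.get("Condition", {}).items():
                for cond_key in conds:
                    lowered = cond_key.lower()
                    if not lowered.startswith(PREFIX):
                        continue
                    tag = lowered[len(PREFIX):]
                    if tag in wanted:
                        findings.append((wanted[tag], name, stmt.get("Sid", "?"),
                                         stmt.get("Effect"),
                                         true_when_tag_absent(operator)))
    return findings
```

In the sample data, removing `Stack` means the `Allow` statement stops matching the job, while removing `Owner` makes the `Deny` statement's `StringNotEquals` condition true, so the deny starts to apply to the untagged resource.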

------