Enforcing Tagging Policies Across Clouds

mid
intermediate
FinOps
Question

How do you actually enforce that every resource in AWS, GCP, and Azure gets the required tags? Walk me through what you would put in place.

Answer

I think about enforcement in two layers: prevention (block creation without tags) and detection (find violations after the fact). You need both, because 100 percent prevention is impossible and detection alone is too slow.

On AWS I use Organizations Tag Policies to standardize keys and values, Service Control Policies to deny resource creation when the required tags are missing from the request (this only works for API actions that support tag-on-create, so scope the deny to those actions or you block nothing or everything), and the AWS Config managed rule required-tags for drift detection.

On Azure I use Azure Policy with the deny effect for missing tags, and the modify effect to append tags inherited from the resource group. Azure inheritance is a trap: resources do not automatically inherit resource group tags, so you have to add a policy for that.

On GCP the native story is weaker. Organization Policy does not enforce labels as cleanly, so I lean on Terraform default labels plus policy-as-code (OPA or Sentinel) in the CI pipeline, and BigQuery billing export queries to catch anything that slipped through.

The practical order I follow:
  • First, get 90 percent coverage through Terraform default tags in the provider blocks.
  • Second, add policy engines to block the console cowboys.
  • Third, run nightly scans that flag untagged resources back to the owning team in Slack.
If you start with policy engines before fixing Terraform, you will just break deploys.
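The two layers in the answer, as an added Python example that is not code from the original page: a CI gate that reads a `terraform show -json` plan and judges every created or updated resource against a required-tag policy with allowed values, and a nightly-scan step that groups violations on live resources by owning team. It reads AWS `tags_all` so provider-level default_tags count, treats each Azure resource on its own because resource group tags are not inherited, and skips resource types that cannot carry tags, the same reason the Azure policy excludes Microsoft.Resources/deployments. The tag keys, allowed values, untaggable types, plan and inventory rows are all constructed for the example.

```python
"""Two-layer tag enforcement: CI gate over a Terraform plan, scan over live inventory.

Added example; TAG_POLICY, UNTAGGABLE, SAMPLE_PLAN and SAMPLE_INVENTORY are constructed.
"""
import json
import sys
from collections import defaultdict

# Required keys and allowed values, the shape an AWS tag policy standardises.
# None means any non-empty value is accepted.
TAG_POLICY = {"team": None, "env": {"prod", "staging", "dev"}, "cost-center": None}

# Where each provider exposes tags in `terraform show -json plan.out`. AWS resources
# carry `tags_all`, which merges provider default_tags, so checking `tags` alone
# would flag resources that are in fact tagged.
TAG_ATTR = {"aws": "tags_all", "azurerm": "tags", "google": "labels"}

# Types that cannot carry tags and must be skipped (constructed list).
UNTAGGABLE = {"aws_iam_role_policy_attachment", "azurerm_role_assignment", "google_project_iam_member"}


def tag_problems(tags):
    """Return the policy violations for one resource's tag map (None means untagged)."""
    tags = tags or {}
    problems = []
    for key, allowed in TAG_POLICY.items():
        value = tags.get(key)
        if not value:
            problems.append(f"missing tag '{key}'")
        elif allowed is not None and value not in allowed:
            problems.append(f"tag '{key}' has value '{value}', allowed: {sorted(allowed)}")
    return problems


def check_plan(plan):
    """Prevention layer: flag each created or updated resource that violates TAG_POLICY.

    Every resource is judged on its own tag map. An Azure resource inside a tagged
    resource group is still flagged, because Azure does not inherit resource group
    tags unless a modify policy appends them at deployment time.
    """
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if not set(change["actions"]) & {"create", "update"}:
            continue  # deletes, reads and no-ops cannot introduce untagged resources
        attr = TAG_ATTR.get(rc["type"].split("_", 1)[0])
        if attr is None or rc["type"] in UNTAGGABLE:
            continue
        # A tag map only known after apply is absent from `after`; a stricter gate
        # would fail on that instead of passing it through.
        problems = tag_problems((change.get("after") or {}).get(attr))
        if problems:
            violations.append({"address": rc["address"], "problems": problems})
    return violations


def scan_inventory(resources):
    """Detection layer: group violations on live resources by the owning team.

    Resources without a usable team tag land under 'unassigned' so they still
    reach someone instead of silently disappearing.
    """
    by_team = defaultdict(list)
    for res in resources:
        problems = tag_problems(res.get("tags"))
        if problems:
            team = (res.get("tags") or {}).get("team") or "unassigned"
            by_team[team].append({"cloud": res["cloud"], "id": res["id"], "problems": problems})
    return dict(by_team)


# Constructed plan: default_tags make the AWS instance compliant, the Azure VM gets
# nothing from its tagged resource group, the GCP bucket uses a value outside the list.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["create"],
     "after": {"tags": None, "tags_all": {"team": "payments", "env": "prod", "cost-center": "cc-100"}}}},
    {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group", "change": {"actions": ["create"],
     "after": {"tags": {"team": "payments", "env": "prod", "cost-center": "cc-100"}}}},
    {"address": "azurerm_linux_virtual_machine.vm", "type": "azurerm_linux_virtual_machine",
     "change": {"actions": ["create"], "after": {"resource_group_name": "rg", "tags": None}}},
    {"address": "google_storage_bucket.logs", "type": "google_storage_bucket", "change": {"actions": ["update"],
     "after": {"labels": {"team": "data", "env": "production", "cost-center": "cc-200"}}}},
    {"address": "azurerm_role_assignment.reader", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"], "after": {"role_definition_name": "Reader"}}},
    {"address": "aws_instance.old", "type": "aws_instance", "change": {"actions": ["delete"], "after": None}},
]}

# Constructed inventory rows, as a nightly scan would pull them from each cloud's API.
SAMPLE_INVENTORY = [
    {"cloud": "aws", "id": "i-0a1b2c3d", "tags": {"team": "payments", "env": "prod", "cost-center": "cc-100"}},
    {"cloud": "azure", "id": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm",
     "tags": {"team": "payments"}},
    {"cloud": "gcp", "id": "projects/p1/buckets/logs", "tags": {}},
    {"cloud": "aws", "id": "vol-0d4e5f6a", "tags": {"env": "qa"}},
]

if __name__ == "__main__":
    # Usage: python tagcheck.py plan.json   (falls back to the constructed plan)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = check_plan(plan)
    for v in found:
        print(f"DENY {v['address']}: {'; '.join(v['problems'])}")
    for team, items in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"notify {team}: {len(items)} untagged or mistagged resource(s)")
    sys.exit(1 if found else 0)
```

Run against a real plan with `terraform plan -out plan.out && terraform show -json plan.out > plan.json`. The gate exits non-zero on any violation, which is what makes it a prevention control in CI; the inventory scan is the detection half and is deliberately soft, routing to a team rather than failing anything, because in a brownfield estate the first run will return thousands of rows.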

Why This Matters

Enforcement is where tagging programs live or die. Junior candidates will describe what a tag is. Mid candidates mention one native tool per cloud. Strong candidates lay out the prevention plus detection model, mention the Azure inheritance gotcha, acknowledge that GCP has weaker native enforcement, and say that IaC default tags should carry most of the weight. Watch for candidates who say 'just use Azure Policy' without acknowledging that it does not cover GCP, and that it blocks console changes only when assigned with the deny effect at the right scope (an audit-only assignment just records violations).

Code Examples

AWS Organizations Tag Policy (json)

Azure Policy that denies resources missing the team tag (json)

OPA policy for GCP Terraform plans in CI (rego)

Common Mistakes
  • Rolling out deny policies org-wide on day one and breaking every pipeline
  • Forgetting that Azure resources do not inherit resource group tags automatically
  • Relying only on IaC and ignoring the console and ClickOps resources that bypass CI
Follow-up Questions
Interviewers often ask these as follow-up questions
  • What breaks if you enforce a deny policy in a brownfield environment with thousands of existing untagged resources?
  • How would you onboard a team that has never tagged anything without blocking all their deploys on day one?
  • Why does the Azure policy exclude Microsoft.Resources/deployments and similar types?
Tags
finops
cloud-costs
tagging
multi-cloud
policy-as-code
governance
