# EBS Snapshot Tag Compliance & Cleanup Runbook
# WORK-IN-PROGRESS

A hands-on guide to discovering untagged EBS snapshots, cleaning them up, and enforcing tag policies with SCPs.

---

> ‚ö†Ô∏è **IMPORTANT: READ BEFORE RUNNING IN PRODUCTION**
>
> This runbook is both **guided learning** and **solution implementation** in one document.
>
> **The Risk:** When you enable the SCP in Step 8, any workflow, automation, or service that creates EBS snapshots **without the required tags will break**. This includes:
> - Backup solutions (AWS Backup, third-party tools)
> - CI/CD pipelines that snapshot volumes
> - Lambda functions or scripts that create snapshots
> - AWS services like Data Lifecycle Manager (DLM)
> - Manual snapshots from the console (if tags aren't added)
>
> **Before running in a non-dev environment:**
> 1. Read and understand the entire runbook first
> 2. Identify ALL workflows that create snapshots in your environment
> 3. Update those workflows to include required tags
> 4. Test in a sandbox/dev account before production
> 5. Have a rollback plan (SCP detachment instructions included in Cleanup section)
>
> **Recommendation:** Run through this lab in an isolated AWS account first. Understand what each step does before applying to production workloads.

---

# Overview

**Problem:**

EBS snapshots are piling up without proper tags, making cost allocation and resource management a nightmare.

**Solution:**

1. Make sure your AWS accounts are in an AWS Organization
2. Use AWS Config to find non-compliant snapshots (missing tags OR invalid tag values)
3. Tag them
4. Enforce tagging with an SCP so it never happens again

**Required Tags (customize these as needed):**

* Environment - Accepted values: dev, Dev, development, Development, staging, Staging, prod, Prod, production, Production
* CostCenter (any value accepted)

> **Note: This runbook is expected to be ran sequentially skipping a step will likely break it**

## Requirements 

1. AWSCLI 
2. jq

## Instructions

### 1. Setup: AWS Credentials

Before running anything, you need to authenticate with AWS. Besides what is seen directly below, configuring your AWS credentials is out of scope for this runbook. This runbook is collection of AWSCLI commands. Configuring Juytper notebook is out of scope for this runbook and copying and pasting works just fine.

### 1.1 Environment Variables


In [None]:
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_DEFAULT_REGION="us-east-1"

# Optional
export AWS_SESSION_TOKEN="your-session-token"

### 1.1.1 AWS CLI Profile (Alternative)

In [None]:
# Configure default profile
aws configure

### 1.2 Required IAM Permissisons

Your user must be able to complete the following actions in your aws account to be able to complete this runbook

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConfigPermissions",
            "Effect": "Allow",
            "Action": [
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigurationRecorders",
                "config:PutConfigurationRecorder",
                "config:PutDeliveryChannel",
                "config:StartConfigurationRecorder",
                "config:PutConfigRule",
                "config:StartConfigRulesEvaluation",
                "config:GetComplianceDetailsByConfigRule",
                "config:DeleteConfigRule"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EC2Permissions",
            "Effect": "Allow",
            "Action": ["ec2:DescribeSnapshots", "ec2:CreateTags"],
            "Resource": "*"
        },
        {
            "Sid": "IAMPermissions",
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"],
            "Resource": ["arn:aws:iam::*:role/AWSConfigRole"]
        },
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:HeadBucket"],
            "Resource": ["arn:aws:s3:::aws-config-bucket-*"]
        },
        {
            "Sid": "OrganizationsPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListPolicies",
                "organizations:CreatePolicy",
                "organizations:AttachPolicy",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*"
        }
    ]
}
```

### 2. Configure your environment variables and dependicies

This runbook utilizes the AWSCLI in bash 


### 2.1 Quick test - should return your account info


In [None]:
aws sts get-caller-identity


### 2.2 Configure Tags

In [None]:
#!/usr/bin/env bash

REQUIRED_TAGS=("Environment" "CostCenter")

VALID_ENVIRONMENT_VALUES=(
  dev Dev development Development
  staging Staging
  prod Prod production Production
)

declare -A DEFAULT_TAG_VALUES
DEFAULT_TAG_VALUES[Environment]="dev"
DEFAULT_TAG_VALUES[CostCenter]="needs-review"

CONFIG_RULE_NAME="ebs-snapshot-required-tags"


### 2.4 Lab Setup (Optional): Create Test Snapshots

>üß™ For testing/demo purposes only
This section creates dummy EBS volumes and snapshots so you can run through the entire workflow without needing existing infrastructure.

Create Test EBS Volumes

In [None]:
%%bash
set -euo pipefail

NUM_COMPLIANT=3
NUM_NON_COMPLIANT=5

echo "üß™ Creating lab environment..."
echo

# Get an available AZ
AZ=$(aws ec2 describe-availability-zones \
  --filters Name=state,Values=available \
  --query 'AvailabilityZones[0].ZoneName' \
  --output text)

echo "üìç Using Availability Zone: $AZ"

# Create a 1 GiB gp3 volume
VOLUME_ID=$(aws ec2 create-volume \
  --availability-zone "$AZ" \
  --size 1 \
  --volume-type gp3 \
  --tag-specifications 'ResourceType=volume,Tags=[{Key=Purpose,Value=lab-testing}]' \
  --query 'VolumeId' \
  --output text)

echo "‚úÖ Created test volume: $VOLUME_ID"
echo "   ‚è≥ Waiting for volume to be available..."
aws ec2 wait volume-available --volume-ids "$VOLUME_ID"

CREATED_SNAPSHOTS=()

# NON-COMPLIANT snapshots
echo
echo "üì∏ Creating $NUM_NON_COMPLIANT NON-COMPLIANT snapshots (missing tags)..."

NON_COMPLIANT_DESCRIPTIONS=(
  "backup-daily-server"
  "prod-database-backup"
  "dev-test-snapshot"
  "staging-app-server"
  "random-snapshot-123"
)

for ((i=0; i<NUM_NON_COMPLIANT; i++)); do
  DESC="${NON_COMPLIANT_DESCRIPTIONS[$((i % ${#NON_COMPLIANT_DESCRIPTIONS[@]}))]}"
  SNAP_ID=$(aws ec2 create-snapshot \
    --volume-id "$VOLUME_ID" \
    --description "LAB-${DESC}-${i}" \
    --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Purpose,Value=lab-testing},{Key=CreatedBy,Value=compliance-lab}]' \
    --query 'SnapshotId' \
    --output text)
  CREATED_SNAPSHOTS+=("$SNAP_ID")
  echo "   ‚ùå $SNAP_ID - NO required tags (non-compliant)"
done

# COMPLIANT snapshots
echo
echo "üì∏ Creating $NUM_COMPLIANT COMPLIANT snapshots (with tags)..."

COMPLIANT_ENV=("prod" "Dev" "staging")
COMPLIANT_CC=("12345" "67890" "11111")

for ((i=0; i<NUM_COMPLIANT; i++)); do
  IDX=$((i % 3))
  ENV="${COMPLIANT_ENV[$IDX]}"
  CC="${COMPLIANT_CC[$IDX]}"

  SNAP_ID=$(aws ec2 create-snapshot \
    --volume-id "$VOLUME_ID" \
    --description "LAB-compliant-snapshot-${i}" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=Purpose,Value=lab-testing},{Key=CreatedBy,Value=compliance-lab},{Key=Environment,Value=${ENV}},{Key=CostCenter,Value=${CC}}]" \
    --query 'SnapshotId' \
    --output text)
  CREATED_SNAPSHOTS+=("$SNAP_ID")
  echo "   ‚úÖ $SNAP_ID - Environment=$ENV, CostCenter=$CC"
done

# Delete volume
echo
echo "üóëÔ∏è  Cleaning up test volume..."
aws ec2 delete-volume --volume-id "$VOLUME_ID"
echo "   ‚úÖ Deleted volume $VOLUME_ID"

# Summary
echo
echo "üìä Lab Environment Summary:"
echo "   Total snapshots created: ${#CREATED_SNAPSHOTS[@]}"
echo "   Non-compliant: $NUM_NON_COMPLIANT"
echo "   Compliant: $NUM_COMPLIANT"
echo
echo "Snapshot IDs:"
printf ' - %s\n' "${CREATED_SNAPSHOTS[@]}"


### 3. Enable AWS Config

AWS Config needs to be running before we can use Config rules. This section will enable it.

### 3.1 Create IAM Role for AWS Config

AWS Config needs an IAM role to read your resources and write to S3.

In [None]:
%%bash
set -euo pipefail

CONFIG_ROLE_NAME="AWSConfigRole"

echo "üîé Checking for IAM role: $CONFIG_ROLE_NAME"

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${CONFIG_ROLE_NAME}"

if aws iam get-role --role-name "$CONFIG_ROLE_NAME" >/dev/null 2>&1; then
  echo "‚úÖ IAM role '$CONFIG_ROLE_NAME' already exists"
  echo "Role ARN: $ROLE_ARN"
else
  echo "‚ûï Creating IAM role '$CONFIG_ROLE_NAME'..."

  aws iam create-role \
    --role-name "$CONFIG_ROLE_NAME" \
    --assume-role-policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "config.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }' \
    --description "Role for AWS Config to access resources"

  echo "üîó Attaching AWS managed policy AWS_ConfigRole..."
  aws iam attach-role-policy \
    --role-name "$CONFIG_ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

  echo "‚è≥ Waiting 10 seconds for IAM role propagation..."
  sleep 10

  echo "‚úÖ IAM role created successfully"
  echo "Role ARN: $ROLE_ARN"
fi

### 3.2 Create S3 Bucket for Config
AWS Config needs an S3 bucket to store configuration snapshots and history.

In [None]:
#!/usr/bin/env bash
set -euo pipefail

# Resolve account + region
ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
REGION="$(aws configure get region)"

if [[ -z "$REGION" || "$REGION" == "None" ]]; then
  REGION="$(aws ec2 describe-availability-zones \
    --query 'AvailabilityZones[0].RegionName' \
    --output text)"
fi

CONFIG_BUCKET_NAME="aws-config-bucket-${ACCOUNT_ID}-${REGION}"

echo "üîé Checking S3 bucket: $CONFIG_BUCKET_NAME"

# head-bucket returns non-zero if bucket does not exist or no access
if aws s3api head-bucket --bucket "$CONFIG_BUCKET_NAME" >/dev/null 2>&1; then
  echo "‚úÖ S3 bucket '$CONFIG_BUCKET_NAME' already exists"
else
  echo "‚ûï Creating S3 bucket '$CONFIG_BUCKET_NAME'..."

  # us-east-1 special case
  if [[ "$REGION" == "us-east-1" ]]; then
    aws s3api create-bucket \
      --bucket "$CONFIG_BUCKET_NAME" >/dev/null
  else
    aws s3api create-bucket \
      --bucket "$CONFIG_BUCKET_NAME" \
      --create-bucket-configuration LocationConstraint="$REGION" \
      >/dev/null
  fi

  echo "üîê Applying AWS Config bucket policy..."

  aws s3api put-bucket-policy \
    --bucket "$CONFIG_BUCKET_NAME" \
    --policy "{
      \"Version\": \"2012-10-17\",
      \"Statement\": [
        {
          \"Sid\": \"AWSConfigBucketPermissionsCheck\",
          \"Effect\": \"Allow\",
          \"Principal\": {\"Service\": \"config.amazonaws.com\"},
          \"Action\": \"s3:GetBucketAcl\",
          \"Resource\": \"arn:aws:s3:::${CONFIG_BUCKET_NAME}\"
        },
        {
          \"Sid\": \"AWSConfigBucketDelivery\",
          \"Effect\": \"Allow\",
          \"Principal\": {\"Service\": \"config.amazonaws.com\"},
          \"Action\": \"s3:PutObject\",
          \"Resource\": \"arn:aws:s3:::${CONFIG_BUCKET_NAME}/AWSLogs/${ACCOUNT_ID}/Config/*\",
          \"Condition\": {
            \"StringEquals\": {
              \"s3:x-amz-acl\": \"bucket-owner-full-control\"
            }
          }
        }
      ]
    }" >/dev/null

  echo "‚úÖ S3 bucket created: $CONFIG_BUCKET_NAME"
fi

echo
echo "Bucket ready: $CONFIG_BUCKET_NAME"


### 3.3 Create Config Recorder and Delivery Channel

Now we set up the actual Config recorder and delivery channel.

In [None]:
%%bash
set -euo pipefail

# ---- Inputs / conventions ----
CONFIG_ROLE_NAME="AWSConfigRole"
RECORDER_NAME="default"
CHANNEL_NAME="default"

ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
REGION="$(aws configure get region)"
if [[ -z "$REGION" || "$REGION" == "None" ]]; then
  REGION="$(aws ec2 describe-availability-zones --query 'AvailabilityZones[0].RegionName' --output text)"
fi

CONFIG_BUCKET_NAME="aws-config-bucket-${ACCOUNT_ID}-${REGION}"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${CONFIG_ROLE_NAME}"

echo "üîß Using:"
echo "   Account: $ACCOUNT_ID"
echo "   Region:  $REGION"
echo "   Role:    $ROLE_ARN"
echo "   Bucket:  $CONFIG_BUCKET_NAME"
echo

# ---- Determine whether AWS Config is enabled:
#      recorder exists + recorder recording + delivery channel exists ----
RECORDER_EXISTS="false"
IS_RECORDING="false"
CHANNEL_EXISTS="false"

# Recorder exists?
RECORDER_COUNT="$(aws configservice describe-configuration-recorders \
  --query "length(ConfigurationRecorders[?name=='${RECORDER_NAME}'])" \
  --output text 2>/dev/null || echo "0")"
if [[ "$RECORDER_COUNT" != "0" ]]; then
  RECORDER_EXISTS="true"
fi

# Recorder recording?
if [[ "$RECORDER_EXISTS" == "true" ]]; then
  IS_RECORDING="$(aws configservice describe-configuration-recorder-status \
    --query "ConfigurationRecordersStatus[?name=='${RECORDER_NAME}'].recording | [0]" \
    --output text 2>/dev/null || echo "false")"
fi

# Delivery channel exists?
CHANNEL_COUNT="$(aws configservice describe-delivery-channels \
  --query "length(DeliveryChannels[?name=='${CHANNEL_NAME}'])" \
  --output text 2>/dev/null || echo "0")"
if [[ "$CHANNEL_COUNT" != "0" ]]; then
  CHANNEL_EXISTS="true"
fi

# Enabled only if ALL conditions are true
if [[ "$RECORDER_EXISTS" == "true" && "$IS_RECORDING" == "True" && "$CHANNEL_EXISTS" == "true" ]]; then
  CONFIG_ENABLED="true"
else
  CONFIG_ENABLED="false"
fi

echo "üîé AWS Config status:"
echo "   Recorder exists:    $RECORDER_EXISTS"
echo "   Recorder recording: $IS_RECORDING"
echo "   Channel exists:     $CHANNEL_EXISTS"
echo "   config_enabled:     $CONFIG_ENABLED"
echo

# ---- If already enabled, skip setup ----
if [[ "$CONFIG_ENABLED" == "true" ]]; then
  echo "‚úÖ AWS Config is already running - skipping setup"
  exit 0
fi

echo "üì¶ Setting up AWS Config..."
echo

# ---- Sanity checks (role + bucket must exist) ----
aws iam get-role --role-name "$CONFIG_ROLE_NAME" >/dev/null
aws s3api head-bucket --bucket "$CONFIG_BUCKET_NAME" >/dev/null

# ---- Create/Update Delivery Channel FIRST ----
echo "üì¶ Creating/updating delivery channel ($CHANNEL_NAME)..."
aws configservice put-delivery-channel \
  --delivery-channel "{
    \"name\": \"${CHANNEL_NAME}\",
    \"s3BucketName\": \"${CONFIG_BUCKET_NAME}\",
    \"configSnapshotDeliveryProperties\": { \"deliveryFrequency\": \"TwentyFour_Hours\" }
  }" >/dev/null
echo "‚úÖ Delivery channel created/updated"

# ---- Create/Update Configuration Recorder ----
echo "üìº Creating/updating configuration recorder ($RECORDER_NAME)..."
aws configservice put-configuration-recorder \
  --configuration-recorder "{
    \"name\": \"${RECORDER_NAME}\",
    \"roleARN\": \"${ROLE_ARN}\",
    \"recordingGroup\": {
      \"allSupported\": false,
      \"includeGlobalResourceTypes\": false,
      \"resourceTypes\": [\"AWS::EC2::Snapshot\"]
    }
  }" >/dev/null
echo "‚úÖ Config recorder created/updated"

# ---- Start recorder ----
echo "üöÄ Starting Config recorder..."
aws configservice start-configuration-recorder \
  --configuration-recorder-name "$RECORDER_NAME" >/dev/null

echo
echo "‚úÖ AWS Config is now enabled!"
echo "   ‚è≥ Wait a few minutes for initial resource discovery..."


### 3.4 Create the Required Tags Config Rule

This rule will evaluate all EBS snapshots against our required tags.

>**What This Rule Checks:**
>
>1. Tag key `Environment` exists AND value is one of the `allowed values`
>
>2. Tag key `CostCenter` exists (any value)
>
> If either check fails, the snapshot is non-compliant.

In [None]:
%%bash
set -euo pipefail

CONFIG_RULE_NAME="ebs-snapshot-required-tags"
VALID_ENVIRONMENT_VALUES=(dev Dev development Development staging Staging prod Prod production Production)
TAG1_VALUE="$(IFS=,; echo "${VALID_ENVIRONMENT_VALUES[*]}")"
INPUT_PARAMS="{\"tag1Key\":\"Environment\",\"tag1Value\":\"${TAG1_VALUE}\",\"tag2Key\":\"CostCenter\"}"

aws configservice put-config-rule \
  --config-rule "{\"ConfigRuleName\":\"${CONFIG_RULE_NAME}\",\"Description\":\"Checks EBS snapshots for required tags with valid values\",\"Scope\":{\"ComplianceResourceTypes\":[\"AWS::EC2::Snapshot\"]},\"Source\":{\"Owner\":\"AWS\",\"SourceIdentifier\":\"REQUIRED_TAGS\"},\"InputParameters\":\"${INPUT_PARAMS}\"}" \
  >/dev/null

echo "‚úÖ Config rule '${CONFIG_RULE_NAME}' created/updated successfully!"

### 4. Trigger Rule Evaluation

Force an evaluation so we don't have to wait for the periodic check.


In [None]:
%%bash
set -euo pipefail

CONFIG_RULE_NAME="ebs-snapshot-required-tags"

echo "üöÄ Triggering evaluation for Config rule: $CONFIG_RULE_NAME"

aws configservice start-config-rules-evaluation \
  --config-rule-names "$CONFIG_RULE_NAME" \
  >/dev/null

echo "‚úÖ Evaluation triggered for '$CONFIG_RULE_NAME'"
echo "   ‚è≥ Wait 1‚Äì2 minutes for results..."

### 5. Get Non-Compliant Snapshots

Now let's see which snapshots are missing tags.

In [None]:
%%bash
set -euo pipefail

CONFIG_RULE_NAME="ebs-snapshot-required-tags"

echo "üîç Fetching NON-COMPLIANT snapshots for rule: $CONFIG_RULE_NAME"
echo

NON_COMPLIANT_SNAPSHOTS=()
NEXT_TOKEN=""

while :; do
  if [[ -n "$NEXT_TOKEN" ]]; then
    RESPONSE="$(aws configservice get-compliance-details-by-config-rule \
      --config-rule-name "$CONFIG_RULE_NAME" \
      --compliance-types NON_COMPLIANT \
      --next-token "$NEXT_TOKEN")"
  else
    RESPONSE="$(aws configservice get-compliance-details-by-config-rule \
      --config-rule-name "$CONFIG_RULE_NAME" \
      --compliance-types NON_COMPLIANT)"
  fi

  # Extract snapshot IDs
  IDS=($(echo "$RESPONSE" | jq -r \
    '.EvaluationResults[].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId'))

  NON_COMPLIANT_SNAPSHOTS+=("${IDS[@]}")

  NEXT_TOKEN="$(echo "$RESPONSE" | jq -r '.NextToken // empty')"

  [[ -z "$NEXT_TOKEN" ]] && break
done

COUNT="${#NON_COMPLIANT_SNAPSHOTS[@]}"

echo "‚ùå Found $COUNT non-compliant snapshots"
echo

if [[ "$COUNT" -gt 0 ]]; then
  echo "Snapshot IDs:"
  printf ' - %s\n' "${NON_COMPLIANT_SNAPSHOTS[@]}"
else
  echo "üéâ No non-compliant snapshots found"
fi


### 6. Get Snapshot Details

Let's get more info about these snapshots so we can make smart tagging decisions.

In [None]:
%%bash
set -euo pipefail

# ---- Config ----
CONFIG_RULE_NAME="ebs-snapshot-required-tags"
REQUIRED_TAGS=("Environment" "CostCenter")
BATCH_SIZE=200

# jq is required for parsing JSON
command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit 1; }

echo "üîç Fetching NON_COMPLIANT snapshot IDs from AWS Config rule: $CONFIG_RULE_NAME"

# ---- 1) Get NON_COMPLIANT snapshot IDs (handles pagination) ----
SNAPSHOT_IDS=()
NEXT_TOKEN=""

while :; do
  if [[ -n "$NEXT_TOKEN" ]]; then
    RESP="$(aws configservice get-compliance-details-by-config-rule \
      --config-rule-name "$CONFIG_RULE_NAME" \
      --compliance-types NON_COMPLIANT \
      --next-token "$NEXT_TOKEN")"
  else
    RESP="$(aws configservice get-compliance-details-by-config-rule \
      --config-rule-name "$CONFIG_RULE_NAME" \
      --compliance-types NON_COMPLIANT)"
  fi

  mapfile -t IDS < <(echo "$RESP" | jq -r \
    '.EvaluationResults[].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId')

  if [[ "${#IDS[@]}" -gt 0 ]]; then
    SNAPSHOT_IDS+=("${IDS[@]}")
  fi

  NEXT_TOKEN="$(echo "$RESP" | jq -r '.NextToken // empty')"
  [[ -z "$NEXT_TOKEN" ]] && break
done

COUNT="${#SNAPSHOT_IDS[@]}"
echo "‚ùå Found $COUNT non-compliant snapshots"
echo

if [[ "$COUNT" -eq 0 ]]; then
  echo "üéâ No snapshots to look up"
  exit 0
fi

# ---- 2) Describe snapshots in batches of 200 and print a readable table ----
echo "üìã Snapshot details (including existing tags + missing required tags)"
echo
printf "%-18s %-18s %-7s %-17s %-52s %-30s %-20s\n" \
  "SnapshotId" "VolumeId" "SizeGB" "StartTime" "Description" "ExistingTags" "MissingTags"
printf "%0.s-" {1..170}; echo

TOTAL_SIZE=0

# helper: join array slice into a space-separated string
for ((i=0; i<COUNT; i+=BATCH_SIZE)); do
  BATCH=("${SNAPSHOT_IDS[@]:i:BATCH_SIZE}")

  # Build args: --snapshot-ids id1 id2 ...
  # shellcheck disable=SC2086
  DESCRIBE="$(aws ec2 describe-snapshots --snapshot-ids "${BATCH[@]}")"

  # Print one line per snapshot
  echo "$DESCRIBE" | jq -r --argjson req '["Environment","CostCenter"]' '
    .Snapshots[]
    | ( .Tags // [] | map("\(.Key)=\(.Value)") | join(",") ) as $tagstr
    | ( .Tags // [] | map(.Key) ) as $tagkeys
    | ( $req | map(select( ($tagkeys | index(.)) | not )) | join(",") ) as $missing
    | [
        .SnapshotId,
        (.VolumeId // "N/A"),
        (.VolumeSize|tostring),
        (.StartTime | tostring | sub("\\..*Z$";"") | sub("T";" ") | .[0:16]),
        ((.Description // "") | gsub("[\\r\\n\\t]+";" ") | .[0:50]),
        ($tagstr | if .=="" then "-" else . end),
        ($missing | if .=="" then "-" else . end)
      ] | @tsv
  ' | while IFS=$'\t' read -r sid vid size st desc tags missing; do
        TOTAL_SIZE=$((TOTAL_SIZE + size))
        printf "%-18s %-18s %-7s %-17s %-52s %-30s %-20s\n" \
          "$sid" "$vid" "$size" "$st" "$desc" "$tags" "$missing"
      done
done

echo
echo "üìä Non-Compliant Snapshots Summary:"
echo "   Total:      $COUNT"
echo "   Total Size: ${TOTAL_SIZE} GB"

### 7. Bulk Tag Snapshots

>‚ö†Ô∏è Why Tag First, Enforce Later?
SCPs are powerful‚Äîyou could block all actions on untagged snapshots right now. But that's risky. You might break automation, backups, or workflows you didn't know existed.
The safer approach:

>Tag everything that exists today (this step)
Then enforce tagging on new snapshots only (Step 9)

>The catch: This approach isn't all-encompassing. The SCP only blocks creation of new untagged snapshots. It won't magically fix snapshots that slip through or get their tags removed later. If you don't stay on top of compliance (Step 8), untagged resources will accumulate again.
Consider setting up ongoing monitoring (Lambda + SNS alerts, or periodic Config evaluations) to catch drift.

Now let's fix these snapshots by Applying default tags to everything

### 7.1 Apply Default Tags to All

In [None]:
%%bash
set -euo pipefail

# ---- Settings ----
CONFIG_RULE_NAME="ebs-snapshot-required-tags"

# Safe defaults (only applied when the tag is MISSING)
DEFAULT_ENV="needs-review"
DEFAULT_COSTCENTER="needs-review"

# Limits
DESCRIBE_BATCH_SIZE=200   # describe-snapshots supports up to 200 snapshot IDs per call
TAG_BATCH_SIZE=500        # create-tags supports up to 1000 resources/call; 500 is safe

command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit 1; }

echo "üõ°Ô∏è  Safe bulk-tagging: ONLY add missing tags (no overwrites)"
echo "   Defaults: Environment=$DEFAULT_ENV, CostCenter=$DEFAULT_COSTCENTER"
echo

# ---- 1) Collect NON_COMPLIANT snapshot IDs from AWS Config (pagination) ----
SNAPSHOT_IDS=()
NEXT_TOKEN=""

while :; do
  if [[ -n "$NEXT_TOKEN" ]]; then
    RESP="$(aws configservice get-compliance-details-by-config-rule \
      --config-rule-name "$CONFIG_RULE_NAME" \
      --compliance-types NON_COMPLIANT \
      --next-token "$NEXT_TOKEN")"
  else
    RESP="$(aws configservice get-compliance-details-by-config-rule \
      --config-rule-name "$CONFIG_RULE_NAME" \
      --compliance-types NON_COMPLIANT)"
  fi

  mapfile -t IDS < <(echo "$RESP" | jq -r \
    '.EvaluationResults[].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId')

  [[ "${#IDS[@]}" -gt 0 ]] && SNAPSHOT_IDS+=("${IDS[@]}")

  NEXT_TOKEN="$(echo "$RESP" | jq -r '.NextToken // empty')"
  [[ -z "$NEXT_TOKEN" ]] && break
done

TOTAL="${#SNAPSHOT_IDS[@]}"
if [[ "$TOTAL" -eq 0 ]]; then
  echo "‚úÖ No non-compliant snapshots to tag."
  exit 0
fi

echo "‚ùå Found $TOTAL non-compliant snapshots to inspect for missing tags"
echo

# ---- 2) Determine which tags are missing WITHOUT overwriting existing values ----
ENV_MISSING=()
CC_MISSING=()
BOTH_MISSING=()

for ((i=0; i<TOTAL; i+=DESCRIBE_BATCH_SIZE)); do
  BATCH=("${SNAPSHOT_IDS[@]:i:DESCRIBE_BATCH_SIZE}")

  DESCRIBE="$(aws ec2 describe-snapshots --snapshot-ids "${BATCH[@]}")"

  # Output: "<snapshotId>\t<envMissing>\t<ccMissing>"
  # envMissing/ccMissing are 1 when missing, 0 when present
  while IFS=$'\t' read -r sid env_missing cc_missing; do
    if [[ "$env_missing" == "1" && "$cc_missing" == "1" ]]; then
      BOTH_MISSING+=("$sid")
    elif [[ "$env_missing" == "1" ]]; then
      ENV_MISSING+=("$sid")
    elif [[ "$cc_missing" == "1" ]]; then
      CC_MISSING+=("$sid")
    fi
  done < <(echo "$DESCRIBE" | jq -r '
    .Snapshots[]
    | ( (.Tags // []) | map(.Key) ) as $keys
    | [
        .SnapshotId,
        (if ($keys | index("Environment")) == null then "1" else "0" end),
        (if ($keys | index("CostCenter")) == null then "1" else "0" end)
      ]
    | @tsv
  ')
done

echo "üîé Missing-tag breakdown:"
echo "   Missing BOTH (Environment + CostCenter): ${#BOTH_MISSING[@]}"
echo "   Missing Environment only:               ${#ENV_MISSING[@]}"
echo "   Missing CostCenter only:                ${#CC_MISSING[@]}"
echo

# ---- 3) Tag in batches, ONLY where that key is missing ----
SUCCESS=0
FAILED=0

tag_batch() {
  local tag_args=("$@")     # e.g., "Key=Environment,Value=needs-review"
  local -n ids_ref=$IDS     # name-ref to array passed via global var IDS

  local count="${#ids_ref[@]}"
  [[ "$count" -eq 0 ]] && return 0

  for ((j=0; j<count; j+=TAG_BATCH_SIZE)); do
    local batch_ids=("${ids_ref[@]:j:TAG_BATCH_SIZE}")

    if aws ec2 create-tags \
      --resources "${batch_ids[@]}" \
      --tags "${tag_args[@]}" \
      >/dev/null; then
      SUCCESS=$((SUCCESS + ${#batch_ids[@]}))
    else
      FAILED=$((FAILED + ${#batch_ids[@]}))
    fi
  done
}

# Tag BOTH missing
if [[ "${#BOTH_MISSING[@]}" -gt 0 ]]; then
  echo "üè∑Ô∏è  Tagging snapshots missing BOTH required tags..."
  IDS=BOTH_MISSING
  tag_batch "Key=Environment,Value=${DEFAULT_ENV}" "Key=CostCenter,Value=${DEFAULT_COSTCENTER}"
fi

# Tag Environment missing only
if [[ "${#ENV_MISSING[@]}" -gt 0 ]]; then
  echo "üè∑Ô∏è  Tagging snapshots missing Environment..."
  IDS=ENV_MISSING
  tag_batch "Key=Environment,Value=${DEFAULT_ENV}"
fi

# Tag CostCenter missing only
if [[ "${#CC_MISSING[@]}" -gt 0 ]]; then
  echo "üè∑Ô∏è  Tagging snapshots missing CostCenter..."
  IDS=CC_MISSING
  tag_batch "Key=CostCenter,Value=${DEFAULT_COSTCENTER}"
fi

echo
echo "üìä Tagging Complete (missing-only; no overwrites):"
echo "   Success: $SUCCESS"
echo "   Failed:  $FAILED"
echo
echo "‚úÖ Next: re-trigger rule evaluation and re-check non-compliance."


### 8. Verify Compliance

Re-run the evaluation and check that everything is now compliant.

In [None]:
%%bash
set -euo pipefail

CONFIG_RULE_NAME="ebs-snapshot-required-tags"

# ---- Hybrid polling knobs ----
EXPECTED_NON_COMPLIANT=0     # stop immediately when we hit this
MAX_WAIT_SECONDS=300         # hard timeout (5 min)
POLL_SECONDS=15              # poll interval
STABLE_POLLS=3               # also stop if count is unchanged this many polls in a row

# Exit codes:
#   0  = reached EXPECTED_NON_COMPLIANT (success)
#   2  = stabilized but not at expected (needs attention)
#   3  = timed out (likely lag/throttle or stuck)
#   4  = required dependency missing
#   5  = AWS CLI error retrieving status
SUCCESS_EXIT=0
STABLE_EXIT=2
TIMEOUT_EXIT=3
DEP_EXIT=4
AWSERR_EXIT=5

command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit "$DEP_EXIT"; }

log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"; }

log "üöÄ Triggering re-evaluation for Config rule: $CONFIG_RULE_NAME"
aws configservice start-config-rules-evaluation \
  --config-rule-names "$CONFIG_RULE_NAME" \
  >/dev/null

log "‚è≥ Polling compliance summary (max ${MAX_WAIT_SECONDS}s, every ${POLL_SECONDS}s)"
log "    Stop conditions:"
log "      - SUCCESS: NON_COMPLIANT == ${EXPECTED_NON_COMPLIANT}"
log "      - STABLE:  NON_COMPLIANT unchanged for ${STABLE_POLLS} polls"
log "      - TIMEOUT: exceeded ${MAX_WAIT_SECONDS}s"
echo

start_ts="$(date +%s)"
last_nc=""
stable=0
poll_num=0
final_reason=""

while :; do
  poll_num=$((poll_num + 1))

  # Fetch compliance summary (counts) ‚Äî if this fails, treat as AWS error
  if ! SUMMARY="$(aws configservice describe-compliance-by-config-rule \
      --config-rule-names "$CONFIG_RULE_NAME" 2>/dev/null)"; then
    log "‚ùå Error calling describe-compliance-by-config-rule"
    exit "$AWSERR_EXIT"
  fi

  # Extract NON_COMPLIANT count (default to 0 if missing)
  nc="$(echo "$SUMMARY" | jq -r '
    (.ComplianceByConfigRules[0].Compliance.NonCompliantResourceCount.CappedCount // 0)
  ')"

  # Extra visibility (optional): compliant count
  c="$(echo "$SUMMARY" | jq -r '
    (.ComplianceByConfigRules[0].Compliance.CompliantResourceCount.CappedCount // 0)
  ' 2>/dev/null || echo "0")"

  now="$(date +%s)"
  elapsed=$((now - start_ts))

  # Log the poll
  log "Poll #${poll_num}: NON_COMPLIANT=${nc}, COMPLIANT=${c}, elapsed=${elapsed}s"

  # Condition 1: expected outcome reached
  if [[ "$nc" -eq "$EXPECTED_NON_COMPLIANT" ]]; then
    final_reason="SUCCESS"
    break
  fi

  # Condition 2: stabilization (unchanged count for STABLE_POLLS polls)
  if [[ "$nc" == "$last_nc" ]]; then
    stable=$((stable + 1))
  else
    stable=0
  fi
  last_nc="$nc"

  if [[ "$stable" -ge "$STABLE_POLLS" ]]; then
    final_reason="STABLE"
    break
  fi

  # Condition 3: timeout
  if [[ "$elapsed" -ge "$MAX_WAIT_SECONDS" ]]; then
    final_reason="TIMEOUT"
    break
  fi

  sleep "$POLL_SECONDS"
done

echo
log "üßæ Final: NON_COMPLIANT=${last_nc} (reason=${final_reason})"

if [[ "$final_reason" == "SUCCESS" ]]; then
  log "üéâ All EBS snapshots are now compliant!"
  exit "$SUCCESS_EXIT"
fi

if [[ "$final_reason" == "STABLE" ]]; then
  log "‚ö†Ô∏è  Compliance count stabilized but did not reach ${EXPECTED_NON_COMPLIANT}."
  log "    Still ${last_nc} non-compliant snapshots remaining."
  log "    (This usually means: remaining resources truly non-compliant OR evaluation still catching up.)"
  exit "$STABLE_EXIT"
fi

# TIMEOUT
log "‚è±Ô∏è Timed out waiting for expected compliance state."
log "   Still ${last_nc} non-compliant snapshots remaining."
log "   Consider: increase MAX_WAIT_SECONDS, check Config service limits, or re-run evaluation."
exit "$TIMEOUT_EXIT"


### 9. Enforce with SCP

Once you're compliant, lock it down so nobody creates untagged snapshots again.

> ‚ö†Ô∏è Important: SCPs can only be created from the management account
You must run this step from your AWS Organizations management account. Member accounts cannot create or attach SCPs.


### 9.1 Verify You're in the Management Account

In [None]:
%%bash
set -euo pipefail

# Exit codes:
#  0 = you ARE in the management account
#  1 = you are NOT in the management account
#  2 = AWS Organizations not in use / not enabled
#  3 = other AWS CLI error

ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"

echo "üîé Checking AWS Organizations / management account status..."
echo "   Current Account: $ACCOUNT_ID"
echo

# If Organizations isn't enabled, this will fail.
if ! ORG_ID="$(aws organizations describe-organization --query 'Organization.Id' --output text 2>/dev/null)"; then
  echo "‚ùå AWS Organizations is not enabled for this account (or you lack permissions)."
  # Try to distinguish "not in use" from generic errors (best effort)
  if aws organizations describe-organization 2>&1 | grep -q 'AWSOrganizationsNotInUseException'; then
    exit 2
  fi
  exit 3
fi

MGMT_ACCOUNT_ID="$(aws organizations describe-organization --query 'Organization.MasterAccountId' --output text)"

echo "üìã Organization Info:"
echo "   Org ID:               $ORG_ID"
echo "   Management Account:   $MGMT_ACCOUNT_ID"
echo "   Current Account:      $ACCOUNT_ID"
echo

if [[ "$ACCOUNT_ID"_]()]()


### 9.2 List Organizational Units (OUs)

Before attaching the SCP, you need to know which OUs exist.


In [None]:
%%bash
set -euo pipefail

# Lists the OU tree under the Org Root (like your recursive Python)
# Requires: awscli + jq
command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit 1; }

# Get the root id
ROOT_ID="$(aws organizations list-roots --query 'Roots[0].Id' --output text)"

echo "üìÇ Organization Structure:"
echo
echo "Root: $ROOT_ID"
echo

# Recursive function: print OUs under a parent with indentation
print_children () {
  local parent_id="$1"
  local level="$2"

  local next_token=""
  while :; do
    local resp
    if [[ -n "$next_token" ]]; then
      resp="$(aws organizations list-organizational-units-for-parent \
        --parent-id "$parent_id" \
        --next-token "$next_token")"
    else
      resp="$(aws organizations list-organizational-units-for-parent \
        --parent-id "$parent_id")"
    fi

    # For each OU: print, then recurse
    echo "$resp" | jq -r '
      .OrganizationalUnits[]
      | [.Id, .Name] | @tsv
    ' | while IFS=$'\t' read -r ou_id ou_name; do
        indent=""
        for ((i=0; i<level; i++)); do indent+="  "; done
        echo "${indent}‚îú‚îÄ‚îÄ ${ou_name} (${ou_id})"
        print_children "$ou_id" $((level + 1))
      done

    next_token="$(echo "$resp" | jq -r '.NextToken // empty')"
    [[ -z "$next_token" ]] && break
  done
}

# Start recursion at root, level=1
print_children "$ROOT_ID" 1

### 9.3 The SCP Policy

Save this SCP as a variable

In [None]:
%%bash
set -euo pipefail

# ---- Define SCP policy as a shell variable (JSON) ----
read -r -d '' SCP_POLICY << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireTagsOnEBSSnapshots",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true",
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "RequireValidEnvironmentValues",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/Environment": [
            "dev",
            "Dev",
            "development",
            "Development",
            "staging",
            "Staging",
            "prod",
            "Prod",
            "production",
            "Production"
          ]
        }
      }
    }
  ]
}
EOF

echo "üìã SCP Policy to Apply:"
echo

# Pretty-print if jq exists, otherwise raw JSON
if command -v jq >/dev/null; then
  echo "$SCP_POLICY" | jq .
else
  echo "$SCP_POLICY"
fi

### 10. Create the SCP Policy


In [None]:
%%bash
set -euo pipefail

# Requires: awscli + jq
command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit 1; }

POLICY_NAME="RequireEBSSnapshotTags"
POLICY_DESC="Require Environment and CostCenter tags on EBS snapshots"

# ---- Define SCP policy content (JSON) ----
read -r -d '' SCP_POLICY << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireTagsOnEBSSnapshots",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true",
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "RequireValidEnvironmentValues",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/Environment": [
            "dev",
            "Dev",
            "development",
            "Development",
            "staging",
            "Staging",
            "prod",
            "Prod",
            "production",
            "Production"
          ]
        }
      }
    }
  ]
}
EOF

# ---- Verify management account (SCPs require org management account) ----
ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"

# Best-effort: detect if Organizations is enabled + get management account id
if ! MGMT_ACCOUNT_ID="$(aws organizations describe-organization --query 'Organization.MasterAccountId' --output text 2>/dev/null)"; then
  echo "‚ùå AWS Organizations is not enabled for this account (or you lack permissions)."
  exit 2
fi

echo "üìã Org:"
echo "   Management Account: $MGMT_ACCOUNT_ID"
echo "   Current Account:    $ACCOUNT_ID"
echo

if [[ "$ACCOUNT_ID" != "$MGMT_ACCOUNT_ID" ]]; then
  echo "‚ùå Cannot create SCP - not in the management account."
  echo "   Switch to account $MGMT_ACCOUNT_ID and re-run."
  exit 1
fi

# ---- Check if SCP already exists (by name) ----
echo "üîé Checking if SCP '$POLICY_NAME' already exists..."

EXISTING_ID="$(aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY \
  --query "Policies[?Name=='${POLICY_NAME}'].Id | [0]" \
  --output text)"

if [[ -n "$EXISTING_ID" && "$EXISTING_ID" != "None" ]]; then
  echo "‚ö†Ô∏è  SCP '$POLICY_NAME' already exists with ID: $EXISTING_ID"
  echo "$EXISTING_ID"
  exit 0
fi

# ---- Create the SCP ----
echo "‚ûï Creating SCP '$POLICY_NAME'..."

CREATE_OUT="$(aws organizations create-policy \
  --name "$POLICY_NAME" \
  --description "$POLICY_DESC" \
  --type SERVICE_CONTROL_POLICY \
  --content "$SCP_POLICY")"

POLICY_ID="$(echo "$CREATE_OUT" | jq -r '.Policy.PolicySummary.Id')"

echo "‚úÖ SCP created with ID: $POLICY_ID"
echo "$POLICY_ID"


### 10. Attach the SCPs to OUs

Creating the SCP doesn't enforce it‚Äîyou must attach it to OUs or accounts. see the üõë USER ACTION REQUIRED section below


In [None]:
%%bash
set -euo pipefail

###############################################################################
# üõë USER ACTION REQUIRED (READ THIS FIRST)
#
# You MUST choose where to attach the SCP before running this cell.
#
# OPTION 1 (Recommended): Attach to specific OUs
#   1. Replace the example OU IDs below with REAL OU IDs from Step 9.2
#   2. Leave ATTACH_TO_ALL_OUS and ATTACH_TO_ROOT set to "false"
#
#   Example:
#     TARGET_OU_IDS=(ou-abcd-12345678 ou-efgh-87654321)
#
# OPTION 2 (Broad): Attach to ALL OUs (excluding root)
#   - Set ATTACH_TO_ALL_OUS="true"
#
# OPTION 3 (VERY DANGEROUS): Attach to ROOT (entire organization)
#   - Set ATTACH_TO_ROOT="true"
#
# ‚ö†Ô∏è Only ONE option should be used at a time.
###############################################################################

# =======================
# ‚úèÔ∏è EDIT THIS SECTION
# =======================

# OPTION 1: Specific OUs (space-separated)
TARGET_OU_IDS=(
  # ou-xxxx-aaaaaaaa
  # ou-yyyy-bbbbbbbb
)

# OPTION 2: All OUs
ATTACH_TO_ALL_OUS="false"

# OPTION 3: Root (VERY dangerous)
ATTACH_TO_ROOT="false"

###############################################################################

command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit 1; }

POLICY_NAME="RequireEBSSnapshotTags"

# ---- Verify management account ----
ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
MGMT_ACCOUNT_ID="$(aws organizations describe-organization --query 'Organization.MasterAccountId' --output text)"

if [[ "$ACCOUNT_ID" != "$MGMT_ACCOUNT_ID" ]]; then
  echo "‚ùå Must run from the AWS Organizations management account."
  echo "   Management: $MGMT_ACCOUNT_ID"
  echo "   Current:    $ACCOUNT_ID"
  exit 1
fi

# ---- Resolve SCP ID ----
POLICY_ID="$(aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY \
  --query "Policies[?Name=='${POLICY_NAME}'].Id | [0]" \
  --output text)"

if [[ -z "$POLICY_ID" || "$POLICY_ID" == "None" ]]; then
  echo "‚ùå Could not find SCP named '$POLICY_NAME'. Create it first."
  exit 2
fi

echo "üîê SCP:"
echo "   Name: $POLICY_NAME"
echo "   ID:   $POLICY_ID"
echo

# ---- Helper: attach policy safely ----
attach_policy () {
  local target_id="$1"
  local label="${2:-$target_id}"

  if aws organizations list-policies-for-target \
      --target-id "$target_id" \
      --filter SERVICE_CONTROL_POLICY \
      --query "Policies[?Id=='${POLICY_ID}'] | length(@)" \
      --output text | grep -qE '^[1-9]'; then
    echo "‚ö†Ô∏è  Already attached: $label ($target_id)"
    return 0
  fi

  aws organizations attach-policy \
    --policy-id "$POLICY_ID" \
    --target-id "$target_id" >/dev/null

  echo "‚úÖ Attached: $label ($target_id)"
}

# ---- Root ID ----
ROOT_ID="$(aws organizations list-roots --query 'Roots[0].Id' --output text)"

# ---- Build targets ----
TARGETS=()

if [[ "$ATTACH_TO_ROOT" == "true" ]]; then
  TARGETS+=("$ROOT_ID")
fi

if [[ "$ATTACH_TO_ALL_OUS" == "true" ]]; then
  collect_ous () {
    local parent="$1"
    local next_token=""

    while :; do
      local resp
      if [[ -n "$next_token" ]]; then
        resp="$(aws organizations list-organizational-units-for-parent \
          --parent-id "$parent" --next-token "$next_token")"
      else
        resp="$(aws organizations list-organizational-units-for-parent \
          --parent-id "$parent")"
      fi

      while IFS=$'\t' read -r ou_id ou_name; do
        TARGETS+=("$ou_id")
        collect_ous "$ou_id"
      done < <(echo "$resp" | jq -r '.OrganizationalUnits[] | [.Id,.Name] | @tsv')

      next_token="$(echo "$resp" | jq -r '.NextToken // empty')"
      [[ -z "$next_token" ]] && break
    done
  }

  collect_ous "$ROOT_ID"
fi

# Add explicit OU IDs
if [[ "${#TARGET_OU_IDS[@]}" -gt 0 ]]; then
  TARGETS+=("${TARGET_OU_IDS[@]}")
fi

# De-duplicate
TARGETS=($(printf "%s\n" "${TARGETS[@]}" | awk '!seen[$0]++'))

# ---- Safety check ----
if [[ "${#TARGETS[@]}" -eq 0 ]]; then
  echo "‚ùå No targets selected."
  echo "   Edit the section labeled '‚úèÔ∏è EDIT THIS SECTION' and try again."
  exit 3
fi

echo "üéØ Targets selected:"
printf ' - %s\n' "${TARGETS[@]}"
echo

# ---- Attach SCP ----
for tid in "${TARGETS[@]}"; do
  label="$tid"
  [[ "$tid" == "$ROOT_ID" ]] && label="Root"
  attach_policy "$tid" "$label"
done

echo
echo "‚úÖ SCP attachment complete."


### 10.1 Verify SCP Attachments

In [None]:
%%bash
set -euo pipefail

command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit 1; }

# ---- INPUT: SCP name (used to resolve policy ID) ----
POLICY_NAME="RequireEBSSnapshotTags"

# ---- Resolve SCP ID ----
POLICY_ID="$(aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY \
  --query "Policies[?Name=='${POLICY_NAME}'].Id | [0]" \
  --output text)"

if [[ -z "$POLICY_ID" || "$POLICY_ID" == "None" ]]; then
  echo "‚ùå Could not find SCP named '$POLICY_NAME'."
  exit 1
fi

echo "üîê SCP:"
echo "   Name: $POLICY_NAME"
echo "   ID:   $POLICY_ID"
echo

# ---- List targets where SCP is attached ----
TARGETS_JSON="$(aws organizations list-targets-for-policy \
  --policy-id "$POLICY_ID")"

COUNT="$(echo "$TARGETS_JSON" | jq '.Targets | length')"

echo "üìé SCP is attached to:"

if [[ "$COUNT" -eq 0 ]]; then
  echo "   ‚ö†Ô∏è  Not attached anywhere yet ‚Äî SCP is NOT enforced!"
  exit 0
fi

echo "$TARGETS_JSON" | jq -r '
  .Targets[]
  | "   - \(.Name) (\(.TargetId)) - \(.Type)"
'


### Full Lab Cleanup (All-in-One)
If you want to clean up everything created during this lab in one go:

In [None]:
%%bash
set -euo pipefail
command -v jq >/dev/null || { echo "‚ùå jq is required but not installed."; exit 1; }

###############################################################################
# üßπ RUNBOOK CLEANUP ‚Äî STRICT MODE
#
# Deletes ONLY resources created by THIS runbook.
#
# STRICT GUARANTEE:
#   - Snapshots MUST have BOTH tags:
#       Purpose=lab-testing
#       CreatedBy=compliance-lab
#   - No description matching
#   - No name heuristics
#
# Safety:
#   - DRY RUN by default
#   - Set DO_CLEANUP="true" to actually delete
###############################################################################

DO_CLEANUP="false"   # <-- CHANGE TO "true" to execute deletions

# ---- Runbook identifiers (authoritative) ----
CONFIG_RULE_NAME="ebs-snapshot-required-tags"
CONFIG_ROLE_NAME="AWSConfigRole"
SCP_POLICY_NAME="RequireEBSSnapshotTags"

LAB_TAG_PURPOSE_KEY="Purpose"
LAB_TAG_PURPOSE_VAL="lab-testing"
LAB_TAG_CREATOR_KEY="CreatedBy"
LAB_TAG_CREATOR_VAL="compliance-lab"

ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
REGION="$(aws configure get region)"
if [[ -z "$REGION" || "$REGION" == "None" ]]; then
  REGION="$(aws ec2 describe-availability-zones --query 'AvailabilityZones[0].RegionName' --output text)"
fi
CONFIG_BUCKET_NAME="aws-config-bucket-${ACCOUNT_ID}-${REGION}"

log(){ echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"; }

if [[ "$DO_CLEANUP" != "true" ]]; then
  log "üß™ DRY RUN mode ‚Äî nothing will be deleted."
else
  log "üß® EXECUTION mode ‚Äî deletions WILL occur."
fi

echo
log "üîé Discovering STRICT runbook-created resources..."
echo

###############################################################################
# 1Ô∏è‚É£ Discover lab snapshots (STRICT: tag-based only)
###############################################################################

SNAPSHOT_IDS=()
RESP="$(aws ec2 describe-snapshots \
  --owner-ids self \
  --filters \
    "Name=tag:${LAB_TAG_PURPOSE_KEY},Values=${LAB_TAG_PURPOSE_VAL}" \
    "Name=tag:${LAB_TAG_CREATOR_KEY},Values=${LAB_TAG_CREATOR_VAL}")"

mapfile -t SNAPSHOT_IDS < <(echo "$RESP" | jq -r '.Snapshots[].SnapshotId')

log "üì∏ Lab snapshots found (strict tag match): ${#SNAPSHOT_IDS[@]}"
if [[ "${#SNAPSHOT_IDS[@]}" -gt 0 ]]; then
  printf ' - %s\n' "${SNAPSHOT_IDS[@]}"
fi
echo

###############################################################################
# 2Ô∏è‚É£ SCP discovery (by exact name only)
###############################################################################
ORG_ENABLED="false"
SCP_ID=""
MGMT_ACCOUNT_ID=""

if aws organizations describe-organization >/dev/null 2>&1; then
  ORG_ENABLED="true"
  MGMT_ACCOUNT_ID="$(aws organizations describe-organization --query 'Organization.MasterAccountId' --output text)"

  SCP_ID="$(aws organizations list-policies \
    --filter SERVICE_CONTROL_POLICY \
    --query "Policies[?Name=='${SCP_POLICY_NAME}'].Id | [0]" \
    --output text)"
  [[ "$SCP_ID" == "None" ]] && SCP_ID=""
fi

log "üèõÔ∏è  Organizations enabled: $ORG_ENABLED"
if [[ -n "$SCP_ID" ]]; then
  log "üßæ SCP found: $SCP_POLICY_NAME ($SCP_ID)"
else
  log "üßæ SCP not found by name (safe)"
fi
echo

###############################################################################
# 3Ô∏è‚É£ Config & IAM existence checks (name-based, strict)
###############################################################################
RULE_EXISTS="false"
aws configservice describe-config-rules \
  --config-rule-names "$CONFIG_RULE_NAME" >/dev/null 2>&1 && RULE_EXISTS="true"

REC_EXISTS="$(aws configservice describe-configuration-recorders \
  --query "length(ConfigurationRecorders[?name=='default'])" --output text 2>/dev/null || echo "0")"
CH_EXISTS="$(aws configservice describe-delivery-channels \
  --query "length(DeliveryChannels[?name=='default'])" --output text 2>/dev/null || echo "0")"

BUCKET_EXISTS="false"
aws s3api head-bucket --bucket "$CONFIG_BUCKET_NAME" >/dev/null 2>&1 && BUCKET_EXISTS="true"

ROLE_EXISTS="false"
aws iam get-role --role-name "$CONFIG_ROLE_NAME" >/dev/null 2>&1 && ROLE_EXISTS="true"

log "üìè Config rule exists: $RULE_EXISTS"
log "üìº Recorder exists: $([[ "$REC_EXISTS" != "0" ]] && echo true || echo false)"
log "üì¶ Delivery channel exists: $([[ "$CH_EXISTS" != "0" ]] && echo true || echo false)"
log "ü™£ Config bucket exists: $BUCKET_EXISTS"
log "üë§ IAM role exists: $ROLE_EXISTS"
echo

###############################################################################
# STOP HERE if DRY RUN
###############################################################################
if [[ "$DO_CLEANUP" != "true" ]]; then
  log "‚úÖ DRY RUN complete. Nothing deleted."
  log "   Set DO_CLEANUP=\"true\" to execute."
  exit 0
fi

###############################################################################
# EXECUTION (STRICT ORDER)
###############################################################################

# 1Ô∏è‚É£ Delete lab snapshots (STRICT TAG MATCH ONLY)
if [[ "${#SNAPSHOT_IDS[@]}" -gt 0 ]]; then
  log "1Ô∏è‚É£ Deleting lab snapshots..."
  for sid in "${SNAPSHOT_IDS[@]}"; do
    aws ec2 delete-snapshot --snapshot-id "$sid" \
      && log "   ‚úÖ Deleted $sid" \
      || log "   ‚ùå Failed to delete $sid"
  done
else
  log "1Ô∏è‚É£ No lab snapshots to delete."
fi
echo

# 2Ô∏è‚É£ Detach + delete SCP (only if mgmt account)
if [[ "$ORG_ENABLED" == "true" && -n "$SCP_ID" && "$ACCOUNT_ID" == "$MGMT_ACCOUNT_ID" ]]; then
  log "2Ô∏è‚É£ Detaching SCP from all targets..."
  for tid in $(aws organizations list-targets-for-policy \
      --policy-id "$SCP_ID" \
      --query 'Targets[].TargetId' --output text); do
    aws organizations detach-policy --policy-id "$SCP_ID" --target-id "$tid" \
      && log "   ‚úÖ Detached from $tid"
  done
  aws organizations delete-policy --policy-id "$SCP_ID" \
    && log "   ‚úÖ Deleted SCP"
else
  log "2Ô∏è‚É£ SCP cleanup skipped (not found or not management account)."
fi
echo

# 3Ô∏è‚É£ Delete Config rule
[[ "$RULE_EXISTS" == "true" ]] \
  && aws configservice delete-config-rule --config-rule-name "$CONFIG_RULE_NAME" \
  && log "3Ô∏è‚É£ Deleted Config rule" \
  || log "3Ô∏è‚É£ No Config rule to delete"
echo

# 4Ô∏è‚É£ Recorder / channel
aws configservice stop-configuration-recorder --configuration-recorder-name default >/dev/null 2>&1 || true
aws configservice delete-delivery-channel --delivery-channel-name default >/dev/null 2>&1 || true
aws configservice delete-configuration-recorder --configuration-recorder-name default >/dev/null 2>&1 || true
log "4Ô∏è‚É£ Recorder/channel cleanup attempted"
echo

# 5Ô∏è‚É£ S3 bucket
if [[ "$BUCKET_EXISTS" == "true" ]]; then
  aws s3 rm "s3://${CONFIG_BUCKET_NAME}" --recursive >/dev/null 2>&1 || true
  aws s3api delete-bucket --bucket "$CONFIG_BUCKET_NAME" \
    && log "5Ô∏è‚É£ Deleted Config bucket"
else
  log "5Ô∏è‚É£ No Config bucket to delete"
fi
echo

# 6Ô∏è‚É£ IAM role
if [[ "$ROLE_EXISTS" == "true" ]]; then
  for arn in $(aws iam list-attached-role-policies \
      --role-name "$CONFIG_ROLE_NAME" \
      --query 'AttachedPolicies[].PolicyArn' --output text); do
    aws iam detach-role-policy --role-name "$CONFIG_ROLE_NAME" --policy-arn "$arn"
  done
  aws iam delete-role --role-name "$CONFIG_ROLE_NAME" \
    && log "6Ô∏è‚É£ Deleted IAM role"
else
  log "6Ô∏è‚É£ No IAM role to delete"
fi

echo
log "‚úÖ STRICT RUNBOOK CLEANUP COMPLETE"


### 11 Done!

---

## Summary of What This Runbook Does

### Problem ‚Üí Solution

| Problem | Solution |
|---------|----------|
| Snapshots without tags | AWS Config rule finds them |
| Can't track costs | Required `CostCenter` tag |
| Unknown environments | Required `Environment` tag with validated values |
| People keep creating untagged snapshots | SCP blocks creation without tags |

### What Gets Created

| Resource | Name |
|----------|------|
| IAM Role | `AWSConfigRole` |
| S3 Bucket | `aws-config-bucket-{account}-{region}` |
| Config Recorder | `default` |
| Config Rule | `ebs-snapshot-required-tags` |
| SCP | `RequireEBSSnapshotTags` |

### Services Used

AWS Config ‚Üí S3 ‚Üí IAM ‚Üí CloudTrail ‚Üí Organizations (SCPs)

### Full Cleanup Included

Everything created can be deleted 