Prompt Title: CloudFormation Propagates Tags.

Yes, CloudFormation propagates tags to resources created by the CloudFormation stack. When you apply tags to a CloudFormation stack, those tags are automatically applied to the resources created by that stack.

This can be useful for managing resources and keeping track of costs. For example, you could use tags to identify resources that are part of a particular project or that are used by a particular team within your organization.

To apply tags to a CloudFormation stack, you can use the Tags property in the CloudFormation template. For example, here's a snippet of a CloudFormation template that applies tags to an EC2 instance:

yamlCopy code
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c55b159cbfafe1f0
      InstanceType: t2.micro
      Tags:
        - Key: Environment
          Value: Production
        - Key: Project
          Value: MyProject

In this example, the Tags property specifies two tags to apply to the EC2 instance: Environment: Production and Project: MyProject. These tags will be applied to the EC2 instance created by the CloudFormation stack.

CloudFormation propagates tags to most resources created by the CloudFormation stack. However, there are a few exceptions where CloudFormation does not propagate tags:

1. Resources that do not support tagging: Some AWS resources do not support tagging. For example, AWS CloudFront distributions do not support tags. In such cases, even if you specify tags in the CloudFormation template, CloudFormation will not propagate those tags to the resource.

2. Resources that support limited tags: Some AWS resources support a limited number of tags. For example, Amazon S3 buckets support up to 10 tags per bucket. If you specify more than the allowed number of tags for a resource in your CloudFormation template, CloudFormation will not propagate those additional tags to the resource.

3. Resources that are not created by the CloudFormation stack: If you create resources outside of the CloudFormation stack, those resources will not be tagged by CloudFormation. Similarly, if you modify a resource that was created outside of the CloudFormation stack, CloudFormation will not propagate tags to the modified resource.

It's important to keep in mind that CloudFormation propagates tags only to the resources created by the CloudFormation stack. If you have other resources that you want to tag, you'll need to

CloudFormation propagates stack-level tags to most resources created by the CloudFormation stack. However, there are a few exceptions where CloudFormation does not propagate stack-level tags:

1. Resources that support resource-level tags only: Some AWS resources support resource-level tags only, which means that CloudFormation cannot propagate stack-level tags to these resources. For example, AWS Lambda functions support only resource-level tags.

2. Resources that have their own tagging mechanism: Some AWS resources have their own tagging mechanism that is separate from the AWS resource tagging mechanism. For example, Amazon RDS instances have their own tagging mechanism that is separate from the AWS resource tagging mechanism. In such cases, you can use AWS CloudFormation to tag the AWS resources that support the AWS resource tagging mechanism, but you'll need to use the native tagging mechanism for the resources that have their own tagging mechanism.

3. Resources that are created by CloudFormation but don't support tags: As I mentioned in my previous answer, some AWS resources do not support tagging. In such cases, even if you specify stack-level tags in the CloudFormation template, CloudFormation will not propagate those tags to the resource.

It's important to note that CloudFormation propagates stack-level tags only to the resources created by the CloudFormation stack. If you have other resources that you want to tag, you'll need to tag those resources separately.

Most AWS resources support stack-level tags and CloudFormation propagates these tags to the resources created by the CloudFormation stack. However, there are a few AWS resources that do not support stack-level tags:

1. AWS CloudFormation stacks: CloudFormation stacks do not support stack-level tags. This means that you cannot apply tags to a CloudFormation stack itself.

2. AWS CloudFormation change sets: Similarly, CloudFormation change sets do not support stack-level tags.

3. AWS Identity and Access Management (IAM) roles for CloudFormation: IAM roles for CloudFormation do not support stack-level tags. However, you can apply tags to the IAM roles themselves.

4. AWS CloudFormation WaitCondition resources: WaitCondition resources do not support stack-level tags.

5. AWS CloudFormation WaitConditionHandle resources: WaitConditionHandle resources do not support stack-level tags.

6. AWS CloudFormation Custom Resources: Custom Resources do not support stack-level tags.

It's worth noting that even though stack-level tags are not supported for these resources, you can still apply tags to these resources individually using their own tagging mechanisms. For example, you can apply tags to an IAM role using the IAM tagging mechanism.

Yes, when you use CloudFormation to create or update resources, CloudTrail logs the API calls made by CloudFormation on your behalf, including any stack-level tags that you have specified. This means that you can use CloudTrail to monitor and audit the use of stack-level tags in your CloudFormation stacks.

When CloudFormation makes API calls to create or update resources, it includes the stack ID in the request. CloudTrail logs this stack ID along with the API call details. If you have specified stack-level tags in your CloudFormation template, CloudTrail will log these tags along with the API calls made by CloudFormation.

To view CloudTrail logs for CloudFormation API calls, you can use the CloudTrail console or the AWS CLI. In the CloudTrail console, you can filter the logs by service (CloudFormation) and by event name (CreateStack, UpdateStack, etc.). The CloudTrail logs will show you the API calls made by CloudFormation, including any stack-level tags that were specified.

It's worth noting that CloudTrail logs are stored in Amazon S3 buckets and can be encrypted using Amazon S3 server-side encryption or AWS Key Management Service (KMS). You can also use CloudTrail to send logs to CloudWatch Logs for real-time monitoring and alerting.