4 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Michael, about 1 month ago
Has anyone gone down the road of offering an image factory of AWS AMIs? I'm currently building out Packer automation to provide hardened images to my organization, but curious if anyone has run into problems at scale with the approach.
Michael, 19 days ago
Wanted to provide a follow-up after we discussed creating an ImageFactory for AWS AMIs. Ended up combining a mixture of Packer and Terratest to build, scan, and then share the AMIs out to other accounts. Did a little write-up on it if anyone needs the pattern in the future: https://rosesecurity.dev/2026/05/20/building-an-image-factory.html
paulm, 12 days ago
A post turned up on my LinkedIn feed this morning about the tag_policy_compliance provider argument introduced in Terraform AWS provider v6.22.0 (2025-11-20). I knew about tag policies in AWS Organizations (note: this is a different policy type than an SCP) but I'd missed the new Terraform feature.

Once you've defined tag policies, adding tag_policy_compliance = "warning" to your provider configuration produces warnings at plan time. tag_policy_compliance = "error" makes it stick.

Who is using this already?

LinkedIn | AWS blog | AWS sample Terraform code | Terraform AWS provider documentation
Delldock 50, 12 days ago
Can someone guide me on how other teams are handling this? I am doing a cleanup in my org. Initially I thought the cleanup would be straightforward: find AWS resources with no traffic or active usage, validate them, and remove what is no longer needed.
But once I got into it, it was not that simple. Some VPCs had no network traffic for a long time, but still had active resources attached. A few resources did not have proper tags, so figuring out who owned them became difficult. Mainly I am worried that something still depends on them.