Activate or Deactivate AWS Monitors Using AWS Resource Tags
Learn how to activate or deactivate specific Sprinto AWS monitors using resource-level AWS tags for precise and customizable compliance monitoring.
Sprinto allows you to activate or deactivate individual AWS monitors at the resource level using AWS tags. This gives you fine-grained control over which EC2 instances, load balancers, or other AWS resources should be evaluated by Sprinto’s monitoring engine.
This feature is particularly useful when:
A resource is non-production, ephemeral, or excluded from your compliance boundary
You want to suppress a specific monitor for a single resource without disabling it globally
Autoscaling behaviour results in noisy or irrelevant alerts
How the Tagging System Works
Sprinto looks for AWS resource tags in the format:
SPRINTO_<MONITOR_KEY>
These tags accept the following values:
deactivate
Sprinto will exclude the resource from the selected monitor
activate
Sprinto will force include the resource in the monitor
If no tag is applied, Sprinto uses the default evaluation logic.
Tags must be assigned directly on the AWS resource (EC2, Load Balancer, etc.).
Supported Monitor Keys & Tag Reference
Below is the complete list of monitors (provided by engineering) that support tag-based control, along with their descriptions.
EC2 & Compute monitors
EC2_PUBLIC_ACCESS_PROTECTED
AWS EC2 instance should be protected from direct internet traffic.
EC2_SERVER_CPU_MONITORED
AWS EC2 instance CPU utilization should be monitored.
EC2_SERVER_MEMORY_MONITORED
(monitor present in file; memory utilization monitored).
AWS_UNUSED_CREDENTIALS_DISABLED
AWS credentials not used in last 90 days should be disabled.
LIGHTSAIL_INSTANCE_CPU_MONITORED
AWS Lightsail instance CPU utilization should be monitored.
LIGHTSAIL_DISK_ENCRYPTED
AWS Lightsail disk should be encrypted.
LIGHTSAIL_DISK_BACKUP_ENABLED
AWS Lightsail disk backup should be enabled.
ECS_CPU_UTILIZATION_MONITORED
AWS ECS CPU utilization should be monitored.
ECS_MEMORY_UTILIZATION_MONITORED
AWS ECS memory utilization should be monitored.
Load balancers (ELB / ALB / CLB / NLB)
IS_LOAD_BALANCER_VALID
AWS load balancer should have valid configuration.
LOAD_BALANCER_ERRORS_MONITORED
AWS load balancer errors should be monitored.
CLASSIC_LOAD_BALANCER_ERRORS_MONITORED
AWS classic load balancer errors should be monitored.
LOAD_BALANCER_LATENCY_MONITORED
AWS load balancer latency should be monitored.
CLASSIC_LOAD_BALANCER_LATENCY_MONITORED
AWS classic load balancer latency should be monitored.
LOAD_BALANCER_HEALTHY_HOST_COUNT_MONITORED
AWS load balancer healthy host count should be monitored.
LOAD_BALANCER_HOST_HEALTH_MONITORED
AWS load balancer host health should be monitored.
LOAD_BALANCER_HTTP_TO_HTTPS_REDIRECT_MONITORED
AWS load balancer should redirect traffic from http to https.
ELB_PUBLIC_ACCESS_PROTECTED
AWS application load balancer should be protected from direct internet traffic.
Networking & VPC
VPC_FLOW_LOGS_ENABLED
AWS VPC flow logs should be captured.
AWS_ON_HTTPS
AWS should be on https.
AWS_REDIRECTS_HTTP_TO_HTTPS
AWS should redirect http to https.
ELASTICACHE_CURRENT_CONNECTIONS_MONITORED
AWS ElastiCache current connections should be monitored.
ELASTICACHE_CPU_MONITORED
AWS ElastiCache datastore CPU utilization should be monitored.
ELASTICACHE_FREEABLE_MEMORY_MONITORED
AWS ElastiCache freeable memory should be monitored.
LOAD_BALANCER_ACTIVE_CONNECTIONS_MONITORED
(if present) Active connections monitored for load balancers.
S3 & Storage
S3_STORAGE_ENCRYPTED
AWS S3 storage bucket should be encrypted.
S3_PUBLIC_ACCESS_BLOCK_ENABLED
AWS S3 bucket public access should be blocked.
S3_STORAGE_VERSIONING_ENABLED
AWS S3 bucket should be versioned.
AWS_S3_ACCESS_LOGGING_ENABLED
AWS S3 server access logging should be enabled for important buckets.
AWS_ACCESS_LOG_RETENTION_VALID
AWS server access logs should be retained for 90 days.
EFS_STORAGE_ENCRYPTED
AWS EFS storage should be encrypted.
EFS_STORAGE_BACKUP_ENABLED
AWS EFS storage backup should be enabled.
FSX_FS_STORAGE_ENCRYPTED
AWS FSX File System storage should be encrypted.
FSX_FS_STORAGE_BACKUP_ENABLED
AWS FSX File System storage backup should be enabled.
EBS_VOLUME_ENCRYPTED
AWS EBS volume should be encrypted.
EBS_VOLUME_BACKUP_ENABLED
AWS EBS volume backup should be enabled.
EBS_HEALTH_MONITORED
AWS EBS health should be monitored.
Databases (RDS / DynamoDB / Redshift / ElastiSearch/OpenSearch)
RDS_BACKUP_ENABLED
AWS RDS database backup should be enabled.
RDS_CPU_MONITORED
AWS RDS database CPU utilization should be monitored.
RDS_STORAGE_ENCRYPTED
AWS RDS database storage should be encrypted.
RDS_FREE_SPACE_ALERT_SET
AWS RDS database freespace should be monitored.
RDS_FREEABLE_MEMORY_MONITORED
AWS RDS Database freeable memory should be monitored.
RDS_DB_IO_MONITORED
AWS RDS database IO utilization should be monitored.
RDS_PUBLIC_ACCESS_PROTECTED
(present in file) RDS instances should block public access.
DYNAMO_DB_ENCRYPTED
AWS DynamoDB should be encrypted.
DYNAMO_DB_BACKUP_ENABLED
AWS DynamoDB backup should be enabled.
DYNAMO_DB_LATENCY_MONITORED
AWS DynamoDB latency should be monitored.
DYNAMO_DB_READ_CAPACITY_MONITORED
AWS DynamoDB read capacity should be monitored.
DYNAMO_DB_WRITE_CAPACITY_MONITORED
AWS DynamoDB write capacity should be monitored.
REDSHIFT_HEALTH_MONITORED
AWS Redshift health should be monitored.
REDSHIFT_CPU_UTILIZATION_MONITORED
AWS Redshift CPU utilization should be monitored.
REDSHIFT_CLUSTER_ENCRYPTED
AWS Redshift cluster should be encrypted.
REDSHIFT_CLUSTER_BACKUP_ENABLED
AWS Redshift cluster backup should be enabled.
ELASTIC_SEARCH_CLUSTER_STATUS_MONITORED
AWS Elasticsearch cluster health should be monitored.
ELASTIC_SEARCH_CPU_UTILIZATION_MONITORED
AWS Elasticsearch cluster CPU utilization should be monitored.
ELASTIC_SEARCH_FREE_SPACE_MONITORED
AWS Elasticsearch cluster freespace should be monitored.
FSX_FS_FREE_SPACE_MONITORED
AWS FSX File System freespace should be monitored.
Messaging & Queueing (SQS / SNS)
SQS_MESSAGES_VISIBLE_MONITORED
AWS SQS messages visibility should be monitored.
SQS_MESSAGES_AGE_MONITORED
AWS SQS messages age should be monitored.
SNS_TOPIC_MONITORED
(if present) SNS / topic monitoring entries appear in file.
Container & Image (ECR)
ECR_REPOSITORY_ENCRYPTED
AWS ECR repository should be encrypted.
API Gateway & Other infra
API_GATEWAY_ERRORS_MONITORED
AWS API gateway V2 errors should be monitored.
API_GATEWAY_V1_ERRORS_MONITORED
AWS API gateway V1 errors should be monitored.
Security & Audit (CloudTrail, GuardDuty, KMS, IAM, password policy, root)
CLOUD_TRAIL_EXISTS
AWS CloudTrail should be enabled.
CLOUD_TRAIL_LOG_FILE_INTEGRITY_VALIDATION_ENABLED
AWS CloudTrail log file integrity validation should be enabled.
CLOUD_TRAIL_S3_LOGGING_ENABLED
AWS Cloud Trail S3 logging bucket access logging should be enabled.
CLOUD_TRAIL_S3_LOG_PUBLIC_ACCESS_PROTECTED
AWS Cloud Trail logging bucket should be protected from direct internet traffic.
GUARD_DUTY_ENABLED
AWS GuardDuty should be enabled.
KMS_KEYS_ROTATION (e.g., KMS_ENCRYPTION_KEYS_ROTATION)
(rotation/rotation-period monitors exist for KMS in file — e.g., 90-day rotation checks).
S3_PUBLIC_ACCESS_BLOCK_ENABLED
AWS S3 bucket public access should be blocked.
AWS_ROOT_ACCOUNT_MFA_ENABLED
AWS root account should have MFA enabled.
AWS_ROOT_ACCOUNT_UNUSED
AWS root account usage should be avoided / root account usage monitored.
AWS_USER_ACCESS_KEYS_ROTATED
AWS user access keys should not be older than 90 days.
AWS_USERS_IAM_POLICIES_NOT_ATTACHED
AWS users should not have attached IAM policies (i.e., policies should be attached to groups).
AWS_PASSWORD_POLICY_CONFIGURED
AWS account password policy should be configured.
AWS_GROUPS_POLICIES_ATTACHED
AWS groups should have at least one IAM policy.
AWS_ACCESS_LOG_RETENTION_VALID
This check confirms S3 server access logs are retained for at least 90 days.
CLOUD_TRAIL_S3_LOGGING_ENABLED (bucket access logging)
AWS Cloud Trail S3 logging bucket access logging should be enabled.
Misc / Other AWS monitors found in file
FIRE_HOSE_THROTTLE_MONITORED
AWS Firehose stream throttling should be monitored.
ECR_REPOSITORY_ENCRYPTED
This check ensures that the AWS ECR repository has appropriate configurations in place to encrypt data both at rest and in transit.
EBS_HEALTH_MONITORED
This check confirms that Amazon EBS volumes have health monitoring enabled.
INFRA_MONITORED_IN_DATADOG
This check confirms Datadog integration is active for infrastructure monitoring.
How to Apply These Tags in AWS
Steps
Open the AWS Console
Navigate to the resource (EC2 instance, Load Balancer, and so on)
Go to the Tags tab
Click Manage Tags → Add Tag
Enter the Sprinto monitor key in the Tag Key field
Set the value to either:
activate
deactivate
Save the tag
Return to Sprinto and click Re-evaluate on the failing check
Examples
Deactivate Load Balancer Latency Monitoring for a Specific ELB
Key:
Value:
Force Activation of EC2 Instance CPU Monitoring
(Useful when Sprinto would normally ignore the resource)
Key:
Value:
Behaviour Notes
Tags override Sprinto logic only for the tagged resource
Removing the tag restores default behaviour
Tags should be added to IaC templates (Terraform, CloudFormation) for autoscaling fleets
If tags do not appear to work, check capitalization and spelling
Troubleshooting
Monitor Still Failing After Tagging?
Check:
Tag key matches exactly (uppercase required)
Tag value is activate or deactivate only
Tag was applied to the correct AWS resource
The Sprinto monitor has been re-evaluated
AWS pipelines are not overwriting tags
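The troubleshooting checks above can be run in bulk over exported tag data, which also gives a reviewable list of every resource where a monitor has been switched off. The following is an added example, not Sprinto's code: the function names are hypothetical, the input is assumed to have the shape of the Resource Groups Tagging API's ResourceTagMappingList, and tag values are assumed to be case-sensitive as the page writes them.

```python
PREFIX = "SPRINTO_"
VALID_VALUES = {"activate", "deactivate"}
# Subset of the monitor keys listed on this page; extend with the keys you use.
MONITOR_KEYS = {
    "EC2_SERVER_CPU_MONITORED", "LOAD_BALANCER_LATENCY_MONITORED",
    "S3_PUBLIC_ACCESS_BLOCK_ENABLED", "RDS_STORAGE_ENCRYPTED",
}

def lint_tags(resources):
    """Return (arn, tag_key, problem) for every malformed Sprinto-looking tag."""
    findings = []
    for res in resources:
        for tag in res.get("Tags", []):
            key, value = tag["Key"], tag["Value"]
            if not key.strip().upper().startswith(PREFIX):
                continue  # not a Sprinto tag
            if key != key.strip().upper():
                problem = "key must be uppercase with no stray whitespace"
            elif key[len(PREFIX):] not in MONITOR_KEYS:
                problem = "unknown monitor key"
            elif value not in VALID_VALUES:
                problem = "value must be exactly activate or deactivate"
            else:
                continue  # well-formed
            findings.append((res["ResourceARN"], key, problem))
    return findings

def deactivated(resources):
    """Return (arn, monitor_key) for each correctly cased tag set to deactivate."""
    return [(res["ResourceARN"], tag["Key"][len(PREFIX):])
            for res in resources for tag in res.get("Tags", [])
            if tag["Key"].startswith(PREFIX) and tag["Value"] == "deactivate"]

# Constructed sample in ResourceTagMappingList shape; ARNs and names are made up.
SAMPLE = [
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example1",
     "Tags": [{"Key": "SPRINTO_EC2_SERVER_CPU_MONITORED", "Value": "activate"},
              {"Key": "Name", "Value": "web-1"}]},
    {"ResourceARN": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/demo/0example2",
     "Tags": [{"Key": "sprinto_load_balancer_latency_monitored", "Value": "deactivate"}]},
    {"ResourceARN": "arn:aws:s3:::demo-bucket",
     "Tags": [{"Key": "SPRINTO_S3_PUBLIC_ACCESS_BLOCK_ENABLED", "Value": "deactivate"}]},
    {"ResourceARN": "arn:aws:rds:us-east-1:111122223333:db:demo",
     "Tags": [{"Key": "SPRINTO_RDS_STORAGE_ENCRYPTED", "Value": "Deactivated"}]},
]

if __name__ == "__main__":
    for row in lint_tags(SAMPLE) + deactivated(SAMPLE):
        print(row)
```

The output of `deactivated` is worth reviewing periodically, since each entry is a resource deliberately removed from a compliance check.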

