About TagFixer
TagFixer was born from a simple need: to bring order to the chaos of cloud resource tagging. In complex multi-cloud environments, inconsistent or incorrect tags can lead to billing inaccuracies, governance challenges, and operational headaches. We experienced these problems firsthand and decided to build a solution.
Our Mission
Our mission is to provide a simple, powerful, and secure tool that empowers DevOps engineers, cloud administrators, and IT managers to maintain a pristine and well-organized multi-cloud environment. We believe that good tagging hygiene is the foundation of effective cloud management, and we're here to make it as easy as possible across Azure and AWS platforms.
What We Do
TagFixer scans your Azure subscriptions and AWS accounts, identifies all unique tags, and provides you with an intuitive interface to map incorrect tags to standardized ones. With a single click, you can apply these fixes across thousands of resources in either cloud platform, saving countless hours of manual work.
Multi-Cloud Support
Azure
Full support for Azure subscriptions using Service Principal authentication. Scan and fix tags across all your Azure resources and resource groups.
AWS
Complete AWS support using IAM access keys. Manage tags across EC2 instances, S3 buckets, RDS databases, and other AWS resources.
Our Commitment to Security
We understand that your cloud credentials are sensitive, and we've built our platform with security as a top priority. Our approach ensures the application handles your Azure and AWS credentials safely while empowering you to grant minimal, necessary access.
Encryption at Rest
Your cloud credentials are never stored in plaintext. When you save your Service Principal details (Azure) or IAM credentials (AWS), each component is protected using strong symmetric encryption before being written to the database.
- We use the Fernet implementation from Python's industry-standard cryptography library to secure your data.
- Credentials are encrypted upon saving and are only decrypted in memory at the moment they are needed to communicate with the cloud APIs.
- Azure and AWS credentials are stored separately with individual encryption keys.
Principle of Least Privilege
TagFixer is designed to function with the most restrictive permissions possible across both cloud platforms.
Azure Permissions
We guide our users to create a Service Principal with Azure's built-in "Tag Contributor" role.
- This role exclusively grants permissions to read and write tags on resources and resource groups.
- Crucially, the "Tag Contributor" role cannot be used to create or delete resources, modify their configurations, or access any data they contain.
AWS Permissions
For AWS, we recommend creating an IAM user with a custom policy that grants only tag-related permissions.
- Required permissions: tag:GetResources, tag:TagResources, tag:UntagResources
- Resource listing permissions for specific services (EC2, S3, RDS, etc.) in read-only mode
- No permissions to create, delete, or modify actual cloud resources
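One way to check an IAM policy against the permission set listed above before attaching it, as an added example that is not TagFixer's own code. The function name, the sample policies, and the rule that "read-only listing" means only Describe*/List* actions are assumptions made for illustration.

```python
import json

# The three tag actions the page lists as required.
TAG_ACTIONS = {"tag:getresources", "tag:tagresources", "tag:untagresources"}
# Assumption: "read-only listing" means Describe*/List* verbs only. Get* is
# excluded on purpose because it also covers data reads such as s3:GetObject.
LISTING_VERBS = ("describe", "list")


def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def excess_actions(policy_json):
    """Return the sorted Allow-ed actions that go beyond tag + listing access."""
    policy = json.loads(policy_json)
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.add("NotAction")  # allows everything except the listed actions
        for action in _as_list(stmt.get("Action")):
            _, _, verb = action.lower().partition(":")
            if action.lower() in TAG_ACTIONS:
                continue
            # "ec2:Describe*" passes: every match still starts with Describe.
            # "tag:*", "*" and "ec2:D*" fail: they can match write actions.
            if not verb.startswith(LISTING_VERBS):
                findings.add(action)
    return sorted(findings)


# Constructed sample policies (not taken from TagFixer's documentation).
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["tag:GetResources", "tag:TagResources", "tag:UntagResources"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "rds:DescribeDBInstances"]}]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["tag:*", "ec2:TerminateInstances", "s3:GetObject", "ec2:Describe*"]}})

if __name__ == "__main__":
    print("good policy findings:", excess_actions(GOOD))
    print("bad policy findings: ", excess_actions(BAD))
```

An empty result means the policy stays within the tag and listing permissions described above; any returned action is one to remove or justify before the IAM user's keys are handed to a third-party tool.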
By combining secure credential storage with a least-privilege access model, we ensure that you can manage your tags safely and with confidence across both Azure and AWS.