Region Management

TagOps supports multi-region operations, allowing you to monitor and tag resources across multiple AWS regions. This guide explains how to add or remove regions from an existing AWS account that's already connected to TagOps.

Overview

When you add an AWS account to TagOps, you specify regions during the CloudFormation stack deployment. The onboarding region (where the CloudFormation stack is deployed) is always included, and you can add additional regions using the AWSAdditionalRegions parameter.

After the initial setup, you can modify the regions by updating the CloudFormation stack. TagOps will automatically:

  - Create EventBridge rules in newly added regions
  - Remove EventBridge rules from deleted regions
  - Update the region configuration in TagOps

Adding Regions to an Existing Account

1. Identify Current Regions

Before adding new regions, check which regions are currently configured:

  1. Go to AWS Accounts in TagOps
  2. View the Regions section for your account to see onboarded regions

2. Update Account in TagOps

After the CloudFormation update completes, update the account in TagOps:

  1. Log in to your AWS account
  2. Go to the AWS Accounts page in TagOps
  3. Click Edit for your account
  4. Click Update CloudFormation Stack; the CloudFormation stack opens in a new tab
  5. Choose "Use existing template" and click Next
  6. Add the new region to the "Additional AWS Regions" parameter and click Next
  7. Select "I acknowledge that AWS CloudFormation might create IAM resources with custom names." and click Next
  8. Review the CloudFormation stack changes and click Submit
  9. Wait for the CloudFormation stack provisioning to finish
  10. Go back to the TagOps tab and click Verify Account to refresh region information
  11. Click Update Account
  12. View the new region for your account in the Regions section

3. Verify Region Addition

Confirm the new regions are active:

  1. Go to Settings → Account Settings
  2. Select your account
  3. Click the Edit button in Allowed Regions
  4. Select the newly added region and click Save

Removing Regions from an Existing Account

1. Identify Regions to Remove

  1. Go to AWS Accounts in TagOps
  2. View the Regions section for your account to see onboarded regions
  3. Note which regions you want to remove

Onboarding Region Cannot Be Removed

The region where the CloudFormation stack is deployed (onboarding region) cannot be removed. This is the primary region for TagOps operations.

2. Update Account in TagOps

After the CloudFormation update completes:

  1. Log in to your AWS account
  2. Go to the AWS Accounts page in TagOps
  3. Click Edit for your account
  4. Click Update CloudFormation Stack; the CloudFormation stack opens in a new tab
  5. Choose "Use existing template" and click Next
  6. Remove the region from the "Additional AWS Regions" parameter and click Next
  7. Select "I acknowledge that AWS CloudFormation might create IAM resources with custom names." and click Next
  8. Review the CloudFormation stack changes and click Submit
  9. Wait for the CloudFormation stack provisioning to finish
  10. Click Verify Account to refresh region information
  11. Click Update Account
  12. Confirm the region is removed from your account in the Regions section

Resource Inventory

Resources that were previously discovered in removed regions will remain in the TagOps inventory until the next scheduled scan. After the scan, resources from removed regions will be automatically removed from inventory.

Always Include us-east-1

Critical: Include us-east-1 Region

Always onboard the us-east-1 region when setting up TagOps for your AWS account. Global AWS services like IAM, CloudFront, Route 53, and others send CloudTrail events only to the us-east-1 region, regardless of where your resources are located.

Recommendation:

  - If us-east-1 is not your primary region, still include it in the AWSAdditionalRegions parameter
  - This ensures complete event coverage for all AWS services
  - You can deploy the CloudFormation stack in any region, but always add us-east-1 to additional regions
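
A pre-flight check for the region changes described above, as an added example that is not TagOps code: it reads `aws cloudformation describe-stacks` output, takes the onboarding region from the stack ARN, and reports which regions a new AWSAdditionalRegions value would add or remove and whether us-east-1 stays covered. The comma-separated parameter format, the stack name and the account ID in the sample are assumptions.

```python
import json

GLOBAL_EVENTS_REGION = "us-east-1"  # per this guide: global services log events here

# Constructed sample shaped like `aws cloudformation describe-stacks` output.
SAMPLE = json.dumps({"Stacks": [{
    "StackId": ("arn:aws:cloudformation:eu-west-1:111122223333:"
                "stack/tagops-example/00000000-0000-0000-0000-000000000000"),
    "Parameters": [{"ParameterKey": "AWSAdditionalRegions",
                    "ParameterValue": "eu-central-1, us-west-2"}],
}]})


def split_regions(value):
    """Parse the parameter value (comma-separated format is an assumption)."""
    return {r.strip().lower() for r in value.split(",") if r.strip()}


def current_regions(describe_stacks_json):
    """Return (onboarding_region, all_regions) for the first stack listed."""
    stack = json.loads(describe_stacks_json)["Stacks"][0]
    onboarding = stack["StackId"].split(":")[3]  # region field of the stack ARN
    params = {p["ParameterKey"]: p.get("ParameterValue", "")
              for p in stack.get("Parameters", [])}
    return onboarding, {onboarding} | split_regions(
        params.get("AWSAdditionalRegions", ""))


def plan_update(describe_stacks_json, new_additional):
    """Diff the current region set against a proposed AWSAdditionalRegions value."""
    onboarding, before = current_regions(describe_stacks_json)
    # The onboarding region is always included, so it can never show up as removed.
    after = {onboarding} | split_regions(new_additional)
    warnings = []
    if GLOBAL_EVENTS_REGION not in after:
        warnings.append("us-east-1 missing: events from global services "
                        "(IAM, CloudFront, Route 53) will not be covered")
    return {"onboarding": onboarding,
            "added": sorted(after - before),
            "removed": sorted(before - after),
            "warnings": warnings}


if __name__ == "__main__":
    print(json.dumps(plan_update(SAMPLE, "us-east-1,eu-central-1"), indent=2))
```

To check a real stack, pass the JSON printed by `aws cloudformation describe-stacks --stack-name <your stack>` in place of `SAMPLE` before you submit the stack update.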