There are an increasing number of APIs where you can do this with IAM conditions, but it’s definitely harder than it should be.
The big thing you need is to be comfortable breaking anything you use until someone can update it (maybe forking a third-party IaC project or vendor stack, etc.), so it’s definitely less friction to remediate afterwards.
I'm sure over time they will retrofit their APIs to better support tag policy enforcement. I am glad they err on the side of maintaining a stable API, so I can see why things are the way they are.
For now, we enforce our policy during code review. Everything is deployed via terraform/terragrunt so it is pretty easy. We have plans to mostly automate this via static code analysis.
Ditto — I think tools like Sentinel policies are a great answer here because it doesn't prevent your administrators from doing something in a hurry but it means that your normal flow of releases will catch missed tags. We're already using that for things like tflint/tfsec/Checkov/etc. so it's a familiar workflow.
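As an added illustration of the "catch missed tags in the release flow" approach the two comments above describe (enforcing the tag policy in code review and then automating it with static analysis), here is a small checker that runs over the JSON a `terraform show -json` plan emits. This is example code written for this page, not something from the thread's participants or from any of the tools they mention. The required tag keys, the embedded sample plan, and the rule that "a resource supports tags if its planned state carries a `tags` or `tags_all` attribute" are all assumptions made for the example; `tags_all` is the AWS provider attribute that merges resource tags with provider-level `default_tags`.

```python
#!/usr/bin/env python3
"""Fail a CI step when a Terraform plan creates or updates AWS resources that
lack required tags. Example code for this page, not from the thread.

Intended use (assumed workflow):
    terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    python check_tags.py plan.json
"""
import json
import sys

# Assumed tag policy for this example; substitute your organisation's keys.
REQUIRED_TAGS = frozenset({"Owner", "CostCenter", "Environment"})


def effective_tags(after):
    """Tags a resource will carry after apply.

    The AWS provider exposes `tags` (set on the resource) and `tags_all`
    (merged with provider-level default_tags). Prefer `tags_all` so that tags
    supplied through default_tags satisfy the policy.
    """
    tags = after.get("tags_all")
    if not isinstance(tags, dict):
        tags = after.get("tags")
    return tags if isinstance(tags, dict) else {}


def missing_tags(plan, required=REQUIRED_TAGS):
    """Return [(address, [missing keys...]), ...] for every resource that will
    exist after apply, supports tags, and lacks one of `required`.

    Assumption: a type supports tags iff its planned `after` state carries a
    `tags` or `tags_all` attribute (true for the AWS provider's taggable types).
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and "create" not in actions:
            continue  # resource is going away; nothing to tag
        after = change.get("after")
        if not isinstance(after, dict):
            continue  # no post-apply state to inspect
        if "tags" not in after and "tags_all" not in after:
            continue  # untaggable type, e.g. aws_iam_role_policy_attachment
        unknown = change.get("after_unknown", {})
        if unknown.get("tags_all") is True or unknown.get("tags") is True:
            # Whole tag map is computed at apply time: flag it rather than pass it.
            findings.append((rc["address"], ["<tags not known until apply>"]))
            continue
        missing = sorted(required - set(effective_tags(after)))
        if missing:
            findings.append((rc["address"], missing))
    return findings


# Constructed sample plan (trimmed to the fields the checker reads).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs",
                              "tags": {"Owner": "platform"},
                              "tags_all": {"Owner": "platform", "CostCenter": "1234",
                                           "Environment": "prod"}},
                    "after_unknown": {"arn": True}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"instance_type": "t3.micro",
                              "tags": {"Owner": "web-team"},
                              "tags_all": {"Owner": "web-team"}},
                    "after_unknown": {"id": True}}},
        {"address": "aws_iam_role_policy_attachment.ro",
         "type": "aws_iam_role_policy_attachment",
         "change": {"actions": ["create"],
                    "after": {"role": "reader",
                              "policy_arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
                    "after_unknown": {"id": True}}},
        {"address": "aws_sqs_queue.old", "type": "aws_sqs_queue",
         "change": {"actions": ["delete"], "before": {"name": "old", "tags": {}},
                    "after": None, "after_unknown": {}}},
    ],
}


def main(argv):
    """Read a plan file if given, else use the embedded sample; exit 1 on findings."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = missing_tags(plan)
    for address, keys in findings:
        print(f"{address}: missing required tag(s): {', '.join(keys)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, only `aws_instance.web` is reported (it lacks `CostCenter` and `Environment`); the bucket passes because the missing keys arrive via `default_tags` and show up in `tags_all`, the policy attachment is skipped as untaggable, and the queue is skipped because it is being destroyed. Because the check reads the plan rather than the `.tf` source, it sees tags merged from modules and provider defaults, which is where grep-style checks tend to produce false positives.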