While AWS IAM is packed with ABAC features, enforcing who-can-tag-what at scale can be frustrating. We’ll introduce the concept of “Control Tags” - a tag based control plane for tagging operations and its applications in Similarweb, most notably enforcing the two-person rule for sensitive actions, resources and 3rd-party systems like EKS and Hashicorp Vault.