Solution
See below as an example of a policy with a custom tag added:
Considerations
In order to tag a policy we must first understand the limitations of policy tagging and how we can apply policy tags.
- Policy tags can only be applied using the Lacework API, specifically the Policies endpoint. Find details on this here - Policies endpoint
- We can set any tag on a custom policy (up to 31 characters). However, there are restrictions around amending some of the existing tags. These restricted tags are security, tactic, technique, framework, control and identifier.
- Attempting to modify any of the reserved tags will result in the following error response:
“Error: tag key: framework is reserved”
- Tags cannot be removed but instead can be overwritten by a shorter list of tags.
Example steps
In order to apply a tag to a policy we will need to have access to the Lacework API and know the policy name. Once we have these we can use the v2/Policies endpoint and the PATCH method. Please refer to the following KB article for further detail regarding the PATCH method - here
Policy name - lwcs-dhum-default-2
Tag we wish to apply - This is for a test demo
API command:
curl --location --request PATCH 'https://ABC123.lacework.net/api/v2/Policies/lwcs-dhum-default-2' \
--header 'Content-Type: application/json' \
--header 'Authorization: TOKEN' \
--data-raw '{
"tags": [
"This is for a test demo"
]
}'
Once we submit this request we should get the following response. Note that the pre-existing tags are still in place, but as per the PATCH method behavior, we have simply added our custom tag to the list:
{
  "data": {
    "policyId": "lwcs-dhum-default-2",
    "policyType": "Compliance",
    "queryId": "Test",
    "queryText": "{\n source {\n LW_CFG_AZURE_DBFORPOSTGRESQL_SERVERS\n }\n filter {\n URN in {\n source {\n LW_CFG_AZURE_DBFORPOSTGRESQL_SERVERS_FIREWALLRULES\n }\n filter {\n ends_with(RESOURCE_ID, 'AllowAllWindowsAzureIps')\n or (\n RESOURCE_CONFIG:endIpAddress = '0.0.0.0'\n and RESOURCE_CONFIG:startIpAddress = '0.0.0.0'\n )\n }\n return distinct {\n URN\n }\n }\n }\n return distinct {\n TENANT_ID,\n TENANT_NAME,\n SUBSCRIPTION_ID,\n SUBSCRIPTION_NAME,\n URN as RESOURCE_KEY,\n RESOURCE_REGION,\n RESOURCE_TYPE,\n RESOURCE_TAGS,\n 'PostgreSQLAllowAccessAzureServicesEnabled' as COMPLIANCE_FAILURE_REASON\n }\n}",
    "title": "Demo-testing",
    "enabled": true,
    "description": "testing",
    "remediation": "none",
    "severity": "info",
    "alertEnabled": true,
    "alertProfile": "",
    "owner": "daniel.hume@lacework.net",
    "lastUpdateTime": "2023-12-29T18:23:28.000Z",
    "lastUpdateUser": "daniel.hume@lacework.net",
    "tags": ["This is for a test demo", "domain:AZURE", "subdomain:Configuration"],
    "exceptionConfiguration": {
      "constraintFields": [
        {"fieldKey": "azureResourceGroup", "dataType": "String", "multiValue": false},
        {"fieldKey": "regionNames", "dataType": "String", "multiValue": true},
        {"fieldKey": "resourceName", "dataType": "String", "multiValue": false},
        {"fieldKey": "resourceTags", "dataType": "KVTagPair", "multiValue": true},
        {"fieldKey": "subscriptions", "dataType": "String", "multiValue": true},
        {"fieldKey": "tenants", "dataType": "String", "multiValue": true}
      ]
    }
  }
}
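The following is an added example, not Lacework's own code, that packages the considerations and the PATCH step above into a small script: it checks a custom tag against the reserved keys and the 31-character limit before the request body is built and, because a PATCH sends the whole tag list and a shorter list overwrites the old one, merges the policy's existing tags with the new ones. The account name and token are placeholders, and the assumptions that the 31-character limit covers the whole tag string and that a tag's key is the text before its first colon are mine.

```python
import json
import urllib.request

# Reserved tag keys listed in the Considerations above; the API answers
# "Error: tag key: framework is reserved" when one of them is used.
RESERVED_TAG_KEYS = {"security", "tactic", "technique", "framework", "control", "identifier"}
MAX_TAG_LENGTH = 31  # assumption: the limit applies to the whole tag string


def validate_tags(tags):
    """Return a list of problems; an empty list means the tags are safe to send."""
    problems = []
    for tag in tags:
        if len(tag) > MAX_TAG_LENGTH:
            problems.append(f"{tag!r} is longer than {MAX_TAG_LENGTH} characters")
        key = tag.split(":", 1)[0].strip().lower()  # assumption: key = text before ':'
        if key in RESERVED_TAG_KEYS:
            problems.append(f"{tag!r} uses reserved tag key {key!r}")
    return problems


def merged_tags(existing_tags, new_tags):
    """PATCH sends the complete list and a shorter list overwrites the old
    one, so keep the existing tags (order kept, duplicates dropped)."""
    result = []
    for tag in list(existing_tags) + list(new_tags):
        if tag not in result:
            result.append(tag)
    return result


def build_patch_body(existing_tags, new_tags):
    """JSON body for PATCH /api/v2/Policies/{policyId}; raises on a bad tag."""
    problems = validate_tags(new_tags)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"tags": merged_tags(existing_tags, new_tags)})


def patch_policy_tags(account, token, policy_id, existing_tags, new_tags):
    """Send the same request as the curl command above (live network call;
    account and token are placeholders to fill in)."""
    url = f"https://{account}.lacework.net/api/v2/Policies/{policy_id}"
    req = urllib.request.Request(url, method="PATCH",
                                 data=build_patch_body(existing_tags, new_tags).encode(),
                                 headers={"Content-Type": "application/json", "Authorization": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["tags"]  # tags now present on the policy
```

Calling `patch_policy_tags("ABC123", "TOKEN", "lwcs-dhum-default-2", ["domain:AZURE", "subdomain:Configuration"], ["This is for a test demo"])` reproduces the request shown above and returns the tag list from the response.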