diff --git a/compositions/upbound-aws-provider/s3-irsa/definition.yaml b/compositions/upbound-aws-provider/s3-irsa/definition.yaml
index 6950866b..fb034d10 100644
--- a/compositions/upbound-aws-provider/s3-irsa/definition.yaml
+++ b/compositions/upbound-aws-provider/s3-irsa/definition.yaml
@@ -47,17 +47,9 @@ spec:
region:
type: string
tags:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
+ additionalProperties:
+ type: string
+ type: object
required:
- providerConfigName
- region
diff --git a/examples/gatekeeper/required-tags-s3/README.md b/examples/gatekeeper/required-tags-s3/README.md
new file mode 100644
index 00000000..d965d420
--- /dev/null
+++ b/examples/gatekeeper/required-tags-s3/README.md
@@ -0,0 +1,13 @@
+### Prevent provisioning resources that do not have the required tags
+
+This example covers a Gatekeeper policy that denies requests for provisioning
+resources without the required tags
+
+Examples and test cases are available under the `samples` directory.
+Tests can be ran using the [gator cli](https://open-policy-agent.github.io/gatekeeper/website/docs/gator/).
+
+To run tests for this example run:
+```bash
+cd examples/gatekeeper/required-tags/
+gator verify . -v
+```
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags-s3/constraint.yaml b/examples/gatekeeper/required-tags-s3/constraint.yaml
new file mode 100644
index 00000000..228bc4f6
--- /dev/null
+++ b/examples/gatekeeper/required-tags-s3/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: AwsRequiredTags
+metadata:
+ name: awsrequiredtags
+spec:
+ match:
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["*"]
+ parameters:
+ tags: ["owner"]
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags-s3/template.yaml b/examples/gatekeeper/required-tags-s3/template.yaml
new file mode 100644
index 00000000..e1cd72e7
--- /dev/null
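Review bot: Changing `tags` from a list of `{key, value}` objects to a string map is a breaking change to the claim's schema with no version bump, so any existing claim or composition patch that still emits the list form (neither is visible in this diff) is now rejected by the XRD; confirm the s3-irsa composition's `resourceConfig.tags` patches were updated in the same change. The enclosing `openAPIV3Schema` starts outside this hunk. Note also that the Gatekeeper template added in this same PR reads tags as `i.key`, i.e. the old list shape, so if the composition copies this map straight into `forProvider.tags` the two halves of the change disagree on what a tag looks like. If an empty map should not pass schema validation, add `minProperties: 1` under `tags:`.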
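Review bot: `match.kinds` with `apiGroups: ["*"]` and `kinds: ["*"]` makes Gatekeeper evaluate this template on every admission request in the cluster and leaves the group filtering to the Rego, which only the first rule does; the second rule will fire on any object of any API group carrying `spec.forProvider.tags` without an `owner` key. Scope the constraint to the resources it is written for, e.g. `- apiGroups: ["s3.aws.crossplane.io"]` / `kinds: ["Bucket"]` (extend the list if other S3 kinds carry tags), which also removes the need for the `ProviderConfig` prefix exemption in the template. Consider stating `enforcementAction: deny` explicitly (it is the default, but an audit-only rollout via `dryrun` is the usual first step), and check that the Upbound provider used elsewhere in this PR actually serves the `s3.aws.crossplane.io` group rather than a different one, otherwise the policy never applies to its resources.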
+++ b/examples/gatekeeper/required-tags-s3/template.yaml
@@ -0,0 +1,38 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: awsrequiredtags
+spec:
+ crd:
+ spec:
+ names:
+ kind: AwsRequiredTags
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ properties:
+ tags:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package awsrequiredtags
+ import future.keywords.every
+
+ violation[{"msg": msg}] {
+ endswith(input.review.kind.group, "s3.aws.crossplane.io")
+ not startswith(input.review.kind.kind, "ProviderConfig")
+ not input.review.object.spec.forProvider.tags
+ msg := sprintf("Attempting to provision a resource without tags, the following tags are required '%v'", [input.parameters.tags])
+ }
+
+ violation[{"msg": msg}] {
+ some requested_tag in input.parameters.tags
+ every i in input.review.object.spec.forProvider.tags {
+ requested_tag != i.key
+ }
+ msg := sprintf("Attempting to provision a resource with the following tags '%v', one or more of the required tags '%v' is missing", [input.review.object.spec.forProvider.tags, input.parameters.tags])
+ }
\ No newline at end of file
diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/claim.yaml b/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/claim.yaml
index cc33754d..7cba930a 100644
--- a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/claim.yaml
+++ b/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/claim.yaml
@@ -14,4 +14,8 @@ spec:
resourceConfig:
providerConfigName: aws-provider-config
region: us-east-1
+ {{- with .Values.s3irsa.tags }}
+ tags:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
{{- end }}
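Review bot: The second `violation` rule assumes `spec.forProvider.tags` is a list of `{key, value}` objects: when tags are a string map (the shape the definition.yaml hunk in this diff switches the claim to, and what `forProvider.tags` is on map-typed providers), `i` is a tag value, `i.key` is undefined, the `every` body is undefined for each element and the rule silently never fires — the policy fails open for exactly the tagging format this PR introduces. That rule also has no group or kind guard, unlike the first one, so it evaluates any object with `spec.forProvider.tags`, and `endswith` on the group accepts e.g. `foo-s3.aws.crossplane.io` where `==` is meant. Below is a rewrite that collects tag keys from either shape and fails closed: `not tag_keys(tags)[required]` is true both when the key is absent and when `tag_keys` is undefined for an unexpected shape, and `object.get` with a default keeps a missing `tags` field from making the rule undefined (the array-path form of `object.get` needs a reasonably recent OPA; verify against the Gatekeeper version in use). Separately, the README's `cd examples/gatekeeper/required-tags/` points at a directory that does not exist; this file lives under `required-tags-s3/`.
```yaml
# … unchanged: ConstraintTemplate metadata, crd names and parameters schema …
        rego: |
            package awsrequiredtags
            import future.keywords.every

            # Tag keys, whether tags are a list of {key, value} objects or a string map.
            tag_keys(tags) := keys {
                is_array(tags)
                keys := {t.key | some t in tags}
            }

            tag_keys(tags) := keys {
                is_object(tags)
                keys := {k | some k, _ in tags}
            }

            violation[{"msg": msg}] {
                input.review.kind.group == "s3.aws.crossplane.io"
                not startswith(input.review.kind.kind, "ProviderConfig")
                # Default to {} so a resource with no tags at all is still checked (fail closed).
                tags := object.get(input.review.object, ["spec", "forProvider", "tags"], {})
                some required in input.parameters.tags
                # Also true when tag_keys is undefined, i.e. tags have an unexpected shape.
                not tag_keys(tags)[required]
                msg := sprintf("%v is missing required tag '%v' (required: %v, present: %v)", [input.review.kind.kind, required, input.parameters.tags, tags])
            }
```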
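Review bot: `toYaml` emits tag values with their YAML-inferred types, so a value such as `cost-center: 1234` or `pci: true` in values.yaml renders unquoted into the claim and is rejected by the XRD, which declares `tags` as `additionalProperties: type: string` in this same diff; render the map with a range that quotes values instead: `{{- range $k, $v := .Values.s3irsa.tags }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}` (with `nindent` as appropriate). The `{{- with }}` guard drops the `tags` key entirely when the map is empty, which leaves enforcement to the Gatekeeper policy rather than the chart — acceptable for an example, but worth a comment next to `tags:` in values.yaml so installers know the claim will be denied without an owner. The enclosing `{{- if }}` block this hunk closes starts outside the hunk.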
diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/values.yaml b/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/values.yaml
new file mode 100644
index 00000000..5c3f65c6
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/values.yaml
@@ -0,0 +1,9 @@
+# Default values for checkout.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+s3irsa:
+ enabled: true
+ tags:
+ owner: devops
+ environment: production
\ No newline at end of file
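Review bot: Defaulting `owner: devops` means every install of this chart satisfies the `owner` required-tag constraint added in this PR with a placeholder that identifies nobody, which defeats the purpose of the policy; ship `tags: {}` (or omit `owner`) so the installer must supply a real owner and Gatekeeper does the enforcing. `environment: production` is likewise a risky default for an example chart — prefer no default or a clearly non-production value. The header comment `# Default values for checkout.` looks copied from another chart; change it to `# Default values for the s3-irsa claim chart.`.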