In all other roles, tagging is not done implicitly on EC2 instances; it is done when the tagging flag is set to true. The service role should follow the same pattern. This caused a problem on an open source deployment here: https://groups.google.com/forum/#!msg/openedx-ops/GTaZi6tAVOM/CCF_OSpxbsEJ