Co-written by Dinesh J and Chidhambaram K

 

Have you ever been worried about organizing and effective management of your 1000s of AWS resources? Have you ever been surprised with higher AWS bills with no detail of underlying services? Then AWS Tags is your friend, it can help you by assigning your custom metadata and enables you to categorize your AWS resources by filtering your metadata. It can help you in the identification of resources, budget planning and several more.

This article is based on our collective experience with various clients and briefly talks about some of the best practices for AWS Tagging, strategies, and tools for effective governance.

An increasing number of resources in AWS is being created or destroyed frequently, thereby managing them has become a daunting task. Adding to it, an average cloud environment may contain resources ranging from a few 100s to several 1000s. Managing and governance of AWS environment is critical, and Tags allow you to do so by attaching user-defined metadata in the form of key-value pairs. They help you visualize or programmatically identify the resources and make you understand their purpose. Tags may also help you to group your resources based on environment or technical or business attributes based on the defined metadata, and thus better manage the cost or define budgets. You can also perform automation in bulk based on the tags present in your resources. Tags can also be used to identify business, security, and technical details of the resources, including:

• Information of team members who created the specific AWS resource.
• Identifying the resources that have alerts and backups enabled.
• Filtering temporary created resources.

Considering the above use cases, we can divide and implement tags in some distinct categories and through strategies.

 

What are the different tagging categories?

We have four AWS suggested categories of tags: – Technical, Automation, Business, and Security.

What are the common strategies for tagging?

After learning about the tagging categories, you may have questions about which strategy to consider when applying tags to your AWS resources. There are a few ways that are provided by AWS and followed by Presidio.

• Resource Group Management – This strategy falls under the category of technical tags; You can assign tags based on the name of your application or environment. Let us say you have two environments: Test and Production, then for this you can choose two tag keys: Name and ENV and assign them the respective values. This will help filter your resources based on tags.

 

• Cost Management – You can apply tags from the business tags category, such as using cost center, business unit, customer, project names, and so on to across AWS environments, so you can easily break your detailed AWS billing reports into pieces.
• Automation – You can use some tag’s “key: values” on your resources such as “backup: yes, retention:10, shutdown:12:00” etc., so by using some automation script you can perform actions on these resources. It can help you in disaster recovery, cost-saving and so on.

 

• Security risk management – You can control access to your resources because IAM policies support tag-based conditions. You can create policies that can restrict specific resources in critical environments (such as production).

 

What are the best practices for tagging?

Based on our firsthand experiences with various clients, we follow a set of best practices when we deal with AWS resource tagging.

Every client engagement is different, but we follow standards such as below across all AWS environments.

• Not storing sensitive or confidential information in tags.
• Using standard naming conventions for all AWS resources.
• Configure mandatory tags to all AWS resources we provision and optional ones that depend on use cases
• Mandatory tags are enforced to all AWS resources by using one of the methods described later in the article
• During our initial discussions with customer, we consider various tag categories that meets the demand of multiple purposes\teams, like managing resource access control, cost tracking, automation, and organization.
• We use automated tools to help manage resource tags. Like AWS Resource Groups and the Resource Groups Tagging API enable programmatic control of tags, making it easier to automatically manage, search, and filter tags and resources.

 

How to govern resources for tag compliance?

AWS services and other 3^rd party tools help us to have total control or govern your resources tags. Tags can help us to have control over your resources in Reactive and Proactive approaches.

• Reactive governance- Tools such as the Resource Groups Tagging API, AWS Config Rules, and custom scripts are used to find not properly tagged resources. AWS Tag Editor is used to find resources manually.
  

 

• Proactive governance- Ensuring that your resources are tagged at resource creation consistently using tools such as AWS CloudFormation, AWS Service Catalog, tag policies in AWS Organizations, or IAM resource-level permissions. Proactive governance can be achieved by using the following tools and automate to generate the tags during resource creation.

• • AWS Tag Tamer – It is one of the solutions suggested by AWS, which helps to apply and manage tags on both new and existing AWS resources. It makes use of the pre-built web UI to ensure consistent tagging implementation. AWS CloudFormation template can be used for automating the deployment of tag tamer architecture.
  • Resource tagging with Terraform – As of version 3.38.0 of the Terraform AWS Provider, the Terraform Configuration language also enables provider-level tagging as an alternative to the resource-level tagging methods. This type of tagging will ensure the enforcement of tags to all resources which are created using Terraform.

• • Cloud Custodian– In some of our projects, we are using Cloud Custodian to enforce auto-tagging on AWS Resources. Cloud Custodian provides policy-based auto-tagging so we can write policies in cloud custodian and by using its cli we can implement those policies.

• 
  • Auto-Tagging based on identity or role – Applying your organization’s required tags to newly created resources using an automated workflow. It also creates a rule in Amazon CloudWatch Events, AWS Systems Manager Parameter Store, and an AWS Lambda function.

 

Conclusion:

AWS resource tags can be used for a wide variety of purposes, from implementing a cost allocation process to supporting automation or authorizing access to AWS resources. The right implementation of your tags can add more value and reduce your burden when handling your resources.