Skip to main content

What Are Best Practices for Tagging AWS Resources?

There are many use cases for tags, but what are the best practices for tagging AWS resources? In order for your organization to effectively manage resources (and your monthly AWS bill), you need to implement and adopt a thoughtful tagging strategy that makes sense for your business. The more quality information you have about your resources, the easier the management becomes.

As organizations put more workloads in the cloud, it’s easy to lose sight of the resources that you’re running. Spending, utilization, compliance, and security are all at risk if you don’t have a strategy to easily and quickly identify resources. Tagging helps ensure that all cloud resources are identifiable, easily discoverable, and available for reporting so that your organization gets the most value from your deployments.

In this post, we’ll discuss things to keep in mind when tagging your resources and how tags are important for your business.

What is a tag?

Tags are labels in the form of key-value pairs that may be attached to cloud resources such as instances, storage volumes, and databases. They provide additional information and context about that specific resource. Tags may identify who owns the resource, the environment where it is used, and any other technical or business attributes based on your requirements.

This example shows five tags of an EC2 instance that indicate business, technical, and security metadata relating to this particular instance.

Before getting started with tags, it’s essential to establish a single standard that governs how tags will be managed by users across the organization. This should include the creation of a standard convention for naming resources that is easy to follow and that takes into account the policies of the different cloud providers you may be using. Amazon Web Services (AWS), for example, allows up to 50 tags per AWS resource, while Azure allows only 15. Each cloud provider has its own defined tagging guidelines and you’ll want to make sure that your tagging policy is consistent across platforms.

Design your tagging strategy

As cloud deployments grow, teams deal with an increasing amount of resources that are constantly moving, growing, and changing. Projects may be shared between teams or customers and can rely on different regions and platforms. This makes it easy to lose track of what’s being used until the bill comes due. For tags to be actionable at scale, most teams require visibility of exactly which resources are at play at any given time, who is using them, and what they are being used for, and who is responsible for them. Essentially, the more high quality information associated with a resource, the easier it becomes to manage.

Many organizations group tags into different categories. Examples of these categories include:

  • Business
  • Technical
  • Security

Within each of these categories, you can then define your own tags that are specific to your organization for standardization. Some common tags include cost center, department, owner, environment, version, application, compliance, data sensitivity, and encryption.

An example AWS Resource Tagging Hierarchy
An example convention for tagging AWS resources

From a business perspective, we can clearly see who is responsible for the resource and its function within the business along with the cost center for financial reporting. From a technical perspective, we can see that the resource is currently in development and running version 2.1 of the App1 application. Our security tags indicate that this instance requires the data to be encrypted in order to comply with HIPAA compliance, and that we’ve set our internal data sensitivity rating at 4 on a scale from 1-5.

Too often, a resource is simply tagged with a “name.” The specific tags that you standardize across your organization will depend on your business and its structure. A thoughtful approach like the one provided above will give you far more actionable information about the resource down the road.

Best Practices for Tagging AWS Resources

Can’t wrangle your organization into a comprehensive tagging strategy, but want to cover the bases? Here’s what you should do at minimum:

1. Create cost allocation tags

The typical enterprise hosts resources across several cost centers (sales, marketing, finance, HR, etc.), projects, or teams (application developers, business analysts, service desk, training, etc.). Tags that identify or associate a resource with its specific business purpose and owner make it easier to accurately allocate spending.

Before you can use cost allocation tags, you must activate the feature from within the Billing and Cost Management Console:

How to activate AWS-Generated Cost Allocation Tags
Activating Cost Allocation Tags

Once activated, you can then select any of the tags you are using in your account to be included in reports using Cost Explorer. This will allow teams to generate a cost allocation report with the total monthly bill broken down by the enabled tags.

With costs accurately identified and allocated, teams can see which resources are incurring the greatest share of total cost, identify unused or duplicated resources, and identify potential opportunities to save money. In the AWS Billing and Cost Management console, the Cost Explorer tool can show spending by tags and deliver detailed billing reports.

Visit our course Cost Optimization Strategies for the Cloud for more information about how to optimize and reduce your cloud costs.

 

2. Create security and compliance tags

Security should be the priority for any deployment, so adding security-related tags to your resources should become a best practice for your organization.

Many workloads contain sensitive information or data that may be subject to auditing or reporting regulations such as GDPR or HIPPA. By tagging these resources appropriately, organizations can identify which resources require additional focus from a security standpoint.
As we saw in the example above, there was a tag called ‘Compliance’ with a value of ‘HIPAA.’  This easily helps you to identify which resources are being governed by which compliance certifications.

In addition to using tags to identify resources that are subject to a particular security or governance policy, tags can also be used to allow/deny access to resources by using conditions within IAM policies. For example
"Condition": {
"StringEquals": {"ec2:ResourceTag/Compliance": "HIPAA"}

This condition ensures that only resources tagged with a Compliance tag and a value of HIPAA are subject to the IAM policy. For more information on IAM policies and conditions, please see this AWS: Overview of AWS Identity & Access Management (IAM) course and our Hands-on Lab, Using S3 Bucket Policies and Conditions to Restrict Specific Permissions.

 

3. Leverage Resource Groups

Aptly named, Resource Groups are groups of resources bound together by their tags. Resource groups can be accessed and created either by using the AWS Systems Manager Console or by selecting ‘Resource Groups’ from the AWS Management Navigation bar at the top of the screen.

Resource Groups are used to help you manage your resources more effectively and to simplify the automation of tasks when the same task needs to be applied to a group of resources. For example, if you have a large number of EC2 instances all operating at the same layer of an application, you may decide to create a resource group for these instances. Doing so would allow you to implement a patch update to the group via a single task instead of scheduling multiple tasks, one by one.

The following image shows a new group being created that searches for all resources that have a tag of ‘Department’ with a value of ‘Finance’ in addition to a tag of ‘Environment’ and a value of ‘Production’.

Create query-based Resource Group on AWS
Creating a new Resource Group

The interface allows me to easily group together all resources that are associated to Finance and that are currently in Production. Note that you can also filter by resource type, so I could have selected to filter this search purely on EC2 instances if needed.

Once a group is created, the group itself will be identifiable by its ARN which has the following syntax:

arn:aws:resource-groups:region:account:group/group-name

The region, account, and group-name will be yours.

 

4. Use Tag Editor

If you haven’t been tagging your resources as efficiently as you could have and you are now running hundreds or even thousands of resources in your environment, you might be thinking you have a daunting task ahead of you. However, the task becomes a lot easier when you use the Tag Editor.

Tag Editor allows you to search for existing resources based on Region, Resource Types, and existing Tags. Once you have found the resources that you want to apply additional tags to, you can add new Keys and Values in bulk.

Adding Tags Using the AWS Tag Editor
Adding Tags Using Tag Editor

For example, if we add a new Key and Value in the fields in the interface as shown above, it will add the new tags to ALL the resources that matched our search criteria. The Tag Editor can be found by selecting Resource Groups from the AWS navigation bar and then selecting Tag Editor.

There are many use cases for resource tagging. This post has focused on some of the most common and important tactics in order to get a handle on your infrastructure. Standardizing a comprehensive tagging strategy does require some organizational discipline, but it pays off. It is highly recommended that you implement and adopt a tagging strategy that works for you to help manage your resources effectively and efficiently. The more reliable information that you have about your resources, the easier infrastructure management becomes.

Written by

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.

Related Posts

— November 28, 2018

Two New EC2 Instance Types Announced at AWS re:Invent 2018 – Monday Night Live

Let’s look at what benefits these two new EC2 instance types offer and how these two new instances could be of benefit to you. Both of the new instance types are built on the AWS Nitro System. The AWS Nitro System improves the performance of processing in virtualized environments by...

Read more
  • AWS
  • EC2
  • re:Invent 2018
— November 21, 2018

Google Cloud Certification: Preparation and Prerequisites

Google Cloud Platform (GCP) has evolved from being a niche player to a serious competitor to Amazon Web Services and Microsoft Azure. In 2018, research firm Gartner placed Google in the Leaders quadrant in its Magic Quadrant for Cloud Infrastructure as a Service for the first time. In t...

Read more
  • AWS
  • Azure
  • Google Cloud
Khash Nakhostin
— November 13, 2018

Understanding AWS VPC Egress Filtering Methods

Security in AWS is governed by a shared responsibility model where both vendor and subscriber have various operational responsibilities. AWS assumes responsibility for the underlying infrastructure, hardware, virtualization layer, facilities, and staff while the subscriber organization ...

Read more
  • Aviatrix
  • AWS
  • VPC
— November 10, 2018

S3 FTP: Build a Reliable and Inexpensive FTP Server Using Amazon’s S3

Is it possible to create an S3 FTP file backup/transfer solution, minimizing associated file storage and capacity planning administration headache?FTP (File Transfer Protocol) is a fast and convenient way to transfer large files over the Internet. You might, at some point, have conf...

Read more
  • Amazon S3
  • AWS
— October 18, 2018

Microservices Architecture: Advantages and Drawbacks

Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs).Microservices have become increasingly popular over the past few years. The modular architectural style,...

Read more
  • AWS
  • Microservices
— September 26, 2018

How to Optimize Amazon S3 Performance

Amazon S3 is the most common storage options for many organizations, being object storage it is used for a wide variety of data types, from the smallest objects to huge datasets. All in all, Amazon S3 is a great service to store a wide scope of data types in a highly available and resil...

Read more
  • Amazon S3
  • AWS
— September 18, 2018

How to Optimize Cloud Costs with Spot Instances: New on Cloud Academy

One of the main promises of cloud computing is access to nearly endless capacity. However, it doesn’t come cheap. With the introduction of Spot Instances for Amazon Web Services’ Elastic Compute Cloud (AWS EC2) in 2009, spot instances have been a way for major cloud providers to sell sp...

Read more
  • AWS
  • Azure
  • Google Cloud
— August 23, 2018

What are the Benefits of Machine Learning in the Cloud?

A Comparison of Machine Learning Services on AWS, Azure, and Google CloudArtificial intelligence and machine learning are steadily making their way into enterprise applications in areas such as customer support, fraud detection, and business intelligence. There is every reason to beli...

Read more
  • AWS
  • Azure
  • Google Cloud
  • Machine Learning
— August 17, 2018

How to Use AWS CLI

The AWS Command Line Interface (CLI) is for managing your AWS services from a terminal session on your own client, allowing you to control and configure multiple AWS services.So you’ve been using AWS for awhile and finally feel comfortable clicking your way through all the services....

Read more
  • AWS
Albert Qian
— August 9, 2018

AWS Summit Chicago: New AWS Features Announced

Thousands of cloud practitioners descended on Chicago’s McCormick Place West last week to hear the latest updates around Amazon Web Services (AWS). While a typical hot and humid summer made its presence known outside, attendees inside basked in the comfort of air conditioning to hone th...

Read more
  • AWS
  • AWS Summits
— August 8, 2018

From Monolith to Serverless – The Evolving Cloudscape of Compute

Containers can help fragment monoliths into logical, easier to use workloads. The AWS Summit New York was held on July 17 and Cloud Academy sponsored my trip to the event. As someone who covers enterprise cloud technologies and services, the recent Amazon Web Services event was an insig...

Read more
  • AWS
  • AWS Summits
  • Containers
  • DevOps
  • serverless
— July 11, 2018

AWS Certification Practice Exam: What to Expect from Test Questions

If you’re building applications on the AWS cloud or looking to get started in cloud computing, certification is a way to build deep knowledge in key services unique to the AWS platform. AWS currently offers nine certifications that cover the major cloud roles including Solutions Archite...

Read more
  • AWS