What Are Best Practices for Tagging AWS Resources?

There are many use cases for tags, but what are the best practices for tagging AWS resources? In order for your organization to effectively manage resources (and your monthly AWS bill), you need to implement and adopt a thoughtful tagging strategy that makes sense for your business. The more quality information you have about your resources, the easier the management becomes.

As organizations put more workloads in the cloud, it’s easy to lose sight of the resources that you’re running. Spending, utilization, compliance, and security are all at risk if you don’t have a strategy to easily and quickly identify resources. Tagging helps ensure that all cloud resources are identifiable, easily discoverable, and available for reporting so that your organization gets the most value from your deployments.

In this post, we’ll discuss things to keep in mind when tagging your resources and how tags are important for your business.

What is a tag?

Tags are labels in the form of key-value pairs that may be attached to cloud resources such as instances, storage volumes, and databases. They provide additional information and context about that specific resource. Tags may identify who owns the resource, the environment where it is used, and any other technical or business attributes based on your requirements.

This example shows five tags of an EC2 instance that indicate business, technical, and security metadata relating to this particular instance.

five tags of an EC2 instance

Before getting started with tags, it’s essential to establish a single standard that governs how tags will be managed by users across the organization. This should include the creation of a standard convention for naming resources that is easy to follow and that takes into account the policies of the different cloud providers you may be using. Amazon Web Services (AWS), for example, allows up to 50 tags per AWS resource, while Azure allows only 15. Each cloud provider has its own defined tagging guidelines and you’ll want to make sure that your tagging policy is consistent across platforms.

Design your tagging strategy

As cloud deployments grow, teams deal with an increasing amount of resources that are constantly moving, growing, and changing. Projects may be shared between teams or customers and can rely on different regions and platforms. This makes it easy to lose track of what’s being used until the bill comes due. For tags to be actionable at scale, most teams require visibility of exactly which resources are at play at any given time, who is using them, and what they are being used for, and who is responsible for them. Essentially, the more high quality information associated with a resource, the easier it becomes to manage.

Many organizations group tags into different categories. Examples of these categories include:

  • Business
  • Technical
  • Security

Within each of these categories, you can then define your own tags that are specific to your organization for standardization. Some common tags include cost center, department, owner, environment, version, application, compliance, data sensitivity, and encryption.

An example AWS Resource Tagging Hierarchy
An example convention for tagging AWS resources

From a business perspective, we can clearly see who is responsible for the resource and its function within the business along with the cost center for financial reporting. From a technical perspective, we can see that the resource is currently in development and running version 2.1 of the App1 application. Our security tags indicate that this instance requires the data to be encrypted in order to comply with HIPAA compliance, and that we’ve set our internal data sensitivity rating at 4 on a scale from 1-5.

Too often, a resource is simply tagged with a “name.” The specific tags that you standardize across your organization will depend on your business and its structure. A thoughtful approach like the one provided above will give you far more actionable information about the resource down the road.

Best Practices for Tagging AWS Resources

Can’t wrangle your organization into a comprehensive tagging strategy, but want to cover the bases? Here’s what you should do at minimum:

1. Create cost allocation tags

The typical enterprise hosts resources across several cost centers (sales, marketing, finance, HR, etc.), projects, or teams (application developers, business analysts, service desk, training, etc.). Tags that identify or associate a resource with its specific business purpose and owner make it easier to accurately allocate spending.

Before you can use cost allocation tags, you must activate the feature from within the Billing and Cost Management Console:

How to activate AWS-Generated Cost Allocation Tags
Activating Cost Allocation Tags

Once activated, you can then select any of the tags you are using in your account to be included in reports using Cost Explorer. This will allow teams to generate a cost allocation report with the total monthly bill broken down by the enabled tags.

With costs accurately identified and allocated, teams can see which resources are incurring the greatest share of total cost, identify unused or duplicated resources, and identify potential opportunities to save money. In the AWS Billing and Cost Management console, the Cost Explorer tool can show spending by tags and deliver detailed billing reports.

Visit our course Cost Optimization Strategies for the Cloud for more information about how to optimize and reduce your cloud costs.

 

2. Create security and compliance tags

Security should be the priority for any deployment, so adding security-related tags to your resources should become a best practice for your organization.

Many workloads contain sensitive information or data that may be subject to auditing or reporting regulations such as GDPR or HIPPA. By tagging these resources appropriately, organizations can identify which resources require additional focus from a security standpoint.
As we saw in the example above, there was a tag called ‘Compliance’ with a value of ‘HIPAA.’  This easily helps you to identify which resources are being governed by which compliance certifications.

In addition to using tags to identify resources that are subject to a particular security or governance policy, tags can also be used to allow/deny access to resources by using conditions within IAM policies. For example
"Condition": {
"StringEquals": {"ec2:ResourceTag/Compliance": "HIPAA"}

This condition ensures that only resources tagged with a Compliance tag and a value of HIPAA are subject to the IAM policy. For more information on IAM policies and conditions, please see this AWS: Overview of AWS Identity & Access Management (IAM) course and our Hands-on Lab, Using S3 Bucket Policies and Conditions to Restrict Specific Permissions.

 

3. Leverage Resource Groups

Aptly named, Resource Groups are groups of resources bound together by their tags. Resource groups can be accessed and created either by using the AWS Systems Manager Console or by selecting ‘Resource Groups’ from the AWS Management Navigation bar at the top of the screen.

Resource Groups are used to help you manage your resources more effectively and to simplify the automation of tasks when the same task needs to be applied to a group of resources. For example, if you have a large number of EC2 instances all operating at the same layer of an application, you may decide to create a resource group for these instances. Doing so would allow you to implement a patch update to the group via a single task instead of scheduling multiple tasks, one by one.

The following image shows a new group being created that searches for all resources that have a tag of ‘Department’ with a value of ‘Finance’ in addition to a tag of ‘Environment’ and a value of ‘Production’.

Create query-based Resource Group on AWS
Creating a new Resource Group

The interface allows me to easily group together all resources that are associated to Finance and that are currently in Production. Note that you can also filter by resource type, so I could have selected to filter this search purely on EC2 instances if needed.

Once a group is created, the group itself will be identifiable by its ARN which has the following syntax:

arn:aws:resource-groups:region:account:group/group-name

The region, account, and group-name will be yours.

 

4. Use Tag Editor

If you haven’t been tagging your resources as efficiently as you could have and you are now running hundreds or even thousands of resources in your environment, you might be thinking you have a daunting task ahead of you. However, the task becomes a lot easier when you use the Tag Editor.

Tag Editor allows you to search for existing resources based on Region, Resource Types, and existing Tags. Once you have found the resources that you want to apply additional tags to, you can add new Keys and Values in bulk.

Adding Tags Using the AWS Tag Editor
Adding Tags Using Tag Editor

For example, if we add a new Key and Value in the fields in the interface as shown above, it will add the new tags to ALL the resources that matched our search criteria. The Tag Editor can be found by selecting Resource Groups from the AWS navigation bar and then selecting Tag Editor.

There are many use cases for resource tagging. This post has focused on some of the most common and important tactics in order to get a handle on your infrastructure. Standardizing a comprehensive tagging strategy does require some organizational discipline, but it pays off. It is highly recommended that you implement and adopt a tagging strategy that works for you to help manage your resources effectively and efficiently. The more reliable information that you have about your resources, the easier infrastructure management becomes.

Avatar

Written by

Stuart Scott

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.


Related Posts

Alisha Reyes
Alisha Reyes
— April 9, 2020

New on Cloud Academy: AWS Solutions Architect – Associate Exam Prep, Azure Courses, Google Associate Cloud Engineer Exam Prep, Programming Labs, and Much More

Free content on Cloud Academy More and more customers are relying on our technology and content to keep upskilling their people in these months, and we are doing our best to keep supporting them. While the world fights the COVID-19 pandemic, we wanted to make a small contribution to he...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
  • programming
Joe Nemer
Joe Nemer
— April 3, 2020

Breaking News: All AWS Certification Exams Now Available Online

Remote proctoring for all AWS certifications Cloud Academy is an Advanced AWS Technology Partner, and we are happy to announce all AWS certification exams are available online!  What does this mean for you? You can stay focused on your certification goal. Or you can start a certifica...

Read more
  • AWS
  • AWS certification
  • AWS Certifications
Connie Benton
Connie Benton
— April 1, 2020

How To Build a Career with AWS Certifications

From Iaas and PaaS solutions to digital marketing, cloud computing reshapes the world of technology. As the influence of this technology grows, so does investment. Tens of billions of dollars are being spent on cloud computing-related services each year. This influx is continuing to inc...

Read more
  • AWS
  • Certifications
Vijayakumar Athithan
Vijayakumar Athithan
— March 27, 2020

What is Cognito in AWS?

Web applications usually allow a valid username and password combination for successful sign in to the application. Modern authentication flows incorporate more approaches to ensure user authentication. When using AWS, this is no exception, thanks to the abilities and features offered b...

Read more
  • AWS
  • AWS Cognito
  • Solutions Architect
Avatar
Andrew Larkin
— March 20, 2020

The 12 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Alisha Reyes
Alisha Reyes
— March 17, 2020

Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more

With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Avatar
Cloud Academy Team
— March 13, 2020

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— March 7, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Alisha Reyes
Alisha Reyes
— March 6, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Patrick Navarro
Patrick Navarro
— March 4, 2020

AWS Certifications: How Do They Increase Your Employability and Progress Your Career?

AWS certifications are no walk in the park. They’re designed to validate in-depth, specialist knowledge and comprehensive experience, often requiring months of dedicated studying to earn even for those already working with the cloud platform. But the rewards that AWS professionals ca...

Read more
  • AWS
  • AWS certification
  • certification
Avatar
Chandan Patra
— February 21, 2020

Elasticsearch vs. CloudSearch: AWS Cloud Search Choices

Elasticsearch vs. CloudSearch: What's the main difference? Let's compare AWS-based cloud tools: Elasticsearch vs. CloudSearch. While both services use proven technologies, Elasticsearch is more popular, open source, and has a flexible API to use for customization; in comparison, CloudS...

Read more
  • AWS
  • Azure
  • cloudsearch
  • elasticsearch
Avatar
Andrew Larkin
— February 13, 2020

Cloud Academy Content Roadmap Updates

Welcome to our Q1 2020 roadmap. This is the content we plan to build over the next three months, between February 1 - and April 30, 2020. Let's look at some of our roadmap highlights. Atlassian Bamboo for CI/CD We had a lot of requests for practical guides on how to apply DevOps tool...

Read more
  • Artificial Intelligence
  • AWS
  • Azure
  • Docker
  • Google Cloud Platform
  • Kubernetes
  • Machine Learning