Auto-remediation for missing tags in AWS using Cloud Custodian — Part 2
Perform auto-remediation using the open-source tool called Cloud Custodian
In this three-part series on automatic remediation of AWS resources that are missing owner tags, we discuss the benefits and some drawbacks we have come across while using this action.
Benefits: The Cloud Custodian action called auto-tag-user is a very powerful and reliable solution to the missing-tag problem. Developers and engineers are continuously building at pace and innovating the next big thing. Cloud Custodian helps them by filling in the missing tag when they forget to set it, whether in a Terraform template (programmatic) or in the console. This helps organizations satisfy a mandatory tagging policy and meet compliance requirements (asset identification and ownership).
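As an added example (not the article's own policy), this is what a Cloud Custodian policy using the auto-tag-user action looks like: it runs as a Lambda triggered by the CloudTrail RunInstances event and stamps the creating principal into an Owner tag on any new EC2 instance that was launched without one. The IAM role ARN and the tag name Owner are assumptions chosen for the example.

```yaml
policies:
  - name: ec2-auto-tag-owner
    resource: aws.ec2
    description: |
      Tag newly launched EC2 instances that are missing an Owner tag
      with the identity of the IAM principal that launched them.
    mode:
      # Event-driven: Custodian deploys this policy as a Lambda that
      # fires on the matching CloudTrail API call.
      type: cloudtrail
      # Placeholder role; the Lambda needs ec2:DescribeInstances and
      # ec2:CreateTags for this policy to work.
      role: arn:aws:iam::123456789012:role/custodian-lambda-role
      events:
        - RunInstances
    filters:
      # Only act when the tag is genuinely absent, so existing
      # ownership information is never overwritten.
      - "tag:Owner": absent
    actions:
      - type: auto-tag-user
        tag: Owner
```

Run it with `custodian run -s out policy.yml` to provision the Lambda; `custodian run --dryrun` shows which resources would match without tagging anything.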
Challenges that we encounter with the auto-tag approach: There can be several challenges depending on your usage, the nature of the business, and other factors. Here we discuss a few scenarios:
(1) A developer provisions AWS resources by writing Terraform and deploying it via the CI/CD pipeline. Along the way, the developer forgets to define the tags in the Terraform code. Cloud Custodian sees the resource creation via the CloudTrail events and auto-tags the resources that are missing the tags. Once Cloud Custodian has tagged them, the Terraform state file will show a difference from what was deployed the last time. Because of this, the…