How to tag at resource and account level in AWS?

What is Tagging?

A tag is a label that you attach to an AWS resource to meet different requirements. It makes it easy to identify the owner, service, environment, cost center, data classification, and many other details. Each tag has two components: a key and a value. Both are case-sensitive. The maximum number of tags allowed per resource is 50. You can find other tag restrictions here. The example below shows how a resource is tagged:

What are the different assets which can be tagged in AWS?

At the time of writing this story, AWS allows tagging the following assets:

  • AWS resources (for example EC2 instances, RDS databases, EBS volumes, subnets, VPCs, and others)
  • The root organizational unit and its child OUs within AWS Organizations
  • AWS accounts within organizational units
  • Policies within AWS Organizations

How to address the tagging problem at the AWS account level?

An organization may have several hundred AWS accounts, each intended for a specific purpose. Some are dedicated to development so engineers and developers can work on the next big thing. Some are production environments. Staging environments are also separate and mimic production: when code is pushed, it first goes to staging before it reaches production. Tracking and managing hundreds of accounts for ownership, data classification, cost center, tier, environment, service, and primary contact is very difficult, and it is not efficient to track them in an Excel file, a Google Doc, or any other out-of-band method.

[Screenshot, for illustration purposes only: Account Inventory in Sumo Logic]
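One way to turn that account inventory into an automated check, as an added example that is not from the original article: a small Python audit that takes the tag list AWS Organizations returns for each account and reports every account missing a required key, carrying an empty value, or using a value outside the agreed vocabulary. The required key set, the accepted values, and the placeholder account IDs are assumptions; the live helper assumes boto3 with read access to AWS Organizations, while the audit itself runs offline on the constructed sample.

```python
from typing import Dict, Iterable, List, Mapping, Set
# Required keys plus, where a fixed vocabulary makes sense, the accepted values. AWS tag
# keys and values are case-sensitive, so checks are exact; an empty set = any non-empty value.
REQUIRED_TAGS: Dict[str, Set[str]] = {
    "Owner": set(),
    "Environment": {"dev", "staging", "prod"},
    "CostCenter": set(),
    "DataClassification": {"public", "internal", "confidential", "restricted"},
    "PrimaryContact": set(),
}

def audit_tags(tags: Mapping[str, str], required=REQUIRED_TAGS) -> List[str]:
    """Findings for one tagged asset; an empty list means it is compliant."""
    findings = []
    for key, allowed in required.items():
        if key not in tags:
            findings.append(f"missing tag {key}")
        elif not tags[key].strip():
            findings.append(f"empty value for {key}")
        elif allowed and tags[key] not in allowed:
            findings.append(f"{key}={tags[key]!r} not in {sorted(allowed)}")
    return findings

def audit_accounts(accounts: Iterable[Mapping]) -> Dict[str, List[str]]:
    """Account Id -> findings. Organizations returns tags as [{"Key": .., "Value": ..}]."""
    return {a["Id"]: audit_tags({t["Key"]: t["Value"] for t in a.get("Tags", [])}) for a in accounts}

def fetch_org_accounts() -> List[dict]:
    """Live variant via boto3 Organizations (imported lazily so the audit stays usable offline)."""
    import boto3  # assumes credentials in the management or a delegated-administrator account
    org = boto3.client("organizations")
    accounts = []
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            pages = org.get_paginator("list_tags_for_resource").paginate(ResourceId=acct["Id"])
            tags = [t for p in pages for t in p["Tags"]]
            accounts.append({"Id": acct["Id"], "Name": acct["Name"], "Tags": tags})
    return accounts

# Constructed sample data with placeholder account IDs, standing in for the live call.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "payments-prod", "Tags": [
        {"Key": "Owner", "Value": "payments-team"}, {"Key": "Environment", "Value": "prod"},
        {"Key": "CostCenter", "Value": "CC-1001"}, {"Key": "DataClassification", "Value": "confidential"},
        {"Key": "PrimaryContact", "Value": "payments-oncall@example.com"}]},
    {"Id": "222222222222", "Name": "sandbox-dev", "Tags": [  # no cost center, classification, contact
        {"Key": "Owner", "Value": "platform"}, {"Key": "Environment", "Value": "dev"}]},
    {"Id": "333333333333", "Name": "legacy-prod", "Tags": [  # empty owner, wrong case on environment
        {"Key": "Owner", "Value": ""}, {"Key": "Environment", "Value": "Prod"}]},
]
```

Replace `SAMPLE_ACCOUNTS` with `fetch_org_accounts()` to run it against a real organization; the findings dict is what you would feed into a ticket or a dashboard.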

How to address the tagging problem at the AWS resource level?

You can tag existing AWS resources or tag them upon creation, but not all resources support tagging. You can find which EC2 resources support tagging here. There are different ways to handle missing tags at the resource level. The most popular method is to declare the tags within Terraform at the AWS provider level; you can read here how to propagate the tags from the provider level down to all resources in the Terraform template. Cloud Custodian provides several ways of solving the missing tag problem for both existing and newly created AWS resources.

Final Thoughts

Tagging is very important and plays a critical role in knowing and managing your cloud resources. Don't make your tagging scheme so complex that developers find it difficult to understand when to label what, or introduce so many tags that the scheme soon becomes unmanageable and irrelevant. That will cost many hours later trimming the tag count. Simply put: start with the basics and see what works best for your organization.

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.