How to tag at resource and account level in AWS?
All About Tagging
What is Tagging?
A tag is a label that you attach to an AWS resource to meet different requirements. It makes it easy to identify the owner, service, environment, cost center, data classification, and many other details. Each tag has two components: a key and a value. Both are case-sensitive. The maximum number of tags allowed per resource is 50. You can find other tag restrictions here. The example below shows how a resource is tagged:
What are the different assets which can be tagged in AWS?
At the time of writing this story, AWS allows tagging the following assets:
- AWS resources (for example EC2 instances, RDS instances, EBS volumes, subnets, VPCs, and others)
- The root and its child organizational units (OUs) within AWS Organizations
- AWS accounts within organizational units
- Policies within AWS Organizations
How to address the tagging problem at the AWS account level?
An organization may have several hundred AWS accounts, each intended for a specific purpose. Some are dedicated to development so engineers and developers can work on the next big thing. Some are production environments. Staging environments are also kept separate and mimic production: when code is pushed, it first goes to staging before it reaches production. Tracking and managing hundreds of accounts for ownership, data classification, cost center, tier, environment, service, and primary contact is very difficult, and it is not efficient to track them in an Excel file, a Google Doc, or any other out-of-band method.
One way to solve this problem is to include tagging at the account level. This means you attach the tags to the AWS accounts within AWS Organizations. You can tag AWS accounts using the AWS Organizations console or programmatically. AWS Organizations helps you centrally manage, consolidate, and govern all of your AWS accounts, allocate resources, apply policies, and simplify billing. Here are instructions for creating tags at the organization level: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
Once you tag the accounts at the AWS Organizations level, you can either write a Python script to pull those tags or ingest them into your SIEM solution. This gives you a real-time tabular inventory of all your accounts.
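Here is an added example of such a script (not from the original story), using the Organizations ListAccounts and ListTagsForResource calls to build one inventory row per account and flag the accounts missing any required tag. The required tag keys, the account data and the FakeOrganizations stand-in are constructed for an offline run; against a real organization the caller needs organizations:ListAccounts and organizations:ListTagsForResource permissions in the management (or delegated administrator) account.

```python
import json

REQUIRED_TAGS = ("Owner", "Environment", "CostCenter", "DataClassification")  # assumed tagging standard


def _paginate(call, key, **kwargs):
    """Follow NextToken across pages; both Organizations calls used here page the same way."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp[key]
        if not (token := resp.get("NextToken")):
            return


def build_inventory(org):
    """One row per account: identity, each required tag (blank if unset) and the missing keys."""
    rows = []
    for acct in _paginate(org.list_accounts, "Accounts"):
        # ListTagsForResource takes the 12-digit account ID as ResourceId
        tags = {t["Key"]: t["Value"]
                for t in _paginate(org.list_tags_for_resource, "Tags", ResourceId=acct["Id"])}
        row = {"AccountId": acct["Id"], "Name": acct["Name"], "Status": acct["Status"]}
        row.update({k: tags.get(k, "") for k in REQUIRED_TAGS})
        row["MissingTags"] = [k for k in REQUIRED_TAGS if not tags.get(k)]
        rows.append(row)
    return rows


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client so the script runs offline."""
    _accounts = [
        {"Id": "111111111111", "Name": "prod-payments", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "dev-sandbox", "Status": "ACTIVE"},
    ]
    _tags = {
        "111111111111": [{"Key": "Owner", "Value": "payments-team"}, {"Key": "Environment", "Value": "prod"},
                         {"Key": "CostCenter", "Value": "CC-1234"}, {"Key": "DataClassification", "Value": "confidential"}],
        "222222222222": [{"Key": "Owner", "Value": "alice"}, {"Key": "Environment", "Value": "dev"}],
    }

    def list_accounts(self, NextToken=None):
        if NextToken is None:  # two-page response so the pagination path is exercised
            return {"Accounts": self._accounts[:1], "NextToken": "page2"}
        return {"Accounts": self._accounts[1:]}

    def list_tags_for_resource(self, ResourceId, NextToken=None):
        return {"Tags": self._tags.get(ResourceId, [])}


if __name__ == "__main__":
    for row in build_inventory(FakeOrganizations()):
        print(json.dumps(row))  # one JSON line per account, ready for SIEM ingestion
```

To run it for real, pass `boto3.client("organizations")` to `build_inventory` instead of `FakeOrganizations()`.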
How to address the tagging problem at the AWS resource level?
You can tag existing AWS resources or tag them upon creation, but not every resource supports tagging. You can find which EC2 resources support tagging here. There are different ways to handle the missing-tag problem at the resource level. The most popular method is to declare the tags in Terraform at the AWS provider level; you can read here how to propagate tags from the provider level down to all resources in a Terraform template. Cloud Custodian provides several ways of solving the missing-tag problem for both existing and newly created AWS resources.
Among them, the auto-tag-user action is very powerful: it automatically tags resources that are created without an owner tag with the identity that created them. This saves the analyst time in identifying all the resources that fail the mandatory tag requirement and, more importantly, in identifying the individual who stood them up so that corrective action can be taken. The auto-tag-user action is supported for both public cloud providers, AWS and Azure. You can read the story here on using the guardrail for auto-remediation of missing tags.
Tagging is very important and plays a critical role in knowing and managing your cloud resources. Don't make your tagging so complex that developers find it difficult to understand when to apply which label, or introduce so many tags that the scheme soon becomes unmanageable and irrelevant; that leads to many hours spent trimming the tag count. Simply start with the basics and see what works best for your organization.