Treating the Mishmash of Missing Tag Resources in AWS using the Cloud Custodian (Part 1)

PART — 1

Now that your resources are up and running in the AWS cloud, it is very important to know what those resources are. Once you look, you may find yourself in a big mishmash of resources that have been stood up by your development team. This results in companies not knowing what is running and what it costs.

In this three-part series, we will look at the various aspects of tagging resources, why it is so important, and how to manage tagging correctly using the open-source tool Cloud Custodian.

Why do you need to tag the resources?

The days are gone when you forecast and budget the number of servers you need, along with the CPU power, memory, hard disk, interface cards, OS, utilities, applications, and many other components. Don’t forget the months it takes for procurement to get the equipment and another couple of months for IT to provision it and deploy it into the data center. With the cloud, you can launch an instance with a few clicks and have a very powerful machine with everything loaded and running.

This enables developers, engineers, and others in the organization to stand up any resources they want, at any time. Soon you lose visibility of what is out there: who owns it, its purpose, what kind of environment it is, the associated cost and cost-center allocation, data security, access control, security misconfiguration, and many other factors, any of which may lead to embarrassment for the organization.

Tagging your AWS resources helps with the following:

  1. Visibility and Purpose: identifies the type of resource being stood up and its purpose. You can even label the purpose as a service name.
  2. Data Classification: easily identifies the type of data the resource holds.
  3. Ownership: identifies who owns the resource, either an individual or a team name.
  4. Environment: identifies whether the resource was stood up for production or development. It can also label the tier, such as low, high, or staging.
  5. Compliance: very important for identifying the assets that fall under compliance and regulatory requirements, for example PCI assets, FedRAMP assets, GLBA assets, etc.
  6. Cost: the most important data point for executives and management. They want costs to stay low while scaling resources to support the business.

Here’s one of the first tips you’ll want to adopt: don’t make your tagging so complex that developers find it difficult to understand when to label what, and don’t introduce so many tags that the scheme soon becomes unmanageable and irrelevant. That will cost you many hours trimming the tag count later. Simply start with the basics and see what works best for your organization. An example of resource tagging is below:

AWS Resource Tagging Example

What resources should be tagged?

During the course of remediating the missing tags, you may find developers pushing back, asking “How does this improve our security posture?” So the best place to begin is to determine which resources must be tagged and which ones need not be. Begin by establishing a “Cloud Resource Tagging Policy”. This lets developers understand the minimum baseline to include in their Terraform templates. The policy must cover tagging all resources supported by AWS, and it must also consider which resources Cloud Custodian supports for tagging. You must also ensure that you don’t exceed the tagging limit: based on the AWS documentation, each supported resource can have a maximum of 50 user-created tags. The command below outlines the supported filters and actions for resources in AWS, which shows what resources Cloud Custodian supports for tagging.

Displays Schema for AWS Only
Displays Schema for AWS, Azure, and GCP

You can break the resource tagging problem into two divisions: resources that already exist but are missing a tag, and newly created resources (also called on-creation).
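The two divisions above map directly onto two Cloud Custodian execution modes: a pull-mode policy that sweeps the existing inventory, and a CloudTrail-mode policy that fires when a resource is created. The policy file below is an added example written for this article, not code from the original post or from the Cloud Custodian project; the tag keys (Owner, Environment), the marker tag name, the account ID, the SQS queue URL and the IAM role ARN are assumptions to replace with values from your own tagging policy. The `custodian schema` command named in the comments is the tool's real CLI for listing supported resources, filters and actions.

```yaml
# Added example (not from the article): one Cloud Custodian policy file that
# covers both divisions. Tag keys, the marker tag, account ID, queue URL and
# role ARN are assumptions; substitute the values from your tagging policy.
#
# Confirm a resource type, filter or action is supported before using it:
#   custodian schema aws                         # all AWS resource types
#   custodian schema aws.ec2                     # filters and actions for EC2
#   custodian schema aws.ec2.filters.tag-count   # one filter's parameters
policies:

  # Division 1: resources that already exist but are missing a required tag.
  # Runs in pull mode against the current inventory. The instance is marked
  # with a future stop date (a grace period) and the owner team is notified,
  # rather than stopping or terminating it immediately.
  - name: ec2-missing-required-tags
    resource: aws.ec2
    description: Flag EC2 instances that have no Owner or Environment tag
    filters:
      - or:
          - "tag:Owner": absent
          - "tag:Environment": absent
    actions:
      - type: mark-for-op
        tag: custodian_cleanup     # assumed marker tag name
        op: stop
        days: 7
      - type: notify
        subject: "EC2 instances missing required tags"
        to:
          - cloud-team@example.com   # assumed recipient
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer  # assumed

  # Guard rail for the 50 user-tag limit: an instance already at 49 or more
  # user tags cannot receive the custodian_cleanup marker, so report those
  # separately instead of letting the mark-for-op action fail on them.
  - name: ec2-near-tag-limit
    resource: aws.ec2
    description: Report EC2 instances with 49 or more user-created tags
    filters:
      - type: tag-count
        count: 49
        op: gte
    actions:
      - type: notify
        subject: "EC2 instances at the tag limit"
        to:
          - cloud-team@example.com   # assumed recipient
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer  # assumed

  # Division 2: newly created resources (on-creation). Deployed as a Lambda
  # triggered by the CloudTrail RunInstances event; it records the IAM
  # principal that launched the instance so ownership is never missing.
  - name: ec2-tag-creator-on-launch
    resource: aws.ec2
    description: Write the launching principal into the Owner tag
    mode:
      type: cloudtrail
      role: arn:aws:iam::123456789012:role/custodian-lambda   # assumed role ARN
      events:
        - RunInstances
    actions:
      - type: auto-tag-user
        tag: Owner
```

Run `custodian validate policy.yml` to check the file against the schema, then `custodian run -s output --dryrun policy.yml` to see which instances each pull-mode policy would match before any action is taken; the CloudTrail-mode policy is deployed (not executed locally) by `custodian run` without `--dryrun`. Keeping the grace-period marker separate from the notification means the `notify` action (which needs c7n-mailer and the queue) can be dropped without losing the enforcement record on the resource itself.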

Establishing a Cloud Resource Tag Policy Document

A policy document must contain a high-level statement on tagging public cloud resources with various keys and values, describing the naming convention, how untagged resources are handled, an example of tagging using Terraform and the console, management approval, and lastly a revision history.

Asset Management

“Get to know your asset” (GTKYA) in the public cloud is the most important task. When done properly, you can identify the risk and apply security controls to protect your assets. In other words, identifying resources, ownership, and data classification helps you understand your resource inventory in the public cloud and thus understand your risk better. This also helps you meet one of the control objectives defined in Annexure A of the ISO 27002 standard, i.e., Asset Management.

In the next part, we will look at Cloud Custodian, its policy structure, and how to manage the missing tags for existing resources.

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.