Tag: Governance

Demystifying the Cloud: The Crucial Role of Tagging in AWS

Nivlesh ChandraLeave a comment

Introduction

In the ever-evolving landscape of cloud computing, the ability to efficiently manage and optimise your resources is paramount. Amidst the dynamic and expansive AWS ecosystem, there exists a powerful tool that empowers you to categorise, track, and streamline your digital assets – tagging.

As cloud environments grow in scale and complexity, the importance of tagging transcends mere organisational convenience. It influences cost allocation, budgeting, security, resource optimisation, automation, and much more. Whether you’re a seasoned AWS veteran or just beginning your cloud journey, understanding the art of tagging can lead to more informed decisions, better cost control, and an overall streamlined cloud experience.

In this blog, we’ll delve deep into the multifaceted role of tagging in AWS, uncovering how it acts as a guiding light in the intricate labyrinth of cloud management. As we embark on this journey, l will also introduce valuable tools designed to seamlessly address your tagging requirements, ensuring a comprehensive understanding of this essential practice.

What is Tagging?

Tagging in AWS is a critical organisational and operational practice that involves attaching metadata, known as tags, to your AWS resources. Tags are key-value pairs that provide additional information about your resources. However, it is important to understand that tags can be easily accessed from within your AWS Account, and should not be used to attach private or sensitive data to resources.

Why is Tagging Important?

Now that we know what tagging is, lets find out why it is important.

  1. Resource Management and Identification: Tags help you easily identify, categorise, and locate resources within your AWS environment. With proper tagging, you can quickly distinguish between different types of resources, such as production and development environments, cost centres, application owners, and more.
  2. Cost Allocation and Budgeting: Tags play a crucial role in tracking and allocating costs within your organisation. By assigning tags to resources, you can accurately attribute costs to specific projects, teams, departments, or business units. This makes it easier to manage budgets, optimise spending, and identify areas where cost savings can be achieved.
  3. Optimised Billing and Reporting: With tagged resources, you can generate detailed billing reports that provide insights into your spending patterns. This helps you analyse resource usage, allocate costs accurately, and make informed decisions about resource optimisation.
  4. Automation and Workload Management: Tags are used in automation scripts and policies to automate resource provisioning, management, and scaling. You can use tags to define rules that trigger specific actions, ensuring your resources are properly managed based on predefined criteria.
  5. Security and Compliance: Tags can be used to classify resources based on their security requirements or compliance needs. This allows you to apply consistent security measures and compliance policies across resources with similar tags.
  6. Lifecycle Management: Tags are valuable for tracking the lifecycle of resources. You can use tags to indicate whether a resource is in development, testing, staging, or production. This helps prevent accidental modifications or deletions of critical resources.
  7. Collaboration and Communication: Tags provide a standardised way to communicate information about resources across teams and departments. They facilitate collaboration by ensuring everyone has a clear understanding of the purpose and ownership of resources.
  8. Automation of Governance Policies: Many AWS services, such as AWS Identity and Access Management (IAM), AWS CloudFormation, and AWS Cost Explorer, support tag-based policies. These policies allow you to enforce governance rules and access controls based on tags, ensuring compliance with organisational guidelines.

Types of Tags

In AWS, tags can be broadly categorised into two main types: system tags and user-defined tags. These types help classify tags based on their origin and purpose:

  1. System Tags:
    • AWS-Maintained System Tags: These tags are automatically applied by AWS services to resources for specific purposes. They are used to manage and track resources within AWS services. For example, AWS CloudFormation applies the following system tag to resources it creates “aws:cloudformation:stack-id”.
  2. User-Defined Tags:
    • User-Defined Cost Allocation Tags: These tags are manually created by users to allocate costs and track resource usage. They are often used for billing, cost allocation, and reporting purposes. For instance, a team might use tags like “Environment,” “Project,” or “Owner” to identify the purpose and ownership of resources.
    • User-Defined Metadata Tags: These tags are also manually created by users, but they serve a more descriptive purpose beyond cost allocation. They provide additional context and information about resources. For example, tags like “Application,” “Version,” or “Department” can help in organising and managing resources effectively.

By using a combination of system tags and user-defined tags, organisations can implement effective resource tracking, cost allocation, and management practices across their AWS environment. It’s important to establish tagging policies and standards that align with your organisation’s requirements to ensure consistent and meaningful tagging practices.

How To Create And Attach Tags To Resources?

We start by defining a tagging strategy. This will help answer the requirements from the various stakeholders in your business, for example, the finance team might want to know who owns the resources, so that they can get them to pay for their share of the AWS bill.

This article provides a good foundation on how to create a tagging strategey https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/building-your-tagging-strategy.html

When creating a tagging strategy, you should always align to best practices. I have listed some important ones below.

  • Tags are not private and can be accessed by many AWS services. Do not add private or sensitive information in tags, for example, never add personally identifiable information (PII) or other confidential/sensitive information in tags. You can use AWS Secrets Manager or AWS SSM Parameter Store with Secure Strings instead.
  • ensure your tags align to the naming limits and requirements. You can read more about these at https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html.
  • Create a format for the tags, as per your business requirements and apply it consistently across all resource types.
  • Use AWS tools to manage your resource tags (these will be discussed further below in this blog).

For more information about tagging best practices, naming limits and requirements, you can refer to this article https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html.

Tags can be added/updated using the AWS Management Console, AWS CLI or by calling the AWS API. If you are using an automated provisioning solution (CICD pipelines), you can include code to add/update tags whenever the pipeline runs.

Keep in mind that not all AWS services support tags. This article provides a full list of AWS services that do support tags https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html.

How To View Tags?

For AWS resources that support tags, you can easily view tags using the AWS Management Console, AWS CLI or AWS API. They appear as an attribute of the AWS resource.

However, if you have multiple services, for which you want to view the tags, for example, Amazon Simple Storage Service (S3) buckets, Amazon Elastic Compute Cloud (EC2) instances etc, it can get quite tiring having to navigate from one portal to another.

A simpler method is to use the AWS Tag Editor. You can use this tool to view, add, remove or replace tags for one or multiple resources. This tool can also be used to find resources that do not have any tags, thereby making it easier to ensure all your resources have been properly tagged.

More information about AWS Tag Editor is available at https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html.

Enforcing Tag Governance

Once we have developed a good tagging strategy, we need to ensure that it is adopted and used organisation wide. This is where governance procedures come in place. We need to ensure that mandatory tags get applied across all resources and we have the ability to quickly and easily audit all the resources for their tag compliance and be able to quickly remediate any deviations.

So how would you enforce these mandatory tags? Lets look at some AWS tools that enable us to do this.

  • Tag Policies – these policies allow you to specify tagging rules that apply to resources, when they are tagged. For example, you can use these to enforce that the tag names follow a certain case format, and that the values match what the policy defines. A tagging policy can also be set to “enforced”, this prevents any non-compliant tagging requests from completing. To use Tag policies, you need to have AWS Organisations with all features enabled. Tag policies can be managed using AWS Organisations or AWS Resource Groups. You can read more about Tag policies in this article https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
  • AWS Config – the AWS Config required_tags rule can be used to automatically find resources that are missing mandatory tags. This rule can be further enhanced by enabling automated remediation, where it runs a custom AWS Lambda function to add the missing tags to the resource. You can read more about this AWS Config rule here https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/implementing-and-enforcing-tagging.html.
  • AWS Organisations Service Control Polices (SCPs) – SCPs can be used to deny certain permissions when the resources are not compliant with your tagging policies. For example, you can deny ec2:RunInstances requests when Owner, Environment and CostCentre tags are missing from an Amazon EC2 instance. More information about using SCPs for tag enforcement is available in this article https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/implementing-and-enforcing-tagging.html

I hope this article provided you with good insights into why tagging strategies are important and how you can enable and enforce them in your own organisation.

Till the next time, stay safe!