Innova Solutions > Perspectives > AWS Resource Tagging

An Introduction to how Innova uses AWS resource tags to help our customers achieve their cloud goals

What is AWS Resource Tagging?

AWS resources tags are arbitrary key-value pair metadata that can be attached to most resource types. Tags can be used to enforce, report, and track metrics like usage and cost and policies such as data classification, privacy, ownership, purpose, or other criteria. This allows organizations greater visibility and control over their cloud infrastructure resources.

What does Innova use AWS Resource Tags for?

1.1     Saving effort

Tags can be used to integrate support for AWS resources from an ITSM perspective for incident Management and can support operations processes such as backup/restoration and operating system patching by automation through calendar, OS, or type tags.

1.2     Saving time

AWS tags allow organizations to automate processes while limiting changes to only those resources labeled with designated tags. For example, we can create a script that installs certificates only on production hosts. We can automatically filter those production hosts by tags in our hands – automatically, without requiring human intervention, and without risking human error.

1.3     Saving Money

Innova uses Amazon’s AWS Cost Explorer feature to enable our clients to receive insight into resource usage and associated costs. We can break down the total AWS costs by tag in Cost Explorer, allowing us to correlate costs with technical or security dimensions such as specific applications, environments, or compliance programs. Resource tags make it possible to cut the fat and optimize the environment for cost efficiency.

1.4     Staying Secure

1.4.1     Access Control

Tag-based identify and access management (IAM) utilizing AWS resource tagging allows organizations to restrict access to crucial resources to only those who must have them. IAM supports conditions limits based on specific tags and their values so that organizations can be sure that their infrastructure is always in the right hands.

What’s the catch? Not all services support tags for provisioning access via IAM, but the vast majority do! Innova can help your organization craft a cloud solution that fully supports IAM access control tagging so that you can make sure that access to your resources is fully protected.

1.4.2     Compliance

AWS resource tagging allows companies like those in the health sector to ensure that private data is kept confidential. Resources may be tagged based on criticality, for example, if the resources have HIPAA or PCI data. Such tags can ensure that proper access controls are always in place, patch compliance is up to date, and protected information is locked down, keeping organizations in continuous compliance with privacy regulations.

3. How does Innova implement AWS Tags?

3.1 Managing Tags

AWS Organizations provides two features specifically around management and governance of tags across entities (root, Organizational Units, and accounts) in an organization: Tagging Policies and Service Control Policies (SCPs).

3.1.1 Tagging Policies

Using AWS Tagging Policies, we can maintain consistent tags across the organization. Each tag policy contains a set of tag rules, and each direction maps a tag key to the allowable values for that key. This way, we can define what deals a particular tag key can have. The tag policies are checked when we perform operations that affect the tags on an existing resource. Once tag policies are created and attached, we can visit the tag policies page in the AWS Resource Groups console and see which resources are not compliant with the tag policy.

What’s the catch?

AWS tagging policies do not currently support the use of RegEx to define the values of the tag keys. The values must be statically pre-defined in the tagging policies. As a result, only the tag keys with pre-defined tag values may be used in the tagging policies.

3.1.2 Service Control Policies (SCPs)

Tagging policies restrict tag values. However, they do not prevent resources from being created without tags at all. Luckily, AWS Organizations’ service control policies steps in to fill the gap. Using Service Control Policies, we can create rules that prevent the creation of specific resource types without the specified tags – so that organizations’ resource tagging remains consistent and no infrastructure gets lost.
What’s the catch? Services like Lambda, CodePipeline, ElastiCache, and CloudWatch rules do not have tag options while creating resources using the AWS Console, and S3 does not have a tag option in AWS CLI.

3.2 Our recommended Tags

Innova recommends that organizations seeking to implement a robust and effective tagging strategy begin with the following AWS tag types:

3.2.1 Identification Tags

1. Application name
a. these should be “registered” as part of an onboarding process

a. direct link to a CMDB identifier

3. application stage
a. dev, QA, prod

4. security classification
a. confidential, restricted, public, etc.
b. representing infosec data classification

3.2.2 Ownership Tags

5. Application code
a. if there is a cost center or budget code associated with the resources

6. Business unit name
a. representing the overall BU

7. Business unit code
a. defining the overall BU code (if one exists)

8. Created by
a. email Distribution List (DL)
b. defines the DevOps, infrastructure, or application development team that made the resource

3.2.3 Incident, Problem, Change, and Service Management Tags

9. Service owner
a. email DL
b. representing the business contact

10. Support team
a. email DL
b. defining the DevOps, SRE, or infrastructure team contact supporting the resource

11. Application development team
a. email DL
b. representing the application development team

4. Our AWS Tagging Philosophy

4.1 Tag Always

It is essential to employ a consistent approach in tagging AWS resources…or things could go wrong.
For example, if tags are applied on some resources and some are left empty, or if a significant portion of the AWS resources is missing the labels used for cost allocation, the cost analysis, and reporting report will be less accurate. And, as a result, the total cost allocation will be more complicated and even more time-consuming. Likewise, suppose resources are missing a tag that identifies the presence of sensitive data. In that case, organizations may have to assume that all such resources contain sensitive data, increasing the cost and effort to lock down necessary resources.

What’s the catch?

Tags aren’t retroactive! That means that they only begin to track your resources when you apply them. So, it’s important to proactively plan and use a comprehensive tagging strategy if you’d like to get a complete picture of your resources from their inception.

4.2 Tag Everywhere

And everything you can! Since AWS allows tagging of most types of resources that cost money, organizations can expand and apply the cost tags across all resource types, yielding the most accurate financial analysis and reporting data.

5. The Bottom Line

Tags are a fantastic way to categorize, sort, and keep an eye on your AWS resources. But there are several pitfalls even tech-savvy companies may encounter when implementing them. A trusted partner (like Innova Solutions, of course!) can help guide organizations around those obstacles so they can get the full use out of their cloud resource monitoring and management strategy.

6. Case Study

Innova used AWS Resource Tags in conjunction with our MonTag™ tagging enforcement engine to help our client achieve greater visibility over their cloud resource consumption and facilitate fine-grained cost monitoring and management, leading to a significantly improved ability to understand and manage their overall costs.