3.1 Managing Tags
AWS Organizations provides two features specifically around management and governance of tags across entities (root, Organizational Units, and accounts) in an organization: Tagging Policies and Service Control Policies (SCPs).
3.1.1 Tagging Policies
Using AWS Tagging Policies, we can maintain consistent tags across the organization. Each tag policy contains a set of tag rules, and each rule maps a tag key to the allowable values for that key. This way, we can define which values a particular tag key may have. Tag policies are checked when we perform operations that affect the tags on an existing resource. Once tag policies are created and attached, we can visit the tag policies page in the AWS Resource Groups console to see which resources are not compliant with the tag policy.
What’s the catch?
AWS tagging policies do not currently support the use of RegEx to define the values of the tag keys. The values must be statically pre-defined in the tagging policies. As a result, only the tag keys with pre-defined tag values may be used in the tagging policies.
3.1.2 Service Control Policies (SCPs)
Tagging policies restrict tag values. However, they do not prevent resources from being created without tags at all. Luckily, AWS Organizations’ service control policies step in to fill the gap. Using Service Control Policies, we can create rules that deny the creation of specific resource types unless the specified tags are present, so that the organization’s resource tagging remains consistent and no infrastructure gets lost.
What’s the catch?
Services like Lambda, CodePipeline, ElastiCache, and CloudWatch rules do not offer a tag option when resources are created in the AWS Console, and S3 does not offer a tag option in the AWS CLI.
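As an added illustration, not part of the Innova guidance above, the following SCP denies ec2:RunInstances unless the launch request carries two of the identification tags recommended in section 3.2, assuming the key names ApplicationName and ApplicationStage and the stage values dev, QA and prod listed there.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireApplicationNameTagOnLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "Null": { "aws:RequestTag/ApplicationName": "true" }
      }
    },
    {
      "Sid": "RequireApplicationStageTagOnLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "Null": { "aws:RequestTag/ApplicationStage": "true" }
      }
    },
    {
      "Sid": "RestrictApplicationStageValues",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/ApplicationStage": ["dev", "QA", "prod"]
        }
      }
    }
  ]
}
```

The Resource element is limited to instances and volumes because RunInstances is also authorized against the AMI, subnet and security group, which carry no request tags and would otherwise trip the Null check on every launch; for the same reason the launch request must tag both the instance and its volumes. Each required key gets its own statement because several keys under one condition operator are ANDed, which would deny only when all of them are missing.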
3.2 Our recommended Tags
Innova recommends that organizations seeking to implement a robust and effective tagging strategy begin with the following AWS tag types:
3.2.1 Identification Tags
1. Application name
a. these should be “registered” as part of an onboarding process
2. CMDB ID
a. direct link to a CMDB identifier
3. Application stage
a. dev, QA, prod
4. Security classification
a. confidential, restricted, public, etc.
b. representing infosec data classification
3.2.2 Ownership Tags
5. Application code
a. if there is a cost center or budget code associated with the resources
6. Business unit name
a. representing the overall BU
7. Business unit code
a. defining the overall BU code (if one exists)
8. Created by
a. email Distribution List (DL)
b. defines the DevOps, infrastructure, or application development team that made the resource
3.2.3 Incident, Problem, Change, and Service Management Tags
9. Service owner
a. email DL
b. representing the business contact
10. Support team
a. email DL
b. defining the DevOps, SRE, or infrastructure team contact supporting the resource
11. Application development team
a. email DL
b. representing the application development team