Home Cloud Amazon Web Services AWS Tagging Strategy and Best Practices 2019

AWS Tagging Strategy and Best Practices 2019


If we are talking AWS and its cloud services today, we will probably be talking tomorrow as well…… and the discussion never ends. Every time customers feel the need for a particular service or feature, AWS pulls the rabbit out of its hat. As their workloads, resources and infrastructure services keep on mounting, organizations need to scale their cloud environment just in time. Managing and organizing such a vast array of cloud resources then becomes the real challenge.

Implementing AWS Tagging Strategies helps enterprises streamline their cloud resources across several business units and teams. Without a proper tagging strategy in place, it becomes time-consuming to manage your resources. Also, several operational issues stretching across unpredicted cloud costs start rising.

Amazon Web Services (AWS) facilitates its users to allocate metadata to their AWS resources in the form of tags. Each tag is basically a label containing a user-defined key and an optional value that makes it less demanding to manage, search for, and filter out resources accordingly.

AWS Tag Example

AWS-Tagging-Strategies*Image Credit: AWS

In spite of the fact that there are no inbuilt tags, they allow customers to organize and classify resources by:

  • Purpose
  • Environment
  • Owner
  • And on the basis of other criteria as per requirements.

This blog is intended to shed light on commonly used Tagging Strategies and nomenclature (categories) to help AWS customers pick a consistent and effective tagging strategy, worth implementing.

Best ways to create aws tags:

While making a tagging strategy for your AWS resources validate if it accurately exemplifies organizationally relevant dimensions and sticks to the following tagging best practices:

  • Tag dimensions that provide the ability to manage resource access control, automation, cost tracking, and organization or business unit should be considered during tag creation.
  • Always create your tags in a case-sensitive, standardized format, followed by implementing it across all resource types in a consistent manner. Also, use standardized delimiters in your tags as it works well with case-sensitive tags. However, do not include delimiters in your tag values.
  • Find the right balance between, using too many tags and too few tags.

Tagging Nomenclature; Best Practices

AWS suggests some important, must-use tags relevant to your business and categorizes them into following segments:

Technical Tags:

Name – Used to identify individual resources

Application ID – Used to identify disparate resources that are related to a specific application

Application Role – Used to describe the function of a particular resource (e.g. web server, message broker, database)

Cluster – Used to identify resource farms that share a common configuration and that perform a specific function for an application

Environment – Used to distinguish between development, test, and production infrastructure

Version – Used to help distinguish between different versions of resources or applications

Tags for Automation:

Date/Time – Used to identify the date a resource should be started, stopped, deleted, or rotated

Opt-in/Opt-out – Used to indicate whether a resource should be automatically included in an automated activity such as starting, stopping, or resizing instances

Security – Used to determine requirements such as encryption or enabling of VPC Flow Logs, and also to identify route tables or security groups that deserve extra scrutiny

Business Tags:

Owner – Used to identify who is responsible for the resource

Cost Center/Business Unit – Used to identify the cost center or business unit (department in an organization) associated with a resource; typically for cost allocation and tracking

Customer – Used to identify a specific client that a particular group of resources serves

Project – Used to identify the project(s) the resource supports

Security Tags:

Confidentiality – An identifier for the specific data-confidentiality level a resource supports

Compliance – An identifier for workloads designed to adhere to specific compliance requirements

*Citing AWS

The following segments describe common and best-practised tagging strategies to help categorize and manage AWS resources better:

Tags for AWS Console Organization

Tags are an incredible way to keep your AWS resources organized in the AWS Management Console. AWS allows you to create & arrange tags to be displayed with your resources, thus making it easier to manage, search for and filter resources by these tags. The AWS Management Console is by default, organized by AWS services.

Tags for Cost Allocation

AWS Cost Explorer and detailed billing reports hold the ability (or feature in Layman’s term) to break down AWS costs by tags. On a stereotypical note, customers create business tags, for example, customerproject, or cost centre/business unit to relate AWS costs well with existing cost-allocation dimensions.

Tags for Automation

During infrastructure automation processes, service or resource-specific tags are often used to filter resources as time investment matters in such a scenario. However, Automation tags are utilized to opt in or opt out of automated activities or to classify certain types of resources to update, archive or delete.

Tags for Access Control

Identity Access Management (IAM) policies support tag-based conditions, facilitating AWS users to regulate IAM permissions on the basis of tags or allotted tag values. For example, there are some conditions one can apply on IAM role permissions to limit the access to Amazon Virtual Private Cloud (Amazon VPC) networks based on their tags. As AWS mentions, “Support for tag-based, resource-level IAM permissions is service specific”.

Thus, make sure to define and put restrictions on who else can modify the tags for access control.

Governance Achieved in Tagging

Customers use proactive, as well as a reactive approach, to govern the utilization of resource tags within their AWS environments. In reactive governance approach, tools such as Tag Editor, detailed billing reports, AWS Config Rules, etc. are used to filter improperly tagged resources. Proactive governance makes use of AWS Cloud Formation and AWS Service Catalog to make sure that standardized tags are applied consistently at the time of resource creation.

Considering all the above concepts discussed, we can conclude that, to implement tagging strategies more effectively, use of standardized tags in a consistent manner across AWS resources would help AWS customer achieve tagging governance at enterprise-scale.

Cloud Evangelist
Cloud Evangelist
Cloud Evangelists are CMI's in house ambassadors for the entire Cloud ecosystem. They are responsible for propagating the doctrine of cloud computing and help community members make informed decisions.


Cloud Management