Building the Tag Strategy for AWS Resource Organization and Cost Allocation
1. Building the Tag Strategy
Shiva N – AWS Solution Architect
(narshiva@amazon.com)
2. Tagging Overview
Resource Tags
• Provide the ability to organize and search within and across resources
• Filterable and Searchable
• Do not appear in Detailed Billing Report
Cost Allocation Tags
• Provide the ability to map AWS charges to organizational attributes for accounting purposes
• Information presented in Detailed Billing Report and Cost Explorer
• Only available on certain services or limited to components within a service (e.g. S3 bucket but not
objects)
3. Tagging Restrictions
• Key (Attribute): 127 Unicode characters
• Value (Detail): 255 Unicode characters
• Tags per resource: 10 tags
Other Limitations
• Tags are account specific
• Tag keys and values are case sensitive
• Tags are unique per resource
• Resources cannot be stopped, terminated or deleted solely based on a tag
• Tags cannot begin with “aws:” as a prefix (reserved for AWS use)
4. Tagging Considerations
• Timing is important! Tags…
– Can be applied anytime: Tags can be created/applied after a resource is
created, however no information will be captured between the time the resource
was created and when the tag was applied
– Are not retroactive: Cost Allocation reports are only available from the point in
time they were activated (i.e. if Cost Allocation is activated in October, no
information from September will be displayed)
– Are static snapshots in time: Changes made to tags after a report is run will
not be reflected in reports previously run
– Must explicitly be denoted for cost allocation: After creating a new tag [key],
it must be marked/activated/added as a cost allocation tag (if applicable)
otherwise it will not be visible in the DBR or Cost Explorer.
5. Tag Key Examples
• Cost Center
• Business Unit
• Environ.
• Tier
• Owner
• Dept./Group
• Product / Application
• Shutdown Time
• Support Contact
• Endpoint
6. Tag Key Examples
• AWS Environment – Tagging schemas to distinguish production, development, and
test infrastructure.
• Cluster – Used to identify the set of instances sharing the responsibility for performing a
specific function as part of an application. Clustered instances typically share the
same configuration and exist behind a load balancer.
• Node – Distinguishes between servers/databases in a cluster with the same role, but
part of separate applications.
• Application – Tags to monitor clusters at the application layer.
• User – Tags to identify specific individuals responsible for building/deploying
instances.
• Customer – Used to identify the particular client that a particular resource serves.
• Cost Allocation – Tags for cost accounting needs.
8. Tagging Strategies
• Tags for Console Organization
• Tags for Cost Allocation
• Tags for Automation
• Tags for Access Control
Tags are your realtime CMDB
9. Tagging Strategies
• Define naming convention – Tag key names should use upper
CamelCase (or PascalCase) for manual creation. CamelCase
combines words/abbreviations by beginning each word with a capital
letter such as “MiscMetadata” and “SupportEndpoints”.
• Standardize delimiters and do not use them as part of tag values. This
works well with case sensitive tags
• Utilize concatenated/compound tagging – combine multiple
values for a tag key (i.e. Owner = JohnDoe | johndoe@company.com
| 8005551234). Pascal case should be used to standardize compound
tags.
10. Process Driven Tag Selection
[Process diagram]
Phases: Define Requirements → Design Tagging → Test & Validate → Deploy & Maintain Tagging → Additional Consideration
Steps:
• Identify Key Reports
• Meet with Report Owners
• Meet with Report Users
• Document Report Requirements and Use Case
• Document Key Fields
• Map Key Field to Source Origin
• Identify Which Field Would be Valid Tags
• Document Report Specs with Identified Tag Mapping
• Complete Test Pilot on Tags and Reports (Manual)
• Validate Automation Strategy and Tools
Additional Consideration:
• Automate Applying Tags Using CloudFormation
• Monitor and Validate Tags with Monitor Scripts
• Use Tags as Triggers for Backup Procedures or to Remove Rogue Resources
• Allow a Few Tags for Development Team Use
11. Identify Key Reports
• Tags typically align to key fields in important reports
• Validate which reports are being used to drive decisions
• Look for consistency in how reports break down and roll
up
• Start with reviewing legacy reports used by stakeholders.
12. Document Key Fields
• Document the Key Fields identified for each report
• Field Values, Length, Formats
• Logical Association of the fields
• Typical fields to look for:
– Line Of Business
– Cost Center
– Version
– Owner
– Compliance Domain
– Name
– Environment
– Application
– Tier
13. Identify and Format Tags
• Document which items will be stored as tags
• Avoid putting fields that drive reports in external sources
• Validate the Tag format
• Tag Name Best Practices for syntax
• Tag Strategy to document your tagging structure
14. Pilot the Tag Structure
• Create test resources with the Tags indicated in the Tag
Strategy document
• Generate an AWS Detailed Billing Report (DBR)
• Utilize DBR to generate the end user reports
• Validate all required data and fields work as expected
15. Tagging Maintenance Procedures
• Ensure data integrity related to tagging
• Document how tags are applied to resources
• Identify Tag monitoring procedures
• Identify procedure to update or modify tags in routines
• Develop simple scripts when high volume updates are
required
16. Additional Considerations
• Use automation to apply tags – it will guarantee
integrity and reliability of tagging
• Monitor your tags – identify tags that are not compliant
with standards through monitoring tools
• Triggers – Be innovative to identify methods of using
tags to automate common routines
• Partner with Dev - Keep a few tags in reserve for
Application owners to use as triggers
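A sketch of the kind of monitor script the bullets above call for, checking tag sets against the limits on the Tagging Restrictions slide and the naming rules on the Tagging Strategies slide. It is an added example, not part of the original deck; the required-key policy, the "|" delimiter choice, the Owner field layout and the sample inventory are assumptions.

```python
import re

# Limits exactly as stated on the "Tagging Restrictions" slide.
MAX_KEY_LEN, MAX_VALUE_LEN, MAX_TAGS = 127, 255, 10
PASCAL_CASE = re.compile(r"^(?:[A-Z][a-z0-9]*)+$")
DELIMITER = "|"  # assumed house delimiter, as in the deck's Owner example
REQUIRED_KEYS = {"CostCenter", "Environment", "Owner"}  # hypothetical policy
COMPOUND_FIELDS = {"Owner": ("Name", "Email", "Phone")}  # assumed Owner layout

def check_tags(tags):
    """Return sorted findings for one resource's {key: value} tag dict."""
    findings = []
    if len(tags) > MAX_TAGS:
        findings.append(f"resource has {len(tags)} tags, limit is {MAX_TAGS}")
    seen = {}  # lower-cased key -> first spelling seen
    for key, value in tags.items():
        if key.lower().startswith("aws:"):
            findings.append(f"{key}: 'aws:' prefix is reserved")
            continue
        if len(key) > MAX_KEY_LEN or len(value) > MAX_VALUE_LEN:
            findings.append(f"{key}: key or value exceeds length limit")
        if not PASCAL_CASE.match(key):
            findings.append(f"{key}: key is not PascalCase")
        # Keys are case sensitive, so 'owner' and 'Owner' are two separate tags.
        if key.lower() in seen:
            findings.append(f"{key}: differs only by case from '{seen[key.lower()]}'")
        seen.setdefault(key.lower(), key)
        fields = COMPOUND_FIELDS.get(key)
        parts = [p.strip() for p in value.split(DELIMITER)]
        if fields and len(parts) != len(fields):
            findings.append(f"{key}: expected {len(fields)} fields, got {len(parts)}")
        elif not fields and len(parts) > 1:
            findings.append(f"{key}: delimiter used in a non-compound value")
    for key in REQUIRED_KEYS - set(tags):
        findings.append(f"{key}: required tag is missing")
    return sorted(findings)

# Constructed sample inventory (resource id -> tags), not real resources.
SAMPLE = {
    "i-constructed01": {"CostCenter": "1234", "Environment": "Prod",
                        "Owner": "JohnDoe | johndoe@company.com | 8005551234"},
    "i-constructed02": {"owner": "JaneRoe", "Owner": "JaneRoe | janeroe@company.com",
                        "Environment": "Dev|Test", "aws:Name": "x"},
}

if __name__ == "__main__":
    for resource_id, resource_tags in SAMPLE.items():
        for finding in check_tags(resource_tags):
            print(resource_id, finding)
```

In a real account the tag dicts would come from the tagging API or a billing export rather than the inline sample.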
18. Resources
• Working with Tag Editor & Resource Groups
http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html
• AWS CloudFormation Resource Tags Type
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
• Using Tags in IAM
https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/
• AWS Billing and Cost Management
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html
• Resource Groups and Tagging for AWS
https://aws.amazon.com/blogs/aws/resource-groups-and-tagging/
• Demystifying EC2 Resource-Level Permissions
https://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
• DevOps Backup in Amazon EC2
https://medium.com/aws-activate-startup-blog/devops-backup-in-amazon-ec2-190c6fcce41b