AWS Resource Management Strategy Using Tags
Ensuring that all your AWS resources are tagged appropriately saves you money. It's as simple as that.
Let us start with how the AWS docs define tags: “Tags are key and value pairs that act as metadata for organizing your AWS resources.” AWS provides them to simplify resource management and to help track AWS costs in the cost allocation report. For many cost optimizer tools, tags are one of the most important and recommended strategies. There is a whitepaper from AWS dedicated to tagging best practices, and I highly recommend using it as a reference.
In this post, I will discuss ways to discover a resource that is missing tags and how to enforce tagging.
Discovering Resources Without Specific Tags
In a practical scenario, if your organization uses AWS, multiple developers might be using the same AWS account to create resources. A resource might be left running, and you lose track of its owner until it shows up in the billing report.
To avoid these human errors, it is always better to have a plan that at least periodically discovers resources that are missing certain tags.
The most recommended way is to use an AWS service created to address such problems: AWS Config. This managed service is very helpful for checking whether resources have the required tags. It has a managed rule called “required-tags” with a decent list of supported resource types (EC2::Instance, DynamoDB::Table, EC2::VPC, RDS::DBInstance, S3::Bucket, etc.). Though you can’t edit the code behind managed rules, you can reduce the number of resources and limit the scope of this rule (which is pretty cool).
In addition, you can also create custom rules and update the resources with the necessary default tags. For example, this Python code for Lambda will help ensure that EC2 resources have the required tags and that those tags have valid pre-defined values. You can customize this Lambda function and add logic to insert tags if the compliance check fails.
AWS Config is a safe and reusable option not only to detect missing tags but also to insert a default value. The setup can be exported as an AWS CloudFormation template and reused across regions, and it can generate CloudWatch events to record when resources were created without tags, as well as automate an email to the team to take the recommended actions.
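An added example (not the article's linked Lambda) of the compliance logic such a custom rule needs: it evaluates a configuration item's tags against required keys and allowed values and builds the evaluation record AWS Config expects from a rule. The REQUIRED_TAGS rule parameter and the default tag set are assumptions.

```python
"""Added example, not the article's linked code: compliance logic of an AWS Config
custom rule checking EC2 tags. The REQUIRED_TAGS parameter format is an assumption."""
import json

# Required tag keys mapped to their allowed values ([] means any value).
DEFAULT_REQUIRED_TAGS = {
    "Owner": [],
    "Environment": ["dev", "test", "prod"],
    "CostCenter": [],
}

def evaluate_tags(tags, required=DEFAULT_REQUIRED_TAGS):
    """Return (compliance_type, annotation) for one resource's tag map."""
    problems = []
    for key, allowed in required.items():
        if key not in tags:
            problems.append(f"missing tag '{key}'")
        elif allowed and tags[key] not in allowed:
            problems.append(f"tag '{key}'='{tags[key]}' not in {allowed}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]  # annotation limit
    return "COMPLIANT", "All required tags present with allowed values"

def build_evaluation(config_item, rule_params=None):
    """Build the evaluation dict AWS Config expects for a configuration item."""
    required = DEFAULT_REQUIRED_TAGS
    if rule_params and "REQUIRED_TAGS" in rule_params:
        required = json.loads(rule_params["REQUIRED_TAGS"])
    if config_item["resourceType"] != "AWS::EC2::Instance":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    else:
        compliance, note = evaluate_tags(config_item.get("tags") or {}, required)
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Entry point invoked by AWS Config on configuration changes."""
    import boto3  # imported here so the evaluation logic can run offline
    invoking_event = json.loads(event["invokingEvent"])
    rule_params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = build_evaluation(invoking_event["configurationItem"], rule_params)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation
```

Remediation (inserting a default tag on NON_COMPLIANT) would go in `lambda_handler` before reporting, which is the customization the article suggests.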
Enforcing Tagging
Enforcing tagging is one of the best methods to proactively manage and track resources with minimal investment. Please remember that not all resources support tags, and not all of those that do support tagging at creation time. For the complete list, visit this link.
1. AWS Service Catalog with TagOptions – This is useful when you need to choose from a pre-defined, corporate-approved catalog of products. With TagOption libraries, you can specify required tags as well as their range of allowable values. You can use TagOption libraries at the portfolio level, or even at the individual product level, to specify the range of allowable values for each tag.
2. Define an IAM policy – A more powerful option that allows very fine-grained control over resource creation, especially when certain conditions must be met. When you create IAM policies, you can specify permissions for creating and deleting tags. In addition, you can include condition keys, such as aws:TagKeys, which will prevent resources from being created if specific tags or tag values are not present. I recommend reading this blog, which has a few examples and summarizes this feature nicely.
This option is well suited for the following:
- Account-specific – For all resources belonging to users under an account
- Group-specific – For all resources belonging to users under a group
3. CloudFormation template – When you create AWS resources using AWS CloudFormation templates, use the “Resource Tags” property to apply tags to certain resource types upon creation. Use this option if you know the tags and their values beforehand.
I look forward to your comments and feedback.