You can assign metadata to AWS resources in the form of Tags. Each Tag has a key and a value defined by the user. Tags can help you manage, identify, organize, search and filter resources. You can create Tags to classify resources according to their purpose, owner, environment or other criteria.
The Tags are important at the security level since they will allow you:
When you create a tagging strategy for AWS resources, follow the following best practices:
Do not store Personally identifiable information (PII) or other confidential information on Tags. Use a standardized format that distinguishes capital letters from tiny for labels and apply it consistently to all types of resources.
Take into consideration that the Tagging guidelines should be designed for multiple purposes, such as administering access control to resources, cost monitoring, automation and organization.
Use automated tools to help you manage resource labels. AWS resource groups and the AWS Resource Groups Tagging API allows you to control tags through programming, which facilitates automatic administration, search and filtering of labels and resources.
It is better to use many tags than few tags.
Remember that it is easy to change labels to adapt them to changing business requirements, but take in consideration the consequences of future changes. For example, changes on the attributes that are used for ABAC will require you to update IAM policies related to those tags.
Whitepaper Tagging Best Practices
Video: How can I tag my AWS resources to divide up my bill by cost center or project?
Video: How do I create an IAM policy to control access to Amazon EC2 resources based on tags?