Tagging Strategy

Importance of tags

You can assign metadata to AWS resources in the form of Tags. Each Tag has a key and a value defined by the user. Tags can help you manage, identify, organize, search and filter resources. You can create Tags to classify resources according to their purpose, owner, environment or other criteria.

The Tags are important at the security level since they will allow you:

  • Assign permissions based on tags (Attribute Based Access Control - ABAC), To allow only access to development environments if they are developers (that is, if in the user or in the role assumed there is a tag such as the following environment:development).
  • Identify the individuals or business units responsible for the resource
  • Adding tags to resources, such as compromised instances, in conjunction with a Deny statement, can prevent accidental deletion of forensics evidence needed by the incident response team once that they identified that an instance is compromised.

Documentation

Tagging Best practices

When you create a tagging strategy for AWS resources, follow the following best practices:

  • Do not store Personally identifiable information (PII) or other confidential information on Tags. Use a standardized format that distinguishes capital letters from tiny for labels and apply it consistently to all types of resources.

  • Take into consideration that the Tagging guidelines should be designed for multiple purposes, such as administering access control to resources, cost monitoring, automation and organization.

  • Use automated tools to help you manage resource labels. AWS resource groups and the AWS Resource Groups Tagging API allows you to control tags through programming, which facilitates automatic administration, search and filtering of labels and resources.

  • It is better to use many tags than few tags.

  • Remember that it is easy to change labels to adapt them to changing business requirements, but take in consideration the consequences of future changes. For example, changes on the attributes that are used for ABAC will require you to update IAM policies related to those tags.

Whitepaper Tagging Best Practices

Implementation

Video: How can I tag my AWS resources to divide up my bill by cost center or project?

Video: How do I create an IAM policy to control access to Amazon EC2 resources based on tags?