Using AWS Tag Manager for cloud resources inventory management
Volodymyr Rudyi
Amazon Web Services (AWS) allows assigning metadata to clients’ AWS resources using tags. All tags serve as simple labels that consist of a user-defined key and an optional value. Both keys and values are case-sensitive. You can use tags for managing, identifying, organizing, searching for, and filtering resources easier. After all, without using tags, you will find it hard to manage your resources efficiently because the number of AWS services utilized will grow.
The majority of AWS resources provide the opportunity to add tags when creating the resource, such as an Amazon EC2 instance or an Amazon S3 bucket. But you can also apply a Tag Editor for adding tags to various supported resources at once. Thus, you have to build a relevant query for resources of different types, which, in turn, allows adding, removing, or replacing tags for the resources that appear in your search results.
General tagging strategies
The following tagging strategies allow identifying and managing AWS resources.
Resource organization. Tags serve as an efficient approach to organizing AWS resources in your AWS Management Console. For example, you can configure tags for being shown with resources, and you can also search and filter by a specific tag. Thanks to the AWS Resource Groups service, you can organize AWS resources into groups depending on one or more defined tags or some portions of tags. Finally, using Tag Editor allows consolidating and viewing information for applications containing numerous services, resources, and AWS Regions.
Cost allocation. Using AWS Cost Explorer, along with detailed billing reports, enables you to break down your AWS costs by tag. But you have to remember that a cost allocation report may involve any tag. That allows associating costs with technical and security dimensions, including special applications, environments, and compliance programs. Also, for several services, you can apply an AWS-generated createdBy tag for cost allocation goals. That helps account for resources you might not categorize otherwise.
Automation. Organizations often apply resource and service-specific tags for filtering resources during various automation activities. Therefore, automation tags allow opting in or opting out of relevant automated tasks or identifying specific versions of AWS resources you need to archive, update, or delete. For instance, you can perform automated start or stop scripts for turning off development environments. This approach is critical during non-business hours since it helps your company reduce costs.
Access control. IAM (identity and access management) policies tend to support tag-based conditions. That allows constraining IAM permissions depending on specific tags and tag values. For instance, IAM user permissions may involve conditions for limiting EC2 API calls towards the specific environments depending on relevant tags. Besides, you can implement the same strategy for limiting API calls to defined Amazon VPC networks. Lastly, support for tag-based IAM permissions is considered service-specific.
How to use tags for “resource organization”
Imagine such a situation: we have an AWS account with hundreds of resources. After a while, we can create new resources using "infrastructure as code." But in the future, we would like to deploy all resources to another AWS account. Then, we need to identify which resources are created manually using the AWS console and which are created using the "infrastructure as code" tool.
Solution: Use “AWS Tag Editor” to find resources.
Steps:
First, we should understand what we already created by infrastructure as a code tool (AWS CDK or Terraform). Thus, we should assign a tag "Created via" with "AWS CDK" to all resources.
To do that, using AWS CDK should add such code to the main application class:
final App app = new App();
Tags.of(app).add("Created via", "AWS CDK");
Terraform AWS Provider from version 3.38.0 adds the possibility to configure default tags for all resources.
Terraform example:
# Terraform 0.12 and later syntax
provider "aws" {
# ... other configuration ...
default_tags {
tags = {
"Created via" = "Terraform"
}
}
}
The second step is to use “Tag Editor” to find all resources which do not have a tag “Created via” with value “AWS CDK.” For that, we should select the tag's name (“Created via”) and choose the value “Not tagged.”
The screenshot above shows two resources that do not contain a selected tag.
Common best practices
When developing your tagging strategy for AWS resources, you need to consider the following practices:
- Storing personally identifiable information (PII) and other types of confidential or sensitive data in tags is forbidden.
- Using a standardized, case-sensitive format for tasks and implementing it consistently through all resource types is critical.
- Analyzing tag dimensions that support various purposes, including resource access control management, cost tracking, or automation, is highly recommended.
- Using automated tools for managing resource tags is crucial. For example, AWS Resource Groups and the Resource Groups Tagging API provide programmatic control of tags. That makes managing, searching, and filtering tags and resources much easier.
- Applying too many tags is better than using too few tags.
- Changing tags for accommodating evolving business needs is necessary. But although your organization can conduct it easily, you have to analyze the outcomes of potential changes, particularly regarding tag-based access control and automation.
Conclusion
Your organization can use AWS resource tags for various purposes. They help implement a cost allocation process, support automation or authorize access to AWS resources. Applying a good tagging strategy may become a challenging task for some companies due to the many stakeholder groups involved. Such organizations may also have significant concerns about data sourcing or tag governance. But following the mentioned best practices allows starting with a tagging strategy quickly. Ultimately, you can change it since your business needs will evolve.
How AgileVision can help
As an official AWS Consulting Partner, AgileVision has helped companies of different types and sizes manage their AWS services. Are you considering implementing new AWS products and services to meet your specific business requirements or need advice on your current ones?