By Ludovic François, CEO – TrackIt
By Shabir Rupani, Partner Solutions Architect – AWS
Tagging resources on Amazon Web Services (AWS) is a topic that doesn’t get the attention it deserves. Although it may not seem like the most direct means of saving money or managing your AWS account, strategic tagging provides AWS users with the necessary visibility to effectively identify, track, and manage their resources.
This, in turn, helps organizations optimize expenses while improving the return on investment (ROI) of their cloud deployments. Tagging also provides an effective means of allocating expenses to the correct cost centers.
Due to the visibility and insights it provides, effective tagging is indispensable for companies keenly interested in optimizing and allocating their cloud costs on AWS.
In our experience working with customers, we have learned there is a general lack of knowledge around tagging and how companies should approach it to effectively manage their AWS resources. We have seen glaring issues in the way companies implement (or don’t implement) their tagging strategies that often jeopardize any chances they have of leveraging the utility of their AWS tags.
This is what Tagbot was designed to address. Tagbot is a simple tool that uses artificial intelligence (AI) and machine learning (ML) to expose the tag coverage in your AWS environment. Built by TrackIt and available on AWS Marketplace, Tagbot addresses the business impact associated with how well-tagged your infrastructure is.
TrackIt is an AWS Advanced Consulting Partner specializing in cloud management, consulting, and software development solutions. They firmly believe that companies deploying resources on AWS can better leverage their tagging efforts if they are provided with the right information, insights, and guidelines from the start.
In this post, we will share TrackIt’s comprehensive take on AWS tagging and how we believe it should be done.
Why Use Tags on AWS?
Tags are metadata that can be assigned to resources on AWS. Each tag is a label consisting of a user-defined key and optional value.
Tags provide users with information and context about specific cloud resources. For instance, tags can be used to identify who owns the resource, the environment in which the resource is used, and any other technical or business attributes the enterprise may require.
As cloud deployments get larger, teams often struggle with increasing amounts of deployed resources that are constantly moving, growing, and evolving.
Projects may be shared between multiple teams and can rely on different regions and platforms. As a result, the larger a cloud deployment gets, the harder it is for teams to effectively monitor their resources. This is where tags come in.
Tags allow companies to scale their AWS deployments by providing teams with visibility into the exact resources that are at play at any given time, the people who are using them, and the purpose for which these resources were created. In essence, the more high-quality tags you assign to your resources, the easier it becomes to manage them.
Four Major Categories of AWS Tags
Most companies group tags into four major categories:
Technical Tags on AWS
There are three major Technical tags: Name, Environment, and Version. If implemented correctly, they can help companies get an accurate idea of the spending and overall efficacy of their deployments.
- Name tags are used to identify individual resources and are usually employed effectively by users in their resource management efforts.
- Environment tags, which are used to help distinguish between development, test, and production infrastructure, are often not used adequately by the majority of AWS users. The primary benefit of using Environment tags is they allow you to segment your resources based on the environment they belong to (development, production, test). Environment tags also provide you with a simple means to evaluate each environment independently and simplify the process of pinpointing areas where resource usage is not optimized.
- Version tags come in handy when users need to distinguish between different versions of resources or applications, although often they are not as crucial as the Name and Environment tags.
Automation Tags on AWS
Automation tags serve as the on/off switch for resources partaking in collective automation activities. Automation tags can be used to opt-in or opt-out of automation activities, or to identify specific versions of resources that need to be updated, archived, or deleted.
A typical example that illustrates the usage of Automation tags is that of organizations using start/stop scripts along with Amazon Elastic Compute Cloud (Amazon EC2) instance tags to turn off their development environments during non-working hours to cut costs.
Business Tags on AWS
A typical organization using the cloud often deploys resources across multiple cost centers such as engineering, sales, marketing, finance, and HR.
Business tags allow users to clearly identify who is responsible for a specific resource, for what purpose the resource is being used, and the cost center associated with the resource. These tags provide AWS users with the vital information they need to monitor their deployments and make sound decisions.
Tags used for cost allocation fall under this category. AWS Cost Explorer and the AWS Cost and Usage Report enable users to filter and break down their costs by tag. A commonly used AWS business tag such as “cost center,” for instance, allows organizations to gain a better understanding of their AWS costs across different cost centers.
Security Tags on AWS
Security tags can be leveraged by AWS users to identify and filter resources that require additional monitoring.
Many organizations run workloads that contain sensitive data subject to regulations such as HIPAA or GDPR. In such cases where the security of the deployment is of paramount importance, organizations should use Security tags to identify resources that require additional monitoring.
Security tags can also be used to allow or deny access to specific resources by using conditions within the AWS Identity and Access Management (IAM) policies. These allow users to employ tag-based conditions to regulate permissions based on specific tags and values.
AWS Tagging Use Cases
Tagging helps AWS users effectively identify, filter, and manage their resources. The utility of strategic and appropriate tagging often becomes painfully apparent to organizations when they start having a large number of resources under the same account being used for varied purposes.
Cost management is arguably the most important use case when it comes to tagging resources on AWS. Tags allow AWS users to easily filter resource groups and prepare cost allocation reports broken down based on the selected tags.
Users can easily access cost allocation reports using tags associated with specific technical or business attributes, such as “production” or “sales.” With costs being accurately identified, users gain a comprehensive understanding of their cloud costs, pinpoint resources that are either redundant or aren’t being used, and identify potential opportunities to save money.
The AWS Cost Explorer tool located within the AWS Billing and Cost Management console allows users to access detailed billing reports based on the tags they select.
Tagging is often used for automation, and resources that are grouped using unique tags can be identified and used in collective automation activities.
Examples of automation using tags:
- Automating the termination of temp dev resources at the end of the day.
- Automating the movement of business workflows from one stage to another stage using Amazon Simple Storage Service (Amazon S3) file tags.
- Automating data backup, archiving, and disaster recovery (DR) using cadence tags that set the frequency of these tasks.
Users can leverage tags to establish access control protocols. IAM policies enable owners to define their own conditions and restrict user access using tags.
Examples include using AWS VPN Client tagged groups, and tagging Amazon EC2 instances to restrict access to a specific resource.
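A tag-based IAM policy of the kind described here and in the Security tags section, as an added example that is not from the original post: the first statement allows starting and stopping only EC2 instances tagged Environment=dev, and the second denies changing that tag, because anyone who can retag a resource can otherwise move it into or out of the policy's scope. The Sid names and the choice of the Environment key are assumptions of this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOnlyDevInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/Environment": "dev"}
      }
    },
    {
      "Sid": "DenyChangingTheControllingTag",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEqualsIgnoreCase": {"aws:TagKeys": ["Environment"]}
      }
    }
  ]
}
```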
Security Risk Management
Tags can be used to monitor resources that require additional security. As mentioned in the paragraph on Security tags, many organizations leverage the cloud to run workflows containing confidential and highly sensitive information that needs to be protected at all times. Tagging sensitive resources provides users with the necessary visibility they require to monitor their workflows and deployments.
Tagging Best Practices
Identify Tagging Requirements
Tags are used for a variety of purposes, often by multiple departments and stakeholders within an organization. In order to deploy a single tagging strategy that works for everyone, it’s important to first get all of the stakeholder groups together to identify the exact tagging requirements of each group.
Less is More
The simpler the approach to tagging, the easier it is to implement and maintain. Bear in mind that adding redundant tags only complicates the maintenance of the tagging process. Start small and create new tags only when there’s a need for them.
Consistency is key. A lack of consistency in tagging can make the entire process more complicated and time-consuming. For instance, if a significant number of the deployed resources are missing cost allocation tags, the cost analysis that uses cost allocation tags will be inaccurate.
Additional Guidelines for Tagging
Following are a few additional guidelines and limitations to pay attention to:
- AWS tags are case sensitive and must be spelled correctly.
- Each AWS tag should have a key that is less than 127 Unicode characters in UTF-8.
- Each value assigned should be less than 255 Unicode characters in UTF-8.
- AWS tags are simple strings you can assign a value to. Assigning a value does not create any semantic meaning for AWS.
- The value assigned to a tag can be an empty string but it cannot be NULL.
- You are limited to a maximum of 50 tags for most services.
- You cannot use “AWS” as a prefix for the tag since it’s reserved for AWS.
- Characters that are acceptable for tags are letters, spaces, and numbers representable in UTF-8, along with the following special characters: + - = . _ : / @
- There are some AWS resources that can only be tagged using an API or command line interface (CLI).
The following are basic tags that Tagbot believes all AWS users could leverage to manage their resources more effectively:
- Name = <string>
- Environment = <dev|stg|prod>
- Owner = <string>
- Project = <string>
- Workflow = <string>
- Date Of Creation = <date>
And here are some tags users could set up to gain additional insights:
- Department = <string>
- Creator = <string>
- Technical Contact = <string>
- Billing Contact = <string>
- Terraform = <yes|no>
- Reserved = <yes|no>
- Encryption = <yes|no>
- Snapshot = <yes|no>
- Security Review = <date>
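An added example (not TrackIt's or Tagbot's code) that audits a resource's tags against the baseline list and several of the guidelines above, and reports coverage as untagged, partially tagged or fully tagged. The function name, the inventory and the coverage rule (no tags at all, some baseline keys, all baseline keys) are assumptions of this example; the reserved-prefix check uses `aws:`, the prefix AWS reserves.

```python
import re

# Baseline tag keys and Environment values from the list above.
REQUIRED = ("Name", "Environment", "Owner", "Project", "Workflow", "Date Of Creation")
ENVIRONMENTS = {"dev", "stg", "prod"}
# Letters, digits, spaces and + - = . _ : / @ (\w covers letters, digits and _).
ALLOWED = re.compile(r"[\w +\-=.:/@]*")


def audit(tags):
    """Return (coverage, findings) for one resource's tag dict."""
    findings = []
    lowered = {k.lower(): k for k in tags}
    present = 0
    for key in REQUIRED:
        if key in tags:
            present += 1
        elif key.lower() in lowered:
            # Tag keys are case sensitive, so a near miss does not count.
            findings.append(f"case mismatch: {lowered[key.lower()]!r} should be {key!r}")
        else:
            findings.append(f"missing: {key}")
    for key, value in tags.items():
        if key.lower().startswith("aws:"):
            findings.append(f"reserved prefix: {key!r}")
        if not ALLOWED.fullmatch(key) or not ALLOWED.fullmatch(value):
            findings.append(f"disallowed character in {key!r}")
    env = tags.get("Environment")
    if env is not None and env not in ENVIRONMENTS:
        findings.append(f"Environment must be one of dev|stg|prod, got {env!r}")
    if len(tags) > 50:
        findings.append("more than 50 tags")
    if not tags:
        coverage = "untagged"
    elif present == len(REQUIRED):
        coverage = "fully tagged"
    else:
        coverage = "partially tagged"
    return coverage, findings


# Constructed sample inventory (resource id -> tags), not real resources.
INVENTORY = {
    "i-0aaa": {"Name": "web-1", "Environment": "prod", "Owner": "alice",
               "Project": "shop", "Workflow": "checkout", "Date Of Creation": "2020-05-01"},
    "i-0bbb": {"name": "batch-1", "Environment": "Production"},
    "i-0ccc": {},
}
```

The case-mismatch finding is the one that most often explains gaps in cost allocation and tag-conditioned access: `name` and `Name` are different keys.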
How to Set Up Your Tags
The process of adding tags to a resource is straightforward but differs slightly depending on the type of service. Here’s an example with an Amazon EC2 instance:
- Log in to the AWS console.
- Go to the desired service page; EC2 in this example.
Figure 1 – Amazon EC2 service page.
- Navigate to the list of resources. This step may differ slightly depending on the type of service and might not be necessary for some services.
Figure 2 – List of resources.
- Select the resource for which you want to modify the tags, and then navigate to the Tags section or tab.
Figure 3 – Select resource and navigate to the Tags section.
- From there, you can add, remove, or edit tag keys and values.
How Tagbot Simplifies Your Tag Management
When you synchronize your AWS account with Tagbot, a list of your resources is automatically generated. You can then start managing all of your Automation, Technical, Business, and Security tags directly from a single dashboard.
The Tagbot dashboard provides AWS users with an easy-to-use single-page web interface where they can manage all of their tags.
The tag summary allows companies to quickly assess the extent to which their resources have been tagged. Resources are divided into three categories: totally untagged (red), partially tagged (yellow), and fully tagged (green).
Figure 4 – Tagbot dashboard.
To learn more about the Tagbot dashboard, see the Dashboard overview demo video.
Tagbot’s AI automatically scans your resources and provides tag suggestions based on resource information and tags that have been implemented previously. When you select a suggestion, the resources are automatically tagged on AWS.
To learn more about what AI suggestions on Tagbot look like, see the AI suggestion demo video.
Easy Filtering and Sorting of Resources
The Tagbot interface allows users to sort and filter their resources for each column of the dashboard’s table (ID, Type, Region, Owner, Project, Name, Environment, Date of Creation).
To see what filtering resources by Region looks like on Tagbot, watch the Filter Region demo video.
Figure 5 – Filtering by Region.
Technical Tags on Tagbot
Tagbot also enables users to sort and filter their resources by environment (dev, test, prod).
To see what filtering resources by Environment looks like on Tagbot, see the Technical tag demo video.
Figure 6 – Filtering by Environment.
Automation Tags on Tagbot
Tag automation usually requires the use of AWS Lambda functions. As an example of an automation tool, this GitHub repository was created by the TrackIt team to help DevOps engineers manage their untagged Amazon EC2 and Amazon Relational Database Service (Amazon RDS) resources by either stopping them or terminating them.
Users can leverage Tagbot to identify untagged resources in the dashboard. They can then configure the tool to automatically send them a notification on Slack informing them about untagged EC2 and RDS resources. A precise date and time to stop/terminate the resources can then be set up.
Business Tags on Tagbot
Tagbot enables companies to use business tags to quickly and easily filter resources based on projects, owners, cost centers, and more.
To see what filtering resources by name looks like on Tagbot, see the Name tag demo video.
Figure 7 – Filtering by Name.
Security Tags on Tagbot
Tagbot also enables users to leverage security tags to quickly identify and filter resources that require additional monitoring.
To learn how to set up security tags on the AWS console, see the Security tab demo video.
Figure 8 – Adding security tags.
The proper and strategic use of tagging enables organizations to optimize expenses and improve the overall ROI of their cloud deployments.
By implementing a robust tagging strategy that incorporates a tool like Tagbot, organizations can significantly enhance productivity and better manage their deployed AWS resources.