December 10th, 2015
Tagging and ARN Path Best Practices
By Rich Uhl

One of the most common questions our customers ask us about is best practices around tagging resources in AWS. Surprisingly, AWS doesn’t provide a best practices guide for tagging like they do for the majority of their services. What follows in this post serves as our own guide to “best practices” for tagging that we’ve compiled through years of working with customers large and small.

Guidelines and Reminders

Tag Management

Here are some tips for dealing with tags:

  • Determine who has the ability to create and manage tags
  • Educate users that, for tags, create and modify are the same level of access: setting a tag key that already exists overwrites its value
  • Consider having tagging completed by an API/Portal in order to better control who has the ability to create and modify tags (since create and modify are the same permission)
  • Enterprise customers concerned with tagging integrity should leverage a toolset like Splunk to track and alert for sensitive tags (i.e. Billing Code or Cost Center)
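The tracking and alerting the last two points call for can be done from CloudTrail. The script below is an added example (not code from the original post): it replays constructed CloudTrail records for the EC2 CreateTags and DeleteTags APIs and raises an alert whenever a call creates, overwrites or removes a tag on a sensitive-key list. The account id, instance id, user ARNs and the sensitive-key list are assumptions; the record layout follows CloudTrail's EC2 format. Because CreateTags is one API for both creating and overwriting a tag, only a tag inventory replayed alongside the events can tell the two apart, which is the reason create and modify cannot be separated by permission.

```python
"""Audit CloudTrail tag events for changes to sensitive tag keys.

Added example, not code from the original post. Replays constructed
CloudTrail records for the EC2 CreateTags / DeleteTags APIs and returns
an alert for every call that creates, overwrites or removes a tag whose
key is on the sensitive list.
"""
import json

# Tag keys that drive billing or separation; the list itself is an assumption
SENSITIVE_KEYS = {"CostCenter", "BillingCode"}

# Constructed CloudTrail records: account id, instance id and ARNs are
# placeholders, the field layout follows CloudTrail's EC2 record format
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2015-12-10T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTags",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Corp/IT/SharedSvcs/alice"},
     "requestParameters": {
         "resourcesSet": {"items": [{"resourceId": "i-0a1b2c3d"}]},
         "tagSet": {"items": [{"key": "CostCenter", "value": "CC#12345"}]}}},
    {"eventTime": "2015-12-10T15:40:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTags",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/BU1/Marketing/Materials/bob"},
     "requestParameters": {
         "resourcesSet": {"items": [{"resourceId": "i-0a1b2c3d"}]},
         "tagSet": {"items": [{"key": "CostCenter", "value": "CC#99999"}]}}},
    {"eventTime": "2015-12-10T15:41:20Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTags",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/BU1/Marketing/Materials/bob"},
     "requestParameters": {
         "resourcesSet": {"items": [{"resourceId": "i-0a1b2c3d"}]},
         "tagSet": {"items": [{"key": "Name", "value": "web01"}]}}},
    {"eventTime": "2015-12-11T09:12:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteTags",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/BU1/Marketing/Materials/bob"},
     "requestParameters": {
         "resourcesSet": {"items": [{"resourceId": "i-0a1b2c3d"}]},
         "tagSet": {"items": [{"key": "CostCenter"}]}}},
]})


def audit_tag_events(raw_json, inventory, sensitive_keys=SENSITIVE_KEYS):
    """Replay CloudTrail records in order; return alerts for sensitive-tag changes.

    inventory maps resource id -> {tag key: value} and is updated in place as
    the events are replayed, which is how a CreateTags call gets classified
    as a create or an overwrite (the API call itself looks the same).
    """
    alerts = []
    for rec in json.loads(raw_json)["Records"]:
        action = rec.get("eventName")
        if rec.get("eventSource") != "ec2.amazonaws.com" or action not in ("CreateTags", "DeleteTags"):
            continue
        params = rec.get("requestParameters") or {}
        resources = [r["resourceId"] for r in params.get("resourcesSet", {}).get("items", [])]
        tags = params.get("tagSet", {}).get("items", [])
        for res in resources:
            current = inventory.setdefault(res, {})
            for tag in tags:
                key, value = tag.get("key"), tag.get("value")
                if action == "CreateTags":
                    if key not in current:
                        change = "created"
                    elif current[key] != value:
                        change = "modified"
                    else:
                        change = "unchanged"
                    current[key] = value
                else:
                    change = "deleted" if key in current else "unchanged"
                    current.pop(key, None)
                if key in sensitive_keys and change != "unchanged":
                    alerts.append({"time": rec.get("eventTime"),
                                   "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
                                   "resource": res, "key": key,
                                   "change": change, "value": value})
    return alerts


def format_alert(alert):
    """One-line summary suitable for a log search or alerting tool."""
    return (f"{alert['time']} {alert['actor']} {alert['change']} tag "
            f"{alert['key']}={alert['value']!r} on {alert['resource']}")


if __name__ == "__main__":
    for a in audit_tag_events(SAMPLE_EVENTS, {}):
        print(format_alert(a))
```

Running it prints three alerts for the CostCenter key (created by alice, overwritten by bob, then deleted by bob) and nothing for the Name tag. In a real deployment the inventory would be seeded from a DescribeTags snapshot rather than an empty dict, so the first CreateTags seen in the log is classified correctly.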

Path Strategies within ARNs

Paths can be assigned to the following types of Amazon Resource Names (ARNs):

  • IAM: Users, Roles, Policies, etc.
  • S3: Bucket/Folder structures

Documentation Guidelines and Public Samples

http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html#Identifiers_ARNs

Default Path Structure

arn:aws:service:region:account:resource

Sample Path Strategies

/Organization/Department/Application

Examples:

  • /Corp/IT/SharedSvcs
  • /BU1/Marketing/Materials
  • /Corp/HR/Confidential
  • /BU1/PMO/Deliverables

Note: Performance considerations need to come into play when designing a path strategy for S3. Depending upon your enterprise use case or workload, the following guidance may apply: http://aws.amazon.com/blogs/aws/amazon-s3-performance-tips-tricks-seattle-hiring-event/

Path Restrictions

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html

http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

Tagging Examples

Key              Value                                          Function
Name             Resource Name / Machine Name                   Management
Environment      Development, Test, QA, Staging, Production     Account/Resource Separation, Management
Tier             Backend, Frontend, DMZ                         Management, Account/Resource Separation
CostCenter       Department ID (e.g. CC#12345)                  Billing, Management
Role             Web, App, Domain Controller                    Management
Application      MobileApp1, WebApp1                            Management
CodeVersion      3.49                                           Management
AppPath          Application1/component1/Version2.49            Management
PoolName,        WebApp1Pool1, App1DBCluster1                   Management
ClusterName
Owner            OwnerEmail, OwnerDL                            Management
SecurityLevel    VPCAdmin, EC2Admin, StorageAdmin, IAMAdmin,    Access Control
                 DevOpsAdmin, DevOpsUser
Path             /Organization/Department/Application           Access Control, Billing, Management,
                                                                Account/Resource Separation
ExpirationDate   2015.12.31                                     Billing, Management
DataProfile      Public, Confidential, Restricted, Internal     Access Control, Management,
                                                                Account/Resource Separation
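A tagging policy like the table above, and the /Organization/Department/Application path strategy from the earlier section, only hold up if something enforces them. The script below is an added example (not code from the original post or from AWS) that validates a resource's tags against the table and checks the Path tag, or the path element of an IAM ARN, against the convention. The allowed values per key are taken from the table; the organization and department vocabularies, the required-tag set, the CostCenter and CodeVersion patterns and the reference date are assumptions chosen to match the post's samples.

```python
"""Validate resource tags and IAM paths against the conventions in this post.

Added example, not code from the original post or from AWS. Allowed values
per tag key follow the post's table; segment vocabularies, required tags and
the value patterns are assumptions made to fit the post's samples.
"""
import re
from datetime import date, datetime

# Assumed segment vocabularies for /Organization/Department/Application
ORGANIZATIONS = {"Corp", "BU1"}
DEPARTMENTS = {"IT", "HR", "Marketing", "PMO"}

# Value rule per tag key: a set of allowed values, a compiled regex, or None (free-form)
TAG_SCHEMA = {
    "Name": None,
    "Environment": {"Development", "Test", "QA", "Staging", "Production"},
    "Tier": {"Backend", "Frontend", "DMZ"},
    "CostCenter": re.compile(r"^CC#\d{5}$"),      # assumed pattern, after the CC#12345 sample
    "Role": {"Web", "App", "Domain Controller"},
    "Application": None,
    "CodeVersion": re.compile(r"^\d+(\.\d+)*$"),  # assumed pattern, after the 3.49 sample
    "AppPath": None,
    "PoolName": None,
    "ClusterName": None,
    "Owner": None,
    "SecurityLevel": {"VPCAdmin", "EC2Admin", "StorageAdmin", "IAMAdmin", "DevOpsAdmin", "DevOpsUser"},
    "Path": None,            # checked structurally by check_path
    "ExpirationDate": None,  # checked as a YYYY.MM.DD date
    "DataProfile": {"Public", "Confidential", "Restricted", "Internal"},
}
REQUIRED_TAGS = {"Name", "Environment", "CostCenter", "Owner", "Path", "DataProfile"}  # assumption
REFERENCE_DATE = date(2015, 12, 10)  # constructed "today" so results are reproducible

PATH_RE = re.compile(r"^/([^/]+)/([^/]+)/([^/]+)/?$")
IAM_PATH_MAX = 512  # IAM limit on the path of a user, group or role


def check_path(path):
    """Return problems with an /Organization/Department/Application path (empty list if fine)."""
    errors = []
    if len(path) > IAM_PATH_MAX:
        errors.append(f"path longer than {IAM_PATH_MAX} characters")
    m = PATH_RE.match(path)
    if not m:
        errors.append("path must have the form /Organization/Department/Application")
        return errors
    org, dept, _app = m.groups()
    if org not in ORGANIZATIONS:
        errors.append(f"unknown organization segment {org!r}")
    if dept not in DEPARTMENTS:
        errors.append(f"unknown department segment {dept!r}")
    return errors


def iam_path_from_arn(arn):
    """Split an IAM ARN into (resource type, path, name); a principal with no path gets '/'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {arn}")
    rtype, _, rest = parts[5].partition("/")
    path, _, name = rest.rpartition("/")
    return rtype, (f"/{path}/" if path else "/"), name


def validate_tags(tags, today=REFERENCE_DATE):
    """Check a resource's tag dict against the schema; return a list of problems."""
    errors = [f"missing required tag {k}" for k in sorted(REQUIRED_TAGS - tags.keys())]
    for key, value in tags.items():
        if key not in TAG_SCHEMA:
            errors.append(f"unknown tag key {key}")
            continue
        rule = TAG_SCHEMA[key]
        if isinstance(rule, set) and value not in rule:
            errors.append(f"{key}: {value!r} not in {sorted(rule)}")
        elif isinstance(rule, re.Pattern) and not rule.match(value):
            errors.append(f"{key}: {value!r} does not match {rule.pattern}")
    if "Path" in tags:
        errors += [f"Path: {e}" for e in check_path(tags["Path"])]
    if "ExpirationDate" in tags:
        try:
            expires = datetime.strptime(tags["ExpirationDate"], "%Y.%m.%d").date()
        except ValueError:
            errors.append("ExpirationDate: must be YYYY.MM.DD")
        else:
            if expires < today:
                errors.append(f"ExpirationDate: {expires} has already passed")
    return errors


if __name__ == "__main__":
    sample = {"Name": "web01", "Environment": "Production", "CostCenter": "CC#12345",
              "Owner": "team-dl@example.com", "Path": "/Corp/IT/SharedSvcs",
              "DataProfile": "Internal", "ExpirationDate": "2015.12.31"}
    print(validate_tags(sample))  # []
    print(iam_path_from_arn("arn:aws:iam::123456789012:user/Corp/IT/SharedSvcs/alice"))
```

The same check_path function serves both the Path tag and the path component that iam_path_from_arn extracts from a user or role ARN, so one vocabulary governs IAM paths and resource tags. Running the validator from a scheduled job against a tag inventory gives the "incomplete but present" policy the customers quoted below say they wished they had started with.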

Although the guidelines and suggestions listed here are based on experience and feedback from customers, there is no single “right” or “wrong” way to manage tagging. We do suggest, though, that a tagging policy be determined early on, even if it is incomplete. Here are quotes from several of our customers who didn’t use tagging during their first year on AWS:

“It would have been better for us to have used an incomplete or wrong tagging scheme; instead, we ended up with nothing.”

“Knowing what we know now we should have started with some basic tags even if they weren’t complete.”