One of the most common questions our customers ask us about is best practices around tagging resources in AWS. Surprisingly, AWS doesn’t provide a best practices guide for tagging like they do for the majority of their services. What follows in this post serves as our own guide to “best practices” for tagging that we’ve compiled through years of working with customers large and small.
Guidelines and Reminders
- Tag early and often
- Tags don’t maintain history
- Not every service/resource is tag-able
- Limit of 10 custom tags
- List of services that support tagging: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html
Tag Management
Here are some tips for dealing with tags:
- Determine who has the ability to create and manage tags
- Educate users that Create/Modify is the same level of access when it comes to tags
- Consider having tagging completed by an API/Portal in order to better control who has the ability to create and modify tags (i.e. create/modify = same permission)
- Enterprise customers concerned with tagging integrity should leverage a toolset like Splunk to track and alert for sensitive tags (i.e. Billing Code or Cost Center)
Path Strategies within ARNs
Paths can be assigned to the following types of Amazon Resource Names (ARNs):
- IAM: Users, Roles, Policies, etc.
- S3: Bucket/Folder structures
Documentation Guidelines and Public Samples
http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html#Identifiers_ARNs
Default Path Structure
arn:aws:service:region:account:resource
Sample Path Strategies
/Organization/Department/Application
Examples:
- /Corp/IT/SharedSvcs
- /BU1/Marketing/Materials
- /Corp/HR/Confidential
- /BU1/PMO/Deliverables
Note: Performance considerations need to come into play when designing a path strategy for S3. Depending upon your enterprise use case or workload the following guidance may apply. See • http://aws.amazon.com/blogs/aws/amazon-s3-performance-tips-tricks-seattle-hiring-event/
Path Restrictions
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html
Tagging Examples
| Key | Value | Function |
|---|---|---|
| Name | Resource Name/Machine Name | Management |
| Environment | Development Test QA Staging Production |
Account/Resource Separation Management |
| Tier | Backend Frontend DMZ |
Management Account/Resource Separation |
| CostCenter | Department ID CC#12345 |
Billing Management |
| Role | Web App Domain Controller |
Management |
| Application | MobileApp1 WebApp1 |
Management |
| CodeVersion | 3.49 | Management |
| AppPath | Application1/component1/Version2.49 | Management |
| PoolName ClusterName |
WebApp1Pool1 App1DBCluster1 |
Management |
| Owner | OwnerEmail OwnerDL |
Management |
| SecurityLevel | VPCAdmin EC2Admin StorageAdmin IAMAdmin DevOpsAdmin DevOpsUser |
Access Control |
| Path | /Organization/Department/Application | Access Control Billing Management Account/Resource Separation |
| ExpirationDate | 2015.12.31 | Billing Management |
| DataProfile | Public Confidential Restricted Internal |
Access Control Management Account/Resource Separation |
Although the guidelines and suggestions listed are based on experience and feedback from customers, there is not a “right” or “wrong” way to manage tagging. We do suggest though that a policy for tagging is determined early on even if it’s incomplete. Here are quotes from several of our customers who didn’t use tagging during their first year on AWS:
“It would have been better for us to have used an incomplete, or wrong tagging scheme, instead we ended up with nothing.”
“Knowing what we know now we should have started with some basic tags even if they weren’t complete.”
