aws tagging strategy

Building the Tag Strategy Shiva N – AWS Solution Architect ([email protected])

Upload: shiva-narayanaswamy

Post on 24-Jan-2018


Page 1: AWS Tagging Strategy

Building the Tag Strategy

Shiva N – AWS Solution Architect ([email protected])

Page 2: AWS Tagging Strategy

Tagging Overview

Resource Tags

• Provide the ability to organize and search within and across resources
• Filterable and searchable
• Do not appear in the Detailed Billing Report

Cost Allocation Tags

• Provide the ability to map AWS charges to organizational attributes for accounting purposes
• Information presented in the Detailed Billing Report and Cost Explorer
• Only available on certain services or limited to components within a service (e.g. S3 bucket but not objects)

Page 3: AWS Tagging Strategy

Tagging Restrictions

• Key (Attribute): 127 Unicode characters
• Value (Detail): 255 Unicode characters
• Tags per resource: 10 tags

Other Limitations

• Tags are account specific
• Tag keys and values are case sensitive
• Tags are unique per resource
• Resources cannot be stopped, terminated or deleted solely based on a tag
• Tags cannot begin with “aws:” as a prefix (reserved for AWS use)

Page 4: AWS Tagging Strategy

Tagging Considerations

• Timing is important! Tags…
– Can be applied anytime: Tags can be created/applied after a resource is created; however, no information will be captured between the time the resource was created and when the tag was applied
– Are not retroactive: Cost Allocation reports are only available from the point in time they were activated (i.e. if Cost Allocation is activated in October, no information from September will be displayed)
– Are static snapshots in time: Changes made to tags after a report is run will not be reflected in reports previously run
– Must explicitly be denoted for cost allocation: After creating a new tag [key], it must be marked/activated/added as a cost allocation tag (if applicable); otherwise it will not be visible in the DBR or Cost Explorer.

Page 5: AWS Tagging Strategy

Tag Key Examples

• Cost Center
• Business Unit
• Environ.
• Tier
• Owner
• Dept. / Group
• Product / Application
• Shutdown Time
• Support Contact
• Endpoint

Page 6: AWS Tagging Strategy

Tag Key Examples

• AWS Environment – Tagging schemas to distinguish production, development, and test infrastructure.
• Cluster – Used to identify the set of instances sharing the responsibility for performing a specific function as part of an application. Clustered instances typically share the same configuration and exist behind a load balancer.
• Node – Distinguishes between servers/databases in a cluster with the same role, but part of separate applications.
• Application – Tags to monitor clusters at the application layer.
• User – Tags to identify specific individuals responsible for building/deploying instances.
• Customer – Used to identify the particular client that a particular resource serves.
• Cost Allocation – Tags for cost accounting needs.

Page 7: AWS Tagging Strategy

Tagging Categories

Page 8: AWS Tagging Strategy

Tagging Strategies

• Tags for Console Organization
• Tags for Cost Allocation
• Tags for Automation
• Tags for Access Control

Tags are your real-time CMDB

Page 9: AWS Tagging Strategy

Tagging Strategies

• Define naming convention – Tag key names should use upper CamelCase (or PascalCase) for manual creation. CamelCase combines words/abbreviations by beginning each word with a capital letter, such as “MiscMetadata” and “SupportEndpoints”.
• Standardize delimiters and do not use them as part of tag values. This works well with case-sensitive tags.
• Utilize concatenated/compound tagging – combine multiple values for a tag key (i.e. Owner = JohnDoe | [email protected] | 8005551234). Pascal case should be used to standardize compound tags.

Page 10: AWS Tagging Strategy

Process Driven Tag Selection

[Process diagram. Headings: Define Requirements, Design Tagging, Test & Validate. Boxes:]

• Identify Key Reports
• Meet with Report Owners
• Meet with Report Users
• Document Report Requirements and Use Case
• Document Key Fields
• Map Key Field to Source Origin
• Identify Which Field Would be Valid Tags
• Document Report Specs with Identified Tag Mapping
• Complete Test Pilot on Tags and Reports (Manual)
• Validate Automation Strategy and Tools
• Deploy & Maintain Tagging
• Additional Consideration
– Automate Applying Tags Using CloudFormation
– Monitor and Validate Tags with Monitor Scripts
– Use Tags as Triggers for Backup Procedures or to Remove Rogue Resources
– Allow a Few Tags for Development Team Use

Page 11: AWS Tagging Strategy

Identify Key Reports

• Tags typically align to key fields in important reports
• Validate which reports are being used to drive decisions
• Look for consistency in how reports break down and roll up
• Start with reviewing legacy reports used by stakeholders.

[Process diagram: Identify Key Reports; Meet with Report Owners; Meet with Report Users]

Page 12: AWS Tagging Strategy

Document Key Fields

• Document the Key Fields identified for each report
• Field Values, Length, Formats
• Logical Association of the fields
• Typical fields to look for:
– Line Of Business
– Cost Center
– Version
– Owner
– Compliance Domain
– Name
– Environment
– Application
– Tier

[Process diagram: Meet with Report Users; Document Report Requirements and Use Case; Document Key Fields]

Page 13: AWS Tagging Strategy

Identify and Format Tags

• Document which items will be stored as tags
• Avoid putting fields that drive reports in external sources
• Validate the Tag format
• Tag Name Best Practices for syntax
• Tag Strategy to document your tagging structure

[Process diagram: Map Key Field to Source Origin; Identify Which Field Would be Valid Tags; Document Report Specs with Identified Tag Mapping]

Page 14: AWS Tagging Strategy

Pilot the Tag Structure

• Create test resources with the Tags indicated in the Tag Strategy document
• Generate an AWS Detailed Billing Report (DBR)
• Utilize DBR to generate the end user reports
• Validate all required data and fields work as expected

[Process diagram: Document Report Specs with Identified Tag Mapping; Complete Test Pilot on Tags and Reports (Manual); Validate Automation Strategy and Tools]

Page 15: AWS Tagging Strategy

Tagging Maintenance Procedures

• Ensure data integrity related to tagging
• Document how tags are applied to resources
• Identify Tag monitoring procedures
• Identify procedure to update or modify tags in routines
• Develop simple scripts when high volume updates are required

[Process diagram: Complete Test Pilot on Tags and Reports (Manual); Validate Automation Strategy and Tools; Deploy & Maintain Tagging]

Page 16: AWS Tagging Strategy

Additional Considerations

• Use automation to apply tags – it will guarantee integrity and reliability of tagging
• Monitor your tags – identify tags that are not compliant with standards through monitoring tools
• Triggers – Be innovative to identify methods of using tags to automate common routines
• Partner with Dev – Keep a few tags in reserve for Application owners to use as triggers

[Process diagram: Additional Consideration; Automate Applying Tags Using CloudFormation; Monitor and Validate Tags with Monitor Scripts; Use Tags as Triggers for Backup Procedures or to Remove Rogue Resources; Allow a Few Tags for Development Team Use]
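A lint for proposed tag sets that applies the limits from the Tagging Restrictions slide and the naming and delimiter conventions from Tagging Strategies, in the spirit of the "monitor your tags" item. This is an added example, not code from the deck; the `|` delimiter, the required-key set and the three-field Owner layout are assumptions, and the inventory is constructed sample data.

```python
import re

# Limits as stated on the "Tagging Restrictions" slide.
MAX_KEY_LEN, MAX_VALUE_LEN, MAX_TAGS = 127, 255, 10
PASCAL_CASE = re.compile(r"^[A-Z][A-Za-z0-9]*$")        # upper CamelCase, no separators
DELIMITER = "|"                                         # assumed house delimiter
REQUIRED_KEYS = {"CostCenter", "Environment", "Owner"}  # hypothetical policy
COMPOUND_FIELDS = {"Owner": 3}                          # hypothetical: name | email | phone

def audit_tags(tags):
    """Return findings for one resource; `tags` is a list of (key, value) pairs."""
    findings = []
    if len(tags) > MAX_TAGS:
        findings.append(f"{len(tags)} tags exceeds limit of {MAX_TAGS}")
    by_folded = {}
    for key, value in tags:
        if key.lower().startswith("aws:"):
            findings.append(f"{key}: 'aws:' prefix is reserved")
            continue
        if len(key) > MAX_KEY_LEN or len(value) > MAX_VALUE_LEN:
            findings.append(f"{key}: key or value too long")
        if not PASCAL_CASE.match(key):
            findings.append(f"{key}: key is not PascalCase")
        # Keys are case sensitive, so "Owner" and "owner" would be two different tags.
        by_folded.setdefault(key.lower(), set()).add(key)
        parts = [p.strip() for p in value.split(DELIMITER)]
        expected = COMPOUND_FIELDS.get(key, 1)
        if len(parts) != expected or not all(parts):
            findings.append(f"{key}: expected {expected} '{DELIMITER}'-separated field(s)")
    findings += ["case variants of one key: " + ", ".join(sorted(v))
                 for v in by_folded.values() if len(v) > 1]
    findings += [f"{k}: required tag missing"
                 for k in sorted(REQUIRED_KEYS - {name for name, _ in tags})]
    return findings

def audit_inventory(inventory):
    """Map resource id -> findings, for non-compliant resources only."""
    return {rid: f for rid, tags in inventory.items() if (f := audit_tags(tags))}

# Constructed sample inventory (resource ids and values are made up).
INVENTORY = {
    "i-0aaa": [("CostCenter", "4411"), ("Environment", "Prod"),
               ("Owner", "JohnDoe | john.doe@example.com | 8005551234")],
    "i-0bbb": [("costcenter", "4411"), ("CostCenter", "4411"),
               ("Environment", "Dev|Test"), ("aws:team", "x")],
    "vol-0ccc": [("Cost Center", "4411"), ("Environment", "Prod"), ("Owner", "JaneRoe")],
}

if __name__ == "__main__":
    for rid, findings in audit_inventory(INVENTORY).items():
        print(rid, *findings, sep="\n  ")
```
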

Page 17: AWS Tagging Strategy

http://blog.gorillastack.com/gorillastack-presents-auto-tag/

Page 18: AWS Tagging Strategy

Resources

• Working with Tag Editor & Resource Groups: http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html
• AWS CloudFormation Resource Tags Type: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
• Using Tags in IAM: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/
• AWS Billing and Cost Management: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html
• Resource Groups and Tagging for AWS: https://aws.amazon.com/blogs/aws/resource-groups-and-tagging/
• Demystifying EC2 Resource-Level Permissions: https://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
• DevOps Backup in Amazon EC2: https://medium.com/aws-activate-startup-blog/devops-backup-in-amazon-ec2-190c6fcce41b

Page 19: AWS Tagging Strategy

Thank You

Shiva N – AWS Solution Architect ([email protected])