Tagging is one of the most useful mechanisms for understanding and tracking resources in AWS. Often I find that organizations new to cloud treat tagging as an afterthought or are simply unsure where to start. k9 Security provides a nice guide to the types of tags to include as part of a default taxonomy:
This tagging model will help you answer questions like:
- Who owns this resource? What application does it belong to?
- Who should we call when the application is broken?
- Who should pay for this resource? Which applications are driving our costs?
- Do access controls secure this resource appropriately?
- How much risk does our Cloud deployment have? Where is that risk concentrated?
- Which security improvements reduce our risk the most?
Tags help cloud operations, finance, security, and new team members understand the current cloud environment. Most AWS resources now support up to 50 tags, and tag keys are case-sensitive, so settle on one casing (for example `Owner`, not `owner`) before rolling a taxonomy out. Tools like AWS Service Catalog and AWS CloudFormation can enforce tagging proactively, at provisioning time, while AWS Config can enforce it reactively by flagging resources that were created without the required tags.
AWS also provides a managed Config rule, required-tags, that checks whether resources carry the set of tags your organization requires; it accepts up to six tag keys, each with an optional list of allowed values. If you need more keys, or want to validate value formats, you can extend this capability with your own Lambda-backed custom Config rules. What to do when a resource is not properly tagged is an organizational decision, ranging from notification to automated remediation to deletion. Deletion is the most effective and the most dangerous option: scope it to non-production accounts, or give owners a grace period, before letting automation destroy anything.
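As an added example (not code from the original post or from k9 Security), here is a custom Config rule evaluator in Python that goes beyond the managed required-tags rule: it checks an arbitrary number of keys and validates tag values against regular expressions. The taxonomy in `REQUIRED_TAGS`, the sample configuration item, and the `lambda_handler` name are assumptions for illustration; the event shape is the one Config sends to a change-triggered rule.

```python
"""Custom AWS Config rule: every recorded resource must carry a required set of tags.

Hypothetical example extending the managed required-tags rule: it validates more
than six keys and checks value formats (e.g. the owner must be an e-mail address).
"""
import json
import re

# Assumed organizational taxonomy (hypothetical): key -> optional regex the value must match.
REQUIRED_TAGS = {
    "Owner": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),   # team or person e-mail
    "Application": None,                                  # any non-empty value
    "CostCenter": re.compile(r"^\d{4,6}$"),
    "Environment": re.compile(r"^(prod|staging|dev)$"),
    "DataClassification": re.compile(r"^(public|internal|confidential|restricted)$"),
}


def evaluate_tags(tags, required=REQUIRED_TAGS):
    """Return (compliance_type, annotation) for one resource's tag map.

    Tag keys are case-sensitive in AWS, so 'owner' does not satisfy 'Owner'.
    """
    missing, invalid = [], []
    for key, pattern in required.items():
        value = tags.get(key, "")
        if not value:
            missing.append(key)
        elif pattern is not None and not pattern.match(value):
            invalid.append(f"{key}={value!r}")
    if not missing and not invalid:
        return "COMPLIANT", "All required tags present and well-formed."
    parts = []
    if missing:
        parts.append("missing: " + ", ".join(sorted(missing)))
    if invalid:
        parts.append("invalid: " + ", ".join(sorted(invalid)))
    # Config limits annotations to 256 characters; keep ours within that.
    return "NON_COMPLIANT", "; ".join(parts)[:256]


def evaluate_invoking_event(event):
    """Build the Evaluation dict for a Config change-triggered invocation."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    # Deleted resources are NOT_APPLICABLE so a stale NON_COMPLIANT result ages out.
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "Resource deleted."
    else:
        compliance, annotation = evaluate_tags(item.get("tags") or {})
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as the rule's Lambda (needs boto3 and config:PutEvaluations)."""
    import boto3  # imported lazily so the evaluation logic above runs offline

    evaluation = evaluate_invoking_event(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event in the shape Config sends to a change-triggered rule.
# Note the two defects: Environment uses "production" instead of "prod", and
# DataClassification is absent.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T12:00:00.000Z",
            "tags": {"Owner": "payments-team@example.com", "Application": "checkout",
                     "CostCenter": "12345", "Environment": "production"},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": "{}",
    "resultToken": "TESTMODE",
}

if __name__ == "__main__":
    print(json.dumps(evaluate_invoking_event(SAMPLE_EVENT), indent=2))
```

The evaluation logic is kept separate from the `put_evaluations` call so it can be unit-tested against recorded configuration items before the rule is deployed; the annotation names exactly which tags are missing or malformed, which is what a notification or remediation workflow needs to act on.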