Tagging strategy in the cloud
How optimal tagging approaches can save you a lot of organizational headache — includes best practices
Tagging is a way of assigning metadata to resources on the cloud. Each tag is a simple label consisting of a custom-defined key and an optional value that can make it easier to manage, search for, and filter resources by purpose, owner, environment, or other criteria. Tags can be required, conditionally required, or optional.
Note — On Google Cloud the equivalent of a tag is called a label, i.e. you add labels to your cloud resources instead of tags.
In this article we will go through the benefits of using tags for your resources and the best practices around them, with references to how you can achieve your tagging goals on AWS, Azure and Google Cloud.
What is Tagging good for?
Resource Organization — Tags are a great way to organize resources. For example, a common practice is to tag resources intended for production, staging, or development differently, so you can easily search for the resources that belong to each development stage when necessary. Adding tags/labels thus lets you perform more precise searches for your resources.
Cost allocation — Use business tags such as cost center, business unit, or project to associate resource and service costs with the traditional financial reporting dimensions within your organization. This also lets you associate costs with technical or security dimensions, such as specific applications, environments, or compliance programs. The following topics are supported by cost-related tags:
- Cloud accounting models
- ROI calculations
- Cost tracking
- Cost Alerts
- Recurring spend tracking and reporting
- Post-implementation optimizations
- Cost-optimization tactics
Here is an example of how to do it on AWS. This video shows how you can filter the costs of resources with specific labels on Google Cloud. For Azure, you can find information regarding tagging and billing here.
Automation — Since tagging helps you identify and filter specific resources, you can use this information to drive automation tasks. For example, you can run automated start/stop scripts that turn off development environments during non-business hours to reduce costs, identifying the development resources by their tags.
Operations support — Tags can be used to integrate support for resources into day-to-day operations, including IT Service Management (ITSM) processes such as Incident Management. For example, Level 1 support teams can use tags to direct workflow and perform business service mapping as part of the triage process when a monitoring system triggers an alarm. Tagging for mission criticality, in particular, is very important for the operations team. It is also possible to use tags to support processes such as backup/restore and operating system patching.
Governance and regulatory compliance — Maintaining consistency across resources helps identify deviation from agreed-upon policies. You can use tagging to evaluate regulatory compliance and governance, e.g., you can count the resources that are correctly tagged and compare that number to the total number of resources to see whether your governance policies are being followed.
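As an added example (not code from the original article, and independent of any cloud SDK), here is what the tag-driven start/stop decision can look like: a constructed inventory of resources with their tags, a business-hours schedule, and a function that returns which development resources to stop outside those hours. The resource ids, the tag keys `environment` and `auto-shutdown`, and the 08:00–18:00 weekday schedule are assumptions; in practice the inventory would come from the provider's describe/list API and the result would be passed to its stop call.

```python
from datetime import datetime, time

# Constructed sample inventory (not real resource ids): the shape a
# describe/list call returns once reduced to an id and its tags.
INVENTORY = [
    {"id": "vm-dev-001", "tags": {"environment": "development", "auto-shutdown": "true"}},
    {"id": "vm-dev-002", "tags": {"environment": "development", "auto-shutdown": "false"}},
    {"id": "vm-prod-001", "tags": {"environment": "production"}},
    {"id": "vm-untagged-001", "tags": {}},
    # Malformed value: someone typed "YES" instead of the agreed "true".
    {"id": "vm-dev-003", "tags": {"environment": "development", "auto-shutdown": "YES"}},
]

# Assumed schedule: Monday to Friday, 08:00-18:00, in the timezone the
# scheduler runs in (naive datetimes are used for that reason).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Constructed instants used below (2021-02-10 is a Wednesday, 2021-02-13 a Saturday).
WEDNESDAY_MORNING = datetime(2021, 2, 10, 10, 0)
WEDNESDAY_EVENING = datetime(2021, 2, 10, 22, 0)
SATURDAY_MORNING = datetime(2021, 2, 13, 10, 0)


def in_business_hours(now: datetime) -> bool:
    """True on weekdays between BUSINESS_START (inclusive) and BUSINESS_END (exclusive)."""
    return now.weekday() < 5 and BUSINESS_START <= now.time() < BUSINESS_END


def shutdown_candidates(inventory, now):
    """Select development resources to stop at `now`.

    Returns (to_stop, skipped): ids that should be stopped, and (id, reason)
    pairs for in-scope resources whose tags could not be interpreted. Only
    resources tagged environment=development are in scope; anything else,
    including untagged resources, is never touched by this job.
    """
    to_stop, skipped = [], []
    for res in inventory:
        tags = res["tags"]
        if tags.get("environment") != "development":
            continue
        flag = tags.get("auto-shutdown")
        if flag is None:
            skipped.append((res["id"], "missing auto-shutdown tag"))
        elif flag not in ("true", "false"):
            # Unknown values are reported, not guessed: a typo must not
            # silently turn a stop into a no-op or the other way round.
            skipped.append((res["id"], f"invalid auto-shutdown value {flag!r}"))
        elif flag == "true" and not in_business_hours(now):
            to_stop.append(res["id"])
    return to_stop, skipped


if __name__ == "__main__":
    stop, skip = shutdown_candidates(INVENTORY, WEDNESDAY_EVENING)
    print("stop:", stop)
    print("skipped:", skip)
```

The skipped list is the important half of the result: it is what you feed back into the tag-remediation process, so that a value the automation cannot interpret becomes a governance finding rather than a silent miss.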
Access control — This is more applicable to AWS than Google Cloud or Azure. AWS Identity and Access Management (IAM) policies support tag-based conditions, enabling you to constrain permissions based on specific tags and their values. For example, IAM user or role permissions can include conditions to limit access to specific environments (for example, development, test, or production) or Amazon Virtual Private Cloud (Amazon VPC) networks based on their tags.
Note — A similar feature for Google Cloud is in preview as of Feb 2021.
Security — Tags can be assigned to identify resources that require heightened security risk management practices, e.g., VM instances hosting applications that process sensitive or confidential data. This can also help enable automated compliance checks to ensure that proper access controls are in place, patch compliance is up to date, and so on. Another important aspect is tagging for data classification.
Mnemonic help — The first letters of the benefits above (Governance, Operations support, Automation, Security, Access control, Resource organization, Cost allocation) form the word GOASARC, or Goa’s arc.
Let’s look at some example tags:
Best Practices for Tagging
Note — Many of the best practices mentioned below are derived from this document but are valid for all clouds.
- Start small — Start with a smaller set of tags that are known to be needed and create new tags as the need arises.
- Constrain tag values — When tags are entered manually, there is room for human error. If tag values are set by automation, the automation code can be reviewed, tested, and enhanced to ensure that only valid tag values are used. On AWS, you can use IAM policies or AWS Service Catalog to constrain tag values, whereas Azure Policy serves the same purpose on Azure. On Google Cloud, constraining tag values is built into how you define tags — you can find more information about it here.
- Adopt a standardized approach for Tag Names — Allowed tag and label names have different requirements on different clouds, e.g., AWS tags are case-sensitive and allow both lowercase and uppercase letters, whereas Google Cloud label keys and values only allow lowercase letters. On Azure, tag keys are case-insensitive whereas tag values are case-sensitive. It makes sense to allow only lowercase characters in your tag keys and values, especially if you use multiple clouds and want to employ the same tagging strategy on all of them.
- Use Automation to Proactively Tag Resources — It’s important to ensure that tags are consistently applied at the time of resource creation. Use cloud tools to implement proactive tag governance practices. E.g., in AWS IAM policies you can include condition keys such as aws:RequestTag and aws:TagKeys, which prevent resources from being created if specific tags or tag values are not present. Similarly, on Azure you can use Azure Policy to enforce your tagging strategy.
- Employ a Cross-Functional Team to identify tag requirements — Tag stakeholders in an organization typically include IT Finance, Information Security, application owners, cloud automation teams, middleware and database administration teams, and shared services such as patching, backup/restore, monitoring, job scheduling, and disaster recovery.
- Tags should be used consistently — Inconsistent tagging gives a misleading picture of what’s going on, for example when generating cost and billing reports. A consistent approach is warranted even for tags identified as optional.
- Assign Owners to Define Tag Value Propositions — Consider tags from a cost/benefit perspective when deciding on a list of required tags. To ensure tags are useful, identify an owner for each one. The tag owner has the responsibility to clearly articulate its value proposition.
- Focus on Required and Conditionally Required Tags — When identifying tagging requirements, focus on required and conditionally required tags. Allow for optional tags, as long as they conform to your tag naming and governance policies, to empower your organization to define new tags for unforeseen or bespoke application requirements.
- Lock Down Tags Used for Access Control — If you decide to use tags to supplement your access control policies, you will need to ensure that you restrict access to creating, deleting, and modifying those tags.
- Remediate Untagged Resources — It is imperative to employ reactive tag governance approaches to identify resources that are not properly tagged and correct them.
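The Access control benefit above and the proactive-tagging practice in this list call for the same artefact: an IAM policy whose conditions reference tags, and a way to see what it allows before it is attached to anything. The block below is an added example, not the article's own code and not an AWS-provided tool. The policy document uses real IAM condition keys (`aws:ResourceTag/…`, `aws:RequestTag/…`, `aws:TagKeys`) and operators (`StringEquals`, `ForAllValues:StringEquals`, `Null`); the evaluator is a deliberately simplified model of IAM's explicit-deny-over-allow logic covering only those operators. Tag keys, allowed values and Sids are constructed, resource matching is not modelled, and the other resources that `ec2:RunInstances` touches (volumes, network interfaces) are left out.

```python
import json

# Added example policy: tag conditions for access control and proactive tagging.
# Tag keys, values and Sids are constructed; the condition syntax is real IAM.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Access control by existing resource tag: this principal may only
            # start or stop instances already tagged environment=development.
            "Sid": "AllowStartStopDevelopmentOnly",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/environment": "development"}},
        },
        {
            # Proactive tagging: creation is allowed only when the request carries
            # an approved environment value and no tag keys outside the schema.
            "Sid": "AllowRunWithApprovedTags",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/environment": ["development", "test"]},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "owner", "cost-center"]},
            },
        },
        {
            # Guardrail that holds even if another policy grants RunInstances:
            # Null=true matches when the tag is absent from the request.
            "Sid": "DenyRunWithoutEnvironmentTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"Null": {"aws:RequestTag/environment": "true"}},
        },
    ],
}


def request_context(request_tags=None, resource_tags=None):
    """Build the condition-key context IAM would derive from a request."""
    ctx = {}
    for key, value in (request_tags or {}).items():
        ctx[f"aws:RequestTag/{key}"] = value
    for key, value in (resource_tags or {}).items():
        ctx[f"aws:ResourceTag/{key}"] = value
    if request_tags:
        ctx["aws:TagKeys"] = list(request_tags)  # multivalued key, absent if no tags sent
    return ctx


def _condition_holds(operator, key, expected, ctx):
    """Simplified semantics for the three operators the policy uses."""
    actual = ctx.get(key)
    if operator == "Null":
        return (actual is None) == (expected == "true")
    if operator == "StringEquals":
        allowed = expected if isinstance(expected, list) else [expected]
        return actual is not None and actual in allowed
    if operator == "ForAllValues:StringEquals":
        values = actual if isinstance(actual, list) else ([] if actual is None else [actual])
        return all(v in expected for v in values)  # vacuously true when the key is absent
    raise NotImplementedError(operator)


def _statement_applies(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    return all(
        _condition_holds(op, key, expected, ctx)
        for op, block in stmt.get("Condition", {}).items()
        for key, expected in block.items()
    )


def evaluate(policy, action, ctx):
    """Explicit Deny wins over any Allow; no applicable statement is an implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return f"explicit-deny ({stmt['Sid']})"
        decision = "allow"
    return decision


if __name__ == "__main__":
    print(json.dumps(TAG_POLICY, indent=2))
    print(evaluate(TAG_POLICY, "ec2:RunInstances", request_context(request_tags={"owner": "platform-team"})))
```

Two design points worth noticing: the `Allow` already requires the tag, yet the separate `Deny` is what makes the control robust, because a later, broader policy cannot override an explicit deny; and `ForAllValues:StringEquals` on `aws:TagKeys` is what turns "constrain tag values" into "constrain tag keys" as well, so an optional tag outside the agreed set is rejected at creation time rather than found in a report.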
After all of that is done, the final thing you need to do is to establish a tag governance process. Such a tag governance process should include:
- Impact analysis, approval, and implementation for requests to add, change, or deprecate tags
- Application of existing tagging requirements as new cloud services are adopted by your organization
- Monitoring and remediation of missing or incorrect tags
- Periodic reporting on tagging metrics and key process indicators
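Monitoring and remediation of missing or incorrect tags, and the periodic reporting that follows, both need a machine-readable version of the tag schema. The following added example (not code from the article) encodes required, conditionally required and optional tags together with their allowed values, enforces a lowercase-only naming rule that AWS, Azure and Google Cloud all accept, and produces the coverage metric described under Governance above. The tag keys, allowed values and inventory are constructed; the character rules are a conservative assumption, not any provider's exact limits.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Naming rule (assumption): lowercase keys and values only, so one schema
# works on AWS (case-sensitive tags), Azure (case-insensitive keys) and
# Google Cloud (lowercase-only labels). Deliberately stricter than any of them.
KEY_RE = re.compile(r"^[a-z][a-z0-9_-]{0,62}$")
VALUE_RE = re.compile(r"^[a-z0-9_-]{0,63}$")


@dataclass(frozen=True)
class TagRule:
    key: str
    required: bool = False
    # Conditionally required: a predicate over the resource's other tags.
    required_if: Optional[Callable[[dict], bool]] = None
    # None means any value that passes the naming rule is accepted.
    allowed_values: Optional[frozenset] = None


# Constructed schema; the keys and cost-center codes are examples, not a standard.
SCHEMA = [
    TagRule("environment", required=True,
            allowed_values=frozenset({"development", "staging", "production"})),
    TagRule("owner", required=True),
    TagRule("cost-center", required=True, allowed_values=frozenset({"cc-1001", "cc-2002"})),
    TagRule("data-classification",
            required_if=lambda tags: tags.get("environment") == "production",
            allowed_values=frozenset({"public", "internal", "confidential"})),
    TagRule("backup", allowed_values=frozenset({"daily", "weekly", "none"})),  # optional
]


def validate(tags: dict) -> list:
    """Return the findings for one resource; an empty list means compliant."""
    findings = []
    for rule in SCHEMA:
        present = rule.key in tags
        needed = rule.required or (rule.required_if is not None and rule.required_if(tags))
        if needed and not present:
            findings.append(f"missing required tag {rule.key!r}")
        if present and rule.allowed_values is not None and tags[rule.key] not in rule.allowed_values:
            findings.append(f"tag {rule.key!r} has disallowed value {tags[rule.key]!r}")
    # Optional tags outside the schema are fine as long as they follow the naming rule.
    for key, value in tags.items():
        if not KEY_RE.match(key):
            findings.append(f"key {key!r} violates naming rule")
        elif not VALUE_RE.match(value):
            findings.append(f"value {value!r} for {key!r} violates naming rule")
    return findings


def governance_report(inventory) -> dict:
    """Tagging metrics for periodic reporting plus the per-resource remediation list."""
    results = {res["id"]: validate(res["tags"]) for res in inventory}
    compliant = sum(1 for f in results.values() if not f)
    total = len(inventory)
    return {
        "total": total,
        "compliant": compliant,
        "coverage_pct": round(100.0 * compliant / total, 1) if total else 100.0,
        "findings": {rid: f for rid, f in results.items() if f},
    }


# Constructed inventory (not real resource ids).
INVENTORY = [
    {"id": "vm-001", "tags": {"environment": "production", "owner": "payments",
                              "cost-center": "cc-1001", "data-classification": "confidential"}},
    {"id": "vm-002", "tags": {"environment": "production", "owner": "payments", "cost-center": "cc-1001"}},
    {"id": "vm-003", "tags": {"Environment": "Dev", "owner": "web", "cost-center": "cc-2002"}},
    {"id": "db-001", "tags": {}},
    {"id": "vm-004", "tags": {"environment": "development", "owner": "web",
                              "cost-center": "cc-9999", "backup": "hourly"}},
]

if __name__ == "__main__":
    report = governance_report(INVENTORY)
    print(f"{report['compliant']}/{report['total']} compliant ({report['coverage_pct']}%)")
    for rid, findings in report["findings"].items():
        print(rid, "->", "; ".join(findings))
```

The `vm-003` case is the one the naming-rule practice is about: on AWS, `Environment` and `environment` are two different tags, so a mixed-case key is both a naming violation and a missing required tag, and the report says so twice on purpose. The same `validate` function is what a pre-deployment check or a periodic scan would run, so reactive and proactive governance share one definition of "correctly tagged".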
And that’s it. I hope this read was worth your while. Till next time, stay safe!