Cloud Tagging strategies - AWS Tagging, Google cloud Tagging and Azure Tagging of resources - for security, business, cost management and automation

How much is this cloud resource costing me?  How much are all my development instances costing me? Was there a security compliance violation on any of my resources or any part of my cloud infrastructure? What cluster does this particular resource belong to? Can  I constrain resources from performing certain actions – in a way that it can be easily replicated to other resources?

The answer to all these is easily available – provided you have correctly tagged your instances. This post will detail the most important tags that belong on any cloud resource. These tags are equally applicable to AWS, Azure or GCP.

As long as you follow an appropriate tagging strategy, you can answer just about any question around your resource.

Tagging Basics

A tag is a label that you assign to an AWS resource. It consists of a key and a value, both of which you define. Google sometimes refers to certain tags as labels.

Tags are categorized logically into categories around their intended use cases.

Apart from simply assigning a tag to a resource, you need to think about how to enforce the tag on resource (what good is a tagging strategy, if it is not enforced?). In other words, IAM users should not be able to bypass the tagging requirement. In addition, certain native security services (such as Security Hub on AWS and Cloud Security Command Center on Google Cloud), can leverage the tags while checking for compliance violations.

Business Tagging, which also includes Billing/Cost Center, is probably the first one to sort out – since it is the most frequently requested feature by cloud customers.

Business Tags (including billing / cost center allocation)

Cost Center/Business Unit — Used to identify the cost center or business unit associated with a resource; typically for cost allocation and tracking (e.g. IT, Accounting…)

Department — Used to identify a specific client that a particular group of resources serves

Project — Used to identify the project(s) the resource supports (e.g. EmployeePortal)

Security Tags, including data classification levels

1. Also read – KMS based data encryption on Google Cloud and AWS 
2. Also read – Security Audits for your AWS accounts

Different companies have different levels of data classification. PROTECTED, PUBLIC, RESTRICTED….there are many variations, but these all mean something specific inside each company.

DataLevel — An identifier for the specific data-confidentiality level a resource supports (e.g. PROTECTED, PUBLIC)

Compliance — An identifier for workloads designed to adhere to specific compliance requirements (e.g. PII, PCI…)

Technical Tags

Name — Used to identify individual resources

Application ID — Used to identify disparate resources that are related to a specific application (e.g. ONLINE_ECOMMERCE)

Application Role — Used to describe the function of a particular resource (e.g. WEBSERVER, MESSAGE_BROKER, DB)

Cluster — Used to identify resource farms that share a common configuration and perform a specific function for an application

Environment — Used to distinguish between development, test, staging and production infrastructure.

Version — Used to help distinguish between different versions of resources or applications

Tags for Automation

Date/Time — Used to identify the date or time a resource should be started, stopped, deleted, or rotated

AutomaticInclusion — Used to indicate whether a resource should be automatically included in an automated activity such as starting, stopping, or resizing instances

Protection — Used to determine requirements such as encryption or enabling of VPC Flow Logs, and also to identify route tables or security groups that deserve extra scrutiny

Enforcing Tags on Resources — Required Tags

In AWS (as on GCP and Azure), one can easily enforce tagging on resources. Simply define the required tags in an AWS Config Rule. In Azure, use a built in Azure policy for tagging

Untagged Resources — Check for Resources that are out of compliance with the Required Tag Rule.

Summary

Resource sprawl is a common problem with customers starting out on the cloud. To have resources spread out across accounts and VPCs, can become a maintenance nightmare. The best way to keep track of your cloud assets is to correctly tag them. This post describes useful resource tags that work for any AWS, GCP or Azure hosted resource.

For an initial security consultation on AWS, Azure or GCP, pick a time here. For a general consultation, Set up a time here .