Ninja Docs Help

Resource Tagging

Revision | Date | Description
1.0 | 24.07.2024 | Init Changelog

Introduction

Tagging is the act of assigning metadata to the different resources in your AWS environment for a variety of purposes, such as Attribute Based Access Control (ABAC), Cloud Financial Management, and automation (such as patching only selected tagged instances). Tagging can also be used to create new resource constructs for visibility or control (such as grouping together the resources that make up a micro-service, application, or workload). Tagging is fundamental to providing enterprise-level visibility and control.

In order to keep up with development and effectively manage large AWS environments, the following approaches may prove helpful:

  • Infrastructure and resource automation;

  • Standardized cost tracking.

Tagging Policy

All resources must be tagged. The approach used to enforce those tags depends on the resource type:

  • EC2, EBS and RDS resources cannot be created without tags.

  • All other non-compliant resources are reported via AWS Config; automation could be built later.

  • Tags must be applied to EBS volumes attached to EC2 instances.

Tag values should be validated in terms of format and lists of allowed values. The tag specifying the system id/name (Application) should be consistent with the data in the application info page (docs, IT system repository, etc.).

Tag value validation will be done using AWS Organizations tag policies and AWS Config.

Only a small group of Cloud Team architects and developers have permission to create, edit or delete tags. These permissions need to be verified in IAM (identity management and policies).

KMS encryption is enforced through SCPs, so no tag is needed to indicate whether a resource requires encryption.

Tags

No. | Tag Name | Tag Category | Required | Details / Purpose | Comments / Examples
1 | Owner | Business | True | Used to identify who is responsible for the resource | First Name / Last Name / Mail
2 | OrgUnit | Business | True | Tribe name / Organization unit name | Business Unit (Tribe / section), ex: Cloud and Supporting Services
3 | ApplicationId | Technical | True | Used to identify disparate resources that are related to a specific application | The tag on the default VPC will have the value infra. Other services dedicated to an application will have a value according to the app ID (ex: S3013)
4 | Customer | Business | True | Used to identify a specific client that a particular group of resources serves | Marked internally (Squad name within a Tribe) or externally (Client name if outside the organization)
5 | Name | Technical | True | Identifies individual resources | Instance, VPC, Subnet, Database, etc.
6 | Project | Business | True | Used to identify the project(s) the resource supports | Project name
7 | Environment | Technical | True | Used to distinguish between development, test, and production infrastructure | Sandbox, Dev, PreProd, Prod
8 | Confidentiality | Security | True | An identifier for the specific data-confidentiality level a resource supports |
9 | Compliance | Security | True | An identifier for workloads designed to adhere to specific compliance requirements |
10 | CreatedBy | Technical | True | Used to identify the method by which the resource was created | provisioner, cloudformation, terraform, servicecatalog, serverless, hand, etc.
11 | BackupEnabled | Technical | True | Used to specify whether backup is enabled for the resource | True/False
12 | Critical | Business | True | Indicates whether the application is critical | True/False
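As an added example (not code from the original page or from the Cloud Team's own tooling), the following Python evaluates a resource's tags against the required keys and allowed values listed in the table above, and returns the result in the shape an AWS Config custom rule reports (ComplianceType plus Annotation). The ApplicationId pattern (infra, or S followed by digits) and the Owner format are assumptions modelled on the table's examples, and the resource identifiers are constructed; wiring the evaluation into a Config Lambda handler (put_evaluations) is left out.

```python
"""Tag-compliance evaluator for the Resource Tagging policy.

Added example, not part of the original page. Mirrors the decision an
AWS Config custom rule would make: given a resource's tags, decide
COMPLIANT / NON_COMPLIANT and explain why.
"""
import re

# Required keys, in the order of the Tags table.
REQUIRED_TAGS = [
    "Owner", "OrgUnit", "ApplicationId", "Customer", "Name", "Project",
    "Environment", "Confidentiality", "Compliance", "CreatedBy",
    "BackupEnabled", "Critical",
]

# Allowed values taken from the Comments / Examples column.
ALLOWED_VALUES = {
    "Environment": {"Sandbox", "Dev", "PreProd", "Prod"},
    "BackupEnabled": {"True", "False"},
    "Critical": {"True", "False"},
    "CreatedBy": {"provisioner", "cloudformation", "terraform",
                  "servicecatalog", "serverless", "hand"},
}

# Assumed formats: "infra" (default VPC) or an app id such as S3013;
# Owner written as "First Name / Last Name / Mail".
APPLICATION_ID_RE = re.compile(r"^(infra|S\d+)$")
OWNER_RE = re.compile(r"^[^/]+ / [^/]+ / [^@\s/]+@[^@\s/]+$")


def find_violations(tags: dict) -> list[str]:
    """Return human-readable violations; an empty list means compliant."""
    violations = []
    for key in REQUIRED_TAGS:
        value = tags.get(key, "").strip()
        if not value:
            violations.append(f"missing required tag {key}")
            continue
        allowed = ALLOWED_VALUES.get(key)
        if allowed and value not in allowed:  # tag values are case-sensitive
            violations.append(f"{key}={value!r} not in {sorted(allowed)}")
    app_id = tags.get("ApplicationId", "")
    if app_id and not APPLICATION_ID_RE.match(app_id):
        violations.append(f"ApplicationId={app_id!r} has an unexpected format")
    owner = tags.get("Owner", "")
    if owner and not OWNER_RE.match(owner):
        violations.append("Owner must be 'First Name / Last Name / Mail'")
    return violations


def evaluate(resource_type: str, resource_id: str, tags: dict) -> dict:
    """Build the evaluation an AWS Config custom rule would report."""
    violations = find_violations(tags)
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": resource_id,
        "ComplianceType": "NON_COMPLIANT" if violations else "COMPLIANT",
        # Config limits annotations to 256 characters.
        "Annotation": ("; ".join(violations) or "all required tags present")[:256],
    }


# Constructed sample resources (identifiers and values are made up).
SAMPLE_RESOURCES = [
    ("AWS::EC2::Instance", "i-0123456789abcdef0", {
        "Owner": "Jane / Doe / jane.doe@example.com",
        "OrgUnit": "Cloud and Supporting Services",
        "ApplicationId": "S3013",
        "Customer": "Platform Squad",
        "Name": "app-web-1",
        "Project": "Billing Portal",
        "Environment": "Prod",
        "Confidentiality": "Internal",
        "Compliance": "None",
        "CreatedBy": "terraform",
        "BackupEnabled": "True",
        "Critical": "False",
    }),
    ("AWS::EC2::Volume", "vol-0123456789abcdef0", {
        "Name": "app-web-1-data",
        "Environment": "prod",   # wrong case: not in the allowed list
        "CreatedBy": "hand",
        "BackupEnabled": "yes",  # must be True/False
    }),
]


def evaluate_all(resources=SAMPLE_RESOURCES) -> list[dict]:
    """Evaluate every sample resource."""
    return [evaluate(t, rid, tags) for t, rid, tags in resources]


if __name__ == "__main__":
    for ev in evaluate_all():
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

The volume in the sample shows why the checks are case-sensitive: prod is not the same value as Prod, so a tag policy with Prod in its allowed list would reject it, and the evaluator reports it the same way.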

Tag restrictions

The following basic restrictions apply to tags:

  • Maximum number of tags per resource - 50.

  • For each resource, each tag key must be unique, and each tag key can have only one value.

  • Maximum key length - 128 Unicode characters in UTF-8.

  • Maximum value length - 256 Unicode characters in UTF-8.

  • Allowed characters:

    • Although EC2 allows for any character in its tags, other services are more restrictive. The allowed characters across services are: letters (a-zA-Z), numbers (0-9), and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

    • If you enable Instance tags in Instance metadata, instance tag keys can only use letters (a-zA-Z), numbers (0-9), and the following characters: + - = . , _ : @. Instance tag keys can't contain spaces or /, and can't comprise only . (one period), .. (two periods), or _index. For more information, see Work with Instance tags in Instance metadata.

  • Tag keys and values are case-sensitive.

  • The aws: prefix is reserved for AWS use. If a tag has a tag key with this prefix, then you can't edit or delete the tag's key or value. Tags with aws: prefix do not count against your tags per resource limit.
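The following Python is an added example (not code from the original page) that checks a proposed tag set against the restrictions listed above before it is submitted: the 50-tag limit (aws:-prefixed tags excluded from the count), unique keys, key and value lengths, the cross-service character set, and the stricter key rules that apply when instance tags are exposed in instance metadata. The sample tags are constructed.

```python
"""Syntax checks for a tag set against the AWS tag restrictions.

Added example, not part of the original page. Intended to run before
CreateTags / RunInstances so that a bad tag set is caught locally.
"""
import re

MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256

# Cross-service set: letters, digits, spaces and + - = . _ : / @
CROSS_SERVICE_RE = re.compile(r"^[A-Za-z0-9 +\-=._:/@]*$")
# Instance-metadata keys: no spaces or '/', but ',' is allowed
METADATA_KEY_RE = re.compile(r"^[A-Za-z0-9+\-=.,_:@]+$")
METADATA_KEY_FORBIDDEN = {".", "..", "_index"}


def check_tag(key: str, value: str, metadata_keys: bool = False) -> list[str]:
    """Problems with a single key/value pair (empty list if fine)."""
    problems = []
    if key.lower().startswith("aws:"):
        # Reserved for AWS: users cannot create, edit or delete these.
        return [f"{key!r}: the aws: prefix is reserved for AWS"]
    if not key:
        problems.append("empty tag key")
    if len(key) > MAX_KEY_LEN:
        problems.append(f"{key!r}: key longer than {MAX_KEY_LEN} characters")
    if len(value) > MAX_VALUE_LEN:
        problems.append(f"{key!r}: value longer than {MAX_VALUE_LEN} characters")
    if not CROSS_SERVICE_RE.match(key):
        problems.append(f"{key!r}: key contains characters outside the allowed set")
    if not CROSS_SERVICE_RE.match(value):
        problems.append(f"{key!r}: value contains characters outside the allowed set")
    if metadata_keys and (key in METADATA_KEY_FORBIDDEN
                          or not METADATA_KEY_RE.match(key)):
        problems.append(f"{key!r}: not usable as an instance-metadata tag key")
    return problems


def check_tag_set(tags: list[tuple[str, str]], metadata_keys: bool = False) -> list[str]:
    """Problems with a whole tag set; keys are compared case-sensitively."""
    problems = []
    user_tags = [(k, v) for k, v in tags if not k.lower().startswith("aws:")]
    if len(user_tags) > MAX_TAGS:
        problems.append(f"{len(user_tags)} tags exceed the limit of {MAX_TAGS} per resource")
    seen = set()
    for key, value in tags:
        if key in seen:
            problems.append(f"duplicate tag key {key!r}")
        seen.add(key)
        problems.extend(check_tag(key, value, metadata_keys))
    return problems


# Constructed sample tag set exercising each rule.
SAMPLE_TAGS = [
    ("Name", "app-web-1"),
    ("Environment", "Prod"),
    ("Environment", "Dev"),                    # duplicate key
    ("Team/Name", "Platform"),                 # '/' is fine, except as a metadata key
    ("Owner", "Jane Doe <jane@example.com>"),  # '<' and '>' are not allowed
    ("aws:cloudformation:stack-name", "x"),    # reserved prefix
    ("_index", "1"),                           # forbidden as a metadata key
]


def sample_problems(metadata_keys: bool = False) -> list[str]:
    """Run the checks over the constructed sample."""
    return check_tag_set(SAMPLE_TAGS, metadata_keys)


if __name__ == "__main__":
    for line in sample_problems(metadata_keys=True):
        print(line)
```

Note that the duplicate check is case-sensitive on purpose: Environment and environment are two distinct keys to AWS, which is exactly the kind of drift a tag policy is meant to catch.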

You can't terminate, stop, or delete a resource based solely on its tags; you must specify the resource identifier. For example, to delete snapshots that you tagged with a tag key called DeleteMe, you must use the DeleteSnapshots action with the resource identifiers of the snapshots, such as snap-1234567890abcdef0.

When you tag public or shared resources, the tags you assign are available only to your AWS account; no other AWS account will have access to those tags. For tag-based access control to shared resources, each AWS account must assign its own set of tags to control access to the resource.

You can't tag all resources. For more information, see Tagging support for Amazon EC2 resources.

Last modified: 17 February 2025