How to Enforce Mandatory Tags Across Your AWS Resources

Standardize resource labeling with mandatory tags. Learn how to check and manage tags on your AWS resources.

Patrick Londa
Author
Feb 16, 2022

Amazon Web Services (AWS) tags help developers and teams organize resources. Without proper labeling practices, you could end up with scattered resources and no way to identify their purpose or provenance.

Setting up mandatory tags in AWS standardizes their use within a given environment, as users can’t create new resources unless they add a compliant tag. Enforcing mandatory tags helps you build upon and enrich your cloud management environment. As a result, your team will be able to properly manage your AWS resources and leverage them efficiently.


What Are Mandatory Tags in AWS?

An AWS tag consists of a user-defined tag key and a tag value. Below are some of the most common tag types used for AWS resources and related attributes.

Common Types of Mandatory Tags in AWS

Technical tags
  • Name: Used to identify an individual resource
  • Application ID: Identifies resources associated with a specific application
  • Application Role: Describes a resource’s function, like a web server or message broker
  • Cluster: Identifies resource farms that share standard configurations and functions
  • Environment: Identifies whether the resource belongs to a development or production environment
  • Version: Distinguishes between different versions of a resource or application
Automation tags
  • Date/Time: Identifies the period for when to start, stop, delete, or rotate a resource
  • Opt-in/Opt-out: Identifies when to include a resource with an automated activity
  • Security: Outlines security requirements and identifies route tables or security groups that require additional review
Business tags
  • Project: Identifies the project supported by the resource
  • Owner: Identifies who’s responsible for managing the resource
  • Cost Center/Business Unit: Identifies the business unit or cost center linked to the resource
  • Customer: Identifies the client who relies on the resource
Security tags
  • Confidentiality: Identifies the data confidentiality level supported by the resource
  • Compliance: Identifies workloads required to follow specific compliance requirements

Best Practices for Tagging in AWS Resources

When naming your tags, use a case-sensitive, standardized format and apply those tags consistently across all resources. Be sure your new labels do not contain any sensitive or personally identifiable information and design your tags so that they can be reused for multiple purposes. 

Remember, since the goal of mandatory tagging is to better organize and manage your AWS resources, don't hold back on the number of tags you create. It's better to have too many tags than not enough. Finally, leverage low-code automation tools like Steampipe to simplify your resource management and enforce mandatory AWS tags.

Setting up Mandatory Tags in AWS

Once you’ve designed a tag policy, go into your organization's AWS management account and ensure you have service control policies (SCPs) enabled. Create a new SCP and add all relevant details. Select "Add actions" to select the resources you wish to control. Use "Add condition" to define any condition keys to include with your policy. Alternatively, you can use the JSON editor to manually create an SCP.
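The JSON editor route described above, shown as an added example that generates the policy document for a list of tag keys; it is not the author's or AWS's own policy. The action `ec2:RunInstances`, the instance ARN pattern, and the function names are assumptions chosen for illustration.

```python
import json

SCP_MAX_CHARS = 5120  # AWS Organizations size limit for one SCP document

def build_tag_scp(mandatory_tags, action="ec2:RunInstances",
                  resources=("arn:aws:ec2:*:*:instance/*",)):
    """Build an SCP that denies `action` when any mandatory tag key is absent."""
    statements = []
    for i, key in enumerate(mandatory_tags):
        # Sid values may only contain ASCII letters and digits and must be unique.
        sid = "".join(c for c in key if c.isascii() and c.isalnum())
        statements.append({
            "Sid": f"DenyCreateWithout{sid}{i}",
            "Effect": "Deny",
            "Action": action,
            "Resource": list(resources),
            # Null/"true" matches when the request carries no tag with this key.
            # One statement per key: keys placed in a single condition block
            # are ANDed, which would deny only when every tag is missing.
            "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}

def render_scp(policy):
    """Serialize the policy for the JSON editor, refusing oversized documents."""
    text = json.dumps(policy, indent=2)
    if len(text) > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {len(text)} characters, limit is {SCP_MAX_CHARS}")
    return text

if __name__ == "__main__":
    tags = ["Application", "Environment", "Department", "Owner"]
    print(render_scp(build_tag_scp(tags)))
```

Tag keys are case-sensitive, so the keys passed in must match the tag policy exactly.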

How to Enforce Mandatory Tags in AWS

Tools like the Steampipe CLI let you automatically run SQL scripts to check for untagged resources within your AWS environments. Use the following steps to manually check for AWS resources that are missing any mandatory tags. As a prerequisite, you’ll need the AWS Client running on your computer.

Step 1: Install the Steampipe CLI

Follow the Steampipe installation steps for Mac, Windows, or Linux. It is a simple one-step installer, so it shouldn’t take long to get started.

Then run this command to install the AWS plugin, which this use case needs:

steampipe plugin install aws

Step 2: Clone the mod repository

To clone the mod repository, just run this command:

git clone git@github.com:turbot/steampipe-mod-aws-tags
cd steampipe-mod-aws-tags

Step 3: Check for mandatory tags

Next, you should run this command to check for mandatory tags, customizing the variables as needed:

steampipe check aws_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'

If you want to look into additional customizations for your instance, you can find the relevant information on Steampipe controls here.
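To show what a mandatory-tag check has to decide for each resource, here is an added example (not Steampipe's or Blink's code) that audits instance records for the same four tag keys. It goes beyond a plain presence check by separating case-variant keys and empty values from truly missing tags; the instance IDs and tag values are constructed sample data shaped like EC2 DescribeInstances output.

```python
MANDATORY_TAGS = ["Application", "Environment", "Department", "Owner"]

# Constructed sample records; real ones would come from DescribeInstances.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa0000000000001", "Tags": [
        {"Key": "Application", "Value": "billing"},
        {"Key": "Environment", "Value": "prod"},
        {"Key": "Department", "Value": "finance"},
        {"Key": "Owner", "Value": "team-payments"}]},
    {"InstanceId": "i-0aaa0000000000002", "Tags": [
        {"Key": "Application", "Value": "billing"},
        {"Key": "environment", "Value": "dev"},   # wrong case
        {"Key": "Owner", "Value": ""}]},          # present but empty
    {"InstanceId": "i-0aaa0000000000003"},        # untagged: no Tags key
]

def audit_instance(instance, mandatory=MANDATORY_TAGS):
    """Classify each mandatory key as ok, missing, wrong-case, or empty."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    lowered = {k.lower(): k for k in tags}
    finding = {"missing": [], "wrong_case": {}, "empty": []}
    for key in mandatory:
        if key in tags:
            if not tags[key].strip():
                finding["empty"].append(key)
        elif key.lower() in lowered:
            # Tag keys are case-sensitive, so this does not satisfy the policy.
            finding["wrong_case"][key] = lowered[key.lower()]
        else:
            finding["missing"].append(key)
    return finding

def non_compliant(instances, mandatory=MANDATORY_TAGS):
    """Return {instance_id: finding} for every instance with a problem."""
    report = {}
    for inst in instances:
        finding = audit_instance(inst, mandatory)
        if any(finding.values()):
            report[inst["InstanceId"]] = finding
    return report

if __name__ == "__main__":
    for instance_id, finding in non_compliant(SAMPLE_INSTANCES).items():
        print(instance_id, finding)
```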

Better Cloud Management With Mandatory AWS Tags

AWS tags are great to use in your test environment to ensure you don't accidentally deploy the wrong resources with a project. Furthermore, using mandatory tags throughout your AWS environment makes it easier to search, filter, and organize your resources.

Automate Checks like this with Blink:

For quick checks like this, using a specific CLI tool or script might get the job done, but it can be hard to incorporate into your regular Day 2 practice.

With Blink, you can schedule checks just like this one in a few clicks:

Blink Automation: Ensure EC2 Instances Have Mandatory Tags in AWS

This automation is available in the Blink library. When it runs, it does the following steps:

  1. Checks whether all EC2 instances have specific mandatory tags.
  2. Sends a report of non-compliant EC2 instances to a specified email address.

This simple automation is easy to customize. Run it on a schedule or send the report via Slack or Teams.

There are over 5K automations in the Blink library to choose from, or you can build your own to match your unique needs.

Get started with Blink today and see how easy automation can be.
