Upgrade AWS EKS – Older Version to Latest Otherwise Pay 500%! Learn More

Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource. 

Examples of resources include an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Amazon Simple Storage Service (Amazon S3) bucket, or a secret in AWS Secrets Manager.

Importance Of Tags

You can assign metadata to AWS resources in the form of Tags. Each Tag has a key and a value defined by the user. Tags can help you manage, identify, organize, search and filter resources. You can create Tags to classify resources according to their purpose, owner, environment or other criteria.

The Tags are important at the security level since they will allow you:

  • Assign permissions based on tags (Attribute Based Access Control – ABAC), To allow only access to development environments if they are developers (that is, if in the user or in the role assumed there is a tag such as the following (environment:development) or (environment:production) or (environment:testing).
  • Identify the individuals or business units responsible for the resource
  • Adding tags to resources, such as compromised instances, in conjunction with a Deny statement, can prevent accidental deletion of forensics evidence needed by the incident response team once that they identified that an instance is

Tagging Best practices

When you create a tagging strategy for AWS resources, follow the following best practices:

  • Do not store Personally identifiable information (PII) or other confidential information on Tags. Use a standardized format that distinguishes capital letters from tiny for labels and apply it consistently to all types of resources.
  • Take into consideration that the Tagging guidelines should be designed for multiple purposes, such as administering access control to resources, cost monitoring, automation and organization.
  • Use automated tools to help you manage resource labels. AWS resource groups and the AWS Resource Groups Tagging API allows you to control tags through programming, which facilitates automatic administration, search and filtering of labels and resources.
  • It is better to use many tags than few tags.
  • Remember that it is easy to change labels to adapt them to changing business requirements, but take into consideration the consequences of future changes. For example, changes on the attributes that are used for ABAC will require you to update IAM policies related to those tags.