
Use tags to organize AWS resources


Risk level: Low (generally tolerable level of risk)

Ensure that user-defined tags (metadata) are being used for labeling, collecting and organizing resources available within your AWS environment. Cloud Conformity recommends the following tagging schema to help you identify and manage your resources:

  • Name: used to identify individual resources.
  • Role: used to describe the function of a specific resource (e.g. web tier, database tier).
  • Environment: used to distinguish between different stages (e.g. development, production).
  • Owner: used to identify the person responsible for the resource.

This rule resolution is part of the Cloud Conformity Base Auditing Package

As your AWS environment becomes more complex, it requires better management strategies. Using a tagging schema helps you gain more visibility over your account resources and organize them more efficiently. You can use tags in different scenarios, such as tracking resource owners and their stack level, identifying which resources are incurring the highest AWS costs, and filtering available resources by deployment stage.

Note: this guide uses EC2 instances as the resources for tagging in order to demonstrate how to implement a tagging schema like the one listed above. However, you can use the same steps to search for and/or assign tags to other AWS resource types as well, such as ELBs, Auto Scaling Groups, CloudFormation stacks, etc.

Audit

To determine if your EC2 instances are using tags (metadata), perform the following (to simplify the process we will use AWS Tag Editor):

Using AWS Console

01 Login to the AWS Management Console.

02 Open the AWS Tag Editor at https://resources.console.aws.amazon.com/r/tags.

03 In the Region dropdown list, select the AWS regions that you want to include in the search process (required field).

04 In the Resource types dropdown list, select EC2 instances as resource types to search for (required field).

05 In the Tags section, in order to limit the search for resources to the specified tagging schema only, perform the following:

  1. In the first Tags field, enter Name as the name of the first tag key to search for. In the right field, representing the tag value, select Not tagged to find any EC2 instances that don't have the Name tag assigned.
  2. In the second Tags field, enter Role as the name of the tag key and select Not tagged as the tag value.
  3. In the third Tags field, enter Environment as the name of the tag key and select Not tagged as the tag value.
  4. In the fourth Tags field, enter Owner as the name of the tag key and select Not tagged as the tag value.

Once all fields are completed:

07 Click Find Resources to initiate the search process to find all EC2 instances that are not using the specified tagging schema. If one or more resources (EC2 instances) match the search criteria, they will be listed in the search results table at the bottom of the page.

Using AWS CLI

01 Run the describe-tags command (OSX/Linux/UNIX) to determine if there are any EC2 instances available in the selected region that use our tagging schema (Name, Role, Environment, Owner):

aws ec2 describe-tags \
	--region us-east-1 \
	--filters \
		"Name=key,Values=Name,Role,Environment,Owner" \
		"Name=resource-type,Values=instance" \
	--output table

If one or more EC2 instances match the criteria and have at least one of the tags specified in the schema assigned, the command output should return a table with the instance(s) metadata (instance ID and the matched tag key name/value):

----------------------------------------------------------
|                      DescribeTags                      |
+--------------------------------------------------------+
||                         Tags                         ||
|+-----+--------------+----------------+----------------+|
|| Key | ResourceId   | ResourceType   |     Value      ||
|+-----+--------------+----------------+----------------+|
||Name |  i-51b90ccc  |  instance      |  web-server-1  ||
|+-----+--------------+----------------+----------------+|

If there aren't any EC2 instances that match the command criteria in the selected region, the command output should return an empty DescribeTags table:

--------------
|DescribeTags|
+------------+
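
The describe-tags query above lists instances that carry at least one schema tag; it does not show which instances lack one. The following added example (not part of the original page or of Cloud Conformity's tooling) checks describe-instances JSON against the four keys and reports the missing ones per instance. The instance i-aaaaaaaa, the sample tag values not shown on this page, and the require_value option are assumptions of the example.

```python
import json
import sys

# Tag keys from the schema recommended on this page.
REQUIRED_TAGS = ("Name", "Role", "Environment", "Owner")

def missing_tags(instance, required=REQUIRED_TAGS, require_value=True):
    """Return the required keys an instance lacks.
    Tag keys are case-sensitive, so 'owner' does not satisfy 'Owner'.
    With require_value=True (an assumption of this example) a key whose
    value is empty or whitespace also counts as missing."""
    # An instance with no tags has no "Tags" field in the response at all.
    present = {t["Key"]: t.get("Value", "") for t in instance.get("Tags", [])}
    if require_value:
        return [k for k in required if not present.get(k, "").strip()]
    return [k for k in required if k not in present]

def audit(response, **options):
    """Map instance ID -> missing keys, for non-compliant instances only."""
    findings = {}
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            gaps = missing_tags(instance, **options)
            if gaps:
                findings[instance["InstanceId"]] = gaps
    return findings

def _inst(instance_id, **tags):
    """Build one constructed instance record; no tags means no Tags field."""
    record = {"InstanceId": instance_id}
    if tags:
        record["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return record

# Constructed sample shaped like `aws ec2 describe-instances --output json`.
SAMPLE = {"Reservations": [{"Instances": [
    _inst("i-57b90cca", Name="Web-Server-Prod", Role="Web-Tier",
          Environment="Production", Owner="Web-Admin-Prod"),
    _inst("i-51b90ccc", Name="web-server-1"),
    _inst("i-56b90ccb"),
    _inst("i-aaaaaaaa", Name="batch-1", Role="Worker", Environment="", owner="ops"),
]}]}

if __name__ == "__main__":
    # Pass a file saved from the CLI's JSON output, or run bare for SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for instance_id, gaps in sorted(audit(data).items()):
        print(f"{instance_id}: missing {', '.join(gaps)}")
```

To audit a real region, save the output of aws ec2 describe-instances --region us-east-1 --output json to a file and pass its path as the first argument.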

Remediation / Resolution

Case A: to assign tags to your instances without using AWS Tag Editor, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under the INSTANCES section, click Instances.

04 Select the EC2 instance that you need to assign tags to.

05 Select the Tags tab from the bottom panel and click the Add/Edit Tags button.

06 In the Add/Edit Tags dialog box, click Create Tag to add a new tag key/value pair. Repeat the process for each new tag, using Name, Role, Environment and Owner as tag key names and entering your own metadata as tag values.

07 Once you create all the necessary tags, click Save to assign the new tags to the selected instance.

08 Repeat steps no. 4 – 7 for each instance available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) to expose the ID of each EC2 instance available in the selected region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

The command output should return a table with all instance IDs available in the selected region:

|DescribeInstances|
+-----------------+
|  i-57b90cca     |
|  i-56b90ccb     |
|  i-51b90ccc     |
+-----------------+

02 Run the create-tags command (OSX/Linux/UNIX) using the resource ID to assign tags to the selected EC2 instance. The following example assigns 4 tags (Name, Role, Environment, Owner) to an instance with the ID i-57b90cca, available in the US East region:

aws ec2 create-tags \
	--resources i-57b90cca \
	--tags \
		Key=Name,Value=Web-Server-Prod \
		Key=Role,Value=Web-Tier \
		Key=Environment,Value=Production \
		Key=Owner,Value=Web-Admin-Prod

03 Run the describe-tags command (OSX/Linux/UNIX) to make sure that the tagging schema has been successfully assigned to the EC2 instance:

aws ec2 describe-tags \
	--region us-east-1 \
	--filters \
		"Name=key,Values=Name,Role,Environment,Owner" \
		"Name=resource-type,Values=instance" \
	--output table

The command output should return a table with the instance metadata, such as the instance ID and the newly assigned tags:

-------------------------------------------------------------------|
|                           DescribeTags                           |
+------------------------------------------------------------------+
||                              Tags                              ||
|+-------------+-------------+----------------+-------------------+|
||     Key     | ResourceId  | ResourceType   |       Value       ||
|+-------------+-------------+----------------+-------------------+|
||  Environment|  i-57b90cca |  instance      |  Production       ||
||  Name       |  i-57b90cca |  instance      |  Web-Server-Prod  ||
||  Owner      |  i-57b90cca |  instance      |  Web-Admin-Prod   ||
||  Role       |  i-57b90cca |  instance      |  Web-Tier         ||
|+-------------+-------------+----------------+-------------------+|

Case B: to assign tags to your EC2 instances using AWS Tag Editor, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Open the AWS Tag Editor at https://resources.console.aws.amazon.com/r/tags.

03 In the Region dropdown list, select the AWS regions that you want to include in the search process (required field).

04 In the Resource types dropdown list, select EC2 instances as resource types to search for (required field).

05 In the Tags section, in order to limit the search for resources to our tagging schema only, perform the following:

  1. In the first Tags field, enter Name as the name of the first tag key to search for. In the right field, representing the tag value, select Not tagged to find any EC2 instances that don't have the Name tag assigned.
  2. In the second Tags field, enter Role as the name of the tag key and select Not tagged as the tag value.
  3. In the third Tags field, enter Environment as the name of the tag key and select Not tagged as the tag value.
  4. In the fourth Tags field, enter Owner as the name of the tag key and select Not tagged as the tag value.

06 Once all fields are completed, click Find Resources to initiate the search process to find all EC2 instances that are not using the specified tagging schema. The AWS Tag Editor will return a list with all EC2 instances that match the search criteria.

07 Once the list of resulting instances is displayed, perform the following:

  1. To add a new tag to an EC2 instance, click the plus icon under each key name column, add your custom value, then click the check icon to apply the tag.
  2. To assign a new tag to an EC2 instance without specifying a value, click the plus icon under each key name column, then click the check icon without entering a value.
  3. To edit a tag value, click the pencil icon next to the existing value, edit it, then click the check icon to apply the change.
  4. To remove a tag value, click the x icon next to the current value.


Publication date Apr 21, 2016