AWS Tagging Strategy Guide: 15 Best Practices In 2023

Engineers want to innovate, fix issues, and improve existing code. Finance wants to report accurately on the company's return on technology investment. Yet, the cloud is like a menu without the pricing.

Engineers can practice continuous improvement without slowing down but they can also use up computing resources without being fully aware of the costs they incur, only to be surprised with a higher than usual AWS bill. 

Even worse is not knowing where, what, when, or who is driving up their AWS costs. This can make it difficult for both engineering and finance to understand their cloud costs and what drives their spend.

Enter AWS tagging.

Tagging provides a way for organizations to identify various resources on AWS — and can help companies understand their usage, costs, performance, and more.

A tagging strategy defines specific rules and practices for an organization to follow and implement. This strategy helps your team know exactly how to use tags (including proper formatting), who should create them, and how tagging decisions will be made.

In this guide, we’ll cover the fundamentals of tags — what tags are, when you should use them, and the challenges of tagging — as well as best practices you can use to create a comprehensive AWS tagging strategy.

Table Of Contents

• What Are Tags In AWS?
• Why Would You Use Tags In AWS? (Use Cases)
• Three Major Challenges With Tagging In AWS
• How To Implement A Comprehensive Tagging Strategy
• 15 AWS Tagging Best Practices
• What To Do If Your Tagging Is A Mess

What Are Tags in AWS?

AWS tags are labels that help identify various resources on AWS. AWS resources such as EC2, S3, Redshift, and EFS all support tagging. 

Tags consist of a key and value pair. For each resource, you can create a unique key with only one value. 

Tagging is like keeping a shopping list. You label different items according to their type and use, such as groceries and collard greens. Translate that into business terms. The key would be a business segment such as Team. You could then assign the values of DevOps, Finance, and Marketing to that key.

See the table below for more details.

You can assign more than one value to one key. Keys such as Business Unit, Account, Project, Owner, Environment, and Cost Center are also popular. Tags like these help you identify what team owns a resource, in what environment it runs, and in which business unit it belongs.

The following table shows multiple keys and the unique values they contain:

You can see now that tagging in AWS works by enabling users to add descriptive metadata ("tags") to assets, including EC2 instances, S3 buckets, databases, and Lambda functions in the cloud. 

Tags add context to a resource by providing additional information about its use. This allows organizations to categorize their resource utilization insights, which can be especially helpful when organizing usage and cost data on a large scale. 

---------------------------------------------------------------------------------------------

Want A Free Tagging Toolkit?

All the info and support you need to implement a strategy across your entire cloud environment

---------------------------------------------------------------------------------------------

The two types of AWS tags

There are two types of AWS tags:

• AWS generated tags - These are tags that AWS automatically generates, so you cannot alter them. Their prefix is usually aws: (aws:createdBy), and they typically contain a string of numbers and letters. You can tell who created the resource by looking at the createdBy tag. Subnet IDs and instance IDs are two examples of AWS generated tags.
• User generated tags - These are tags you create, define, and implement as you see fit for your use cases. AWS lets you add 50 tags to a single resource. 

Credit: AWS Docs

Let’s talk about AWS cost allocation tags. 

While they are based on ordinary AWS tags, you need to take an extra step and designate specific tag(s) as cost allocation tag(s) in AWS. Once an account is moved to another organization as a member, you must re-activate the cost allocation tags again. 

Plus, only a management account or a single account that isn’t a member of an organization can access cost allocation tags in Billing and Cost Management.

But that's not all. 

• You can only see your cost allocation tags in Billing and Cost Management if you've also enabled AWS Cost and Usage Reports, AWS Cost Explorer, legacy reports, or AWS Budgets. 
• Resources you created before tagging do not have tags assigned to them. They cannot be backdated.
• Unmetered resources can be tagged, but they do not appear in the Cost Management suite.
• Since Billing and Cost Management does not decode or encode tags for you, you have to manually tag your resources to start collecting and making sense of your AWS spending.

The Three Major Challenges With Tagging

Some common obstacles to implementing proper AWS tagging:

1. Lack of an AWS tagging strategy or late adoption - It can be challenging to develop a comprehensive tagging strategy that requires input from many different parts of the organization. Many companies have yet to undergo this process or are trying to do it as their cloud usage grows.
2. Inadequate governance and enforcement/consistency - As organizations scale and add new teams and cloud services, any existing tagging structures will inevitably break down without effort to hold them in place. 
3. Unaware of available tools and platforms - Tagging can be complex, but you don’t have to go it alone. Platforms like CloudZero are here to help, whether your tagging is perfect or far from it. 

Why Would You Use Tags In AWS? AWS Tagging Use Cases

Tags help organize cloud infrastructure. Let's go back to the earlier shopping list to illustrate this point better. 

Let's say you went to a store, put everything you needed in a cart, and walked to the checkout counter to pay. If the POS system is broken, what might you do? 

The cashier could calculate the lump sum price of the items based on their physical price tags. There wouldn't be a receipt to detail what each item cost. The following month, when you calculate your monthly expenses, you wouldn’t know how much you spent on what items for what specific purposes. 

For instance, you probably wouldn't remember exactly how much money you spent on groceries or toiletries. So you wouldn’t have a reference for budgeting the following months' expenses. 

As most companies do on AWS, you would enter the new month blind, without an idea of how much each shopping category costs, when to prepare to re-order supplies, etc. 

Just as receipts give you a sense of how much you have spent on specific items, tagging resources helps organizations: 

• Know where their AWS budget is going.
• Analyze their resource usage so they can forecast future resource requirements.
• Find ways to reduce their AWS bill using cloud cost optimization methods, like eliminating unused resources. It is impossible to optimize what you do not measure, after all.
• Relate cloud resource utilization to business units, such as departments or projects.
• Use tagging data to identify resources that require updating.
• Use security-related tags and anomaly detection to assess the security of the resources.
• Use owner tags to improve accountability by revealing who has activated which resources, which instances they have activated, and restricting which resources an individual can access.             

As resources are provisioned to serve a mix of purposes in shared cloud accounts, tagging helps differentiate them, revealing how much each part costs regardless of the rest. As a result, engineering, product, and finance teams can search and filter your company's cloud resources more efficiently and report on cost, usage, and performance.

A company can also use tagging to answer questions about their business and product strategies, such as:

• What is the most expensive feature of our product?
• How much does this product cost per user or per instance?
• Which projects cost us the most to support?
• What features do most of our customers use?

Surely you'd like to take advantage of these and other benefits of AWS tagging. So where do you begin?

How To Implement A Comprehensive AWS Tagging Strategy

Your AWS console offers an AWS Tag Editor for tagging different resources. The service allows you to create and/or delete keys and add and remove tags from individual and/or multiple resources at once.

Suppose you deploy resources using an automated method (such as Cloud Formation templates). In that case, you can embed tagging requirements in the template so that resources can launch automatically with the proper tags applied.

As your company grows and develops its cloud environment, you can also use AWS Config rules, which can do anything from alerting you to assets that aren't appropriately tagged to offering developers pre-selected tag values to prevent capitalization or naming mistakes, to preventing assets from launching all together if they are not tagged correctly.

So, how do you implement a suitable tagging strategy for your AWS needs? 

When tagging your public cloud environment, it helps to start at a high level and answer a few questions related to People, Process, and Technology. 

We recommend collaborating across departments to answer these questions, including obtaining feedback from all stakeholders of your organization who are planning to use AWS or relate to it in some other way. 

• People - Do you have buy-in from different business units and leaders? Do you have a dedicated team in place to lead the initiative?
• Process - How complex is your cloud environment, and how complex do you want your tagging strategy to be? What is the process for adding or deleting new tags? What is the organization looking to achieve or to see through its tagging system? What are the reporting needs that we need our tagging structure to support? What prior tagging structures should be retained or changed?
• Technology - Do you (or the team tasked with this initiative) have an understanding of tags and the products and services that support them? What is the team’s overall level of familiarity with AWS Tag Editor and AWS Config? 

After initial planning, a few standard categories and dimensions serve as a great stepping stone for actual tagging. These categories are certainly not exhaustive, and multiple buckets can and should be used simultaneously.

With the answers to these high-level questions, there are many more granular questions related to the tagging itself that you’ll want to consider:

• What casing will you standardize on? (Keys and values are case sensitive in AWS, and we recommend always using a standardized, case sensitive format)
• Will your tags be used for resource control, automation, or both?
• Which tags will be allowed or blocked? 
• Will you use automation such as AWS Config to assist in your tagging? 
• How many tags should you use? As more tags lead to more granularity in reporting, we recommend erring on the side of using too many tags instead of too few. 
• How will future changes to your business impact your tagging strategy? If you use tags to regulate access control, automation, or billing reports, understand how changing those tags will affect the related processes. 
• What naming or service restrictions do you need to take into consideration? 
• How will your tagging strategy promote regulatory compliance, if desired or necessary for your business?

15 AWS Tagging Strategy Best Practices 

Here's a high-level overview of some of the best practices for improving your AWS tagging strategy (in no particular order).

1. Identify and brainstorm tag requirements with a cross-functional team. 
2. Name your tags, so every employee in your organization knows the key, values, and purpose and how to use them consistently.
3. The more tags, the better. The more tags you have, the better your AWS visibility.  
4. Standardize your tagging format to prevent duplications, mix-ups, and inconsistencies.
5. Bulk tag resources with AWS Tag Editor.   
6. Don't use tags to store confidential data, such as your personal information. Because tags are used across many services on AWS, the information could be accidentally shared.
7. Automation tools, such as CloudFormation templates, can help you tag resources proactively, especially as you scale. 
8. Use AWS Identity and Access Management (IAM) to restrict who has access to the resources you tag.
9. Get notified automatically when tags are incorrect or missing.
10. Tag costs with actual business purposes, categories, and segments.
11. Configure alert management and anomaly detection to ensure your team gets rapid alerts. Limit the number of alerts they receive to prevent alert fatigue. 
12. Designate a tag owner - the individual who owns a specific tag and is able to demonstrate its value to the organization.
13. Avoid compound tags (tags with multiple values) in favor of single value tags.     
14. Meet regularly to review, revise, and reinvent AWS tagging best practices based on your changing needs. 
15. Use a platform that meets you where you are in your tagging journey — and can provide cost insight even if your tagging isn’t perfect.

What To Do If Your Tags Are Already A Mess? How To Allocate Costs Without Perfect Tags

Ultimately, no matter how your organization approaches tagging, it’s essential to have a plan and solid understanding of how you will implement your AWS tagging strategy. 

We recommend that you create dynamic documents that outline your organization's answers to the questions above and provide a place for any questions, rules, or rationales related to tagging. 

As time passes and teams evolve, regular check-ins and updates across teams will reinforce your chosen approach. Therefore, this document should be updated regularly and circulated to all relevant teams.

A sample bundle of these planning documents is available for a free download HERE. 

Additionally, we recommend checking out our article, “Messy AWS Tags? Confidently Allocate Costs Without a Perfect Tagging Strategy”, to learn more about ways you can allocate costs without perfect tagging.

Lastly, if cost allocation is a concern for you and you need cost visibility today, CloudZero’s cost allocation solution can provide you with cost intelligence in a matter of hours — versus weeks or months. CloudZero meets you where you are in your tagging strategy — providing immediate visibility whether your tags are perfect, or a total mess.

CloudZero works similar to how you define Infrastructure as Code — we use a code artifact to define how to organize costs. This gives you flexibility and accuracy — even for Kubernetes, shared costs in multi-tenant applications, and non-taggable AWS services.

 to see how it works!