Using AWS-generated tags
The AWS-generated tag createdBy
is a tag that AWS defines and applies to
supported AWS resources for cost allocation purposes. To use the AWS-generated tag, a management account owner must activate it in the Billing and Cost Management console. When a management account owner
activates the tag, the tag is also activated for all member accounts. After the tag is
activated, AWS starts applying the tag to resources that are created after the
AWS-generated tag is activated.
The AWS-generated tag is available only in the Billing and Cost Management console and reports, and doesn't appear
anywhere else in the AWS console, including the AWS Tag Editor. The
createdBy
tag does not count towards your tags per resource
quota.
The aws:createdBy
tags are populated only in the following AWS Regions:
ap-northeast-1
ap-northeast-2
ap-south-1
ap-southeast-1
ap-southeast-2
cn-north-1
eu-central-1
eu-west-1
sa-east-1
us-east-1
us-east-2
us-gov-west-1
us-west-1
us-west-2
Resources created outside of these AWS Regions will not have this tag auto-populated.
The
createdBy
tag uses the following key-value definition:
key = aws:createdBy
value = account-type:account-ID or access-key:user-name or role session name
Not all values include all of the value parameters. For example, the value for a AWS-generated tag for a root account doesn't always have a user name.
Valid values for the account-type
are Root
,
IAMUser
, AssumedRole
, and
FederatedUser
.
If the tag has an account ID, the account-id
tracks the
account number of the root account or federated user who created the resource. If the
tag has an access key, then the access-key
tracks the IAM
access key used and, if applicable, the session role name.
The user-name
is the user name, if one is available.
Here are some examples of tag values:
Root:1234567890 Root: 111122223333 :exampleUser IAMUser: AIDACKCEVSQ6C2EXAMPLE :exampleUser AssumedRole: AKIAIOSFODNN7EXAMPLE :exampleRole FederatedUser:1234567890:exampleUser
For more information about IAM users, roles, and federation, see the IAM User Guide.
AWS generated cost allocation tags are applied on a best-effort basis. Issues with services that AWS-generated tag depends on, such as CloudTrail, can cause a gap in tagging.
The createdBy
tag is applied only to the following services and resources
after the following events.
AWS Product | API or Console Event | Resource Type |
---|---|---|
AWS CloudFormation (AWS CloudFormation) |
|
Stack |
AWS Data Pipeline (AWS Data Pipeline) |
|
Pipeline |
Amazon Elastic Compute Cloud (Amazon EC2) |
|
Customer gateway |
|
DHCP options |
|
|
Image |
|
|
Internet gateway |
|
|
Network ACL |
|
|
Network interface |
|
|
Route table |
|
|
Security group |
|
|
Snapshot |
|
|
Subnet |
|
|
Volume |
|
|
VPC |
|
|
VPC peering connection |
|
|
VPN connection |
|
|
VPN gateway |
|
|
Reserved-instance |
|
|
Spot-instance-request |
|
|
Instance |
|
Amazon ElastiCache (ElastiCache) |
|
Snapshot |
|
Cluster |
|
AWS Elastic Beanstalk (Elastic Beanstalk) |
|
Environment |
|
Application |
|
Elastic Load Balancing (Elastic Load Balancing) |
|
Loadbalancer |
Amazon S3 Glacier (S3 Glacier) |
|
Vault |
Amazon Kinesis (Kinesis) |
|
Stream |
Amazon Relational Database Service (Amazon RDS) |
|
Database |
|
ParameterGroup |
|
|
Snapshot |
|
|
SubnetGroup |
|
|
EventSubscription |
|
|
OptionGroup |
|
|
ReservedDBInstance |
|
|
Database |
|
Amazon Redshift (Amazon Redshift) |
|
ParameterGroup |
|
Snapshot |
|
|
SubnetGroup |
|
|
Cluster |
|
Amazon RouteĀ 53 (RouteĀ 53) |
|
HealthCheck |
|
HostedZone |
|
Amazon Simple Storage Service (Amazon S3) |
|
Bucket |
AWS Storage Gateway (Storage Gateway) |
|
Gateway |
Note
The CreateDBSnapshot
tag isn't applied to the snapshot backup
storage.
AWS Marketplace vendor-provided tags
Certain AWS Marketplace vendors can create tags and associate them with your software usage. These tags will have the prefix aws:marketplace:isv:
. To use the tags, a management account owner must activate the tag in the Billing and Cost Management console. When a management account owner activates the tag, the tag is also activated for all member accounts. Similar to aws:createdBy
tags, these tags appear only in the Billing and Cost Management console and they don't count towards your tags per resource quota. You can find the tag keys that apply to the product on the AWS Marketplace
Restrictions on AWS-generated tags cost allocation tags
The following restrictions apply to the AWS-generated tags:
-
Only a management account can activate AWS-generated tags.
-
You can't update, edit, or delete AWS-generated tags.
-
The maximum active tag keys for Billing and Cost Management reports is 500.
-
AWS-generated tags are created using CloudTrail logs. CloudTrail logs over a certain size cause AWS-generated tag creation to fail.
-
The reserved prefix is
aws:
.AWS-generated tag names and values are automatically assigned the
aws:
prefix, which you can't assign. AWS-generated tag names don't count towards the user-defined resource tag quota of 50. User-defined tag names have the prefixuser:
in the cost allocation report. -
Null tag values will not appear in Cost Explorer and AWS Budgets. If there is only one tag value that is also null, the tag key will also not appear in Cost Explorer or AWS Budgets.