Using Tag Editor - Tagging AWS Resources

Using Tag Editor

Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource. Examples of resources include an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Amazon Simple Storage Service (Amazon S3) bucket, or a secret in AWS Secrets Manager. However, you can also add tags to multiple, supported resources at once by using Tag Editor. You build a query for resources of various types, and then add, remove, or replace tags for the resources in your search results. Tag-based queries assign an AND operator to tags, so any resource that matches the specified resource types and all specified tags is returned by the query.

Important

Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. We use tags to provide you with billing and administration services. Tags are not intended to be used for private or sensitive data.

To add tags to—or edit or delete tags of—multiple resources at once, use Tag Editor. With Tag Editor, you search for the resources that you want to tag, and then manage tags for the resources in your search results.

To start Tag Editor
  1. Sign in to the AWS Management Console.

  2. Perform either of the following steps:

    • Choose Services. Then, under Management & Governance, choose Resource Groups & Tag Editor. In the navigation pane on the left, choose Tag Editor.

    • Use the direct link: AWS Tag Editor console.

Not all resources can have tags applied. For information about which resources Tag Editor supports, see the Tag Editor tagging column at Supported resource types in the AWS Resource Groups User Guide. If a resource type that you want to tag isn't supported, let AWS know by choosing Feedback in the lower left corner of the console window.

For information about permissions and roles that are required to tag resources, see Set up permissions.

Tags and attribute-based access control

Tags can be an important part of your AWS access control strategy. For information about using tags as the attributes in an attribute-based access control (ABAC) strategy, see Controlling access to AWS resources using tags and Controlling access to and for IAM users and roles using tags, both in the IAM User Guide.

For a comprehensive tutorial that shows how to grant access to different projects and groups using tags, see IAM tutorial: Define permissions to access AWS resources based on tags in the AWS Identity and Access Management User Guide.

If you use a SAML-based identity provider (IdP) for single sign-on, you can attach tags to the assumed roles providing access to your users. For more information, see IAM tutorial: Use SAML session tags for ABAC in the AWS Identity and Access Management User Guide.

Best practices for tag names

These are some best practices and naming conventions that we recommend that you use with your tags.

Key names for AWS tags are case sensitive, so ensure that they are used consistently. For example, the tag keys CostCenter and costcenter are different. One tag key might be configured as a cost allocation tag for financial analysis and reporting, and the other tag key might not be configured for the same use.

A number of tags are predefined by AWS or created automatically by various AWS services. Many AWS-generated tags use key names that are all lowercase, with hyphens separating words in the name, and prefixes followed by colons to identify the source service for the tag. For example, see the following:

  • aws:ec2spot:fleet-request-id is a tag that identifies the Amazon EC2 Spot Instance Request that launched the instance.

  • aws:cloudformation:stack-name is a tag that identifies the AWS CloudFormation stack that created the resource.

  • elasticbeanstalk:environment-name is a tag that identifies the application that created the resource.

Consider naming your tags using the following rules:

  • Use all lowercase for the words.

  • Use hyphens to separate words.

  • Use a prefix followed by a colon to identify the organization name or abbreviated name.

For example, for a fictitious company named AnyCompany, you might define tags such as:

  • anycompany:cost-center to identify the internal Cost Center code.

  • anycompany:environment-type to identify whether the environment is development, test, or production.

  • anycompany:application-id to identify the application that the resource was created for.

The prefix ensures that tags are clearly recognizable as defined by your organization and not by AWS or a third-party tool that you might be using. Using all lowercase with hyphens for separators avoids confusion about how to capitalize a tag name. For example, anycompany:project-id is simpler to remember than ANYCOMPANY:ProjectID, anycompany:projectID, or Anycompany:ProjectId.
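The following audit is an added example, not part of the original AWS page or any AWS tool. It checks tag keys against the naming rules above and groups keys that differ only in case, separators, or prefix, which matters when those keys feed cost allocation or tag-based access control. The function names, the sample inventory, and the choice to allow digits in key words are assumptions made for illustration.

```python
import re
from collections import defaultdict

ORG_PREFIX = "anycompany"  # the page's fictitious company; substitute your own
# "<prefix>:" followed by lowercase words joined by hyphens (digits allowed: assumption)
KEY_RE = re.compile(rf"^{re.escape(ORG_PREFIX)}:[a-z0-9]+(?:-[a-z0-9]+)*$")
# Prefixes taken from the page's examples of service-generated tags; not ours to rename
SERVICE_PREFIXES = ("aws:", "elasticbeanstalk:")

def normalize(key):
    """Fold case and drop the leading prefix and separators, so CostCenter,
    costcenter and anycompany:cost-center all map to the same name."""
    name = key.split(":", 1)[-1]
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit_tag_keys(inventory):
    """inventory: {resource_id: {tag_key: tag_value}}.
    Returns (violations, collisions):
      violations - sorted (resource_id, key) pairs that break the convention
      collisions - {normalized_name: [distinct spellings]} with more than one spelling
    """
    violations = []
    variants = defaultdict(set)
    for rid, tags in inventory.items():
        for key in tags:
            if key.lower().startswith(SERVICE_PREFIXES):
                continue  # service-generated tag, outside our naming rules
            variants[normalize(key)].add(key)
            if not KEY_RE.match(key):
                violations.append((rid, key))
    collisions = {n: sorted(v) for n, v in variants.items() if len(v) > 1}
    return sorted(violations), collisions

# Constructed sample inventory (resource IDs and values are made up)
SAMPLE = {
    "i-0aaa": {"anycompany:cost-center": "1234",
               "aws:cloudformation:stack-name": "web"},
    "i-0bbb": {"CostCenter": "1234", "anycompany:environment-type": "test"},
    "bucket-logs": {"costcenter": "1234", "ANYCOMPANY:ProjectID": "p1"},
    "secret-db": {"anycompany:project-id": "p1"},
}

if __name__ == "__main__":
    bad, dupes = audit_tag_keys(SAMPLE)
    for rid, key in bad:
        print(f"{rid}: key {key!r} does not follow {ORG_PREFIX}:lower-case-words")
    for name, spellings in dupes.items():
        print(f"{name}: {len(spellings)} spellings in use: {spellings}")
```

Because a tag-based query only returns resources whose keys match exactly, each spelling reported under one normalized name is a separate key that a query or policy written for the canonical form will not match.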