Measure, enforce, and evolve
Metrics are necessary to identify improvements in this process and to evolve the governance. Are measures and KPIs improving over time? Are the envisioned outcomes being realized? Are resources being allocated properly? Is the enforcement mechanism too strong or too weak?
Examples of tagging KPIs include the following:
- Tag coverage rate (per tag key)
- Tag coverage rate (aggregate)
- Percent of total spend tagged
- Percent non-allocable spend (resources that were not tagged)
Examples of outcome-based KPIs include the following:
- Number of resources terminated
- Amount of money saved
- Time saved (for example, by automating financial allocations)
Proactive enforcement
For proactive enforcement, you can determine which resources must be tagged. Then you can apply tag policies or service control policies (SCPs) using the AWS Organizations console.
A tag policy is applied to an organizational unit (OU) or a target account. For example, a policy can require a predefined tag_value for Amazon Elastic Compute Cloud (Amazon EC2) instances and volumes. In this example, if someone tries to launch an EC2 instance with a value different from ABC123 or ABC1234 (assigned for tag_value), an error message will be returned, because the EC2 instance isn't respecting the tag policy.
SCPs are also applied to an OU or a target account. For example, an SCP can require a predefined tag_key for Amazon Elastic Compute Cloud (Amazon EC2) instances and volumes. In this example, if someone tries to launch an EC2 instance without the requested tag_key cost-center-id, an error message will be returned.
Reactive enforcement
Reactive governance is used to find resources that are not properly tagged. You can use tools such as the Resource Groups Tagging API, AWS Config rules, and Tag Editor. For example, AWS Config rules can use a managed rule required-tags to verify that every asset has been correctly tagged with a tag named cost-center-id with allowed values ABC123 or ABC1234. Any asset identified as not having the required tag or the required values in the tag will be noncompliant.
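The reactive check and the tagging KPIs described above, as an added example that is not AWS code. It runs over a constructed inventory shaped like the Resource Groups Tagging API GetResources response; the ARNs, the MonthlyCost field, and the function names are assumptions for illustration.

```python
# Added example. Inventory is constructed and shaped like the Resource Groups
# Tagging API GetResources response; MonthlyCost is an assumed extra field
# joined in from cost data. ARNs and account ID are placeholders.
REQUIRED_KEY = "cost-center-id"
ALLOWED_VALUES = {"ABC123", "ABC1234"}
ARN = "arn:aws:ec2:us-east-1:111122223333:"

SAMPLE_INVENTORY = [
    {"ResourceARN": ARN + "instance/i-0aaa", "MonthlyCost": 120.0,
     "Tags": [{"Key": "cost-center-id", "Value": "ABC123"}]},
    {"ResourceARN": ARN + "instance/i-0bbb", "MonthlyCost": 60.0,
     "Tags": [{"Key": "cost-center-id", "Value": "XYZ999"}]},   # wrong value
    {"ResourceARN": ARN + "volume/vol-0ccc", "MonthlyCost": 20.0,
     "Tags": [{"Key": "Name", "Value": "scratch"}]},            # key absent
    {"ResourceARN": ARN + "volume/vol-0ddd", "MonthlyCost": 0.0,
     "Tags": [{"Key": "Cost-Center-Id", "Value": "ABC1234"}]},  # wrong case
]

def evaluate(resource):
    """Return (status, reason) for one resource against the required tag."""
    tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
    if REQUIRED_KEY not in tags:  # tag keys are case sensitive
        return "NON_COMPLIANT", "missing tag key"
    if tags[REQUIRED_KEY] not in ALLOWED_VALUES:
        return "NON_COMPLIANT", "value not allowed"
    return "COMPLIANT", ""

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is zero."""
    return round(100 * part / whole, 1) if whole else 0.0

def tagging_kpis(inventory):
    """Compute coverage and spend KPIs plus the list of noncompliant ARNs."""
    results = {r["ResourceARN"]: evaluate(r) for r in inventory}
    has_key = [r for r in inventory
               if results[r["ResourceARN"]][1] != "missing tag key"]
    total = sum(r["MonthlyCost"] for r in inventory)
    tagged = sum(r["MonthlyCost"] for r in has_key)
    return {
        "coverage_rate_pct": pct(len(has_key), len(inventory)),
        "spend_tagged_pct": pct(tagged, total),
        "non_allocable_spend_pct": pct(total - tagged, total),
        "noncompliant": sorted(a for a, (s, _) in results.items()
                               if s == "NON_COMPLIANT"),
    }

if __name__ == "__main__":
    for name, value in tagging_kpis(SAMPLE_INVENTORY).items():
        print(name, value)
```

In the sample, instance i-0bbb counts toward tagged spend but is still noncompliant, which shows why coverage KPIs and compliance results should be tracked separately.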
To fix existing, noncompliant resources, we recommend the following solution:
Cost Explorer
After tagging the resources, you can see them by using AWS Cost Explorer.
To create Cost and Usage Reports that you can use with Amazon QuickSight or Amazon Athena, see Creating Cost and Usage Reports.
Amazon QuickSight
You can visualize your AWS cost and usage by using Amazon QuickSight.
To analyze AWS Cost and Usage Reports with Amazon QuickSight, see How do I ingest and visualize the AWS Cost and Usage Report (CUR) into Amazon QuickSight?
Amazon Athena
Amazon Athena is another way to analyze the data from your AWS Cost and Usage Reports. Amazon Athena is a serverless query service that supports standard SQL queries. Using Amazon Athena, you can query the data from Cost and Usage Reports stored in Amazon Simple Storage Service (Amazon S3).
To set up Amazon Athena for analyzing Cost and Usage Reports, see Querying Cost and Usage Reports using Amazon Athena.