Tagging resources in Service Quotas
A tag is a custom attribute label that you add to an AWS resource to make it easier to identify, organize, and search for resources. Each tag has two parts:
-
A tag key, such as
CostCenter
,Environment
, orProject
. Tag keys are case sensitive. -
A tag value, such as
111122223333
orProduction
. You can set the value of a tag to an empty string, but you can't set the value of a tag to null. Omitting the tag value is the same as using an empty string. Like tag keys, tag values are case sensitive.
You can use tags to categorize resources by purpose, owner, environment, or other criteria.
Tags help you do the following:
-
Identify and organize your AWS resources. Many Amazon Web Services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related.
-
Track your AWS costs. You activate these tags on the AWS Billing and Cost Management dashboard. AWS uses the tags to categorize your costs and deliver a monthly cost allocation report to you. For more information, see Use cost allocation tags in the AWS Billing User Guide.
-
Control access to your AWS resources. For more information, see Controlling access using tags in the IAM User Guide.
Topics
Resources that support tagging in Service Quotas
The Service Quotas resources for tagging support Applied quotas, previously requested quota increases approved by AWS Support.
You can tag quotas only if they have an applied quota value. Quotas with default quota values can’t be tagged.
Don't store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags aren't intended to be used for private or sensitive data.
Tag restrictions
The following restrictions apply to tags on Service Quotas resources:
-
Maximum number of tags that you can assign to a resource – 50
-
Maximum key length – 128 Unicode characters
-
Maximum value length – 256 Unicode characters
-
Valid characters for key and value – a-z, A-Z, 0-9, space, and the following characters: _ . : / = + - and @
-
Keys and values are case sensitive.
-
Don't use
aws:
as a prefix for keys because it's reserved for AWS use.
Permissions required for tagging Service Quotas resources
You must configure permissions to allow your users or roles to manage tags in Service Quotas. The permissions that are required to administer tags usually correspond to the API operations for the task.
To ensure that users and roles can use the Service Quotas console for tagging operations, attach the
ServiceQuotasReadOnlyAccess
AWS managed policy to the entities. For more
information, see Adding permissions to a user in the IAM User Guide.
-
To add tags to applied quotas, you must have the following permissions:
servicequotas:ListTagsForResource
servicequotas:TagResource
-
To view tags for an applied quota, you must have the following permissions:
servicequotas:ListTagsForResource
-
To remove existing tags from an applied quota, you must have the following permissions:
servicequotas:UntagResource
-
To edit existing tag values for applied quotas, you must have the following permissions:
servicequotas:ListTagsForResource
servicequotas:TagResource
servicequotas:UntagResource
Managing Service Quotas tags (console)
You can manage Service Quotas tags by using the AWS Management Console.
Sign in to the AWS Management Console and open the Service Quotas console at https://console.aws.amazon.com/servicequotas/home
. -
In the navigation page, choose AWS services.
-
Choose an AWS service from the list, or type the name of the service in the search box.
-
Choose a service with a value in the Applied quota value column.
-
In the Tags section, choose Manage tags. This option is not available for quotas without an applied quota value.
-
You can add or remove tags, or you can edit tag values for existing tags. Enter a name for the tag in Key. You can add an optional value for the tag in Value.
-
After making all of your changes to tags, choose Save changes.
If the operation is successful, you are returned to the quota details page where you can verify your changes. If the operation fails, please follow the instructions in the error message to resolve it.
Managing Service Quotas tags (AWS CLI)
You can manage Service Quotas tags by using the AWS Command Line Interface (AWS CLI).
-
To add tags to applied quotas
aws service-quotas tag-resource
-
To view tags for an applied quota
aws service-quotas list-tags-for-resource
-
To delete existing tag values for applied quotas
aws service-quotas untag-resource
Managing Service Quotas tags (AWS API)
You can manage Service Quotas tags by using the Service Quotas API.
-
To add tags to applied quotas
-
To view tags for an applied quota
-
To delete existing tag values for applied quotas
Controlling access using Service Quotas tags
To control access to Service Quotas resources based on tags, you provide tag information in the
condition
element of a policy using the
aws:ResourceTag/
,
key-name
aws:RequestTag/
, or
key-name
aws:TagKeys
condition keys. For more information about these condition keys,
see Controlling access to AWS resources using
resource tags in the IAM User Guide.
For example, when you attach the following policy to an AWS Identity and Access Management (IAM) user or role,
that entity can request an increase to Amazon Athena applied quotas that are tagged
with the tag key Owner
and tag value
admin
.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["servicequotas:RequestServiceQuotaIncrease"], "Resource": "arn:aws:servicequotas:*:*:athena/*", "Condition": { "StringEquals": {"aws:ResourceTag/Owner": "admin"} } } ] }
You can also attach tags to IAM entities (users or roles) to use attribute-based access control (ABAC). ABAC is an authorization strategy that defines permissions based on attributes. Tagging entities and resources is the first step of ABAC. Then you design ABAC policies to allow operations when the principal's tag matches the tag on the resource that they're trying to access. ABAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome.
For more information about ABAC, see What is ABAC? in the IAM User Guide. To view a tutorial with steps for setting up ABAC, see IAM tutorial: Define permissions to access AWS resources based on tags in the IAM User Guide.