Defining and publishing a tagging schema
Employ a consistent approach in tagging your AWS resources, both for mandatory and optional tags. A comprehensive tagging schema helps you to achieve this consistency. The following examples can help get you started:
- Agree on the mandatory tag keys
- Define acceptable values and tag naming conventions (upper or lower case, dashes or underscores, hierarchy, and so on)
- Confirm values would not constitute personally identifiable information (PII)
- Decide who can define and create new tag keys
- Agree on how to add new mandatory tag values and how to manage optional tags
Review the following tagging categories table, which can be used as a baseline of what you might include in your tagging schema. You still need to determine the convention you will use for the tag key and what values are permitted for each. The tagging schema is the document in which you define this for your environment.
Table 6 – Example of a definitive tagging schema
Use Case | Tag Key | Rationale | Allowed Values (Listed or value prefix/suffix) | Used for Cost Allocation | Resource Types | Scope | Required |
---|---|---|---|---|---|---|---|
Cost Allocation | example-inc:cost-allocation:ApplicationId | Track cost vs value generated by each line of business | DataLakeX, RetailSiteX | Y | All | All | Mandatory |
Cost Allocation | example-inc:cost-allocation:BusinessUnitId | Monitor costs by business unit | Architecture, DevOps, Finance | Y | All | All | Mandatory |
Cost Allocation | example-inc:cost-allocation:CostCenter | Monitor costs by cost center | 123-* | Y | All | All | Mandatory |
Cost Allocation | example-inc:cost-allocation:Owner | Which budget holder is responsible for this workload | Marketing, RetailSupport | Y | All | All | Mandatory |
Access Control | example-inc:access-control:LayerId | Identify SubComponent / Layer to grant access to resources based on the role | DB_Layer, Web_Layer, App_Layer | N | All | All | Optional |
Automation | example-inc:automation:EnvironmentId | Implement scheduling of test and development environments, also referred to as software development lifecycle (SDLC) stage | Prod, Dev, Test, Sandbox | N | EC2, RDS, EBS | All | Mandatory |
DevOps | example-inc:operations:Owner | Which team/squad is responsible for the creation and maintenance of the resource | Squad01 | N | All | All | Mandatory |
Disaster Recovery | example-inc:disaster-recovery:rpo | Define the recovery point objective (RPO) for a resource | 6h, 24h | N | S3, EBS | Prod | Mandatory |
Data Classification | example-inc:data:classification | Classify data for compliance and governance | Public, Private, Confidential, Restricted | N | S3, EBS | All | Mandatory |
Compliance | example-inc:compliance:framework | Identifies the compliance framework the workload is subject to | PCI-DSS, HIPAA | N | All | Prod | Mandatory |
After the tagging schema is defined, manage the schema in a version-controlled repository that is made accessible to all the relevant stakeholders for easy reference and trackable updates. This approach improves efficiency and allows for agility.
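The following is an added example, not part of the original document: five rows of Table 6 expressed as a machine-readable schema that can live in the same repository, with a checker that reports missing mandatory tags, disallowed values, and key drift. The `SCHEMA` layout, the `check_tags` function, the sample tags, and the choice to evaluate the Scope column against the `EnvironmentId` tag are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Rows taken from Table 6; the dict layout itself is an assumption of this example.
# A "types" or "scope" of None means "All".
SCHEMA = {
    "example-inc:cost-allocation:CostCenter": {
        "allowed": ["123-*"], "types": None, "scope": None, "required": True},
    "example-inc:access-control:LayerId": {
        "allowed": ["DB_Layer", "Web_Layer", "App_Layer"],
        "types": None, "scope": None, "required": False},
    "example-inc:automation:EnvironmentId": {
        "allowed": ["Prod", "Dev", "Test", "Sandbox"],
        "types": {"EC2", "RDS", "EBS"}, "scope": None, "required": True},
    "example-inc:disaster-recovery:rpo": {
        "allowed": ["6h", "24h"], "types": {"S3", "EBS"},
        "scope": {"Prod"}, "required": True},
    "example-inc:data:classification": {
        "allowed": ["Public", "Private", "Confidential", "Restricted"],
        "types": {"S3", "EBS"}, "scope": None, "required": True},
}
ENV_KEY = "example-inc:automation:EnvironmentId"
PREFIX = "example-inc:"

def check_tags(resource_type, tags):
    """Return a sorted list of findings for one resource's tags."""
    findings = []
    env = tags.get(ENV_KEY)  # assumption: Scope is matched against this tag
    for key, rule in SCHEMA.items():
        in_types = rule["types"] is None or resource_type in rule["types"]
        in_scope = rule["scope"] is None or env in rule["scope"]
        if not (in_types and in_scope):
            continue
        if key not in tags:
            if rule["required"]:
                findings.append(f"missing mandatory tag: {key}")
        elif not any(fnmatchcase(tags[key], p) for p in rule["allowed"]):
            findings.append(f"value not allowed for {key}: {tags[key]!r}")
    # Keys in the organization's namespace that the schema does not define
    # (case-sensitive comparison, so "...:costcenter" is caught as drift).
    for key in tags:
        if key.startswith(PREFIX) and key not in SCHEMA:
            findings.append(f"tag key not in schema: {key}")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample: S3 bucket tagged with a lower-case key variant.
    print(check_tags("S3", {ENV_KEY: "Prod",
                            "example-inc:cost-allocation:costcenter": "123-1"}))
```

Tag keys and values are case sensitive, which is why the lower-case `costcenter` key is reported both as an unknown key and as a missing mandatory tag.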