Remediate Untagged Resources - Tagging Best Practices

Remediate Untagged Resources

Automation and proactive tag management are important, but are not always effective. Many customers also employ reactive tag governance approaches to identify resources that are not properly tagged and correct them. Reactive tag governance approaches include (1) programmatically using tools such as the Resource Tagging API, AWS Config rules, and custom scripts; or (2) manually using Tag Editor and detailed billing reports.

Tag Editor is a feature of the AWS Management Console that allows you to search for resources using a variety of search criteria and add, modify, or delete tags in bulk. Search criteria can include resources with or without the presence of a particular tag or value. The AWS Resource Tagging API allows you to perform these same functions programmatically.

AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against optimal configurations. With AWS Config, you can create rules to check resources for required tags and it will continuously monitor your resources against those rules. Any non-compliant resources are identified on the AWS Config Dashboard and via notifications. In the case where resources are initially tagged properly but their tags are subsequently changed or deleted, AWS Config will find them for you.

You can use AWS Config with CloudWatch Events to trigger automated responses to missing or incorrect tags. An extreme example would be to automatically stop or quarantine non-compliant EC2 instances.

The most suitable governance approach for an organization primarily depends on its AWS maturity model, but even experienced organizations use a combination of proactive and reactive governance techniques.