
Object tagging – CloudSavvy IT




Tags are fairly simple – each one stores a single key-value pair and serves as metadata on an AWS resource to help you stay organized. We show you how to use them and how to set up effective tag policies for your organization.

What is tagging used for?

In a shared account with many AWS resources, it can be difficult to sort through everything. You can physically separate environments by creating new AWS accounts and linking them under the same billing with AWS Organizations, but it's mostly for dev, test, engineering, and prod environments and as such is limited to four accounts.

Tags present a quick and easy solution to most of these organizational problems. For example, say your organization handles projects for many clients, all under the same AWS account. You may run a couple of EC2 servers per project, some S3 buckets, etc. You can create a “project” tag and assign it to all of these resources based on the project name. Instead of your EC2 Management Console being full of many instances, you can filter quite easily based on the project label:


Although project-based separation is the simplest problem to solve, there are many different tagging strategies you can use. You can use them to differentiate between dev, test, and engineering resources (although you should probably use AWS Organizations to physically separate prod, for security reasons), filter by version, or select resources that require specific levels of compliance or confidentiality.

It really is up to you what you use them for. Once you have a clear tagging policy in mind, you can put it in place with the AWS Organizations console. Resources that do not comply with the tag policy are flagged by the Tag Editor and can be easily fixed.

How to set and search for tags

In the future, you should set tags when creating resources (setting a tagging policy helps with that), but retroactively tagging resources is fairly simple. In the AWS Management Console, select “Resource Groups” in the top menu bar and open “Tag Editor.”


You can search for resources by region and type, or leave those fields blank for a list of everything. You can also search for existing tags.


When you select something to tag, you can click “Manage tags of selected resources” to edit their tags.


Click “Add Tag” to create a new tag and apply it to the selected resources. Select “Review and Apply Changes” and the new tags should be set.

You can also search for tags from the AWS CLI with get-resources:

aws resourcegroupstaggingapi get-resources \
    --tag-filters Key=Environment,Values=Production \
    --tags-per-page 100

Most services also allow you to modify resource tags from the CLI using add-tags-to-resource and the resource's ARN:

aws rds add-tags-to-resource \
    --resource-name arn:aws:rds:us-east-1:123456789012:db:database-mysql \
    --tags '[{"Key": "Name","Value": "MyDatabase"},{"Key": "Environment","Value": "test"}]'

Implement a tag policy

To avoid having to manually tag resources to stay organized, you can set an account-wide tagging policy that will apply to all new resources created in your account. This will not prevent users from creating resources without proper tags, so you still need to train your employees in your tagging policy, but it will let you see which resources do not meet the requirements and resolve the issue quickly.

To do so, you must enable the feature from the AWS Organizations console. Click “Root” under “Organize Accounts” and enable “Tag Policies” in the sidebar. You can actually set different tagging policies for different accounts if you separate your dev and prod environments.


Under the “Policies” tab, you should now be able to click on “Tag Policies” and create a new policy.


Give it a name and description and enter the tag key you want to enforce. It is probably best to check the option to use the capitalization you specified for the tag key, to prevent errors. You can also set a list of allowed values for the tag.


The last option, “Prevent noncompliant operations for this tag,” does not prevent the creation of new resources without the tag, but does prevent updates that do not match the tag policy.

Click “Create.” You must attach the policy before it takes effect. Click on your root account (or whatever you want to use it on), select “Tag Policies” in the sidebar and attach the newly created policy.


You must also give the Tag Policies console access to your organization's policies. Click “Settings” and scroll down to find “Tag Policies,” then enable it.


You should now be able to see resources that do not meet the requirements in the Tag Editor, under Tag Policies > This AWS Account.


Unfortunately, there is no easy way to update the tags from this screen – you need to search for them on the Tag Editor tab, or click on the resources and manually update the tags from the resource management console.
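The same kind of compliance check can be run locally over get-resources output, which helps when deciding what to fix in the Tag Editor. This Python example is added here and is not from the original article; the policy, the tag values and all ARNs except the article's RDS one are constructed samples, and reporting a missing tag as a finding is this script's own choice.

```python
import json

# Constructed tag policy in AWS Organizations tag policy syntax (sample values).
TAG_POLICY = json.loads("""
{"tags": {"project": {
    "tag_key":   {"@@assign": "Project"},
    "tag_value": {"@@assign": ["alpha", "beta"]}
}}}
""")

# Constructed sample shaped like `aws resourcegroupstaggingapi get-resources` output.
GET_RESOURCES_OUTPUT = json.loads("""
{"ResourceTagMappingList": [
  {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaa",
   "Tags": [{"Key": "Project", "Value": "alpha"}]},
  {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0bbb",
   "Tags": [{"Key": "project", "Value": "alpha"}]},
  {"ResourceARN": "arn:aws:s3:::example-bucket",
   "Tags": [{"Key": "Project", "Value": "gamma"}]},
  {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:database-mysql",
   "Tags": [{"Key": "Name", "Value": "MyDatabase"}]}
]}
""")


def audit(policy, resources):
    """Return {arn: [findings]} for resources that break the policy."""
    report = {}
    for item in resources["ResourceTagMappingList"]:
        tags = {t["Key"]: t["Value"] for t in item.get("Tags", [])}
        findings = []
        for rule in policy["tags"].values():
            key = rule["tag_key"]["@@assign"]
            allowed = rule.get("tag_value", {}).get("@@assign")
            # AWS tag keys are case-sensitive, so look for case variants of the key.
            variants = [k for k in tags if k.lower() == key.lower()]
            if not variants:
                findings.append(f"missing tag {key}")  # this script's own choice
                continue
            for k in variants:
                if k != key:
                    findings.append(f"key {k!r} should be capitalized {key!r}")
                if allowed is not None and tags[k] not in allowed:
                    findings.append(f"value {tags[k]!r} not allowed for {key}")
        if findings:
            report[item["ResourceARN"]] = findings
    return report
```

Replace GET_RESOURCES_OUTPUT with the JSON printed by the get-resources command shown earlier to audit a real account; allowed values are matched exactly here, without wildcard support.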

