Webinar: AWS Resource tagging for spend, asset management and security


Transcript of Webinar: AWS Resource tagging for spend, asset management and security

AWS Resource Tagging for spend, asset management, and security

Aaron C. Newman

Founder, CloudCheckr

[email protected]

Why Tag? What is Tagging About?

• Labelling/classifying resources

  • So that you can keep track of them

  • Allows you to report on what's being used and who's doing what

• When you have 1 application, 1 DevOps engineer, 1 customer

  • Tagging isn't as critical

• As you add 50+ instances, tagging starts to really help

• As you reach 1,000s of instances, not tagging is disastrous

What does a Resource Tag look like?

• Resource Tags consist of Key-Value Pairs

  • Eg. CostCenter=proj1

  • Eg. Department=Finance

• Tag Key – a discrete way to classify a resource

  • Eg. CostCenter, Department

• Tag Value – the specific item or group you want to classify

  • Eg. Proj1, Finance

• A resource (EC2 instance, EBS Volume) is "labelled" with a resource tag

  • Resources can then be filtered by a resource tag

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

What is a Tagging Strategy?

• How do you want to view/report on assets/resources?

• What types of items should you consider tagging?

  • Application, Cost center, Charge codes,

  • Owner, Department, Expiration Date

• Challenges with tagging

  • Tags are case-sensitive and free-form text (Prod, prod and PROD are three different values)

  • Not all resources can be tagged

  • Hard to enforce tagging

  • Resources are tagged at the account level (each account must tag its own resources)

Creating Tagging Rules

• Define the rules for tagging resources

  Example: All EC2 instances must be tagged with Department

  Example: The Department tag must be a valid department

  Example: All resources must be tagged with an Environment of Prod, QA, Staging, or Development

• Enforce the tagging rules

  • Police untagged resources

  • Cross-reference each untagged resource to the IAM user who created it

  • Use CloudTrail to do the cross-referencing (the RunInstances event records the caller and the instance ids it created)
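The three example rules above and the CloudTrail cross-reference, as an added worked example (this is not code from the webinar or from CloudCheckr). It checks instance records against the rules and, for every violation, reports who launched the instance. The instance and CloudTrail records are constructed samples shaped like EC2 DescribeInstances and CloudTrail RunInstances output, trimmed to the fields the script reads; the department names and user names are made up.

```python
"""Added example, not code from the webinar or from CloudCheckr: check EC2
instance records against tagging rules and, for each violation, find the IAM
identity that launched the instance from CloudTrail RunInstances events.
In production the records would come from ec2 DescribeInstances and
cloudtrail LookupEvents; the records below are constructed samples."""
from collections import namedtuple

# Tagging rules as the slide states them. None means "required, any value".
# EC2 tag keys and values are case-sensitive, so "department" does not
# satisfy a rule for "Department" and "prod" is not a valid "Prod".
RULES = {
    "Department": {"Finance", "Engineering", "Marketing"},
    "Environment": {"Prod", "QA", "Staging", "Development"},
    "Owner": None,
}

# Constructed sample instances (shape of the "Instances" entries of DescribeInstances).
INSTANCES = [
    {"InstanceId": "i-0a1", "Tags": [{"Key": "Department", "Value": "Finance"},
                                     {"Key": "Environment", "Value": "Prod"},
                                     {"Key": "Owner", "Value": "alice"}]},
    {"InstanceId": "i-0b2", "Tags": [{"Key": "department", "Value": "Finance"},   # wrong key case
                                     {"Key": "Environment", "Value": "prod"}]},   # wrong value case
    {"InstanceId": "i-0c3", "Tags": [{"Key": "Department", "Value": "Sales"}]},   # not a valid department
    {"InstanceId": "i-0d4"},                                                        # no tags at all
]

# Constructed sample CloudTrail events, trimmed to the fields this script reads.
CLOUDTRAIL_EVENTS = [
    {"eventName": "RunInstances", "eventTime": "2014-08-01T10:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1"}]}}},
    {"eventName": "RunInstances", "eventTime": "2014-08-02T11:30:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0b2"},
                                                     {"instanceId": "i-0c3"}]}}},
    {"eventName": "RunInstances", "eventTime": "2014-08-03T09:15:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/jenkins"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0d4"}]}}},
    {"eventName": "StopInstances", "eventTime": "2014-08-03T12:00:00Z",   # not a launch: ignored
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": None},
]

Launch = namedtuple("Launch", "who when")


def tags_of(instance):
    """Flatten the EC2 tag list into a plain dict (a missing Tags key means no tags)."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def check_instance(instance, rules=RULES):
    """Return the list of rule violations for one instance (empty list == compliant)."""
    tags = tags_of(instance)
    problems = []
    for key, allowed in rules.items():
        if key not in tags:
            problems.append(f"missing tag {key!r}")
        elif allowed is not None and tags[key] not in allowed:
            problems.append(f"{key}={tags[key]!r} is not one of {sorted(allowed)}")
    return problems


def launcher_index(events):
    """Map instance id -> Launch(who, when) from CloudTrail RunInstances events.
    IAM users are reported by userName; roles by the assumed-role ARN."""
    index = {}
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        ident = ev["userIdentity"]
        who = ident.get("userName") or ident.get("arn", "unknown")
        for item in ev["responseElements"]["instancesSet"]["items"]:
            index[item["instanceId"]] = Launch(who, ev["eventTime"])
    return index


def audit(instances=INSTANCES, events=CLOUDTRAIL_EVENTS, rules=RULES):
    """Return {instance_id: (problems, Launch)} for every non-compliant instance."""
    launched = launcher_index(events)
    report = {}
    for inst in instances:
        problems = check_instance(inst, rules)
        if problems:
            report[inst["InstanceId"]] = (problems, launched.get(inst["InstanceId"], Launch("unknown", None)))
    return report


if __name__ == "__main__":
    for iid, (problems, launch) in audit().items():
        print(f"{iid}: launched by {launch.who} at {launch.when}; " + "; ".join(problems))
```

Only i-0a1 passes. i-0b2 fails three ways even though it looks tagged at a glance: the key is `department` rather than `Department`, the value is `prod` rather than `Prod`, and there is no Owner. The report ties i-0b2 and i-0c3 back to bob and i-0d4 to the Deploy role, which is the person or pipeline you go to when policing the tagging rules.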

Using Resource Tags

• Two places they can be used

  • Through the AWS Management Console

    • Mainly for asset management

  • Through the Detailed Billing Report

    • Mainly for cost allocation

New AWS Management Console features

• New feature: Resource Groups

  • https://resources.console.aws.amazon.com/r/group

• New feature: Tag Editor

  • https://resources.console.aws.amazon.com/r/tags

DEMO

Build a Strategy for Cost Allocation

• Tag your resources so you can allocate costs

  • Tie costs to applications and resource owners

  • Provides visibility into what you are spending

• Identify and classify costs

  • So that you can reduce them

• Locate and eliminate untagged resources

You can’t optimize what you can’t measure

Tagging in the Detailed Billing Report

• What's tagged in an account flows into the DBR

  • Need to configure which Tag Keys flow into the DBR from the master payer account

  • Need to tag the resources in the payee (linked) account

  • Coordinating both can be complex if different people manage the two accounts

• Configuring Tag Keys for the DBR

  • Can designate up to 10 Tag Keys to flow through

  • This applies to all payees across the consolidated bill

  • An unlimited number of Tag Values can flow through

    • For example, Stack=Test or Stack=Production, Application=SW1 or Application=SW2

  • Each Tag Key you designate becomes a column header in the DBR, named user:TagKey
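Cost allocation from the DBR, as an added worked example (not code from the webinar or from CloudCheckr), serving both this slide and the "Build a Strategy for Cost Allocation" slide above. It reads a constructed report with only a handful of the real report's columns (a real DBR with resources and tags has many more, and one row per usage record), sums cost per tag value, lists the untagged line items, and reports how much of the spend is actually allocatable. The account ids, resource ids and amounts are made up.

```python
"""Added example, not code from the webinar or from CloudCheckr: allocate cost
by tag from a Detailed Billing Report with resources and tags. SAMPLE_DBR is a
constructed CSV with only a handful of the real report's columns; the tag
columns are named user:<TagKey>, one per designated key, and an empty cell
means the line item's resource did not carry that tag."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample (real reports have many more columns and far more rows).
SAMPLE_DBR = """\
LinkedAccountId,ProductName,UsageType,ResourceId,UnBlendedCost,user:Department,user:Environment
111111111111,Amazon Elastic Compute Cloud,BoxUsage:m3.large,i-0a1,12.50,Finance,Prod
111111111111,Amazon Elastic Compute Cloud,BoxUsage:m3.large,i-0b2,12.50,,prod
222222222222,Amazon Elastic Compute Cloud,EBS:VolumeUsage,vol-9f1,3.25,Engineering,QA
222222222222,Amazon Simple Storage Service,TimedStorage-ByteHrs,bucket-logs,0.80,,
111111111111,Amazon Elastic Compute Cloud,BoxUsage:m3.large,i-0c3,7.00,Finance,
"""

UNTAGGED = "(untagged)"


def load_dbr(text=SAMPLE_DBR):
    """Parse the report; money is kept as Decimal so cents add up exactly."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["UnBlendedCost"] = Decimal(row["UnBlendedCost"])
    return rows


def allocate(rows, tag_key):
    """Sum cost per value of user:<tag_key>. Values are compared as-is, so
    'Prod' and 'prod' land in different buckets: the case-sensitivity
    problem the slides warn about, made visible in dollars."""
    col = f"user:{tag_key}"
    totals = defaultdict(Decimal)
    for row in rows:
        totals[row.get(col, "").strip() or UNTAGGED] += row["UnBlendedCost"]
    return dict(totals)


def untagged_resources(rows, tag_key):
    """Line items with no value for the tag: (linked account, resource id, cost),
    most expensive first so the costly gaps are at the top of the list."""
    col = f"user:{tag_key}"
    hits = [(r["LinkedAccountId"], r["ResourceId"], r["UnBlendedCost"])
            for r in rows if not r.get(col, "").strip()]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


def tagged_share(rows, tag_key):
    """Percentage of spend that can be allocated by this tag (Decimal)."""
    totals = allocate(rows, tag_key)
    total = sum(totals.values(), Decimal(0))
    if total == 0:
        return Decimal(0)
    return (total - totals.get(UNTAGGED, Decimal(0))) * 100 / total


if __name__ == "__main__":
    rows = load_dbr()
    for key in ("Department", "Environment"):
        print(f"== {key}: {tagged_share(rows, key):.1f}% of spend is tagged")
        for value, cost in sorted(allocate(rows, key).items(), key=lambda kv: -kv[1]):
            print(f"  {value:<14} {cost:>8.2f}")
        for acct, rid, cost in untagged_resources(rows, key):
            print(f"  untagged: account {acct} resource {rid} {cost:.2f}")
```

For Department the untagged bucket is 13.30 of 36.05, so only about 63% of the spend can be allocated; the two untagged line items come back with their linked account, which is who you chase to fix the tags. For Environment the same report shows `Prod` and `prod` as two separate buckets of 12.50 each, which is what free-form, case-sensitive tag values do to a cost report.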

Resource Tagging in IAM Policies

• In July 2013 Amazon released support for resource-level permissions for EC2/RDS

• Allows people to define IAM policies with "conditions" such as:

  "Condition": { "StringEquals": { "ec2:ResourceTag/YourTagKey": "true" } }

• Does not support "ec2:ResourceValue/tag-value"

• Need to do tricks like ${aws:username} or use the Tag Key as the identifier

• Caveat: a condition on ec2:ResourceTag only holds while the tag cannot be changed by the people it restricts. If the same users can also call ec2:CreateTags or ec2:DeleteTags on those instances, they can re-tag an instance to satisfy the condition, so tag-writing permissions have to be locked down as well

http://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/Resource-level-Permissions-for-EC2-Controlling-Management-Access-on-Specific-Ins

https://aws.amazon.com/blogs/aws/resource-permissions-for-ec2-and-rds-resources/

Example IAM Policies

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/owner": "${aws:username}"
        }
      },
      "Resource": [
        "arn:aws:ec2:your_region:your_account_ID:instance/*"
      ],
      "Effect": "Allow"
    }
  ]
}
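How the owner-tag policy above behaves, as an added example (not code from the webinar or from AWS): a toy evaluator for this one policy shape, written to show what the JSON alone does not. ${aws:username} is substituted with the calling user's name when the request is evaluated, StringEquals is an exact, case-sensitive match, an untagged instance is manageable by nobody, and the whole scheme collapses if the same user can also call ec2:CreateTags on the instance. The policy is the one from the slide (with the placeholder region and account id left as-is); the instances, tags and user names are constructed. This models one policy, not the IAM evaluation engine.

```python
"""Added example, not code from the webinar or from AWS: a toy evaluator for
the owner-tag policy on the slide. It models policy-variable substitution,
StringEquals matching and the default deny for this single policy shape;
it is not IAM. Instances, tags and user names are constructed."""
import copy
import json

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:StartInstances", "ec2:StopInstances",
                 "ec2:RebootInstances", "ec2:TerminateInstances"],
      "Condition": {"StringEquals": {"ec2:ResourceTag/owner": "${aws:username}"}},
      "Resource": ["arn:aws:ec2:your_region:your_account_ID:instance/*"],
      "Effect": "Allow"
    }
  ]
}
""")

# Constructed instances with their current tags (instance id -> {tag key: value}).
INSTANCES = {
    "i-0a1": {"owner": "alice"},
    "i-0b2": {"owner": "bob"},
    "i-0c3": {"owner": "Alice"},   # different case from the user name "alice"
    "i-0d4": {},                   # untagged: nobody can manage it under this policy
}

TAG_KEY = "ec2:ResourceTag/"


def substitute(value, ctx):
    """Resolve policy variables such as ${aws:username} from the request context."""
    for name, val in ctx.items():
        value = value.replace("${" + name + "}", val)
    return value


def resource_matches(patterns, instance_id):
    """Only the ':instance/*' and ':instance/<id>' ARN forms are modelled."""
    return any(p.endswith(":instance/*") or p.endswith(":instance/" + instance_id) for p in patterns)


def is_allowed(policy, action, instance_id, username, instances=INSTANCES):
    """Default deny; allow if some Allow statement matches action, resource and every condition."""
    ctx = {"aws:username": username}
    tags = instances.get(instance_id, {})
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not resource_matches(stmt["Resource"], instance_id):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # StringEquals is an exact, case-sensitive comparison of the tag value
        # against the substituted policy value; a missing tag never matches.
        if all(tags.get(key[len(TAG_KEY):]) == substitute(expected, ctx)
               for key, expected in conditions.items() if key.startswith(TAG_KEY)):
            return True
    return False


def takeover_demo(policy=POLICY, instances=INSTANCES):
    """What happens if bob is also allowed ec2:CreateTags on alice's instance:
    returns (allowed before re-tagging, allowed after re-tagging)."""
    state = copy.deepcopy(instances)
    before = is_allowed(policy, "ec2:TerminateInstances", "i-0a1", "bob", state)
    state["i-0a1"]["owner"] = "bob"   # models an unrestricted ec2:CreateTags call by bob
    after = is_allowed(policy, "ec2:TerminateInstances", "i-0a1", "bob", state)
    return before, after


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for iid in INSTANCES:
            print(user, "ec2:StopInstances", iid, is_allowed(POLICY, "ec2:StopInstances", iid, user))
    print("bob can terminate i-0a1 before/after re-tagging it:", takeover_demo())
```

alice can stop i-0a1 and nothing else: i-0c3 is tagged `Alice`, which StringEquals does not equate with `alice`, and i-0d4 has no owner tag at all. takeover_demo() returns (False, True): bob is denied on alice's instance right up until he re-tags it, which is why the tag-writing actions need their own restriction whenever a tag is used as an access-control attribute.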

• Amazon Management Console

  • Configuring Detailed Billing Reports

• CloudCheckr

  • Allocating costs

  • Monitoring your tagging strategy

DEMO

Questions?

Questions on:

• Resource Tagging

• CloudCheckr

Thank You for Attending

Sign up today for a free evaluation at http://cloudcheckr.com

Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)

Please contact me with additional questions at: [email protected]