Recommended AWS Resource Tagging Strategy
This document provides a comprehensive tagging framework for AWS EC2 and other AWS resources, including S3, RDS, Lambda, and networking components. Tagging improves visibility, cost allocation, governance, and automation across environments.
Core Identification Tags
| Tag Key | Example Value | Purpose |
| --- | --- | --- |
| Name | web-server-prod-01 | Human-readable identifier for quick recognition. |
| Environment | dev / test / prod | Segregate resources by environment. |
| Application | payment-api / crm-portal | Group resources by application or service. |
| Project | migration-wave1 / finops-dashboard | Track resources by project or initiative. |
| BusinessUnit | finance / marketing / engineering | Link usage to department or cost center. |
| Owner | anuj.varma@company.com | Assign accountability for resource ownership. |
Cost Allocation & FinOps Tags
| Tag Key | Example Value | Purpose |
| --- | --- | --- |
| CostCenter | CC1234 | Enable billing reports and cost allocation. |
| BillingCode | APP567 | Alternative identifier for budget association. |
| CreatedBy | terraform / cloudformation / manual | Identify resource provisioning source. |
| Purpose | frontend / backend / analytics | Categorize resources by business purpose. |
| Lifecycle | temporary / long-term / archive | Define expected resource duration. |
Security & Compliance Tags
| Tag Key | Example Value | Purpose |
| --- | --- | --- |
| DataClassification | confidential / pii / public | Specify sensitivity for data handling. |
| Compliance | CIS / HIPAA / SOC2 / ISO27001 | Associate resource with compliance framework. |
| BackupPolicy | daily / weekly / none | Define backup strategy for automation. |
| PatchGroup | linux-prod / windows-dev | Group instances for patching baselines. |
| Retention | 30d / 90d / indefinite | Specify retention period for logs or backups. |
Operations & Automation Tags
| Tag Key | Example Value | Purpose |
| --- | --- | --- |
| Schedule | office-hours / 24×7 | Used by schedulers to manage uptime. |
| AutoStop | true | Flag for auto-stop of idle resources. |
| MaintenanceWindow | Sun-02:00-UTC | Define maintenance or patch time. |
| SupportTier | gold / silver / bronze | Define SLA expectations. |
| Monitoring | datadog / cloudwatch / prometheus | Identify monitoring tool integration. |
Cloud Migration & Governance Tags
| Tag Key | Example Value | Purpose |
| --- | --- | --- |
| Map.Migrated | true | Identify AWS MAP migrated resources. |
| Map.Stage | wave1 / cutover | Track migration stage or wave. |
| SourceSystem | onprem-vsphere / azure / legacy | Identify source platform for migrations. |
| LandingZone | shared-vpc / prod-security | Specify target AWS landing zone or VPC group. |
Networking & Infrastructure Tags
| Tag Key | Example Value | Purpose |
| --- | --- | --- |
| VPC | shared-vpc-prod | Identify VPC association. |
| SubnetType | public / private / isolated | Classify subnet purpose. |
| SecurityZone | dmz / core / restricted | Tag for segmentation and policy enforcement. |
Example Tagging Policy (JSON)
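You can enforce tagging consistency via AWS Organizations Tag Policies or AWS Config rules. The baseline below is a simplified schema for illustration: an actual Organizations tag policy wraps each field in operators such as @@assign and accepts only * wildcards in tag values, so the regex patterns shown here need a custom AWS Config rule or a similar validator. Example baseline policy: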
```json
{
  "tags": {
    "Environment": { "tag_key": "Environment", "tag_value": ["dev", "test", "prod"] },
    "Owner": { "tag_key": "Owner", "tag_value": "^[^@]+@company\\.com$" },
    "CostCenter": { "tag_key": "CostCenter", "tag_value": "^[A-Z]{2}[0-9]{4}$" }
  }
}
```
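An offline audit against the baseline policy above, added here as an example and not code from the original page. It assumes a list means an allow-list and a string means a regex, uses an anchored Owner pattern, and the names check_tags, audit and SAMPLE are hypothetical.

```python
import json
import re

# Page's baseline policy; the Owner pattern is anchored with its dot escaped.
# Assumption of this example: a list is an allow-list, a string is a regex.
POLICY = json.loads(r"""
{"tags": {
  "Environment": {"tag_key": "Environment", "tag_value": ["dev", "test", "prod"]},
  "Owner": {"tag_key": "Owner", "tag_value": "^[^@]+@company\\.com$"},
  "CostCenter": {"tag_key": "CostCenter", "tag_value": "^[A-Z]{2}[0-9]{4}$"}
}}
""")

def check_tags(tags, policy=POLICY):
    """Return a sorted list of (tag_key, problem) tuples for one resource's tags."""
    findings = []
    # AWS tag keys are case-sensitive, so "environment" does not satisfy
    # "Environment"; index lower-cased keys to report near misses explicitly.
    lowered = {k.lower(): k for k in tags}
    for rule in policy["tags"].values():
        key, allowed = rule["tag_key"], rule["tag_value"]
        if key not in tags:
            near = lowered.get(key.lower())
            findings.append((key, f"wrong case: {near}" if near else "missing"))
            continue
        value = tags[key]
        if isinstance(allowed, list):
            ok = value in allowed
        else:
            # fullmatch so a pattern without ^...$ cannot pass on a substring.
            ok = re.fullmatch(allowed, value) is not None
        if not ok:
            findings.append((key, f"invalid value: {value!r}"))
    return sorted(findings)

# Constructed sample inventory (resource id -> tags), not real resources.
SAMPLE = {
    "i-compliant": {"Environment": "prod", "Owner": "anuj.varma@company.com",
                    "CostCenter": "CC1234"},
    "i-drifted": {"environment": "prod", "Owner": "ops@company.com.example.org",
                  "CostCenter": "cc1234"},
    "i-untagged": {"Name": "web-server-prod-01"},
}

def audit(inventory):
    """Map each non-compliant resource id to its findings."""
    report = {rid: check_tags(tags) for rid, tags in inventory.items()}
    return {rid: found for rid, found in report.items() if found}
```

In a real account the inventory dictionary would be filled from a tag listing rather than SAMPLE; the checker itself does not change.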