AWS Cloud Financial Management

How to create and enforce your tagging strategy for more granular cost visibility

Customers are always looking for ways to better understand their AWS spend. Most want to know how much specific teams are spending, the cost of running certain applications, and savings opportunities across various organizational initiatives. The ability to provide resource level cost transparency is a key benefit of moving to the AWS cloud. The key to achieving this granular visibility is the implementation and enforcement of a comprehensive organizational tagging strategy.

Tools to implement a cost allocation strategy

In this post, we’ll show you what tools you can use, and how you can use them to define, implement, and enforce a tagging strategy that improves your organization’s cost awareness. The first tool is AWS Cost Explorer, which provides analysis and management of your AWS costs and usage with compelling visualizations that can also drive deeper insights into organizational spend. With Cost Explorer, you can get cost data for the past 12 months that is refreshed on a daily basis. You can filter the data by a number of parameters, including date range, account, service, region and more.

To add granularity to your cost usage data, customers can apply “tags” to their resources. Tags are key-value pairs that allow you to add metadata to your AWS resources and summarize cost usage data by tag values. As key-value pairs, tags provide flexibility to create names (keys) that fit your organization, and use values that mean something to your business. For example, you may use “CostCenter” in your organization to track costs. In AWS, you can assign a tag to a resource with a key of CostCenter, and assign it a value representing the CostCenter to which that resource should be charged (e.g. CostCenter=12345).

We will also review two features of AWS Organizations: tag policies and service control policies. These policies don’t work retroactively, so to identify untagged resources created in the past, we’ll use AWS Tag Editor. Finally, AWS Config will support ongoing compliance with the strategy.

Creating a tagging taxonomy

With tags providing the additional level of granularity, it is important to establish a tagging strategy at an organizational level along with a method to enforce it. As a best practice, an organization can start by defining a tag taxonomy, which lays out the recommended tags for all business units. Tags can be associated with resources for a variety of purposes. Technical tags provide identifying information. Automation tags help with scheduling start/stop times, or if a resource should be automatically backed up. Business tags add ownership and business context, while security tags help us define any data security concerns. Examples of these are outlined below.

Figure 1. Example tag categories and types

When implementing a tagging strategy that will apply across all business units, ensuring the strategy is properly documented is vital. We’ve included an example tag taxonomy document detailing the organization’s required tags below.

Figure 2. Tag taxonomy of required example tags

Tagging strategy approaches

Organizations typically follow one of two distinct paths when implementing a tagging strategy. Either they implement all policies from the top down, or they allow child organizations to define tags for themselves. Both have their pros and cons. The top-down approach can be more time consuming to define and set up, but can lead to improved cost visibility across the organization. Meanwhile, giving child organizations the flexibility to determine tagging requirements for themselves can improve their agility, but can lead to a lack of cohesiveness when trying to analyze the entire organization’s AWS spend.

A mix of these two strategies will likely be the most successful approach. For example, at the highest level of an organization, you can enforce a business tagging strategy that all teams and organizational units follow as seen in the image below. Individual units can then have the autonomy and flexibility to implement additional business-specific tags.

You can enforce additional granularity to tags within your tag taxonomy document by defining acceptable key values. For example, in our CostCenter tag example, we added a “Two Digit Division”, which represents a business unit or division. We also added a “Four Digit code” representing a project, application, team, or other grouping to track costs. This way, each business unit is clear on what the proper tagging convention is to properly identify the resource. Once you’ve clearly defined and documented your tagging strategy, you can move to enforcement.

Figure 3. Tag documentation for cost center example tag

Enforcing your tagging policy

Once your tagging strategy has been socialized throughout your organization, you can begin the implementation of required tags within your AWS Organization. The goal is to enforce your new, standardized tagging policy during AWS resource creation. For today’s example, we will deny the creation of Amazon EC2 instances if a specific tag is present without its required predefined value. In this case, we’ll use the custom CostCenter tag.

1. The first thing we will need to do is navigate to the AWS Organizations console in the management account, and select “Policies”. Then click “Tag policies”.

Figure 4. AWS Organizations policies page, specifically tag policies

2. Next, we’ll create a tag policy for the CostCenter tag, with the values defined from our example above. We will enforce this policy on Amazon EC2 instances, disallowing resources to be created with a CostCenter tag unless it has the values specified by the organization.

  • Name the tag policy at the top of the screen. You have the option of adding a policy description. In the center of this screen, you can add tags to the policy itself to help you track who created the policy (note these are tagging the policy itself, not resources to which the policy applies). Below the “Tags” section, within the “Visual editor” tab, you can define your tag key. In this example, we’ll call it “CostCenter”.
  • Underneath the CostCenter tag key, we will also tick the box that ensures capitalization. This makes the tag case-sensitive, so it has to be typed exactly as specified in the tag key field.
  • In the “Tag value compliance” section, check the box to specify allowed values for the CostCenter tag key. Then add the list of CostCenter values as defined in our example above.
  • Finally, in the “Resource types to enforce” section, click “Prevent noncompliant operations for this tag”. Click the button to “Edit resource types”, then select the checkbox for “EC2 (ec2.*)”. This prevents an Amazon EC2 instance from being launched when the request contains the CostCenter tag with a value that is not valid per the tag policy.

Figure 5. Tag policy configuration page

3. To ensure organization-wide enforcement of this newly created policy, you must attach it to your organizational units. To do this, navigate back to your Tag policies page and select the “CostCenterTagPolicy” you just created. Then, select “Actions”, and click “Attach policy”.

Figure 6. Existing tag policies page, attaching a policy

4. On the next screen, you can select and confirm that the new tag policy is attached to specific organizational units.

Figure 7. Attaching the tag policy to organizational units

5. Now, let’s navigate to the Amazon EC2 console and try to launch a new Amazon EC2 instance without providing the appropriate CostCenter tag value.

Figure 8. Testing our tagging policy in the EC2 Console

6. If you try to launch this instance without the required tag policy value, you’ll receive an error.

Figure 9. Failed EC2 launch attempt due to unallowed CostCenter tag value

The tag policy has been implemented, preventing our organization from launching resources that don’t follow the value parameters we set for the CostCenter tag within our tag policy. However, this does not prevent resources from being launched without the presence of the CostCenter tag key at all. For that, we can turn to Service Control Policies, or SCPs.

Increasing tag enforcement

For a stricter policy around tagging enforcement, such as not allowing users to launch resources without the inclusion of a specific tag, you can use Service Control Policies (SCPs). SCPs give you central control over the maximum available permissions for all accounts in your organization. With SCPs, you can deny certain actions if a specific tag is not included, such as the CostCenter Tag.

An example of this type of SCP can be seen below. Once created, it can be attached to specific organizational units in the same way we attached the tag policy we created earlier. To define SCPs, navigate to the AWS Organizations page in the management account, click on “Policies”, then on “Service control policies”.

Figure 10. Sample Service Control Policy (SCP) to require CostCenter tag

NOTE: Use of SCPs is completely optional and adds a level of governance around tag compliance, among other things. Using SCPs should not be taken lightly. Implementation can affect existing resources. For example, an auto-scaling plan for resources that have not been configured with the now required CostCenter key might be prevented from scaling activities. Be sure to consider this when implementing SCPs in organizations with existing resources.
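The two policy documents configured through the console above (the tag policy from step 2 and the SCP from Figure 10) can also be written as JSON. The block below is an added example, not code from the post or from AWS: it builds both documents and pairs them with a small local simulator that shows the gap the post points out, namely that a tag policy only acts on a CostCenter tag that is present, while the SCP is what blocks a launch with no CostCenter key at all. The allowed CostCenter values are constructed placeholders; the real list comes from your tag taxonomy document. The simulator is an approximation of the decision logic for illustration, not a reimplementation of the AWS policy engine.

```python
"""Tag policy + SCP for the CostCenter tag, with a local decision simulator.

Added example (not from the AWS post). Policy syntax follows the documented
AWS Organizations tag-policy and SCP formats; allowed values are constructed.
"""
import json

# Constructed placeholder values; substitute the values from your taxonomy.
ALLOWED_COST_CENTERS = ["101234", "105678", "207777"]


def build_tag_policy(allowed_values):
    """Tag policy: fix the key's capitalization, restrict its values, and
    prevent noncompliant operations on EC2 resources (enforced_for ec2:*)."""
    return {
        "tags": {
            "CostCenter": {
                "tag_key": {"@@assign": "CostCenter"},
                "tag_value": {"@@assign": list(allowed_values)},
                "enforced_for": {"@@assign": ["ec2:*"]},
            }
        }
    }


def build_require_tag_scp():
    """SCP: deny ec2:RunInstances when the request carries no CostCenter tag.
    The Null condition is true when the aws:RequestTag/CostCenter key is absent."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRunInstancesWithoutCostCenter",
                "Effect": "Deny",
                "Action": ["ec2:RunInstances"],
                "Resource": ["arn:aws:ec2:*:*:instance/*"],
                "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
            }
        ],
    }


def evaluate_launch(request_tags, tag_policy, scp=None):
    """Approximate how the two controls treat an EC2 launch request.

    request_tags: dict of tag key -> value supplied with RunInstances.
    Returns (allowed: bool, reason: str).
    """
    rule = tag_policy["tags"]["CostCenter"]
    key = rule["tag_key"]["@@assign"]
    allowed_values = set(rule["tag_value"]["@@assign"])

    # Tag policy (enforced for ec2:*): only reacts to a key that is present.
    for req_key, value in request_tags.items():
        if req_key.lower() != key.lower():
            continue
        if req_key != key:
            # Capitalization enforced: 'costcenter' is a noncompliant key.
            return False, f"tag policy: key {req_key!r} must be spelled {key!r}"
        if value not in allowed_values:
            return False, f"tag policy: {key}={value!r} is not an allowed value"

    # SCP: denies when the CostCenter key is missing entirely.
    if scp is not None and key not in request_tags:
        return False, f"scp: {key} tag is required on ec2:RunInstances"

    return True, "allowed"


def policy_documents():
    """Return both documents as the JSON you would paste into the console."""
    return (
        json.dumps(build_tag_policy(ALLOWED_COST_CENTERS), indent=2),
        json.dumps(build_require_tag_scp(), indent=2),
    )


if __name__ == "__main__":
    tp, scp = build_tag_policy(ALLOWED_COST_CENTERS), build_require_tag_scp()
    for tags in ({"CostCenter": "101234"}, {"CostCenter": "999999"},
                 {"costcenter": "101234"}, {"Name": "web"}):
        print(tags, "tag policy only ->", evaluate_launch(tags, tp))
        print(tags, "tag policy + SCP ->", evaluate_launch(tags, tp, scp))
    for doc in policy_documents():
        print(doc)
```

Running the block prints the four cases side by side: a request with no CostCenter key passes the tag policy alone and is only denied once the SCP is attached, which is the behaviour the note above about auto scaling warns about, since a scaling launch from an untagged configuration is exactly such a request.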

Understanding tag compliance

To validate the ongoing compliance of this new tagging policy, you can use AWS Config. AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. By using AWS Config rules, specifically the “required-tags” rule, you can check if your resources have the tags that you require (i.e., ensuring your Amazon EC2 instances have the CostCenter tag we created earlier).

To monitor tag compliance, navigate to the AWS Config console page, then select “Rules” from the left navigation menu.

Figure 11. AWS Config rules section screen

The details on how to add new rules are outside the scope of this blog, but details on using the required-tags built-in config rule can be found in the AWS Config documentation. Through AWS Config and SCPs, you can further enforce tagging policies across your organization, and validate long-term compliance.

But what about existing resources that may not meet our new tagging policy? How can we bring these resources into compliance?

Identifying untagged resources with Tag Editor

The final step of our tagging policy implementation is addressing resources that have been provisioned in the past without tags. This can be done with the help of Tag Editor.

  1. To use Tag Editor, go to your AWS Management Console, search for and click “AWS Resource Groups & Tag Editor”.
  2. Then click “Tag Editor” in the left-hand navigation under “Tagging”.
  3. On the Tag Editor page, start by selecting the regions where you want to find resources. In this example, we’ll search “All regions”.
  4. Next, configure the resource types you’re searching for. In this example, we’ll search for Amazon EC2 instances.
  5. Last, input the tag you’re searching for. In this case, we’re looking for all Amazon EC2 instances that are not tagged with the CostCenter tag.
  6. You’ll be provided a list of resources that meet your criteria, i.e., a list of all Amazon EC2 instances, across all regions, without the CostCenter tag. You can export the results to a CSV, and notify employees within the organization to take action.

Figure 12. Tag Editor configuration screen

NOTE: Tag Editor can only be run on a single account, not at the organizational level. Each account within your organization will need to use Tag Editor to identify untagged resources.

Activate cost allocation tags

Before you can start analyzing costs in Cost Explorer with your newly implemented tagging strategy, you will need to activate your tags for cost and usage reporting. Browse to the AWS Billing Console, select “Cost allocation tags”, and activate the newly created CostCenter tag. Until you’ve tagged your resources and activated your tags, AWS Cost Explorer will not show the results of applying these tags.

Figure 13. Activating our cost allocation tags in the AWS Billing Console

Visualizing and analyzing your spend in AWS Cost Explorer

After implementing your tagging strategy and activating your tags in your AWS Billing Console, you can use AWS Cost Explorer to analyze costs for each individual cost center. In our example, you can view each individual Cost Center’s spend on a per-service basis.

Figure 14. Cost Explorer report with no filters

As you review your costs in Cost Explorer, you may be confused when resources you know have been tagged don’t show up under that tag for previous periods. Tagging does not apply retroactively: cost and usage is attributed to a tag only from the time the tag is applied and activated onward.

With Cost Explorer, you can analyze which accounts are contributing to the most spend that don’t have the proper CostCenter tag associated with them. You can do this by creating a Cost Explorer report with the dimension “Linked Account”, the tag filter “CostCenter”, and the value “No tag key: CostCenter”.

Figure 15. Cost Explorer report with “No Tag Key”: Cost Center filter
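The same “No tag key: CostCenter” breakdown by linked account that the Cost Explorer report above produces can be reproduced from cost and usage line items. The block below is an added example, not code from the post or from AWS: it takes a handful of constructed rows modeled on AWS Cost and Usage Report columns (lineItem/UsageAccountId, lineItem/ProductCode, lineItem/UnblendedCost and resourceTags/user:CostCenter), ranks the accounts by spend that carries no CostCenter tag, and also groups total spend by cost center with an explicit “No tag key” bucket, which is the view Figure 16 shows with the tag as a dimension. Account IDs, costs and tag values are all constructed sample data.

```python
"""Rank untagged spend by linked account from cost-and-usage line items.

Added example (not from the AWS post). Column names follow the AWS Cost and
Usage Report layout; the rows themselves are constructed sample data.
"""
from collections import defaultdict

TAG_KEY = "CostCenter"
TAG_COLUMN = f"resourceTags/user:{TAG_KEY}"
NO_TAG_LABEL = f"No tag key: {TAG_KEY}"   # the label Cost Explorer uses

# Constructed sample line items (account IDs and costs are made up).
SAMPLE_ROWS = [
    {"lineItem/UsageAccountId": "111111111111", "lineItem/ProductCode": "AmazonEC2",
     "lineItem/UnblendedCost": "120.0", TAG_COLUMN: "101234"},
    {"lineItem/UsageAccountId": "111111111111", "lineItem/ProductCode": "AmazonEC2",
     "lineItem/UnblendedCost": "35.5", TAG_COLUMN: ""},
    {"lineItem/UsageAccountId": "222222222222", "lineItem/ProductCode": "AmazonRDS",
     "lineItem/UnblendedCost": "200.0", TAG_COLUMN: ""},
    {"lineItem/UsageAccountId": "222222222222", "lineItem/ProductCode": "AmazonS3",
     "lineItem/UnblendedCost": "12.25", TAG_COLUMN: "105678"},
    {"lineItem/UsageAccountId": "333333333333", "lineItem/ProductCode": "AmazonEC2",
     "lineItem/UnblendedCost": "80.0", TAG_COLUMN: ""},
    {"lineItem/UsageAccountId": "222222222222", "lineItem/ProductCode": "AmazonEC2",
     "lineItem/UnblendedCost": "50.0"},   # column absent entirely, also untagged
]


def _tag_value(row, tag_column=TAG_COLUMN):
    """Return the tag value or None when the tag is absent or empty.
    A CUR row for an untagged resource has an empty string (or no column)."""
    value = row.get(tag_column, "")
    return value if value else None


def untagged_spend_by_account(rows, tag_column=TAG_COLUMN):
    """Sum UnblendedCost per linked account for rows with no tag value.
    Returns a list of (account_id, cost) sorted by cost, highest first, which
    is the 'Linked Account' x 'No tag key' report from the post."""
    totals = defaultdict(float)
    for row in rows:
        if _tag_value(row, tag_column) is None:
            totals[row["lineItem/UsageAccountId"]] += float(row["lineItem/UnblendedCost"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def spend_by_cost_center(rows, tag_column=TAG_COLUMN, no_tag_label=NO_TAG_LABEL):
    """Group total UnblendedCost by CostCenter value, with untagged spend
    collected under the 'No tag key' bucket (the tag-as-dimension view)."""
    totals = defaultdict(float)
    for row in rows:
        bucket = _tag_value(row, tag_column) or no_tag_label
        totals[bucket] += float(row["lineItem/UnblendedCost"])
    return dict(totals)


if __name__ == "__main__":
    print("Untagged spend by linked account (highest first):")
    for account, cost in untagged_spend_by_account(SAMPLE_ROWS):
        print(f"  {account}  {cost:>8.2f}")
    print("Spend by CostCenter:")
    for bucket, cost in spend_by_cost_center(SAMPLE_ROWS).items():
        print(f"  {bucket:<24} {cost:>8.2f}")
```

On real data you would load the rows from a CUR export (for example with `csv.DictReader`) instead of the constructed list; the two functions need only the four columns named above. The account at the top of the first list is the one to approach first when helping teams adopt the tagging strategy.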

With reports like this, your organization can help these specific accounts implement a new tagging strategy. Over time, you’ll be able to create additional Cost Explorer reports that give you a detailed breakdown of your organization’s AWS spend by Cost Center.

Figure 16. Cost Explorer report with the CostCenter tag as a dimension

Conclusion

This blog has outlined a process to help you in defining, implementing, and enforcing an organizational tagging strategy, which includes identifying untagged resources within your AWS account. Once completed, you can use Cost Explorer to visualize, understand, manage, and report on your AWS costs and usage using these tags. In the end, this not only increases organizational cost visibility and awareness, but fosters individual business unit cost accountability that can positively impact cloud cost optimization and business value realization.

🏁GET STARTED: Implement and activate your tagging strategy in the AWS Billing Console

Ryan Doty

Ryan Doty is a Solutions Architect at AWS, based out of New York. He helps enterprise customers in the Northeast U.S. accelerate their adoption of the AWS Cloud by providing architectural guidelines to design innovative and scalable solutions. Coming from a software development and sales engineering background, the possibilities that the cloud can bring to the world excite him. Outside of work, he loves to play computer games, and support Liverpool FC.

Bert Zahniser, CISSP, CCSP

Bert Zahniser is a Senior Solutions Architect at AWS based out of the Philadelphia area, with over 30 years of experience in IT infrastructure and a focus on Information Security. He is a strong advocate for cloud adoption, helping customers on their cloud journey to design and implement solutions in AWS with security and governance in mind. Outside of work, he follows baseball, ice hockey, and loves to golf and visit craft beer breweries.

Vishal Manan

Vishal Manan is a Specialist Solutions Architect at AWS, based out of Seattle. He helps customers adopt cost effective, performant and sustainable EC2 compute instances using Graviton processors (arm64 in the cloud). He is excited to apply his platform software development skills and consulting background to the AWS cloud. Outside of work, he loves being a dad, cooking, playing golf and hiking.