December 10th, 2015
Tagging and ARN Path Best Practices
By Rich Uhl
One of the most common questions our customers ask us about is best practices around tagging resources in AWS. Surprisingly, AWS doesn’t provide a best practices guide for tagging like they do for the majority of their services. What follows in this post serves as our own guide to “best practices” for tagging that we’ve compiled through years of working with customers large and small.

Guidelines and Reminders

Tag Management

Here are some tips for dealing with tags:
  • Determine who has the ability to create and manage tags
  • Educate users that creating and modifying tags are the same level of access
  • Consider routing tagging through an API or portal to better control who can create and modify tags (create and modify are the same permission)
  • Enterprise customers concerned with tagging integrity should leverage a toolset like Splunk to track and alert on sensitive tags (e.g. Billing Code or Cost Center)

Path Strategies within ARNs

Paths can be assigned to the following types of Amazon Resource Names (ARNs):
  • IAM: Users, Roles, Policies, etc.
  • S3: Bucket/Folder structures

Documentation Guidelines and Public Samples

Default Path Structure


Sample Path Strategies

/Organization/Department/Application

Examples:
  • /Corp/IT/SharedSvcs
  • /BU1/Marketing/Materials
  • /Corp/HR/Confidential
  • /BU1/PMO/Deliverables
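
One way to combine the tag-integrity tip from Tag Management with the path samples above (an added example, not code from the original post): flag any change to a sensitive tag made by a principal outside a trusted IAM path. It assumes EC2 tag changes are collected as CloudTrail CreateTags/DeleteTags records, that CostCenter and BillingCode are the sensitive keys, and that /Corp/IT/SharedSvcs/ is the trusted path; the sample records and account ID are constructed.

```python
SENSITIVE_KEYS = {"costcenter", "billingcode"}  # assumed spellings of the sensitive keys
TRUSTED_PATH = "/Corp/IT/SharedSvcs/"           # assumed: only users under this path may set them
TAG_EVENTS = {"CreateTags", "DeleteTags"}       # EC2 calls that write or remove tags

def principal_path(arn):
    """Return the IAM path of a user ARN, or None for any other principal."""
    fields = arn.split(":", 5)
    if len(fields) != 6 or fields[2] != "iam" or not fields[5].startswith("user/"):
        return None  # e.g. assumed-role session ARNs do not carry the role's path
    parts = fields[5].split("/")
    return "/" + "/".join(parts[1:-1]) + "/" if len(parts) > 2 else "/"

def sensitive_tag_alerts(records):
    """Return one alert per sensitive tag changed from outside TRUSTED_PATH."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in TAG_EVENTS:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        if (principal_path(arn) or "").startswith(TRUSTED_PATH):
            continue  # change made by a principal under the trusted path
        params = rec.get("requestParameters") or {}
        resources = [r["resourceId"] for r in params.get("resourcesSet", {}).get("items", [])]
        for tag in params.get("tagSet", {}).get("items", []):
            if tag.get("key", "").lower() in SENSITIVE_KEYS:
                alerts.append({"event": rec["eventName"], "principal": arn,
                               "key": tag["key"], "value": tag.get("value"),
                               "resources": resources})
    return alerts

def make_record(name, arn, resource, tags):
    """Build a record shaped like an EC2 tagging event (constructed sample data)."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn},
            "requestParameters": {"resourcesSet": {"items": [{"resourceId": resource}]},
                                  "tagSet": {"items": tags}}}

ACCT = "111122223333"  # placeholder account ID
SAMPLE = [  # constructed records, not real CloudTrail output
    make_record("CreateTags", f"arn:aws:iam::{ACCT}:user/Corp/IT/SharedSvcs/tagbot", "i-0aaa",
                [{"key": "Name", "value": "web1"}, {"key": "CostCenter", "value": "CC#12345"}]),
    make_record("CreateTags", f"arn:aws:iam::{ACCT}:user/BU1/Marketing/Materials/dana", "i-0bbb",
                [{"key": "CostCenter", "value": "CC#99999"}]),
    make_record("DeleteTags", f"arn:aws:sts::{ACCT}:assumed-role/DevOpsUser/session1", "i-0ccc",
                [{"key": "CostCenter"}]),
    make_record("CreateTags", f"arn:aws:iam::{ACCT}:user/BU1/PMO/Deliverables/lee", "i-0ddd",
                [{"key": "Environment", "value": "QA"}]),
]
```
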

Note:  Performance considerations need to come into play when designing a path strategy for S3.  Depending upon your enterprise use case or workload the following guidance may apply.  See •

Path Restrictions

Tagging Examples

| Key | Value | Function |
| --- | --- | --- |
| Name | Resource Name/Machine Name | Management |
| Environment | Development, Test, QA, Staging, Production | Account/Resource Separation, Management |
| Tier | Backend, Frontend, DMZ | Management, Account/Resource Separation |
| CostCenter | Department ID, CC#12345 | Billing, Management |
| Role | Web, App, Domain Controller | Management |
| Application | MobileApp1, WebApp1 | Management |
| CodeVersion | 3.49 | Management |
| AppPath | Application1/component1/Version2.49 | Management |
| PoolName, ClusterName | WebApp1Pool1, App1DBCluster1 | Management |
| Owner | OwnerEmail, OwnerDL | Management |
| SecurityLevel | VPCAdmin, EC2Admin, StorageAdmin, IAMAdmin, DevOpsAdmin, DevOpsUser | Access Control |
| Path | /Organization/Department/Application | Access Control, Billing, Management, Account/Resource Separation |
| ExpirationDate | 2015.12.31 | Billing, Management |
| DataProfile | Public, Confidential, Restricted, Internal | Access Control, Management, Account/Resource Separation |

Although the guidelines and suggestions listed here are based on experience and feedback from customers, there is no “right” or “wrong” way to manage tagging. We do suggest, though, that you settle on a tagging policy early on, even if it is incomplete. Here are quotes from several of our customers who didn’t use tagging during their first year on AWS:

“It would have been better for us to have used an incomplete or wrong tagging scheme; instead we ended up with nothing.”

“Knowing what we know now, we should have started with some basic tags even if they weren’t complete.”