Tagging and ARN Path Best Practices

One of the most common questions our customers ask us about is best practices around tagging resources in AWS. Surprisingly, AWS doesn’t provide a best practices guide for tagging like they do for the majority of their services. What follows in this post serves as our own guide to “best practices” for tagging that we’ve compiled through years of working with customers large and small.

 Guidelines and Reminders

• Tag early and often
• Tags don’t maintain history
• Not every service/resource is tag-able
• Limit of 10 custom tags
• List of services that support tagging: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html

Tag Management

Here are some tips for dealing with tags:

• Determine who has the ability to create and manage tags
• Educate users that Create/Modify is the same level of access when it comes to tags
• Consider having tagging completed by an API/Portal in order to better control who has the ability to create and modify tags  (i.e. create/modify = same permission)
• Enterprise customers concerned with tagging integrity should leverage a toolset like Splunk to track and alert for sensitive tags (i.e. Billing Code or Cost Center)

Path Strategies within ARNs

Paths can be assigned to the following types of Amazon Resource Names (ARNs):

• IAM: Users, Roles, Policies, etc.
• S3: Bucket/Folder structures

Documentation Guidelines and Public Samples

http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html#Identifiers_ARNs

Default Path Structure

arn:aws:service:region:account:resource

Sample Path Strategies

/Organization/Department/Application Examples:

• /Corp/IT/SharedSvcs
• /BU1/Marketing/Materials
• /Corp/HR/Confidential
• /BU1/PMO/Deliverables

Note:  Performance considerations need to come into play when designing a path strategy for S3.  Depending upon your enterprise use case or workload the following guidance may apply.  See • http://aws.amazon.com/blogs/aws/amazon-s3-performance-tips-tricks-seattle-hiring-event/

Path Restrictions

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html

http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

Tagging Examples

Key	Value	Function
Name	Resource Name/Machine Name	Management
Environment	Development Test QA Staging Production	Account/Resource Separation Management
Tier	Backend Frontend DMZ	Management Account/Resource Separation
CostCenter	Department ID CC#12345	Billing Management
Role	Web App Domain Controller	Management
Application	MobileApp1 WebApp1	Management
CodeVersion	3.49	Management
AppPath	Application1/component1/Version2.49	Management
PoolName ClusterName	WebApp1Pool1 App1DBCluster1	Management
Owner	OwnerEmail OwnerDL	Management
SecurityLevel	VPCAdmin EC2Admin StorageAdmin IAMAdmin DevOpsAdmin DevOpsUser	Access Control
Path	/Organization/Department/Application	Access Control Billing Management Account/Resource Separation
ExpirationDate	2015.12.31	Billing Management
DataProfile	Public Confidential Restricted Internal	Access Control Management Account/Resource Separation

Although the guidelines and suggestions listed are based on experience and feedback from customers, there is not a “right” or “wrong” way to manage tagging. We do suggest though that a policy for tagging is determined early on even if it’s incomplete. Here are quotes from several of our customers who didn’t use tagging during their first year on AWS:

“It would have been better for us to have used an incomplete, or wrong tagging scheme, instead we ended up with nothing.”

“Knowing what we know now we should have started with some basic tags even if they weren’t complete.”