Enforce Centralized Tag Compliance Using AWS Service Catalog, DynamoDB, Lambda, and CloudWatch Events
By Sagar Khasnis, Partner Solutions Architect at AWS
By Awaneendra Tiwari, Cloud Architect at Brillio
Some of the customers we work with have a central database where they keep tag values, and they want to enforce tags at provisioning using the tag enforcement capability of AWS Service Catalog.
For example, a customer can have a central location where they keep all of their constantly-updated cost center information, and they use that information as tag values in their AWS Service Catalog portfolios.
In this post, we’ll show you how to implement tag options so the tag option library is automatically updated when new tags are added to Amazon DynamoDB. Using this solution ensures that all the AWS Service Catalog products launched by end users will be automatically tagged with a standard set of values defined by your organization.
Brillio is an AWS Partner Network (APN) Advanced Consulting Partner. Together with AWS, they have worked to restructure and reshape billion-dollar enterprise IT operations into modern and agile digital infrastructure operations.
For example, Brillio is one of five APN Partners featured in the recent AWS WorkLink launch that aims to help companies accelerate secure enterprise mobility.
AWS Services and Definitions
Below is a brief review of the AWS services you’ll need, along with a few specialty terms we’ll be using throughout the post that are required to understand this tag enforcement solution.
AWS Service Catalog enables organizations to create and manage catalogs of IT services that are approved for use on AWS. The following are key concepts relating to AWS Service Catalog:
- A Service Catalog product is a blueprint for building your AWS resources that you want to make available for deployment on AWS, along with the configuration information. You create a product by importing an AWS CloudFormation template or AWS Marketplace AMI and copying the product to AWS Service Catalog. A product can belong to multiple portfolios. To learn more, see the documentation.
- A portfolio is a collection of products together with the configuration information. You can use portfolios to manage user access to specific products, and you can grant portfolio access at an AWS Identity and Access Management (IAM) user, group, and role level. To learn more, see the documentation.
- A provisioned product is a CloudFormation stack with the AWS resources that are created. When an end user launches a product, AWS Service Catalog provisions the product in the form of a CloudFormation stack. To learn more, see the documentation.
- Constraints control the way users deploy a product. With launch constraints, you can specify a role that AWS Service Catalog can assume to launch a product from the portfolio. To learn more, see the documentation.
- A TagOption is a key-value pair managed in AWS Service Catalog. It’s not an AWS tag but serves as a template for creating one based on the TagOption. These TagOptions are applied to provisioned products as AWS tags.
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.
AWS Lambda is a compute service that lets you run code without provisioning or managing servers.
Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources. Using simple rules that you can set up in minutes, you can easily route each type of event to one or more targets.
Here is an architecture diagram of the tag enforcement process:
Figure 1 – Tag enforcement architecture using AWS Service Catalog, Lambda, DynamoDB, and CloudWatch Events.
This sample solution will help you set up tag enforcement in your AWS environment and perform the following processes:
- Sync newly-added tags in the DynamoDB table
  - When you add a new tag pair in DynamoDB, it will trigger the TagSync Lambda function and create the same tag pair in your TagOption library.
  - Additionally, the TagOption created in the previous step will be associated with all your existing portfolios.
- Sync removal of tags from the DynamoDB table
  - When you remove a tag pair from DynamoDB, it will trigger the TagSync Lambda function, disassociate the corresponding TagOption from all the associated portfolios, and remove it from your TagOption library.
- Sync updated tags in the DynamoDB table
  - When you update a tag pair in DynamoDB, it will trigger the TagSync Lambda function and update the corresponding TagOption in your TagOption library and in all the associated portfolios.
- Apply all the TagOptions to new portfolios automatically
  - When you create a new AWS Service Catalog portfolio, a CloudWatch event will trigger the TagEnforcement Lambda function and associate all the TagOptions from your TagOption library with the newly-created portfolio.
This mechanism ensures that any tags added in DynamoDB are added to your AWS Service Catalog TagOption library and attached to existing portfolios. Additionally, any newly-created portfolios will automatically contain all the TagOptions in your TagOption library.
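The following is an added example, not code from the aws-samples repository, showing how the two Lambda functions described above can be written against the Service Catalog API. It assumes (the post does not state these details) that the DynamoDB items carry attributes named KEY and VALUE, that the table's stream is configured with NEW_AND_OLD_IMAGES so that REMOVE and MODIFY records carry the old item, and that the CloudTrail-based CloudWatch event exposes the new portfolio id at detail.responseElements.portfolioDetail.id. FakeServiceCatalog is an in-memory stand-in for boto3.client("servicecatalog") that mirrors the calls used, so the handlers can be exercised offline.

```python
# Added example: TagSync (DynamoDB Streams -> TagOption library) and
# TagEnforcement (CreatePortfolio event -> attach all TagOptions).
# KEY/VALUE attribute names and the event shape are assumptions, not from the post.
import itertools
try:
    import boto3          # present in the Lambda runtime; optional for offline runs
except ImportError:
    boto3 = None


class FakeServiceCatalog:
    """Mirrors the boto3 Service Catalog calls the handlers use (in-memory)."""
    def __init__(self, portfolio_ids):
        self.portfolios = {p: set() for p in portfolio_ids}   # id -> TagOption ids
        self.tag_options = {}                                  # id -> (Key, Value)
        self._ids = itertools.count(1)
    def list_portfolios(self):
        return {"PortfolioDetails": [{"Id": p} for p in self.portfolios]}
    def list_tag_options(self, Filters=None):
        f = Filters or {}
        return {"TagOptionDetails": [{"Id": i, "Key": k, "Value": v}
                                     for i, (k, v) in self.tag_options.items()
                                     if f.get("Key", k) == k and f.get("Value", v) == v]}
    def list_resources_for_tag_option(self, TagOptionId):
        return {"ResourceDetails": [{"Id": p} for p, t in self.portfolios.items()
                                    if TagOptionId in t]}
    def create_tag_option(self, Key, Value):
        tid = "tag-%d" % next(self._ids)
        self.tag_options[tid] = (Key, Value)
        return {"TagOptionDetail": {"Id": tid, "Key": Key, "Value": Value}}
    def update_tag_option(self, Id, Value):
        self.tag_options[Id] = (self.tag_options[Id][0], Value)
    def delete_tag_option(self, Id):
        del self.tag_options[Id]
    def associate_tag_option_with_portfolio(self, ResourceId, TagOptionId):
        self.portfolios.setdefault(ResourceId, set()).add(TagOptionId)
    def disassociate_tag_option_from_resource(self, ResourceId, TagOptionId):
        self.portfolios[ResourceId].discard(TagOptionId)


def _pair(image):
    """(Key, Value) from a stream image; the KEY/VALUE attribute names are assumed."""
    return image["KEY"]["S"], image["VALUE"]["S"]

def _find(sc, key, value):
    hits = sc.list_tag_options(Filters={"Key": key, "Value": value})["TagOptionDetails"]
    return hits[0]["Id"] if hits else None

def _add(sc, key, value):
    """Create the TagOption if it is missing, then attach it to every existing portfolio."""
    tid = _find(sc, key, value) or sc.create_tag_option(Key=key, Value=value)["TagOptionDetail"]["Id"]
    for p in sc.list_portfolios()["PortfolioDetails"]:
        sc.associate_tag_option_with_portfolio(ResourceId=p["Id"], TagOptionId=tid)
    return tid

def _remove(sc, key, value):
    """Detach the TagOption from every resource it is associated with, then delete it."""
    tid = _find(sc, key, value)
    if tid is None:
        return None
    for r in sc.list_resources_for_tag_option(TagOptionId=tid)["ResourceDetails"]:
        sc.disassociate_tag_option_from_resource(ResourceId=r["Id"], TagOptionId=tid)
    sc.delete_tag_option(Id=tid)
    return tid

def tag_sync_handler(event, context=None, sc=None):
    """TagSync: DynamoDB Streams records -> TagOption library. Returns [(action, id), ...]."""
    sc = sc or boto3.client("servicecatalog")
    out = []
    for rec in event["Records"]:
        kind, img = rec["eventName"], rec["dynamodb"]
        if kind == "INSERT":
            out.append(("created", _add(sc, *_pair(img["NewImage"]))))
        elif kind == "REMOVE":
            out.append(("deleted", _remove(sc, *_pair(img["OldImage"]))))
        elif kind == "MODIFY":
            (ok, ov), (nk, nv) = _pair(img["OldImage"]), _pair(img["NewImage"])
            tid = _find(sc, ok, ov)
            if tid and ok == nk:      # same Key: update in place, associations survive
                sc.update_tag_option(Id=tid, Value=nv)
                out.append(("updated", tid))
            else:                     # Key changed: a TagOption Key cannot be updated
                _remove(sc, ok, ov)
                out.append(("replaced", _add(sc, nk, nv)))
    return out

def tag_enforcement_handler(event, context=None, sc=None):
    """TagEnforcement: CreatePortfolio event -> attach every TagOption to the new portfolio."""
    sc = sc or boto3.client("servicecatalog")
    pid = event["detail"]["responseElements"]["portfolioDetail"]["id"]
    tids = [t["Id"] for t in sc.list_tag_options()["TagOptionDetails"]]
    for tid in tids:
        sc.associate_tag_option_with_portfolio(ResourceId=pid, TagOptionId=tid)
    return pid, tids
```

In a real deployment the CloudWatch Events rule matches `CreatePortfolio` calls reported through CloudTrail (source `aws.servicecatalog`, detail-type `AWS API Call via CloudTrail`), so CloudTrail must be enabled in the Region, and `list_tag_options` / `list_portfolios` should be paginated with `PageToken` once the library grows. Treating a MODIFY with an unchanged Key as `update_tag_option` keeps the existing portfolio associations, which a delete-and-recreate would not.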
There are a few basic actions to take before allowing automatic tag enforcement for your AWS Service Catalog portfolios. The following steps require administrator access to AWS resources via the AWS Management Console.
- Log in to the AWS Region in which you want to deploy the automatic tag enforcement solution.
- Verify that AWS Service Catalog is supported in the AWS Region.
- Verify that you have AWS Service Catalog Administrator access.
- You can use the following button to set up the tag enforcement automation in your selected Region. If you have not selected a Region, US East 1 (N. Virginia) will be selected for you:
- On the CloudFormation details screen, the following parameters will be listed. You can use the default values listed for these parameters and click Next:
  - BucketName: Name of the Amazon Simple Storage Service (Amazon S3) bucket containing the Lambda code for the two Lambda functions used in this sample: tagEnforcement.zip and tagSync.zip. You can use the default value listed.
  - TagSyncLambdaName: The filename of the tag sync Lambda function (which syncs AWS Service Catalog TagOptions with DynamoDB) in your Amazon S3 bucket. You can use the default value listed.
  - TagEnforcementLambdaName: The filename of the tag enforcement Lambda function in your Amazon S3 bucket. You can use the default value listed.
  - RoleName: Enter the name of the execution role created for the tag enforcement and sync Lambda functions. You can use the default value listed.
  - CloudWatchRuleName: Enter the name of the Amazon CloudWatch rule that triggers the TagSyncLambda on creation of a new AWS Service Catalog portfolio. You can use the default value listed.
- Click Next on the Specify Details and Options pages, and then select the checkbox to acknowledge creation of AWS Identity and Access Management (IAM) resources.
- Finally, click Create to set up your tag enforcement infrastructure.
All of the artifacts for this solution are available in the aws-samples GitHub repository.
Test Your Solution
Follow these steps to ensure your tag enforcement automation is running accurately:
Step 1: Add tag values to DynamoDB
- Go to the DynamoDB table created from the CloudFormation template in the initial setup section. In the Items tab, add the following values:
  - KEY=Name, VALUE=Tag-Enforcement
  - KEY=Team, VALUE=Operations
  - KEY=Cost Center, VALUE=100
  - KEY=Cost Center, VALUE=200
Figure 2 – How your DynamoDB table should look after entering the tag values.
Step 2: Check the TagOption library for latest tags from DynamoDB
- Step 1 will trigger the TagSync Lambda function, which copies the values from DynamoDB to the AWS Service Catalog TagOption library.
- At this point, the TagOption library in your AWS Service Catalog should automatically contain the TagOptions from your DynamoDB table, as shown in the screenshot below.
Figure 3 – AWS Service Catalog tagOption library with your DynamoDB tags.
Step 3: Create an AWS Service Catalog portfolio
- Create an AWS Service Catalog portfolio called ‘Demo-Portfolio’ in the Region where you set up the tag enforcement automation infrastructure.
- This step triggers the CloudWatch Event that invokes the tag enforcement Lambda function, which applies all the tags in your TagOption library to the new portfolio.
Figure 4 – The process to create a new portfolio in AWS Service Catalog.
Step 4: Add new tags to DynamoDB
- Go to the DynamoDB table for your tags and add the following value to the table:
  - KEY=Operation, VALUE=Addition
Figure 5 – How your DynamoDB table would look after adding a new tag.
Step 5: Check the newly-created portfolio for additions in DynamoDB
- Go back to the ‘Demo-Portfolio’ to check the TagOptions associated with it.
- Your newly-created tag in DynamoDB will be associated with the AWS Service Catalog portfolio, as shown in the image below.
Figure 6 – AWS Service Catalog portfolio updated with newly added tags in DynamoDB.
Step 6: Launch a product from the AWS Service Catalog portfolio as an end user
- We added a sample product named “Amazon Elastic Compute Cloud (EC2) Windows” and assigned it to an end user. You can assign IAM users, groups, or roles to a portfolio on the portfolio details screen in the previous step.
- When the end user launches the EC2 product, it will be tagged with the TagOptions from the previous step.
Figure 7 – The tagOptions screen in AWS Service Catalog during product launch.
Please note the following considerations while using this sample solution:
- It will not import existing TagOptions from AWS Service Catalog to DynamoDB.
- It assumes all the TagOptions in your TagOption library will be created in DynamoDB and does not consider cases where TagOptions are manually created in AWS Service Catalog.
- It will not interfere with manually-created TagOptions unless the same TagOptions are created in the DynamoDB table.
You may want to extend this solution to support portfolio-specific tags, which can be done by adding a portfolio id column in DynamoDB and updating the logic in the TagSync and TagEnforcement Lambda functions.
If you have an idea on how this solution could be extended, we would love to hear your ideas at firstname.lastname@example.org.
In this post, we have provided an example of how you can dynamically update your AWS Service Catalog tag option library using Amazon DynamoDB. We showed you how to deploy the solution architecture using a predefined CloudFormation template, as well as how to run a test scenario to ensure the DynamoDB tags were automatically synced with your AWS Service Catalog TagOptions library and portfolios.
Additionally, we showed the possible extensions you could apply to this solution for your unique compliance use cases. This exercise aims to provide you a head start to your tag compliance strategy and ensure all the AWS Service Catalog products launched by your end users will be tagged with a standard set of values defined by your organization.
If you have questions about implementing the solution described in this post, please contact AWS Support.
Brillio – APN Partner Spotlight
Brillio is an APN Advanced Consulting Partner. They help customers re-imagine their businesses and competitive advantages, and then rapidly develop and deploy disruptive industrial-grade digital solutions.