AWS Cloud Financial Management

Cost Allocation Blog Series #3: Enforce and Validate AWS Resource Tags

This blog post is contributed by Roberto Meda, Senior Consultant of High Performance Computing, AWS

As I shared in the blog “Cost Allocation Basics That You Need to Know”, tagging is one of the most foundational steps that you need to take in order to establish a meaningful cost allocation model.  Tags can also control access to AWS resources, be applied to IAM users and roles, and locate AWS resources, either via AWS APIs or directly in the AWS console.

Customers asked us how you can ensure teams consistently create and apply resource tags according to the tagging strategy.  We talked about how you can use AWS-generated and user-defined cost allocation tags and how they fit your tagging needs.  In this blog, Roberto Meda, Senior Consultant of High Performance Computing, shares recommendations on how your team, especially your AWS administrators, can enforce and validate your resource tags.

Centrally adding and managing resource tags

Let’s first refresh your knowledge about how you can centrally add and manage resource tags.

If you manage AWS resources programmatically, you can tag resources at creation time and modify existing tags by iterating over the resources you own.

If you are using the AWS Console, you need to select each AWS resource individually and manage its tags.  For example, to add a Project tag to an existing EC2 instance, go to AWS Console → EC2 → Instances, select the target instance and specify your tags under the Tags tab in the lower pane.

This procedure becomes time consuming when many resources need to be updated. Luckily, you can use AWS Resource Groups to quickly search AWS resources and manage their tags with Tag Editor. Using the instance tag example above, you can instead go to AWS Console → AWS Resource Groups → Tagging → Tag editor, search for resource type AWS::EC2::Instance, select all the instances you need to tag, and modify their tags all at once.

Key Concepts

  • Enforce tag usage: ensure that your users attach the required resource tags to the AWS resources they deploy or already use
  • Validate tag values: verify that the tag values your users define are consistent with your company's tagging strategy

Service Overview

To enforce and validate AWS resource tags, we’ll primarily use two AWS services: AWS Organizations and AWS IAM.

AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, AWS Organizations helps you centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.

To enforce tag usage, we'll use AWS Organizations service control policies (SCPs). SCPs set the maximum permissions available to the accounts in your organization, so you can keep your accounts within your organization's access control guidelines. SCPs never grant access on their own; a Deny in an SCP applies to every IAM principal in the attached accounts, including the account root user, and cannot be overridden by IAM policies inside those accounts. SCPs do not apply to the organization's management account.

To validate tag values, we'll use AWS Organizations tag policies. Tag policies let you define the allowed keys and values for your tags, including the preferred capitalization of tag keys and tag values, and, for supported resource types, enforce them by rejecting non-compliant tagging requests.

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Requirements

We assume you are familiar with AWS Organizations and manage an organization with at least two AWS accounts: the management account that owns the organization and one member account. For simplicity, in this blog we'll explain how to enforce and validate tags for the member accounts, but the same procedure can be applied to any other account or organizational unit (OU) you may have in place.  You need administrator access in the management account: the policies are created there and take effect in the member accounts or OUs you attach them to.

If you already manage an AWS Landing Zone, you’re probably already familiar with AWS Organizations.

If you are missing any of these requirements, you may want to check this Tutorial: Creating and configuring an organization.

Enforce tags

In our example, we will require users to attach a Project tag, with one of a set of pre-defined values, to any CloudFormation stack they create.

We'll begin by checking whether service control policies are enabled in your organization:

  • Go to AWS Console and select AWS Organizations
  • On the Organize accounts tab, choose Root in the left navigation pane
  • In the details pane on the right side, next to Service control policies, choose Enable
  • Under What is a service control policy?, choose Enable service control policies

After you complete these steps, the Root details pane should show that service control policies are now enabled.

Now, you can switch to the Policies tab, and click on Service control policies: there you will find the default, pre-set policy FullAWSAccess that grants access to every operation.

You can add a new policy that will implement the tags requirements by clicking on Create Policy.

In this example, enter a policy name, e.g. EnforceProjectTag, and a description. The policy will require a Project tag on every CloudFormation stack your users create.

In this case, the policy JSON will be the following:

This policy says: deny the cloudformation:CreateStack operation whenever the request does not carry a Project tag. Because SCPs only narrow what IAM allows, the user's existing IAM permissions still apply when the tag is present; when it is missing, the call fails no matter what IAM grants.

You can check AWS IAM Actions, Resources and Conditions for a complete reference.
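As an added example (not code from the original post), here is the SCP document described above together with a small model of how its Deny statement is evaluated against a CreateStack request. It assumes the policy uses the Null operator on the aws:RequestTag/Project condition key, which is the standard pattern for "deny unless the create call carries this tag"; the policy name EnforceProjectTag comes from the post, and the sample requests are constructed.

```python
"""Added example, not from the original post: the EnforceProjectTag SCP and a
small model of how a Deny statement is evaluated against a request.
Assumed: the Null operator on aws:RequestTag/Project (standard pattern)."""
import fnmatch
import json

ENFORCE_PROJECT_TAG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCreateStackWithoutProjectTag",
            "Effect": "Deny",
            "Action": "cloudformation:CreateStack",
            "Resource": "*",
            # Null = "true": the condition key is absent from the request,
            # i.e. the caller passed no Project tag at all.
            "Condition": {"Null": {"aws:RequestTag/Project": "true"}},
        }
    ],
}


def scp_json(scp=ENFORCE_PROJECT_TAG_SCP):
    """The document to paste into the policy editor or pass as --content."""
    return json.dumps(scp, indent=2)


def request_context(request_tags):
    """Model of the request context: every tag passed to a create call is
    exposed as a condition key aws:RequestTag/<key> (keys matched literally here)."""
    return {f"aws:RequestTag/{key}": value for key, value in request_tags.items()}


def condition_holds(condition, context):
    """Evaluate the operators this SCP can use; every clause must hold."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            if operator == "Null":
                absent = key not in context
                if absent != (expected == "true"):
                    return False
            elif operator == "StringEquals":
                allowed = expected if isinstance(expected, list) else [expected]
                if context.get(key) not in allowed:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def statement_matches(statement, action, context):
    """Action patterns are case-insensitive and may contain wildcards."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
        return False
    return condition_holds(statement.get("Condition", {}), context)


def scp_denies(scp, action, request_tags):
    """True when a Deny statement matches. An SCP only narrows what IAM
    allows, so a match fails the call regardless of the caller's IAM policy."""
    context = request_context(request_tags)
    return any(
        stmt["Effect"] == "Deny" and statement_matches(stmt, action, context)
        for stmt in scp["Statement"]
    )


if __name__ == "__main__":
    print(scp_json())
    create_stack = "cloudformation:CreateStack"
    # Constructed requests: untagged, tagged, tagged with an empty value.
    for tags in ({}, {"Project": "ProjectA"}, {"Project": ""}):
        verdict = "denied" if scp_denies(ENFORCE_PROJECT_TAG_SCP, create_stack, tags) else "allowed"
        print(tags, verdict)
    # A call the SCP does not cover is never affected by it.
    print("ec2:RunInstances", scp_denies(ENFORCE_PROJECT_TAG_SCP, "ec2:RunInstances", {}))
```

You can paste the output of scp_json() into the console policy editor, or create and attach the policy from the CLI with aws organizations create-policy --type SERVICE_CONTROL_POLICY and aws organizations attach-policy. Two points the sample runs make visible: an empty Project value still satisfies the Null check, so value validation has to come from the tag policy, and the SCP only covers cloudformation:CreateStack. A stack can also be created through cloudformation:CreateChangeSet with ChangeSetType CREATE, so list both actions in the statement if you rely on this SCP alone.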

As the final step, let’s attach the newly created policy to your member account(s) or OU(s):

  • Return to AWS Organizations home page
  • Select the target account(s) or OU(s) that will be affected
  • Choose Service control policies on the left
  • Attach the new policy

With this change, any member account user who does not specify a Project tag for a CloudFormation stack they want to create will get an error like the following:

Validate tags

As with enforcing tags, the first step is to check that tag policies are enabled for the organization root.

  • Go to AWS Console and select AWS Organizations
  • On the Organize accounts tab, choose Root in the left navigation pane
  • In the details pane on the right side, next to Tag Policies, choose Enable

Now you can create a new policy to define the allowed values for specific tags. Continuing with our example, let's require that the Project tag take only one of these three values: ProjectA, ProjectB, or ProjectC.

You will follow AWS Organizations → Organize accounts → Policies → Create Policy, specifying policy name and description.

You can specify the policy using the visual editor or the corresponding JSON. Below are our instructions:

Please note: AWS CloudFormation does not support tag policy enforcement at the moment, so in our tag policy we'll refer to the essential or first few resources created by our CloudFormation template instead. For example, if one of the first resources our CloudFormation stack creates is an EC2 network interface, we'll enforce the policy for that resource type: a request that tags the interface with a Project value other than ProjectA, ProjectB or ProjectC is rejected, and the stack creation fails with it. Keep in mind that an enforced tag policy rejects non-compliant tagging requests only; it does not require the tag to be present, which is why the SCP from the previous section is still needed.

Using the visual editor, you can create your tag policy with the following settings:

That is equivalent to the following JSON tab contents:

This says: for EC2 network interfaces and Elastic IPs (the enforced resource types ec2:network-interface and ec2:elastic-ip), reject any tagging request, including the tags a CloudFormation stack applies when it creates them, whose Project key carries a value other than ProjectA, ProjectB or ProjectC.
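As an added example (not code from the original post), here is the tag policy document described above together with a checker that applies it the way enforcement does: a Project value outside the allowed list or a key with the wrong capitalization is rejected for the enforced resource types, while a request that omits the key entirely passes. It assumes a single policy with no parent policies, so @@assign is the only tag-policy operator it needs to handle, and it does not model wildcard values; the sample requests are constructed.

```python
"""Added example, not from the original post: the Project tag policy and a
checker that applies its rules the way tag policy enforcement does.
Assumed: no inherited parent policy (only @@assign), no wildcard values."""
import json

PROJECT_TAG_POLICY = {
    "tags": {
        "Project": {
            "tag_key": {"@@assign": "Project"},
            "tag_value": {"@@assign": ["ProjectA", "ProjectB", "ProjectC"]},
            "enforced_for": {"@@assign": ["ec2:network-interface", "ec2:elastic-ip"]},
        }
    }
}


def tag_policy_json(policy=PROJECT_TAG_POLICY):
    """The document for the JSON tab of the tag policy editor."""
    return json.dumps(policy, indent=2)


def effective_rules(policy):
    """Flatten the @@assign operators into {key: (allowed values, enforced types)}."""
    rules = {}
    for spec in policy["tags"].values():
        key = spec["tag_key"]["@@assign"]
        rules[key] = (
            set(spec.get("tag_value", {}).get("@@assign", [])),
            set(spec.get("enforced_for", {}).get("@@assign", [])),
        )
    return rules


def tagging_violations(policy, resource_type, tags):
    """Violations an enforced tag policy raises for a tagging request on
    resource_type (e.g. 'ec2:network-interface').  Keys are found
    case-insensitively and must then use the declared capitalization, values
    are compared case-sensitively, and a request that omits the key entirely
    is compliant: presence is the SCP's job, not the tag policy's."""
    violations = []
    for key, (allowed_values, enforced_types) in effective_rules(policy).items():
        if resource_type not in enforced_types:
            continue  # the policy is only enforced for the listed resource types
        for request_key, value in tags.items():
            if request_key.lower() != key.lower():
                continue
            if request_key != key:
                violations.append((request_key, f"key must be capitalized as {key}"))
            elif allowed_values and value not in allowed_values:
                violations.append(
                    (request_key, f"value {value!r} is not one of {sorted(allowed_values)}")
                )
    return violations


def compliant(policy, resource_type, tags):
    """True when enforcement would let the tagging request through."""
    return not tagging_violations(policy, resource_type, tags)


if __name__ == "__main__":
    print(tag_policy_json())
    # Constructed tagging requests as a CloudFormation stack would issue them.
    samples = [
        ("ec2:network-interface", {"Project": "ProjectA"}),
        ("ec2:network-interface", {"Project": "ProjectD"}),
        ("ec2:elastic-ip", {"project": "ProjectA"}),
        ("ec2:network-interface", {}),
        ("s3:bucket", {"Project": "anything"}),
    ]
    for resource_type, tags in samples:
        print(resource_type, tags, tagging_violations(PROJECT_TAG_POLICY, resource_type, tags))
```

The CLI equivalent of the console steps is aws organizations create-policy --type TAG_POLICY with this document as --content, followed by aws organizations attach-policy. The last two sample runs show the two gaps to keep in mind: an untagged network interface is compliant (the SCP covers presence), and a resource type outside enforced_for is never checked, which is why the post picks the first resources the stack creates rather than the stack itself.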

Now you can attach your tag policy to your member account.

  • Return to AWS Organizations home page
  • Select the target account(s) or OU(s) that will be affected
  • Select Tag Policies on the right pane
  • Choose the new policy and click Attach

As a result of attaching this tag policy, any user who creates an EC2 network interface, directly or through a CloudFormation stack, with a Project tag whose value is not one of the allowed values will get this error message:

Visualize through Cost Explorer

Once your Project tags are enforced and validated, you can clearly monitor your costs and usage in Cost Explorer, filtering by tag.

You can access it through AWS Console → Cost Explorer, then set Project as the tag filter with any of the three values. Remember that a user-defined tag appears in Cost Explorer only after you activate it as a cost allocation tag in the Billing console, and only for usage recorded after activation:

Conclusions

It is critical that your users apply the required tags with values that comply with the predefined set.  This is particularly true when it comes to monitoring usage and costs efficiently and precisely. Tags such as Project, Group or Department can make the difference between anarchy and compliance, or between bill surprises and clear cost allocation, in any company.