AWS Cloud Financial Management
How to create and enforce your tagging strategy for more granular cost visibility
Customers are always looking for ways to better understand their AWS spend. Most want to know how much specific teams are spending, the cost of running certain applications, and savings opportunities across various organizational initiatives. The ability to provide resource-level cost transparency is a key benefit of moving to the AWS cloud. The key to achieving this granular visibility is the implementation and enforcement of a comprehensive organizational tagging strategy.
Tools to implement a cost allocation strategy
In this post, we’ll show you what tools you can use, and how you can use them to define, implement, and enforce a tagging strategy that improves your organization’s cost awareness. The first tool is AWS Cost Explorer, which provides analysis and management of your AWS costs and usage with compelling visualizations that can also drive deeper insights into organizational spend. With Cost Explorer, you can get cost data for the past 12 months that is refreshed on a daily basis. You can filter the data by a number of parameters, including date range, account, service, region and more.
To add granularity to your cost usage data, customers can apply “tags” to their resources. Tags are key-value pairs that allow you to add metadata to your AWS resources and summarize cost usage data by tag values. As key-value pairs, tags provide flexibility to create names (keys) that fit your organization, and use values that mean something to your business. For example, you may use “CostCenter” in your organization to track costs. In AWS, you can assign a tag to a resource with a key of CostCenter, and assign it a value representing the CostCenter to which that resource should be charged (e.g. CostCenter=12345).
We will also review using two features of AWS Organizations called tag policies and service control policies. These policies won’t work retroactively, so to help us identify untagged resources created in the past, we’ll use AWS Tag Editor. Finally, AWS Config will support ongoing compliance of the strategy.
Creating a tagging taxonomy
With tags providing the additional level of granularity, it is important to establish a tagging strategy at an organizational level along with a method to enforce it. As a best practice, an organization can start by defining a tag taxonomy, which lays out the recommended tags for all business units. Tags can be associated with resources for a variety of purposes. Technical tags provide identifying information. Automation tags help with scheduling start/stop times, or if a resource should be automatically backed up. Business tags add ownership and business context, while security tags help us define any data security concerns. Examples of these are outlined below.
When implementing a tagging strategy that will apply across all business units, ensuring the strategy is properly documented is vital. We’ve included an example tag taxonomy document detailing the organization’s required tags below.
Tagging strategy approaches
Organizations typically follow two distinct paths when implementing a tagging strategy. Either they implement all policies from the top down, or they allow child organizations to define tags for themselves. Both have their pros and cons. The top-down approach can be more time consuming to define and set up, but can lead to improved cost visibility across the organization. Meanwhile, giving child organizations flexibility to determine tagging requirements for themselves can improve their agility, but can lead to a lack of cohesiveness when trying to analyze the entire organization’s AWS spend.
A mix of these two strategies will likely be the most successful approach. For example, at the highest level of an organization, you can enforce a business tagging strategy that all teams and organizational units follow as seen in the image below. Individual units can then have the autonomy and flexibility to implement additional business-specific tags.
You can enforce additional granularity to tags within your tag taxonomy document by defining acceptable key values. For example, in our CostCenter tag example, we added a “Two Digit Division”, which represents a business unit or division. We also added a “Four Digit code” representing a project, application, team, or other grouping to track costs. This way, each business unit is clear on what the proper tagging convention is to properly identify the resource. Once you’ve clearly defined and documented your tagging strategy, you can move to enforcement.
Enforcing your tagging policy
Once your tagging strategy has been socialized throughout your organization, you can begin the implementation of required tags within your AWS Organization. The goal is to enforce your new, standardized tagging policy during AWS resource creation. For today’s example, we will deny the creation of Amazon EC2 instances if a specific tag is present without its required predefined value. In this case, we’ll use the custom CostCenter tag.
1. The first thing we will need to do is navigate to the AWS Organizations console in the management account, and select “Policies”. Then click “Tag policies”.
2. Next, we’ll create a tag policy for the CostCenter tag, with the values defined from our example above. We will enforce this policy on Amazon EC2 instances, disallowing resources to be created with a CostCenter tag unless it has the values specified by the organization.
- Name the tag policy at the top of the screen. You have the option of adding a policy description. In the center of this screen, you can add tags to the policy itself to help you track who created the policy (note these are tagging the policy itself, not resources to which the policy applies). Below the “Tags” section, within the “Visual editor” tab, you can define your tag key. In this example, we’ll call it “CostCenter”.
- Underneath the CostCenter tag key, we will also tick the box that ensures capitalization. This makes the tag case-sensitive, so it has to be typed exactly as specified in the tag key field.
- In the “Tag value compliance” section, check the box to specify allowed values for the CostCenter tag key. Then add the list of CostCenter values as defined in our example above.
- Finally, in the “Resource types to enforce” section, click “Prevent noncompliant operations for this tag”. Click the button to “Edit resource types”, then select the checkbox for “EC2 (ec2.*)”. This prevents an Amazon EC2 instance from being launched when it carries the CostCenter tag but does not have a valid value per the tag policy.
3. To ensure organization-wide enforcement of this newly created policy, you must attach it to your organizational units. To do this, navigate back to your Tag policies page and select the “CostCenterTagPolicy” you just created. Then, select “Actions”, and click “Attach policy”.
4. On the next screen, you can select and confirm that the new tag policy is attached to specific organizational units.
5. Now, let’s navigate to the Amazon EC2 console and try to launch a new Amazon EC2 instance without providing the appropriate CostCenter tag value.
6. If you try to launch this instance without the required tag policy value, you’ll receive an error.
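The tag policy built above in the visual editor can also be written directly as tag policy JSON. This is an added example, not from the original post: the key is pinned to the exact capitalization “CostCenter”, child policies are prevented from loosening it, only the listed values are accepted, and noncompliant operations are blocked for EC2 resources. The allowed values (two-digit division plus four-digit code) are constructed placeholders.

```json
{
  "tags": {
    "CostCenter": {
      "tag_key": {
        "@@assign": "CostCenter",
        "@@operators_allowed_for_child_policies": ["@@none"]
      },
      "tag_value": {
        "@@assign": [
          "10-1001",
          "10-1002",
          "20-2001"
        ]
      },
      "enforced_for": {
        "@@assign": ["ec2:*"]
      }
    }
  }
}
```

Remember that this only rejects a CostCenter tag with a wrong value or wrong key case; a launch with no CostCenter tag at all is still allowed, which is what the SCP in the next section addresses.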
The tag policy has been implemented, preventing our organization from launching resources that don’t follow the value parameters we set for the CostCenter tag within our tag policy. However, this does not prevent resources from being launched without the presence of the CostCenter tag key at all. For that, we can turn to Service Control Policies, or SCPs.
Increasing tag enforcement
For a stricter policy around tagging enforcement, such as not allowing users to launch resources without the inclusion of a specific tag, you can use Service Control Policies (SCPs). SCPs give you central control over the maximum available permissions for all accounts in your organization. With SCPs, you can deny certain actions if a specific tag is not included, such as the CostCenter Tag.
An example of this type of SCP can be seen below. Once created, it can be attached to specific organizational units similar to how we attached the tag policy we created earlier. To define SCPs, navigate to the AWS Organizations page in the management account, click on “Policies”, then on “Service control policies”.
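An added example of such an SCP (not the post’s own policy): it denies ec2:RunInstances whenever the request carries no CostCenter tag, using the Null condition on aws:RequestTag/CostCenter. The Sid is an assumed name; the tag policy above still governs which values are acceptable once the tag is present.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}
```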
NOTE: Use of SCPs is completely optional and adds a level of governance around tag compliance, among other things. Using SCPs should not be taken lightly. Implementation can affect existing resources. For example, an auto-scaling plan for resources that have not been configured with the now required CostCenter key might be prevented from scaling activities. Be sure to consider this when implementing SCPs in organizations with existing resources.
Understanding tag compliance
To validate the ongoing compliance of this new tagging policy, you can use AWS Config. AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. By using AWS Config rules, specifically the “required-tags” rule, you can check if your resources have the tags that you require (i.e., ensuring your Amazon EC2 instances have the CostCenter tag we created earlier).
To monitor tag compliance, navigate to the AWS Config console page, then select “Rules” from the left navigation menu.
The details on how to add new rules are outside the scope of this blog, but details on using the required-tags built-in config rule can be found in the AWS Config documentation. Through AWS Config and SCPs, you can further enforce tagging policies across your organization, and validate long-term compliance.
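For readers who want to see what the required-tags rule looks like as a rule document, here is an added example (not from the original post) scoped to EC2 instances and requiring the CostCenter key; it is the JSON you would pass to `aws configservice put-config-rule --config-rule file://rule.json`. The rule name is an assumption.

```json
{
  "ConfigRuleName": "ec2-instances-require-costcenter-tag",
  "Description": "Flags EC2 instances that are missing the CostCenter tag required by the organizational tagging policy.",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::EC2::Instance"]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"CostCenter\"}"
}
```

Unlike the SCP, this rule does not block anything; it reports existing and newly created instances as NON_COMPLIANT so they can be remediated.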
But what about existing resources that may not meet our new tagging policy? How can we bring these resources into compliance?
Identifying untagged resources with Tag Editor
The final step of our tagging policy implementation is addressing resources that have been provisioned in the past without tags. This can be done with the help of Tag Editor.
- To use Tag Editor, go to your AWS Management Console, search for and click “AWS Resource Groups & Tag Editor”.
- Then click “Tag Editor” in the left-hand navigation under “Tagging”.
- On the Tag Editor page, start by selecting the regions where you want to find resources. In this example, we’ll search “All regions”.
- Next, configure the resource types you’re searching for. In this example, we’ll search for Amazon EC2 instances.
- Last, input the tag you’re searching for. In this case, we’re looking for all Amazon EC2 instances that are not tagged with the CostCenter tag.
- You’ll be provided a list of resources that meet your criteria, i.e., a list of all Amazon EC2 instances, across all regions, without the CostCenter tag. You can export the results to a CSV, and notify employees within the organization to take action.
NOTE: Tag Editor can only be run on a single account, not at the organizational level. Each account within your organization will need to use Tag Editor to identify untagged resources.
Activate cost allocation tags
Before you can start analyzing costs in Cost Explorer with your newly implemented tagging strategy, you will need to activate the tags for cost and usage reporting. Browse to the AWS Billing Console, select “Cost allocation tags”, and activate the newly created CostCenter tag. Until you’ve tagged your resources and activated your tags, AWS Cost Explorer will not show the results of applying these tags.
Visualizing and analyzing your spend in AWS Cost Explorer
After implementing your tagging strategy and activating your tags in your AWS Billing Console, you can use AWS Cost Explorer to analyze costs for each individual cost center. In our example, you can view each individual Cost Center’s spend on a per-service basis.
As you review your costs in Cost Explorer, you may be confused when resources you know have been tagged are not reflected accurately for previous periods. Tagging does not apply retroactively and will only be reflected accurately in cost and usage reporting from the time the tag was applied onward.
With Cost Explorer, you can analyze which accounts are contributing to the most spend that don’t have the proper CostCenter tag associated with them. You can do this by creating a Cost Explorer report with the dimension “Linked Account”, the tag filter “CostCenter”, and the value “No tag key: CostCenter”.
With reports like this, your organization can help these specific accounts implement a new tagging strategy. Over time, you’ll be able to create additional Cost Explorer reports that give you a detailed breakdown of your organization’s AWS spend by Cost Center.
This blog has outlined a process to help you in defining, implementing, and enforcing an organizational tagging strategy, which includes identifying untagged resources within your AWS account. Once completed, you can use Cost Explorer to visualize, understand, manage, and report on your AWS costs and usage using these tags. In the end, this not only increases organizational cost visibility and awareness, but fosters individual business unit cost accountability that can positively impact cloud cost optimization and business value realization.