Cloud Resource Tagging

⭐️⭐️⭐️ ☁️ Platform

Cloud resources are tagged using a consistent tagging strategy to facilitate security and compliance processes for cloud workloads.

A tag is a label assigned to a cloud resource to apply custom metadata. Almost anything in a cloud Resource Hierarchy is taggable - from the cloud tenant on the top level down to single resources like virtual machines and databases.

💡 Tag early, tag often - at the highest possible layer in the resource hierarchy. Review the building block Cloud Tenant Tagging for an introduction to the concept of tagging and for general considerations on leveraging tagging to build a solid cloud foundation.

This building block will focus on the specifics of tagging cloud resources.

Cloud Foundation teams can tag resources with information relevant to security and compliance processes.


Best Practices for Cloud Resource Tagging

In addition to the concerns and best practices about cloud tagging already laid out in Cloud Tenant Tagging, the following best practices apply specifically to cloud resource tagging.

Hold Customers Accountable for Resource Tagging

It’s difficult for the cloud foundation team to anticipate what kind of cloud resources internal customers want to deploy and how they will deploy them. The responsibility for tagging them correctly must consequently reside with application teams. Cloud Foundation teams should thus set clear expectations, for example by defining and communicating a tag catalog or cloud tagging policy.

Automated enforcement of these policies is partially possible. For example, if your cloud foundation team wants to ensure that all cloud resources storing personally identifiable information (PII) are tagged accordingly, you can enforce a policy on common data storage resources such as Azure Storage Accounts or S3 buckets that only allows creation of those resources when they carry a data-classification tag whose value is either pii or other. Creation-time enforcement only covers new resources and only the resource types the policy names, so Cloud Foundation teams should additionally audit the correct use of tags on existing resources using Resource Configuration Scanning tools.

Avoid Chargeback via Resource Tagging

In contrast to a lot of published advice around the use of cloud resource tagging, the cloud foundation maturity model recommends avoiding resource tagging for chargeback.

⚠️ Cloud chargeback based on resource tagging is an anti-pattern that’s often used to cover up a lack of proper tenant isolation and unclear responsibilities. Cloud Foundation teams should ensure Tenant Provisioning is not a bottleneck for application teams and implement Chargeback via consumption cost allocation on the cloud tenant level.

As with every rule, there are also valid exceptions for leveraging cloud resource tagging to process chargeback.

  • Service Providers can use resource tagging to implement consumption-based pay-per-use for internal Services, e.g. tagging cloud resources used by a service consumer and charging back the incurred cost.

  • Cloud Tenants used to host lift&shift workloads as part of Landing Zones for traditionally “non-cloud” workloads often avoid the effort of re-architecting application deployments by co-locating resources consumed by different internal customers in the same cloud tenant (e.g. VMs on the same virtual network used by different IT Systems).

Leveraging resource tagging for chargeback requires solid automation to detect untagged or incorrectly tagged resources.

Align Cloud Resource Tagging across Multiple Clouds

Cloud resource tagging is a platform-zone-scoped building block in the cloud foundation maturity model. Cloud Foundation teams following a multi-cloud strategy should look into Multi-Cloud Tagging Policy to implement consistent tagging across all cloud platforms. This becomes especially critical when the cloud foundation team wants to centralize security and compliance capabilities like Incident Management Process.
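The audit side of tag enforcement, the automation that chargeback via tags depends on, and the normalisation a multi-cloud tagging policy requires all come down to the same piece of code: collect resources from each platform, bring their tags into one shape, and evaluate them against a tag catalog. The following is an added example written for this page; it is not code from the cloud foundation maturity model or from any of the tools it mentions. The tag catalog (data-classification, owner, cost-center), the resource type names, the inventory entries and their costs are all constructed assumptions. The example goes slightly beyond the text in that it also shows the chargeback gap that untagged resources create, as a sum of cost that cannot be allocated.

```python
"""Multi-cloud tag audit (added example). Normalises AWS- and Azure-style tags,
checks them against a tag catalog, and reports cost that cannot be charged back
because the cost-center tag is missing or invalid. All data below is constructed."""
import re

# Assumed tag catalog: which keys are required on which resource types and
# which values each key may take. "*" means the key is required everywhere.
TAG_CATALOG = {
    "data-classification": {
        "required_on": {"aws:s3:bucket", "azure:storageaccount", "aws:rds:instance"},
        "allowed": {"pii", "other"},
    },
    "owner": {
        "required_on": {"*"},
        "pattern": re.compile(r"^[a-z0-9._-]+@example\.com$"),
    },
    "cost-center": {
        "required_on": {"*"},
        "pattern": re.compile(r"^CC-\d{4}$"),
    },
}


def normalize_tags(raw):
    """Return {key: value} with lower-cased, trimmed keys.

    Accepts AWS style ([{"Key": k, "Value": v}, ...]) and Azure style ({k: v}).
    Keys are folded to lower case because AWS tag keys are case-sensitive while
    Azure's are not, so "Owner" and "owner" must be treated as the same key in a
    multi-cloud audit.
    """
    if not raw:
        return {}
    pairs = raw.items() if isinstance(raw, dict) else ((t["Key"], t["Value"]) for t in raw)
    return {str(k).strip().lower(): ("" if v is None else str(v).strip()) for k, v in pairs}


def evaluate_resource(resource):
    """Return a list of (tag_key, reason) findings for one resource."""
    tags = normalize_tags(resource.get("tags"))
    findings = []
    for key, rule in TAG_CATALOG.items():
        required = "*" in rule["required_on"] or resource["type"] in rule["required_on"]
        value = tags.get(key, "")
        if value == "":
            if required:
                findings.append((key, "missing"))
            continue  # optional key absent: nothing to check
        allowed = rule.get("allowed")
        if allowed and value.lower() not in allowed:
            findings.append((key, f"value {value!r} not in {sorted(allowed)}"))
        pattern = rule.get("pattern")
        if pattern and not pattern.match(value):
            findings.append((key, f"value {value!r} does not match {pattern.pattern}"))
    return findings


def audit(inventory):
    """Return {resource_id: findings} for non-compliant resources only."""
    report = {}
    for res in inventory:
        findings = evaluate_resource(res)
        if findings:
            report[res["id"]] = findings
    return report


def allocate_cost(inventory):
    """Sum monthly cost per cost-center; cost on resources whose cost-center tag is
    missing or malformed lands in "unallocated", which is the chargeback gap."""
    totals = {}
    pattern = TAG_CATALOG["cost-center"]["pattern"]
    for res in inventory:
        cc = normalize_tags(res.get("tags")).get("cost-center", "")
        bucket = cc if pattern.match(cc) else "unallocated"
        totals[bucket] = round(totals.get(bucket, 0.0) + res.get("monthly_cost", 0.0), 2)
    return totals


# Constructed inventory, in the shape a scanner might emit after collecting
# resources from both platforms (ids, tags and costs are invented).
INVENTORY = [
    {"id": "arn:aws:s3:::payroll-exports", "type": "aws:s3:bucket", "monthly_cost": 12.40,
     "tags": [{"Key": "data-classification", "Value": "pii"},
              {"Key": "owner", "Value": "hr-platform@example.com"},
              {"Key": "cost-center", "Value": "CC-1042"}]},
    {"id": "arn:aws:s3:::build-cache", "type": "aws:s3:bucket", "monthly_cost": 3.10,
     "tags": [{"Key": "Owner", "Value": "ci@example.com"},        # key case differs
              {"Key": "cost-center", "Value": "CC-1042"}]},       # classification missing
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-docs"
           "/providers/Microsoft.Storage/storageAccounts/stcustomerdocs",
     "type": "azure:storageaccount", "monthly_cost": 48.00,
     "tags": {"Data-Classification": "confidential",             # value not in catalog
              "owner": "docs-team@example.com", "cost-center": "cc1042"}},  # malformed
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-legacy"
           "/providers/Microsoft.Compute/virtualMachines/vm-erp-01",
     "type": "azure:vm", "monthly_cost": 210.00, "tags": None},  # lift&shift VM, untagged
]

if __name__ == "__main__":
    for rid, findings in audit(INVENTORY).items():
        for key, reason in findings:
            print(f"{rid}: {key}: {reason}")
    print(allocate_cost(INVENTORY))
```

Run against the constructed inventory, the audit flags the bucket with a missing classification, the storage account with a value outside the catalog and a malformed cost-center, and the untagged VM, while the correctly tagged payroll bucket produces no finding. The cost allocation shows why the page insists on solid automation before using tags for chargeback: the two non-compliant resources carry the bulk of the spend, and that spend is unattributable until someone retags them.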

  • collie-cli

    With Collie CLI you can find out within minutes what your current cloud tagging strategy looks like across AWS, Azure, and GCP.