Why Tagging Fails at Most Organizations
Most engineering teams understand that they should tag resources. Few do it consistently. The gap between "should" and "do" comes from three problems: tagging is manual and easy to forget, there is no enforcement mechanism, and the value (cost allocation) is invisible to the engineer who pays the cognitive cost of tagging.
Solving tagging at scale requires making it automatic where possible, enforced where necessary, and valuable enough that teams see the benefit in their own dashboards. This guide covers the technical infrastructure for all three.
Standard Tag Schema
Required Tags (enforced via SCP — resources without these cannot be created):
Environment: production | staging | development | sandbox
Team: platform | backend | frontend | data | security | devops
Service: Name of the microservice or application
CostCenter: Finance cost center code (e.g., CC-1234)
Owner: Email of the owning team (e.g., platform-team@company.com)
Recommended Tags (not enforced, but tracked):
Project: Project or initiative this resource belongs to
ManagedBy: terraform | cloudformation | manual | cdk
Version: Application version or release tag
DataClass: public | internal | confidential | restricted
Tag Naming Conventions:
Use PascalCase keys: "CostCenter" not "cost_center" or "costcenter"
Use lowercase values: "production" not "Production"
No spaces: use hyphens in values if needed ("backend-api")
Max 128 characters per key, 256 per value (AWS limits)AWS Organizations Tag Policies
{
"tags": {
"Environment": {
"tag_key": {
"@@assign": "Environment"
},
"tag_value": {
"@@assign": ["production", "staging", "development", "sandbox"]
},
"enforced_for": {
"@@assign": [
"ec2:instance",
"ec2:volume",
"rds:db",
"lambda:function",
"elasticloadbalancing:loadbalancer",
"ecs:cluster",
"ecs:service",
"eks:cluster",
"s3:bucket"
]
}
},
"Team": {
"tag_key": {
"@@assign": "Team"
},
"tag_value": {
"@@assign": ["platform", "backend", "frontend", "data", "security", "devops", "ml"]
},
"enforced_for": {
"@@assign": ["ec2:instance", "rds:db", "lambda:function", "ecs:service"]
}
},
"CostCenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"enforced_for": {
"@@assign": ["ec2:instance", "rds:db", "elasticloadbalancing:loadbalancer"]
}
}
}
}# Create and attach tag policy to an OU
aws organizations create-policy --name "RequiredTagsPolicy" --description "Enforce required tags on critical resources" --content file://tag-policy.json --type TAG_POLICY
# Get the policy ID
POLICY_ID=$(aws organizations list-policies --filter TAG_POLICY --query 'Policies[?Name=='RequiredTagsPolicy'].Id' --output text)
# Attach to an OU (applies to all accounts in the OU)
aws organizations attach-policy --policy-id "$POLICY_ID" --target-id ou-XXXXXXXXX # Replace with your OU ID
# Verify tag compliance
aws organizations describe-effective-policy --policy-type TAG_POLICY --target-id 123456789012 # Account IDSCP to Prevent Untagged Resource Creation
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyEC2WithoutRequiredTags",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"Null": {
"aws:RequestTag/Environment": "true"
}
}
},
{
"Sid": "DenyRDSWithoutCostCenter",
"Effect": "Deny",
"Action": [
"rds:CreateDBInstance",
"rds:CreateDBCluster"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
},
{
"Sid": "DenyLambdaWithoutTeamTag",
"Effect": "Deny",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Team": "true"
}
}
}
]
}AWS Config Rule for Tagging Compliance
# Terraform: Deploy AWS Config rule to flag non-compliant resources
resource "aws_config_config_rule" "required_tags" {
name = "required-tags"
description = "Checks that required tags are present on resources"
source {
owner = "AWS"
source_identifier = "REQUIRED_TAGS"
}
input_parameters = jsonencode({
tag1Key = "Environment"
tag2Key = "Team"
tag3Key = "CostCenter"
tag4Key = "Service"
tag5Key = "Owner"
})
scope {
compliance_resource_types = [
"AWS::EC2::Instance",
"AWS::RDS::DBInstance",
"AWS::Lambda::Function",
"AWS::ECS::Service",
"AWS::ElasticLoadBalancingV2::LoadBalancer",
"AWS::S3::Bucket",
]
}
}
# Auto-remediation: tag untagged resources via SSM Automation
resource "aws_config_remediation_configuration" "tag_ec2" {
config_rule_name = aws_config_config_rule.required_tags.name
resource_type = "AWS::EC2::Instance"
target_type = "SSM_DOCUMENT"
target_id = "AWS-AddTagsToResources"
parameter {
name = "ResourceArn"
resource_value = "RESOURCE_ID"
}
parameter {
name = "Tags"
static_value = "Environment=unknown,Team=unowned,CostCenter=unknown"
}
automatic = true
maximum_automatic_attempts = 3
retry_attempt_seconds = 60
execution_controls {
ssm_controls {
concurrent_execution_rate_percentage = 10
error_percentage = 10
}
}
}Bulk Tag Remediation Script
import boto3
from typing import Optional
def find_untagged_resources(region: str = 'us-east-1', required_tags: Optional[list] = None):
"""Find EC2 instances missing required tags."""
if required_tags is None:
required_tags = ['Environment', 'Team', 'CostCenter', 'Service']
ec2 = boto3.client('ec2', region_name=region)
# Get all running instances
instances = ec2.describe_instances(
Filters=[{'Name': 'instance-state-name', 'Values': ['running', 'stopped']}]
)['Reservations']
untagged = []
for reservation in instances:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
tags = {t['Key']: t['Value'] for t in instance.get('Tags', [])}
missing = [tag for tag in required_tags if tag not in tags]
if missing:
untagged.append({
'InstanceId': instance_id,
'MissingTags': missing,
'ExistingTags': tags,
'LaunchTime': str(instance['LaunchTime']),
})
# Calculate cost impact
total_missing = sum(len(r['MissingTags']) for r in untagged)
print(f"Untagged instances: {len(untagged)}")
print(f"Total missing tag entries: {total_missing}")
print(f"Unallocated resources cannot be attributed to teams for chargeback")
return untagged
untagged = find_untagged_resources()
for resource in untagged[:10]:
print(f" {resource['InstanceId']}: missing {resource['MissingTags']}")
Activate Cost Allocation Tags and View by Team
# Activate tags for Cost Explorer billing reports (must do this BEFORE data appears)
aws ce create-cost-category-definition --name "Team" --rules '[
{"Value": "platform", "Rule": {"Tags": {"Key": "Team", "Values": ["platform"]}}},
{"Value": "backend", "Rule": {"Tags": {"Key": "Team", "Values": ["backend"]}}},
{"Value": "frontend", "Rule": {"Tags": {"Key": "Team", "Values": ["frontend"]}}},
{"Value": "data", "Rule": {"Tags": {"Key": "Team", "Values": ["data"]}}},
{"Value": "untagged", "Rule": {"Not": {"Tags": {"Key": "Team", "Values": ["platform","backend","frontend","data"]}}}}
]' --rule-version "CostCategoryExpression.v1" --default-value "Untagged"
# View costs by team for last month
aws ce get-cost-and-usage --time-period Start=2024-01-01,End=2024-02-01 --granularity MONTHLY --metrics BlendedCost --group-by '[{"Type": "COST_CATEGORY", "Key": "Team"}]' --query 'ResultsByTime[0].Groups[*].{Team:Keys[0],Cost:Metrics.BlendedCost.Amount}' --output tableConclusion
Tagging is the foundation of cloud financial accountability. Without it, you cannot do chargeback, cannot identify wasteful owners, and cannot make architectural decisions based on cost-per-feature. The technical infrastructure — tag policies, SCPs, Config rules, and Cost Categories — makes tagging enforced and automatic rather than voluntary.
Start with the required tag schema, deploy the SCP to prevent untagged resource creation, run the compliance script to identify existing ungtagged resources, and activate cost allocation tags in Cost Explorer. Within 30 days you will have team-level cost visibility that makes the FinOps conversation concrete rather than theoretical.
E
Emily Watson
Technical Writer and Developer Advocate who simplifies complex technology for everyday readers.