Cloud Resources Tagging
Cloud providers allow customers to assign metadata to their cloud resources in the form of tags or labels. Each tag is a customer-defined key with an optional value that makes it easier to manage, search for and filter resources, and enables categorisation by purpose, owner, project, team, environment and other criteria. Tags are also an important tool for combating cost leakage, supporting security audits and policies, and assisting with platform development and automation.
Purpose
This cloud resources tagging best practice document aims to describe a unified approach to tagging all cloud resources that support tagging and are in use by all teams, platforms and products in an organisation. The scheme describes the usage of CDK to set and deploy tags automatically using IaC. Using this approach allows us to standardise the format of tags across all the cloud resources within CRUK.
Importance of Tagging Cloud Resources
At CRUK, Product Teams use the cloud to spin up virtual machines, run applications, store data, and create incredible products and services at pace to support our mission. Historically, technological change was delivered through tightly governed projects, which had the benefit of documenting our infrastructure and creating a centralised view of it. Now, this documentation and knowledge is more fragmented, dispersed, and localised within the product teams that build in the cloud.
As the number of cloud resources grows, obtaining accurate reporting data on our infrastructure to inform strategic and security decisions, without manual and error-prone work, becomes a crucial challenge for CRUK. All these requirements point to a need to improve our cloud maturity and introduce consistent tags across our cloud infrastructure.
The Cloud and Security Product Team have now published our Tagging Standards: Cloud and Platform Engineering Tagging Standards
Here are some of the outcomes we aim to achieve:
Improved Resource Organisation and Management: By categorising resources based on criteria such as environment, department, value stream, or owner, we can make it easier to locate, report on, and manage resources by policy. This also aids our ability to migrate and keep our infrastructure agile.
Cost Management and Optimisation: By tagging resources consistently, we can gain insights into cost allocation and identify areas where we can optimise spending.
Enhanced Security and Compliance: Tags can be used to enforce security policies and compliance requirements or change the behaviour of security tooling and controls. For example, we can tag resources with their correct data classification to ensure that we take the right measures to secure and control those resources, including something as simple as just checking that the resource is adequately protected.
Automation and Operational Efficiency: Tagging is crucial for automation. We can use it to automate tasks such as resource provisioning and incident response. In the future, this could save CRUK thousands every month.
Audiences
This cloud resource tagging document is aimed at all development, engineering and operational support teams and will also be of interest to the security function of the organisation.
Development Teams
Developers will be able to query cloud provider APIs to quickly identify resources and filter by tags. This will aid further resource automation and tool building, as well as provide a useful reference for ownership, resource location, repository reference, etc.
Finance Teams
In order to build the most accurate financial predictions possible of cloud spend, finance teams need to be able to associate cost with particular services, domains and groups within the organisation.
Security Teams
The security team will be able to develop policies supported by tag-based conditions that constrain permissions based on tag keys and tag values, in order to implement security posture policies within CRUK. Tooling can also be developed to support monitoring and enforcement.
Everyone
Anyone who has access to cloud resources will be able to use the tags to identify ownership and contact details for resources.
Specification
Below is a table of tags and values that can be used to achieve coverage of various interests within the organisation: resource organisation, cost allocation, tooling and automation, access control, and monitoring and management are some examples.
If a field is not explicitly REQUIRED, it can be considered OPTIONAL.
Technical Tags
Tag Name | Value | Description | Example |
---|---|---|---|
Product | string | REQUIRED. Used to identify resources that are related to a specific application. This can be used for discovery and cost allocation and should be relatively broad. | Activity Management |
Environment | string | REQUIRED. Used to distinguish between the infrastructure and resources of multiple environments. | int |
Support-Level | string | REQUIRED. Used to identify the support level and the relevant access needed for the application. | 2 |
Cost-Centre | string | REQUIRED. Used for cost allocation and tracking, to identify who should be billed for the application resources. | TC7014 |
Sub-Project-Code | string | REQUIRED. Used to identify the sub-project of an application. | SG70066-0000 |
GitRepo | string | REQUIRED. Used as a reference location of the project/application code repository. | github.com/CRUKorg/activity-management |
Component | string | Optionally used to identify a sub-component of a larger application. | Activity Ingestor, when paired with an Application tag of Activity Management. |
Name | string | Used to identify individual resources. | activity-management-dynamo-table-int |
Tags for Automation
Tag Name | Value | Description |
---|---|---|
ManagedBy | string | REQUIRED. Used to describe a tool used for managing the object. |
OptInXXX | string | Used to indicate whether a resource should be included in an activity. |
OptOutXXX | string | Used to indicate whether a resource should be excluded from participating in an activity. |
Business and Support Tags
Tag Name | Value | Description |
---|---|---|
Owner | email | Used to identify who is responsible for the resource. This should ideally be a team email address rather than an individual. |
Security Tags
Tag Name | Value | Description |
---|---|---|
Encrypted | bool | Used to identify whether the resource is using some form of encryption or not. |
Classification | string | An identifier for the classification level assigned to the resource (sensitive, restricted, etc.). |
Compliance | string | Used to identify any compliance requirements, e.g. PCI, ISO, HPI. |
Example Implementation
CDK
```typescript
import { Construct } from "constructs";
import { Stack, StackProps, Tags } from "aws-cdk-lib";

export class CrukSaveStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // The REQUIRED tags from the specification above, defined once per stack.
    // Key spelling must match the specification exactly (Cost-Centre, not Cost-Center),
    // otherwise tag-based reporting and policies will not match the resource.
    const commonTags = {
      Product: "Project Save",
      Environment: "int",
      "Support-Level": "2",
      "Cost-Centre": "AB123",
      "Sub-Project-Code": "XYZ",
      GitRepo: "github.com/CRUKorg/project-save",
      ManagedBy: "CDK",
    };

    // Tags.of(this) applies each tag to every taggable resource in the stack,
    // so individual constructs do not need to repeat them.
    Object.entries(commonTags).forEach(([name, value]) => {
      Tags.of(this).add(name, value);
    });
  }
}
```
Enforcement
To maintain good standards of resource tagging, an enforcement scheme should be implemented. This can include measures for detecting, and automatically removing, resources that do not follow the tagging scheme, using some form of automated scheduled tool. The strictness of enforcement should depend on the cloud maturity level of the organisation as well as agreed business goals.
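As an added example, not part of this document or of any CRUK tooling, the following TypeScript checker applies the REQUIRED keys from the Specification tables (and the bool and email value types given for Encrypted and Owner) to an inventory of resource tag maps, which is the detection half of the enforcement scheme described above. The resource ARNs, the sample inventory and the e-mail pattern used for Owner are constructed assumptions.

```typescript
// Keys the specification marks REQUIRED across the Technical and Automation tables.
const REQUIRED_TAGS = [
  "Product", "Environment", "Support-Level", "Cost-Centre",
  "Sub-Project-Code", "GitRepo", "ManagedBy",
] as const;

// Value-shape checks for the two tags whose type the specification fixes.
// The e-mail pattern for Owner is an assumption; the spec only says "email".
const VALUE_RULES: Record<string, RegExp> = {
  Encrypted: /^(true|false)$/,
  Owner: /^[^@\s]+@[^@\s]+\.[^@\s]+$/,
};

interface Resource { arn: string; tags: Record<string, string>; }
interface Finding { arn: string; missing: string[]; invalid: string[]; }

// Report REQUIRED keys that are absent or blank, and present keys whose value
// does not match the expected type. A misspelt key (Cost-Center) counts as missing.
function checkResource(r: Resource): Finding {
  const missing = REQUIRED_TAGS.filter((k) => !(k in r.tags) || r.tags[k].trim() === "");
  const invalid = Object.entries(VALUE_RULES)
    .filter(([k, re]) => k in r.tags && !re.test(r.tags[k]))
    .map(([k]) => k);
  return { arn: r.arn, missing: [...missing], invalid };
}

// Only resources with at least one problem are returned, for a scheduled report.
function nonCompliant(resources: Resource[]): Finding[] {
  return resources.map(checkResource).filter((f) => f.missing.length > 0 || f.invalid.length > 0);
}

// Constructed sample inventory (hypothetical ARNs), as a tagging API listing might return.
const SAMPLE: Resource[] = [
  { arn: "arn:aws:dynamodb:eu-west-1:111111111111:table/activity-management-int",
    tags: { Product: "Activity Management", Environment: "int", "Support-Level": "2",
            "Cost-Centre": "TC7014", "Sub-Project-Code": "SG70066-0000",
            GitRepo: "github.com/CRUKorg/activity-management", ManagedBy: "CDK",
            Owner: "platform-team@example.org", Encrypted: "true" } },
  { arn: "arn:aws:s3:::legacy-bucket",
    tags: { Product: "Legacy", Environment: "prod", "Cost-Center": "AB123", Encrypted: "yes" } },
];

for (const f of nonCompliant(SAMPLE)) {
  console.log(`${f.arn}: missing=[${f.missing.join(", ")}] invalid=[${f.invalid.join(", ")}]`);
}
```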