Adam Divall

Walkthrough Guides and Other Useful Information on AWS

Tagging Strategies for AWS

2023-10-28 5 min read Best Practices Adam Divall

What are tags & why do we need them?

Amazon Web Services (AWS) allows you to assign metadata to many of your AWS resources in the form of tags. Each tag is a simple label consisting of a key and an optional value to store information about the resource or data retained on that resource. Implementing a consistent tagging strategy can make it easier to filter and search for resources, monitor cost and usage, as well as manage your AWS environment.

Assigning tags to each resource allows these resources to be classified or grouped in multiple ways, the most common being purpose, owner or environments. Once cloud resources start getting created, it rapidly becomes apparent that keeping track of resources, their purpose, and how they should be tracked for billing is necessary.

For this, a tagging strategy should be defined and enforced.

Using tagging within AWS has numerous use cases and benefits and is a recommended best practice for all AWS customers.

Tag naming limits and requirements

The following basic naming and usage requirements apply to tags:

  • Each resource can have a maximum of 50 user created tags.
  • System created tags that begin with aws: are reserved for AWS use, and do not count against this limit. A tag that begins with the prefix “aws:” cannot be edited or deleted.
  • For each resource, each tag key must be unique, and each tag key can have only one value.
  • The tag key must be a minimum of 1 and a maximum of 128 Unicode characters in UTF-8.
  • The tag value must be a minimum of 0 and a maximum of 256 Unicode characters in UTF-8.
  • Allowed characters can vary by AWS service. For information about what characters you can use to tag resources in a particular AWS service, see its documentation. In general, allowed characters in tags are letters, numbers, spaces representable in UTF-8, and the following characters: _ . : / = + - @ .
  • Tag keys and values are case sensitive. As a best practice, decide on a strategy for capitalizing tags, and consistently implement that strategy across all resource types. For example, decide whether to use Costcenter, costcenter, or CostCenter, and use the same convention for all tags. Avoid using similar tags with inconsistent case treatment.

Note: Some services don’t permit tags with an empty value (length of 0).

Tagging Best Practices

  • Do not add personally identifiable information (PII) or other confidential or sensitive information in tags.
  • Use a standardised, case-sensitive format for tags, and apply it consistently across all resource types.
  • Consider implementing tags that support multiple purposes such as managing resource access control, cost tracking, automation etc.
  • Use automated tools to help manage resource tags.
  • Use too many tags rather than too few tags.
  • Remember that it is easy to change tags to accommodate changing business requirements, but consider the consequences of future changes e.g., tags used for access control.

Example Tagging Strategy

The below table shows a recommendation for tagging in an Organization, but should be tailored to meet the requirements of each organization.

Classification Key Use Case
Technical Name Identify individual resources
Technical Environment Distinguish between Production & Non-Production Environments AWS Accounts
Technical SDLC Distinguish between SDLC Environments e.g., Dev, Test, SIT, UAT
Technical ApplicationName Identify resources that are related to a specific application
Technical ApplicationRole Identify the function of a particular respource e.g., Web Server, Message Broker, Database Server
Technical Cluster Identify resource farms that share a common configuration and that perform a specific function for an application
Security Compliance Identify the specific compliance requirements that resources must adhere to e.g., PCI-DSS, HIPAA, ISO27001
Security DataClassification Identify the specific data confidentiality level a resource supports
Security DataRetention Identify the data retention policy applied to a resource
Migration map-migrated Identify resources that have been migrated as part of the AWS Migration Acceleration Program (MAP) for funding purposes
Business ProjectName Identify the project that the resource supports
Business ProductOwner Identify who is commercially responsible for the resource
Business TechnicalOwner Identify who is technically responsible for the resource
Business CostCenter Identify the cost center associated with a resource, typically for cost allocation and tracking
Business BusninessUnit Identify the business unit associated with a resource, typically for cost allocation and tracking
Operations BusinessImpact Identify the business impact associated with a resource e.g., Critical, High, Medium, Low
Operations EscalationPath Identify the next point of contact for a resource in an incident e.g, DevOps Team, 3rd Party Company
Operations KnowledgeBase Identify the location for knowledge base article or wiki associated with the resource
Automation MaintenanceWindow Identify the hours of operation for a resource e.g., 24*7, 06:00 – 22:00 Monday – Friday, 08:00 – 18:00 Monday – Friday
Automation HoursOfOperation Identify the hours in which.a resource is available for maintenance occur
Automation PatchGroup Identify the maintenance group used for patching a resource
Automation BackupSchedule Identify the backup schedule for a resource
Automation OptOut Identify whether a resource should be excluded from maintenance activities e.g., True, False
Automation DeploymentMethod Identify the method by which the resource was deployed e.g., CloudFormation, Terraform, Manual

Tagging Policies

Tagging policies can be created in AWS Organizations and provide the ability to define rules about valid key names and the values for each key based on the Organizations standards. With AWS Tag Policies, there are a couple of options:

  1. Observe: Providing the abiling to monitor the resources in the Organization and the Environment for non-compliance and providing time to clean up resources and remediate.
  2. Enforce: As it says on the tin, this will prevent resources from being created if they don’t adhere to the requirements.

Example Tagging Policy

    "tags": {
        "Name": {
            "tag_key": {
                "@@assign": "Name"
        "Environment": {
            "tag_key": {
                "@@assign": "Environment"
            "tag_value": {
                "@@assign": [
        "SDLC": {
            "tag_key": {
                "@@assign": "SDLC"
            "tag_value": {
                "@@assign": [
        "ApplicationName": {
            "tag_key": {
                "@@assign": "ApplicationName"
        "ApplicationRole": {
            "tag_key": {
                "@@assign": "ApplicationRole"
        "Cluster": {
            "tag_key": {
                "@@assign": "Cluster"

Note: There is a limit of 10,000 characters per tagging policy.