
Tags

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: RG-001

Ensure that user-defined tags (metadata) are being used for labeling, collecting, and organizing resources available within your AWS cloud environment. Trend Cloud One™ – Conformity recommends the following tagging schema to help you identify and manage your cloud resources:

  • Name: used to identify individual resources.
  • Role: used to describe the function of a specific resource (e.g. web tier, database tier).
  • Environment: used to distinguish between different stages (e.g. development, production).
  • Owner: used to identify the person responsible for the resource.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

  • Security
  • Reliability
  • Performance efficiency
  • Cost optimisation
  • Operational excellence
  • Sustainability

As your AWS cloud environment grows more complex, it requires better management strategies. Using a tagging schema helps you gain visibility over your cloud resources and organize them more efficiently. You can use tags for different scenarios such as tracking resource owners and their stack level, identifying which resources are incurring the highest costs, and filtering available resources based on a particular deployment stage.

Note: This conformity guide uses Amazon EC2 instances for tagging operations in order to demonstrate how to implement a tagging schema like the one listed above. However, you can use the same steps to search for and/or assign tags on other AWS cloud resource types as well, such as load balancers, Auto Scaling groups (ASGs), CloudFormation stacks, etc.


Audit

To determine if your Amazon EC2 instances are using tags (metadata), perform the following actions (to simplify the process we will use AWS Tag Editor):

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Resource Groups console at https://console.aws.amazon.com/resource-groups/.

03 In the main navigation panel, under Tagging, choose Tag Editor.

04 Choose the AWS regions that you want to include in the search process from the Regions dropdown list.

05 Choose AWS::EC2::Instance from the Resource types dropdown list to search for Amazon EC2 instances.

06 For Tags – Optional, perform the following actions to limit the search for resources to the specified tagging schema only:

  • To search for Name tags:
    1. For Tag key enter Name as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't have the Name tag assigned.
    3. Choose Add to save the Name tag set for the search process.
  • To search for Role tags:
    1. For Tag key enter Role as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't use the Role tag.
    3. Choose Add to save the Role tag set.
  • To search for Environment tags:
    1. For Tag key enter Environment as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't use the Environment tag.
    3. Choose Add to save the Environment tag set.
  • To search for Owner tags:
    1. For Tag key enter Owner as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't use the Owner tag.
    3. Choose Add to save the Owner tag set.
  • Choose Search resources to search for Amazon EC2 instances that are not using the tagging schema. Amazon EC2 service will list all instances that match the search criteria in the Resource search results section. If one or more Amazon EC2 instances are returned, the specified tagging schema is not used to organize instances in your AWS cloud environment.

Using AWS CLI

01 Run describe-tags command (OSX/Linux/UNIX) with custom query filters to describe the Amazon EC2 instances that are using the specified tagging schema (i.e. Name, Role, Environment, and Owner):

aws ec2 describe-tags \
  --region us-east-1 \
  --filters "Name=key,Values=Name,Role,Environment,Owner" "Name=resource-type,Values=instance" \
  --query 'Tags[*].ResourceId'

02 The command output should return the identifiers (IDs) of all EC2 instances configured with the specified tags:

[]

If the describe-tags command output returns an empty array (i.e. []), as shown in the output example above, there are no Amazon EC2 instances configured with the specified tagging schema in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the Audit process for other regions.
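The describe-tags filter above lists an instance as soon as it carries any one of the four keys, so an instance tagged only with Name still appears in the output. The following Python script, an added example that is not part of this Conformity guide, evaluates each instance against the complete schema instead: it reads describe-instances output (here a constructed sample in the same JSON shape; in practice the output of aws ec2 describe-instances --output json) and reports which of the Name, Role, Environment, and Owner keys each instance is missing, treating a blank value and a key with different letter case as missing.

```python
import json

# Tag keys required by the tagging schema described in this rule.
REQUIRED_TAG_KEYS = ("Name", "Role", "Environment", "Owner")

# Constructed sample in the shape of `aws ec2 describe-instances --output json`
# (only the fields the check needs; instance IDs and tag values are made up).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-01234abcd1234abcd",
             "Tags": [{"Key": "Name", "Value": "Prod-Web-Server"},
                      {"Key": "Role", "Value": "Web-Tier"},
                      {"Key": "Environment", "Value": "Production"},
                      {"Key": "Owner", "Value": "DevOps-Team"}]},
            {"InstanceId": "i-0abcabcabc1234567",
             "Tags": [{"Key": "Name", "Value": "db-01"},
                      {"Key": "Environment", "Value": ""},   # present but blank
                      {"Key": "owner", "Value": "dba"}]},    # wrong case: not "Owner"
        ]},
        {"Instances": [
            {"InstanceId": "i-01234567abcabcabc"}            # no Tags key at all
        ]},
    ]
})


def instance_tags(instance):
    """Tags of one instance as a dict. Untagged instances carry no 'Tags' key."""
    return {t["Key"]: t.get("Value", "") for t in instance.get("Tags", [])}


def missing_tag_keys(instance, required=REQUIRED_TAG_KEYS):
    """Schema keys that are absent or have a blank value.

    Keys are compared case-sensitively, as EC2 itself treats tag keys,
    so a key spelled 'owner' does not satisfy 'Owner'.
    """
    tags = instance_tags(instance)
    return [k for k in required if not tags.get(k, "").strip()]


def audit_region(describe_instances_json, required=REQUIRED_TAG_KEYS):
    """Map each non-compliant instance ID to the list of keys it is missing.

    Every required key must be present for an instance to pass; an instance
    holding only some of them is reported together with the keys it lacks.
    """
    data = json.loads(describe_instances_json)
    findings = {}
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            missing = missing_tag_keys(inst, required)
            if missing:
                findings[inst["InstanceId"]] = missing
    return findings


if __name__ == "__main__":
    findings = audit_region(SAMPLE_DESCRIBE_INSTANCES)
    if not findings:
        print("all instances carry the full tagging schema")
    for iid, missing in findings.items():
        print(f"{iid}: missing {', '.join(missing)}")
```

Run it once per region with the region's describe-instances output; an empty result means every instance in that region carries all four keys, and a non-empty result lists exactly which keys to add in the Remediation steps that follow.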

Remediation / Resolution

Case A: To assign tags to your Amazon EC2 instances without using the Tag Editor, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to assign tags to.

05 Click on the Actions dropdown menu from the console top menu, select Image and templates, and choose Create image.

06 Select the Tags tab and choose Manage tags.

07 On the Manage tags configuration page, use the Add new tag button to create the required tagging schema, using Name, Role, Environment, and Owner for tag keys and your own metadata for tag values. Choose Save to apply the changes.

08 Repeat steps no. 4 – 7 for each Amazon EC2 instance available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the Amazon EC2 instances available in the selected AWS region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run create-tags command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to configure as the identifier parameter to apply the specified tagging schema (i.e. Name, Role, Environment, and Owner) to the selected EC2 instance (the command does not produce an output):

aws ec2 create-tags \
  --region us-east-1 \
  --resources i-01234abcd1234abcd \
  --tags Key=Name,Value=Prod-Web-Server Key=Role,Value=Web-Tier Key=Environment,Value=Production Key=Owner,Value=DevOps-Team

04 Repeat step no. 3 for each Amazon EC2 instance available within the current AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat step no. 1 – 4 to perform the Remediation process for other regions.

Case B: To assign tags to your Amazon EC2 instances using the Tag Editor, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Resource Groups console at https://console.aws.amazon.com/resource-groups/.

03 In the main navigation panel, under Tagging, choose Tag Editor.

04 Choose the AWS regions that you want to include in the search process from the Regions dropdown list.

05 Choose AWS::EC2::Instance from the Resource types dropdown list to search for Amazon EC2 instances.

06 For Tags – Optional, perform the following actions to limit the search for resources to the specified tagging schema only:

  • To search for Name tags:
    1. For Tag key enter Name as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't have the Name tag assigned.
    3. Choose Add to save the Name tag set for the search process.
  • To search for Role tags:
    1. For Tag key enter Role as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't use the Role tag.
    3. Choose Add to save the Role tag set.
  • To search for Environment tags:
    1. For Tag key enter Environment as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't use the Environment tag.
    3. Choose Add to save the Environment tag set.
  • To search for Owner tags:
    1. For Tag key enter Owner as the name of the tag key to search for.
    2. For Optional tag value select (not tagged) to find any Amazon EC2 instances that don't use the Owner tag.
    3. Choose Add to save the Owner tag set.
  • Choose Search resources to search for Amazon EC2 instances that are not using the tagging schema. Amazon EC2 service will list all instances that match the search criteria in the Resource search results section.
  • If one or more Amazon EC2 instances are returned, the specified tagging schema is not used to organize instances in your AWS cloud environment.

07 Select the Amazon EC2 instances that you want to assign tags to, and choose Manage tags of the selected resource to apply the specified tagging schema.

08 On the Manage tags configuration page, use the Add tag button to create the required tagging schema, using Name, Role, Environment, and Owner for tag keys and your own metadata for tag values. Select Review and apply tag changes, then choose Apply changes to all selected to apply the configuration changes.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the Amazon EC2 instances available in the selected AWS region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run tag-resources command (OSX/Linux/UNIX) using the ARN of the Amazon EC2 instance that you want to configure as the identifier parameter to apply the specified tagging schema (i.e. Name, Role, Environment, and Owner) to the selected EC2 instance using the Tag Editor API:

aws resourcegroupstaggingapi tag-resources \
  --region us-east-1 \
  --resource-arn-list arn:aws:ec2:us-east-1:123456789012:instance/i-01234abcd1234abcd \
  --tags Name=Prod-Web-Server,Role=Web-Tier,Environment=Production,Owner=DevOps-Team

04 If the request is successful, the command output should return an empty object for the "FailedResourcesMap" attribute, as shown in the output example below:

{
  "FailedResourcesMap": {}
}

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat step no. 1 – 5 to perform the Remediation process for other regions.
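The tag-resources call in Case B applies one Tags map to every ARN in its list, which is what makes it useful for tagging many instances at once. The following Python script, an added example rather than part of this Conformity guide, prepares that work from a decided-on {instance ID: tags} mapping: it refuses any tag set that does not carry all four schema keys, builds the instance ARNs for the region and account (the account ID 123456789012 is the placeholder used on this page), groups instances that share an identical tag set, splits each group into batches of 20 ARNs (the per-call limit of the TagResources API), and parses the FailedResourcesMap of the response so that partial failures are not mistaken for success. The sample tag values and the sample failure response are constructed for this example.

```python
import json

REQUIRED_TAG_KEYS = ("Name", "Role", "Environment", "Owner")
MAX_ARNS_PER_CALL = 20   # TagResources accepts at most 20 resource ARNs per request


def instance_arn(region, account_id, instance_id):
    """ARN of an EC2 instance in the form tag-resources expects."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def validate_tags(tags):
    """Refuse a tag set that does not carry every schema key with a non-blank value."""
    missing = [k for k in REQUIRED_TAG_KEYS if not str(tags.get(k, "")).strip()]
    if missing:
        raise ValueError("tag set is missing " + ", ".join(missing))
    return dict(tags)


def build_tag_resources_requests(region, account_id, tags_by_instance):
    """Turn {instance_id: tags} into TagResources request bodies.

    One call applies a single Tags map to every ARN in ResourceARNList, so
    instances are grouped by identical tag set and each group is split into
    batches of MAX_ARNS_PER_CALL ARNs.
    """
    groups = {}
    for iid, tags in tags_by_instance.items():
        key = tuple(sorted(validate_tags(tags).items()))
        groups.setdefault(key, []).append(instance_arn(region, account_id, iid))
    requests = []
    for key, arns in groups.items():
        for start in range(0, len(arns), MAX_ARNS_PER_CALL):
            requests.append({"ResourceARNList": arns[start:start + MAX_ARNS_PER_CALL],
                             "Tags": dict(key)})
    return requests


def failed_resources(tag_resources_output_json):
    """Read the tag-resources response: an empty FailedResourcesMap means success.

    Returns {arn: error code} for every resource the call did not tag.
    """
    data = json.loads(tag_resources_output_json)
    return {arn: info.get("ErrorCode", "Unknown")
            for arn, info in data.get("FailedResourcesMap", {}).items()}


# Constructed sample: the tag values an operator decided on for three instances
# (two web-tier replicas share a tag set, the database server has its own).
SAMPLE_TAGS_BY_INSTANCE = {
    "i-0abcabcabc1234567": {"Name": "Prod-Web-Server", "Role": "Web-Tier",
                            "Environment": "Production", "Owner": "DevOps-Team"},
    "i-01234567abcabcabc": {"Name": "Prod-Web-Server", "Role": "Web-Tier",
                            "Environment": "Production", "Owner": "DevOps-Team"},
    "i-0abcd1234abcd1234": {"Name": "Prod-DB-Server", "Role": "Database-Tier",
                            "Environment": "Production", "Owner": "DevOps-Team"},
}

# Constructed sample responses: the success case from step 04, and a partial failure.
SAMPLE_SUCCESS_OUTPUT = '{"FailedResourcesMap": {}}'
SAMPLE_FAILED_OUTPUT = json.dumps({"FailedResourcesMap": {
    instance_arn("us-east-1", "123456789012", "i-0abcd1234abcd1234"): {
        "StatusCode": 400, "ErrorCode": "InvalidParameterException",
        "ErrorMessage": "constructed example error"}}})


if __name__ == "__main__":
    for req in build_tag_resources_requests("us-east-1", "123456789012",
                                            SAMPLE_TAGS_BY_INSTANCE):
        print(json.dumps(req, indent=2))
    print("failed:", failed_resources(SAMPLE_FAILED_OUTPUT))
```

Each printed request body can be saved to a file and passed to the CLI as aws resourcegroupstaggingapi tag-resources --region us-east-1 --cli-input-json file://request.json; passing JSON rather than the Key=Value shorthand also avoids shell-quoting problems when a tag value contains a comma or a space. Check failed_resources on every response, not only the exit status, because a call can succeed for some ARNs in the list and fail for others.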

Publication date Apr 21, 2016