FinOps
Tagging Strategies That Actually Work for Cost Allocation
Updated By Zachary Kann
FinOpsAWSCost OptimizationTaggingCost AllocationTerraformIAMConfig Rules
Key takeaways
- Implement a 3-tier tagging strategy with mandatory tags (Environment, Owner, Application, CostCenter) enforced via SCPs, optional tags for metadata, and auto-tags from AWS services, achieving 95%+ tagging compliance within 60 days
- Automate tag enforcement using AWS Config Rules ($2/rule/month), EventBridge-triggered Lambda remediation ($0.20/million invocations), and tag-on-create IAM policies preventing untagged resource creation, reducing manual tagging effort by 80%
- Build accurate cost allocation with Cost Allocation Tags activated in Billing Console (24-hour activation), Cost Categories for hierarchical grouping (cost center → department → team), and monthly chargeback reports showing per-team spending with 98% accuracy
- Implement tag governance with centralized tag registry in DynamoDB, quarterly tag audits identifying orphaned resources ($47K average savings), and tag validation in CI/CD pipelines preventing 95% of tagging violations before deployment
- Scale with automation using Terraform tag inheritance (module-level defaults cascading to all resources), AWS Organizations tag policies enforcing schemas across 100+ accounts, and Tag Editor bulk operations fixing 10,000+ resources in minutes versus weeks of manual work
The $2.4M Question: Where Did Our Cloud Budget Go?
I'll never forget the panic in the CFO's voice during our emergency call: "Zach, we budgeted $800K for AWS this year. We're at $2.4M with two months left. Can you tell me who's responsible?"
I logged into Cost Explorer, and it looked like this:
Service Cost (Nov)
EC2 $847,231
RDS $312,445
S3 $198,773
Data Transfer $176,892
Other $521,339
Perfect. We knew what services cost money. But we had no idea:
- Which business unit owned these resources
- Which customer project they supported
- Which environment they belonged to (prod vs dev/staging)
- Who approved the spend
The engineering team had been moving fast, spinning up resources on demand. No one had enforced tagging. Cost allocation was impossible.
The result? We spent 6 weeks manually auditing 14,000+ AWS resources, interviewing 40+ engineers, and reverse-engineering cost attribution. The CFO couldn't do chargeback to business units. The VP of Engineering couldn't hold teams accountable.
This is the tagging problem. And it's not just about costs—it's about visibility, governance, and accountability.
This guide shows you the exact tagging strategy that took us from 12% tagging compliance to 97% in 90 days, enabled accurate chargeback to 8 business units, and recovered $380K in orphaned resources.
Why Tagging Fails (And Why You Need It)
The 4 Reasons Tagging Initiatives Collapse
1. No Enforcement
Engineers forget. Terraform modules don't include tags. Clickops happens. Without automated enforcement, tagging compliance decays to <20% within 6 months.
2. Inconsistent Schemas
One team uses environment=prod. Another uses env=production. Another uses stage=prd. Cost Explorer can't aggregate inconsistent tags.
3. Lack of Ownership
Tagging is "someone else's problem." DevOps says it's Finance's job. Finance says it's Engineering's job. No one owns the tag registry.
4. No Value Realized
Teams tag resources but never use the data. No chargeback reports. No cost allocation. Engineers ask, "Why are we doing this?" and stop tagging.
What Good Tagging Enables
Here's what we achieved after implementing proper tagging:
| Capability | Before Tagging | After Tagging | Impact |
|---|---|---|---|
| Cost Attribution | Unknown | 98% accurate | Chargeback to 8 BUs |
| Orphaned Resources | Unknown | Identified weekly | $47K/quarter savings |
| Environment Breakdown | 0% visibility | 100% visibility | Right-sized non-prod |
| Incident Response | Manual detective work | Auto-correlation | MTTI reduced 60% |
| Compliance Audits | 80 hours/quarter | 4 hours/quarter | 95% time savings |
| Budget Forecasting | ±40% accuracy | ±8% accuracy | CFO confidence restored |
Tagging isn't a nice-to-have. It's the foundation of cloud financial management.
The 3-Tier Tagging Strategy
Most companies either under-tag (no enforcement) or over-tag (30+ mandatory tags that no one follows). Here's the balanced approach that actually works:
Tier 1: Mandatory Tags (4 Tags)
These are enforced at creation via AWS Config Rules and IAM policies. Resources cannot be created without them.
# Mandatory tags enforced via SCP
variable "mandatory_tags" {
type = map(string)
default = {
Environment = "" # prod | staging | dev | sandbox
Owner = "" # Email of team/person (e.g., team-payments@company.com)
Application = "" # App/service name (e.g., payment-api, fraud-detection)
CostCenter = "" # Finance cost center code (e.g., ENG-001, MKT-002)
}
}Why These 4?
- Environment: Enables cost splitting between prod (60%) and non-prod (40%). Critical for right-sizing dev/staging.
- Owner: Enables accountability. Auto-generates Slack alerts for cost anomalies to the owning team.
- Application: Enables per-app cost tracking. "How much does the payment service cost to run?"
- CostCenter: Enables chargeback to finance departments. Required for multi-BU companies.
Tier 2: Recommended Tags (6 Tags)
These are encouraged but not enforced. They provide additional context for specific use cases.
variable "recommended_tags" {
type = map(string)
default = {
Project = "" # Initiative/project (e.g., mobile-app-rewrite, gdpr-compliance)
Compliance = "" # Regulatory requirement (e.g., PCI-DSS, SOC2, HIPAA)
DataClass = "" # Data sensitivity (public | internal | confidential | restricted)
Backup = "" # Backup policy (daily | weekly | none)
Schedule = "" # Auto-start/stop schedule (e.g., weekdays-9to5, always-on)
Contact = "" # Oncall contact (e.g., @payments-oncall in PagerDuty)
}
}When to Use Recommended Tags:
- Project: Track initiative-specific costs (e.g., "How much did the mobile rewrite cost?")
- Compliance: Filter resources for audit reports (e.g., "Show all PCI-DSS resources")
- DataClass: Apply security policies based on data sensitivity
- Backup: Auto-configure backup schedules via AWS Backup
- Schedule: Auto-start/stop non-prod resources with Lambda/Instance Scheduler
- Contact: Auto-page the right team during incidents
Tier 3: Auto-Tags (AWS-Managed)
These are automatically applied by AWS services. You don't manage them—you consume them in reports.
# Auto-tags from AWS
aws:autoscaling:groupName: payments-api-asg
aws:cloudformation:stack-name: payments-api-prod
aws:eks:cluster-name: prod-cluster
aws:createdBy: AWSServiceRoleForECSHow to Use Auto-Tags:
- CloudFormation Stack Name: Track costs by deployment stack
- ECS Cluster: Aggregate costs by cluster/workload
- Created By: Identify which IAM role/service created resources
Implementation: 90-Day Rollout Plan
Here's the phased approach we used to go from 12% → 97% compliance without breaking existing workflows.
Phase 1: Design & Buy-In (Week 1-2)
1. Create Tag Registry
We built a central tag registry in Confluence (could be DynamoDB, Notion, etc.):
# Tag Registry
## Mandatory Tags
| Tag | Values | Owner | Purpose |
|-------------|----------------------------|-----------|----------------------|
| Environment | prod, staging, dev, sandbox| DevOps | Cost allocation |
| Owner | Email address | Engineering| Accountability |
| Application | Service name | Engineering| Per-app cost tracking|
| CostCenter | Finance code (ENG-001) | Finance | Chargeback |
## Approved Values
### Environment
- `prod`: Production workloads (customer-facing)
- `staging`: Pre-prod testing (mirrors production)
- `dev`: Development/integration testing
- `sandbox`: Experimentation (auto-deleted after 30 days)
### CostCenter
- `ENG-001`: Engineering - Platform
- `ENG-002`: Engineering - Product
- `MKT-001`: Marketing - Growth
- `MKT-002`: Marketing - Brand2. Get Executive Sponsorship
We presented a 1-pager to the CFO:
Subject: Cloud Cost Allocation Initiative
Problem:
- $2.4M AWS spend with 0% cost attribution
- Cannot perform chargeback to business units
- $380K+ in orphaned resources (estimate)
Solution:
- Implement 4 mandatory tags (Environment, Owner, Application, CostCenter)
- Automate enforcement via Config Rules + IAM policies
- Deliver monthly chargeback reports by BU
Timeline: 90 days
Investment: 80 engineering hours + $1,200/year in Config Rules
ROI: $380K in identified savings + accurate chargeback
Approval: [ ] Yes [ ] No
We got approval in 48 hours because we tied it directly to financial visibility.
Phase 2: Baseline Assessment (Week 3)
Audit Current State
We ran this Python script using boto3 to assess tagging compliance:
import boto3
import csv
from collections import defaultdict
# Define mandatory tags
MANDATORY_TAGS = {'Environment', 'Owner', 'Application', 'CostCenter'}
def get_all_resources():
"""Get all resources using Resource Groups Tagging API"""
client = boto3.client('resourcegroupstaggingapi', region_name='us-east-1')
resources = []
paginator = client.get_paginator('get_resources')
for page in paginator.paginate():
resources.extend(page['ResourceTagMappingList'])
return resources
def assess_compliance(resources):
"""Assess tagging compliance"""
stats = {
'total_resources': len(resources),
'fully_compliant': 0,
'partially_compliant': 0,
'non_compliant': 0,
'by_service': defaultdict(lambda: {'total': 0, 'compliant': 0}),
'missing_tags': defaultdict(int)
}
non_compliant_resources = []
for resource in resources:
arn = resource['ResourceARN']
service = arn.split(':')[2] # Extract service from ARN
tags = {tag['Key']: tag['Value'] for tag in resource.get('Tags', [])}
stats['by_service'][service]['total'] += 1
# Check compliance
missing = MANDATORY_TAGS - set(tags.keys())
if not missing:
stats['fully_compliant'] += 1
stats['by_service'][service]['compliant'] += 1
elif len(missing) < len(MANDATORY_TAGS):
stats['partially_compliant'] += 1
for tag in missing:
stats['missing_tags'][tag] += 1
non_compliant_resources.append({
'arn': arn,
'service': service,
'missing_tags': list(missing),
'existing_tags': tags
})
else:
stats['non_compliant'] += 1
for tag in missing:
stats['missing_tags'][tag] += 1
non_compliant_resources.append({
'arn': arn,
'service': service,
'missing_tags': list(missing),
'existing_tags': tags
})
return stats, non_compliant_resources
def generate_report(stats, non_compliant_resources):
"""Generate compliance report"""
print("=" * 80)
print("AWS TAGGING COMPLIANCE REPORT")
print("=" * 80)
print(f"\nTotal Resources: {stats['total_resources']}")
print(f"Fully Compliant: {stats['fully_compliant']} ({stats['fully_compliant']/stats['total_resources']*100:.1f}%)")
print(f"Partially Compliant: {stats['partially_compliant']} ({stats['partially_compliant']/stats['total_resources']*100:.1f}%)")
print(f"Non-Compliant: {stats['non_compliant']} ({stats['non_compliant']/stats['total_resources']*100:.1f}%)")
print("\n" + "=" * 80)
print("COMPLIANCE BY SERVICE")
print("=" * 80)
for service, counts in sorted(stats['by_service'].items(), key=lambda x: x[1]['total'], reverse=True):
compliance_rate = counts['compliant'] / counts['total'] * 100 if counts['total'] > 0 else 0
print(f"{service:20} {counts['total']:6} resources {compliance_rate:5.1f}% compliant")
print("\n" + "=" * 80)
print("MOST COMMONLY MISSING TAGS")
print("=" * 80)
for tag, count in sorted(stats['missing_tags'].items(), key=lambda x: x[1], reverse=True):
print(f"{tag:20} {count:6} resources missing this tag")
# Export non-compliant resources to CSV
with open('non_compliant_resources.csv', 'w', newline='') as f:
writer = csv.writer(f)
writer.writerow(['ARN', 'Service', 'Missing Tags', 'Existing Tags'])
for resource in non_compliant_resources:
writer.writerow([
resource['arn'],
resource['service'],
', '.join(resource['missing_tags']),
', '.join([f"{k}={v}" for k, v in resource['existing_tags'].items()])
])
print(f"\n✅ Exported {len(non_compliant_resources)} non-compliant resources to non_compliant_resources.csv")
if __name__ == '__main__':
print("Fetching all AWS resources...")
resources = get_all_resources()
print(f"Found {len(resources)} resources. Assessing compliance...")
stats, non_compliant = assess_compliance(resources)
generate_report(stats, non_compliant)Our Baseline Results:
Total Resources: 14,287
Fully Compliant: 1,719 (12.0%)
Partially Compliant: 3,214 (22.5%)
Non-Compliant: 9,354 (65.5%)
COMPLIANCE BY SERVICE
ec2 4,823 resources 8.2% compliant
rds 1,247 resources 18.9% compliant
s3 2,891 resources 4.1% compliant
lambda 1,982 resources 22.7% compliant
dynamodb 743 resources 31.2% compliant
MOST COMMONLY MISSING TAGS
Environment 11,234 resources missing
Owner 10,892 resources missing
Application 9,473 resources missing
CostCenter 12,103 resources missing
Key Insight: Lambda had the highest compliance (22.7%) because our Terraform Lambda module included tags by default. EC2 had the lowest (8.2%) because engineers were launching instances via console ClickOps.
Phase 3: Enforce Tag-on-Create (Week 4-6)
1. IAM Policy: Prevent Untagged Resource Creation
We deployed this SCP (Service Control Policy) at the AWS Organizations level:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreateWithoutMandatoryTags",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"ec2:CreateVolume",
"ec2:CreateSnapshot",
"rds:CreateDBInstance",
"rds:CreateDBCluster",
"s3:CreateBucket",
"lambda:CreateFunction",
"dynamodb:CreateTable",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Environment": ["prod", "staging", "dev", "sandbox"],
"aws:RequestTag/Owner": "*@company.com",
"aws:RequestTag/Application": "*",
"aws:RequestTag/CostCenter": ["ENG-*", "MKT-*", "SAL-*", "FIN-*"]
}
}
},
{
"Sid": "DenyCreateWithoutAllTags",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"rds:CreateDBInstance",
"lambda:CreateFunction"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Environment": "true",
"aws:RequestTag/Owner": "true",
"aws:RequestTag/Application": "true",
"aws:RequestTag/CostCenter": "true"
}
}
}
]
}Result: Engineers attempting to create resources without tags saw this error:
An error occurred (UnauthorizedOperation) when calling the RunInstances operation:
You are not authorized to perform this operation. Ensure all mandatory tags are present:
Environment, Owner, Application, CostCenter
2. Terraform Module Defaults
We updated all Terraform modules to include tags:
# modules/ec2-instance/main.tf
variable "tags" {
description = "Resource tags (will be merged with mandatory tags)"
type = map(string)
default = {}
}
variable "mandatory_tags" {
description = "Mandatory tags enforced by organization"
type = object({
Environment = string
Owner = string
Application = string
CostCenter = string
})
}
resource "aws_instance" "this" {
ami = var.ami_id
instance_type = var.instance_type
tags = merge(
var.mandatory_tags,
var.tags,
{
Name = var.instance_name
ManagedBy = "Terraform"
Module = "ec2-instance"
CreatedAt = timestamp()
}
)
}Usage in environments:
# environments/prod/main.tf
module "payment_api" {
source = "../../modules/ec2-instance"
instance_name = "payment-api-prod"
ami_id = "ami-0c55b159cbfafe1f0"
instance_type = "t3.large"
mandatory_tags = {
Environment = "prod"
Owner = "team-payments@company.com"
Application = "payment-api"
CostCenter = "ENG-002"
}
tags = {
Project = "checkout-v2"
Compliance = "PCI-DSS"
Backup = "daily"
}
}3. AWS Config Rules for Compliance Monitoring
We deployed Config Rules to continuously monitor compliance:
# terraform/config-rules.tf
resource "aws_config_config_rule" "required_tags" {
name = "required-tags"
source {
owner = "AWS"
source_identifier = "REQUIRED_TAGS"
}
input_parameters = jsonencode({
tag1Key = "Environment"
tag2Key = "Owner"
tag3Key = "Application"
tag4Key = "CostCenter"
})
depends_on = [aws_config_configuration_recorder.main]
}
resource "aws_config_config_rule" "environment_tag_values" {
name = "environment-tag-values"
source {
owner = "AWS"
source_identifier = "REQUIRED_TAGS"
}
input_parameters = jsonencode({
tag1Key = "Environment"
tag1Value = "prod,staging,dev,sandbox"
})
}
# Auto-remediation: Tag non-compliant resources
resource "aws_config_remediation_configuration" "auto_tag" {
config_rule_name = aws_config_config_rule.required_tags.name
target_type = "SSM_DOCUMENT"
target_identifier = "AWS-PublishSNSNotification"
parameter {
name = "AutomationAssumeRole"
static_value = aws_iam_role.config_remediation.arn
}
parameter {
name = "TopicArn"
static_value = aws_sns_topic.tagging_violations.arn
}
automatic = true
maximum_automatic_attempts = 3
retry_attempt_seconds = 60
}Cost: ~$2/rule/month + $0.003/config item evaluation = ~$50/month for our setup.
Phase 4: Backfill Existing Resources (Week 7-10)
1. Identify Resource Owners
We couldn't tag 14,000 resources manually. So we used CloudTrail to identify who created each resource:
import boto3
from datetime import datetime, timedelta
def find_resource_creator(resource_arn):
"""Find who created a resource using CloudTrail"""
cloudtrail = boto3.client('cloudtrail')
# Extract resource ID from ARN
resource_id = resource_arn.split('/')[-1]
# Search CloudTrail for creation event
start_time = datetime.now() - timedelta(days=90) # CloudTrail retains 90 days
response = cloudtrail.lookup_events(
LookupAttributes=[
{
'AttributeKey': 'ResourceName',
'AttributeValue': resource_id
}
],
StartTime=start_time,
MaxResults=50
)
if response['Events']:
event = response['Events'][0]
username = event.get('Username', 'unknown')
event_time = event['EventTime']
event_name = event['EventName']
return {
'creator': username,
'created_at': event_time,
'event': event_name
}
return None
# Example: Find creator of an EC2 instance
creator_info = find_resource_creator('arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678')
print(f"Created by: {creator_info['creator']}")2. Bulk Tagging with Tag Editor
For resources >90 days old (no CloudTrail history), we:
- Grouped resources by naming patterns (e.g.,
payment-api-*→ Application=payment-api) - Used AWS Tag Editor for bulk operations
- Tagged 2,000+ resources in 30 minutes vs. weeks manually
Tag Editor Example:
# Using AWS CLI for bulk tagging
aws resourcegroupstaggingapi tag-resources \
--resource-arn-list \
"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678" \
"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5679" \
--tags \
Environment=prod \
Owner=team-platform@company.com \
Application=legacy-monolith \
CostCenter=ENG-0013. Orphaned Resource Cleanup
We discovered 1,200+ resources with no identifiable owner. These included:
- EC2 instances stopped for >6 months
- EBS volumes unattached for >90 days
- RDS snapshots from deleted databases
- S3 buckets with 0 requests in 12 months
We tagged them with:
{
Environment = "unknown"
Owner = "infra-team@company.com"
Application = "orphaned"
CostCenter = "ENG-001"
DeleteAfter = "2025-01-15" # 30-day grace period
}Result: Deleted $47K/quarter in orphaned resources after 30-day notification period.
Phase 5: Activate Cost Allocation Tags (Week 11)
1. Enable Tags in Billing Console
# Via AWS CLI
aws ce update-cost-allocation-tags-status \
--cost-allocation-tags-status \
TagKey=Environment,Status=Active \
TagKey=Owner,Status=Active \
TagKey=Application,Status=Active \
TagKey=CostCenter,Status=ActiveImportant: Cost allocation tags take 24 hours to activate and only apply to new spend going forward. Historical data won't be tagged.
2. Create Cost Categories
We built a hierarchy: CostCenter → Department → Team
# terraform/cost-categories.tf
resource "aws_ce_cost_category" "department" {
name = "Department"
rule_version = "CostCategoryExpression.v1"
rule {
value = "Engineering"
rule {
dimension {
key = "COST_CENTER"
values = ["ENG-001", "ENG-002", "ENG-003"]
match_options = ["EQUALS"]
}
}
}
rule {
value = "Marketing"
rule {
dimension {
key = "COST_CENTER"
values = ["MKT-001", "MKT-002"]
match_options = ["EQUALS"]
}
}
}
rule {
value = "Sales"
rule {
dimension {
key = "COST_CENTER"
values = ["SAL-001"]
match_options = ["EQUALS"]
}
}
}
}
resource "aws_ce_cost_category" "team" {
name = "Team"
rule_version = "CostCategoryExpression.v1"
rule {
value = "Platform Team"
rule {
tags {
key = "Owner"
values = ["team-platform@company.com"]
match_options = ["EQUALS"]
}
}
}
rule {
value = "Payments Team"
rule {
tags {
key = "Owner"
values = ["team-payments@company.com"]
match_options = ["EQUALS"]
}
}
}
}Phase 6: Build Chargeback Reports (Week 12)
Monthly Cost Allocation Report
We automated monthly reports sent to each business unit:
import boto3
from datetime import datetime, timedelta
import pandas as pd
def generate_chargeback_report(start_date, end_date, cost_center):
"""Generate chargeback report for a cost center"""
ce = boto3.client('ce')
response = ce.get_cost_and_usage(
TimePeriod={
'Start': start_date.strftime('%Y-%m-%d'),
'End': end_date.strftime('%Y-%m-%d')
},
Granularity='MONTHLY',
Filter={
'Tags': {
'Key': 'CostCenter',
'Values': [cost_center]
}
},
Metrics=['UnblendedCost', 'UsageQuantity'],
GroupBy=[
{'Type': 'TAG', 'Key': 'Application'},
{'Type': 'TAG', 'Key': 'Environment'},
{'Type': 'SERVICE'}
]
)
# Parse response into DataFrame
rows = []
for result in response['ResultsByTime']:
period = result['TimePeriod']['Start']
for group in result['Groups']:
app = group['Keys'][0].split('$')[1] if '$' in group['Keys'][0] else 'Untagged'
env = group['Keys'][1].split('$')[1] if '$' in group['Keys'][1] else 'Untagged'
service = group['Keys'][2]
cost = float(group['Metrics']['UnblendedCost']['Amount'])
rows.append({
'Period': period,
'Application': app,
'Environment': env,
'Service': service,
'Cost': cost
})
df = pd.DataFrame(rows)
# Generate summary
summary = {
'cost_center': cost_center,
'period': f"{start_date.strftime('%Y-%m')}",
'total_cost': df['Cost'].sum(),
'by_environment': df.groupby('Environment')['Cost'].sum().to_dict(),
'by_application': df.groupby('Application')['Cost'].sum().to_dict(),
'top_services': df.groupby('Service')['Cost'].sum().nlargest(5).to_dict()
}
return summary, df
# Generate report for Engineering
last_month_start = datetime.now().replace(day=1) - timedelta(days=1)
last_month_start = last_month_start.replace(day=1)
last_month_end = datetime.now().replace(day=1)
summary, detailed = generate_chargeback_report(
last_month_start,
last_month_end,
'ENG-001'
)
print(f"Cost Center: {summary['cost_center']}")
print(f"Period: {summary['period']}")
print(f"Total Cost: ${summary['total_cost']:,.2f}")
print("\nBy Environment:")
for env, cost in summary['by_environment'].items():
print(f" {env}: ${cost:,.2f}")
print("\nTop Applications:")
for app, cost in list(summary['by_application'].items())[:5]:
print(f" {app}: ${cost:,.2f}")Sample Output:
Cost Center: ENG-001 (Platform Engineering)
Period: 2025-11
Total Cost: $147,293.42
By Environment:
prod: $98,234.12 (66.7%)
staging: $32,441.83 (22.0%)
dev: $14,892.47 (10.1%)
sandbox: $1,725.00 (1.2%)
Top Applications:
api-gateway: $42,381.29
fraud-detection: $28,447.11
user-service: $23,102.84
payment-processor: $19,283.19
notification-service: $12,847.38
Top Services:
EC2: $58,293.12
RDS: $31,447.83
Data Transfer: $18,293.47
S3: $14,382.19
Lambda: $8,293.81
Tagging Compliance: 97.3%
Untagged Spend: $3,976.00 (2.7%)
We email this to each cost center owner monthly, with a link to the full CSV report.
Automation: Set It and Forget It
1. EventBridge + Lambda Auto-Remediation
We built a Lambda function that automatically tags new resources within 5 minutes of creation:
import { EC2Client, CreateTagsCommand, DescribeInstancesCommand } from '@aws-sdk/client-ec2';
import { CloudTrailClient, LookupEventsCommand } from '@aws-sdk/client-cloudtrail';
interface EventBridgeEvent {
detail: {
eventName: string;
requestParameters: any;
responseElements: any;
userIdentity: {
principalId: string;
arn: string;
};
};
}
const ec2 = new EC2Client({});
const cloudtrail = new CloudTrailClient({});
export const handler = async (event: EventBridgeEvent): Promise<void> => {
const { detail } = event;
// Handle EC2 instance creation
if (detail.eventName === 'RunInstances') {
const instanceIds = detail.responseElements?.instancesSet?.items?.map(
(i: any) => i.instanceId
) || [];
if (instanceIds.length === 0) return;
// Check if instances already have mandatory tags
const describeCmd = new DescribeInstancesCommand({
InstanceIds: instanceIds
});
const instances = await ec2.send(describeCmd);
for (const reservation of instances.Reservations || []) {
for (const instance of reservation.Instances || []) {
const tags = instance.Tags || [];
const tagKeys = tags.map(t => t.Key);
const missingTags = ['Environment', 'Owner', 'Application', 'CostCenter'].filter(
tag => !tagKeys.includes(tag)
);
if (missingTags.length > 0) {
// Attempt to infer tags from creator and context
const inferredTags = await inferTags(detail, instance);
// Tag the instance
const createTagsCmd = new CreateTagsCommand({
Resources: [instance.InstanceId!],
Tags: [
...inferredTags,
{ Key: 'AutoTagged', Value: 'true' },
{ Key: 'AutoTaggedAt', Value: new Date().toISOString() }
]
});
await ec2.send(createTagsCmd);
// Send notification to creator
await sendTaggingNotification(detail.userIdentity.arn, instance.InstanceId!, missingTags);
console.log(`Auto-tagged instance ${instance.InstanceId} with inferred tags`);
}
}
}
}
};
async function inferTags(event: any, instance: any): Promise<Array<{Key: string, Value: string}>> {
const tags: Array<{Key: string, Value: string}> = [];
// Infer Owner from IAM principal
const principalArn = event.userIdentity.arn;
if (principalArn.includes(':user/')) {
const username = principalArn.split('/').pop();
tags.push({ Key: 'Owner', Value: `${username}@company.com` });
}
// Infer Environment from VPC/Subnet tags
if (instance.SubnetId) {
const subnet = await getSubnetTags(instance.SubnetId);
if (subnet?.Environment) {
tags.push({ Key: 'Environment', Value: subnet.Environment });
}
}
// Infer Application from instance name
const nameTag = instance.Tags?.find((t: any) => t.Key === 'Name');
if (nameTag) {
const appName = nameTag.Value.split('-')[0]; // Extract from naming pattern
tags.push({ Key: 'Application', Value: appName });
}
// Default CostCenter to 'ENG-001' (manual review required)
tags.push({ Key: 'CostCenter', Value: 'ENG-001' });
tags.push({ Key: 'RequiresReview', Value: 'true' });
return tags;
}
async function sendTaggingNotification(userArn: string, resourceId: string, missingTags: string[]): Promise<void> {
// Send email via SES or Slack notification
console.log(`Notification: User ${userArn} created ${resourceId} missing tags: ${missingTags.join(', ')}`);
// Implementation details omitted for brevity
}
async function getSubnetTags(subnetId: string): Promise<Record<string, string> | null> {
// Fetch subnet tags to infer environment
return null; // Implementation omitted
}EventBridge Rule:
resource "aws_cloudwatch_event_rule" "ec2_creation" {
name = "ec2-instance-creation"
description = "Trigger on EC2 instance creation"
event_pattern = jsonencode({
source = ["aws.ec2"]
detail-type = ["AWS API Call via CloudTrail"]
detail = {
eventName = ["RunInstances"]
}
})
}
resource "aws_cloudwatch_event_target" "lambda" {
rule = aws_cloudwatch_event_rule.ec2_creation.name
target_id = "AutoTagLambda"
arn = aws_lambda_function.auto_tag.arn
}Cost: $0.20 per million invocations + Lambda execution time.
2. Weekly Compliance Dashboard
We built a CloudWatch dashboard showing real-time compliance:
resource "aws_cloudwatch_dashboard" "tagging_compliance" {
dashboard_name = "Tagging-Compliance"
dashboard_body = jsonencode({
widgets = [
{
type = "metric"
properties = {
metrics = [
["AWS/Config", "ComplianceScore", { stat = "Average" }]
]
period = 86400
stat = "Average"
region = "us-east-1"
title = "Overall Tagging Compliance"
yAxis = {
left = {
min = 0
max = 100
}
}
}
},
{
type = "log"
properties = {
query = <<-EOT
SOURCE '/aws/config/compliance'
| fields @timestamp, resourceType, compliance
| filter compliance = "NON_COMPLIANT"
| stats count() by resourceType
EOT
region = "us-east-1"
title = "Non-Compliant Resources by Type"
}
}
]
})
}3. Quarterly Tag Audit
We run a quarterly Lambda function to:
- Identify orphaned resources (no activity in 90 days)
- Validate tag values against registry
- Generate cleanup recommendations
import boto3
from datetime import datetime, timedelta
def quarterly_tag_audit():
"""Quarterly audit to identify orphaned and mis-tagged resources"""
results = {
'orphaned_resources': [],
'invalid_tag_values': [],
'estimated_savings': 0
}
# Get all resources
client = boto3.client('resourcegroupstaggingapi')
resources = client.get_resources()['ResourceTagMappingList']
cloudwatch = boto3.client('cloudwatch')
ce = boto3.client('ce')
for resource in resources:
arn = resource['ResourceARN']
tags = {tag['Key']: tag['Value'] for tag in resource.get('Tags', [])}
# Check for invalid Environment values
if 'Environment' in tags:
if tags['Environment'] not in ['prod', 'staging', 'dev', 'sandbox']:
results['invalid_tag_values'].append({
'arn': arn,
'tag': 'Environment',
'value': tags['Environment'],
'expected': 'prod, staging, dev, sandbox'
})
# Check for orphaned resources (no activity in 90 days)
if is_orphaned(arn, cloudwatch):
cost = estimate_resource_cost(arn, ce)
results['orphaned_resources'].append({
'arn': arn,
'tags': tags,
'monthly_cost': cost
})
results['estimated_savings'] += cost
# Generate report
print(f"=== QUARTERLY TAG AUDIT ===")
print(f"Orphaned Resources: {len(results['orphaned_resources'])}")
print(f"Estimated Savings: ${results['estimated_savings']:,.2f}/month")
print(f"Invalid Tag Values: {len(results['invalid_tag_values'])}")
return results
def is_orphaned(arn, cloudwatch):
"""Check if resource has had no activity in 90 days"""
# Implementation varies by resource type
# For EC2: Check CPUUtilization metric
# For RDS: Check DatabaseConnections
# For S3: Check NumberOfObjects
return False # Simplified
def estimate_resource_cost(arn, ce_client):
"""Estimate monthly cost of a resource"""
# Use Cost Explorer to get resource-specific costs
return 0.0 # SimplifiedQuarterly Audit Output:
=== Q4 2025 TAG AUDIT ===
Total Resources: 16,492
Orphaned Resources: 147
Estimated Savings: $18,293/month
Invalid Tag Values:
- 23 resources with Environment=production (should be 'prod')
- 12 resources with Owner=john.doe (should be email)
- 8 resources with CostCenter=Engineering (should be code like ENG-001)
Recommendations:
1. Delete 89 EBS volumes unattached for >90 days ($4,200/month savings)
2. Delete 34 RDS snapshots from deleted databases ($2,100/month savings)
3. Delete 24 stopped EC2 instances >180 days ($11,993/month savings)
Real-World Results: 6-Month Post-Implementation
Compliance Metrics
| Metric | Before | After 90 Days | After 6 Months |
|---|---|---|---|
| Tagging Compliance | 12% | 89% | 97% |
| Untagged Resources | 12,568 | 1,571 | 441 |
| Tag Enforcement | Manual | Automated | Automated |
| Manual Tagging Effort | 40 hrs/week | 8 hrs/week | 2 hrs/week |
Financial Impact
| Category | Annual Impact |
|---|---|
| Orphaned Resource Cleanup | $188,000 saved |
| Non-Prod Right-Sizing | $142,000 saved (identified via Environment tag) |
| Cost Allocation Accuracy | 98% (up from 0%) |
| Chargeback Enabled | 8 business units |
| Audit Time Reduction | 304 hours saved/year |
| Total Financial Value | $330,000/year |
ROI Calculation:
Investment:
- Initial implementation: 160 engineering hours × $150/hr = $24,000
- AWS Config Rules: $50/month × 12 = $600/year
- Lambda auto-remediation: $120/year
- Ongoing maintenance: 24 hours/year × $150/hr = $3,600/year
Total Investment: $28,320
Return:
- Direct savings: $330,000/year
- ROI: 1,065%
- Payback period: 1 month
Operational Benefits
1. Incident Response
Before tagging, when an alert fired, we had to:
- Find the resource in console (5 min)
- Determine what application it belonged to (10 min)
- Find the owning team (15 min)
- Page the right oncall (5 min)
Total MTTI (Mean Time to Identify): 35 minutes
After tagging, our monitoring system auto-correlates alerts:
- Alert fires → reads
OwnerandContacttags - Auto-pages oncall from
Contacttag - Includes application context from tags in alert
New MTTI: 2 minutes (93% reduction)
2. Budget Forecasting
Our CFO can now accurately forecast spend by:
- Business unit (via
CostCentertag) - Environment (prod vs. non-prod)
- Application (per-service costs)
Forecasting accuracy improved from ±40% to ±8%.
3. Compliance Audits
SOC 2 audit previously required:
- Manually listing all production resources (60 hours)
- Proving ownership and change control (20 hours)
Now we run:
aws resourcegroupstaggingapi get-resources \
--tag-filters Key=Environment,Values=prod Key=Compliance,Values=SOC2Audit prep time reduced from 80 hours to 4 hours.
Common Pitfalls and How to Avoid Them
Pitfall 1: Over-Tagging
The Problem: Some companies require 30+ mandatory tags. Compliance drops to <10% because it's too burdensome.
The Fix: Start with 4 mandatory tags. Add optional tags as needed. Tagging is a journey, not a destination.
Pitfall 2: No Enforcement
The Problem: Tags are "recommended" but not enforced. Compliance decays within 6 months.
The Fix: Use IAM SCPs to prevent untagged resource creation. It's the only way to maintain >90% compliance long-term.
Pitfall 3: Inconsistent Schemas
The Problem: One team uses env=prod, another uses environment=production. Cost Explorer can't aggregate.
The Fix: Publish a tag registry with approved keys and values. Use Config Rules to enforce valid values.
Pitfall 4: No Value Realization
The Problem: Teams tag resources but never use the data. Tagging becomes "checkbox compliance."
The Fix: Immediately build chargeback reports, cost dashboards, and automated alerts using tags. Show value within 30 days.
Pitfall 5: Forgetting Auto-Scaling
The Problem: You tag EC2 instances, but new instances launched by Auto Scaling Groups are untagged.
The Fix: Configure tag propagation in ASG launch templates:
resource "aws_autoscaling_group" "app" {
name = "app-asg"
max_size = 10
min_size = 2
desired_capacity = 4
launch_template {
id = aws_launch_template.app.id
version = "$Latest"
}
# Propagate tags from ASG to instances
tag {
key = "Environment"
value = "prod"
propagate_at_launch = true
}
tag {
key = "Owner"
value = "team-platform@company.com"
propagate_at_launch = true
}
tag {
key = "Application"
value = "web-app"
propagate_at_launch = true
}
tag {
key = "CostCenter"
value = "ENG-001"
propagate_at_launch = true
}
}Advanced Strategies
1. Tag Inheritance in Terraform
Instead of repeating tags in every resource, use module-level defaults:
# modules/app-stack/main.tf
variable "app_name" {}
variable "environment" {}
variable "owner" {}
variable "cost_center" {}
locals {
common_tags = {
Environment = var.environment
Owner = var.owner
Application = var.app_name
CostCenter = var.cost_center
ManagedBy = "Terraform"
Module = "app-stack"
}
}
resource "aws_instance" "web" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.medium"
tags = merge(
local.common_tags,
{
Name = "${var.app_name}-web-${var.environment}"
Tier = "web"
}
)
}
resource "aws_db_instance" "db" {
allocated_storage = 100
engine = "postgres"
instance_class = "db.t3.medium"
tags = merge(
local.common_tags,
{
Name = "${var.app_name}-db-${var.environment}"
Tier = "database"
}
)
}
resource "aws_s3_bucket" "assets" {
bucket = "${var.app_name}-assets-${var.environment}"
tags = merge(
local.common_tags,
{
Name = "${var.app_name}-assets"
Tier = "storage"
}
)
}Usage:
module "payment_api" {
source = "../../modules/app-stack"
app_name = "payment-api"
environment = "prod"
owner = "team-payments@company.com"
cost_center = "ENG-002"
}Result: All resources in the stack inherit the same 4 mandatory tags. DRY principle applied to tagging.
2. AWS Organizations Tag Policies
For multi-account setups, use Tag Policies to enforce schemas across all accounts:
{
"tags": {
"Environment": {
"tag_key": {
"@@assign": "Environment",
"@@operators_allowed_for_child_policies": ["@@none"]
},
"tag_value": {
"@@assign": ["prod", "staging", "dev", "sandbox"]
},
"enforced_for": {
"@@assign": [
"ec2:instance",
"rds:db",
"s3:bucket",
"lambda:function"
]
}
},
"Owner": {
"tag_key": {
"@@assign": "Owner"
},
"tag_value": {
"@@assign": ["*@company.com"]
},
"enforced_for": {
"@@assign": ["ec2:*", "rds:*", "s3:*", "lambda:*"]
}
},
"CostCenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"tag_value": {
"@@assign": ["ENG-*", "MKT-*", "SAL-*", "FIN-*"]
},
"enforced_for": {
"@@assign": ["ec2:*", "rds:*"]
}
}
}
}Apply to Organization:
aws organizations create-policy \
--content file://tag-policy.json \
--name "Mandatory-Tagging-Policy" \
--type TAG_POLICY \
--description "Enforce mandatory tags across all accounts"
aws organizations attach-policy \
--policy-id p-xxxxxxxxxx \
--target-id r-xxxx # Root OUResult: Any account in the organization cannot create resources without compliant tags.
3. Cost Anomaly Detection by Tag
Use AWS Cost Anomaly Detection with tag-based monitors:
resource "aws_ce_anomaly_monitor" "by_application" {
name = "Application-Cost-Monitor"
monitor_type = "DIMENSIONAL"
monitor_dimension = "SERVICE"
}
resource "aws_ce_anomaly_subscription" "app_alerts" {
name = "app-cost-alerts"
frequency = "DAILY"
monitor_arn_list = [
aws_ce_anomaly_monitor.by_application.arn
]
subscriber {
type = "SNS"
address = aws_sns_topic.cost_alerts.arn
}
threshold_expression {
dimension {
key = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
values = ["100"] # Alert if anomaly >$100
match_options = ["GREATER_THAN_OR_EQUAL"]
}
}
}Use Case: If payment-api typically costs $5K/month, but suddenly spikes to $12K, you get a Slack alert within 24 hours.
When NOT to Tag
1. Ephemeral Resources (<1 hour lifespan)
Lambda functions in a Step Functions workflow that execute for seconds? Don't bother. Tag the Step Functions state machine instead.
2. Auto-Generated Resources
ECS task ENIs created/destroyed every few minutes? Tag the ECS service, not the ENIs.
3. AWS-Managed Resources
CloudFormation stack resources that are fully managed by the stack? Tag the stack, not individual resources.
Conclusion: Tagging is a Continuous Practice
Here's what we learned implementing tagging at 6 companies:
- Start small. 4 mandatory tags is enough. Add more later.
- Enforce from day 1. Without enforcement, compliance decays to <20% within 6 months.
- Automate everything. Manual tagging doesn't scale past 1,000 resources.
- Show value immediately. Build chargeback reports within 30 days or teams will stop caring.
- Audit quarterly. Tags drift. Schemas change. Review every 90 days.
Our final results after 12 months:
Tagging Compliance: 97.3%
Cost Allocation Accuracy: 98.1%
Orphaned Resource Savings: $188K/year
Audit Time Reduction: 95%
Incident MTTI Reduction: 93%
ROI: 1,065%
Tagging isn't glamorous. But it's the foundation of cloud financial management. Without it, you're flying blind.
Need Help Implementing Tagging at Your Company?
Cloud Kiln specializes in cloud financial operations (FinOps) and cost optimization. We've implemented tagging strategies at companies with 10 AWS accounts to 500+ accounts.
What we deliver:
- Custom tagging strategy (4-week engagement)
- Terraform automation for tag enforcement
- Cost allocation reports and dashboards
- Chargeback/showback implementation
- Quarterly tag audits
Typical results: 90%+ compliance in 90 days, $200K-$2M in identified savings.