
How to achieve Proactive Governance using AWS Tagging


This article provides a detailed overview of proactive governance with AWS Tags and highlights a few general use cases.


Before you start
  • CloudySave is an all-round one-stop shop for your organization and teams to reduce your AWS cloud costs by more than 55%.
  • The CloudySave team assesses your AWS infrastructure and helps your teams define standard AWS tagging practices.
  • Our goal is to give your engineers and ops teams clear visibility into spending and usage patterns.



What is Proactive Governance?

  • In simple terms, proactive governance deals with management and oversight activities carried out at regular intervals to make sure things are running smoothly.
  • It provides a standard set of patterns and approaches to effectively protect resources, applications and users even before a threat event occurs.

Proactive Governance in AWS Cloud
  • Within AWS, proactive governance typically depends on the services used for management and deployment (e.g. AWS Organizations, IAM access policies, AWS Service Catalog, AWS CloudFormation).
  • For example, tag policies should be enforced at the top level of AWS Organizations so that all standardized tags are applied when each resource is created in any of the linked AWS accounts.
  • Another example is the use of resource tags in AWS CloudFormation, which add tags for a single deployment, whereas with AWS Service Catalog you can add product and portfolio tags directly to the entire product/infra at launch.
  • Automated tasks are another rigorous approach to proactive governance. For example, running aws-cli/API-based scripts from Lambda (or any other automation) to quarantine and remediate unnecessary resources based on environment and automation tags.

Therefore, AWS proactive governance means reaching governance and compliance by taking action as change happens, not just reacting to the change when it occurs.


AWS Proactive Governance using AWS Service Catalog

The following information provides details on implementing proactive governance measures on Products/Infra using TagOptions in AWS Service Catalog.

As soon as you launch a product with TagOptions, AWS Service Catalog performs the following actions for you:

  • Finds and collects all TagOptions for the product and the launching portfolio.
  • Allows the user to add non-conflicting tags to the product while provisioning is in progress.
  • Makes sure that only TagOptions with unique keys are used in the final provisioned product's tags. AWS presents a list of multiple values for a key; as soon as a specific value is selected, it becomes a tag on the newly provisioned product.

The use cases below show how TagOptions behave while a launch is in progress.


1. Multiple TagOptions having the Same Key on a Portfolio
  • If an admin/user places multiple TagOptions with the same key on a portfolio, it is not possible to create products using multiple keys.
  • The user must therefore choose one of the values associated with the key while the product is being launched. The final provisioned product is tagged with the value the user selected.



2. Set of TagOptions having the Same Key on a Portfolio as well as on a Product in that Portfolio
  • An admin/user places multiple TagOptions with the same key on a specific portfolio, as well as multiple TagOptions with the same key on a product in that portfolio.
  • Service Catalog then builds the set of values by aggregating the TagOptions.
  • The user must choose one of the values associated with the key while the product is being launched. The final provisioned product is tagged with the value the user selected.



3. A Unique TagOption Key
  • An admin/user creates a single TagOption (e.g. Group=Finance) and associates it with Portfolio1, which includes Product1 with no TagOptions.
  • As soon as a user launches the product, the tag [Group=Finance] is automatically associated with the product.



4. Multiple TagOptions sharing the exact same Key with Conflicting Values
  • An admin/user creates multiple TagOptions with the exact same key on a portfolio, as well as multiple TagOptions with the exact same key on a product in that portfolio.
  • Service Catalog then builds the set of values by aggregating the TagOptions. If the aggregation finds no values for the key, Service Catalog creates a tag with the exact same key and a value of sc-<tag_conflict>-<portfolio_id>-<product_id>. (portfolio_id & product_id represent the ARNs of the portfolio and product.)
  • The provisioned product is tagged with this value, which should then be corrected by the admin/user.
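
The four use cases above follow one resolution rule, modeled here as an added Python example (not CloudySave's or AWS's code). It assumes the aggregation is the logical AND (set intersection) described in AWS's TagOptions documentation and that the conflict value takes the form sc-tagconflict-<portfolio_id>-<product_id>; all function names, tag values and ids are hypothetical.

```python
from collections import defaultdict

# Assumed placeholder form for unresolved conflicts; in the real service the two
# ids are the portfolio and product ARNs (short constructed ids are used here).
CONFLICT_FMT = "sc-tagconflict-{portfolio_id}-{product_id}"

def group_by_key(tag_options):
    """Turn [(key, value), ...] into {key: {values}}."""
    grouped = defaultdict(set)
    for key, value in tag_options:
        grouped[key].add(value)
    return dict(grouped)

def aggregate(portfolio_opts, product_opts):
    """Allowed values per key. A key set on both levels keeps only the values
    both levels allow (logical AND); a key set on one level keeps all of them."""
    portfolio, product = group_by_key(portfolio_opts), group_by_key(product_opts)
    merged = {}
    for key in sorted(portfolio.keys() | product.keys()):
        if key in portfolio and key in product:
            merged[key] = portfolio[key] & product[key]
        else:
            merged[key] = portfolio.get(key) or product[key]
    return merged

def resolve_tags(portfolio_opts, product_opts, choices, portfolio_id, product_id):
    """Tags on the provisioned product; `choices` holds the launcher's picks."""
    tags = {}
    for key, values in aggregate(portfolio_opts, product_opts).items():
        if not values:            # use case 4: nothing survives aggregation
            tags[key] = CONFLICT_FMT.format(portfolio_id=portfolio_id,
                                            product_id=product_id)
        elif len(values) == 1:    # use case 3: single value applied automatically
            tags[key] = next(iter(values))
        elif choices.get(key) in values:   # use cases 1 and 2: launcher picks one
            tags[key] = choices[key]
        else:
            raise ValueError(f"{key}: choose one of {sorted(values)}")
    return tags

def find_conflicts(tags):
    """Keys whose value is the conflict placeholder and needs an admin fix."""
    return sorted(k for k, v in tags.items() if v.startswith("sc-tagconflict-"))

if __name__ == "__main__":
    # Constructed sample: Group conflicts, Env needs a choice, Owner is unique.
    portfolio = [("Group", "Finance"), ("Env", "dev"), ("Env", "prod"), ("Owner", "ops")]
    product = [("Group", "Marketing"), ("Env", "prod"), ("Env", "test"), ("Env", "dev")]
    tags = resolve_tags(portfolio, product, {"Env": "prod"}, "port-EXAMPLE", "prod-EXAMPLE")
    print(tags, find_conflicts(tags))
```

Running find_conflicts over the tags of already provisioned products gives a quick audit for use case 4 leftovers that nobody corrected.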



See Managing TagOptions for further details on how to create and use TagOptions.

