7.2.2. Resource Tagging Strategies
First Principle: Tags are the metadata that enables governance at scale — they connect resources to owners, cost centers, environments, and compliance requirements. Without consistent tagging, you can't answer basic questions like "who owns this resource?" or "is this production or development?"
Tag Governance with Organizations:
- Tag policies: Enforce required tag keys and standardized values across the organization
- Example: require tags Environment (values: prod, staging, dev), Owner (email format), CostCenter (approved list)
- Non-compliant tag values are blocked or reported
Tagging for Security:
| Tag | Purpose | Security Use |
|---|---|---|
| Environment | Identify prod/dev/staging | Apply stricter controls to prod |
| DataClassification | Identify sensitivity level | Trigger encryption and access policies |
| Owner | Identify responsible team | Incident response contact |
| CostCenter | Financial attribution | Detect unauthorized resource creation |
| ComplianceScope | Regulatory framework | Apply framework-specific controls |
⚠️ Exam Trap: Tag policies enforce tag format and values. SCPs enforce what actions are allowed. These work together: tag policies ensure proper tags exist; SCPs can deny actions on untagged resources.
Scenario: An ABAC strategy requires all resources to have Project and Environment tags. You deploy an Organization tag policy enforcing these keys with valid values, and an SCP that denies ec2:RunInstances unless both tags are present in the request.
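The two policy documents from this scenario written out in AWS syntax, with a small offline pre-flight check that runs a proposed launch tag set against both (an added example, not from the study guide; `check_launch()` and the tag sets it is fed are constructed, and the checker is a simplification of IAM evaluation, not the real engine):

```python
# Added example, not from the study guide: the scenario's tag policy and SCP in
# AWS syntax, plus an offline pre-flight, check_launch(), that evaluates a
# proposed RunInstances tag set against both before the API call is made.
# Tag policy: exact key capitalization, approved Environment values, enforced
# on EC2 instances (AWS rejects non-compliant tagging operations on them).
TAG_POLICY = {"tags": {
    "Environment": {"tag_key": {"@@assign": "Environment"},
                    "tag_value": {"@@assign": ["prod", "staging", "dev"]},
                    "enforced_for": {"@@assign": ["ec2:instance"]}},
    "Project": {"tag_key": {"@@assign": "Project"},
                "enforced_for": {"@@assign": ["ec2:instance"]}},
}}

# SCP: deny a launch when a required tag is absent. Null == "true" matches a
# missing key; keys inside one Null block are ANDed, so one statement per tag.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": f"Require{tag}OnRunInstances", "Effect": "Deny",
     "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}}}
    for tag in ("Project", "Environment")
]}

def scp_denies(request_tags):
    """True if a Deny statement's Null condition matches. IAM condition key
    names are case-insensitive, so tag keys are compared ignoring case."""
    present = {k.lower() for k in request_tags}
    for stmt in SCP["Statement"]:
        for cond_key, want_absent in stmt["Condition"]["Null"].items():
            if (cond_key.split("/", 1)[1].lower() not in present) == (want_absent == "true"):
                return True
    return False

def tag_policy_violations(request_tags):
    """Keys differing from the policy key only in case, or values outside the
    approved list. Missing keys are the SCP's job, not the tag policy's."""
    problems = []
    for rule in TAG_POLICY["tags"].values():
        key = rule["tag_key"]["@@assign"]
        allowed = rule.get("tag_value", {}).get("@@assign")
        for k, v in request_tags.items():
            if k != key and k.lower() == key.lower():
                problems.append(f"{k}: key must be spelled {key}")
            elif k == key and allowed and v not in allowed:
                problems.append(f"{k}: value {v!r} not in {allowed}")
    return problems

def check_launch(request_tags):
    """Verdict for a proposed TagSpecification tag set (constructed input)."""
    if scp_denies(request_tags):
        return "DENIED by SCP: Project and Environment tags are required"
    problems = tag_policy_violations(request_tags)
    return "DENIED by tag policy: " + "; ".join(problems) if problems else "ALLOWED"
```

Note the division of labour the Exam Trap describes: a request carrying `environment: prod` passes the SCP (condition key names are case-insensitive) but is caught by the tag policy, while a request missing `Environment` entirely never reaches the tag policy because the SCP denies it first.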
Reflection Question: Why are tags a governance mechanism (not just an organizational convenience), and how do they enable automated security controls?