Tags are pretty simple—they store a single key-value pair, and are used as metadata for AWS resources to help you stay organized. We’ll show you how to use them, and how to set effective tagging policies for your organization.

What Is Tagging Used for?

In a shared account with many AWS resources, it can be hard to sort through everything. You can physically separate environments by creating new AWS accounts, and link them under the same billing using AWS Organizations, but that’s mostly meant for dev, testing, staging, and prod environments, and as such, is limited to four accounts.

Tags present a quick and easy solution to most of these organizational problems. For example, say your organization is handling projects for many clients, all under the same AWS account. You might be running a couple of EC2 servers per project, a few S3 buckets, etc. You can create a “project” tag, and assign it to all of these resources based on the project name. Now, instead of your EC2 Management Console being crowded with many instances, you can filter quite easily based on the project tag:

While separating based on project is the simplest problem tagging fixes, there are many different tagging strategies you can employ. You can use them to distinguish between dev, testing, and staging resources (though you should likely use AWS Organizations to physically separate prod, for security reasons), filter based on version, or mark resources as needing special compliance or confidentiality levels.

It’s really up to you what you use them for. Once you have a clear tagging policy in mind, you can set it in place using the AWS Organizations console. Resources that don’t comply with the tagging policy will be flagged by the tag editor, and can be easily fixed.

How to Set and Search for Tags

Going forward, you should be setting tags whenever resources are created (setting a tagging policy helps with that), but retroactively tagging resources is pretty easy. From the AWS Management Console, select “Resource Groups” in the top menu bar, and open up the “Tag Editor.”

You can search for resources by region and type, or leave them blank for a list of everything. You can also filter by existing tags.

Once you select something to tag, you can click “Manage Tags Of Selected Resources” to edit their tags.

Click “Add Tag” to create a new tag, and apply it to the selected resources. Select “Review And Apply Changes,” and the new tags should be set.

You can also search by tags from the AWS CLI, using get-resources:

Most services will also let you modify resource tags from the CLI, using add-tags-to-resource and the ARN:

Enforcing a Tag Policy

To prevent you from having to manually tag resources to stay organized, you can enforce an account-wide tagging policy that will apply to all new resources created in your account. This won’t prevent users from creating resources without proper tags, so you’ll still have to educate your employees on your tagging policy, but it will let you view which resources are non-compliant, and fix the problem quickly.

To do so, you’ll have to turn the feature on from the AWS Organizations console. Under “Organize Accounts,” click on “Root,” and enable “Tag Policies” in the sidebar. You can actually set different tagging policies for different accounts, if you’re separating out your dev and prod environments.

Under the “Policies” tab, you should now be able to click on “Tag Policies,” and create a new policy.

Give it a name and description, and specify the tag key that you want to enforce. It’s probably best to check “Use the capitalization specified” to prevent any errors. You can also set a list of allowed values for the tag.

The last option, “Prevent non-compliant operations for this tag,” doesn’t prevent the creation of new resources without the tag, but will prevent non-compliant tag updates.

Click “Create.” You’ll have to attach the policy before it will take effect. Click on your root account (or whatever you wish to apply it to), select “Tag Policies” in the sidebar, and attach the newly created policy.

You’ll also need to give the Tag Policies Console access to your organizational policies. Click on “Settings,” and scroll down to find “Tag Policies.” Enable this.

Now, you should be able to view non-compliant resources from the tag editor, under Tag Policies > This AWS Account.

Unfortunately, there’s not an easy way to update the tags from this screen—you’ll have to search for them in the Tag Editor tab, or click on the resources and manually update the tags from that resource’s management console.
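To make the compliance check concrete, here is an added example (not code from the original article or from AWS) that does offline what the Tag Policies view and get-resources do for you: it flattens a tag-policy-style document into rules, walks a list of resources shaped like the ResourceTagMappingList that get-resources returns, and reports which resources are missing the enforced key, use the wrong capitalization, or carry a value outside the allowed list. The policy document, the ARNs and the account ID 111122223333 are constructed sample data; the rule shape follows the tag policy JSON syntax with its “@@assign” operator, but everything else is assumed for the sake of the example.

```python
"""Offline check of resource tags against tag-policy-style rules.

Added example, not part of the original article. The policy document mimics
the tag policy JSON syntax ("@@assign"), and the inventory mimics the
ResourceTagMappingList returned by `aws resourcegroupstaggingapi
get-resources`. All keys, values and ARNs below are constructed.
"""
import json

# Constructed policy: enforce a "Project" key with exact capitalization and a
# fixed set of allowed values (the console's "Use the capitalization
# specified" and "allowed values" options).
TAG_POLICY = {
    "tags": {
        "project": {
            "tag_key": {"@@assign": "Project"},
            "tag_value": {"@@assign": ["alpha", "beta"]},
        }
    }
}

# Constructed inventory shaped like get-resources output (placeholder ARNs).
INVENTORY = {
    "ResourceTagMappingList": [
        {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example1",
         "Tags": [{"Key": "Project", "Value": "alpha"}]},          # compliant
        {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0example2",
         "Tags": [{"Key": "project", "Value": "alpha"}]},          # wrong case
        {"ResourceARN": "arn:aws:s3:::example-bucket-3",
         "Tags": [{"Key": "Project", "Value": "gamma"}]},          # bad value
        {"ResourceARN": "arn:aws:rds:us-east-1:111122223333:db:example-db-4",
         "Tags": [{"Key": "Owner", "Value": "ops"}]},              # key missing
    ]
}


def policy_rules(policy):
    """Flatten a policy into {lowercased key: (exact key, allowed values or None)}."""
    rules = {}
    for rule in policy["tags"].values():
        key = rule["tag_key"]["@@assign"]
        values = rule.get("tag_value", {}).get("@@assign")
        rules[key.lower()] = (key, values)
    return rules


def check_resource(resource, rules):
    """Return (key, reason) findings for one resource; an empty list means compliant."""
    findings = []
    # Tag keys are case-sensitive in AWS, so match case-insensitively first to
    # tell "wrong capitalization" apart from "missing".
    present = {t["Key"].lower(): t for t in resource.get("Tags", [])}
    for lowered, (exact_key, allowed) in rules.items():
        tag = present.get(lowered)
        if tag is None:
            findings.append((exact_key, "missing"))
        elif tag["Key"] != exact_key:
            findings.append((exact_key, f"capitalization: found {tag['Key']!r}"))
        elif allowed is not None and tag["Value"] not in allowed:
            findings.append((exact_key, f"value {tag['Value']!r} not in {allowed}"))
    return findings


def noncompliant(inventory, policy):
    """Map ARN -> findings for every resource that violates the policy."""
    rules = policy_rules(policy)
    report = {}
    for resource in inventory["ResourceTagMappingList"]:
        findings = check_resource(resource, rules)
        if findings:
            report[resource["ResourceARN"]] = findings
    return report


def filter_by_tag(inventory, key, value):
    """Offline stand-in for `get-resources --tag-filters Key=...,Values=...`.

    The match is case-sensitive on the key, which is exactly why a policy
    that pins capitalization matters: "project" and "Project" are two keys.
    """
    return [r["ResourceARN"] for r in inventory["ResourceTagMappingList"]
            if any(t["Key"] == key and t["Value"] == value
                   for t in r.get("Tags", []))]


if __name__ == "__main__":
    print(json.dumps(noncompliant(INVENTORY, TAG_POLICY), indent=2))
```

Running the script on the sample data flags three of the four resources, and filter_by_tag shows the practical cost of inconsistent capitalization: a search for Project=alpha returns only the first instance, while the one tagged “project” is silently left out of the results.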