- Tags are key/value pairs that can be attached to AWS resources
- Tags are metadata: that means that they don’t actually do anything, they’re purely for labeling purposes and helps to organize AWS resources
- Tagging allows the user to assign her own (words/phrases/labels) metadata to each resource in the form of tags.
- Tags don’t have any semantic meaning to the resources it is assigned and are interpreted strictly as a string of characters
- Tags can
- help to manage AWS resources & services for e.g. instances, images, security groups, etc.
- help categorize AWS resources in different ways, for e.g., by purpose, owner (Developer, Finance, etc), or environment (DEV, TEST, PROD, etc).
- help search and filter the resources
- be used as a mechanism to organize resource costs on the cost allocation report.
- Tags are not automatically assigned to the resources, however, are (sometimes) inherited for e.g. services such as Auto Scaling, Elastic Beanstalk, and CloudFormation can create other resources, such as RDS or EC2 instances, and usually tag that resource with a reference to itself. These tags do count toward the total tag limit for a resource
- Tags can be defined using the
- AWS Management Console,
- AWS CLI
- Amazon API.
- Tags can be assigned only to resources that already exist and cannot be assigned when you create a resource; for e.g., when you use the run-instances AWS CLI command.
- However, when using the AWS Management console, some resource creation screens enable you to specify tags that are applied immediately after the resource is created.
- Each tag consists of a key and value
- key and an optional value, both of which are user-controlled
- defining a new tag that has the same key as an existing tag on that resource, the new value overwrites the old value.
- keys and values can be edited, removed from a resource at any time.
- value can be defined as an empty string, but can’t be set to null.
- IAM allows you the ability to control which users in the AWS account have permission to create, edit, or delete tags.
- Common examples of tags are Environment, Application, Owner, Cost Center, Purpose, Stack, etc.
- Maximum number of tags per resource – 50
- Maximum key length – 128 Unicode characters in UTF-8
- Maximum value length – 256 Unicode characters in UTF-8
- Tag keys and values are case-sensitive.
- Do not use the
aws:prefix in the tag names or values because it is reserved for AWS use. Tags with this prefix can’t be edited or deleted and they do not count against the tags per resource limit.
- Tags allowed characters are: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + – = . _ : / @.
- AWS does not enforce any tagging naming conventions and can be used as per the user convenience
- As the number of tags allows per resource are limited, Complex Tagging can be used for e.g. keyName = value1|value2|value3 or keyName = key1|value1;key2|value2
EC2 Resources Tags
- For tags on EC2 instances, instances can’t terminate, stop, or delete a resource based solely on its tags; the resource identifier must be specified
- Public or shared resources can be tagged, but the tags assigned are available only to the AWS account and not to the other accounts sharing the resource.
- Almost all resources can be tagged, with some can only be tagged using API actions or the command line or during creation.
Cost Allocation Tags
- Tags can be used as a mechanism to organize the resource costs on the cost allocation report.
- Cost allocation tags can be used to categorize and track AWS costs.
- When tags are applied to AWS resources such as EC2 instances or S3 buckets and activated in the billing console, AWS generates a cost allocation report as a (CSV file) with the usage and costs aggregated by active tags.
- Tags can be applied so that they represent business categories (such as cost centers, application names, or owners) to organize costs across multiple services.
- Cost allocation report includes all of the AWS costs for each billing period and includes both tagged and untagged resources
- Tags can also be used to filter views in Cost Explorer
Access Control Tags
- Tags can be used as a condition in an access policy statement to control access to resources for e.g. Deny Delete Permission based on Tags
- Refer blog post @ AWS Blog Resource-level-Permissions
- A Resource Group is a collection of resources that share one or more tags
- Resource groups help combine information for multiple resources and services on a single screen for e.g. for a Dev tag there might be multiple resources for ELB, EC2, and RDS. Using Resource Groups all the resources and their status can be views on a single page
- Tag Editor allows the addition of tags to multiple resources at once
- Tag Editor allows searching of resources using tags and then add, edit, remove tags for these resources
AWS Certification Exam Practice Questions
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- Fill in the blanks: _________ let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment.
- Special filters
- Please select the Amazon EC2 resource, which can be tagged.
- Key pairs
- Elastic IP addresses
- Placement groups
- Amazon EBS snapshots
- Can the string value of ‘Key’ be prefixed with aws:?
- Only for EC2 not S3
- Only for S3 not EC
- What is the maximum key length of a tag?
- 512 Unicode characters
- 64 Unicode characters
- 256 Unicode characters
- 128 Unicode characters
- An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of IAM users should only access the test instances and not the production ones. How can the organization set that as a part of the policy?
- Launch the test and production instances in separate regions and allow region wise access to the group (possible using location constraint condition but not flexible)
- Define the IAM policy which allows access based on the instance ID (not flexible as it would change)
- Create an IAM policy with a condition which allows access to only small instances (not flexible as it would change)
- Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags (possible using ResourceTag condition)
- A user has launched multiple EC2 instances for the purpose of development and testing in the same region. The user wants to find the separate cost for the production and development instances. How can the user find the cost distribution?
- The user should download the activity report of the EC2 services as it has the instance ID wise data
- It is not possible to get the AWS cost usage data of single region instances separately
- User should use Cost Distribution Metadata and AWS detailed billing
- User should use Cost Allocation Tags and AWS billing reports
- An organization is using cost allocation tags to find the cost distribution of different departments and projects. One of the instances has two separate tags with the key/value as “InstanceName/HR”, “CostCenter/HR”. What will AWS do in this case?
- InstanceName is a reserved tag for AWS. Thus, AWS will not allow this tag
- AWS will not allow the tags as the value is the same for different keys
- AWS will allow tags but will not show correctly in the cost allocation report due to the same value of the two separate keys
- AWS will allow both the tags and show properly in the cost distribution report
- A user is launching an instance. He is on the “Tag the instance” screen. Which of the below mentioned information will not help the user understand the functionality of an AWS tag?
- Each tag will have a key and value
- The user can apply tags to the S3 bucket
- The maximum value of the tag key length is 64 unicode characters
- AWS tags are used to find the cost distribution of various resources
- Your system recently experienced down time during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances. Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to:- launch, start stop, and terminate development resources. – launch and start production instances.
- Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection. (EC2 termination protection is enabled on EC2 instance)
- Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources. (Identify production resources using tags and add explicit deny)
- Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances. (Does not still prevent user from terminating instance)
- Create an IAM user and apply an IAM role, which prevents users from terminating production EC2 instances. (Role is not applied to User but assumed by the User also need a way to identify production EC2 instances)
- Your manager has requested you to tag EC2 instances to organize and manage a load balancer. Which of the following statements about tag restrictions is incorrect?
- The maximum key length is 127 Unicode characters.
- The maximum value length is 255 Unicode characters.
- Tag keys and values are case sensitive.
- The maximum number of tags per load balancer is 20. (50 is the limit)
- What is the maximum number of tags that a user can assign to an EC2 instance?
2 thoughts on “AWS Tags – Resource Groups – Tag Editor”
Q2: Seems list which supports tags is old and needs update and all resources support tags.
Thanks Rakesh, have removed the old data and pointing to the latest resource now.
Comments are closed.