AWS Resource Tags – Tagging Strategy & Cost Allocation

AWS Tags – Resource Groups – Tag Editor

  • Tags are key/value pairs that can be attached to AWS resources
  • Tags are metadata: by themselves they don't change how a resource behaves; they label it so that resources can be organized, searched, billed and (through IAM conditions) authorized
  • Tagging allows users to assign their own metadata (words, phrases, labels) to each resource in the form of tags.
  • Tags have no semantic meaning to the resource they are assigned to and are interpreted strictly as strings of characters
  • Tags can
    • help manage AWS resources and services, e.g. instances, images, security groups, etc.
    • help categorize AWS resources in different ways, e.g. by purpose, owner (Developer, Finance, etc.), or environment (DEV, TEST, PROD, etc.)
    • help search and filter the resources
    • be used as a mechanism to organize resource costs on the cost allocation report.
    • enable Attribute-Based Access Control (ABAC) for fine-grained permissions management
    • support automation and operational workflows for e.g., automated patching, backup schedules, instance scheduling
  • Tags are not automatically assigned to resources, but they are sometimes inherited: services such as Auto Scaling, Elastic Beanstalk, and CloudFormation create other resources (e.g. RDS or EC2 instances) and usually tag them with a reference to themselves. Such tags count toward the per-resource tag limit unless they carry the reserved aws: prefix
  • Tags can be defined using the
    • AWS Management Console,
    • AWS CLI
    • Amazon API.
  • Most AWS resources now support tagging on creation (tag-on-create), allowing tags to be applied when a resource is first created via console, CLI, or API.
  • Each tag consists of a key and an optional value, both of which are user-controlled
    • defining a new tag with the same key as an existing tag on that resource overwrites the old value with the new one.
    • keys and values can be edited or removed from a resource at any time.
    • the value can be an empty string, but can't be set to null.
  • IAM controls which principals in the AWS account have permission to create, edit, or delete tags; this matters because tags drive billing and, with ABAC, authorization.
  • Common examples of tags are Environment, Application, Owner, Cost Center, Purpose, Stack, etc.
  • AWS also applies system-generated tags (prefixed with aws:) automatically to resources for internal tracking.

Tags Restriction

  • Maximum number of tags per resource – 50 (user-created tags; aws: prefixed tags do not count against this limit)
  • Maximum key length – 128 Unicode characters in UTF-8
  • Maximum value length – 256 Unicode characters in UTF-8
  • Tag keys and values are case-sensitive.
  • Do not use the aws: prefix in the tag names or values because it is reserved for AWS use. Tags with this prefix can’t be edited or deleted and they do not count against the tags per resource limit.
  • Allowed characters in tag keys and values are: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @
  • Each tag key must be unique for each resource; it can have only one value per key.

Tagging Strategy

  • AWS recommends defining a comprehensive tagging strategy early when establishing your cloud foundation
  • Common tagging categories include:
    • Technical tags – Name, Application, Environment, Version, Cluster
    • Business tags – Owner, CostCenter, Project, Department
    • Automation tags – Schedule (start/stop), Backup, Patch Group
    • Security tags – Confidentiality, Compliance, DataClassification
  • Mandatory tags are the minimum set of tags every resource should have, regardless of purpose (e.g., Owner, Environment, CostCenter)
  • Use consistent naming conventions – decide on camelCase, PascalCase, or kebab-case and apply uniformly
  • As the number of tags allowed per resource is limited, complex tagging can pack several attributes into one value, e.g. keyName = value1|value2|value3 or keyName = key1|value1;key2|value2. Note that | and ; are not in the allowed-character list above, so confirm the target service accepts them (or use delimiters from the allowed set such as / : =), keep the packed value under the 256-character limit, and remember that cost allocation reports and IAM StringEquals conditions match the whole string, not its parts
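As an added example (not part of the original page), the following Python checks a proposed tag set against the restrictions listed above and packs/unpacks a complex tag value. The limits and allowed characters are the ones documented above; the delimiters differ from the |/; pattern because / and = are inside the allowed set; the function names and messages are this example's own.

```python
"""Added example (not from the original page): check a tag set against the
documented tag restrictions and pack/unpack multi-value ("complex") tags."""
import re
from typing import Dict, List

MAX_TAGS = 50          # user-created tags per resource (aws: tags excluded)
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
RESERVED_PREFIX = "aws:"
# Letters, digits and underscore (\w), space, and + - = . : / @
ALLOWED = re.compile(r"[\w +\-=.:/@]*")

PAIR_SEP = "/"   # between key=value pairs inside a complex tag value
KV_SEP = "="     # between key and value; both delimiters are in the allowed set


def check_tags(tags: Dict[str, str]) -> List[str]:
    """Return human-readable violations; an empty list means the set is acceptable."""
    problems: List[str] = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    seen_lower: Dict[str, str] = {}
    for key, value in tags.items():
        if key.lower().startswith(RESERVED_PREFIX):
            problems.append(f"{key!r}: the aws: prefix is reserved")
        if not key:
            problems.append("empty tag key")
        if len(key) > MAX_KEY_LEN:
            problems.append(f"{key[:20]!r}...: key longer than {MAX_KEY_LEN} characters")
        if value is None:
            # Empty string is a valid value, null is not
            problems.append(f"{key!r}: value must be a string (empty string is allowed, null is not)")
            continue
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"{key!r}: value longer than {MAX_VALUE_LEN} characters")
        for label, text in (("key", key), ("value", value)):
            if not ALLOWED.fullmatch(text):
                problems.append(f"{key!r}: {label} contains characters outside the allowed set")
        # Keys are case-sensitive, so Owner and owner are two distinct tags;
        # that is almost always a mistake rather than an intent, so flag it.
        if key.lower() in seen_lower:
            problems.append(f"{key!r} and {seen_lower[key.lower()]!r} differ only in case")
        seen_lower[key.lower()] = key
    return problems


def pack_complex(values: Dict[str, str]) -> str:
    """Encode several attributes into one tag value, e.g. app=billing/tier=web."""
    for k, v in values.items():
        if PAIR_SEP in k + v or KV_SEP in k + v:
            raise ValueError(f"{k}={v} contains a delimiter character")
    packed = PAIR_SEP.join(f"{k}{KV_SEP}{v}" for k, v in values.items())
    if len(packed) > MAX_VALUE_LEN:
        raise ValueError(f"packed value exceeds the {MAX_VALUE_LEN} character tag value limit")
    return packed


def unpack_complex(packed: str) -> Dict[str, str]:
    """Inverse of pack_complex; an empty tag value decodes to no attributes."""
    if not packed:
        return {}
    return dict(part.split(KV_SEP, 1) for part in packed.split(PAIR_SEP))
```

Run check_tags on the tag set before every tag-on-create or CreateTags call; a packed value that passes it is also safe to use as a search filter or a cost allocation value, since it stays inside the allowed character set.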

EC2 Resources Tags

  • EC2 API operations such as terminating, stopping, or deleting a resource cannot target resources by tag alone; the resource identifier must be specified (use tags to find the identifiers first, e.g. with a tag:Key filter on DescribeInstances)
  • Public or shared resources can be tagged, but the tags assigned are available only to the AWS account and not to the other accounts sharing the resource.
  • Almost all EC2 resources can be tagged, including instances, AMIs, volumes, snapshots, security groups, and network interfaces.
  • EC2 supports tag-on-create – tags can be specified during resource creation (e.g., RunInstances, CreateVolume) using the TagSpecifications parameter (--tag-specifications in the CLI), with one entry per resource type being created (e.g., instance and volume)

Cost Allocation Tags

  • Tags can be used as a mechanism to organize the resource costs on the cost allocation report.
  • Cost allocation tags can be used to categorize and track AWS costs.
  • There are two types of cost allocation tags:
    • AWS-generated tags – automatically created by AWS (e.g., aws:createdBy), must be activated by the management account owner in the Billing console
    • User-defined tags – created by users and must be activated in the Billing console to appear in cost reports
  • When tags are applied to AWS resources such as EC2 instances or S3 buckets and activated in the Billing console, AWS generates a cost allocation report as a CSV file with the usage and costs aggregated by the active tags.
  • Tags can be applied so that they represent business categories (such as cost centers, application names, or owners) to organize costs across multiple services.
  • Cost allocation report includes all of the AWS costs for each billing period and includes both tagged and untagged resources
  • Tags can also be used to filter views in Cost Explorer
  • AWS Cost Categories – allows grouping costs into meaningful categories based on rules (including tag-based rules) for advanced cost allocation
  • Split Cost Allocation Data – provides granular container-level cost visibility for Amazon ECS tasks and EKS pods, using Kubernetes labels and ECS task tags as cost allocation tags. Supports CPU, memory, and accelerator (GPU, Trainium, Inferentia) cost tracking.
  • When an account moves to another organization, previously activated cost allocation tags lose their “active” status and need to be re-activated by the new management account.
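The following Python is an added example (not from the original page) that aggregates a constructed, cut-down cost allocation report by an activated user-defined tag and measures untagged spend. The column conventions (user:Key for activated user-defined tags, aws:createdBy for the AWS-generated tag, UnblendedCost for the charge) follow the report, but the sample rows, the account-less createdBy values and the function names are constructed for the example; a real report carries many more columns.

```python
"""Added example (not from the original page): aggregate a cost allocation
report by an activated user-defined tag and measure untagged spend."""
import csv
import io
from collections import defaultdict
from decimal import Decimal
from typing import Dict, Tuple

# Constructed, cut-down report. Activated user-defined tags appear as
# user:<Key> columns and the AWS-generated tag as aws:createdBy; rows for
# untagged resources are present with empty tag cells.
SAMPLE_REPORT = """\
LineItemId,ProductName,UsageType,UnblendedCost,user:CostCenter,user:Environment,aws:createdBy
1,Amazon Elastic Compute Cloud,BoxUsage:m5.large,12.50,FIN-100,prod,IAMUser:AIDAEXAMPLE:alice
2,Amazon Elastic Compute Cloud,BoxUsage:t3.micro,1.25,FIN-100,dev,IAMUser:AIDAEXAMPLE:bob
3,Amazon Relational Database Service,InstanceUsage:db.t3.medium,30.00,ENG-200,prod,
4,Amazon Simple Storage Service,TimedStorage-ByteHrs,3.10,,,
"""

UNTAGGED = "(untagged)"


def cost_by_tag(report_csv: str, tag_key: str) -> Dict[str, Decimal]:
    """Sum UnblendedCost per value of user:<tag_key>. Rows with an empty tag
    cell are grouped under UNTAGGED, because the report includes both tagged
    and untagged resources and the gap is what a FinOps review looks for."""
    column = f"user:{tag_key}"
    totals: Dict[str, Decimal] = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(report_csv)):
        if column not in row:
            # The tag may exist on resources but was never activated for billing
            raise KeyError(f"{column} is not an active cost allocation tag column")
        totals[row[column] or UNTAGGED] += Decimal(row["UnblendedCost"])
    return dict(totals)


def untagged_share(report_csv: str, tag_key: str) -> Tuple[Decimal, Decimal]:
    """Return (untagged cost, total cost) for a tag key as a coverage check."""
    totals = cost_by_tag(report_csv, tag_key)
    total = sum(totals.values(), Decimal("0"))
    return totals.get(UNTAGGED, Decimal("0")), total
```

Decimal is used rather than float so that cents add up exactly; a KeyError on a missing user: column is the programmatic symptom of a tag that was applied but never activated in the Billing console.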

Attribute-Based Access Control (ABAC)

  • ABAC is an authorization strategy that defines permissions based on attributes (tags) attached to IAM principals and AWS resources.
  • Tags can be attached to IAM users, roles, and AWS resources to implement fine-grained access control.
  • Key IAM condition keys for ABAC:
    • aws:ResourceTag/tag-key – matches the tag on the target resource
    • aws:RequestTag/tag-key – matches the tag in the API request
    • aws:PrincipalTag/tag-key – matches the tag on the calling IAM principal
    • aws:TagKeys – controls which tag keys can be used in a request
  • ABAC scales permissions automatically – new resources with matching tags are covered without policy updates; because the tags become the authorization boundary, permission to create or change tags (e.g., ec2:CreateTags, iam:TagRole) must itself be restricted, typically with aws:RequestTag and aws:TagKeys conditions
  • Requires fewer policies compared to traditional RBAC (Role-Based Access Control) as environments grow
  • Supported by most AWS services including EC2, S3, RDS, Lambda, DynamoDB, and SageMaker
  • Amazon S3 ABAC support (launched Nov 2025) – enables tag-based access control for S3 general purpose buckets, eliminating frequent IAM or bucket policy updates as the organization grows

Tag Policies (AWS Organizations)

  • Tag Policies allow standardization of tags attached to AWS resources across an organization’s accounts
  • Help maintain consistent tagging with proactive compliance, governance, and control
  • Two key capabilities:
    • Basic compliance rules – define acceptable tag key case treatment and tag values for specific resource types
    • Required tag keys – specify mandatory tag keys that must be present on resources
  • Two enforcement modes:
    • Reporting mode – evaluates compliance and reports violations without blocking operations
    • Enforcement mode – prevents resource creation/modification with non-compliant tag values
  • Wildcard support (July 2025) – Tag Policies now support ALL_SUPPORTED in the Resource element, simplifying policy authoring and reducing policy size
  • IaC enforcement (Nov 2025) – Tag Policies can now validate and enforce required tags in CloudFormation, Terraform, and Pulumi deployments, preventing non-compliant deployments proactively
  • Tag policy enforcement has no effect on resources that are created without tags; use SCPs or AWS Config for mandatory tag-on-create enforcement
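As an added example (not from the original page), here is a tag policy in the tag_policy document syntax together with a Python checker that models what the policy would flag. The tag keys, allowed values and enforced_for resource types are invented for the illustration, and the checker is a model of the rules described above rather than the service's implementation; it also shows the caveat in the last bullet, since a resource with no tag at all produces no finding.

```python
"""Added example (not from the original page): a tag policy document and a
model of how it classifies a resource's tags as compliant, reported, or
blocked (enforced_for)."""
import fnmatch
from typing import Dict, List, Optional, Tuple

TAG_POLICY = {
    "tags": {
        "costcenter": {
            "tag_key": {"@@assign": "CostCenter"},
            "tag_value": {"@@assign": ["FIN-100", "ENG-*"]},   # wildcards allowed
            # Enforcement applies only to these resource types; everything
            # else is reporting-only for this tag.
            "enforced_for": {"@@assign": ["ec2:instance", "ec2:volume"]},
        },
        "environment": {
            "tag_key": {"@@assign": "Environment"},
            "tag_value": {"@@assign": ["dev", "test", "prod"]},
        },
    }
}

# (tag key as found on the resource, reason, enforced?)
Finding = Tuple[str, str, bool]


def _assigned(section: Optional[dict], default=None):
    return section.get("@@assign", default) if section else default


def check_tag_policy(policy: dict, resource_type: str, tags: Dict[str, str]) -> List[Finding]:
    """Return findings for one resource; an empty list means compliant.
    A tag that is absent produces no finding: tag policies constrain the
    case and values of tags that are present, they do not require tags."""
    findings: List[Finding] = []
    for entry in policy["tags"].values():
        wanted_key: str = _assigned(entry.get("tag_key"))
        allowed_values = _assigned(entry.get("tag_value"))
        enforced = any(fnmatch.fnmatchcase(resource_type, pattern)
                       for pattern in _assigned(entry.get("enforced_for"), []))
        # Locate the tag case-insensitively, then require the policy's capitalization
        for key in (k for k in tags if k.lower() == wanted_key.lower()):
            if key != wanted_key:
                findings.append((key, f"key case must be {wanted_key!r}", enforced))
            value = tags[key]
            if allowed_values is not None and not any(
                    fnmatch.fnmatchcase(value, pattern) for pattern in allowed_values):
                findings.append((key, f"value {value!r} not in allowed list", enforced))
    return findings


def would_be_blocked(policy: dict, resource_type: str, tags: Dict[str, str]) -> bool:
    """True when enforcement mode would reject the tagging operation."""
    return any(enforced for _, _, enforced in check_tag_policy(policy, resource_type, tags))
```

The split between reported and enforced findings is the practical reason to pair tag policies with an SCP or AWS Config rule: the policy above rejects CostCenter=XYZ on an instance but only reports it on an S3 bucket, and says nothing about an instance launched with no CostCenter at all.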

Tag Compliance and Governance

  • AWS Config required-tags rule – managed rule that checks if resources have specified tags; supports up to 6 tags with optional values in a single rule
  • Service Control Policies (SCPs) – can be used to deny resource creation without required tags using aws:RequestTag and aws:TagKeys condition keys
  • Combining Tag Policies + SCPs + AWS Config provides comprehensive tag governance:
    • Tag Policies – define allowed values and enforce consistency
    • SCPs – prevent untagged resource creation
    • AWS Config – detect and report non-compliant existing resources
  • Use AWS Config conformance packs to deploy tag compliance rules across multiple accounts
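The following Python is an added example (not from the original page) that ties the ABAC and governance sections together: an identity policy matching aws:ResourceTag/team against the ${aws:PrincipalTag/team} policy variable, an SCP that denies ec2:RunInstances when a mandatory aws:RequestTag is absent (the Null operator), a helper that derives those request-tag keys from an EC2 TagSpecifications parameter, and a small evaluator for the subset of IAM logic involved (explicit deny wins, otherwise any allow, otherwise implicit deny). The evaluator is a teaching model rather than IAM, it does not model set operators such as ForAnyValue on aws:TagKeys, and the tag names, ARNs and account IDs are placeholders.

```python
"""Added example (not from the original page): ABAC identity policy, SCP
requiring tag-on-create, and a minimal model of IAM policy evaluation."""
import fnmatch
import re
from typing import Dict, List

# ABAC: a principal may work on Lambda functions carrying its own team tag.
# ${aws:PrincipalTag/team} is resolved from the caller's tags at request time.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SameTeamOnly",
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction", "lambda:UpdateFunctionCode"],
        "Resource": "arn:aws:lambda:*:*:function:*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

# SCP: deny launching an instance unless each mandatory tag is in the request.
# Keys inside one condition operator are ANDed, so each tag gets its own
# statement; a single Null block would only deny when *both* were missing.
SCP_MANDATORY_TAGS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": f"Require{key}", "Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}}}
        for key in ("Environment", "CostCenter")
    ],
}

# Broad allow, as an administrator's identity policy would grant.
ADMIN_EC2 = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

VARIABLE = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(template: str, ctx: Dict[str, str]) -> str:
    """Expand policy variables; an unset variable makes the condition fail."""
    def sub(match):
        if match.group(1) not in ctx:
            raise LookupError(match.group(1))
        return ctx[match.group(1)]
    return VARIABLE.sub(sub, template)


def _condition_ok(condition: dict, ctx: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Null":
                # "true" means the key must be absent from the request context
                if (actual is None) != (_as_list(expected)[0].lower() == "true"):
                    return False
            elif operator == "StringEquals":
                try:
                    wanted = [_resolve(e, ctx) for e in _as_list(expected)]
                except LookupError:
                    return False
                if actual is None or actual not in wanted:   # values are case-sensitive
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _applies(stmt: dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    actions = [a.lower() for a in _as_list(stmt["Action"])]   # action names are case-insensitive
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policies: List[dict], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Explicit deny beats allow; with no matching allow the result is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


def tag_on_create_context(tag_specifications: List[dict], resource_type: str = "instance") -> Dict[str, str]:
    """Turn an EC2 TagSpecifications parameter into aws:RequestTag/* context keys."""
    ctx: Dict[str, str] = {}
    for spec in tag_specifications:
        if spec["ResourceType"] == resource_type:
            for tag in spec["Tags"]:
                ctx[f"aws:RequestTag/{tag['Key']}"] = tag["Value"]
    return ctx
```

Two behaviours worth noticing in the model: a resource with no team tag at all is an implicit deny (aws:ResourceTag/team is absent, so StringEquals cannot match), and a RunInstances request that tags only the volume still hits the SCP, because the Deny is scoped to the instance ARN and aws:RequestTag is evaluated per resource type.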

Resource Groups

  • A Resource Group is a collection of resources that share one or more tags or are based on an AWS CloudFormation stack
  • Resource groups combine information for multiple resources and services on a single screen; e.g. for a Dev tag there might be resources across ELB, EC2, and RDS, and with Resource Groups all of them and their status can be viewed on a single page
  • Two types of resource groups:
    • Tag-based groups – resources matching specified tag key/value pairs
    • AWS CloudFormation stack-based groups – resources belonging to a CloudFormation stack
  • Resource Groups can be used with AWS Systems Manager to automate operational tasks on grouped resources (e.g., patching, run commands)
  • Expanded resource type support (2024-2025) – AWS Resource Groups added support for 490+ new resource types across 2024-2025, covering services like AWS Entity Resolution, Amazon Personalize, Amazon Q Apps, AWS Backup, AWS Network Manager, and many more
  • AWS PrivateLink support (June 2025) – Resource Groups APIs can now be invoked from within a VPC without traversing the public internet via interface VPC endpoints

AWS Resource Explorer

  • AWS Resource Explorer (launched 2022) enables searching and discovering AWS resources across Regions and accounts from a single interface
  • Supports search using tags, resource types, service names, and other metadata
  • Key features:
    • Unified Search – integrated into the AWS Management Console search bar
    • Multi-region search – find resources across all enabled regions
    • Tag-based filtering – search for resources by tag keys and values
    • tag:none filter – find all resources missing user-generated tags
  • Tagged resource discovery (Sept 2024) – can now discover all tagged resources regardless of whether the resource type is fully supported
  • Tag support filtering (May 2024) – filter for resources that support tags to evaluate tagging coverage
  • Resource Explorer complements Tag Editor by providing a broader search-and-discovery capability across the entire AWS account/organization
  • Automatic resource search – no longer requires explicit setup; Resource Explorer enables resource search functionality automatically with appropriate permissions

Tag Editor

  • Tag Editor allows the addition of tags to multiple resources at once (up to 400 resources in a single operation)
  • Tag Editor allows searching of resources using tags and then add, edit, remove tags for these resources
  • Supports multi-region tag management – search for and manage tags of resources across multiple AWS Regions
  • Tag Editor is part of the AWS Resource Groups console and works with the Resource Groups Tagging API
  • Supports hundreds of AWS resource types for tagging operations

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Fill in the blanks: _________ let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment.
    1. Wildcards
    2. Pointers
    3. Tags
    4. Special filters
  2. Please select the Amazon EC2 resource, which can be tagged.
    1. Key pairs
    2. Elastic IP addresses
    3. Placement groups
    4. Amazon EBS snapshots (the intended answer; key pairs, Elastic IP addresses and placement groups support tags now as well, so the question is dated)
  3. Can the string value of ‘Key’ be prefixed with aws:?
    1. No
    2. Only for EC2 not S3
    3. Yes
    4. Only for S3 not EC
  4. What is the maximum key length of a tag?
    1. 512 Unicode characters
    2. 64 Unicode characters
    3. 256 Unicode characters
    4. 128 Unicode characters
  5. An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of IAM users should only access the test instances and not the production ones. How can the organization set that as a part of the policy?
    1. Launch the test and production instances in separate regions and allow region wise access to the group (possible using location constraint condition but not flexible)
    2. Define the IAM policy which allows access based on the instance ID (not flexible as it would change)
    3. Create an IAM policy with a condition which allows access to only small instances (not flexible as it would change)
    4. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags (possible using aws:ResourceTag condition – this is ABAC)
  6. A user has launched multiple EC2 instances for the purpose of development and testing in the same region. The user wants to find the separate cost for the production and development instances. How can the user find the cost distribution?
    1. The user should download the activity report of the EC2 services as it has the instance ID wise data
    2. It is not possible to get the AWS cost usage data of single region instances separately
    3. User should use Cost Distribution Metadata and AWS detailed billing
    4. User should use Cost Allocation Tags and AWS billing reports
  7. An organization is using cost allocation tags to find the cost distribution of different departments and projects. One of the instances has two separate tags with the key/value as “InstanceName/HR”, “CostCenter/HR”. What will AWS do in this case?
    1. InstanceName is a reserved tag for AWS. Thus, AWS will not allow this tag
    2. AWS will not allow the tags as the value is the same for different keys
    3. AWS will allow tags but will not show correctly in the cost allocation report due to the same value of the two separate keys
    4. AWS will allow both the tags and show properly in the cost distribution report
  8. A user is launching an instance. He is on the “Tag the instance” screen. Which of the below mentioned information will not help the user understand the functionality of an AWS tag?
    1. Each tag will have a key and value
    2. The user can apply tags to the S3 bucket
    3. The maximum value of the tag key length is 64 unicode characters
    4. AWS tags are used to find the cost distribution of various resources
  9. Your system recently experienced down time during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances. Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to:- launch, start stop, and terminate development resources. – launch and start production instances.
    1. Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection. (EC2 termination protection is enabled on EC2 instance)
    2. Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources. (Identify production resources using tags and add explicit deny – ABAC pattern)
    3. Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances. (Does not still prevent user from terminating instance)
    4. Create an IAM user and apply an IAM role, which prevents users from terminating production EC2 instances. (Role is not applied to User but assumed by the User also need a way to identify production EC2 instances)
  10. Your manager has requested you to tag EC2 instances to organize and manage a load balancer. Which of the following statements about tag restrictions is incorrect?
    1. The maximum key length is 127 Unicode characters.
    2. The maximum value length is 255 Unicode characters.
    3. Tag keys and values are case sensitive.
    4. The maximum number of tags per load balancer is 20. (50 is the limit; options 1 and 2 are also off by one from the documented 128/256 limits, so the question is poorly written, but 4 is the intended answer)
  11. What is the maximum number of tags that a user can assign to an EC2 instance?
    1. 50
    2. 10
    3. 5
    4. 25
  12. A company wants to ensure all EC2 instances launched in their AWS accounts have mandatory “Environment” and “CostCenter” tags. Which combination of AWS services can enforce this requirement? (Choose 2)
    1. AWS Organizations Tag Policies with required tag keys and IaC enforcement
    2. Amazon CloudWatch Events with tag monitoring
    3. Service Control Policies (SCPs) with aws:RequestTag and aws:TagKeys conditions
    4. AWS CloudTrail with tag logging enabled
    5. Amazon Inspector with tag assessment templates
  13. An organization uses ABAC (Attribute-Based Access Control) to manage permissions. A developer tagged with “team=backend” needs access to Lambda functions tagged with “team=backend”. Which IAM condition key should be used in the policy?
    1. aws:RequestTag/team
    2. aws:TagKeys
    3. aws:ResourceTag/team with aws:PrincipalTag/team
    4. aws:userid
  14. A company needs to find all AWS resources across multiple regions that are missing required tags. Which AWS service provides this capability most efficiently?
    1. AWS Config with required-tags rule
    2. AWS CloudTrail with tag event filtering
    3. AWS Resource Explorer with the tag:none filter
    4. AWS Tag Editor with cross-region search

 
