> [!WARNING]
> Each resource can have a maximum of 50 user-created tags. Keep this in mind while defining the tag strategy: the schema below already uses roughly 20 keys, so leave room for tags added by tooling. Tags that AWS creates itself (keys prefixed with `aws:`) are reserved, cannot be created or edited by users, and do not count toward this limit.

> [!INFO]
> Amazon Web Services (AWS) enforces the following restrictions on tags:
>
> - Tag keys cannot be longer than 128 characters
> - Tag values cannot be longer than 256 characters
> - Tag keys and values are case sensitive (`Owner` and `owner` are two different tags, so automation that looks a tag up must use exactly the casing defined below)
> - In general, the allowed characters are:
>   - Letters
>   - Numbers
>   - Spaces
>   - The following characters: `_ . : / = + - @`
> - Other allowed characters can vary by AWS service

## Data security and risk management

- Data-Classification
  - Classifies the data for compliance and governance
  - Example values: `Public`, `Private`, `Confidential`, `Restricted`
- Data-Description
  - A description of what type of data this resource stores
  - Example value: `User emails and phone numbers`
- Data-PII
  - `true` if the resource contains PII (personally identifiable information). Examples of PII include:
    - full name
    - SSN
    - driver's license
    - address
    - credit card information
    - passport information
    - financial information
    - medical records
    - etc.
  - Example values: `true`, `false`
- Compliance
  - Identifies the compliance framework(s) the resource is subject to
  - Example values: `PCI-DSS`, `HIPAA`, `ISO`, `SOC`
- Compliance-Exclusion
  - The reason why the resource should be excluded from the audit scope
  - Example value: `This stores our favorite foods and isn't part of our production systems`
- Severity
  - Risk severity level of the resource
  - Example values: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`

## Operational and Support

- Name
  - Friendly name in the standard format `<managed-by/tenant-id>-<environment>-<region>-<purpose>` (note that the example below uses an Availability Zone, `us-west-2a`, for the region segment; pick one granularity and apply it consistently)
  - Example value: `exl-prd-us-west-2a-worker`
- Cost-Center
  - Identifies who owns the resource from a P&L perspective
  - Example values: `R&D`, `IT`, `Finance`, `Sales`, `Marketing`
- Maintenance-Window
  - Window in which maintenance operations may be run on the resource, in the AWS cron expression format (the six-field `cron(...)` syntax used by Systems Manager maintenance windows and EventBridge, not classic five-field crontab)
  - Example value: `cron(30 23 ? * TUE#1 *)` (23:30 on the first Tuesday of each month)
- Schedule
  - The time frame during which the resource needs to be available
  - Example value: `mon-9am-fri-5pm`
- Backup-Schedule
  - Backup schedule of the resource
  - Example values: `Daily`, `Weekly`, `Monthly`
- Environment
  - What type of environment the resource is part of
  - Example values: `Dev`, `Stg`, `Prd`
- Expiration
  - The date when ephemeral resources can be shut down and deleted, in `MM-DD-YY` format. Any cleanup automation must parse exactly this format; an ambiguous date such as `01-02-23` is read differently by tools that assume `DD-MM-YY`.
  - Example value: `08-13-23`
- Purpose
  - A free-text description of what the resource is for, or any other descriptive information an administrator wants to record
  - Example value: `Archive of ingested events handled by logs queue`
- Managed-by
  - Identifies who manages the resource
  - Example values: `consulting`, `development`, `IT`, `Sales`, `Marketing`, `Cust`
- Tenant-id
  - If `Managed-by` is set to `Cust`, this must be set to the customer's tenant ID
  - Example values: `cust1`, `cust2`, `cust3`
- Owner
  - Resource owner. The value should be the resource owner's company email address.
  - Example value: `[email protected]`

## Examples of Resources Requiring Tags

- Compute
  - Virtual Machines/Instances (EC2, AVM)
  - Managed Kubernetes (AKS, EKS)
  - Managed Containers (ACA, ECS)
  - Auto Scaling (ASG)
- Network
  - Virtual Networks (VPC)
  - Subnets
  - Firewalls/Access Control Lists (SG, NACL)
  - Load Balancers (ALB, ELB, NLB)
  - Network Gateways (TGW, VPG)
- Storage
  - Object Storage (S3)
  - Block Storage (EBS)
- Database
  - Managed Databases (Postgres, MySQL, MariaDB, SQL Server)
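A tag strategy is only useful if something enforces it. The following validator is an added example, not code from the original page: it checks a resource's tag set against the AWS restrictions quoted above (50-tag limit with `aws:` keys excluded, key and value lengths, the generally allowed character set, case-sensitive keys) and against a subset of the schema defined on this page (required keys, allowed values, `Tenant-id` required when `Managed-by` is `Cust`, the `Name` format and its agreement with the `Environment` tag, `Owner` as an email address, `Expiration` in `MM-DD-YY`). The choice of which keys are mandatory, the `Name` and email regular expressions, and the two sample tag sets are assumptions made for the example.

```python
"""Validate a resource's tag set against the AWS tag restrictions and the
tag schema on this page. Added example, not part of the original page; the
set of required keys, the regexes and the sample tag sets are assumptions."""
import re
from datetime import datetime

# AWS limits as quoted on the page.
MAX_USER_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
# Letters, numbers, spaces and _ . : / = + - @ (some services allow more;
# this is the conservative, generally allowed set).
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9 _.:/=+\-@]*$")

# Subset of the page's schema (assumed mandatory keys). Keys are case sensitive.
REQUIRED_KEYS = {"Name", "Environment", "Owner", "Managed-by",
                 "Data-Classification", "Data-PII"}
ALLOWED_VALUES = {
    "Data-Classification": {"Public", "Private", "Confidential", "Restricted"},
    "Data-PII": {"true", "false"},
    "Environment": {"Dev", "Stg", "Prd"},
    "Severity": {"CRITICAL", "HIGH", "MEDIUM", "LOW"},
    "Managed-by": {"consulting", "development", "IT", "Sales", "Marketing", "Cust"},
}
# <managed-by/tenant-id>-<environment>-<region>-<purpose>; the region segment
# is matched loosely so both "us-west-2" and "us-west-2a" pass (assumed regex).
NAME_RE = re.compile(r"^[a-z0-9]+-(?P<env>dev|stg|prd)-[a-z]{2}-[a-z]+-\d[a-z]?-[a-z0-9]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_tags(tags: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the tag set is compliant."""
    findings: list[str] = []

    # aws:-prefixed keys are reserved for AWS and do not count toward the limit.
    user_tags = {k: v for k, v in tags.items() if not k.lower().startswith("aws:")}
    if len(user_tags) > MAX_USER_TAGS:
        findings.append(f"{len(user_tags)} user tags exceeds the limit of {MAX_USER_TAGS}")

    for key, value in user_tags.items():
        if len(key) > MAX_KEY_LEN:
            findings.append(f"key {key[:20]!r}... longer than {MAX_KEY_LEN} characters")
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"value of {key!r} longer than {MAX_VALUE_LEN} characters")
        for text, what in ((key, "key"), (value, "value")):
            if not ALLOWED_CHARS.match(text):
                findings.append(f"{what} of tag {key!r} contains characters outside the allowed set")

    # Missing required keys; report a near miss when only the casing differs.
    lower_keys = {k.lower(): k for k in user_tags}
    for key in sorted(REQUIRED_KEYS - user_tags.keys()):
        hint = ""
        if key.lower() in lower_keys:
            hint = f" (found {lower_keys[key.lower()]!r}; keys are case sensitive)"
        findings.append(f"required tag {key!r} missing{hint}")

    for key, allowed in ALLOWED_VALUES.items():
        if key in user_tags and user_tags[key] not in allowed:
            findings.append(f"{key}={user_tags[key]!r} not in {sorted(allowed)}")

    if user_tags.get("Managed-by") == "Cust" and not user_tags.get("Tenant-id"):
        findings.append("Managed-by is 'Cust' but Tenant-id is missing")

    if "Name" in user_tags:
        m = NAME_RE.match(user_tags["Name"])
        if not m:
            findings.append(f"Name {user_tags['Name']!r} does not follow "
                            "<managed-by/tenant-id>-<environment>-<region>-<purpose>")
        elif "Environment" in user_tags and m.group("env") != user_tags["Environment"].lower():
            findings.append(f"Name environment segment {m.group('env')!r} disagrees "
                            f"with Environment={user_tags['Environment']!r}")

    if "Owner" in user_tags and not EMAIL_RE.match(user_tags["Owner"]):
        findings.append(f"Owner {user_tags['Owner']!r} is not an email address")

    if "Expiration" in user_tags:
        try:
            # The page's example uses MM-DD-YY; enforce that single format so
            # cleanup automation cannot misread day and month.
            datetime.strptime(user_tags["Expiration"], "%m-%d-%y")
        except ValueError:
            findings.append(f"Expiration {user_tags['Expiration']!r} is not in MM-DD-YY format")

    return findings


# Constructed sample tag sets (not from the page).
GOOD_TAGS = {
    "Name": "exl-prd-us-west-2a-worker",
    "Environment": "Prd",
    "Owner": "alice@example.com",
    "Managed-by": "Cust",
    "Tenant-id": "cust1",
    "Data-Classification": "Confidential",
    "Data-PII": "true",
    "Severity": "HIGH",
    "Expiration": "08-13-23",
    "aws:cloudformation:stack-name": "not-counted",   # AWS-created, ignored
}

BAD_TAGS = {
    "name": "EXL-PROD-worker",                  # wrong casing, wrong format
    "Environment": "Production",                # not one of Dev/Stg/Prd
    "Owner": "alice",                           # not an email address
    "Managed-by": "Cust",                       # Tenant-id missing
    "Data-Classification": "Confidential",
    "Data-PII": "True",                         # case sensitive: must be 'true'
    "Expiration": "2023-08-13",                 # page format is MM-DD-YY
    "Purpose": "archive of events; see wiki#42",  # ';' and '#' not allowed
}

if __name__ == "__main__":
    for label, tags in (("good", GOOD_TAGS), ("bad", BAD_TAGS)):
        print(label, validate_tags(tags) or "compliant")
```

Run against a real account, the same function can be fed the `Tags` list returned by the AWS API (converted to a dict) for each resource in the list above; every non-empty result is a resource that will be missed by compliance reporting or cost allocation until its tags are corrected.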