/aws-enterprise-naming-tagging-standard

AWS Tagging policy and naming convention for all resources created within any AWS accounts under the AWS Master Account.

AWS Naming & Tagging Conventions

Table of Contents

Terms and Abbreviations

Bibliography

Executive Summary

AWS Terms and Abbreviations

Tagging Overview

Tagging Best Practices

Resource Groups

Compound Tags

Style Rules

Tagging Region Codes

Enterprise Tagging Standards

Environment Names

Name Tag Format

AMI Versioning

Additional Tags

Operational Tags

Business Tags

Security Tags

AWS Resource Suffixes

Name Tag Examples

Terms and Abbreviations

The following table lists the Terms and Abbreviations that are referenced within the document.

Term Explanation
AMI Amazon Machine Image
AWS Amazon Web Services
AWS IAM AWS Identity and Access Management Service
DB Database
EBS Elastic Block Store
EC2 Amazon Elastic Compute Cloud
OS Operating System
PCI Payment Card Industry
PII Personally identifiable information
RBAC Role-based Access Control
RDS Relational Database Service
S3 Simple Storage Service
SNS Simple Notification Service
SQS Simple Queue Service
VPC Virtual Private Cloud

Bibliography

The table below contains information about, and (where possible) links to, supporting documentation.

No. Description - Link - Version
1. “How Should I Tag my AWS resources?” - https://d0.awsstatic.com/aws-answers/AWS_Tagging_Strategies.pdf - June 2, 2017
2. AWS Naming Convention Best Practices (tagging) - http://www.myrtec.com.au/sites/www.myrtec.com.au/files/attachments/aws_naming_convention_best_practices_-_tagging.pdf - September 11, 2014
3. AWS now supports 50 tags per resource - https://aws.amazon.com/blogs/security/now-organize-your-aws-resources-by-using-up-to-50-tags-per-resource/ - August 15, 2016
4. User defined tag restrictions - http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html - Latest
5. Tagging your EC2 resources - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html - Latest
6. Naming Conventions - https://en.wikipedia.org/wiki/Naming_convention_(programming) - August 3, 2017
7. ElastiCache replication group naming limits - http://docs.aws.amazon.com/cli/latest/reference/elasticache/create-replication-group.html - As of 06/09/2017

AWS Terms and Abbreviations

The following terms and abbreviations are used throughout the design and implementation of all Enterprise applications.

Name Value
Connectivity CONN
Database Layer RDS
Production Environment PROD
Dev Test Environment DEV/TEST
Pre Production Environment PPE
Management and Monitoring MGMT
Private PRI
Public PUB

N.B. In the above table the forward slash character (“/”) is part of the Value and is not being used as a delimiter.

Tagging Overview

AWS provides the ability to tag resources with descriptive metadata. Tags simplify resource management at scale and are used here for cost allocation. Because the Enterprise plans to run multiple applications, multiple application environments and multiple AWS accounts, tagging must be applied consistently so that costs can be separated out by application, environment and business unit.

Each tag consists of a key and a value, both user-defined strings. Once applied, tags can be used as filters when listing resources such as Amazon EC2 instances, by key or by value, and tags that have been activated as cost allocation tags appear as columns in the Cost Allocation Report.

Tags provide identification and classification of AWS resources. Commonly used tags include application identifier, environment and owner.

Resource Groups

Use resource groups. A resource group is a collection of resources that share one or more tags. It can span services, and the Resource Groups tool builds a custom console that organises and consolidates all the resources for a project in a single view. In AWS, a resource is an entity such as an EC2 instance or an S3 bucket. For example, all the resources for a version of TEAM_A in production can be in one resource group while the resources used by TEAM_B are in another (though the Enterprise's cloud operating model dictates that applications must exist in different accounts).

Compound Tags

AWS allows at most 50 tags per resource, so it is good practice to combine several related keys and values into a single compound tag. For example, rather than creating three keys, OwnerName, OwnerPhone and OwnerEmail, combine them into one key, OwnerContact, whose value holds the name, phone number and email address separated by the pipe character.

The Name tag is assigned a compound value with the hyphen as its delimiter. Examples of Name tag values are given in the examples section at the end of this document.

Style Rules

  • Tag keys are case-sensitive and may contain mixed-case letters, numbers, underscores and hyphens; AWS reserves keys beginning with aws: for its own use.

  • Tag keys use upper CamelCase (Pascal case), which joins words and abbreviations by starting each with a capital letter, e.g. “MiscMetadata” and “SupportEndpoints”.

  • Tag values are case-sensitive and must not contain the semicolon (“;”), equal sign (“=”) or pipe (“|”) characters, which are reserved as delimiters in compound values.

  • Compound tag values use Pascal-case sub-keys followed by an equal sign (“=”), hyphens between sub-values and semicolons between pairs, e.g. KeyName1=value1-value2-value3;KeyName2=value1-value2-value3. A sub-value therefore cannot itself contain a hyphen.

  • Caveat: the character set AWS documents for user-defined tag keys and values is letters, numbers, spaces and + - = . _ : / @ (see “User defined tag restrictions” in the Bibliography); “;” and “|” fall outside it, so confirm that each target service, and cost allocation reporting in particular, accepts a compound value before relying on one there.
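
The rules above, and the compound-tag convention described under Compound Tags, are easy to state and easy to break by hand. The Python below is an added example (not code from the standard) that validates a tag key against the Pascal-case rule, AWS's key length limit and the reserved aws: prefix, and serialises and parses compound values in the KeyName1=value1-value2;KeyName2=... shape. The function and constant names are the example's own. It rejects a leaf value containing any of the four delimiters, because a hyphen inside a sub-value would be indistinguishable from the sub-value separator when the tag is read back, and it fails loudly on malformed input rather than returning a partial result.

```python
from __future__ import annotations

import re

# Style rule: Pascal-case keys; AWS also allows '_' and '-' inside a key.
PASCAL_KEY = re.compile(r"^[A-Z][A-Za-z0-9]*(?:[_-][A-Z][A-Za-z0-9]*)*$")

# AWS limits for user-defined tags (Bibliography: "User defined tag restrictions").
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
RESERVED_PREFIX = "aws:"        # keys starting with this are reserved by AWS

# Delimiters the standard reserves for compound values.
PAIR_SEP = ";"      # separates KeyName=... pairs
KV_SEP = "="        # separates a sub-key from its sub-values
VALUE_SEP = "-"     # separates sub-values
PIPE = "|"          # used for pipe-separated values such as OwnerContact
RESERVED_CHARS = (PAIR_SEP, KV_SEP, VALUE_SEP, PIPE)


def validate_tag_key(key: str) -> list[str]:
    """Return the rule violations for a tag key; an empty list means the key is valid."""
    problems = []
    if not 1 <= len(key) <= MAX_KEY_LEN:
        problems.append(f"key length must be 1..{MAX_KEY_LEN}")
    if key.lower().startswith(RESERVED_PREFIX):
        problems.append(f"the {RESERVED_PREFIX} prefix is reserved by AWS")
    if not PASCAL_KEY.match(key):
        problems.append("key must be PascalCase, e.g. CostCentre or SupportEndpoints")
    return problems


def encode_compound(fields: dict[str, list[str]]) -> str:
    """Serialise {"KeyName1": ["value1", "value2"]} into KeyName1=value1-value2;...

    Raises ValueError for a non-Pascal sub-key, an empty sub-value list, a sub-value
    containing a reserved delimiter, or a result longer than the AWS value limit.
    """
    parts = []
    for key, values in fields.items():
        problems = validate_tag_key(key)
        if problems:
            raise ValueError(f"{key}: " + "; ".join(problems))
        if not values:
            raise ValueError(f"{key}: no sub-values given")
        for value in values:
            if not value or any(ch in value for ch in RESERVED_CHARS):
                raise ValueError(f"{key}: sub-value {value!r} is empty or contains a delimiter")
        parts.append(key + KV_SEP + VALUE_SEP.join(values))
    encoded = PAIR_SEP.join(parts)
    if len(encoded) > MAX_VALUE_LEN:
        raise ValueError(f"compound value is {len(encoded)} chars, limit is {MAX_VALUE_LEN}")
    return encoded


def decode_compound(value: str) -> dict[str, list[str]]:
    """Parse a compound tag value back into {sub-key: [sub-values]}, strictly.

    Rejects a pair without '=', a sub-key that breaks the key rules, a duplicate
    sub-key, an empty sub-value and a stray '=' or '|' inside a sub-value.
    """
    result: dict[str, list[str]] = {}
    for pair in value.split(PAIR_SEP):
        key, sep, joined = pair.partition(KV_SEP)
        if not sep:
            raise ValueError(f"pair {pair!r} has no '='")
        if validate_tag_key(key):
            raise ValueError(f"bad sub-key {key!r}")
        if key in result:
            raise ValueError(f"duplicate sub-key {key!r}")
        values = joined.split(VALUE_SEP)
        if any(not v or KV_SEP in v or PIPE in v for v in values):
            raise ValueError(f"{key}: empty sub-value or delimiter inside {joined!r}")
        result[key] = values
    return result


def is_valid_compound(value: str) -> bool:
    """True when decode_compound accepts the value."""
    try:
        decode_compound(value)
    except ValueError:
        return False
    return True
```

Run the validator in whatever creates resources (a CI step over Terraform or CloudFormation templates, or a pre-flight check in a deployment script) so a misnamed key or a value with a stray delimiter is caught before it reaches the account and pollutes cost allocation reports.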

Tagging Region Codes

AWS region codes are already unique, so they are abbreviated in names as follows:

Region Region Code
ap-northeast-1 an1
ap-northeast-2 an2
ap-south-1 as1
ap-southeast-1 ase1
ap-southeast-2 ase2
ca-central-1 cc1
eu-central-1 ec1
eu-west-1 euw1
eu-west-2 euw2
sa-east-1 se1
us-east-1 ue1
us-east-2 ue2
us-west-1 uw1
us-west-2 uw2

AMI Versioning

AMIs have names that uniquely identify their use, operating system, OS version, creation date (written year first so that names sort chronologically), the version built on that date and the AWS resource type suffix AMI. A “golden image” Red Hat Enterprise Linux 7.1 AMI built on 12 September 2017 is named as follows:

Use   Operating System   Version   Creation Date (reversed)   Version   AWS Resource
GOLD  RHEL               7.1       2017.09.12                 01        AMI

GOLD.RHEL.7.1.2017.09.12.01-AMI
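
Reading the name back out is where this scheme bites: the OS version contains dots, the same character that separates the date fields, so a naive split on “.” cannot tell 7.1 from the date. The Python below is an added example, not part of the standard, that anchors on the fixed-width date and version fields from the right, validates the date (a name carrying 2017.13.40 is rejected), and selects the newest GOLD image for a given OS and version. The AMI names it is run over are constructed, and the class and function names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# USE.OS.VERSION.YYYY.MM.DD.NN-AMI. The OS version may contain dots (7.1), so the
# date and serial are matched as fixed-width fields and the version takes the rest.
AMI_NAME = re.compile(
    r"^(?P<use>[A-Z]+)\.(?P<os>[A-Z0-9]+)\.(?P<version>[0-9]+(?:\.[0-9]+)*)"
    r"\.(?P<year>\d{4})\.(?P<month>\d{2})\.(?P<day>\d{2})\.(?P<serial>\d{2})-AMI$"
)


@dataclass(frozen=True, order=True)
class AmiName:
    # Field order matters: ordering compares creation date first, then the serial,
    # so max() over a list of AmiName gives the newest build.
    created: date
    serial: int
    use: str
    os: str
    version: str

    @property
    def name(self) -> str:
        """Render back to the standard's form, e.g. GOLD.RHEL.7.1.2017.09.12.01-AMI."""
        return (f"{self.use}.{self.os}.{self.version}."
                f"{self.created:%Y.%m.%d}.{self.serial:02d}-AMI")


def parse_ami_name(name: str) -> AmiName:
    """Parse a name that follows the standard; ValueError otherwise, including an
    impossible date such as 2017.13.40, which date() refuses to construct."""
    m = AMI_NAME.match(name)
    if not m:
        raise ValueError(f"{name!r} does not match USE.OS.VERSION.YYYY.MM.DD.NN-AMI")
    created = date(int(m["year"]), int(m["month"]), int(m["day"]))
    return AmiName(created, int(m["serial"]), m["use"], m["os"], m["version"])


def is_valid_ami_name(name: str) -> bool:
    """True when the name parses under the standard."""
    try:
        parse_ami_name(name)
    except ValueError:
        return False
    return True


def latest_golden(names: list[str], os: str, version: str) -> AmiName | None:
    """Newest GOLD image for an OS and version among the given AMI names.

    Names that break the standard are skipped rather than guessed at: an image
    that cannot be parsed must never win the 'latest golden image' selection.
    """
    candidates = []
    for n in names:
        try:
            a = parse_ami_name(n)
        except ValueError:
            continue
        if a.use == "GOLD" and a.os == os and a.version == version:
            candidates.append(a)
    return max(candidates) if candidates else None
```

A launch template or pipeline that resolves “the latest golden RHEL 7.1 image” should go through a parser like this rather than sorting raw name strings, so that a hand-named or typo-ridden image never outranks the genuine builds.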

Business Tags

Business tags record which part of the business is responsible for a resource and who pays for it. During an outage or attack they let responders quickly identify the owning team and rule resources in or out.

Tag            Description
SquadName      Squad or business area responsible for the resource
CostCentre     Business group to be billed for the AWS resources
PartnerContact Contact information for the external managed services partner, pipe separated, starting with the contact's name (e.g. John Smith)

Security Tags

Security classification tags, used together with the Additional Tags, give full visibility of which classification of data sits where across the account's surface. They also make policy enforceable: for example, an AWS Config rule can flag any resource tagged Compliance=PCI that is not in Network=Red.

Tag             Description
Compliance      Identifier for workloads that must adhere to a specific compliance regime, e.g. Normal / PII / PCI
Permissions     Identifier for the specific entity that may modify the resource
LastReviewed    Date the resource was last reviewed for compliance, YYYY-mm-dd
ApprovedVersion Version of the approval steps the AMI image went through
ApprovedBy      Department or software that approved the AMI for use in Organisation X
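
As an added example of the Config rule the paragraph above describes (not code from the standard or from AWS), the Python below evaluates a resource's security tags the way a custom rule's Lambda would before calling PutEvaluations: every required security tag present, Compliance one of Normal/PII/PCI, Compliance=PCI only together with Network=Red, and LastReviewed a valid YYYY-mm-dd date that is neither in the future nor older than a review window. The 90-day window, the sample resource inventory and the evaluation date are constructed assumptions; the page sets no review cadence.

```python
from __future__ import annotations

from datetime import date, timedelta

VALID_COMPLIANCE = {"Normal", "PII", "PCI"}        # page: Compliance tag values
REQUIRED_SECURITY_TAGS = ("Compliance", "Permissions", "LastReviewed")
PCI_NETWORK = "Red"                                # page: PCI data only in Network=Red
REVIEW_WINDOW = timedelta(days=90)                 # assumption: the page sets no cadence


def evaluate_security_tags(tags: dict[str, str], today: date) -> list[str]:
    """Return every violation found; an empty list means COMPLIANT.

    The checks are independent so one report lists everything the owner must fix,
    not just the first failure.
    """
    findings: list[str] = []
    for key in REQUIRED_SECURITY_TAGS:
        if not tags.get(key):
            findings.append(f"missing required tag {key}")

    compliance = tags.get("Compliance")
    if compliance and compliance not in VALID_COMPLIANCE:
        findings.append(f"Compliance={compliance!r} is not one of {sorted(VALID_COMPLIANCE)}")
    if compliance == "PCI" and tags.get("Network") != PCI_NETWORK:
        findings.append(f"PCI workload must be in Network={PCI_NETWORK}, "
                        f"found {tags.get('Network')!r}")

    reviewed = tags.get("LastReviewed")
    if reviewed:
        try:
            reviewed_on = date.fromisoformat(reviewed)    # enforces YYYY-mm-dd
        except ValueError:
            findings.append(f"LastReviewed={reviewed!r} is not YYYY-mm-dd")
        else:
            if reviewed_on > today:
                findings.append(f"LastReviewed={reviewed} is in the future")
            elif today - reviewed_on > REVIEW_WINDOW:
                findings.append(f"LastReviewed={reviewed} is older than {REVIEW_WINDOW.days} days")
    return findings


def config_evaluations(resources: list[dict], today: date) -> list[dict]:
    """Shape findings like the evaluations a Config rule returns via PutEvaluations.
    Annotation is omitted when compliant and capped at the API's 256 characters."""
    evaluations = []
    for r in resources:
        findings = evaluate_security_tags(r["tags"], today)
        evaluation = {
            "ComplianceResourceId": r["id"],
            "ComplianceType": "NON_COMPLIANT" if findings else "COMPLIANT",
        }
        if findings:
            evaluation["Annotation"] = "; ".join(findings)[:256]
        evaluations.append(evaluation)
    return evaluations


# Constructed sample inventory and evaluation date (not real resources).
SAMPLE_TODAY = date(2017, 9, 12)
SAMPLE_RESOURCES = [
    {"id": "i-0pci0001", "tags": {"Compliance": "PCI", "Network": "Red",
                                  "Permissions": "role/PaymentsAdmin", "LastReviewed": "2017-08-01"}},
    {"id": "i-0pci0002", "tags": {"Compliance": "PCI", "Network": "Amber",
                                  "Permissions": "role/PaymentsAdmin", "LastReviewed": "2017-08-01"}},
    {"id": "vol-0stale0", "tags": {"Compliance": "PII", "Permissions": "role/HRAdmin",
                                   "LastReviewed": "2017-01-15"}},
    {"id": "sg-0notags0", "tags": {"Name": "WEB-SG"}},
]


def run_sample() -> list[dict]:
    """Evaluate the constructed inventory as of the constructed date."""
    return config_evaluations(SAMPLE_RESOURCES, SAMPLE_TODAY)


if __name__ == "__main__":
    for e in run_sample():
        print(e["ComplianceResourceId"], e["ComplianceType"], e.get("Annotation", ""))
```

In a real rule the tag dictionary comes from the configuration item Config passes to the Lambda, and `today` from the clock; keeping the evaluation a pure function of tags and date is what makes the rule unit-testable against cases like the misplaced PCI instance and the stale review date above.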