Webinar: AWS Resource tagging for spend, asset management and security
Transcript of Webinar: AWS Resource tagging for spend, asset management and security
AWS Resource Tagging for spend, asset management, and security
Aaron C. Newman
Founder, CloudCheckr
Why Tag? What is Tagging About?
• Labelling/classifying resources
• So that you can keep track of them
• Allows you to report on what’s being used and who’s doing what
• When you have 1 application, 1 DevOps, 1 customer
• Tagging isn't as critical
• As you add 50+ instances, tagging starts to really help
• As you reach 1,000s of instances, not tagging is disastrous
What does a Resource Tag look like?
• Resource Tags consist of Key-Value Pairs
• E.g. CostCenter=proj1
• E.g. Department=Finance
• Tag Key – discrete way to classify a resource
• E.g. CostCenter, Department
• Tag Value – the specific item or group you want to classify
• E.g. Proj1, Finance
• A resource (EC2 instance, EBS Volume) is “labelled” with a resource tag
• Resources can then be filtered by a resource tag
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
What is a Tagging Strategy?
• How do you want to view/report on assets/resources?
• What types of items should you consider tagging?
• Application, Cost center, Charge codes, Owner, Department, Expiration Date
• Challenges with tagging
• Tags are case-sensitive and free-form text
• Not all resources can be tagged
• Hard to enforce tagging
• Resources are tagged at the account level
Creating Tagging Rules
• Define the rules for tagging resources
Example: All EC2 instances must be tagged with department
Example: The Department tag must be a valid department
Example: All resources must be tagged with Environment of Prod, QA, Staging, or Development
• Enforce the tagging rules
• Police untagged resources
• Cross-reference untagged resources to IAM users
• Use CloudTrail to cross-reference
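Added example (not from the webinar or from CloudCheckr): a small audit that applies the tagging rules above to an inventory and uses CloudTrail RunInstances records to name the IAM user who launched each non-compliant instance. The instance IDs, user names, department list and function names are constructed assumptions; the inventory and events are inline sample data, not real account output.

```python
RULES = {
    "Department": {"Finance", "Engineering"},                 # assumed valid departments
    "Environment": {"Prod", "QA", "Staging", "Development"},  # values from the slide
}
# Constructed inventory: instance id -> tags, shaped like EC2 DescribeInstances "Tags".
INSTANCES = {
    "i-0aaa": [{"Key": "Department", "Value": "Finance"}, {"Key": "Environment", "Value": "Prod"}],
    "i-0bbb": [{"Key": "department", "Value": "Finance"}, {"Key": "Environment", "Value": "prod"}],
    "i-0ccc": [],
}

def run_event(user, ids):
    """Build a constructed CloudTrail RunInstances record (only the fields used here)."""
    return {"eventName": "RunInstances", "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"instancesSet": {"items": [{"instanceId": i} for i in ids]}}}

TRAIL = [run_event("alice", ["i-0aaa", "i-0bbb"]), run_event("bob", ["i-0ccc"]),
         {"eventName": "StopInstances", "userIdentity": {"userName": "carol"}, "responseElements": None}]

def check_tags(tags):
    """Return the rule violations for one resource's tag list."""
    found = {t["Key"]: t["Value"] for t in tags}
    by_lower = {k.lower(): k for k in found}
    problems = []
    for key, allowed in RULES.items():
        if key not in found:
            # Tag keys are case-sensitive: 'department' does not satisfy 'Department'.
            near = by_lower.get(key.lower())
            problems.append(f"{key}: wrong case '{near}'" if near else f"{key}: missing")
        elif found[key] not in allowed:
            problems.append(f"{key}: invalid value '{found[key]}'")
    return problems

def launchers(trail):
    """Map instance id -> IAM user name, taken from RunInstances events only."""
    owner = {}
    for ev in (e for e in trail if e.get("eventName") == "RunInstances"):
        items = ((ev.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        for item in items:
            owner[item["instanceId"]] = ev.get("userIdentity", {}).get("userName", "unknown")
    return owner

def audit(instances, trail):
    """Return {instance_id: (launching_user, violations)} for non-compliant resources."""
    who = launchers(trail)
    return {iid: (who.get(iid, "unknown"), p)
            for iid, tags in instances.items() if (p := check_tags(tags))}

if __name__ == "__main__":
    print(audit(INSTANCES, TRAIL))
```

Because tags are case-sensitive free-form text, the check reports a wrong-case key separately from a missing one, which makes the follow-up with the launching user more specific.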
Using Resource Tags
• Two places they can be used
• Through the AWS Management Console
• Mainly for asset management
• Through the Detailed Billing Report
• Mainly for cost allocation
New AWS Management Console features
• New feature: Resource Groups
• https://resources.console.aws.amazon.com/r/group
• New feature: Tag Editor
• https://resources.console.aws.amazon.com/r/tags
DEMO
Build a Strategy for Cost Allocation
• Tag your resources so you can allocate costs
• Tie costs to applications and resource owners
• Provides visibility into what you are spending
• Identify and classify costs
• So that you can reduce them
• Locate and eliminate untagged resources
You can’t optimize what you can’t measure
Tagging in the Detailed Billing Report
• What’s tagged in an account flows into the DBR
• Need to configure which Tag Keys flow into the DBR from the master payer
• Need to tag the resources in the payee account
• Coordinating both can be complex if different people are managing the 2 accounts
• Configuring Tag Keys for the DBR
• Can designate up to 10 Tag Keys to flow through
• This is for all payees across the consolidated bill
• Unlimited number of Tag Values can flow through
• For example, Stack=Test or Stack=Production, Application=SW1 or Application=SW2
• Each Tag Key you designate becomes a header in the DBR
Resource Tagging in IAM Policies
• July 2013: Amazon releases support for Resource-based Permissions for EC2/RDS
• Allows people to define IAM policies with “conditions” such as:
"Condition": { "StringEquals": { "ec2:ResourceTag/YourTagKey": "true" } }
• Does not support “ec2:ResourceValue/tag-value”
• Need to do tricks like ${aws:username} or use TagKey as identifier
http://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/Resource-level-Permissions-for-EC2-Controlling-Management-Access-on-Specific-Ins
https://aws.amazon.com/blogs/aws/resource-permissions-for-ec2-and-rds-resources/
Example IAM Policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/owner": "${aws:username}"
        }
      },
      "Resource": [
        "arn:aws:ec2:your_region:your_account_ID:instance/*"
      ],
      "Effect": "Allow"
    }
  ]
}
• Amazon Management Console
• Configuring Detailed Billing Reports
• CloudCheckr
• Allocating costs
• Monitoring your tagging strategy
DEMO
Thank You for Attending
Sign up today for free evaluation at http://cloudcheckr.com
Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at: [email protected]