To move forward with tag automation, we need to treat metadata (tags) like cattle rather than pets. Many AWS services can help us control and improve our tagging practices efficiently. These services can ensure tags are in place when required, and they let us control who is allowed to modify or delete those tags.

  1. AWS Service Catalog

    AWS Service Catalog allows organizations to create and manage catalogs of IT services approved for use on AWS. These IT services can include everything from virtual machines, images, servers, software, and databases to complete multi-tier application environments. AWS Service Catalog enables a self-service capability for users, allowing them to manage the services they need while also helping you to maintain consistent governance – including the application of required tags and tag values.

  2. AWS CloudFormation, Terraform, or CDK

    You can use a common language for provisioning all the infrastructure resources in your cloud environment: simple files that create AWS resources in an automated and secure manner. When you create AWS resources using these tools, you can define the Tags property to apply tags to certain resource types upon creation.

    <aside> 💡 Auto tagging may not be available for some resources. For more information, read the exceptions section under Tagging with Terraform, Tagging with CDK, and Tagging with CloudFormation.

    </aside>

  3. Lock Down Tags Used for Access Control

    Using IAM, you can create and manage AWS users and groups and use permissions to allow or deny their access to AWS resources. You can specify resource-level permissions, including specific permissions for creating and deleting tags. In addition, your policies can include condition keys, such as aws:RequestTag and aws:TagKeys, to prevent resources from being created if specific tags or tag values are not present.
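
The policy below is an added example, not part of the original page: it applies the two condition keys named above to `ec2:RunInstances` and locks down a tag used for access control. The tag keys `CostCenter` and `Environment`, and the choice of EC2 as the service, are assumptions for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLaunchWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" }
      }
    },
    {
      "Sid": "DenyLaunchWithUnapprovedTagKeys",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "aws:TagKeys": ["CostCenter", "Environment"]
        }
      }
    },
    {
      "Sid": "DenyChangingCostCenterAfterLaunch",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["CostCenter"] },
        "StringNotEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}
```

These statements only deny; the principal still needs a separate Allow for `ec2:RunInstances` and `ec2:CreateTags`. The `ec2:CreateAction` condition in the third statement exempts tagging that happens as part of the launch itself, so the required tag can be set at creation but not altered or removed afterwards.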

Tag Governance Process

For further improvements on tagging strategies, we can define a process in which we will have specific steps for adding, modifying, and deleting tags in our system. A simple tag governance process could include: