# Compliance Tagging Strategies

## Overview

Tags are essential for cost allocation, security ownership, compliance, and automation. This skill covers mandatory tag enforcement, consistent tagging patterns, and tag-based policies.
```mermaid
graph TB
  subgraph "Tag Sources"
    TF[Terraform default_tags]
    CDK[CDK Tags.of]
    SCP[Service Control Policies]
  end
  subgraph "Tag Uses"
    Cost[Cost Allocation]
    Security[Security Ownership]
    Compliance[Compliance Reports]
    Automation[Automation Triggers]
  end
  TF --> Cost
  CDK --> Security
  SCP --> Compliance
  TF --> Automation
```
## Standard Tag Schema

| Tag | Required | Values | Purpose |
|---|---|---|---|
| Environment | ✅ | dev, staging, prod | Environment identification |
| Project | ✅ | project name | Cost allocation, grouping |
| Owner | ✅ | team or email | Ownership, contact |
| CostCenter | ✅ | cost center code | Billing allocation |
| ManagedBy | ✅ | terraform, cdk, manual | Change tracking |
| DataClassification | 🔒 | public, internal, confidential, restricted | Security classification |
| Compliance | 🔒 | pci, hipaa, sox, none | Regulatory requirements |
| BackupPolicy | ⚙️ | daily, weekly, none | Automation trigger |
## Best Practices

- **Enforce at provider level** - Use `default_tags` in Terraform and `Tags.of()` in CDK
- **Prevent untagged resources** - SCPs to deny creation without required tags
- **Automate tag validation** - CI checks for tag presence
- **Use consistent casing** - PascalCase for keys, lowercase for values
- **Tag inheritance** - Child resources inherit parent tags
- **Cost allocation tags** - Activate in AWS Billing console
- **Regular tag audits** - Find and remediate untagged resources
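The "automate tag validation" and "regular tag audits" practices both need the same check: compare a resource's tag map against the standard schema and report what is wrong. The script below is an added example, not part of this skill page or its Terraform/CDK examples. It encodes the tag table above as a schema, applies the casing convention from this list, and runs as a CI step or scheduled audit that exits non-zero when any resource is non-compliant. The sample inventory is constructed; in practice the `(arn, tags)` pairs would come from the Resource Groups Tagging API.

```python
import re
import sys

# Tag schema transcribed from the standard tag table above. Required tags must
# be present on every resource; the others are checked only when present.
# A `values` of None means free-form text (project name, team, cost center).
TAG_SCHEMA = {
    "Environment": {"required": True, "values": {"dev", "staging", "prod"}},
    "Project": {"required": True, "values": None},
    "Owner": {"required": True, "values": None},
    "CostCenter": {"required": True, "values": None},
    "ManagedBy": {"required": True, "values": {"terraform", "cdk", "manual"}},
    "DataClassification": {
        "required": False,
        "values": {"public", "internal", "confidential", "restricted"},
    },
    "Compliance": {"required": False, "values": {"pci", "hipaa", "sox", "none"}},
    "BackupPolicy": {"required": False, "values": {"daily", "weekly", "none"}},
}

# Casing convention from the best-practices list: PascalCase keys, lowercase values.
PASCAL_CASE = re.compile(r"^[A-Z][A-Za-z0-9]*$")


def validate_tags(tags):
    """Return a list of violations (strings) for one resource's tag map.

    An empty list means the resource is compliant with the schema.
    """
    violations = []
    # 1. Every required key must be present. The lookup is case-sensitive, so
    #    a miscased key such as "environment" also counts as missing.
    for key, spec in TAG_SCHEMA.items():
        if spec["required"] and key not in tags:
            violations.append(f"missing required tag {key}")
    # 2. Casing and allowed values for every tag that is present.
    for key, value in tags.items():
        if not PASCAL_CASE.match(key):
            violations.append(f"tag key {key!r} is not PascalCase")
        if value != value.lower():
            violations.append(f"value {value!r} for {key} is not lowercase")
        spec = TAG_SCHEMA.get(key)
        if spec and spec["values"] is not None and value not in spec["values"]:
            allowed = ", ".join(sorted(spec["values"]))
            violations.append(f"value {value!r} for {key} not in [{allowed}]")
    return violations


def audit_resources(resources):
    """Map resource ARN -> violations, keeping only non-compliant resources.

    `resources` is an iterable of (arn, tags) pairs, the shape you get by
    flattening the Resource Groups Tagging API's GetResources output.
    """
    report = {}
    for arn, tags in resources:
        violations = validate_tags(tags)
        if violations:
            report[arn] = violations
    return report


# Constructed sample inventory (not real resources): one compliant EC2
# instance and one hand-made S3 bucket that breaks several rules.
SAMPLE_RESOURCES = [
    (
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
        {
            "Environment": "prod",
            "Project": "payments",
            "Owner": "team-payments",
            "CostCenter": "cc-1001",
            "ManagedBy": "terraform",
            "DataClassification": "confidential",
            "Compliance": "pci",
        },
    ),
    (
        "arn:aws:s3:::adhoc-bucket-example",
        {"environment": "Prod", "Owner": "alice", "ManagedBy": "clickops"},
    ),
]


if __name__ == "__main__":
    # CI / audit entry point: print findings and fail the job if any exist.
    findings = audit_resources(SAMPLE_RESOURCES)
    for arn, problems in findings.items():
        print(arn)
        for problem in problems:
            print(f"  - {problem}")
    sys.exit(1 if findings else 0)
```

The missing-key check runs before the per-tag checks so a miscased key is reported twice, once as "missing" and once as a casing problem; that is deliberate, because provider-level `default_tags` and SCPs match keys case-sensitively too, and a `environment` tag will not satisfy an `Environment` requirement anywhere in the pipeline.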
## Example 1: Terraform - Default Tags with Validation

Complete tagging strategy with provider-level defaults and validation.

📁 **Location:** `terraform/examples/compliance-tagging/`

### Key Features
```hcl
# Provider-level default tags (applied to ALL resources)
provider "aws" {
  default_tags {
    tags = {
      Environment        = var.environment
      Project            = var.project_name
      Owner              = var.owner
      CostCenter         = var.cost_center
      ManagedBy          = "terraform"
      DataClassification = var.data_classification
      Compliance         = var.compliance_framework
    }
  }
}

# Variable validation for tag values
variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be dev, staging, or prod."
  }
}
```
## Example 2: CDK - Aspects for Cross-Cutting Tagging

Using CDK Aspects for automatic tagging across all constructs.

📁 **Location:** `cdk/examples/compliance-tagging/`

### Key Features
```typescript
import * as cdk from 'aws-cdk-lib';
import { IConstruct } from 'constructs';

// Shape of the required tag values (assumed here; the original excerpt did not define it)
interface RequiredTags {
  environment: string;
  project: string;
  owner: string;
  costCenter: string;
}

// Tagging aspect that validates and applies tags
class ComplianceTaggingAspect implements cdk.IAspect {
  constructor(private readonly tags: RequiredTags) {
    // Fail synthesis early if any required value is empty
    for (const [key, value] of Object.entries(tags)) {
      if (!value) throw new Error(`Required tag value missing: ${key}`);
    }
  }

  public visit(node: IConstruct): void {
    if (cdk.TagManager.isTaggable(node)) {
      // Apply required tags through the node's own TagManager. Calling
      // Tags.of(node).add() here would register a new aspect while aspects
      // are already being applied, which CDK warns about and may skip.
      node.tags.setTag('Environment', this.tags.environment);
      node.tags.setTag('Project', this.tags.project);
      node.tags.setTag('Owner', this.tags.owner);
      node.tags.setTag('CostCenter', this.tags.costCenter);
      node.tags.setTag('ManagedBy', 'cdk');
    }
  }
}

// Apply to entire app (`app` and `requiredTags` are defined elsewhere in the example)
cdk.Aspects.of(app).add(new ComplianceTaggingAspect(requiredTags));
```
## SCP for Tag Enforcement

Prevent resource creation without required tags. The `Null` condition with the value `"true"` matches when the named tag key is absent from the request, so each Deny fires on a create call that omits its tag. Keys listed under one condition operator are combined with AND, so each required tag gets its own statement; a single `Null` block listing both keys would only deny requests that are missing both.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireEnvironmentTagOnCreate",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "rds:CreateDBInstance",
        "s3:CreateBucket"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "RequireOwnerTagOnCreate",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "rds:CreateDBInstance",
        "s3:CreateBucket"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Owner": "true"
        }
      }
    }
  ]
}
```
## Validation Checklist

- `default_tags` configured in Terraform provider
- CDK Aspects apply tags to all resources
- Required tags validated in CI pipeline
- SCPs prevent untagged resource creation
- Cost allocation tags activated in Billing
- Tag audit scheduled (monthly)
## Related Skills

- **Cost Governance** - Tag-based cost tracking
- **Policy as Code** - Enforce tags with OPA
- **Naming & Tagging Standards** - Naming conventions