AgentSkillsCN

Compliance Tagging Strategies

Implement a mandatory tagging scheme for cost allocation, security ownership, and enforceable policy compliance.

SKILL.md
---
name: Compliance Tagging Strategies
description: Implement mandatory tagging for cost allocation, security ownership, and compliance with enforceable policies
---

Compliance Tagging Strategies

Overview

Tags are the hook for cost allocation, security ownership, compliance reporting, and automation (backup and lifecycle jobs keyed on a tag value). This skill covers mandatory tag enforcement at the IaC layer and in AWS Organizations, consistent tagging patterns, and tag-based policies.

```mermaid
graph TB
    subgraph "Tag Sources"
        TF[Terraform default_tags]
        CDK[CDK Tags.of]
        SCP[Service Control Policies]
    end

    subgraph "Tag Uses"
        Cost[Cost Allocation]
        Security[Security Ownership]
        Compliance[Compliance Reports]
        Automation[Automation Triggers]
    end

    TF --> Cost
    CDK --> Security
    SCP --> Compliance
    TF --> Automation
```

Standard Tag Schema

| Tag | Required Values | Purpose |
|---|---|---|
| Environment | dev, staging, prod | Environment identification |
| Project | project name | Cost allocation, grouping |
| Owner | team or email | Ownership, contact |
| CostCenter | cost center code | Billing allocation |
| ManagedBy | terraform, cdk, manual | Change tracking |
| DataClassification 🔒 | public, internal, confidential, restricted | Security classification |
| Compliance 🔒 | pci, hipaa, sox, none | Regulatory requirements |
| BackupPolicy ⚙️ | daily, weekly, none | Automation trigger |

🔒 security-relevant tag (drives access decisions and audit scope); ⚙️ tag whose value triggers automation.

Best Practices

  1. Enforce at provider level - Use default_tags in Terraform, Tags.of() or an Aspect in CDK, so no individual resource definition has to remember the tags
  2. Prevent untagged resources - SCPs that deny create calls missing a required tag (one Deny statement per tag key; keys listed under a single condition operator are ANDed)
  3. Automate tag validation - CI checks on the plan output for required keys and allowed values, before apply
  4. Use consistent casing - PascalCase for keys, lowercase for values; StringEquals conditions on aws:RequestTag values are case-sensitive, so "Prod" is not "prod"
  5. Tag inheritance - Child resources inherit parent tags
  6. Cost allocation tags - Activate in the AWS Billing console; a tag key only appears in Cost Explorer and cost reports after activation
  7. Regular tag audits - Find and remediate untagged or mis-tagged resources
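The CI check in item 3 is easiest to run against the JSON form of a plan (`terraform show -json tfplan`), where `resource_changes[].change.after.tags_all` holds the effective tags after provider `default_tags` are merged in. The script below is an added example, not code from the original skill or its repository: it validates every resource the plan will create or update against the schema table above (required keys, allowed values, PascalCase keys, lowercase free-text values) and exits non-zero on any violation. The sample plan is constructed inline for an offline run; the schema dictionary and message formats are the example's own.

```python
"""CI check: validate the tags Terraform plans to apply against the tag schema.

Added example, not part of the original skill. Reads `terraform show -json`
output and checks resource_changes[].change.after.tags_all.
"""
import json
import re
import sys
from typing import Dict, List, Optional

# Tag schema from the table above: allowed value set, or None for free text.
REQUIRED_TAGS: Dict[str, Optional[set]] = {
    "Environment": {"dev", "staging", "prod"},
    "Project": None,
    "Owner": None,
    "CostCenter": None,
    "ManagedBy": {"terraform", "cdk", "manual"},
    "DataClassification": {"public", "internal", "confidential", "restricted"},
    "Compliance": {"pci", "hipaa", "sox", "none"},
}
OPTIONAL_TAGS: Dict[str, Optional[set]] = {"BackupPolicy": {"daily", "weekly", "none"}}
PASCAL_CASE = re.compile(r"^[A-Z][A-Za-z0-9]*$")


def validate_tags(address: str, tags: Dict[str, str]) -> List[str]:
    """Return violations for one resource's effective tags."""
    problems = []
    for key in REQUIRED_TAGS:
        if key not in tags:
            problems.append(f"{address}: missing required tag {key}")
    for key, value in tags.items():
        if not PASCAL_CASE.match(key):
            problems.append(f"{address}: tag key {key!r} is not PascalCase")
        allowed = REQUIRED_TAGS.get(key, OPTIONAL_TAGS.get(key))
        if allowed is not None and value not in allowed:
            problems.append(f"{address}: tag {key}={value!r} not in {sorted(allowed)}")
        elif allowed is None and value != value.lower():
            problems.append(f"{address}: tag {key}={value!r} is not lowercase")
    return problems


def validate_plan(plan: dict) -> List[str]:
    """Check every managed resource the plan will create or update."""
    problems = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc.get("mode") == "data" or change["actions"] in (["delete"], ["no-op"]):
            continue
        after = change.get("after") or {}
        # tags_all is absent for types that cannot carry tags and when the
        # value is not known until apply (it then appears under after_unknown).
        if "tags_all" not in after:
            continue
        problems.extend(validate_tags(rc["address"], after["tags_all"] or {}))
    return problems


# Constructed sample plan (trimmed to the fields the check reads).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-logs", "tags_all": {
             "Environment": "prod", "Project": "audit", "Owner": "secops@example.com",
             "CostCenter": "cc-1001", "ManagedBy": "terraform",
             "DataClassification": "confidential", "Compliance": "sox"}}}},
        {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"instance_type": "t3.micro", "tags_all": {
             "Environment": "Prod", "Project": "web", "Owner": "web@example.com",
             "CostCenter": "cc-1002", "ManagedBy": "terraform",
             "data_classification": "internal", "Compliance": "none"}}}},
        {"address": "aws_iam_role.old", "mode": "managed", "type": "aws_iam_role",
         "change": {"actions": ["delete"], "after": None}},
    ],
}


def main(path: Optional[str] = None) -> int:
    """Validate the plan file at `path` (or the sample); 1 = violations found."""
    if path is None:
        plan = SAMPLE_PLAN
    else:
        with open(path, encoding="utf-8") as fh:
            plan = json.load(fh)
    problems = validate_plan(plan)
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `terraform show -json tfplan | python check_tags.py /dev/stdin` in the pipeline step after `terraform plan`. The sample plan shows the three failure modes the check is for: a wrongly cased value ("Prod"), a key that does not follow the schema's casing ("data_classification"), and a required key missing entirely; the deletion is skipped because there is nothing to tag.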

Example 1: Terraform - Default Tags with Validation

Complete tagging strategy with provider-level defaults and validation. default_tags are merged into every resource's tags_all, and a resource-level tags entry with the same key overrides the default; resources that manage tags through nested blocks (aws_autoscaling_group) are not covered by default_tags and need explicit tags.

📁 Location: terraform/examples/compliance-tagging/

Key Features

```hcl
# Provider-level default tags (merged into every taggable resource)
provider "aws" {
  default_tags {
    tags = {
      Environment        = var.environment
      Project            = var.project_name
      Owner              = var.owner
      CostCenter         = var.cost_center
      ManagedBy          = "terraform"
      DataClassification = var.data_classification
      Compliance         = var.compliance_framework
    }
  }
}

# Variable validation rejects values outside the schema at plan time
variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be dev, staging, or prod."
  }
}
```

Example 2: CDK - Aspects for Cross-Cutting Tagging

Using CDK Aspects for automatic tagging across all constructs.

📁 Location: cdk/examples/compliance-tagging/

Key Features

```typescript
import * as cdk from 'aws-cdk-lib';
import { IConstruct } from 'constructs';

// Tag values every construct in the app must carry (ManagedBy is fixed to "cdk")
interface RequiredTags {
  environment: 'dev' | 'staging' | 'prod';
  project: string;
  owner: string;
  costCenter: string;
}

// Tagging aspect that applies the required tags to every taggable construct
class ComplianceTaggingAspect implements cdk.IAspect {
  constructor(private readonly tags: RequiredTags) {}

  public visit(node: IConstruct): void {
    if (cdk.TagManager.isTaggable(node)) {
      // Write to the construct's TagManager directly. Calling Tags.of(node).add()
      // here would register a new Tag aspect while aspects are already being
      // invoked, and CDK warns that aspects added that way are not applied.
      node.tags.setTag('Environment', this.tags.environment);
      node.tags.setTag('Project', this.tags.project);
      node.tags.setTag('Owner', this.tags.owner);
      node.tags.setTag('CostCenter', this.tags.costCenter);
      node.tags.setTag('ManagedBy', 'cdk');
    }
  }
}

// Apply to the entire app so every stack and resource is visited;
// requiredTags is read from cdk.json context (context key name is an assumption)
const app = new cdk.App();
const requiredTags: RequiredTags = app.node.tryGetContext('requiredTags');
cdk.Aspects.of(app).add(new ComplianceTaggingAspect(requiredTags));
```

SCP for Tag Enforcement

Prevent resource creation without required tags. Each required key gets its own Deny statement: keys listed under a single condition operator are evaluated with a logical AND, so a single Null block naming both Environment and Owner would deny only requests missing both tags. Null checks presence only; to restrict values, add a further Deny with StringNotEquals on aws:RequestTag/Environment (comparison is case-sensitive). Confirm in the Service Authorization Reference that each listed action accepts aws:RequestTag in the create call, because a Null deny on an action whose create API cannot carry tags blocks every call. SCPs do not apply to the management account, so its resources still need the CI check.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireEnvironmentTagOnCreate",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "rds:CreateDBInstance",
        "s3:CreateBucket"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "RequireOwnerTagOnCreate",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "rds:CreateDBInstance",
        "s3:CreateBucket"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Owner": "true"
        }
      }
    }
  ]
}
```
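To see why the per-key split matters before pushing a policy to an organization, it helps to evaluate candidate SCPs against sample create requests offline. The evaluator below is an added example, not code from the original skill or from AWS: it implements only the condition subset these SCPs use (Deny effect, Null, StringEquals, StringNotEquals, wildcard Action matching, AND across keys and operators) and is not a general policy engine. It compares the combined-keys form (two tags under one Null operator) with the per-key form plus a value restriction; the statements, Sids, and sample requests are constructed for the example.

```python
"""Evaluate tag-enforcement SCPs against sample create requests.

Added example, not part of the original skill. Implements only the IAM
condition subset used by these policies; not a general policy engine.
"""
import fnmatch
from typing import Dict, List, Union

CREATE_ACTIONS = ["ec2:RunInstances", "rds:CreateDBInstance"]


def deny(sid: str, condition: Dict) -> Dict:
    """Build a Deny statement over the create actions with the given condition."""
    return {"Sid": sid, "Effect": "Deny", "Action": CREATE_ACTIONS,
            "Resource": "*", "Condition": condition}


# Two keys under one Null operator are ANDed: denies only when BOTH tags are absent.
COMBINED_SCP = {"Version": "2012-10-17", "Statement": [
    deny("RequireTagsOnCreate", {"Null": {"aws:RequestTag/Environment": "true",
                                          "aws:RequestTag/Owner": "true"}}),
]}

# One statement per required key, plus a value restriction. Null:"false" is
# paired with StringNotEquals so the missing-key case is decided by the
# per-key statements rather than by the negated operator.
SPLIT_SCP = {"Version": "2012-10-17", "Statement": [
    deny("RequireEnvironmentTag", {"Null": {"aws:RequestTag/Environment": "true"}}),
    deny("RequireOwnerTag", {"Null": {"aws:RequestTag/Owner": "true"}}),
    deny("RestrictEnvironmentValues", {
        "Null": {"aws:RequestTag/Environment": "false"},
        "StringNotEquals": {"aws:RequestTag/Environment": ["dev", "staging", "prod"]},
    }),
]}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: Dict, ctx: Dict[str, str]) -> bool:
    """Every operator block and every key inside it must match (logical AND)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = _as_list(expected)
            present = key in ctx
            if operator == "Null":
                # Null:"true" matches an absent key, Null:"false" a present one
                want_absent = expected[0].lower() == "true"
                if present == want_absent:
                    return False
            elif operator == "StringEquals":
                # case-sensitive; several values for one key are ORed
                if not present or ctx[key] not in expected:
                    return False
            elif operator == "StringNotEquals":
                if present and ctx[key] in expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def request_context(tags: Dict[str, str]) -> Dict[str, str]:
    """aws:RequestTag/* context keys for a create call that carries `tags`."""
    return {f"aws:RequestTag/{key}": value for key, value in tags.items()}


def denied_by(scp: Dict, action: str, tags: Dict[str, str]) -> List[str]:
    """Sids of Deny statements that match the action and request tags."""
    ctx = request_context(tags)
    return [
        stmt["Sid"]
        for stmt in scp["Statement"]
        if stmt["Effect"] == "Deny"
        and any(fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"]))
        and _condition_matches(stmt.get("Condition", {}), ctx)
    ]


if __name__ == "__main__":
    for label, scp in (("combined", COMBINED_SCP), ("split", SPLIT_SCP)):
        for tags in ({}, {"Environment": "prod"}, {"Environment": "Prod", "Owner": "team"}):
            print(label, tags, "->", denied_by(scp, "ec2:RunInstances", tags) or "allowed")
```

The request carrying only `Environment=prod` is the instructive case: the combined statement lets it through because Owner alone being absent does not satisfy both Null keys, while the split policy denies it on `RequireOwnerTag`. `Environment=Prod` passes every Null check (the key is present) and is caught only by the value restriction. An action outside the list, such as ec2:CreateVolume, is never evaluated, which is the reason the action list needs to be maintained alongside the schema.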

Validation Checklist

  • default_tags configured in Terraform provider (explicit tags on resources default_tags cannot reach)
  • CDK Aspect applies tags to all taggable constructs
  • Required tag keys and allowed values validated in CI pipeline before apply
  • SCPs prevent untagged resource creation (one Deny statement per required key)
  • Cost allocation tags activated in Billing
  • Tag audit scheduled (monthly)

Related Skills