Cost Optimization - Tagging.pptx

© 2022, Amazon Web Services, Inc. or its affiliates.
Techniques: Tagging
Presenter Name, title & team
Date
AWS Cost Optimization Workshop

Agenda
• Tag Taxonomy
• Proactive vs Reactive Tag Governance
• Proactive Tag Governance
• Tags Policies
• IAM or Organization Service Control Policies
• AWS Config Rules
• Reactive Tag Governance Tags Policies
• AWS Config rules
• Example Use Cases

Tagging is like exercising
Everyone agrees it should be done …
But it is hard to implement and keep consistent.

Tagging – Basic rules
• Maximum number of tags per resource – 50
• Maximum active tags keys for Billing and Cost Management reports - 500
• For each resource, each tag key must be unique, and each tag key can have only
one value.
• Maximum key length – 128 Unicode characters in UTF-8
• Maximum value length – 256 Unicode characters in UTF-8
• Although EC2 allows for any character in its tags, other services are more
restrictive. The allowed characters across services are: letters, numbers,
and spaces representable in UTF-8, and the following characters: + - = . _
: / @.
• Tag keys and values are case-sensitive.
• The aws: prefix is reserved for AWS use. If a tag has a tag key with this prefix,
then you can't edit or delete the tag's key or value. Tags with the aws: prefix do
not count against your tags per resource limit.

Resource tags vs Cost Allocation tags
• Cost allocations tags are a subset of
resource tags that can be used for
billing/financial purposes.
• Cost allocation tags needs to be
enabled in the billing console of the
master account
• It may take up to 24 hrs. to get cost
allocation tags to show up on billing.
Applies to line items on a going forward
basis

Customer Tags and AWS-Generated Tags
All tags with aws: as prefix are tags generated by AWS and are related to services in use
The aws:createdBy is applied only to resources created after the tag was activated
Those tags and the tags created by the customers needs to be activated in the billing console
in order to be reflected in CUR and Cost Explorer.
Best practice is to enable
AWS-generated cost
allocation tags

Tagging –Taxonomy example

What this presentation is focused on
Basic Tagging categories:
• Technical
• Automation
• Security
• Business

Tagging – What happens if tagging is not enforced

Business Tag Taxonomy
Benefits
• Standardizes tags across accounts
• Focus on business needs
• Enables business insights
Action
• Agree a taxonomy with business stakeholders
• Implement a proactive/reactive tagging strategy and a way to enforce it
Tools
• AWS Tags Policies
• AWS Config Rules
• AWS Service Control Policies (SCP)
• AWS Tag Editor
• Third party – with aws api

Example Taxonomy – real use case from large enterprise customers
Tag Rationale Example
ProjectId Identify the project running the application ProjectX
ApplicationId Identify the application DataLakeX, RetailSiteX
LayerId SubComponent / Layer DB Layer, Web, Layer
BusinessUnitId Identify the business unit
ArchitectureBusinessUnit,
OperationBusinessUnit
CostCenterId Identify the Cost Center
EnvironmentId
to identify the environment where the application is
running
Prod, Dev, Test
RightSizingId Allows to track cost/hours of resources targeted for RS Q1 2018-6hexcode
SourceInstanceType Defines the original instance type to be rightsized R5.8xlarge
DestinationInstanceTyp
e
Defines the target instance type for the rightsizing R5.xlarge
ArnId Track top resources by ARN unique identifiers
TeamName/ID To identify a specific team/owner
aws:createdBy AWS-Generated cost allocation tags
AssumedRole:[Role Key
ID]:DummyUser
aws:*
Anything with aws: prefix is automatically generated by
aws
EXAMPLE

Tagging – Lessons Learnt
• Don’t overload tags,
• i.e. Tag1: test1:awsenv2:12734:external
• Enable them in PoCs
• Agree a simple taxonomy
• Specially important when multiple teams use the same account
• Critical to allocate credits later on to report and chargeback
• Ensure consistency in consolidated account families.
• Use automation when possible to catch duplicates, misspellings, etc.
• DBR and CUR are not retroactive, careful with yearly summaries if tagging
was not implemented.

Tag Enforcement

Proactive
• Good for new workloads and when
considering tags in the project design
phase
• Could break automation for existing
workload
• Can work only if the API’s support atomic
operations (similar to SCP or IAM)
• AWS Tools: Tag policies, AWS
Organization SCP, IAM Policies, Service
Catalog tags
Tags - Proactive vs Reactive tags enforcement
Reactive
• Good for existing workloads
• Possibility to have compliance reports to
provide a list of non compliant resources to
action, manually or automatically
• Does not break existing automations
• AWS Tools: Tag Editor, AWS Config rules,
Custom lambdas
Usually both methods need to be used for an effective Tag enforcement

Proactive Tag Enforcement
AWS Organizations
• SCP - Fine Grained Service Controlled Policies (Enforcement)
• Tag Policies (Validation)
Service Catalog
• Incorporate tagging (TagOptions) as part of product catalog items
Cloud Formation/Terraform
• Enforce tagging through your CloudFormation/Terraform IAC scripts
Note: Not all services support Tags and/or Tag enforcement.
Services and resource types that support enforcement (open link)

Service Control Policies (Enforce)
Service control policies (SCPs) are a type of organization policy (JSON) that you can
use to manage permissions in your organization:
• A set of actions
• Their permissible values
• Any constraints you want to place on the actions

Tag Policies (Validate)
Tag policies are JSON files that define the following:
• A set of tag keys
• Their permissible values
• Any constraints you want to place on the use of tags for the accounts in your
organization
Be aware that Tag Policies will allow resources
without Tags. This is potentially addressed by
enforcement through SCP / IAM policies.

Tag policies
Tag policies blog
Tag policies Limits

Tags Policies - disabled by default

Creating a tag policy

Create a tag policy (2)

Attach a tag policy
Services and resource types that support enforcement

Tagging - Reactive Enforcement
Tag Governance should identify non-compliant resources and optionally initiate a remediation
action.
Reactive TAG Enforcement (Compliance)
• AWS Config rules
• Required-tags (managed rule)
• Set up custom rule
•Tag Editor
• Discover untagged/wrongly tagged assets
• To bulk filter, add, and edit tags
Can export resources and tags to csv
Turning on cost allocation tags
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html

Example AWS Config Rules
In this example AWS Config
rules will use the managed
rule “required-tags” to verify
that every asset has been
correctly tagged with a tag
named CostCenter with
allowed values 111 or 222.
Any asset identified not
having the required tag or the
required values in the tag will
be non-compliant.

From the EC2 console launch
two EC2 instances in the same
region as the rule, one with the
CostCenter tag 111 and one
without any tags.
From the AWS Config console
select the newly created rule and
refresh it until it detects the
creation events of the two new
instances.
Check the compliance status
section of the rule where you
should see 1 non-compliant
instance and 1 compliant.

When identifying a non
compliant asset one can choose
a remediation action:
You can edit the AWS Config
Rule to add a remediation action
for non-compliant assets.
In this example the non-
compliant EC2 instance will be
stopped.
Save the remediation action
Go back to the rule compliance
status and select the non-
compliant resource.
Select remediate.

Tag Editor
 Actions to manage tagging:
 Add
 Edit
 Delete
 Search and manage the resources that you want to tag via search
results
 Can also use Resource Group API

AWS TagEditor
Allow centralized orchestration of tagging enabling you to find resources in one or more AWS Regions.
You can choose up to 20 individual resource types, or build a query on All resource types.
Your query can include resources that already have tags, or resources that have no tags.
You can restrict permission to enable AWS TagEditor users to manage tags per specific services or resources.

Adding Tags
Find resources to tag

Adding Tags
Bulk editing tags

Adding Tags

Cost Reporting using Tags
Example

Enabling Cost Allocation Tags
For Cost explorer reporting, Tags need to be enabled for Cost allocation

EC2 Console Review
• Test environment is scheduled from running 24x7 to a schedule named “uk-working-days”
running 24x5 (i.e. Monday to Friday 24 hours on)
• Prod environment is NOT scheduled and left running 24x7

Cost Explorer Console View. (1/3)
• Before the schedule is enabled we will see a flat report in cost explorer when
filtering by ApplicationID and grouping by EnvironmentID.

Cost Explorer Console View (2/3).
• After the schedule is implemented in the Test environment we can see the
Test workloads being shut down over weekends

Cost Explorer Console View (3/3).
• In the below graph we can observe the evolution of Application2 before and after schedule

Tag Inheritance

Tags Inheritance
Not available on all services
Example: creating an instance with tags on creation will automatically
create the same tags on the volumes associated with the instances
Creating a volume from an existing snapshot will not inherit the tags
from the volume
Copying a snapshot will loose the tags

Thank you!

Appendix

Example - EC2 Rightsizing lab
A walkthrough on best practices to track and assess results achieved with operational cost
optimization tuning.
In this lab we use:
• EC2 rightsizing recommendation to identify underutilized instance with opportunity of cost
saving.
• CloudWatch metrics to refine the recommendation
• Rightsizing Cost allocation TAGs
• Cost Explorer

EC2 Rightsizing lab
Step 1 - Define EC2 rightsizing related user defined Cost Allocation TAGs to enable the tracking of
progress in EC2 Rightsizing exercise.
Step 2 - Enable the tags as User Defined Billing Tags.
Note. The activation of user defined cost allocation tags will requires some time to have the tags
available in Cost Explorer. Usually 24 hours are required.
Tag Name Description Example Fundamental
Name Instance human readable indentifier MyTestInstance N
CostOptimizationID Cost Optimization session ID 2021-Q1-EC2-001 Y
RightSizingID Cost Optimization session ID for RightSizing recommendation 2021-04-07-M N
SourceInstanceType Current under utilized instance type m3.large Y
DestinationInstanceType Target instance type, tipically from EC2-RightSizing recommendation or Compute Optimizer m3.medium Y

EC2 Rightsizing lab
Step 3 - Start to look first at EC2 Rightsizing recommendation to spot rightsizing cost saving opportunities.
Step 4 - Vet the eligibility of the instance for a further downscale:
Review CPU and other main metrics (memory/EBS metrics) for a longer period than 14 days. Inquiry the operational team
to establish if any other usage that justify the current instance type. If underutilisation is confirmed apply the tags.

EC2 Rightsizing lab
Step 5 - Apply Rightsizing Cost Optimization TAGs to the instance.
Note
AWS Tag Editor can be used to enable you to create, modify and delete tags for EC2 instance resources accessing the AWS Tag
Editor console with the minimum permissions set granted: EC2 service read only, EC2 create/delete TAG,
ResourceGroupsandTagEditorFullAccess.

EC2 Rightsizing lab
Step 6 - Establish a baseline for the current instance size
Review the traceability of the the cost looking at Cost Explorer for EC2-Instances running hours using the RighsizingID
as filter.

EC2 Rightsizing lab
Step 7 - Apply the rightsizing recommendation
Leave the instance running for a proper time to gather significant number of data points. Scale down the instance
considering what advised by the recommendation.
Step 8 - Operational review to vet the new instance type performances are in the expected range
Review effective pressure on CPU and other significant metric for the case of usage to verify if the new
configuration is able to perform as required

EC2 Rightsizing lab
Step 9 - Visualize the cost trend history for your EC2 Rightsizing cost optimization exercise.

Cost per day of MyTest instance with rightsized instance type moved from 0.14
$/hour to 0.07 $/hour
~50% savings of EC2 compute costs
Conclusions
The rightsizing generated savings of 50% of the ec2 instances computing costs for
MyTest instance where the rightsizing recommendation has been applied.
EC2 Rightsizing lab - Outcome

EC2 Rightsizing lab - Conclusion
Using the RightSizingID cost allocation tags strategy is now possible track the effectiveness of
our cost optimization.
When the right sizing is in place, you might want update values
of SourceInstanceType and DestinationInstanceType tags to be equal and use this to exclude
those instances from further cost optimisation exercises.
The same approach can be used for other rightsizing recommendations as for instance EBS
recommendations from Amazon Compute Optimizer.

TagEditor permission example
• Full access for TagEditor: ResourceGroupsandTagEditorFullAccess
• Allow access to TagEditor and enable query functionality to find resources filtering per regions,
resource types and tags
• Read only access for EC2: AmazonEC2ReadOnlyAccess
• Required to provide access to EC2 configuration information
• EC2 Tag permissions required to create/update/delete tags for EC2 resources
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Resource": "*"
}
]
}

Tags Policies compliance reports
Via cli and link
VIA S3 export
- s3 bucket must have appropriate permissions
- https://docs.aws.amazon.com/ARG/latest/userguide/tag-policies-
prereqs.html

Cost Optimization - Tagging.pptx

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cost Optimization - Tagging.pptx

Similar to Cost Optimization - Tagging.pptx (20)

Recently uploaded

Recently uploaded (20)

Cost Optimization - Tagging.pptx

Editor's Notes