AWS Standard Tagging

Cost Center 

• Used to help facilitate automated billing via the Cornell KFS system.
• Any AWS resource with that tag will be billed directly to the provided account number.
• Anything in a Cornell AWS account that is not tagged (or cannot be tagged) will be billed to the Cornell account number associated with the AWS account as a whole. 

• Note that applying the "Cost Center" tag to a resource does not retroactively adjust the billing data for the resource, prior to the tag being set. E.g., If you have an EC2 instance running 24/7 and you set the "Cost Center" tag for that instance on the 15^th day of the billing period, the "Cost Center" will be billed the cost of the EC2 instance starting from that day forward.

Tag key/name: "Cost Center"

Tag value formats:

• A seven-character KFS account number.
  OR
• A seven-character KFS account number, followed by a hyphen, followed by a sub-account number.
  OR
• A fully qualified KFS accounting string as outlined here: https://finance.cornell.edu/accounting/chartofaccounts/transactionstring
  • Under this scheme, the parts of the accounting string labeled as optional in the link above can be left off, but a total of six hyphens are required.

Optional Tags

Tags with these names are propagated to billing data. Tags with any other names are NOT propagated to billing data.

• "Resource"
  • This can be any identifier that makes sense for your deployment.
• "Technical Contact"
  • This should be a netid
• "Functional Contact"
  • This should be a netid
• "Environment"
  • dev
  • test
  • stage
  • prod
  • dev/test (for cases of where a resource is shared by multiple environments, e.g an RDS DB hosting both dev and test schemas)
• "Application"
  • Identifies the software application this Amazon resource supports.
  • Resources used by multiple applications could have a suggested value of “infrastructure”
  • the application should be in all lowercase
  • This tag is required on all billable resources for CIT AWS accounts
    • For resources used by staff for learning, experimentation, and trials, we suggest using the value of "sandbox".
    • In the joint training account, we suggest using the value "training".
• "Deployment"
  • This can be any identifier that makes sense for your deployment.
• "aws:createdBy"
  • You cannot set this tag, but this tag is automatically created by AWS and visible only in the billing data. The value of this tag will hold a canonical IAM principal ID of the entity that created the resource. You can use this tag in CloudCheckr reporting to get a breakdown of costs by the user that created given resources. See Use CloudCheckr to Report AWS Spend by User

AWS resource types that incur charges but cannot be tagged

Note that not all AWS resource types can be tagged. If a specific AWS resource type cannot be tagged but still incurs charges, there is no way to target those charges to a KFS account other than the default KFS account configured for the AWS account.

See AWS documentation "Tagging AWS resources".

How to determine what's tagged and what's not

• Use the resource group tag editor in your AWS Console: https://resources.console.aws.amazon.com/resource-groups/tag-editor/find-resources
  • The following resource types can be tagged but cannot be accessed via the above AWS tag editor:
    • WorkSpaces
    • CloudFront
    • EFS
    • DynamoDB
• In CloudCheckr: http://support.cloudcheckr.com/tagged-untagged-resource-reporting/

How to enforce tagging

In cloudcheckr: http://support.cloudcheckr.com/reports/cost-reporting/cost-related-tag-reports/.

AWS Tagging Strategies

https://aws.amazon.com/answers/account-management/aws-tagging-strategies/

Helpful Resources

AWS tag editor / search:
https://console.aws.amazon.com/resource-groups/tag-editor

On tagging batch environments:
https://aws.amazon.com/about-aws/whats-new/2017/10/tag-your-aws-batch-spot-managed-compute-environments/