The why, what and how of tagging resources in your AWS serverless application

If you’re building serverless applications in a large organisation where multiple teams are involved in their ongoing development and support, you may find yourself needing to answer questions such as:

• Who owns this resource? What application does it belong to?
• Who should we call when the application is broken?
• Who should pay for this resource? Which applications are driving our costs?
• Do access controls secure this resource appropriately?
• How much risk does our Cloud deployment have? Where is that risk concentrated?
• Which security improvements reduce our risk the most?

If so, then you should considering implementing resource tagging. Tagging involves applying one or more key-value tags to the resources deployed within your AWS accounts.

Stephen Kuenzli from k9 Security has just released this excellent guide to tagging cloud deployments. He describes the organisational challenges that drive the need to categorise cloud resources, as well as laying out a list of recommended tags to apply in order to answer all of the above questions.

So if Stephen’s guide covers the why and what of tagging your cloud resources, Jeremy Daly also has a recent article on how you can apply tags to your serverless resources, specifically Lambda functions. Both the Serverless Framework and SAM generally make this pretty easy to do, but there are certain gotchas to be aware of, as certain resource types make it more difficult to apply tags.

Here are the links to the 2 guides again:

• Guide to Tagging Cloud Deployments by Stephen Kuenzli
• How To: Tag Your Lambda Functions for Smarter Serverless Applications by Jeremy Daly

— Paul