The GDS Way and its content is intended for internal use by the GDS community.

Tagging AWS resources

We use AWS for hosting. Most AWS resources support tagging.

This manual documents our efforts with tagging. In time, it may be upgraded to a standard.

Why tag?

The main reasons for tagging are:

• to be able to understand costs (by assisting queries in Cost Explorer)
• to understand the provenance of resources (by tagging with metadata about source code)
• security and assurance

Currently, we care most about understanding costs.

It’s not always clear to a developer what impact their work has on AWS costs.

If resources are consistently tagged as part of a particular directorate, programme, product, component, team, and environment, it becomes much easier to understand how much money is being spent in each particular context.

AWS Cost Explorer supports using cost allocation tags to filter and group resources.

Note that using AWS Organizations to tag accounts does not help here, because account-level tags are not supported for querying in Cost Explorer.

Alerting and enforcement

Currently, we do not enforce tags.

In future, we may wish to consider mechanisms such as alerting on untagged resources, or automatically deleting untagged resources.

Mandatory

• Product: GOV.UK One Login / GOV.UK or DSP
• System: the name of the software system, for example Authentication or Identity proofing and verification core. Avoid abbreviations.
• Environment: should be one of production, staging, integration, or development.
• Owner: an email address for an owner for the resource. For dev environments, this will be an individual email address; elsewhere it will be a group address.

Optional

• Service: used to describe the function of a particular resource (for example: account management, session storage, front end)
• Source: the URL(s) for any source code repositories related to this resource, separated by spaces
• Exposure : should specify the level of exposure the resource has to determine its attack surface area. (for example internal or external)
• Data Classification : should specify the highest data classification level the resource handles. This will help internal security teams to know what level of controls to apply and help focus on the resources with greatest level of risk.
• Cost Centre : helps the organisation’s accounting or financial management system to track and allocate expenses or costs to specific departments, teams, projects, or functions

References

This is based on:

• AWS documentation and best practices on tagging
• GDS’s former tagging strategy
• MoJ digital tagging strategy
• the duckbill group’s guide to tagging best practices

This page was last reviewed on 30 October 2023. It needs to be reviewed again on 30 October 2024 by the page owner #gds-way .

This page was set to be reviewed before 30 October 2024 by the page owner #gds-way. This might mean the content is out of date.