Tagging for cost allocation or attribute-based access control (ABAC) - Amazon Simple Storage Service
How tags workCommon ways to use tagsPlanning your tagging strategyManaging tags for Amazon S3 resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tagging for cost allocation or attribute-based access control (ABAC)

An Amazon tag is a key-value pair that holds metadata. You attach the tags to your Amazon S3 resources, such as buckets. You can tag resources when you create them or manage tags on existing resources. There is no additional charge for using tags beyond the standard S3 API request rates. For more information, see Amazon S3 pricing.

How tags work

Amazon S3 support two types of tags:

  • Amazon-generated tags: Amazon automatically applies these tags, and you cannot modify them or remove them. To learn more about Amazon-generated tags, see Using Amazon-generated tags.

  • User-defined tags: You apply these tags to your S3 resources and manage them.

User-defined tags

A user-defined tag is a tag key-value pair that you use to label your resources. User-defined tags consist of a required key and an optional value. These are the main components of a user-defined tag:

The tag key

The tag key is the required name of the tag. For example, project is the tag key in the following tag key-value pair:

Key Value
project Trinity

The tag key is a case-sensitive string that must contain between 1 and 128 Unicode characters. Keys can only contain Unicode letters or numbers, white space, and the following symbols:

  • _ - underscore

  • . - period

  • : - colon

  • / - forward slash

  • = - equal sign

  • + - plus sign

  • @ - at sign

  • - - dash

The tag value

The tag value is an optional string. For example, Trinity is the tag value in this tag key-value pair:

Key Value
project Trinity

The tag value is a case-sensitive string that can contain between 0 and 256 Unicode characters. Values can only contain Unicode letters or numbers, white space, and the following symbols:

  • _ - underscore

  • . - period

  • : - colon

  • / - forward slash

  • = - equal sign

  • + - plus sign

  • @ - at sign

  • - - dash

For details on the characters allowed in user-defined tags and other restrictions, see User-Defined Tag Restrictions in the Amazon Billing and Cost Management User Guide.

The tag set

Each S3 resource has one tag set that contains all of the tag key and value pairs that are assigned to that bucket. A tag set can be empty, or it can contain as many as 50 user-defined tags, except in the case of tagging objects. Objects can have up to 10 tags only.

While each key must be unique in a tag set, you can use the same value multiple times. For example, you can have the same value, Trinity, for following two tag keys:

Key Value
project Trinity
cost-center Trinity

When you add a tag that has the same key as an existing tag, the new value overwrites the old value.

Amazon doesn't apply any semantic meaning to your tags. We interpret tags strictly as character strings.

To add, list, modify, or delete tags, you can use the Amazon S3 console, the Amazon Command Line Interface (Amazon CLI), or the Amazon S3 API.

Common ways to use tags

Use tags on your S3 resources for:

  1. Cost allocation – Track storage costs by bucket tag in Amazon Billing and Cost Management.

  2. Attribute-based access control (ABAC) – Scale access permissions and grant access to S3 resources based on their tags.

Note

You can use the same tags for both cost allocation and access control.

Using tags for cost allocation

Track your Amazon S3 storage costs by applying tags to S3 resources and activating these tags for cost allocation.

To start tracking costs:

  1. Add tags to your S3 resources or use existing tags. For example, you can label buckets with a tag that identifies a project or a group of projects.

  2. Activate the tags for cost allocation in the Amazon Billing and Cost Management console. See Activating user-defined cost allocation tags in the Amazon Billing and Cost Management User Guide. You can activate user-defined or Amazon-generated tags. For more information, see Organizing and tracking costs using Amazon cost allocation tags.

Amazon uses the activated tags to organize your resource costs in various billing and cost management tools, such as:

  • Cost allocation report

    Provides a high-level view of costs organized by your activated tags. For more information, see Using the monthly cost allocation report in the Amazon Billing User Guide.

  • Cost and Usage Report (CUR)

    Provides the most detailed set of Amazon cost and usage data, including tag-based cost breakdowns. For more information, see What are Amazon Cost and Usage Reports? in the Amazon Data Export User Guide.

Amazon S3 resources that support tracking costs with tags

The following Amazon S3 resources support storage cost tracking using tags.

Using tags for attribute-based access control (ABAC)

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes, i.e., tags. You can attach tags to Amazon Identity and Access Management (IAM) entities (users or roles) and to Amazon resources, such as Amazon S3 Access Points and directory buckets. Then, you control permissions to these resources using tag-based conditions in access control policies to allow or deny operations when these conditions are met.

With ABAC, you use tag-based condition keys in your Amazon organizations, IAM, and S3 resource policies. For enterprises, ABAC in Amazon S3 supports authorization across multiple Amazon accounts.

In your IAM policies, you can control access to S3 resources based on the bucket's tags by using condition keys.

Supported condition keys

You can use the following Amazon condition keys for all Amazon S3 resources that support ABAC.

  • aws:ResourceTag/key-name

  • aws:RequestTag/key-name

  • aws:TagKeys

Some resources support additional Amazon S3 condition keys. For a complete list of condition keys that can be used for ABAC and example policies, see the following tagging topics for the resource.

Amazon S3 resources that support ABAC

The following Amazon S3 resources support attribute-based access control (ABAC) using tags.

Planning your tagging strategy

We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. For more information about how to implement an effective resource tagging strategy, see the Tagging Best Practices Amazon Whitepaper.

Best practices for tagging Amazon S3 resources

When you use tags, we recommend that you adhere to the following best practices:

  • Document conventions for tag use that are followed by all teams in your organization. In particular, ensure the names are both descriptive and consistent. For example, standardize on the format environment:prod rather than tagging some resources with env:production.

    Important

    Do not store personally identifiable information (PII) or other confidential or sensitive information in tags.

  • Automate tagging to ensure consistency. For example, you can include tags in an Amazon CloudFormation template. When you create resources with the template, the resources are tagged automatically.

  • Use tags only when necessary. Avoid unnecessary tag proliferation and complexity.

  • Review tags periodically for relevance and accuracy. Remove or modify outdated tags as needed.

  • Consider creating tags with the Amazon Tag Editor in the Amazon Management Console. You can use the Tag Editor to add tags to multiple supported Amazon resources, including Amazon S3 resources, at the same time. For more information, see Tag Editor in the Amazon Resource Groups User Guide.

Managing tags for Amazon S3 resources

For more information on how to manage tags for Amazon S3 resources, see the following: