Using Tag Editor - Tagging Amazon Resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Tag Editor

Tags are key and value pairs that act as metadata for organizing your Amazon resources. With most Amazon resources, you have the option of adding tags when you create the resource. Examples of resources include an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Amazon Simple Storage Service (Amazon S3) bucket, or a secret in Amazon Secrets Manager. However, you can also add tags to multiple, supported resources at once by using Tag Editor. You build a query for resources of various types, and then add, remove, or replace tags for the resources in your search results. Tag-based queries assign an AND operator to tags, so any resource that matches the specified resource types and all specified tags is returned by the query.


Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. We use tags to provide you with billing and administration services. Tags are not intended to be used for private or sensitive data.

To add tags to—or edit or delete tags of—multiple resources at once, use Tag Editor. With Tag Editor, you search for the resources that you want to tag, and then manage tags for the resources in your search results.

To start Tag Editor
  1. Sign in to the Amazon Web Services Management Console.

  2. Perform either of the following steps:

    • Choose Services. Then, under Management & Governance, choose Resource Groups & Tag Editor. In the navigation pane on the left, choose Tag Editor.

    • Use the direct link: Amazon Tag Editor console.

Not all resources can have tags applied. For information about which resources Tag Editor supports, see the Tag Editor taggingcolumn at Supported resource types in the Amazon Resource Groups User Guide. If a resource type that you want to tag isn't supported, let Amazon know by choosing Feedback in the lower left corner of the console window.

For information about permissions and roles that are required to tag resources, see Set up permissions.

Tags and attribute-based access control

Tags can be an important part of your Amazon access control strategy. For information about using tags as the attributes in an attribute-based access control (ABAC) strategy, see Controlling access to Amazon resources using tags and Controlling access to and for IAM users and roles using tags, both in the IAM User Guide.

There is a comprehensive tutorial that shows how to grant access to different projects and groups using tags at IAM tutorial: Define permissions to access Amazon resources based on tags in the Amazon Identity and Access Management User Guide.

If you use a SAML-based identity provider (IdP) for single sign-in, you can attach tags to the assumed roles providing access to your users. For more information, see IAM tutorial: Use SAML session tags for ABAC in the Amazon Identity and Access Management User Guide.

Best practices for tag names

These are some best practices and naming conventions that we recommend that you use with your tags.

Key names for Amazon tags are case sensitive so ensure that they are used consistently. For example, the tags keys CostCenter and costcenter are different. One tag key might be configured as a cost allocation tag for financial analysis and reporting, and the other tag key might not be configured for the same use.

A number of tags are predefined by Amazon or created automatically by various Amazon Web Services. Many Amazon generated tags use key names that are all lowercase, with hyphens separating words in the name, and prefixes followed by colons to identify the source service for the tag. For example, see the following:

  • aws:ec2spot:fleet-request-id is a tag that identifies the Amazon EC2 Spot Instance Request that launched the instance.

  • aws:cloudformation:stack-name is a tag that identifies the Amazon CloudFormation stack that created the resource.

  • elasticbeanstalk:environment-name is a tag that identifies the application that created the resource.

Consider naming your tags using the following rules:

  • Use all lowercase for the words.

  • Use hyphens to separate words.

  • Use a prefix followed by a colon to identify the organization name or abbreviated name.

For example, for a fictitious company named AnyCompany, you might define tags such as:

  • anycompany:cost-center to identify the internal Cost Center code.

  • anycompany:environment-type to identify whether the environment is development, test, or production.

  • anycompany:application-id to identify the application that the resource was created for.

The prefix ensures that tags are clearly recognizable as defined by your organization and not by Amazon or a third-party tool that you might be using. Using all lowercase with hyphens for separators avoids confusion about how to capitalize a tag name. For example, anycompany:project-id is simpler to remember than ANYCOMPANY:ProjectID, anycompany:projectID, or Anycompany:ProjectId.