Tagging your Amazon resources - Tagging Amazon Resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tagging your Amazon resources

Tags are key and value pairs that act as metadata for organizing your Amazon resources. With most Amazon resources, you have the option of adding tags when you create the resource. Examples of resources include an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Amazon Simple Storage Service (Amazon S3) bucket, or a secret in Amazon Secrets Manager.


Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. We use tags to provide you with billing and administration services. Tags are not intended to be used for private or sensitive data.

Tags can help you manage, identify, organize, search for, and filter resources. You can create tags to categorize resources by purpose, owner, environment, or other criteria.

Each tag has two parts:

  • A tag key (for example, CostCenter, Environment, or Project). Tag keys are case sensitive.

  • A tag value (for example, 111122223333 or Production). Like tag keys, tag values are case sensitive.

How to add tags to your Amazon resources

There are three ways to add tags to your Amazon resources:

  • Amazon Web Service API operation – The tagging API operations supported directly an Amazon Web Service. To discover what tagging functionality each Amazon Web Service provides, see the service's documentation in the Amazon documentation index.

  • Tag Editor console – Some services also support tagging with the Amazon Tag Editor console.

  • Resource Groups Tagging API – Most services also support tagging using the Amazon Resource Groups Tagging API.


You can also use Amazon Service Catalog TagOptions Library to easily manage tags on provisioned products. A TagOption is a key-value pair managed in Service Catalog. It is not an Amazon tag, but serves as a template for creating an Amazon tag based on the TagOption.

You can tag resources for all cost-accruing services in Amazon. For the following services, Amazon recommends newer alternative Amazon Web Services that support tagging to better meet customer use cases.

Amazon Cloud Directory

Amazon CloudSearch

Amazon Cognito Sync

Amazon Data Pipeline

Amazon Elastic Transcoder

Amazon Machine Learning

Amazon OpsWorks Stacks

Amazon S3 Glacier Direct

Amazon SimpleDB

Amazon WorkSpaces Application Manager

Best practices

As you create a tagging strategy for Amazon resources, follow best practices:

  • Do not add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon services, including billing. Tags are not intended to be used for private or sensitive data.

  • Use a standardized, case-sensitive format for tags, and apply it consistently across all resource types.

  • Consider tag guidelines that support multiple purposes, like managing resource access control, cost tracking, automation, and organization.

  • Use automated tools to help manage resource tags. Tag Editor and the Resource Groups Tagging API enable programmatic control of tags, making it easier to automatically manage, search, and filter tags and resources.

  • Use too many tags rather than too few tags.

  • Remember that it is easy to change tags to accommodate changing business requirements, but consider the consequences of future changes. For example, changing access control tags means you must also update the policies that reference those tags and control access to your resources.

  • You can automatically enforce the tagging standards that your organization chooses to adopt by creating and deploying tag policies using Amazon Organizations. Tag policies let you specify tagging rules that define valid key names and the values that are valid for each key. You can choose to only monitor, giving you an opportunity to evaluate and clean up your existing tags. Once your tags are in compliance with your chosen standards, you can then turn on enforcement in the tag policies to prevent non-compliant tags from being created. For more information, see Tag policies in the Amazon Organizations User Guide.

Tagging categories

Companies that are most effective in their use of tags typically create business-relevant tag groupings to organize their resources along technical, business, and security dimensions. Companies that use automated processes to manage their infrastructure also include additional, automation-specific tags.

Technical tags Tags for automation Business tags Security tags
  • Name – Identify individual resources

  • Application ID – Identify resources that are related to a specific application

  • Application Role – Describe the function of a particular resource (such as web server, message broker, database)

  • Cluster – Identify resource farms that share a common configuration and perform a specific function for an application

  • Environment – Distinguish between development, test, and production resources

  • Version – Help distinguish between versions of resources or applications

  • Date/Time – Identify the date or time a resource should be started, stopped, deleted, or rotated

  • Opt in/Opt out – Indicate whether a resource should be included in an automated activity such as starting, stopping, or resizing instances

  • Security – Determine requirements, such as encryption or enabling of Amazon VPC flow logs; identify route tables or security groups that need extra scrutiny

  • Project – Identify projects that the resource supports

  • Owner – Identify who is responsible for the resource

  • Cost Center/Business Unit – Identify the cost center or business unit associated with a resource, typically for cost allocation and tracking

  • Customer – Identify a specific client that a particular group of resources serves

  • Confidentiality – An identifier for the specific data confidentiality level a resource supports

  • Compliance – An identifier for workloads that must adhere to specific compliance requirements

Tag naming limits and requirements

The following basic naming and usage requirements apply to tags:

  • Each resource can have a maximum of 50 user created tags.

  • System created tags that begin with aws: are reserved for Amazon use, and do not count against this limit. You can't edit or delete a tag that begins with the aws: prefix.

  • For each resource, each tag key must be unique, and each tag key can have only one value.

  • The tag key must be a minimum of 1 and a maximum of 128 Unicode characters in UTF-8.

  • The tag value must be a minimum of 0 and a maximum of 256 Unicode characters in UTF-8.

  • Allowed characters can vary by Amazon service. For information about what characters you can use to tag resources in a particular Amazon service, see its documentation. In general, the allowed characters are letters, numbers, spaces representable in UTF-8, and the following characters: _ . : / = + - @.

  • Tag keys and values are case sensitive. As a best practice, decide on a strategy for capitalizing tags, and consistently implement that strategy across all resource types. For example, decide whether to use Costcenter, costcenter, or CostCenter, and use the same convention for all tags. Avoid using similar tags with inconsistent case treatment.

Common tagging strategies

Use the following tagging strategies to help identify and manage Amazon resources.

Tags for resource organization

Tags are a good way to organize Amazon resources in the Amazon Web Services Management Console. You can configure tags to be displayed with resources, and can search and filter by tag. With the Amazon Resource Groups service, you can create groups of Amazon resources based on one or more tags or portions of tags. You can also create groups based on their occurrence in an Amazon CloudFormation stack. Using Resource Groups and Tag Editor, you can consolidate and view data for applications that consist of multiple services, resources, and Regions in one place.

Tags for cost allocation

Amazon Cost Explorer and detailed billing reports let you break down Amazon costs by tag. Typically, you use business tags such as cost center/business unit, customer, or project to associate Amazon costs with traditional cost-allocation dimensions. But a cost allocation report can include any tag. This lets you associate costs with technical or security dimensions, such as specific applications, environments, or compliance programs. The following is an example of a partial cost allocation report.

Sample tag-based cost allocation report

For some services, you can use an Amazon-generated createdBy tag for cost allocation purposes, to help account for resources that might otherwise go uncategorized. The createdBy tag is available only for supported Amazon services and resources. Its value contains data associated with specific API or console events. For more information, see Amazon-Generated Cost Allocation Tags in the Amazon Billing and Cost Management User Guide.

Tags for automation

Resource or service-specific tags are often used to filter resources during automation activities. Automation tags are used to opt in or opt out of automated tasks or to identify specific versions of resources to archive, update, or delete. For example, you can run automated start or stop scripts that turn off development environments during nonbusiness hours to reduce costs. In this scenario, Amazon Elastic Compute Cloud (Amazon EC2) instance tags are a simple way to identify instances to opt out of this action. For scripts that find and delete stale, out-of-date, or rolling Amazon EBS snapshots, snapshot tags can add an extra dimension of search criteria.

Tags for access control

IAM policies support tag-based conditions, letting you constrain IAM permissions based on specific tags or tag values. For example, IAM user or role permissions can include conditions to limit EC2 API calls to specific environments (such as development, test, or production) based on their tags. The same strategy can be used to limit API calls to specific Amazon Virtual Private Cloud (Amazon VPC) networks. Support for tag-based, resource-level IAM permissions is service specific. When you use tag-based conditions for access control, be sure to define and restrict who can modify the tags. For more information about using tags to control API access to Amazon resources, see Amazon services that work with IAM in the IAM User Guide.

Tagging governance

An effective tagging strategy uses standardized tags and applies them consistently and programmatically across Amazon resources. You can use both reactive and proactive approaches for governing tags in your Amazon environment.

  • Reactive governance is for finding resources that are not properly tagged using tools such as the Resource Groups Tagging API, Amazon Config Rules, and custom scripts. To find resources manually, you can use Tag Editor and detailed billing reports.

  • Proactive governance uses tools such as Amazon CloudFormation, Service Catalog, tag policies in Amazon Organizations, or IAM resource-level permissions to ensure standardized tags are consistently applied at resource creation.

    For example, you can use the Amazon CloudFormation Resource Tags property to apply tags to resource types. In Service Catalog, you can add portfolio and product tags that are combined and applied to a product automatically when it is launched. More rigorous forms of proactive governance include automated tasks. For example, you can use the Resource Groups Tagging API to search an Amazon environment’s tags, or run scripts to quarantine or delete improperly tagged resources.

Learn more

This page provides general information on tagging Amazon resources. For more information about tagging resources in a particular Amazon service, see its documentation. The following are also good sources of information about tagging: