Measure, enforce, and evolve - AWS Prescriptive Guidance

Metrics are necessary to identify improvements in this process and to evolve the governance. Are measures and KPIs improving over time? Are the envisioned outcomes being realized? Are resources being allocated properly? Is the enforcement mechanism too strong or too weak?

Examples of tagging KPIs include the following:

  • Tag coverage rate (per tag key)

  • Tag coverage rate (aggregate)

  • Percent of total spend tagged

  • Percent non-allocable spend (resources that were not tagged)

Examples of outcome-based KPIs include the following:

  • Number of resources terminated

  • Amount of money saved

  • Time saved (for example, by automating financial allocations)

Proactive enforcement

For proactive enforcement, you first determine which resources must be tagged, and with which keys and values. Then you apply tag policies or service control policies (SCPs) to the relevant organizational units or accounts from the AWS Organizations console.

A tag policy is attached to an organizational unit (OU) or to an individual account. For example, a tag policy can define the tag key cost-center-id with the allowed values ABC123 and ABC1234, and enforce that definition for Amazon Elastic Compute Cloud (Amazon EC2) instances and volumes. In this example, if someone tries to tag an EC2 instance or volume with cost-center-id set to any value other than ABC123 or ABC1234, the tagging operation fails with an error, because the request doesn't comply with the tag policy. Note that a tag policy governs only the keys and values of tags that are actually applied; it does not require that the tag be present at all. To require the tag, use an SCP.
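The following tag policy is an added example (not taken from the original page) of the rule described above. It standardizes the key cost-center-id, restricts its values to ABC123 and ABC1234, and enforces compliance for EC2 instances and volumes. The key name and allowed values come from the page; the decision to enforce only for ec2:instance and ec2:volume is an assumption for this example.

```json
{
  "tags": {
    "cost-center-id": {
      "tag_key": {
        "@@assign": "cost-center-id"
      },
      "tag_value": {
        "@@assign": ["ABC123", "ABC1234"]
      },
      "enforced_for": {
        "@@assign": ["ec2:instance", "ec2:volume"]
      }
    }
  }
}
```

The `tag_key` block fixes the exact capitalization of the key, `tag_value` lists the only values that may be used with it, and `enforced_for` turns the policy from report-only into a hard block for the listed resource types: a tagging request on an EC2 instance or volume that uses a different value (or a differently capitalized key) is rejected. Resources of other types are still reported as noncompliant, but the operation is allowed. Attach the policy to the OU that holds the workload accounts and verify the effective policy on a member account before relying on it.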

SCPs are also attached to an OU or to an individual account. For example, an SCP can deny ec2:RunInstances unless the request carries the tag key cost-center-id. In this example, if someone tries to launch an EC2 instance without supplying cost-center-id, the launch is denied and an error message is returned. Keep in mind that SCPs do not restrict the organization's management account, so that account should not be used to run workloads.
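The SCP below is an added example (not from the original page) that implements the launch-time requirement described above and, in addition, prevents the tag from being stripped afterwards. The tag key is the page's cost-center-id; the statement IDs, the choice of ec2:DeleteTags as the protected action, and the resource ARNs are assumptions for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/cost-center-id": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["cost-center-id"]
        }
      }
    }
  ]
}
```

The first statement uses the `Null` condition: `aws:RequestTag/cost-center-id` is null exactly when the launch request does not include that tag, so the deny fires only on untagged launches. Both the instance and the volume ARN are listed because RunInstances creates volumes as well, and a tag specification that covers only one of the two would otherwise slip through. The second statement denies any DeleteTags call that names cost-center-id, so a principal cannot launch with a valid tag and then remove it. An SCP enforces only presence of the key; pair it with the tag policy so that the value is also restricted to the allowed set.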

Reactive enforcement

Reactive governance is used to find resources that are not properly tagged. You can use tools such as the Resource Groups Tagging API, AWS Config rules, and Tag Editor. For example, the AWS Config managed rule required-tags can verify that every supported resource in scope carries a tag named cost-center-id with one of the allowed values ABC123 or ABC1234. Any resource that lacks the tag, or whose tag value is outside the allowed list, is marked noncompliant. The rule evaluates only the resource types it supports, so confirm that the types you care about are covered before relying on its compliance view.
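The following rule definition is an added example (not from the original page) of the required-tags check described above, in the form accepted by `aws configservice put-config-rule --config-rule file://rule.json`. The tag key and values are the page's; the rule name, description, and the scoping to EC2 instances and volumes are assumptions for this example.

```json
{
  "ConfigRuleName": "ec2-required-cost-center-tag",
  "Description": "EC2 instances and volumes must carry cost-center-id with an allowed value",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance",
      "AWS::EC2::Volume"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"cost-center-id\",\"tag1Value\":\"ABC123,ABC1234\"}"
}
```

`InputParameters` is a JSON string, not a nested object, which is why it is escaped. `tag1Value` takes a comma-separated list; a resource is compliant only if the key is present and its value is one of the listed entries, so a resource tagged cost-center-id=ABC12 is noncompliant just as an untagged one is. The rule is triggered by configuration changes, so after you create it, run an evaluation to get a baseline for resources that already exist, and feed the noncompliant set into your remediation process.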

To fix existing, noncompliant resources, we recommend the following solution:

Cost Explorer

After tagging the resources, you can see them by using AWS Cost Explorer. It's an interface that helps you visualize and manage your AWS costs and usage over time by creating custom reports that analyze cost and usage data. On the AWS Management Console, open the Cost Explorer console. Then use the Tag filter to visualize cost and usage by tag, according to the tagging dictionary and tag template that were created earlier. For example, you can filter by project or by team. A tag appears in the Tag filter only after you activate it as a cost allocation tag in the Billing console, and cost is attributed to it only for usage that occurs after activation.

To create Cost and Usage Reports that you can use with Amazon QuickSight or Amazon Athena, see Creating Cost and Usage Reports.

Amazon QuickSight

You can visualize your AWS cost and usage by using Amazon QuickSight. Amazon QuickSight is a cloud business analytics service for building visualizations, performing analysis, and quickly getting business insights from data.

To analyze AWS Cost and Usage Reports with Amazon QuickSight, see How do I ingest and visualize the AWS Cost and Usage Report (CUR) into Amazon QuickSight?

Amazon Athena

Amazon Athena is another way to analyze the data from your AWS Cost and Usage Reports. Amazon Athena is a serverless query service that supports standard SQL queries. Using Amazon Athena, you can query the data from Cost and Usage Reports stored in Amazon Simple Storage Service (Amazon S3).

To set up Amazon Athena for analyzing Cost and Usage Reports, see Querying Cost and Usage Reports using Amazon Athena.