Streamline AWS Resource Management with Tag Inventory Reports Utilizing AWS Resource Explorer

Chanci Turner, Amazon IXD – VGT2 Learning

As organizations look for efficient ways to oversee a growing set of AWS resources across accounts and Regions, especially during transitions such as mergers and cloud migrations, AWS tags are a robust tool. Tags let you organize and identify resources by criteria such as purpose, owner, or environment. To improve resource management, businesses want tag inventory reports: comprehensive listings of the tags attached to their AWS resources. In 2023, AWS added multi-account search to AWS Resource Explorer to improve that experience. Many customers still struggle to write a tag policy, however, because they lack insight into which tags already exist, how they are applied, and which resources carry no tags at all.

To address this, we created an AWS Cloud Development Kit (CDK) solution that uses AWS Resource Explorer, AWS Step Functions, AWS Lambda, AWS Glue, Amazon Athena, and Amazon Simple Storage Service (Amazon S3). It reports on tag usage across your AWS Organizations organization: which tags exist, which resources they are attached to, and which resources are untagged. That data helps you develop a tagging strategy, track its adoption over time, and make informed decisions about enforcement mechanisms. With better visibility into resource tagging, you can formulate tagging policies tailored to business needs such as cost allocation, financial management, operations, security, and governance.

In this post, you will learn how to deploy the solution in your AWS accounts to generate reports of tagged resources, the tags applied to them, and untagged resources across your AWS Organizations organization.

Solution Overview

The solution architecture (Figure 1) consists of a central AWS account, which acts as the hub, and one or more spoke AWS accounts linked to it. Tag inventory data is collected in each spoke account and written to an S3 bucket in the central account. The aggregated data is then used to build a CSV-formatted inventory report, which is written to the output S3 bucket in the central account.

Figure 1: Solution Architecture
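The core of what each spoke account produces is a flattened view of Resource Explorer search results: one row per resource and tag, plus a list of resources that reported no tags. The following Python is an added illustration written for this post, not the CDK solution's own Lambda code. The sample search page is constructed to follow the shape of the `resource-explorer-2` `search` response (`Resources` entries with `Arn`, `OwningAccountId`, `Region`, `ResourceType` and a `Properties` item named `tags`); the account IDs, ARNs and tag values are made up, and `collect_all_pages` takes the search call as a parameter so the pagination logic can be exercised offline.

```python
import csv
import io
from collections import Counter

# Constructed sample page in the shape of a Resource Explorer `search` response
# (boto3: client("resource-explorer-2").search). The account IDs, ARNs and tag
# values are made up for illustration and belong to no real account.
SAMPLE_SEARCH_PAGE = {
    "Resources": [
        {
            "Arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0abc123def456",
            "OwningAccountId": "111111111111",
            "Region": "us-east-1",
            "ResourceType": "ec2:instance",
            "Service": "ec2",
            "Properties": [
                {"Name": "tags", "Data": [
                    {"Key": "Owner", "Value": "payments"},
                    {"Key": "Environment", "Value": "prod"},
                ]}
            ],
        },
        {
            "Arn": "arn:aws:s3:::example-untagged-bucket",
            "OwningAccountId": "111111111111",
            "Region": "us-east-1",
            "ResourceType": "s3:bucket",
            "Service": "s3",
            "Properties": [],  # nothing reported: this is an untagged resource
        },
        {
            "Arn": "arn:aws:lambda:eu-west-1:222222222222:function:report-writer",
            "OwningAccountId": "222222222222",
            "Region": "eu-west-1",
            "ResourceType": "lambda:function",
            "Service": "lambda",
            "Properties": [{"Name": "tags", "Data": [{"Key": "Owner", "Value": "platform"}]}],
        },
    ]
}

BASE_FIELDS = ["AccountId", "Region", "ResourceType", "Arn"]
TAGGED_FIELDS = BASE_FIELDS + ["TagKey", "TagValue"]


def extract_tags(resource):
    """Return {key: value} from one search result; empty dict if no tags were reported."""
    tags = {}
    for prop in resource.get("Properties", []):
        if prop.get("Name") == "tags":
            for kv in prop.get("Data", []):
                tags[kv["Key"]] = kv.get("Value", "")
    return tags


def build_inventory(page):
    """Flatten a search page into (tagged_rows, untagged_rows).

    tagged_rows has one row per (resource, tag key); untagged_rows has one row per
    resource that reported no tags, which is the list a tag policy needs to target.
    """
    tagged, untagged = [], []
    for r in page.get("Resources", []):
        base = {"AccountId": r["OwningAccountId"], "Region": r["Region"],
                "ResourceType": r["ResourceType"], "Arn": r["Arn"]}
        tags = extract_tags(r)
        if not tags:
            untagged.append(base)
            continue
        for key, value in sorted(tags.items()):
            tagged.append({**base, "TagKey": key, "TagValue": value})
    return tagged, untagged


def tag_key_summary(tagged_rows):
    """Count how many resources carry each tag key (each (Arn, TagKey) pair appears once)."""
    return dict(Counter(row["TagKey"] for row in tagged_rows))


def to_csv(rows, fieldnames):
    """Render rows as the CSV text that would be written to the central S3 bucket."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def collect_all_pages(search_fn, query_string, view_arn=None):
    """Follow NextToken until the query is exhausted and merge the pages.

    search_fn stands in for the boto3 search call; it is assumed to accept the
    keyword arguments QueryString, ViewArn, MaxResults and NextToken, as the
    real client does, so a fake can be passed for offline runs.
    """
    resources = []
    kwargs = {"QueryString": query_string, "MaxResults": 1000}
    if view_arn:
        kwargs["ViewArn"] = view_arn
    while True:
        page = search_fn(**kwargs)
        resources.extend(page.get("Resources", []))
        token = page.get("NextToken")
        if not token:
            return {"Resources": resources}
        kwargs["NextToken"] = token


if __name__ == "__main__":
    tagged_rows, untagged_rows = build_inventory(SAMPLE_SEARCH_PAGE)
    print(to_csv(tagged_rows, TAGGED_FIELDS))
    print(to_csv(untagged_rows, BASE_FIELDS))
    print(tag_key_summary(tagged_rows))
```

In a real spoke account, `search_fn` would be `boto3.client("resource-explorer-2").search` called with a view that has resource tags enabled, and each page would be appended to the spoke's results before upload. One practical caveat: a single Resource Explorer query is documented to return at most 1,000 results, so a collector should partition its queries (for example by service or Region in the query string) rather than rely on one open-ended query to enumerate an account.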
