CLOUD STRATEGY #7 - ANONYMIZATION IS THE ENEMY OF ACCOUNTABILITY—TAGGING TO THE RESCUE
SITUATION AWS customers use accounts as units of autonomy and as a security boundary between environments. Often, accounts are linked to VPCs rather than to organizational or business units. This makes it hard to create the linkage between spend and business initiatives. In recognition of this issue, AWS has introduced a service called AWS Organizations for managing accounts along organizational boundaries. However, this is a relatively new tool, and a number of customers already have an account structure in place that is based on previous best practices.
COMPLICATION AWS bills are very detailed; running into thousands of lines is quite common and the “million line bill” is not unheard of. Famously, Netflix tweeted in 2016 that their AWS bill was over 700 million lines long. With VPCs—and not organizational boundaries—often defining the operational boundary of an account, linking spend back to an account is often not sufficient to create linkage between business initiatives and AWS spending.
IMPLICATION If you lose the direct linkage between operations and spend, you run the risk of removing cost accountability from the individual account owners. This flies in the face of good cloud governance. Good cloud governance means empowering your users to monitor the financial impact of their decisions, as well as giving them the tools to optimize costs.
POSITION AWS has enabled tags across nearly all of its products and services, making them the best way to group and identify resources. They make it possible to automate the process of cost allocation and are often the only way to create a linkage between resource utilization and business initiatives. Proper use of tags is critical to maintaining good cloud governance.
ACTION A first step to using tags is to set up a tag strategy: define a set of tags that are mandatory (e.g., ProjectID, OwnerContact, ApplicationName, and so forth). These must be attached to every resource. Since AWS tags are not mandatory, it is important to monitor and enforce their use. Use HyperCloud Analytics to find resources that are untagged and set up a mechanism to enforce tagging, or else disable untagged resources on a set schedule.
Enable the “Cost Allocation Tags” feature to ensure that the user-created tags are visible from the billing console and use Cost Explorer or HyperCloud Analytics to create custom views based on tags. Enforcing a well-defined tag structure is important to ensure that all resources can be accounted for in a cost-usage report. For organizations that wish to automate this process, a cloud management platform with built-in lifecycle management (such as the App Store in HyperCloud) is necessary.
The platform carries out the details of creating and managing tags, assigning quotas to individual accounts, and automating chargeback based on predefined policies. The HyperCloud Security and Compliance service can detect and report all deviations from established tagging policy and allow administrators to take one-click automation actions to remediate these issues.
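The monitoring step above (find resources that lack the mandatory tags) can be expressed as a small policy check. The following is an added example, not code from the article or from HyperGrid; it assumes resource records in the shape the AWS Resource Groups Tagging API returns (ResourceARN plus a list of Key/Value tag pairs), and the three sample records are constructed.

```python
"""Audit AWS resources against a mandatory-tag policy.

Records use the shape returned by the Resource Groups Tagging API
(get_resources -> ResourceTagMappingList: ResourceARN plus a list of
Key/Value tag pairs). The sample records below are constructed, not
pulled from a real account.
"""

# Mandatory tag keys from the tag strategy. AWS tag keys are
# case-sensitive, so "projectid" does not satisfy "ProjectID".
MANDATORY_TAGS = ("ProjectID", "OwnerContact", "ApplicationName")

# Constructed sample: what get_resources() might return for three resources.
SAMPLE_RESOURCES = [
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa",
     "Tags": [{"Key": "ProjectID", "Value": "PRJ-42"},
              {"Key": "OwnerContact", "Value": "team-a@example.com"},
              {"Key": "ApplicationName", "Value": "billing-api"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0bbb",
     "Tags": [{"Key": "projectid", "Value": "PRJ-42"},      # wrong case
              {"Key": "OwnerContact", "Value": "  "},       # blank value
              {"Key": "ApplicationName", "Value": "billing-api"}]},
    {"ResourceARN": "arn:aws:s3:::data-lake-raw", "Tags": []},  # untagged
]


def missing_tags(resource, mandatory=MANDATORY_TAGS):
    """Return the mandatory keys a resource lacks or leaves blank."""
    present = {t["Key"]: t.get("Value", "") for t in resource.get("Tags", [])}
    return [k for k in mandatory if not present.get(k, "").strip()]


def audit(resources, mandatory=MANDATORY_TAGS):
    """Map each non-compliant ARN to the mandatory keys it is missing.

    Compliant resources are left out, so the result is directly usable
    as a remediation or scheduled-disable work list.
    """
    report = {}
    for r in resources:
        gaps = missing_tags(r, mandatory)
        if gaps:
            report[r["ResourceARN"]] = gaps
    return report


if __name__ == "__main__":
    for arn, gaps in audit(SAMPLE_RESOURCES).items():
        print(f"{arn}: missing {', '.join(gaps)}")
```

Against a live account, the same records come from paging through boto3's `resourcegroupstaggingapi` `get_resources` call in place of the constructed list.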
BENEFITS Enforcing a well-defined tagging policy is the foundation not just for automating cost allocation and enabling chargeback; it is also critical for grouping AWS resources for other governance tasks.
From the series "Top 10 Strategies to Manage Cost and Continuously Optimize AWS".