Tag Resources

This guide explains how to use Tag Analyzer to review the tagging coverage across all clouds and tag resources directly from Cloudaware.

Requirements

AWS

To tag AWS resources from Cloudaware, download the Cloudaware Tagging policy:

Cloudaware Tagging Policy

CODE

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "ec2:CreateTags",
    "ec2:DeleteTags",
    "rds:AddTagsToResource",
    "rds:RemoveTagsFromResource",
    "iam:Tag*",
    "iam:Untag*",
    "s3:DeleteJobTagging",
    "s3:DeleteObjectTagging",
    "s3:DeleteObjectVersionTagging",
    "s3:DeleteStorageLensConfigurationTagging",
    "s3:PutBucketTagging",
    "s3:PutJobTagging",
    "s3:PutObjectTagging",
    "s3:PutObjectVersionTagging",
    "s3:PutStorageLensConfigurationTagging",
    "s3:ReplicateTags",
    "s3:TagResource",
    "s3:UntagResource",
    "sqs:TagQueue",
    "sqs:UntagQueue",
    "cloudfront:TagResource",
    "cloudfront:UntagResource",
    "elasticmapreduce:AddTags",
    "elasticmapreduce:RemoveTags",
    "elasticloadbalancing:AddTags",
    "elasticloadbalancing:RemoveTags",
    "sns:TagResource",
    "sns:UntagResource",
    "route53:ChangeTagsForResource",
    "autoscaling:CreateOrUpdateTags",
    "autoscaling:DeleteTags",
    "dynamodb:TagResource",
    "dynamodb:UntagResource",
    "redshift:CreateTags",
    "redshift:DeleteTags",
    "cloudtrail:AddTags",
    "cloudtrail:RemoveTags",
    "kinesis:AddTagsToStream",
    "kinesis:RemoveTagsFromStream",
    "kinesis:TagResource",
    "kinesis:UntagResource",
    "ecs:TagResource",
    "ecs:UntagResource",
    "lambda:TagResource",
    "lambda:UntagResource",
    "kms:TagResource",
    "kms:UntagResource",
    "elasticache:AddTagsToResource",
    "elasticache:RemoveTagsFromResource",
    "workspaces:CreateTags",
    "workspaces:DeleteTags",
    "opsworks:TagResource",
    "opsworks:UntagResource",
    "glue:TagResource",
    "glue:UntagResource",
    "organizations:TagResource",
    "organizations:UntagResource",
    "elasticfilesystem:CreateTags",
    "elasticfilesystem:DeleteTags",
    "elasticfilesystem:TagResource",
    "elasticfilesystem:UntagResource",
    "dms:AddTagsToResource",
    "dms:RemoveTagsFromResource",
    "ssm:AddTagsToResource",
    "ssm:RemoveTagsFromResource",
    "transcribe:TagResource",
    "transcribe:UntagResource",
    "guardduty:TagResource",
    "guardduty:UntagResource",
    "ram:TagResource",
    "ram:UntagResource",
    "sagemaker:AddTags",
    "sagemaker:DeleteTags",
    "kafka:TagResource",
    "kafka:UntagResource",
    "shield:TagResource",
    "shield:UntagResource",
    "secretsmanager:TagResource",
    "secretsmanager:UntagResource",
    "route53domains:DeleteTagsForDomain",
    "route53domains:UpdateTagsForDomain",
    "fsx:TagResource",
    "fsx:UntagResource",
    "cloudhsm:TagResource",
    "cloudhsm:UntagResource",
    "codedeploy:AddTagsToOnPremisesInstances",
    "codedeploy:RemoveTagsFromOnPremisesInstances",
    "codedeploy:TagResource",
    "codedeploy:UntagResource",
    "datapipeline:AddTags",
    "datapipeline:RemoveTags",
    "cognito-idp:TagResource",
    "cognito-idp:UntagResource",
    "swf:TagResource",
    "swf:UntagResource",
    "acm:AddTagsToCertificate",
    "acm:RemoveTagsFromCertificate",
    "xray:TagResource",
    "xray:UntagResource",
    "eks:TagResource",
    "eks:UntagResource",
    "fms:TagResource",
    "fms:UntagResource",
    "ds:AddTagsToResource",
    "ds:RemoveTagsFromResource",
    "dax:TagResource",
    "dax:UntagResource",
    "logs:Tag*",
    "logs:Untag*",
    "firehose:TagDeliveryStream",
    "firehose:UntagDeliveryStream",
    "mq:CreateTags",
    "mq:DeleteTags",
    "es:AddTags",
    "es:RemoveTags",
    "cognito-identity:TagResource",
    "cognito-identity:UntagResource",
    "codepipeline:TagResource",
    "codepipeline:UntagResource",
    "servicediscovery:TagResource",
    "servicediscovery:UntagResource",
    "waf:TagResource",
    "waf:UntagResource",
    "appstream:TagResource",
    "appstream:UntagResource",
    "quicksight:TagResource",
    "quicksight:UntagResource",
    "wellarchitected:TagResource",
    "wellarchitected:UntagResource",
    "directconnect:TagResource",
    "directconnect:UntagResource",
    "backup:TagResource",
    "backup:UntagResource",
    "appmesh:TagResource",
    "appmesh:UntagResource",
    "savingsplans:TagResource",
    "savingsplans:UntagResource",
    "access-analyzer:TagResource",
    "access-analyzer:UntagResource",
    "kendra:TagResource",
    "kendra:UntagResource",
    "profile:TagResource",
    "profile:UntagResource",
    "bedrock:TagResource",
    "bedrock:UntagResource"
   ],
   "Resource": [
    "*"
   ]
  }
 ]
}

Review and apply the policy in the AWS Console.

Azure

To tag Microsoft Azure resources from Cloudaware:

Assign the Tag Contributor role to Cloudaware. Learn more here (see 'Tagging Permissions').

GCP

To tag GCP resources from Cloudaware:

Ensure the required label permissions are included in the custom role created for and assigned to Cloudaware.

Alibaba Cloud

Ensure that the Cloudaware RAM Role template with the required permissions is applied using Resource Orchestration Service (ROS).

If access keys are used to add an Alibaba Cloud account to Cloudaware, make sure that the user access policy includes the following permissions:

CODE

            {
              "Action": [
                "tag:*",
                "*:ListTagResources",
                "*:DescribeTags",
                "*:DescribeTagKeys",
                "*:ListTagKeys",
                "*:ListTagValues",
                "*:Tag*",
                "*:Untag*",
                "*:UnTag*",
                "*:AddTags*",
                "*:RemoveTags*"
              ],
              "Resource": [
                "*"
              ],
              "Effect": "Allow"
            }

Oracle Cloud

Tagging Oracle Cloud resources directly from Cloudaware is not supported at this time.

Tag Analyzer

Log in to Cloudaware → Tag Analyzer.
Select a cloud provider, e.g. AWS:

Choose an object type from the list, e.g. AWS EC2 Instance:
In the 'Not Tagged Objects' column, review the number of untagged resources. Click the number to open the Objects Explorer.
Select AWS EC2 instances to which the tag should be applied. Click the three-dot menu -> Tag AWS EC2 Instances..
Review the existing tags. Click +ADD TAG to apply a new tag.
Enter a tag name and value, then click SAVE. New tags will be propagated to the AWS Console.

Tag name–value pair limits may vary by cloud provider: up to 50 tags per resource in AWS and Microsoft Azure, and up to 64 tags per resource in Google Cloud.

Create CaTags

СaTags are Cloudaware-specific fields used to parse row tag data received from cloud providers. Cloudaware supports two types of CaTags: Fuzzy and Exact.

Fuzzy CaTag: use when similar tags (e.g., environment, Environment) should be treated as equivalent. Fuzzy CaTags consolidate such tags under a single normalized tag (e.g., Environment).
Exact CaTag: use when tag names must be treated as distinct (e.g., environment vs. Environment).

CMDB - Tag resources - caTags creation - exact caTag example.png

Tags in Cloudaware CMDB

In addition to using Tag Analyzer, add or delete tags directly from the CI record:

Open a record, e.g. a specific AWS instance.
In the left menu, select TAGS.
To add a tag, click + ADD TAG.

CMDB - Tag resources - navigation - the tab Tags.png

To remove a tag, select the tag and click DELETE TAG.

CMDB - Tag resources - Tag Analyzer - delete tag.png