Using AWS Tags and Resource Groups

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

To simplify the management of AWS resources such as EC2 instances, you can assign metadata using tags. Resource groups can then use these tags to automate tasks on large numbers of resources at one time. Tags can serve as a unique identifier for custom automation, break out cost reporting by department, and much more. In this hands-on lab, we will explore tag restrictions and best practices for tagging strategies. We will also get experience with the Tag Editor, AWS resource group basics, and automation driven by tags.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set Up AWS Config

  1. Navigate to Config.
  2. Click 1-click setup.
  3. Leave the settings as their defaults and confirm your configuration.

Tag an AMI and EC2 Instance

  1. On the EC2 instances page, select any of the instances and create an AMI image from it.
  2. For the Image name, enter Base.
  3. Navigate to the AMI page, and once the Base image has a status of available (this may take a few minutes), launch it.
  4. Select t3.micro and keep the default settings until you reach the Add Tags page.
  5. On the Add Tags page, add the following tag:
    • Key: Name
    • Value: Test Web Server
  6. Advance to the Configure Security Group page and select the pre-existing group named SecurityGroupWeb (listed as the first option).
  7. Launch the instance without a key pair.

Tag Applications with the Tag Editor

Module 1 Tagging

  1. Navigate to Tag Editor under Resource Groups & Tag Editor.
  2. Find the following types of resources:
    • Regions: us-east-1
    • Resource types:
      • AWS::EC2::Instance
      • AWS::S3::Bucket
  3. Find and select both resources of Mod. 1.
  4. Find and select the resources of moduleone.
  5. Add tags to the resources:
    • Tag key: Module
    • Tag value: Starship Monitor
  6. Apply the changes to the selected resources.

Module 2 Tagging

  1. Navigate to Tag Editor under Resource Groups & Tag Editor.
  2. Find the following types of resources:
    • Regions: us-east-1
    • Resource types:
      • AWS::EC2::Instance
      • AWS::S3::Bucket
  3. Find and select both resources of Mod. 2.
  4. Find and select the resources of moduletwo.
  5. Add tags to the resources:
    • Tag key: Module
    • Tag value: Warp-Drive
  6. Apply the changes to the selected resources.

Create Resource Groups and Use AWS Config Rules for Compliance

Create the Starship-Monitor Resource Group

  1. Add these tag-based resources to a new resource group.
  2. In the Grouping criteria section, add the following:
    • Tag key: Module
    • Optional tag value: Starship Monitor
  3. Preview the group resources and enter the Group name of Starship-Monitor.

Create the Warp Drive Resource Group

  1. Add these tag-based resources to a new resource group.
  2. In the Grouping criteria section, add the following:
    • Tag key: Module
    • Optional tag value: Warp Drive
  3. Preview the group resources and enter the Group name of Warp-Drive.

View the Saved Resource Groups

In Saved Resource Groups, check the Starship-Monitor and Warp-Drive resource groups. We should see all the resources applied correctly to each group.
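The following is an added example, not part of the original lab: it builds the `TAG_FILTERS_1_0` resource query that sits behind a tag-based resource group and models membership locally. Tag keys and values are matched exactly and case-sensitively, so a group filtering on `Warp Drive` does not pick up resources tagged `Warp-Drive`. The resource names and inventory are constructed for illustration.

```python
import json

def tag_query(key, value, types=("AWS::EC2::Instance", "AWS::S3::Bucket")):
    """Build the ResourceQuery for a tag-based resource group."""
    return {
        "Type": "TAG_FILTERS_1_0",
        # The Query field is itself a JSON string.
        "Query": json.dumps({
            "ResourceTypeFilters": list(types),
            "TagFilters": [{"Key": key, "Values": [value]}],
        }),
    }

def members(query, inventory):
    """Local model of group membership (not AWS code): the resource type
    must be listed and every tag filter must match exactly."""
    q = json.loads(query["Query"])
    matched = []
    for res in inventory:
        if res["type"] not in q["ResourceTypeFilters"]:
            continue
        if all(res["tags"].get(f["Key"]) in f["Values"] for f in q["TagFilters"]):
            matched.append(res["name"])
    return matched

# Constructed inventory; names are hypothetical stand-ins for the lab resources.
INVENTORY = [
    {"name": "mod1-web", "type": "AWS::EC2::Instance",
     "tags": {"Module": "Starship Monitor"}},
    {"name": "moduleone-bucket", "type": "AWS::S3::Bucket",
     "tags": {"Module": "Starship Monitor"}},
    {"name": "mod2-web", "type": "AWS::EC2::Instance",
     "tags": {"Module": "Warp-Drive"}},
    {"name": "test-web", "type": "AWS::EC2::Instance",
     "tags": {"Name": "Test Web Server"}},
]

if __name__ == "__main__":
    for value in ("Starship Monitor", "Warp Drive", "Warp-Drive"):
        print(value, "->", members(tag_query("Module", value), INVENTORY))
```
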

Use AWS Config Rules for Compliance

  1. Copy the AMI ID of the AMI we created, then add a rule in the AWS Config console.
  2. Search for approved-amis-by-id in the search box and select that rule.
  3. In the Trigger section, set the following values:
    • Scope of changes: Tags
    • Resources by tag:
      • Tag key: Module
      • Tag value: Starship Monitor
  4. In the Parameters section, paste the AMI ID we copied earlier into the Value field and save the rule.
  5. Let the rule run for a few minutes until complete.
  6. Reboot all your EC2 instances.
  7. Give the rule more time to run, and then revisit the AWS Config console.
  8. Click the approved-amis-by-id link.
  9. Click the link for one of the non-compliant resources to see more information.
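The rule configured above, expressed as a ConfigRule definition with a local model of how a tag-scoped approved-AMI check classifies instances. This is an added example, not part of the original lab; the AMI IDs, instance IDs and the `OUT_OF_SCOPE` label are constructed placeholders. It shows that instances without the scoping tag are never evaluated, even when they run an unapproved AMI.

```python
import json

def approved_ami_rule(ami_ids, tag_key, tag_value):
    """ConfigRule definition for the AWS managed rule, scoped to one tag.
    With boto3 it could be sent via put_config_rule(ConfigRule=rule)."""
    return {
        "ConfigRuleName": "approved-amis-by-id",
        "Scope": {"TagKey": tag_key, "TagValue": tag_value},
        "Source": {"Owner": "AWS", "SourceIdentifier": "APPROVED_AMIS_BY_ID"},
        # Managed-rule parameters are passed as a JSON string.
        "InputParameters": json.dumps({"amiIds": ",".join(ami_ids)}),
    }

def evaluate(rule, instances):
    """Local model of the rule's logic (not AWS code)."""
    approved = set(json.loads(rule["InputParameters"])["amiIds"].split(","))
    scope = rule["Scope"]
    results = {}
    for inst in instances:
        if inst["tags"].get(scope["TagKey"]) != scope["TagValue"]:
            # Hypothetical label: Config records no evaluation at all here.
            results[inst["id"]] = "OUT_OF_SCOPE"
        elif inst["ami"] in approved:
            results[inst["id"]] = "COMPLIANT"
        else:
            results[inst["id"]] = "NON_COMPLIANT"
    return results

BASE_AMI = "ami-0aaaaaaaaaaaaaaaa"   # placeholder for the Base AMI ID
OTHER_AMI = "ami-0bbbbbbbbbbbbbbbb"  # placeholder for any other AMI

# Constructed instance records.
INSTANCES = [
    {"id": "i-mod1-old", "ami": OTHER_AMI, "tags": {"Module": "Starship Monitor"}},
    {"id": "i-mod1-base", "ami": BASE_AMI, "tags": {"Module": "Starship Monitor"}},
    {"id": "i-test-web", "ami": BASE_AMI, "tags": {"Name": "Test Web Server"}},
    {"id": "i-mod2", "ami": OTHER_AMI, "tags": {"Module": "Warp-Drive"}},
]

if __name__ == "__main__":
    rule = approved_ami_rule([BASE_AMI], "Module", "Starship Monitor")
    for inst_id, status in evaluate(rule, INSTANCES).items():
        print(inst_id, status)
```

Because the scope is a tag, removing or mistyping the `Module` tag takes a resource out of the rule's view, so tag coverage is worth checking separately.
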

Additional Resources

Your company runs many applications in a shared AWS account with hundreds of instances. The application and security teams want an easy way to find resources associated with a particular application. The AWS tags and resource groups demonstrated in this lab make it easy to identify application components.

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) Region throughout the lab.

Lab Prerequisites

  • Understand how to log in to and use the AWS Management Console.
  • Understand EC2 basics, including how to launch an instance.
  • Understand AWS Identity & Access Management (IAM) basics, including users, policies, and roles.
  • Understand how to use the AWS Command Line Interface (CLI).
