Using AWS Tags and Resource Groups in AWS

1 hour
  • 5 Learning Objectives

About this Hands-on Lab

To simplify the management of Amazon Web Services (AWS) resources such as EC2 instances, you can assign your own metadata to them in the form of tags. Resource groups can use these tags to automate tasks on large numbers of resources at one time. Tags can also serve as unique identifiers for custom automation, break out cost reporting by department, and much more. In this hands-on lab, we will discuss tag restrictions and best practices for tagging strategies. We will also get experience with the Tag Editor, explore AWS resource group basics, and see how to leverage automation through the use of tags.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set Up AWS Config
  1. Navigate to Services > Config > Get started.
  2. Ensure the checkbox for Record all resources supported in this region is selected.
  3. Ensure the radio button for Create a bucket is selected.
  4. Ensure the checkbox for Stream configuration changes and notifications to an Amazon SNS topic is NOT checked.
  5. If a radio button for Create AWS Config service-linked role is available, then select it. Otherwise, if a radio button for Use an existing AWS Config service-linked role is available, select it.
  6. Click Next > Next on the AWS Config Rules page > Confirm.

Note: We will return to AWS Config later in this lab.

Tag an AMI and EC2 Instance
  1. Navigate to EC2 > Instances.
  2. Select any of the instances listed.
  3. Click Actions > Image > Create image.
  4. For the Image name, enter "BaseAMI". (Avoid spaces)
  5. Click Create image.
  6. Click AMIs in the left-hand menu.
  7. Once the AMI you just created has a status of available, select it.
  8. Click Launch.
  9. Leave t2.micro selected, and click Next: Configure Instance Details.
  10. Leave the defaults on the Configure Instance Details page.
  11. Click Next: Add Storage, and then click Next: Add Tags.
  12. On the Add Tags page, add the following tag:
    • Key: Name
    • Value: Test Web Server
  13. Click Next: Configure Security Group.
  14. Click Select an existing security group.
  15. Select the one with SecurityGroupWeb in the name (not the default security group).
  16. Launch the instance without a key pair.

Use the Tag Editor – Part 1: Application Tagging

Module 1 Tagging

  1. Search in the AWS console for "Resource Groups" and select Resource Groups and Tag Editor.
  2. Click Resource Groups > Tag Editor.
  3. In the Find resources to tag section, set the following values:
    • Regions: us-east-1
    • Resource types:
      • AWS::EC2::Instance
      • AWS::S3::Bucket
    • Click Search resources.
  4. In the Resource search results section, set the following values:
    1. Enter "Mod. 1" in the Filter resources search window, and then select both instances.
    2. Clear the filter.
    3. Enter "moduleone" in the Filter resources search window, and then select the listed S3 bucket.
    4. Clear the filter.
  5. Click Manage tags of selected resources.
  6. In the Edit tags of all selected resources section, click Add tag and set the following values:
    • Tag key: Module
    • Tag value: Starship Monitor
  7. Click Review and apply tag changes > Apply changes to all selected.

Module 2 Tagging

  1. Still on the Tag Editor page, in the Find resources to tag section, set the following values:
    • Regions: us-east-1
    • Resource types:
      • AWS::EC2::Instance
      • AWS::S3::Bucket
    • Click Search resources.
  2. In the Resource search results section:
    1. Enter "Mod. 2" in the Filter resources search window, and select both instances.
    2. Clear the filter.
    3. Enter "moduletwo" in the Filter resources search window, and select the S3 bucket.
    4. Clear the filter.
    5. Click Manage tags of selected resources.
  3. In the Edit tags of all selected resources section, click Add tag and set the following values:
    • Tag key: Module
    • Tag value: Warp Drive
  4. Click Review and apply tag changes > Apply changes to all selected.

Use the Tag Editor – Part 2: Application Query
  1. On the Tag Editor page, in the Find resources to tag section, set the following values:
    • Regions: us-east-1
    • Resource types:
      • AWS::EC2::Instance
      • AWS::S3::Bucket
    • Tag key: Module
    • Optional tag value: Warp Drive
  2. Select Search resources. We should then see our tagged resources in the results list.

Create Resource Groups and Use AWS Config Rules for Compliance

Create Starship Monitor Resource Group

  1. In the left-hand menu, select Create Resource Group.
  2. Select Tag based.
  3. In the Grouping criteria section, add the following:
    • Tag key: Module
    • Optional tag value: Starship Monitor
  4. Click Add.
  5. Click View group resources.
  6. Enter a Group name of "Starship-Monitor".
  7. Click Create group.

Create Warp Drive Resource Group

  1. Click Create Resource Group in the left-hand menu.
  2. Select Tag based.
  3. In the Grouping criteria section, add the following:
    • Tag key: Module
    • Optional tag value: Warp Drive
  4. Click Add.
  5. Click Preview group resources.
  6. Enter a Group name of "Warp-Drive".
  7. Click Create group.

View Saved Resource Groups

  1. Click Saved Resource Groups in the left-hand menu.
  2. Click Starship-Monitor. Here, we should see all the resources in our Starship-Monitor group.
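
The tag-based groups created above are stored as a TAG_FILTERS_1_0 resource query. The following added example (not part of the original lab) builds that query document for the Warp-Drive group and evaluates it with a simplified local model, showing that a mis-cased tag key silently drops a resource from the group. The inventory, resource IDs, and helper names are constructed for illustration.

```python
import json

def tag_group_query(key, values=(), resource_types=("AWS::AllSupported",)):
    """Build the ResourceQuery document of a tag-based resource group."""
    inner = {
        "ResourceTypeFilters": list(resource_types),
        "TagFilters": [{"Key": key, "Values": list(values)}],
    }
    # The inner query is carried as a JSON string inside the outer document.
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}

def members(resource_query, inventory):
    """Simplified local model of group membership (not the AWS service itself)."""
    query = json.loads(resource_query["Query"])
    types = set(query["ResourceTypeFilters"])
    matched = []
    for res in inventory:
        if "AWS::AllSupported" not in types and res["type"] not in types:
            continue
        # Filters are ANDed, values within a filter are ORed, and an empty
        # value list means "any value". Keys and values are case-sensitive.
        if all(
            f["Key"] in res["tags"]
            and (not f["Values"] or res["tags"][f["Key"]] in f["Values"])
            for f in query["TagFilters"]
        ):
            matched.append(res["id"])
    return matched

# Constructed inventory; IDs and bucket names are placeholders.
INVENTORY = [
    {"id": "i-mod2-a", "type": "AWS::EC2::Instance", "tags": {"Module": "Warp Drive"}},
    {"id": "i-mod2-b", "type": "AWS::EC2::Instance", "tags": {"module": "Warp Drive"}},
    {"id": "moduletwo-bucket", "type": "AWS::S3::Bucket", "tags": {"Module": "Warp Drive"}},
    {"id": "i-mod1-a", "type": "AWS::EC2::Instance", "tags": {"Module": "Starship Monitor"}},
    {"id": "i-test-web", "type": "AWS::EC2::Instance", "tags": {"Name": "Test Web Server"}},
]

def unassigned(inventory, key="Module"):
    """Resources no Module-based group can contain: the key is missing or mis-cased."""
    return [r["id"] for r in inventory if key not in r["tags"]]

if __name__ == "__main__":
    warp = tag_group_query("Module", ["Warp Drive"],
                           ["AWS::EC2::Instance", "AWS::S3::Bucket"])
    print(json.dumps(warp, indent=2))
    print("Warp-Drive members:", members(warp, INVENTORY))
    print("No Module tag:", unassigned(INVENTORY))
```

Reviewing the output of a check like `unassigned` is a quick way to find resources that fall outside every application group.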

Use AWS Config Rules for Compliance

  1. Navigate to EC2 > AMIs.
  2. Select the AMI we created earlier.
  3. Copy its AMI ID.
  4. Navigate to Config > Rules.
  5. Click Add rule.
  6. Search for approved-amis-by-id in the search box, and select that rule.
  7. In the Trigger section, set the following values:
    • Scope of changes: Tags
    • Resources by tag:
      • Tag key: Module
      • Tag value: Starship Monitor
  8. In the Rule parameters section, paste the AMI ID we copied earlier into the Value field.
  9. Click Save.
  10. Let the rule run for a few minutes, and then click the refresh icon to make sure it’s done.
  11. The rule is triggered by configuration changes on the resources (this includes power state), so navigate to the EC2 instance console, select all instances, and reboot them.
  12. Give the rule more time to run and then revisit the AWS Config console.
  13. Click the approved-amis-by-id link.
  14. Click the link for one of the noncompliant resources to see more information.
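
Because the rule above is scoped to resources tagged Module = Starship Monitor, instances without that exact tag are never evaluated. The following added example (not part of the original lab) models that behaviour locally and lists the resulting blind spots. The AMI IDs, instance IDs, and the NOT_EVALUATED label are constructed for illustration; only COMPLIANT and NON_COMPLIANT are statuses AWS Config reports.

```python
# Constructed placeholder for the BaseAMI ID pasted into the rule parameters.
APPROVED_AMI_IDS = {"ami-EXAMPLE-BASE"}
# The rule's "Resources by tag" scope from the Trigger section.
SCOPE_TAG = ("Module", "Starship Monitor")

# Constructed instances, all assumed running; every ID is a placeholder.
INSTANCES = [
    {"id": "i-mod1-a", "image": "ami-EXAMPLE-LAB", "tags": {"Module": "Starship Monitor"}},
    {"id": "i-mod1-b", "image": "ami-EXAMPLE-BASE", "tags": {"Module": "Starship Monitor"}},
    {"id": "i-mod2-a", "image": "ami-EXAMPLE-LAB", "tags": {"Module": "Warp Drive"}},
    {"id": "i-test-web", "image": "ami-EXAMPLE-BASE", "tags": {"Name": "Test Web Server"}},
]

def evaluate(instances, approved, scope):
    """Return a verdict per instance, mirroring a tag-scoped approved-AMI check."""
    key, value = scope
    results = {}
    for inst in instances:
        if inst["tags"].get(key) != value:
            # Outside the tag scope: the rule never looks at this instance.
            results[inst["id"]] = "NOT_EVALUATED"
        elif inst["image"] in approved:
            results[inst["id"]] = "COMPLIANT"
        else:
            results[inst["id"]] = "NON_COMPLIANT"
    return results

def blind_spots(instances, approved, scope):
    """Out-of-scope instances that would fail the AMI check if they were evaluated."""
    verdicts = evaluate(instances, approved, scope)
    return [
        inst["id"] for inst in instances
        if verdicts[inst["id"]] == "NOT_EVALUATED" and inst["image"] not in approved
    ]

if __name__ == "__main__":
    for instance_id, verdict in evaluate(INSTANCES, APPROVED_AMI_IDS, SCOPE_TAG).items():
        print(f"{instance_id:12} {verdict}")
    print("Unapproved AMIs outside rule scope:",
          blind_spots(INSTANCES, APPROVED_AMI_IDS, SCOPE_TAG))
```

A tag-scoped rule is only as complete as the tagging behind it, so pair it with a check for untagged or mistagged instances.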

Additional Resources

Your company runs many applications in a shared AWS account with hundreds of instances. The application and security teams want an easy way to find resources associated with a particular application. The AWS tags and resource groups demonstrated in this lab make it easy to identify application components.

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Lab Prerequisites

  • Understand how to log in to and use the AWS Management Console.
  • Understand Amazon Elastic Compute Cloud (EC2) basics, including how to launch an instance.
  • Understand AWS Identity and Access Management (IAM) basics, including users, policies, and roles.
  • Understand how to use the AWS Command Line Interface (CLI).
