Using Tags and Resource Groups in AWS

1 hour
  • 6 Learning Objectives

About this Hands-on Lab

To simplify the management of Amazon Web Services (AWS) resources such as EC2 instances, you can assign your own metadata to them using tags. Resource groups can use these tags to automate tasks on large numbers of resources at one time. Tags also serve as a unique identifier for custom automation, let you break out cost reporting by department, and much more. In this hands-on lab, we will discuss tag restrictions and best practices for tagging strategies. We will also get experience with the Tag Editor and AWS Resource Group basics, and see how to leverage automation through the use of tags.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set Up AWS Config
  1. Click Services > Config > Get started.
  2. Ensure the checkbox for Record all resources supported in this region is selected.
  3. Ensure the radio button for Create a bucket is selected.
  4. Ensure the checkbox for Stream configuration changes and notifications to an Amazon SNS topic is NOT checked.
  5. If a radio button for Create AWS Config service-linked role is available, select it. Otherwise, if a radio button for Use an existing AWS Config service-linked role is available, select that one.
  6. Click Next > Next on the AWS Config Rules page > Confirm.

    Note: We will return to AWS Config later in this lab.

Tag an AMI and EC2 instance
  1. Click Services > EC2.
  2. Click Instances on the left-hand menu.
  3. Select the instance named Mod. 1 Web Server A.
  4. Click Actions > Image > Create Image.
  5. Enter "Base AMI – {yyyy-mm-dd}" and replace "{yyyy-mm-dd}" with today’s date.
  6. Click Create Image > Close.
  7. Click AMIs on the left-hand menu.
  8. Select the AMI with the AMI name you just created.
  9. Select the Tags tab for the AMI.
  10. Click Add/Edit Tags > Create Tag.
  11. Enter "AMI Standard" as the key with "{yyyy-mm-dd}" as the value (replace "{yyyy-mm-dd}" with today’s date).
  12. Click Save.
  13. Once the AMI has a status of available, select the AMI and click Launch.
  14. Click Next: Configure Instance Details.
  15. Leave the defaults, and then click Next: Add Storage > Next: Add Tags.
  16. Click Add Tag.
  17. Enter "Name" as the key > enter "Test Web Server" as the value.
  18. Click Next: Configure Security Group > Select an existing security group.
  19. Select the security group with the description Web.
  20. Click Review and Launch > Continue to confirm that we are leaving port 22 closed.
  21. In the Boot from General Purpose (SSD) dialog, select Make General Purpose (SSD) the boot volume for this instance.
  22. Click Next > Launch.
  23. Since we will not be logging into these servers, select "Proceed without a key pair".
  24. Select the checkbox to confirm and acknowledge the instance connection.
  25. Click Launch Instances > View Instances.

Using the Tag Editor – Part 1: Application Tagging

Module 1 Tagging

  1. Click Resource Groups at the top of the EC2 Management Console > Tag Editor.

  2. Verify that us-east-1 is selected for the Regions section.

  3. Select AWS::EC2::Instance and AWS::S3::Bucket as the resource types.

  4. Click Search resources.

    Note: All the EC2 instances and S3 buckets are shown for this region.

  5. Enter "Mod. 1" in the Filter resources search window, and then select the 2 instances.

  6. Enter "moduleone" in the Filter resources search window, and then select the S3 bucket.

  7. Select the X in the Filter resources search window.

  8. Click Manage tags of selected resources.

  9. Click Add tag.

  10. Enter "Module" as the Tag key > Enter "Starship Monitor" for the Tag value.

  11. Click Review and apply tag changes > Apply changes to all selected.

Module 2 Tagging

  1. Ensure that we are still on the Tag Editor page.

  2. Verify that us-east-1 is selected for the Regions section.

  3. Select AWS::EC2::Instance and AWS::S3::Bucket as the resource types.

  4. Click Search resources.

    Note: All the EC2 instances and S3 buckets are shown for this region.

  5. Enter "Mod. 2" in the Filter resources search window and select the 2 instances.

  6. Enter "moduletwo" in the Filter resources search window and select the S3 bucket.

  7. Select the X in the Filter resources search window.

  8. Click Manage tags of selected resources.

  9. Click Add tag.

  10. Enter "Module" as the Tag key > Enter "Hyper Drive Design and Analysis" for the Tag value.

  11. Click Review and apply tag changes > Apply changes to all selected.

Using the Tag Editor – Part 2: Application Query
  1. Ensure that we are still on the Tag Editor page.
  2. Verify that us-east-1 is selected for the Regions section.
  3. Select AWS::EC2::Instance and AWS::S3::Bucket as the resource types.
  4. Enter "Module" for the Tag key section.
  5. Click on the Optional tag value search window > start typing "Hy", then select the Hyper Drive Design and Analysis text that shows up.
  6. Select Search resources.
  7. Select the link to the EC2 instance for the server with the Tag:Name of "Mod. 2 – Web Server B".

Using Resource Groups

Create Starship Monitor Resource Group

  1. Click Resource Groups > Create Resource Group.
  2. Ensure that Tag based is selected in the Group type section.
  3. Enter "Module" within the Tags field and "Starship Monitor" for the Tag value field.
  4. Click Add.
  5. Click View group resources to preview.
  6. Under the Group Details section, enter "Starship-Monitor" for the Group name field.
  7. Click Create group.

Create Hyper Drive Design and Analysis Resource Group

  1. Click Create Resource Group.
  2. Ensure that Tag based is selected in the Group type section.
  3. Enter "Module" within the Tags field and "Hyper Drive Design and Analysis" for the Tag value field.
  4. Click Add.
  5. Click View group resources.
  6. Enter "Hyper-Drive-Design-and-Analysis" for the Group name field.
  7. Click Create group.

Viewing Saved Resource Groups

  1. Click Saved Resource Groups on the left-hand side.
  2. Click Starship-Monitor.
  3. Navigate to an EC2 instance by clicking on the link in the Group resources section.
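
The tag-based groups created above correspond to a TAG_FILTERS_1_0 resource query. The following Python example is added here and is not part of the original lab: it builds that query and models group membership locally over a constructed inventory, showing that resources with a missing or differently cased Module tag land in neither group. The function names, the bucket name and the mistagged instance are assumptions made for illustration.

```python
import json

EC2, S3 = "AWS::EC2::Instance", "AWS::S3::Bucket"

# Constructed inventory modelled on the lab; "moduleone-bucket" and
# "mistagged-instance" are hypothetical names, not taken from the lab.
INVENTORY = [
    {"name": "Mod. 1 Web Server A", "type": EC2, "tags": {"Module": "Starship Monitor"}},
    {"name": "moduleone-bucket", "type": S3, "tags": {"Module": "Starship Monitor"}},
    {"name": "Mod. 2 – Web Server B", "type": EC2,
     "tags": {"Module": "Hyper Drive Design and Analysis"}},
    {"name": "Test Web Server", "type": EC2, "tags": {"Name": "Test Web Server"}},
    {"name": "mistagged-instance", "type": EC2, "tags": {"module": "starship monitor"}},
]


def tag_group_query(tag_key, tag_values, resource_types=(EC2, S3)):
    """Build the ResourceQuery of a tag-based group (TAG_FILTERS_1_0)."""
    inner = {"ResourceTypeFilters": list(resource_types),
             "TagFilters": [{"Key": tag_key, "Values": list(tag_values)}]}
    # The Query member is itself a JSON-encoded string.
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}


def group_members(resource_query, inventory):
    """Local model of membership: the type must be listed and every filter's
    key must be present with one of its values (exact, case-sensitive)."""
    query = json.loads(resource_query["Query"])
    members = []
    for res in inventory:
        if res["type"] not in query["ResourceTypeFilters"]:
            continue
        if all(res["tags"].get(f["Key"]) in f["Values"] for f in query["TagFilters"]):
            members.append(res["name"])
    return members


def ungrouped(inventory, tag_key, known_values):
    """Resources that fall into none of the groups built on tag_key."""
    return [r["name"] for r in inventory
            if r["tags"].get(tag_key) not in known_values]


if __name__ == "__main__":
    for value in ("Starship Monitor", "Hyper Drive Design and Analysis"):
        print(value, "->", group_members(tag_group_query("Module", [value]), INVENTORY))
    print("ungrouped ->", ungrouped(INVENTORY, "Module",
          {"Starship Monitor", "Hyper Drive Design and Analysis"}))
```

The Test Web Server launched earlier in the lab carries only a Name tag, so it appears in the ungrouped list; a periodic check of this kind is how untagged resources are caught before they escape group-based automation.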

Using AWS Config Rules for Compliance
  1. On the EC2 Management Console page, click Services > EC2.

  2. Click AMIs on the left-hand side menu.

  3. Select the radio button for the "Base AMI – {yyyy-mm-dd}" we created earlier in this lab.

  4. Copy the AMI ID to the clipboard.

  5. Navigate back to the AWS Config Console main page.

  6. Click Rules on the left-hand side menu.

  7. Click Add rule.

  8. Select the approved-amis-by-id rule.

  9. Select the Tags radio button for Scope of changes.

  10. Enter "Module" for the Tag key field.

  11. Enter "Starship Monitor" for the Tag value field.

  12. Paste the AMI ID that we copied to the clipboard earlier into the Value field under the Rule parameters section.

  13. Click Save.

    Note: Let the rule run for a few minutes.

  14. Click the approved-amis-by-id link.

  15. Click on the link for one of the noncompliant resources.
    Note: You may see more non-compliant EC2 instances than shown in the video.
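
The rule configured above can also be expressed as a ConfigRule document. The following Python example is added here and is not part of the original lab: it builds that document for the approved-amis-by-id managed rule with the lab's tag scope, then models the outcome locally to show which instances are flagged and which are never evaluated because they lack the scope tag. The AMI IDs are placeholders, and the function names, the OUT_OF_SCOPE label and the "rebuilt-web-a" instance are assumptions made for illustration.

```python
import json

# Constructed sample data. The AMI IDs are placeholders (the lab's real IDs are
# not on the page) and "rebuilt-web-a" is a hypothetical instance.
BASE_AMI, OTHER_AMI = "ami-BASE-PLACEHOLDER", "ami-ORIGINAL-PLACEHOLDER"
INSTANCES = [
    {"id": "Mod. 1 Web Server A", "image_id": OTHER_AMI, "tags": {"Module": "Starship Monitor"}},
    {"id": "rebuilt-web-a", "image_id": BASE_AMI, "tags": {"Module": "Starship Monitor"}},
    {"id": "Mod. 2 – Web Server B", "image_id": OTHER_AMI,
     "tags": {"Module": "Hyper Drive Design and Analysis"}},
    {"id": "Test Web Server", "image_id": BASE_AMI, "tags": {"Name": "Test Web Server"}},
]


def approved_amis_rule(ami_ids, tag_key, tag_value):
    """ConfigRule document for the managed rule, scoped by tag as in the lab."""
    return {
        "ConfigRuleName": "approved-amis-by-id",
        "Scope": {"TagKey": tag_key, "TagValue": tag_value},
        "Source": {"Owner": "AWS", "SourceIdentifier": "APPROVED_AMIS_BY_ID"},
        # InputParameters is a JSON string; amiIds is a comma-separated list.
        "InputParameters": json.dumps({"amiIds": ",".join(ami_ids)}),
    }


def evaluate(rule, instances):
    """Local model. OUT_OF_SCOPE is this example's label, not a Config status."""
    approved = set(json.loads(rule["InputParameters"])["amiIds"].split(","))
    scope, results = rule["Scope"], {}
    for inst in instances:
        if inst["tags"].get(scope["TagKey"]) != scope["TagValue"]:
            results[inst["id"]] = "OUT_OF_SCOPE"  # the tag scope excludes it
        elif inst["image_id"] in approved:
            results[inst["id"]] = "COMPLIANT"
        else:
            results[inst["id"]] = "NON_COMPLIANT"
    return results


def unchecked_unapproved(rule, instances):
    """Out-of-scope instances that would fail the rule if it covered them."""
    approved = set(json.loads(rule["InputParameters"])["amiIds"].split(","))
    verdicts = evaluate(rule, instances)
    return [i["id"] for i in instances
            if verdicts[i["id"]] == "OUT_OF_SCOPE" and i["image_id"] not in approved]


if __name__ == "__main__":
    print(evaluate(approved_amis_rule([BASE_AMI], "Module", "Starship Monitor"), INSTANCES))
```

Mod. 1 Web Server A is flagged because the Base AMI was created from it, so the instance itself still runs its original image. The document returned by `approved_amis_rule`, saved as JSON, has the shape accepted by `aws configservice put-config-rule --config-rule file://rule.json`.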

Additional Resources

Your company runs many applications in a shared Amazon Web Services (AWS) account with hundreds of instances. The application and security teams want an easy way to find resources associated with a particular application. The AWS tags and resource groups demonstrated in this lab make it easy to identify application components.

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Lab Prerequisites

  • Understand how to log in to and use the AWS Management Console.
  • Understand Amazon Elastic Compute Cloud (EC2) basics, including how to launch an Instance.
  • Understand AWS Identity and Access Management (IAM) basics, including users, policies, and roles.
  • Understand how to use the AWS Command Line Interface (CLI).

