Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

Cloud Security: Improve Cyber Hygiene with Resource Tagging

Cloud Security: Improve Cyber Hygiene with Resource Tagging

Adopting consistent tagging practices can help to quickly identity resources, ensure change control efforts, and reduce security risks within your cloud environments.

Many organizations use the cloud to quickly deliver and scale applications across multiple cloud platforms. While engineering teams often work in parallel to build, test and deploy code across production and development environments, security teams are also working to continuously monitor and assess their cloud security posture.

As cloud footprints continue to scale, containing cloud costs and ensuring resource asset management have become top priorities. Without an effective plan to manage these changes, organizations can easily lose visibility on resources within their cloud environments. Over time, the number of unused resources will continue to increase, as will the number of resources with excessive permissions and other misconfigurations. Implementing a global tagging strategy provides an effective way to manage resources, control costs and prevent unnecessary risks. While tagging can be done manually, we see clear benefits in using Infrastructure as Code (IaC) to tag your resources.

We understand that IaC doesn't lend itself to every application or configuration; in some cases resources and tags need to be manually created. Some teams may not be using IaC at all, and have to manually deploy and tag resources. For these reasons, we also provide guidance on options available from cloud service providers that can help jumpstart your tagging strategy regardless of which method you choose. 

Why Tagging?

According to Amazon Web Services (AWS), tagging provides an effective way to "manage, identify, organize, search for, and filter resources." While tagging can be used for cost optimization purposes, it can also be used to promote accountability within your organization. When security issues or incidents arise, adding consistent tagging practices enables your security practitioners to easily identify the team that owns any given cloud resource in order to quickly address issues and mitigate risk. 

Getting Started: Establish Requirements

Tagging all of your cloud resources is considered best practice. But where do you begin? Business requirements can dictate whether to take a phased approach to your tagging strategy and help you identify priorities. We recommend identifying your critical services (i.e.: Identity and Access Management [IAM], Compute, etc.) first and applying tags to those resources. From there, you can work with your stakeholders to implement tagging on other services within your cloud environments. 

One of the first items that should be established in your global tagging policy is determining a set of required tags. Depending on business requirements, using a unique and consistent set of tags is ideal. Reviewing whether your required tags are in use by teams internally will help to prevent overlap and conflicts. Other factors to consider are whether application ownership or team names change within your organization. If so, then using tags such as "owner" or "team" may not be useful. Lastly, you should determine how your "required" tags will be applied and enforced.

Tagging using Infrastructure as Code

If your organization is using IaC in some form, your first step should be to work with your stakeholders and understand if, where and how these tools are being used across your cloud environments. Whether you have one cloud account or hundreds of accounts, tags can be easily added into your IaC with just a few lines of code, as shown in the examples below.

Adding tags using CloudFormation

Image: Adding tags using CloudFormation

Adding tags using Terraform

Image: Adding tags using Terraform

In this example, the Location tag value includes the name of the code repository from which the IAM role is deployed. Using Creation Time and Last Activity details, this IAM role was deployed from code and has not been accessed in the last 400 days. Security teams can work with code owners to remove the unused role from the account. 

IAM tags in AWS

Cloud Vendor Support for Tagging

For teams that have yet to embrace tagging using IaC, or simply need a solution to quickly deploy tags, AWS, Microsoft Azure and Google Cloud Platform (GCP) have several options that can help.

  • AWS - Tag Editor provides a centralized solution to view and add tags on your resources across any region within an AWS account. In the example below, Location tags are being applied to two Elastic Compute Cloud (EC2) instances in separate regions.

AWS Tag Editor

  • Azure - Resource Groups provide a great way to apply tags to resources, resource groups and subscriptions. Once you've created and associated resources with your group, you can then assign tags to any of your target resources.

Tagging with Azure Resource Groups

  • GCP - Labels are key/value pairs used to organize existing resources. By adding Labels to your resources, you can easily filter on production versus development resources, teams and services.

Tagging with GCP Labels

All three cloud platforms provide additional services and API support for advanced use cases that will help to audit and enforce tagging practices.

Understand the Benefits

Ensuring cyber hygiene practices though tagging should be a critical part of your cloud security program. Once consistent tagging practices are in place, less time is spent searching for resources and finding owners to address security risks. Below are just some of the benefits of an effective global tagging strategy:

  • Improve incident response time

  • Remediate security risks

  • Prevent privilege escalation

  • Enforce change management policies

  • Identify resource owners

  • Support auditing and compliance efforts

  • Remove unused resources

  • Reduce cloud costs 


Implementing a global tagging strategy will take time and buy-in from teams across the organization. Once these practices are in place, security teams will have improved visibility into cloud assets, enabling them to effectively reduce cyber risk and understand the organization's exposure across any cloud environment.

Learn More:

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.