Auto-tagging AWS resources on creation

Automatically tagging resources can greatly improve the ease of cost allocation and governance. Consistently applied resource tags deliver organizational benefits such as accurate cost allocation, granular access controls, precisely routed operation issues, and simplified resource operating state changes. This blog post provides steps for ensuring your new AWS resources are tagged appropriately.

Solution overview

The auto-tagging solution described in this post applies your organization’s required tags to newly created resources using an automated workflow. It includes a rule created in Amazon CloudWatch Events and an AWS Lambda function.

By following the steps in this post, you create a CloudWatch event rule and a Lambda function to enable the auto-tagging solution explained in this post.

Figure 1 shows this solution’s architecture and its five-step workflow.

Workflow steps

  1. A user creates an AWS resource (a VPC, subnet, S3 bucket, etc.).
  2. AWS CloudTrail logs a resource creation API event.
  3. A CloudWatch event rule watches for resource creation events such as RunInstances, CreateVpc, CreateInternetGateway, CreateSubnet, CreateRole, CreateDBCluster, and CreateBucket. A list of all CloudTrail events can be found here.
  4. The CloudWatch event rule detects an applicable event and then invokes a Lambda function to tag the resources.
  5. Lambda uses the hard-coded tags in the code and tags the new resource.

Solution setup

Follow these steps to set up the auto-tagging solution.

Note: The solution described here only covers EC2 resources such as VPCs, subnets, internet gateways, NAT gateways, instances, volumes, etc. For other resource types, a similar workflow can be created.

Step 1: Set up IAM

You’ll find the AWS Identity and Access Management (IAM) permissions policy document, IAM trust policy document, and Lambda function in this GitHub repo.

Step 2: Select a CloudTrail trail

You need a CloudTrail trail to detect and respond to AWS resource creation API events. If you do not already have a trail, follow the steps in Creating a Trail in the AWS CloudTrail User Guide. Here is an example AWS CLI command for creating a trail for this auto-tagging solution:

aws cloudtrail create-trail --name resource-creation-events --s3-bucket-name blog-demos

Skip this step if a CloudTrail trail that logs management events already exists.

Step 3: Authorize the Lambda function

The resource-auto-tagger Lambda function used in this solution needs permission to interact with other AWS services on your behalf. Create an IAM permissions policy that allows the Lambda function to call the service actions shown in the following table, and then attach that policy to an IAM role that the resource-auto-tagger Lambda function assumes every time it runs. Keep the policy scoped to the actions the function actually needs (for EC2 resources, ec2:CreateTags plus the CloudWatch Logs permissions for its own logging) rather than granting broad EC2 access. You can find an example IAM permissions policy and an example IAM trust policy here.

Step 4: Create the resource-auto-tagger Lambda function

Now, create the Lambda function that performs the resource tagging when it is triggered by the CloudWatch event rule. This Lambda function uses the Python 3.7 runtime.

You can find an example Lambda function handler here.

Step 5: Create a rule in CloudWatch Events

Create a rule in CloudWatch Events that triggers on Amazon EC2 resource creation API calls such as CreateVpc, CreateInternetGateway, CreateSubnet, CreateKeyPair, CreateNetworkInterface, CreateRouteTable, CreateSecurityGroup, CreateVpcPeeringConnection, etc. For details, see Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail in the Amazon CloudWatch Events User Guide. Use the following settings for the rule:

  • For the Event source, choose Event Pattern.
  • For Service Name, choose EC2.
  • For Event Type, choose AWS API Call via CloudTrail.
  • Choose Specific operation(s), and then enter CreateVpc, CreateInternetGateway, CreateSubnet, CreateKeyPair, CreateNetworkInterface, CreateRouteTable, CreateSecurityGroup, CreateVpcPeeringConnection, RunInstances, etc.
  • For Targets, choose the Lambda function you created in Step 4.

Figure 2 shows the Detect-new-resources rule.

Step 6: Verify the auto-tagging functionality

After you deploy your Lambda function and give it the appropriate IAM permissions through an assigned IAM role, create an EC2 resource from the console.

CloudTrail delivers API events within 15 minutes of their occurrence. After you create the instance, wait 15 minutes, and then check the tags assigned to the instance to verify the resource-auto-tagger Lambda function automatically applied the required tags.
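To make the workflow above concrete, here is an added example handler (written for this post, not the handler from the linked GitHub repo) that reads the CloudTrail record inside the CloudWatch event, pulls the new resource IDs out of responseElements, and tags them. The tag values, the responseElements paths per event name, and the optional ec2 keyword argument (which lets the handler run offline against a stub client) are all assumptions of this example.

```python
# Sample tags applied to every new resource (constructed example values).
REQUIRED_TAGS = [
    {"Key": "Owner", "Value": "platform-team"},
    {"Key": "CostCenter", "Value": "1234"},
]

# Where each supported EC2 API call reports the new resource's ID inside the
# CloudTrail record's responseElements (assumed layout, keyed by eventName).
RESOURCE_ID_PATHS = {
    "CreateVpc": ("vpc", "vpcId"),
    "CreateSubnet": ("subnet", "subnetId"),
    "CreateInternetGateway": ("internetGateway", "internetGatewayId"),
    "CreateRouteTable": ("routeTable", "routeTableId"),
    "CreateSecurityGroup": ("groupId",),
    "CreateNetworkInterface": ("networkInterface", "networkInterfaceId"),
    "CreateVpcPeeringConnection": ("vpcPeeringConnection", "vpcPeeringConnectionId"),
}


def extract_resource_ids(detail):
    """Return the IDs of the resources created by the CloudTrail record `detail`."""
    name = detail.get("eventName")
    resp = detail.get("responseElements") or {}
    if name == "RunInstances":  # one call can launch several instances
        return [i["instanceId"] for i in resp.get("instancesSet", {}).get("items", [])]
    node = resp
    for key in RESOURCE_ID_PATHS.get(name, ()):
        node = node.get(key) if isinstance(node, dict) else None
    # Unknown event, or the expected key was missing: tag nothing.
    return [node] if name in RESOURCE_ID_PATHS and node is not None else []


def lambda_handler(event, context, ec2=None):
    """CloudWatch Events target: tag whatever the watched EC2 API call created."""
    detail = event.get("detail", {})
    if detail.get("errorCode"):  # the API call failed, so nothing was created
        return {"tagged": []}
    ids = extract_resource_ids(detail)
    if not ids:
        return {"tagged": []}
    tags = list(REQUIRED_TAGS)
    creator = detail.get("userIdentity", {}).get("arn")
    if creator:  # record who created it, for cost allocation and governance
        tags.append({"Key": "CreatedBy", "Value": creator})
    if ec2 is None:
        import boto3  # real client only when no stub was injected
        ec2 = boto3.client("ec2", region_name=detail.get("awsRegion"))
    ec2.create_tags(Resources=ids, Tags=tags)
    return {"tagged": ids}
```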

Fancy. What about the costs?

The running costs for the solution above are probably way below the price of your lunch (even when working from home).

Conclusion

In this post, I showed how a CloudWatch event rule, triggered when CloudTrail reports a watched API call, invokes a Lambda function that automatically tags newly created EC2 resources with your required tags. By applying the same auto-tagging technique to other service creation API calls, such as the CreateBucket action in Amazon Simple Storage Service (Amazon S3), you can create additional CloudWatch event rules and Lambda functions that automatically tag other AWS resource types as your builders and automation tools create them.
