Saving Cloud Costs with Tag Policies: Why Tags Matter More Than You Think

#aws #cloud cost optimization #finops #governance #tag policies
Carmel Amarilio
April 28, 2026


Cloud cost optimization often starts with automation, schedules, or rightsizing, but all of those depend on one fundamental capability: consistent tagging. Without it, you cannot reliably answer the most important cost questions:

  • Who owns this resource?
  • Why does it exist?
  • When should it be turned off or deleted?
  • Is it still needed?

This article focuses on tag policies, why they are critical, and how enforcing them directly saves money across AWS, Azure, and GCP.

More importantly, it explains how a mechanism many engineers initially hate becomes one of the most powerful financial control systems in the cloud. By the end, you’ll see how enforcing five simple tags can transform chaos into accountability and waste into measurable savings.

Why I Changed My Mind About Tags

The first time I encountered an SCP that enforced mandatory tags in AWS — I hated it.

If I forgot a tag, the resource wouldn’t launch.

If I misspelled a tag, it failed.

If I got the casing wrong, it failed again.

It felt like bureaucracy. It slowed me down. It was annoying.

Then I joined my first client.

In our very first alignment meeting, I asked a simple question:

“Who owns this environment?”

The answer revealed something very common in growing cloud environments.

As organizations scale, infrastructure evolves rapidly. Teams build, experiment, iterate, and move forward. Over time, some resources remain active longer than expected, ownership boundaries blur, and visibility decreases, not because of poor practice, but because growth outpaces governance.

At that moment, I understood what that annoying SCP was protecting me from.

That was the point where I decided to implement strict tag enforcement at the client.

The results came quickly.

Within weeks:

  • Every resource had an owner
  • Every service had a purpose
  • Every temporary environment had an expiration date

And suddenly, the cloud environment became understandable.

Shortly after, the cost reduction followed.

What once felt like friction turned out to be financial discipline.

Why Tags Are the Foundation of Cost Control

In cloud environments, resources are easy to create and easy to forget. A single forgotten VM, database, or disk can quietly generate costs for months.

Tags turn anonymous infrastructure into owned, accountable resources.

When tags are enforced:

  • Every resource has an owner
  • Every resource has a purpose
  • Every resource has a lifecycle

This is not just governance; it is financial control.

Without tags, cost optimization becomes guesswork.

With tags, it becomes engineering.

Mandatory Tags: The Minimum You Must Enforce

To make tags useful for cost optimization, they must be:

  • Mandatory
  • Consistent
  • Applied at creation time

Required Tags

The following five tags create a strong baseline for cost-saving automation:

Tag Name          Why It Saves Money
created_by        Helps identify unused test or temporary resources
team_name         Enables cost allocation and accountability
expiration_date   Prevents resources from living forever
working_hours     Enables automated shutdowns
owner             Allows direct communication before cleanup

A resource without these tags is a financial risk.

Enforcing Tag Policies in AWS

In AWS, effective cost control requires two layers of enforcement:

  • Tag Policies – define what tags must exist
  • Service Control Policies (SCPs) – enforce when resources can be created

Together, they ensure that no resource can be created without ownership and lifecycle metadata.

Tag policies create structure.
SCPs create discipline.

Without enforcement, tagging becomes a best-effort habit.
With enforcement, it becomes part of your architecture.

AWS Organizations Tag Policy (Real Example)

The following Tag Policy defines the five mandatory tag keys and enforces their exact spelling and casing on all supported resource types in key services:

{
  "tags": {
    "created_by": {
      "tag_key": { "@@assign": "created_by" },
      "enforced_for": {
        "@@assign": [
          "ec2:ALL_SUPPORTED",
          "rds:ALL_SUPPORTED",
          "lambda:ALL_SUPPORTED",
          "iam:ALL_SUPPORTED",
          "sqs:ALL_SUPPORTED",
          "s3:ALL_SUPPORTED",
          "ecr:ALL_SUPPORTED",
          "eks:ALL_SUPPORTED"
        ]
      }
    },
    "team_name": {
      "tag_key": { "@@assign": "team_name" },
      "enforced_for": {
        "@@assign": [
          "ec2:ALL_SUPPORTED",
          "rds:ALL_SUPPORTED",
          "lambda:ALL_SUPPORTED",
          "iam:ALL_SUPPORTED",
          "sqs:ALL_SUPPORTED",
          "s3:ALL_SUPPORTED",
          "ecr:ALL_SUPPORTED",
          "eks:ALL_SUPPORTED"
        ]
      }
    },
    "expiration_date": {
      "tag_key": { "@@assign": "expiration_date" },
      "enforced_for": {
        "@@assign": [
          "ec2:ALL_SUPPORTED",
          "rds:ALL_SUPPORTED",
          "lambda:ALL_SUPPORTED",
          "iam:ALL_SUPPORTED",
          "sqs:ALL_SUPPORTED",
          "s3:ALL_SUPPORTED",
          "ecr:ALL_SUPPORTED",
          "eks:ALL_SUPPORTED"
        ]
      }
    },
    "working_hours": {
      "tag_key": { "@@assign": "working_hours" },
      "enforced_for": {
        "@@assign": [
          "ec2:ALL_SUPPORTED",
          "rds:ALL_SUPPORTED",
          "lambda:ALL_SUPPORTED",
          "iam:ALL_SUPPORTED",
          "sqs:ALL_SUPPORTED",
          "s3:ALL_SUPPORTED",
          "ecr:ALL_SUPPORTED",
          "eks:ALL_SUPPORTED"
        ]
      }
    },
    "owner": {
      "tag_key": { "@@assign": "owner" },
      "enforced_for": {
        "@@assign": [
          "ec2:ALL_SUPPORTED",
          "rds:ALL_SUPPORTED",
          "lambda:ALL_SUPPORTED",
          "iam:ALL_SUPPORTED",
          "sqs:ALL_SUPPORTED",
          "s3:ALL_SUPPORTED",
          "ecr:ALL_SUPPORTED",
          "eks:ALL_SUPPORTED"
        ]
      }
    }
  }
}

Important: Tag Policies validate tag keys (and values, where you define them) whenever a tag is applied, but they cannot require that a tag be present, so they do not block creation by themselves.

That’s where SCPs come in.

Enforcing Tags at Creation Time with SCPs

Service Control Policies ensure that resources cannot be created unless required tags are provided in the request.

This is where the “annoying” part becomes powerful.

You are no longer asking developers nicely to follow a convention.
You are encoding financial discipline into the platform itself.

Key Design Principles

  • Enforce tags only at creation time
  • Allow break-glass and emergency roles
  • Fail fast: block waste before it exists

SCP Example (Production-Ready)

Two IAM evaluation rules shape this policy. First, an SCP Allow statement can never override a Deny, so the break-glass roles are excluded inside each Deny (ArnNotLike on aws:PrincipalArn) rather than granted by a separate Allow. Second, several keys under one condition operator are ANDed: a single Null block listing all five tags would deny a request only when every tag is missing, and a resource carrying just one of them would slip through. Each mandatory tag therefore gets its own Deny statement. Resources are scoped to the ARN that actually receives the tags (the instance for RunInstances, the db or cluster for RDS) so the Null check is never evaluated against untaggable resources such as subnets or parameter groups referenced by the same API call.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateWithoutCreatedBy",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster", "lambda:CreateFunction",
        "sqs:CreateQueue", "sns:CreateTopic", "ecr:CreateRepository", "eks:CreateCluster"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*", "arn:aws:rds:*:*:db:*", "arn:aws:rds:*:*:cluster:*",
        "arn:aws:lambda:*:*:function:*", "arn:aws:sqs:*:*:*", "arn:aws:sns:*:*:*",
        "arn:aws:ecr:*:*:repository/*", "arn:aws:eks:*:*:cluster/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/created_by": "true" },
        "ArnNotLike": {
          "aws:PrincipalArn": ["arn:aws:iam::*:role/SecurityBreakGlass", "arn:aws:iam::*:role/OrgAdminException"]
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutTeamName",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster", "lambda:CreateFunction",
        "sqs:CreateQueue", "sns:CreateTopic", "ecr:CreateRepository", "eks:CreateCluster"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*", "arn:aws:rds:*:*:db:*", "arn:aws:rds:*:*:cluster:*",
        "arn:aws:lambda:*:*:function:*", "arn:aws:sqs:*:*:*", "arn:aws:sns:*:*:*",
        "arn:aws:ecr:*:*:repository/*", "arn:aws:eks:*:*:cluster/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/team_name": "true" },
        "ArnNotLike": {
          "aws:PrincipalArn": ["arn:aws:iam::*:role/SecurityBreakGlass", "arn:aws:iam::*:role/OrgAdminException"]
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutExpirationDate",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster", "lambda:CreateFunction",
        "sqs:CreateQueue", "sns:CreateTopic", "ecr:CreateRepository", "eks:CreateCluster"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*", "arn:aws:rds:*:*:db:*", "arn:aws:rds:*:*:cluster:*",
        "arn:aws:lambda:*:*:function:*", "arn:aws:sqs:*:*:*", "arn:aws:sns:*:*:*",
        "arn:aws:ecr:*:*:repository/*", "arn:aws:eks:*:*:cluster/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/expiration_date": "true" },
        "ArnNotLike": {
          "aws:PrincipalArn": ["arn:aws:iam::*:role/SecurityBreakGlass", "arn:aws:iam::*:role/OrgAdminException"]
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutWorkingHours",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster", "lambda:CreateFunction",
        "sqs:CreateQueue", "sns:CreateTopic", "ecr:CreateRepository", "eks:CreateCluster"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*", "arn:aws:rds:*:*:db:*", "arn:aws:rds:*:*:cluster:*",
        "arn:aws:lambda:*:*:function:*", "arn:aws:sqs:*:*:*", "arn:aws:sns:*:*:*",
        "arn:aws:ecr:*:*:repository/*", "arn:aws:eks:*:*:cluster/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/working_hours": "true" },
        "ArnNotLike": {
          "aws:PrincipalArn": ["arn:aws:iam::*:role/SecurityBreakGlass", "arn:aws:iam::*:role/OrgAdminException"]
        }
      }
    },
    {
      "Sid": "DenyCreateWithoutOwner",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster", "lambda:CreateFunction",
        "sqs:CreateQueue", "sns:CreateTopic", "ecr:CreateRepository", "eks:CreateCluster"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*", "arn:aws:rds:*:*:db:*", "arn:aws:rds:*:*:cluster:*",
        "arn:aws:lambda:*:*:function:*", "arn:aws:sqs:*:*:*", "arn:aws:sns:*:*:*",
        "arn:aws:ecr:*:*:repository/*", "arn:aws:eks:*:*:cluster/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/owner": "true" },
        "ArnNotLike": {
          "aws:PrincipalArn": ["arn:aws:iam::*:role/SecurityBreakGlass", "arn:aws:iam::*:role/OrgAdminException"]
        }
      }
    }
  ]
}

Result

  • Untagged resources cannot be created
  • Cost leaks are stopped at the source
  • Governance becomes automatic, not manual
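As an added check that is not part of the original article, a small Python linter over an SCP document that catches two shapes that look like tag enforcement but do not enforce it: several aws:RequestTag keys under one Null operator (they are ANDed, so the Deny fires only when every tag is missing) and an Allow statement that tries to exempt break-glass principals (an SCP Allow never overrides a Deny). The sample policies and role names are constructed for this example.

```python
import json

TAG_PREFIX = "aws:RequestTag/"

def lint_scp(policy: dict) -> list:
    """Findings for SCP shapes that look like tag enforcement but do not enforce it."""
    findings = []
    statements = policy.get("Statement", [])
    for st in (statements if isinstance(statements, list) else [statements]):
        sid, cond = st.get("Sid", "<no Sid>"), st.get("Condition", {})
        tag_keys = [k for k in cond.get("Null", {}) if k.startswith(TAG_PREFIX)]
        if st.get("Effect") == "Deny" and len(tag_keys) > 1:
            # Keys under one operator are ANDed: this Deny matches only when ALL tags are absent.
            findings.append(f"{sid}: {len(tag_keys)} RequestTag keys under one Null operator; "
                            "the Deny fires only when every tag is missing. Use one Deny per tag.")
        names_principal = any("aws:PrincipalArn" in v for v in cond.values() if isinstance(v, dict))
        if st.get("Effect") == "Allow" and names_principal:
            # In SCP evaluation an Allow never overrides a Deny, so this exempts nobody.
            findings.append(f"{sid}: an Allow with a principal condition cannot exempt roles from a "
                            "Deny; put ArnNotLike on aws:PrincipalArn inside each Deny instead.")
    return findings

# Constructed sample policies (not from any real account); role names are placeholders.
WEAK_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExcludeBreakGlassRoles", "Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"ArnLikeIfExists": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"}}},
        {"Sid": "DenyMissingTags", "Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"Null": {"aws:RequestTag/owner": "true", "aws:RequestTag/team_name": "true"}}},
    ],
})

# The corrected shape: one Deny per tag, with the break-glass exemption inside the Deny.
FIXED_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": f"DenyMissing{tag}", "Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"},
                       "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"}}}
        for tag in ("owner", "team_name")
    ],
})

def lint_text(policy_json: str) -> list:
    return lint_scp(json.loads(policy_json))
```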

How Tag Policies Directly Save Money

1. Automatic Identification of Waste

With enforced tags, you can instantly find:

  • Resources without an expiration date
  • Resources owned by inactive teams
  • Resources created by CI pipelines and never cleaned up

These are the top sources of cloud waste.

And instead of running expensive discovery projects every quarter, you can simply query your tags.

2. Enabling Safe Automation

Tags like working_hours and owner allow automation to act without breaking trust.

Example automation logic:

  • If current time is outside working_hours
  • Notify the owner
  • Stop the VM if no business justification exists

This avoids both:

  • Unexpected outages
  • Paying for idle compute

3. Preventing “Zombie” Resources

The expiration_date tag is one of the most powerful cost controls.

Resources with an expired date can be:

  • Automatically flagged
  • Reviewed with the owner
  • Stopped or deleted

This prevents environments from surviving long after their purpose is gone.
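As an added example that is not part of the original article, the logic of sections 1 to 3 (find resources with missing tags, act on working_hours, flag an expired expiration_date) in Python over a constructed inventory. The tag value formats (HH:MM-HH:MM in UTC, YYYY-MM-DD, and a 24x7 sentinel for always-on workloads) are assumptions of this example, not conventions the article defines.

```python
from datetime import date, datetime, time
# The five tags this article requires; a resource missing any of them is flagged, not automated.
REQUIRED_TAGS = ("created_by", "team_name", "expiration_date", "working_hours", "owner")

def missing_tags(tags: dict) -> list:
    """Required tag keys that are absent or empty (a gap the SCP should have prevented)."""
    return [k for k in REQUIRED_TAGS if not tags.get(k)]

def outside_working_hours(tags: dict, now: datetime) -> bool:
    """Assumed tag format 'HH:MM-HH:MM' in UTC; '24x7' is an assumed sentinel for always-on."""
    wh = tags.get("working_hours")
    if not wh or wh.lower() == "24x7":
        return False
    start, end = (time.fromisoformat(s) for s in wh.split("-"))
    t = now.time()
    if start <= end:
        return not (start <= t < end)
    return end <= t < start          # window wraps past midnight, e.g. 22:00-06:00

def expired(tags: dict, today: date) -> bool:
    """Assumed format 'YYYY-MM-DD'; an expiration_date in the past marks a zombie resource."""
    exp = tags.get("expiration_date")
    return bool(exp) and date.fromisoformat(exp) < today

def evaluate(resource_id: str, tags: dict, now: datetime) -> dict:
    """One decision per resource: who to notify and which action the automation may take."""
    actions, gaps = [], missing_tags(tags)
    if gaps:
        actions.append("flag_noncompliant")   # never act automatically on untrusted metadata
    if expired(tags, now.date()):
        actions.append("flag_expired")        # review with the owner, then stop or delete
    elif outside_working_hours(tags, now):
        actions.append("stop")                # notify the owner, stop if no justification
    return {"id": resource_id, "owner": tags.get("owner"), "missing": gaps, "actions": actions}

# Constructed sample inventory (not real AWS data); all tag values are illustrative.
INVENTORY = {
    "i-web01": {"created_by": "ci", "team_name": "platform", "expiration_date": "2030-01-01",
                "working_hours": "09:00-18:00", "owner": "alice@example.com"},
    "i-batch02": {"created_by": "ci", "team_name": "data", "expiration_date": "2030-01-01",
                  "working_hours": "22:00-06:00", "owner": "dan@example.com"},
    "i-test07": {"created_by": "bob", "team_name": "qa", "expiration_date": "2024-03-01",
                 "working_hours": "09:00-18:00", "owner": "bob@example.com"},
    "db-legacy": {"owner": "carol@example.com"},
}

def run(now_iso: str) -> list:
    """Evaluate the inventory at an ISO-8601 timestamp (a real job would read tags via boto3)."""
    now = datetime.fromisoformat(now_iso)
    return [evaluate(rid, tags, now) for rid, tags in INVENTORY.items()]
```

A production job would populate the inventory from describe calls and route every "stop" or "flag_*" decision to the tagged owner before acting, which is what keeps the automation from breaking trust.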

Azure and GCP: Same Principle, Different Tools

Although the tooling differs, the cost-saving logic is identical.

Azure

  • Enforce tags using Azure Policy
  • Block creation of untagged resources
  • Use tags for auto-shutdown and cleanup workflows

GCP

  • Enforce labels at the organization or folder level
  • Use labels for billing analysis
  • Drive lifecycle automation from labels

Across all clouds, tags are the control plane for cost.

The Real Cost of Not Enforcing Tags

Teams without tag enforcement typically see:

  • 20–40% wasted cloud spend
  • No clear ownership during incidents
  • Manual, risky cleanup efforts
  • Endless debates instead of automation

Tag policies eliminate guesswork and replace it with data-driven decisions.

Final Thoughts: Tags Are Not Metadata — They Are Policy

Tagging is often treated as a documentation task. In reality, it is a financial safeguard.

When tag policies are enforced:

  • Automation becomes safe
  • Cleanup becomes routine
  • Costs become predictable

If you want to save cloud money consistently, start with tag policies.

Even if they annoy you at first.

Especially if they annoy you at first.

Everything else depends on them.