Links:

• https://www.duckbillgroup.com/blog/aws-cost-allocation-guide-tagging-best-practices/
• https://www.duckbillgroup.com/blog/aws-cost-allocation-guide-identifying-your-costs/

Transcript

Corey: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit lacework.com. 

Jesse: Hello, and welcome to the AWS Morning Brief: Fridays From the Field. I’m Jesse DeRose.

Amy: I’m Amy Negrette.

Tim: And I’m Tim Banks.

Jesse: This is the podcast within a podcast where we talk about all the ways we’ve seen AWS used and abused in the wild, with a healthy dose of complaining about AWS for good measure. Today, we’re actually going to talk about a very specific listener question that we didn’t get to last week, but really, we had so many thoughts on this topic that we wanted to break it out into its own episode. So, today we’re going to be talking about tagging, and the importance of tagging, and how tagging can be used. And when I say tagging, specifically we’re talking about user-defined cost allocation tags. The original question that I’ll read off was from [Aaron 00:00:58].

Aaron asks, “Is tagging over-recommended as a cost reporting mechanism? I recently took on managing my company’s AWS bill and when talking to AWS and reading third-party blog posts about cost management, a solid tagging strategy is often extolled this step zero for understanding AWS costs. Based on what I know about AWS so far, this approach seems like it may work for some aspects of cost management, but does not seem to be a sound strategy for more formal cost reporting, like budgeting or calculating total spend for a given product or cost center. To me, these activities require complete or near-complete accuracy the tags just don’t seem to be able to provide since there are some costs like data transfer that aren’t tagged, and the fact that the tags are not retroactive—” that’s a big one that I can say is super frustrating for me. “Is there something I’m missing here? Is there in fact, a way to use these tags to ensure that 100% of an AWS account’s costs are in fact attributed back to a specific cost center accurately? It seems drastically simpler to embrace a multi-account strategy where each account is simply billed to whatever cost center makes sense to the organization.” So, Amy and Tim, again, the main question here is, is tagging over-recommended as a cost reporting mechanism?

Tim: The simple answer is no, it is not over-recommended. And the question makes a lot of good points around some of the heartaches and some the problems that come with tagging, specifically about tags not being retroactive, but, if you’re going to make changes to reflect changes in the past, I mean, you know, I don’t really have a good answer for that, if we’re being honest. But if we’re talking about going forward, tracking costs from this point forward, tagging is going to be a much more concise solution than using multi-account strategy. That said, there are a lot of reasons you should use multi-account strategy and tagging together. Multi-account strategy and tagging strategies should definitely be an ‘and’ situation, not an ‘or’ situation. That’s like pizza or steak. No. It’s both pizza and steak.

And I feel like because there are a number of non-cost reasons to use multiple accounts, especially in AWS, the biggest concern of which are service limits, right? Service limits, as you know, are done by account by region, so, if I have a service limit of S3 buckets that I can create—and I think that the hard limit is, like, one thousand—once I need that one thousandth and one S3 bucket, I have to create another account. That account can still be production, it can still be for all the same things that I’ve used for anything else, but I had to add another account so I can spin up S3 buckets. So, how do I track those, what those buckets are for, what those costs are going to be? I’m going to track those with tags.

And I’m going to track those tags from the payer account, or from up in the organization. So, as you set up multiple accounts, you can have—even if they’re all production, they still need to be tagged. Even if they’re all dev, they still need to be tagged. If you’re using the account vending machine style stuff from Control Tower where you spin up a sandbox account, you run some stuff, and then you throw it away, tagging is going to be the best way to track those costs, not just the fact that this account is named a certain thing. Names are arbitrary; they don’t really reflect necessarily what they’re going to be for, accounts can come and go.

So, I don’t necessarily like the use of name. Plus, sometimes it’s hard to do that if you’re doing, like, [unintelligible 00:04:21] various countries and things like that, various languages. Different things can impart different meanings. Tags also still probably use language problems, but they are arbitrary values. You know you’re going to try and lump these all together; that’s all that matters.

So, I definitely think that, if we’re using tagging, tagging is going to let you be more concise with your costs, it’s going to let you apply costs across different accounts more readily, it’s going to let you apply costs across different cloud providers, especially if you use one of the CMP tools like CloudHealth, or Cloudcheckr, or something like that and you run production workloads from a single cost center across multiple clouds, you’re going to want to tag those in those tools, so, that way, you can keep a consistent track and more concise tracking of costs, versus just using account names. Account names after a while is going to just become unmanageable when it comes to tracking costs.

Amy: I totally agree. And one of the big things that I harp on, especially on this podcast, is that if you’re worried that it’s not going to be as explicit as other billing methods, you will still at least have that data. You will still know per resource—if it’s properly tagged—who it’s supposed to be charged to and who owns it. You would make that decision on an architectural level, you should also make it for your bill, just to make sure that if you ever need that information in the future, you can go get it. You’re not going to get it—since they don’t happen retroactively, then you may as well do it as early as possible.

Jesse: Yeah. It’s super frustrating that a lot of this information is not available retroactively. And while I understand the technical limitations to that, I can’t harp enough why starting to tag resources early is super, super critical to understanding that spend, and using that tagging setup, that tagging policy, to better understand your spend in a number of different ways. But ...