Best Practices

Follow these best practices to get the most out of TagOps while maintaining security, performance, and cost-efficiency.

AWS Account Management

Account Setup

Do:

  • Use descriptive account names (e.g., "Production-US", "Dev-Environment")
  • Enable CloudTrail in all accounts for event-based tagging
  • Configure multi-region CloudTrail trails
  • Use CloudFormation for consistent IAM role setup
  • Document custom role configurations

Don't:

  • Use generic names like "Account1" or "AWS"
  • Skip CloudTrail setup (limits real-time tagging)
  • Manually create IAM roles (error-prone)
  • Modify CloudFormation-created roles without documentation
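The following is an added example, not TagOps code, showing how the "Account Setup" items above can be made repeatable: it generates the cross-account IAM role as a CloudFormation template whose trust policy requires an auto-generated External ID, and it audits trust policies and CloudTrail trail records for the settings the checklist asks for (multi-region trail, log file validation). The TagOps account ID, the role name and the permission set are placeholders and assumptions, not values from the page.

```python
"""Added example (not TagOps code): build the cross-account role the page
recommends creating with CloudFormation, and audit trust policies and
CloudTrail trails for the settings the checklist asks for.
Assumptions (not from the page): the TagOps account ID, the role name and the
exact permissions the role needs are placeholders."""
import json
import secrets

TAGOPS_ACCOUNT_ID = "111111111111"    # placeholder account ID, not a real TagOps account
ROLE_NAME = "TagOpsCrossAccountRole"  # assumed role name


def new_external_id() -> str:
    """Auto-generated External ID from the OS CSPRNG; handle it like a secret."""
    return secrets.token_urlsafe(32)


def trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust exactly one account, and only when it presents the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def role_template(trusted_account: str, external_id: str) -> dict:
    """CloudFormation template: AWS ReadOnlyAccess plus the Resource Groups
    Tagging API actions (assumed to be what a tagging tool needs)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "TagOpsRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": ROLE_NAME,
                    "AssumeRolePolicyDocument": trust_policy(trusted_account, external_id),
                    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
                    "Policies": [{
                        "PolicyName": "TagOpsTagging",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Action": ["tag:GetResources", "tag:TagResources",
                                           "tag:UntagResources"],
                                "Resource": "*",
                            }],
                        },
                    }],
                },
            },
        },
    }


def audit_trust_policy(doc: dict) -> list[str]:
    """Findings for an AssumeRole trust policy a reviewer would send back."""
    findings = []
    for st in doc.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif len(ext) < 16:
            findings.append("External ID is short or guessable; use an auto-generated value")
    return findings


def audit_trails(trail_list: list[dict]) -> list[str]:
    """Findings over records shaped like CloudTrail describe_trails()['trailList']."""
    if not trail_list:
        return ["no trail configured: event-based tagging will not fire"]
    findings = []
    for t in trail_list:
        name = t.get("Name", "?")
        if not t.get("IsMultiRegionTrail"):
            findings.append(f"{name}: not a multi-region trail")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{name}: log file validation disabled")
    return findings


if __name__ == "__main__":
    print(json.dumps(role_template(TAGOPS_ACCOUNT_ID, new_external_id()), indent=2))
    # Constructed sample: a single-region trail, which the audit flags
    print(audit_trails([{"Name": "main", "IsMultiRegionTrail": False,
                         "LogFileValidationEnabled": True}]))
```

Keep the generated External ID out of the template you check into source control; pass it in as a stack parameter at deploy time so it never appears in a public repository or a shared document.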

Region Configuration

  • Select only regions where you have resources
  • Include disaster recovery regions even if normally empty
  • Update region configuration when expanding infrastructure
  • Consider compliance requirements for data locality

Service Configuration

  • Start with core services: EC2, S3, Lambda, RDS
  • Add services as needed rather than enabling all
  • Regularly review and remove unused service configurations
  • Document why specific services are excluded

Tagging Strategy

Rule Design

Do:

  • Create rules that are specific and targeted
  • Use Start Rule for universal tags (e.g., ManagedBy: TagOps)
  • Name rules descriptively (e.g., "tag-ec2-production-env")
  • Document rule purpose and conditions

Don't:

  • Create overly broad rules that match everything
  • Use conflicting rules (later rules override earlier ones)
  • Delete rules - disable instead for historical reference
  • Create duplicate rules with different names

Tag Naming

Recommended Tags:

  • Environment (Production, Staging, Development)
  • Owner (team or individual email)
  • Project (project or application name)
  • CostCenter (for billing allocation)
  • ManagedBy (e.g., "TagOps")

Naming Conventions:

  • Use PascalCase: Environment, CostCenter, BusinessUnit
  • Be consistent across all resources
  • Use clear, self-explanatory names
  • Avoid abbreviations unless widely understood

Tag Values

  • Use standard values: "Production" not "prod", "PROD", "production"
  • Create an organization tag library
  • Document valid values for each tag
  • Validate tag values where possible

Scanning Configuration

Scan Scheduling

Recommended Schedules:

  • Daily scans: Most common, good balance
  • Schedule Time: 2-4 AM local time (low activity)
  • Avoid: Peak business hours
  • Consider: AWS API rate limits

Scan Frequency Guidelines:

  • High-change environments: Daily
  • Stable environments: Weekly
  • Development: Daily
  • Production: Daily with off-hours scheduling

Performance Optimization

  • Scan during low-activity periods
  • Use service filtering to scan only needed services
  • Limit regions to those actually in use
  • Monitor scan duration and adjust as needed
  • Implement batch processing for large inventories

Security Best Practices

Access Control

Do:

  • Follow principle of least privilege
  • Use ReadOnly role for most users
  • Limit Administrator role to 2-3 people
  • Regularly review user access
  • Remove departed employees immediately
  • Enable MFA for Administrator accounts

Don't:

  • Share user accounts
  • Grant PowerUser to everyone
  • Leave test accounts active
  • Ignore failed login attempts

Authentication

  • Enforce strong password policies
  • Enable MFA for all users (especially Administrators)
  • Rotate credentials regularly
  • Monitor authentication logs
  • Set appropriate session timeouts
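The "Don't ignore failed login attempts", "Leave test accounts active" and "Monitor authentication logs" items above are only useful if something actually reads the logs. The following added example (not TagOps code) runs two checks over a constructed authentication log: a sliding-window count of failed logins per user, and a list of accounts with no successful login in the idle period. The line format, the threshold and the window are assumptions for this example; adapt the regular expression to the real log source.

```python
"""Added example (not TagOps code): detections over a constructed
authentication log. Line format, threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: ISO timestamp, user, SUCCESS/FAILURE, source IP
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) ip=(?P<ip>\S+)$")

# Constructed sample log (RFC 5737 documentation addresses)
SAMPLE_LOG = """\
2024-05-01T02:00:01Z user=alice result=SUCCESS ip=203.0.113.10
2024-05-01T02:01:10Z user=test-account result=FAILURE ip=198.51.100.7
2024-05-01T02:01:15Z user=test-account result=FAILURE ip=198.51.100.7
2024-05-01T02:01:20Z user=test-account result=FAILURE ip=198.51.100.7
2024-05-01T02:01:25Z user=test-account result=FAILURE ip=198.51.100.7
2024-05-01T02:01:30Z user=test-account result=FAILURE ip=198.51.100.7
2024-05-01T02:01:35Z user=test-account result=FAILURE ip=198.51.100.7
2024-05-01T02:30:00Z user=bob result=FAILURE ip=203.0.113.10
2024-05-01T02:30:20Z user=bob result=SUCCESS ip=203.0.113.10
"""


def parse(log: str) -> list:
    """Parse log text into (timestamp, user, result, ip) tuples; skip unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # in a real pipeline, count these so a format change is noticed
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["result"], m["ip"]))
    return events


def failed_login_bursts(events: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> dict:
    """Users with at least `threshold` failures inside any sliding `window`.
    Returns user -> highest failure count seen in one window."""
    failures = defaultdict(list)
    for ts, user, result, _ in events:
        if result == "FAILURE":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def stale_accounts(events: list, known_users: set, now: datetime,
                   max_idle: timedelta = timedelta(days=90)) -> list:
    """Accounts with no successful login within `max_idle` (or ever): review and remove."""
    last_success = {}
    for ts, user, result, _ in events:
        if result == "SUCCESS":
            last_success[user] = max(last_success.get(user, ts), ts)
    return sorted(u for u in known_users
                  if u not in last_success or now - last_success[u] > max_idle)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evts))
    print("stale accounts:", stale_accounts(
        evts, {"alice", "bob", "carol", "test-account"},
        now=datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

Both outputs map back to the checklist: a burst against one account is the signal behind "Ignore failed login attempts", and the stale list is the input to "Leave test accounts active" and "Remove departed employees immediately".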

External ID Security

  • Use auto-generated External IDs
  • Never share External IDs publicly