A cloud tagging strategy that survives contact with reality

We have inherited tagging policies with 40 mandatory tags. Adherence was around 15%. The cost report built on top was fiction. A tagging strategy is only as good as the percentage of spend it can actually attribute, and that percentage is almost always the thing nobody measures.

Five tags, not forty

We start with the smallest set that answers the questions finance and engineering actually ask. For most clients that is owner, environment, cost-center, service, and team. Everything else is optional metadata. If a tag does not change a decision, it does not belong in the mandatory list.

owner - a person or team that can answer for the spend
environment - prod, staging, dev (drives the biggest cost split)
cost-center - the line finance reconciles against
service - the product or system the resource belongs to
team - who to ask when service is ambiguous

Enforce at the gate, not in a meeting

Manual tagging never reaches 90%. We enforce required tags in the IaC pipeline - a Terraform default_tags block plus a policy check (OPA/Conftest or tflint) that fails the plan if a required tag is missing. For the AWS-native route, Tag Policies plus an SCP that denies resource creation without the keys. The point is that the wrong place to discover a missing tag is the monthly bill.

If a tag can be skipped, it will be skipped. Enforcement at deploy time is the only policy that holds.

bash

default_tags {
  tags = {
    environment = var.environment
    cost-center = var.cost_center
    service     = var.service
    owner       = var.owner
    team        = var.team
  }
}

Plan for what you cannot tag

Data transfer, shared NAT gateways, support charges, and a lot of marketplace spend simply do not carry tags. We see 10-25% of a bill land in this untaggable bucket. Pretending it does not exist breaks every chargeback model. Instead we split shared costs by a proportional key - usually each team's tagged share of compute - and we document the rule so nobody argues about it later.

Once enforcement is live, attribution climbs from the usual 60% to above 95% within two billing cycles, and the cost report stops being a source of arguments.

Five tags, not forty

owner - a person or team that can answer for the spend

environment - prod, staging, dev (drives the biggest cost split)

cost-center - the line finance reconciles against

service - the product or system the resource belongs to

team - who to ask when service is ambiguous

Enforce at the gate, not in a meeting

If a tag can be skipped, it will be skipped. Enforcement at deploy time is the only policy that holds.

bash

default_tags {
  tags = {
    environment = var.environment
    cost-center = var.cost_center
    service     = var.service
    owner       = var.owner
    team        = var.team
  }
}

Plan for what you cannot tag

Once enforcement is live, attribution climbs from the usual 60% to above 95% within two billing cycles, and the cost report stops being a source of arguments.

A cloud tagging strategy that survives contact with reality

Five tags, not forty

Enforce at the gate, not in a meeting

Plan for what you cannot tag

João Matos

Other notes from the team.

The FinOps audit: where the money actually goes

Rightsizing compute without breaking things

Commitments done right: reserved instances, savings plans, and spot

A cloud tagging strategy that survives contact with reality

Five tags, not forty

Enforce at the gate, not in a meeting

Plan for what you cannot tag

João Matos

Other notes from the team.

The FinOps audit: where the money actually goes

Rightsizing compute without breaking things

Commitments done right: reserved instances, savings plans, and spot