AWS accounts tagging schema
This policy defines the standards for applying metadata to AWS resources across the Cabinet Office. Consistent tagging is essential for cost tracking, security auditing, and automated resource management.
Core principles
- Standardisation: use lowercase letters and hyphens for all tag keys (for example, team-name).
- Automation: apply tags at the point of creation using Infrastructure as Code (Terraform or CloudFormation).
- Enforcement: compliance is monitored via AWS Tag Policies and AWS Config rules. Untagged resources may be subject to automated isolation or shutdown.
Mandatory tags
The Request an AWS account application automatically applies specific metadata tags to all resources at the AWS organisation level. These tags ensure every AWS account has the metadata associated with the organisation’s operational and financial needs.
You cannot currently edit or manage these organisation tags.
Ownership and operational
- account-name
- description
- organisation
- team-name
- team-email-address
- team-lead-name
- team-lead-email-address
- team-lead-phone-number
- team-lead-role
- service-name
Security and support
- service-is-out-of-hours-support-provided
- security-requested-alert-priority-level
- security-critical-resources-description
- security-does-account-hold-pii
- security-does-account-hold-pci-data
Billing
- billing-cost-centre
- billing-business-unit
- billing-business-unit-subsection
Conditional tags
These tags are recommended to provide additional granularity for specific service support needs.
- out-of-hours-support-contact-name
- out-of-hours-support-phone-number
- out-of-hours-support-pagerduty-link
- out-of-hours-support-email-address
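The schema above can be checked mechanically against an account's tags. The following audit is an added example, not Cabinet Office code: the function names, the sample data, the stricter hyphen handling, and the rule that the conditional tags are expected when service-is-out-of-hours-support-provided is "true" are all assumptions.

```python
import re

# "Core principles": lowercase letters and hyphens. Rejecting leading, trailing
# or doubled hyphens is an added strictness, not something the policy states.
KEY_FORMAT = re.compile(r"[a-z]+(?:-[a-z]+)*")

MANDATORY = {
    "account-name", "description", "organisation", "team-name",
    "team-email-address", "team-lead-name", "team-lead-email-address",
    "team-lead-phone-number", "team-lead-role", "service-name",
    "service-is-out-of-hours-support-provided",
    "security-requested-alert-priority-level",
    "security-critical-resources-description",
    "security-does-account-hold-pii", "security-does-account-hold-pci-data",
    "billing-cost-centre", "billing-business-unit",
    "billing-business-unit-subsection",
}
CONDITIONAL = {
    "out-of-hours-support-contact-name", "out-of-hours-support-phone-number",
    "out-of-hours-support-pagerduty-link", "out-of-hours-support-email-address",
}

# Constructed sample: all mandatory tags set, but one key uses the wrong case.
SAMPLE = {k: "example" for k in MANDATORY - {"team-name"}}
SAMPLE.update({"Team-Name": "platform",
               "service-is-out-of-hours-support-provided": "true",
               "out-of-hours-support-contact-name": "On-call engineer"})


def audit_tags(tags):
    """Return findings for one account's tag dict, grouped by kind."""
    # A key with a blank value carries no metadata, so treat it as missing.
    present = {k for k, v in tags.items() if str(v).strip()}
    findings = {
        # AWS tag keys are case-sensitive: "Team-Name" does not satisfy "team-name".
        "bad-key-format": sorted(k for k in tags if not KEY_FORMAT.fullmatch(k)),
        "missing-mandatory": sorted(MANDATORY - present),
        "missing-recommended": [],
    }
    # Assumption: the out-of-hours contact tags are expected only when the
    # account declares out-of-hours support with the string value "true".
    declared = str(tags.get("service-is-out-of-hours-support-provided", ""))
    if declared.strip().lower() == "true":
        findings["missing-recommended"] = sorted(CONDITIONAL - present)
    return findings


def is_compliant(tags):
    """Compliant means no malformed keys and no missing mandatory tags."""
    findings = audit_tags(tags)
    return not (findings["bad-key-format"] or findings["missing-mandatory"])
```

Running audit_tags(SAMPLE) reports the mis-cased key twice, once as a format violation and once as a missing mandatory tag, which is how a single casing slip tends to surface in cost and security reports.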
This page was last reviewed on 9 September 2025.