Automate Tagging of EC2 Instances and EBS Volumes


When reviewing your AWS EC2 usage, you may find instances or volumes without a name, or worse, with a name that tells you nothing. Such a resource might be a complete waste of money, or it might be critical to a production workload, and the console gives you no way to tell.

“DO NOT DELETE” m3.2xlarge instance in us-east-1 costing $388/month

The instances could be several years old, with nobody left in the organization who knows what they do or holds the credentials to connect to them.

To avoid this problem, companies enforce tagging policies: every instance you provision must carry a Name, Owner, Project or similar tag.

There is no additional cost for tagging EC2 instances and volumes…

…however, because people launch instances by hand and through automation scripts, relying on everyone to remember the tags is error-prone.

To catch these cases, I wrote a solution for AWS that automatically tags every new instance with an Owner tag and its volumes with Owner and AttachedInstance tags.

So in the future, if someone encounters an instance or a volume whose purpose is unknown, these tags will at least identify who launched it and what it belongs to.

How does auto-tagging work?

  1. A user (or a script) launches an EC2 instance with the RunInstances API call.
  2. AWS CloudTrail records the API call and delivers it to AWS EventBridge as an event.
  3. An EventBridge rule matching RunInstances events invokes the Lambda function with the CloudTrail record.
  4. AWS Lambda tags the instance and the instance's volumes.

Once the AWS Lambda function is invoked with the instance launch event, it tags the instance with an Owner tag. The value comes from the userIdentity block CloudTrail recorded for the call, so it will be one of the following:

  1. IAM user
  2. Assumed role (for example an Auto Scaling service role, an SSO user, or a cross-account session)
  3. Root user
Instances page, tag at the bottom

In the next stage, Lambda tags all of the instance's volumes with the ‘Owner’ and ‘AttachedInstance’ tags. The ‘Owner’ tag carries the same value as the instance's ‘Owner’ tag, and the ‘AttachedInstance’ tag carries the instance ID, followed by the instance name if the instance has a Name tag.

Volumes page, tags at the bottom
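The handler logic described above, written out as an added example. This is not the code from the post's GitHub repository; it is a stand-alone implementation of the same behaviour, and it also carries the EventBridge rule pattern equivalent to the console choices in steps 13 and 14 below. Assumptions of this example: the EventBridge rule passes the CloudTrail record through unchanged, the Owner value for an assumed role is written as RoleName/SessionName (the post does not specify the exact format), and the function polls DescribeInstances for a few seconds because the event can arrive before the EBS volumes exist (the post only says to raise the timeout to one minute, not how the original code waits). The FakeEC2 client and SAMPLE_EVENT are constructed so the example runs offline; in Lambda, lambda_handler uses the real boto3 client. Reading the volume IDs from BlockDeviceMappings means ec2:DescribeVolumes from the policy in step 10 is not actually needed by this variant.

```python
"""Tag a freshly launched instance and its EBS volumes from the CloudTrail event.

Added example (not the code in the post's GitHub repository); see the lead-in
for the assumptions it makes.
"""
import time

try:
    import boto3  # present in the Lambda runtime; not needed for offline runs
except ImportError:
    boto3 = None

# Rule pattern equivalent to the console choices in steps 13-14 of the post.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["RunInstances"]},
}


def is_run_instances_event(event):
    """Guard mirroring EVENT_PATTERN, in case the rule is broadened later."""
    detail = event.get("detail", {})
    return (event.get("source") == "aws.ec2"
            and event.get("detail-type") == "AWS API Call via CloudTrail"
            and detail.get("eventSource") == "ec2.amazonaws.com"
            and detail.get("eventName") == "RunInstances")


def owner_from_identity(identity):
    """Map CloudTrail's userIdentity block to the Owner tag value.

    CloudTrail reports the principal kinds the post lists as IAMUser,
    AssumedRole (Auto Scaling, SSO and cross-account sessions) and Root.
    """
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName") or identity["arn"]
    if kind == "AssumedRole":
        # arn:aws:sts::123456789012:assumed-role/RoleName/Session -> RoleName/Session
        arn = identity["arn"]  # assumption: this format is this example's choice
        return arn.split(":assumed-role/", 1)[1] if ":assumed-role/" in arn else arn
    if kind == "Root":
        return "Root"
    return identity.get("arn", "unknown")


def instance_ids_from_event(event):
    """RunInstances lists every launched instance in responseElements.instancesSet.

    A failed call, or a response CloudTrail dropped for size (note 3 of the
    post), carries no instancesSet: return [] instead of raising inside Lambda.
    """
    detail = event["detail"]
    if detail.get("errorCode"):
        return []
    response = detail.get("responseElements") or {}
    items = (response.get("instancesSet") or {}).get("items") or []
    return [item["instanceId"] for item in items if "instanceId" in item]


def describe_with_volumes(ec2, instance_ids, attempts=10, delay=3):
    """Poll DescribeInstances until each instance shows its EBS volumes (assumed strategy)."""
    instances = []
    for attempt in range(attempts):
        resp = ec2.describe_instances(InstanceIds=instance_ids)
        instances = [i for r in resp["Reservations"] for i in r["Instances"]]
        if all(any("Ebs" in m for m in i.get("BlockDeviceMappings", [])) for i in instances):
            break
        if attempt < attempts - 1:
            time.sleep(delay)
    return instances


def tag_launch(event, ec2):
    """Tag the instance(s) and their volumes; returns {instance_id: [volume_ids]}."""
    ids = instance_ids_from_event(event)
    if not ids:
        return {}
    owner = owner_from_identity(event["detail"]["userIdentity"])
    ec2.create_tags(Resources=ids, Tags=[{"Key": "Owner", "Value": owner}])
    tagged = {}
    for inst in describe_with_volumes(ec2, ids):
        iid = inst["InstanceId"]
        name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
        attached = f"{iid} ({name})" if name else iid
        volumes = [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
        if volumes:
            ec2.create_tags(Resources=volumes, Tags=[{"Key": "Owner", "Value": owner},
                                                     {"Key": "AttachedInstance", "Value": attached}])
        tagged[iid] = volumes
    return tagged


def lambda_handler(event, context):
    """Lambda entry point; the inline policy from step 10 covers every call made here."""
    return tag_launch(event, boto3.client("ec2")) if is_run_instances_event(event) else {}


class FakeEC2:
    """Stand-in for the boto3 EC2 client so the example runs offline (constructed)."""

    def __init__(self, fleet):
        self.fleet = fleet  # {instance_id: {"name": str | None, "volumes": [volume_id, ...]}}
        self.tags = {}      # resource_id -> {tag key: value}, i.e. what CreateTags applied

    def create_tags(self, Resources, Tags):
        for rid in Resources:
            self.tags.setdefault(rid, {}).update({t["Key"]: t["Value"] for t in Tags})
        return {}

    def describe_instances(self, InstanceIds):
        instances = [{
            "InstanceId": iid,
            "Tags": [{"Key": "Name", "Value": spec["name"]}] if spec.get("name") else [],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": v}}
                                    for v in spec["volumes"]],
        } for iid, spec in ((i, self.fleet[i]) for i in InstanceIds)]
        return {"Reservations": [{"Instances": instances}]}


# Constructed CloudTrail event trimmed to the fields the handler reads; ids are made up.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsRole/alice"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    },
}


def demo():
    """Run the handler against SAMPLE_EVENT with the fake client; returns the tags applied."""
    ec2 = FakeEC2({"i-0123456789abcdef0": {"name": "web-1", "volumes": ["vol-0aaa", "vol-0bbb"]}})
    tag_launch(SAMPLE_EVENT, ec2)
    return ec2.tags


if __name__ == "__main__":
    for resource, tags in demo().items():
        print(resource, tags)
```

Running the file prints the Owner tag on the instance and the Owner plus AttachedInstance tags on both volumes. The two edge cases in the notes at the end of the post are handled explicitly: an event whose RunInstances call failed, or whose response CloudTrail dropped, tags nothing and returns instead of throwing.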

How to implement:

1. Go to the CloudTrail page and click on “Create trail”.
2. Give the trail a name.


3. Scroll down and set a name for the CloudTrail S3 bucket. Then click on Create.


4. Navigate to the Lambda dashboard, and click on “Create function”.


5. Give the function a name, select “Python 3.8” (or the newest Python 3 runtime offered, since AWS retires older runtimes over time) in the Runtime dropdown, and click on “Create Function”.


6. Paste the code from the GitHub repository into the function editor, and click on “Save”.


7. Scroll down to the “Basic settings” box, click on the Edit button, increase the function's timeout to 1 minute, and click on Save.


8. Scroll back up and click on Permissions. Then click on the Role name.


9. Click on the “Add inline policy” button.


10. Click on the JSON button, paste the following IAM policy, and click on Review policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        }
    ]
}

This policy allows the Lambda function to discover the instance's volumes and to tag the instance and its volumes, and nothing more: CreateTags is scoped to instance and volume ARNs, so the role cannot tag any other resource type. The execution role the console created already carries the basic CloudWatch Logs permissions the function needs to write its logs. To tighten it further, add an aws:TagKeys condition on the CreateTags statement that limits it to the Owner and AttachedInstance keys.

11. Give the policy a name and click on Create policy.


12. Go back to the Lambda tab in your browser, and click on “Add trigger”.


13. Click on “Select a trigger”, search for EventBridge, and then click on “Create a new rule” in the Rule dropdown.

Give your rule a name and description.

Under “Rule type”, select the Event pattern radio button.

In the first dropdown, choose EC2, and in the second dropdown, select AWS API call via CloudTrail.


14. Scroll down, tick the Operation checkbox, and under Operation type RunInstances. Then click on the Add button to create the event trigger. The resulting rule matches events with source aws.ec2, detail-type “AWS API Call via CloudTrail” and eventName RunInstances.


15. Finally, launch a test instance to check that everything works.

After a few seconds, the Lambda function will automatically tag the instance and its volume(s).

Refresh the page and check the instance tags; if nothing appears, the function's CloudWatch log group is the first place to look.

Notes:

  1. This solution tags only instances launched after the Lambda function is in place; instances that already exist stay as they are.
  2. If you have just turned on the CloudTrail trail, it can take up to an hour before EventBridge starts invoking the function.
  3. CloudTrail's response size is limited to 500 KB. If you launch a large number of instances with one API call, the event will not carry the instance IDs and the Lambda function will not be able to tag those instances, so the function should treat a missing instance list as nothing to do rather than fail.
  4. EventBridge rules are regional. If you work in multiple regions, deploy the rule and the function in every region where instances are launched.

