Effective management of AWS resources starts with the right use of AWS resource tags. AWS resource tags are crucial for identifying and managing untapped or untagged resources. As cloud environments grow, ensuring all resources are tagged correctly becomes essential for optimizing cloud management and controlling costs. This guide will walk you through how to uncover untagged resources using AWS resource tags, providing best practices and strategies to enhance your cloud governance and achieve cost efficiency.

What Are AWS Resource Tags?

AWS resource tags are metadata that you can attach to your AWS resources. Each tag consists of a key and a value, which helps categorize and manage resources effectively. Tags can include information like project names, environment types (e.g., development, staging, production), or cost centers. Proper resource tags allows you to track usage, allocate costs, and enforce governance policies more efficiently.

Why Are AWS Resource Tags Important?

1. Cost Management: AWS resource tags help in breaking down your AWS costs by various dimensions, such as project or department. This visibility allows you to understand where your spending is concentrated and take corrective actions.

2. Resource Organization: AWS resource tags facilitate better organization of resources, making it easier to search and filter them. For example, you can group resources by their lifecycle stage or business unit.

3. Compliance and Security: Resource tags helps in maintaining compliance and enhances security by enabling better monitoring and access control based on tags.

Despite the importance of tagging, many AWS environments often contain untagged resources, which can lead to challenges in resource tracking, cost allocation discrepancies, and security vulnerabilities. Identifying and addressing these untagged resources is key to maintaining a well-organized and

optimized AWS environment. In this blog post, we’ll explore strategies and tools for finding untagged resources on AWS.

Strategies for Finding Untagged Resources

1. Utilize Tag Editor

What is Tag Editor?

AWS Tag Editor is a native AWS tool that allows you to search, manage, and apply tags across multiple resources in one place.

How to Use It:

• Navigate to the AWS Management Console → Resource Groups & Tag Editor.
• Filter resources by region, resource type, and tag key-value pairs.
• Identify untagged resources and update them accordingly.

Why It Matters: Tag Editor provides a centralized way to audit and standardize tagging across AWS services efficiently.

2. Leverage AWS Config Rules

What is AWS Config? 

AWS Config continuously monitors AWS resource configurations and helps ensure compliance with governance policies, including tagging.

How to Use It:

• Create a custom AWS Config rule to check for missing mandatory tags.
• Set up automated remediation actions, such as triggering AWS Lambda to apply default tags or sending alerts via SNS.

Why It Matters: Automating tag compliance reduces manual effort and ensures that all AWS resources adhere to defined tagging policies.

3. Use AWS Cost Explorer

What is AWS Cost Explorer?

AWS Cost Explorer is a financial management tool that helps analyze cloud costs and usage.

How to Use It:

• • Open AWS Cost Explorer → Apply tag-based filters.
  • Identify resources that do not have cost allocation tags.
  • Prioritize tagging based on high-cost untagged resources.

 

Why It Matters: Proper tagging improves cost visibility, enables accurate chargeback/showback reporting, and optimizes budget allocation.

4. Implement AWS Lambda Functions

What is AWS Lambda? 

AWS Lambda lets you run scripts that automate AWS tasks, including scanning for untagged resources.

How to Use It:

• • Deploy a scheduled Lambda function that checks all resources for missing tags.
  • Generate a CSV report or trigger notifications to the appropriate teams.
  • Optionally, apply default tags automatically using the AWS SDK.

Why It Matters: Automating tag checks minimizes manual intervention and ensures continuous compliance with tagging policies.

5. AWS Service Control Policies (SCPs)

What are SCPs?

SCPs allow you to define policies that govern resource usage at an AWS Organization level.

How to Use It:

• • Set up SCPs in AWS Organizations to enforce mandatory tagging.
  • Prevent the creation of resources without specific tags.
  • Ensure organization-wide tagging consistency across accounts.

Why It Matters: SCPs help establish strong governance and security controls by making tagging a mandatory requirement.

6. CUR Athena Query

This SQL query helps analyze AWS resource tags within the AWS Cost and Usage Report (CUR) to identify untagged resources across accounts and services.

How This Query Helps with AWS Resource Tagging:

✅ Counts AWS resources by account and service.
✅ Identifies missing AWS resource tags by checking resource_tags_user_env.
✅ Calculates tagging compliance by measuring the percentage of tagged vs. untagged resources.
✅ Groups data by AWS account and product code for better visibility.

WITH allresources AS (
SELECT
line_item_usage_account_id
, line_item_product_code
, count(DISTINCT line_item_resource_id) AS count_resource
, CASE
WHEN resource_tags_user_env = ” THEN ‘NoTag’
ELSE ‘Tag’
END AS Tag_Status
FROM <CUR Table>

WHERE year=’2024′
GROUP BY line_item_usage_account_id, line_item_product_code, 4 — 4 represents
the Tag_Status column
)
SELECT
line_item_usage_account_id
, line_item_product_code
, sum(count_resource) AS “resources”
, sum(CASE WHEN Tag_Status = ‘Tag’ THEN count_resource ELSE 0 END) AS
“tagged_resources”
, round(sum(CASE WHEN Tag_Status = ‘Tag’ THEN CAST(count_resource AS double)
ELSE 0. END)/ sum(count_resource)  100.,
1) AS “percentage_tagged”
FROM allresources
GROUP BY 1,2

Best Practices for Managing AWS Resource Tags

1. Define a Tagging Strategy: Establish a consistent tagging strategy that aligns with your organizational needs. Define tag keys and values that make sense for your business processes and cost tracking.

2. Automate Tagging: Use automation tools and scripts to ensure new resources are tagged appropriately. AWS Lambda functions and AWS CloudFormation templates can be used to enforce tagging policies.

3. Regular Audits: Conduct regular audits to ensure all resources are tagged correctly. AWS Config rules and AWS Trusted Advisor can help in automating compliance checks.

4. Educate Your Team: Ensure that your team understands the importance of tagging and follows the tagging policy consistently. Regular training and communication can reinforce good tagging practices.