AWS Resource Tagging Standard

Scope: OIT
Type: Standard
Version: 2025

Goal

This standard defines the mandatory and optional tags that must be applied to every AWS resource created by the Windows Server Group (WSG), Enterprise Unix Services (EUS), Middleware, DBA, and Cloud teams. The standard enables multiple “lenses” over the estate — application, cost/billing, operations, security & compliance, and lifecycle—while aligning with current AWS best-practice guidance on cost-allocation, tag policies, and governance.

AWS Tagging Best Practices

Ownership

This standard is owned by the Cloud Center of Excellence. Direct questions to the sponsor of the CCoE, Sarkis Daglian email redacted

Scope

This standard applies to all AWS resources in OIT-managed landing-zone accounts (EC2, RDS, S3, Lambda, containerized workloads, IAM roles, etc.) created after adoption of this guideline.

Timeline & Enforcement

All newly-created resources must include the required tags by the end of 2025.

This standard will be enforced by a monthly compliance report, which will identify out-of-compliance resources. The Cloud Infrastructure team will work with the team owning out-of-compliance resources to bring those resources in to compliance.

Exceptions

Exceptions can be granted by the Cloud Infrastructure team for resources where the standard tags do not apply. This includes resources which do not incur costs, resources which are shared widely between accounts, and other resources on a per-resource basis.

Terminology

Requirements

The following are the mandatory and optional tags defined by this standard.

Mandatory Tags

The following tags are considered mandatory. Their inclusion on AWS resources will be tracked by the monthly compliance report.

Key Example value Purpose / Lens Allowed values and notes
uci:DeploymentSource cmf, tf, manual Identify the deployment source Free-form; 64 chars
uci:RepositorySource OIT-EDOCS/Filenet Name and organization of github repo, optionally as a full url, if not hosted on github.aws.uci.edu [https://github.oit.uci.edu/]/
uci:ProjectID PRJ######, INC#####, other Identify the source of the request to add the resources. ServiceNow Project Number, Ticket Number, or another relevant identifier
uci:CostCenterID FAU-12345, 0123456789 Aligns spend to UCI ledger Valid UC account string, for OIT CORE resources use 0123456789
uci:CostCategory OIT CORE, Cost Recovery, RCIC, DIM Cost Category for recharge. These will be set by the Cloud Infrastructure team. The allowed set is determined by management, and is subject to change.
uci:ProtectionLevel P1, P2, P3, P4 Identify the highest protection level of the data Letter number combination for P level
uci:DataClassification HIPAA Filter assets subject to regulatory controls HIPAA, FERPA, PCI, None
uci:Environment prod, dev, stage, test Identify the environment prod, dev, stage, test, qa, and others according to standard practice within a team.
uci:ServiceName Filenet Identify the service or application Free-form; 64 chars
uci:DRRecoveryLevel R0, R1, R2, R3, R4 Identify the recovery level of the resource Single letter, single number
uci:AvailabilityLevel A1,A2,A3,A4 Identify the availability level of the resource Single letter, single number
uci:SysAdminTeam EUS, WSG, MAI Specifies the name of the admin team Team code
uci:ApplicationTeam TRS, EDOCS, IAM Specifies the name of the application team Team code

Optional Tags

Optional tags are not tracked by the monthly compliance report, but are recommended ways to include specific types of information on AWS resources.

There are no optional Tags at this time. This section is left in place for future, as-needed expansion.

Key Example value Purpose / Lens Allowed values and notes