AWS Resource Auto-Tagging Solution
Implementing AWS resource creator traceability and automated tag management based on CloudTrail + EventBridge + Lambda
Solution Overview
Every resource creation is recorded by CloudTrail; the system automatically identifies whether the actor was a person or a CI/CD pipeline, and Lambda then fills in the standardized tags, giving full traceability across the account.
Background and Problems
Current Problems
The following management risks exist in current AWS usage:
| Problem | Specific Manifestation |
|---|---|
| ❌ Resource creator untraceable | Multiple people share one IAM Role, so it cannot be confirmed who created a given EC2 / ECS / Lambda resource |
| ❌ CI/CD and manual mixed together | Cost and responsibility boundaries unclear |
| ❌ Tags inconsistent or missing | Cost allocation difficult, audit and security investigation inefficient |
Business Risks
- FinOps Risk: Costs cannot be accurately attributed
- Operations Risk: Unable to quickly locate responsible person when problems occur
- Management Risk: Not compliant with cloud governance and compliance requirements
Objectives
For any AWS resource, be able to answer the following questions:
- Who created it?
- Is it a person or CI/CD?
- Triggered by which project/repository?
- Which team/cost center does it belong to?
Solution Design
Core Approach
Leverage AWS native audit capabilities to achieve non-invasive, automated, comprehensive resource tagging:
CloudTrail recording → EventBridge triggering → Lambda auto-tagging
Rather than relying on manual tagging, which fails because:
- People forget
- CI is difficult to unify
- Audit cannot guarantee consistency
Clear Distinction between Manual vs CI/CD
| Scenario | CreatedBy | TriggeredBy |
|---|---|---|
| Manual Console / CLI | Specific username | Same as CreatedBy |
| CI/CD Pipeline | github-actions / gitlab-ci | Person who committed code |
👉 Clear responsibility, costs properly attributed
Standardized Tag System
| Tag | Example Value |
|---|---|
| CreatedBy | github-actions / jet.wang |
| TriggeredBy | jet.wang |
| ManagedBy | terraform |
| Repo | org/project |
| Environment | prod |
| CostCenter | research-ai |
| CreatedAt | 2026-01-08T12:30Z |
Coverage Scope
| Resource Type | Coverage |
|---|---|
| EC2 / EBS / AMI | ✅ |
| ECS / Fargate | ✅ |
| Lambda | ✅ |
| RDS / DynamoDB | ✅ |
| VPC / SG / ELB | ✅ |
Covers 95%+ of core cost and risk resources
Technical Implementation
Automation Chain
- Identity: enforce sourceIdentity; CI/CD passes session tags
- CloudTrail: records all resource-creation API calls
- EventBridge: real-time trigger rules
- Lambda: parses the creator and auto-completes the tags
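The parsing and tagging logic behind the automation chain above and the manual-vs-CI/CD distinction table, as an added example in Python that is not part of this solution document. It assumes CI/CD pipelines authenticate through OIDC federation and pass the committer via sourceIdentity, and that per-account Environment/CostCenter defaults come from a constructed lookup table; the sample events are constructed, and the account ID, role IDs and instance ID are placeholders.

```python
# Added example (not from the original document): a minimal auto-tagging Lambda
# for the CloudTrail -> EventBridge -> Lambda chain. Parsing is kept in pure
# functions so it can be exercised offline; only lambda_handler calls AWS.

# Creation events handled here; extend per resource type in the coverage table.
TAGGABLE_EVENTS = {"RunInstances", "CreateFunction20150331"}

# Constructed lookup (assumption): per-account defaults that the API call
# itself cannot reveal. In practice this would be a config table.
ACCOUNT_DEFAULTS = {"123456789012": {"Environment": "prod", "CostCenter": "research-ai"}}

# OIDC providers whose federated sessions identify a CI/CD pipeline.
CI_PROVIDERS = {"token.actions.githubusercontent.com": "github-actions", "gitlab.com": "gitlab-ci"}


def identify_actor(user_identity: dict) -> dict:
    """Map a CloudTrail userIdentity block to CreatedBy / TriggeredBy."""
    ctx = user_identity.get("sessionContext", {})
    provider = ctx.get("webIdFederationData", {}).get("federatedProvider", "")
    # For an assumed role, principalId is "<role-id>:<role-session-name>".
    session_name = user_identity.get("principalId", "").split(":")[-1]
    source_identity = ctx.get("sourceIdentity")  # set only when the role enforces it
    for host, ci_name in CI_PROVIDERS.items():
        if host in provider:
            # CI/CD: the pipeline is the creator; the committer is passed via
            # sourceIdentity (assumed convention), else the session name is used.
            return {"CreatedBy": ci_name, "TriggeredBy": source_identity or session_name}
    if user_identity.get("type") == "IAMUser":
        person = user_identity.get("userName", "unknown")
    else:
        # Shared role: an enforced sourceIdentity beats the free-form session name.
        person = source_identity or session_name or "unknown"
    return {"CreatedBy": person, "TriggeredBy": person}


def detect_tool(user_agent: str) -> str:
    """Derive ManagedBy from the CloudTrail userAgent string."""
    ua = user_agent.lower()
    if "terraform" in ua:
        return "terraform"
    if "console.amazonaws.com" in ua or "aws internal" in ua:
        return "console"
    return "cli" if "aws-cli" in ua else "sdk"


def extract_resource_arns(detail: dict) -> list:
    """Return the ARNs of the resources created by this API call."""
    resp = detail.get("responseElements") or {}
    if detail.get("eventName") == "RunInstances":  # EC2 returns IDs, so build the ARN
        region, acct = detail["awsRegion"], detail["recipientAccountId"]
        items = resp.get("instancesSet", {}).get("items", [])
        return [f"arn:aws:ec2:{region}:{acct}:instance/{i['instanceId']}" for i in items]
    if detail.get("eventName") == "CreateFunction20150331":
        return [resp["functionArn"]] if "functionArn" in resp else []
    return []


def build_tags(detail: dict) -> dict:
    """Assemble the standardized tag set from one CloudTrail record."""
    tags = identify_actor(detail.get("userIdentity", {}))
    tags["ManagedBy"] = detect_tool(detail.get("userAgent", ""))
    tags["CreatedAt"] = detail.get("eventTime", "")
    tags.update(ACCOUNT_DEFAULTS.get(detail.get("recipientAccountId", ""), {}))
    return tags


def lambda_handler(event: dict, context=None) -> dict:
    """EventBridge entry point for 'AWS API Call via CloudTrail' events."""
    detail = event.get("detail", {})
    # Skip unsupported events and calls that failed (nothing was created).
    if detail.get("eventName") not in TAGGABLE_EVENTS or detail.get("errorCode"):
        return {"tagged": []}
    arns = extract_resource_arns(detail)
    if not arns:
        return {"tagged": []}
    tags = build_tags(detail)
    import boto3  # imported lazily so the parsing functions above run offline
    result = boto3.client("resourcegroupstaggingapi").tag_resources(ResourceARNList=arns, Tags=tags)
    return {"tagged": arns, "tags": tags, "failed": result.get("FailedResourcesMap", {})}


# Constructed sample records (not real events): a GitHub Actions pipeline
# launching an instance through Terraform, and a person using the console.
SAMPLE_CI_EVENT = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventName": "RunInstances", "eventTime": "2026-01-08T12:30:00Z",
    "awsRegion": "us-east-1", "recipientAccountId": "123456789012",
    "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
    "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:github-actions",
                     "sessionContext": {"sourceIdentity": "jet.wang", "webIdFederationData": {
                         "federatedProvider": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"}}},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def4567890"}]}},
}}
SAMPLE_CONSOLE_EVENT = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventName": "CreateFunction20150331", "eventTime": "2026-01-08T13:00:00Z",
    "awsRegion": "us-east-1", "recipientAccountId": "123456789012", "userAgent": "console.amazonaws.com",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "userName": "alice"},
    "responseElements": {"functionArn": "arn:aws:lambda:us-east-1:123456789012:function:demo"},
}}
```

The handler refuses to tag anything when the CloudTrail record carries an errorCode, since a failed API call created nothing, and it reports the FailedResourcesMap from the Tagging API so partial failures surface in the Lambda logs rather than silently leaving resources untagged.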
Management Value
💰 Cost Governance (FinOps)
- Costs can be accurately allocated by team / project / CI Pipeline
- No more guessing based on manual estimates
🔍 Audit and Security
- Every resource has a “chain of responsibility”
- Security incidents can be quickly traced to source
🧩 Scalable Governance
- Not dependent on individual habits
- Takes effect automatically for new accounts and new teams
Risks and Boundaries
Known Boundaries
| Type | Description |
|---|---|
| AWS internal system resources | Automatically created resources such as temporary ENIs |
| Object-level operations | S3 PUT, Lambda invoke, etc. |
👉 These do not affect cost or responsibility attribution; acceptable
Implementation Recommendations
Implementation Cost
- 1 Lambda function
- 1 EventBridge Rule
- 1 CloudTrail (usually already exists)
Rollout Approach
- First enable in test account
- Verify Tags and cost billing
- Promote to all organization accounts
This is cloud governance infrastructure that delivers long-term cost transparency, clear ownership, and compliance capability at very low cost.
Next Steps
- One-page executive summary (simplified PPT version)
- Technical implementation checklist for engineering teams
- Integration solution with AWS Control Tower / Organizations