I am looking for some guidance from the serverfault community.

We are spinning up several new AWS instances (windows server 2008/2012) over the next few days. We have a naming convention in place for AWS, and tags so we can keep track of owner, date created, domain joined and cost center.

I am trying to figure out a good method to 'auto-tag' instances.

The use case would go like this:

Script (powershell/or app of some sort) would poll AWS each night at midnight and look for instances missing tags. Once the instance(s) have been found, it would then attempt to append the IP address of the instance as the AWS name and a predetermined set of default tags to keep track of the previously 'untagged' instance(s).

Anyone familiar with this? I am not very good at scripting, but am willing to try, but am unsure where to look.

Thanks

Scott Moore
    How are the un-tagged instances being created in the first place? **That's** the problem you need to solve. Write a wrapper around your AWS API of choice, requiring the needed information from staff before an instance will even get created. – EEAA Mar 19 '14 at 01:24
  • The un-tagged instances are being created manually, as these instances are being launched manually from the AWS console. – Scott Moore Mar 19 '14 at 01:38

2 Answers


First, before I get to the real answer, I'm going to explain why I'm not directly answering your question. Sure, you could likely write up some script that would do what you wanted. It would solve this problem, but would do nothing at all to solve the dozens of other potential problems you'll run into sooner or later.

So with that, here's the real answer...


You've run afoul of the most important rule when using AWS for anything serious: the web console is for inspection only, not making changes. It is just plain too easy to forget steps, mess things up, terminate the wrong instance, etc. when using the web console.

When creating instances, you and your staff should only be using one of the many technologies AWS provides to create resources in a controlled, reliable, repeatable manner.

At the very least, get to know the AWS PowerShell Tools. After you've familiarized yourself with them, create, publish, and distribute to your staff a standard method of interacting with AWS.

Ideally, you would create a wrapper around their API, which your staff can use, which would force them to provide relevant tag info before instance creation.

Additionally, ensure that all of your staff are using their own IAM user. Do not, under any circumstances, permit anyone other than the account owner to have the account root credentials - even that person should only use those credentials for the bare minimum of tasks, instead using an IAM user as well.

EEAA

Or, if you're already under the water, use this: https://blog.gorillastack.com/gorillastack-presents-auto-tag/

Or more recently: The second part of this post: https://aws.amazon.com/blogs/security/how-to-automatically-tag-amazon-ec2-resources-in-response-to-api-events/

The architecture implies the following:

1. A Lambda function with an IAM role and policies with permissions to tag your resources/instances
2. A way to trigger the Lambda function based on an event (instance creation)

Here's the main difference between solution 1 and solution 2

Step 2: A way to trigger the lambda function based on an event (instance creation)

Option 1. The Lambda function LISTENS for CloudTrail logs in the AWS S3 CloudTrail bucket: you define the name and region of the bucket under Region->CloudTrail->Add Trail.

Option 2. The Lambda function is directly triggered by CloudWatch Events that you need to create and link to Lambda. It then filters the event to tag the instance/resource.

Remember that the second solution goes a little beyond simple tagging as they use tagging for an ulterior purpose.

eco
  • @techraf Please check again. – eco Apr 26 '17 at 01:29
  • @techraf Can you explain why the downvote? We actually were using this at the time of the post and don't appreciate the vote with no explanation. – eco Sep 05 '18 at 21:20
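As an added example (not code from this answer, the question, or the AWS blog post it links), here is a Python Lambda handler for Option 2: a CloudWatch Events rule matching CloudTrail `RunInstances` calls invokes it, and it applies the question's default tags, using the instance's private IP as `Name` and skipping failed API calls. The event layout is the CloudTrail-via-CloudWatch-Events envelope; the tag keys, default values and sample event are assumptions constructed for the example.

```python
# Assumed default tag values (placeholders for the tags the question lists).
DEFAULT_TAGS = {"CostCenter": "UNASSIGNED", "DomainJoined": "unknown"}

# Constructed sample of the CloudWatch Events envelope carrying a CloudTrail
# RunInstances record, trimmed to the fields this handler reads.
SAMPLE_EVENT = {
    "region": "us-east-1",
    "detail": {
        "eventName": "RunInstances",
        "eventTime": "2017-04-25T23:10:00Z",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0", "privateIpAddress": "10.0.1.25"}]}},
    },
}

def tags_from_runinstances(event):
    """Build a tagging plan [{"id": ..., "tags": [{"Key": .., "Value": ..}]}] from a
    successful RunInstances record; return [] for any other event or for a
    RunInstances call that failed (CloudTrail records an errorCode for those)."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances" or "errorCode" in detail:
        return []
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    owner = detail.get("userIdentity", {}).get("arn", "unknown")
    plan = []
    for item in items:
        iid = item["instanceId"]
        tags = {
            "Name": item.get("privateIpAddress", iid),  # IP as Name, as the question asks
            "Owner": owner,
            "DateCreated": detail.get("eventTime", ""),
            **DEFAULT_TAGS,
        }
        plan.append({"id": iid, "tags": [{"Key": k, "Value": v} for k, v in tags.items()]})
    return plan

def apply_tags(plan, ec2):
    """Apply the plan through any object exposing EC2's create_tags(Resources=, Tags=)
    (a boto3 client in Lambda, a fake in tests); return the count of instances tagged."""
    for entry in plan:
        ec2.create_tags(Resources=[entry["id"]], Tags=entry["tags"])
    return len(plan)

def lambda_handler(event, context):
    import boto3  # imported here so the functions above run without the SDK installed
    ec2 = boto3.client("ec2", region_name=event.get("region"))
    return {"tagged": apply_tags(tags_from_runinstances(event), ec2)}
```

The function's execution role needs only `ec2:CreateTags` for this to work, which keeps the blast radius of the tagging automation small.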