Cloud Tags: From Whac-A-Mole to Mastery with Stacklet

In the realm of cloud governance, effective tagging is paramount. Operating your cloud infrastructure without tags is akin to managing a major retail store without barcodes—a recipe for chaos. Yet achieving accurate cloud tagging is no simple feat. To deploy resources, different teams may be using a plethora of tools, scripts, and consoles. This makes it difficult for cloud operations, FinOps, and governance teams to ensure consistently accurate tagging. These challenges often lead to inconsistent tags, and make it difficult to rectify them and prevent their recurrence. It's like playing a never-ending game of Whac-a-Mole with tags; as soon as one issue is addressed, another pops up, and the backlog of bad cloud tags keeps growing.

Building on our previous exploration of cloud tagging's crucial role in FinOps, security, compliance, and operations, we turn our attention to Stacklet. Rooted in the robust foundation of the Cloud Custodian OSS project, Stacklet's governance-as-code platform stands out. The solution offers comprehensive, automated tagging enforcement throughout the cloud infrastructure lifecycle, ensuring each resource is consistently and accurately labeled.

Here are the key use cases and benefits of Stacklet Platform for cloud tag management:

  • Get continuous, comprehensive visibility into the existing tagging infrastructure. Stacklet Platform builds a real-time inventory of all your cloud resources in a proprietary cloud asset database. Changes to cloud resources, such as tags, are recorded in near real time. You can use Stacklet's out-of-the-box dashboards or craft a simple SQL query to inspect the tagging structure of your existing resources. You can see things like missing tags and values and even spot different permutations of tag values for specific attributes, such as application center, business unit, or cost center.

  • Rapidly normalize your existing tagging structure. Once you understand your tagging structure and the variants of specific tag values, the next step is to normalize the values. You can quickly generate policies in Stacklet to fix all the inconsistencies you find. These policies automatically update tags, notify owners, and point them to the relevant policy repository. Below is a sample dashboard that shows the existing tagging structure.

  • Create flexible, automated tagging policy workflows for existing non-compliant resources. While cloud tag remediations can be applied to existing resources using a single policy, this approach is very blunt and causes a lot of friction with developers. Employing policy workflows helps reduce much of this friction by providing affected users with notifications and a grace period to address their issues before automatic remediation takes place. For example, a policy workflow could identify an incorrectly tagged resource and then notify the associated users. If the issue isn't addressed, users can receive a second notification on day six. On day 12, a policy can escalate the issue to management. You can customize this workflow per your organization's requirements and exception management policies. Below is a sample Slack notification.

    [Image: Slack notification - Tags]

  • Set default tag values automatically during resource creation or modification. When resources are created or modified, you can automatically apply tags for missing attributes, such as resource owner. Stacklet Platform enables you to apply several actions, such as the auto-tag-user action. This action automatically adds the user ID tag based on the user identity associated with the real-time event logged in your audit service, such as AWS CloudTrail. You can also automatically add a tag for the user who last modified a resource. This can add helpful context to a resource and help you track down issues with recent resource changes. If specific tag values are missing, you can also automatically add default values.


  • Keep your tags consistent with continuous communications and remediation workflows. Once your tagging structure is defined, Stacklet detects non-compliant resources in near real time as they get created. Depending on your organization's policies, you can send notifications to developers for a certain period and even take action on the resource, such as termination. Many teams prefer swift and decisive measures, like terminating resources, to ensure that backlogs of tagging issues don't resurface. Below is a sample tagging remediation dashboard.


    [Image: Tag remediation - Stacklet]

  • Address tagging issues earlier in the cycle using IaC tagging governance. Many organizations use infrastructure as code (IaC) management tools. Stacklet offers IaC governance capabilities that enable you to empower DevOps and development teams to fix tagging issues earlier in the infrastructure lifecycle. Policies can be applied across developer workstations, code reviews, CI pipelines, and deployment pipelines using the same policy language and toolset. Teams get in-line notifications and remediation suggestions that they can use to fix tagging issues. 


    [Image: IaC tag]
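The auto-tag-user and default-value behavior described in the list above can be written as open-source Cloud Custodian policies. This is an added example, not taken from the original post or from Stacklet's own policy sets; the role name, the tag keys (CreatorName, CreatorId, CostCenter) and the default value are assumptions chosen for illustration.

```yaml
policies:
  # Event-driven policy: Cloud Custodian deploys it as a Lambda function
  # that fires when CloudTrail records a RunInstances call.
  - name: ec2-auto-tag-creator
    resource: aws.ec2
    description: Tag newly launched EC2 instances with the launching identity.
    mode:
      type: cloudtrail
      # Assumed role name; it needs permission to describe and tag instances.
      role: arn:aws:iam::{account_id}:role/custodian-auto-tag
      events:
        - RunInstances
    filters:
      # Only act when the tag is missing, so an existing value is not overwritten.
      - "tag:CreatorName": absent
    actions:
      - type: auto-tag-user
        tag: CreatorName            # user name taken from the CloudTrail event
        principal_id_tag: CreatorId # principal ID, useful for assumed roles

  # Same trigger, but fills in a default when a required tag is absent.
  - name: ec2-default-cost-center
    resource: aws.ec2
    description: Apply a placeholder CostCenter so untagged spend is queryable.
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/custodian-auto-tag
      events:
        - RunInstances
    filters:
      - "tag:CostCenter": absent
    actions:
      - type: tag
        key: CostCenter
        value: unassigned           # assumed default; pick one your reports flag
```

Because the creator tags are derived from the identity recorded in the CloudTrail event rather than supplied by whoever deploys the resource, they remain usable for ownership lookups even when teams omit or mistype their own tags.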

The world of cloud governance is rife with challenges, and effective tagging stands at the forefront of these complexities. With its foundation in the Cloud Custodian OSS project, Stacklet offers a transformative solution to these challenges. By providing continuous visibility, fostering standardization, and automating workflows, Stacklet ensures that organizations can transition from playing a reactive game of Whac-a-Mole to proactively mastering their cloud tagging strategy.

Credits: Thanks to Jamison Roberts and Sam Cozannet for providing content and reviewing this blog