Tag Governance

Overview

Tag governance ensures consistent and effective resource management across cloud environments. It involves defining, enforcing, and monitoring organizational policies for tagging cloud resources, such as virtual machines, databases, and storage. Tags are metadata labels that categorize and organize resources, providing critical benefits like cloud cost management, operational visibility, and compliance.

However, tagging faces challenges such as inconsistent tagging, manual errors, scalability issues in large environments, and a lack of enforcement. To address this, Finout’s Tagging Governance solution allows you to define tagging policies across multiple cloud environments, offering visibility into non-compliant resources and costs while simplifying resource tracking. By creating a governance policy, you can establish your company’s tagging standards, enabling Finout to identify resources missing required tags or tagged with unapproved values. This helps ensure that resources are correctly associated with virtual tags, facilitates better budget management, and ensures compliance with security and governance standards.

You will learn how to:

• Create a Policy - Monitor tag coverage across your organization with policy creation.

• View your Policies - Access the details and status of each policy.

Create a Tag Governance Policy

Add policy details and define policy conditions.

To create a policy:

1. In Finout, navigate to Governance.
2. Add policy details:

   1. Click Add Policy. The Create Policy pop-up appears.
   2. Enter a policy name.

   3. Choose a policy type. There are two types of policies:

      ​Note: The policy type is not editable after creation.

      1. Untagged Resources -

         • Identifies and tracks resources that are missing required tags.

           For example: It ensures that all resources are tagged with a "Team" tag. If a resource lacks this tag, it is flagged as non-compliant.

      2. Unapproved Values -

         • Tracks resources that are tagged with unapproved or incorrect tag values.

           For example: If the approved values for the "Team" tag are "App" and "Data," a resource tagged with "Team: Application" is flagged as non-compliant.

   4. Choose a cost type. See Cost and Usage Types for all the possible cost types.

      ​Note: By default, the account's predefined cost type is automatically selected.

   5. ACL permissions: ​

      • ACL permissions are disabled by default, meaning all users can view or edit based on their specific role or access. See Role-Based Access Control for more information.

      • Optionally enable ACL permissions to define read and write permissions on a policy for specific users and groups.

        Note: Enabling ACL on an object overrides user role permissions, except for admins.

      • There are three modes with ACL permissions:

        1. Public: Everyone in your organization has this permission to the object.

        2. Private: Only admins have permission to the object.

        3. Shared: You must define users and/or groups.

   6. Click Next and proceed to the Policy Configuration step.

      ​

3. Configure your policy:

   After adding policy details, you can configure policy criteria and filters for Untagged Resources or Unapproved Values.

   ​Untagged Resources Configuration ​

   1. Under Policy Criteria, select a source and a key.

      Note: Available sources for selection are: AWS, GCP, OCI, Azure, or a virtual tag.

   2. Under Filters, click Filters.

      The available filters appear for selection.
   3. Select the desired filters and click Apply Filters. Review your configuration and click Create. You are brought to the Policy Results Columns step.

   4. Click Add Columns. The available filters appear for selection.

      Note: The selected columns are saved at the policy level for all users.
   5. Select the desired columns and click Select.

      Note: You can select up to 10 columns.

      The components appear on the screen.
   6. Drag and drop the columns in the order in which you want to appear in the Policy.

   7. Click Create. Your new policy appears in the policy feed.

Unapproved Values Policy Configuration ​

1. Under Policy Criteria, select a source and a key.

   Note: Available sources for selection are: AWS, GCP, OCI, Azure, or a virtual tag.

2. Under Filters, click Filters. ​The available filters appear for selection.
3. Select the desired filters and click Apply Filters. ​

4. Define approved values in the following two ways:

   1. Static values - define a static list of approved values.

   2. Dynamic values (coming soon) - define a regex to identify approved values.

      Note: Dynamic values will be available soon.

5. Static values - Select values manually by choosing approved values from the list of values available in Finout or by bulk uploading values using CSV. A policy can include up to 10K approved values.

   Manually select values:

   1. Click Select Values. The value dropdown appears.
   2. Choose values that are approved for this policy.

   Import CSV - Upload a CSV to import approved values.

   1. Import the CSV file by clicking Import CSV File.

      The Import CSV File window appears.
   2. Upload the CSV file.

      Note: - The file should list all approved values in a single column, one per row, without headers.

      - The values uploaded in the CSV file will override existing ones.

      Potential errors:
   3. Click Update.

6. Click Next. You are brought to the Results Column step.
7. Click Add Columns.

   The available filters appear for selection.

   Note: The selected columns are saved at the policy level for all users.
8. Select the desired columns and click Select.

   Note: You can select up to 10 columns.

   The components appear on the screen.
9. You can drag and drop the columns in the order they should appear in the Policy, and then click Next.

   You are brought to the Policy Overview step.

   Note: -You can view the total number of approved values and the complete list. -To update the list, simply hover over a value and click the trash icon to remove any entries that are no longer approved.
10. Review your policy and click Create.

    Your new policy appears in the policy feed.

Governance Page

On the Governance page, you can access a consolidated view of all your policies and their current status, including those with non-compliant resources. This allows you to efficiently observe policy details and track each policy's status.

1. Name of the policy.

2. The policy type: Untagged Resources or Unapproved Values.

3. The cost of the non-compliant resources for the last day of data.

4. The percentage of non-compliant costs for the last day of data.

5. The number of non-compliant resources for the last day of data.

6. The percentage of non-compliant resources for the last day of data.

7. The source cloud provider.

8. A single policy: Clicking on a policy will navigate you to the policy non-compliant resources view.

9. Edit the policy details. ​To edit a policy:

   1. In Finout, navigate to Governance. The Governance page appears.
   3. Follow the steps in the pop-up window.

      ​Note: Policy type is not editable after creation.

10. Delete the policy. ​To delete a policy:

    1. In Finout, navigate to Governance.

       The Governance page appears.
    2. The Delete this Policy pop-up appears. ​
    3. Click Delete. The policy is deleted.

11. Duplicate a policy ​To duplicate a policy:

    1. In Finout, navigate to Governance. The Governance page appears. ​

Policy Non-Compliant Resources View

Clicking on a policy brings you to this page, which displays a list of all non-compliant resources sorted by the highest cost from the previous day's data. ​

• At the top of the policy page, you'll find the total cost for the non-compliant resources as of the last day of data, the number of non-compliant resources, the missing tag (when the policy type is “Untagged resources”), and the filters applied to the policy. You can also filter and search the resource list.
• The table shows a list of non-compliant resources for that policy.

  • When the policy type is “Untagged resources,” the list shows the resources that are missing the specified tag in the policy configuration.

    For example: If the policy scans all resources and searches for the tag “Team,” resources missing this tag will be displayed in the list.
  • When the policy type is “Unapproved values,” the list shows the resources tagged with values that are not approved in the policy configuration. The table then displays the unapproved value for each resource.

    Note: - The list is sorted from the top costly resources down

    - The list displays 10K resources, even if there are more than 10K non-compliant resources for that policy.

    ​
  • Table Columns:

    • Resource ID

    • Unapproved values - This column appears only when looking at the resources of an unapproved values policy type.

    • Last Day Cost

    • Days Since Detected - The number of days the resource is non-compliant with your standards.

    • Last Identified Date - The date that this non-compliant resource was identified.

  • Functionalities:

    • You can export the resources by clicking on Export CSV.

    • Click on Edit Columns to add additional columns to the ones that appear in the table. This option allows you to add additional data that may be helpful in investigating who is responsible for the resource.

      ​Note: - You can add up to 5 columns. - Edits made to the columns on the resource view are not saved at the policy or user level and will only apply for the duration of the user's session on the resource view.