LogoLogo
Contact Us
  • Finout Documentation
  • Get Started with Finout
    • Introduction to Finout's Suite of Features
    • Onboarding New Users to Your Finout Account
    • Single Sign-On (SSO) Setup
    • Enterprise Discount Program (EDP)
    • Cost and Usage Types
      • FairShare Cost
      • List Cost
  • Integrations
    • Cloud Services
      • Connect to AWS
      • Connect to Azure
      • Connect to Oracle
      • Connect to GCP
    • Third Party
      • Connect to Confluent
      • Connect to Databricks
      • Connect to Snowflake
      • Connect to Jira
      • Connect to Datadog
        • Datadog API Cost Calculation
        • Datadog Integration Levels
        • Datadog Usage Attribution Tags (UAT)
      • Connect to Microsoft Teams
      • Connect to ServiceNow
      • Custom Cost Centers
      • Credentials Vault
    • Telemetry
      • S3 Telemetry Integration
      • Setting Up a Datadog - Finout Metrics Integration (Export)
    • Kubernetes
      • Connect to Kubernetes Prometheus
      • Kubernetes - How Finout Calculates K8s Costs
      • Kubernetes MegaBill
      • Kubernetes Budgeting
      • Kubernetes Anomaly Detection
      • Kubernetes Custom Dashboards
      • Kubernetes Predefined Dashboards
      • Ensure Compatibility of Your Kubernetes Monitoring with Finout
  • User Guide
    • Inform
      • MegaBill
      • Custom Drilldown
      • Custom Cost Input
      • Virtual Tags
        • Relational Virtual Tags
      • Shared Cost Reallocation
        • How to Use Shared Cost Reallocation
      • FinOps Dashboards
      • Financial Plans
      • Data Explorer
    • Optimize
      • My Commitments
      • Commitments Log
      • Anomalies
      • CostGuard
        • CostGuard - Scans
        • Connect CostGuard for AWS
        • Connect CostGuard for GCP
    • Operate
      • Reports
      • Tag Governance
  • Configuration
    • Finout API
      • Generate an API Token
      • Filter Object Definition
      • Cost API
      • Query Language API
      • Virtual Tags API
      • CostGuard API
      • Endpoint API
      • Virtual Tag Metadata API
    • Role-Based Access Control (RBAC)
      • Role Permissions
      • Managing Roles
        • Creating a Custom Role
        • Permissions List
        • Managing a Role and its Permissions
      • Managing Users
        • Inviting a User
        • Edit a User's Roles
      • Data Access Control
      • Groups
        • Create a New Group
        • Edit Group Data Access
        • Delete a group
        • Edit Group Users and SAML Groups
      • RBAC FAQs
    • Endpoints
      • Slack Notification Endpoint
  • Common Features
    • List of Common Features
      • ACL Permissions
      • Saved Views
Powered by GitBook

Still need help? Please feel free to reach out to our team at support@finout.io.

On this page
  • Overview
  • Create a Tag Governance Policy
  • Untagged Resources Configuration
  • Unapproved Values Policy Configuration
  • Governance Page
  • Policy Non-Compliant Resources View
Export as PDF
  1. User Guide
  2. Operate

Tag Governance

PreviousReportsNextFinout API

Last updated 1 month ago

Overview

Tag governance ensures consistent and effective resource management across cloud environments. It involves defining, enforcing, and monitoring organizational policies for tagging cloud resources, such as virtual machines, databases, and storage. Tags are metadata labels that categorize and organize resources, providing critical benefits like cloud cost management, operational visibility, and compliance.

However, tagging faces challenges such as inconsistent tagging, manual errors, scalability issues in large environments, and a lack of enforcement. To address this, Finout’s Tagging Governance solution allows you to define tagging policies across multiple cloud environments, offering visibility into non-compliant resources and costs while simplifying resource tracking. By creating a governance policy, you can establish your company’s tagging standards, enabling Finout to identify resources missing required tags or tagged with unapproved values. This helps ensure that resources are correctly associated with virtual tags, facilitates better budget management, and ensures compliance with security and governance standards.

You will learn how to:

  • - Monitor tag coverage across your organization with policy creation.

  • - Access the details and status of each policy.

Create a Tag Governance Policy

Add policy details and define policy conditions.

To create a policy:

  1. In Finout, navigate to Governance.

  2. Add policy details:

    1. Click Add Policy. The Create Policy pop-up appears.

    2. Enter a policy name.

    3. Choose a policy type. There are two types of policies:

      ​Note: The policy type is not editable after creation.

      1. Untagged Resources -

        • Identifies and tracks resources that are missing required tags.

          For example: It ensures that all resources are tagged with a "Team" tag. If a resource lacks this tag, it is flagged as non-compliant.

      2. Unapproved Values -

        • Tracks resources that are tagged with unapproved or incorrect tag values.

          For example: If the approved values for the "Team" tag are "App" and "Data," a resource tagged with "Team: Application" is flagged as non-compliant.

    4. Choose a cost type. See for all the possible cost types.

      ​Note: By default, the account's predefined cost type is automatically selected.

    5. ACL permissions: ​

      • ACL permissions are disabled by default, meaning all users can view or edit based on their specific role or access. See for more information.

      • Optionally enable ACL permissions to define read and write permissions on a policy for specific users and groups.

        Note: Enabling ACL on an object overrides user role permissions, except for admins.

      • There are three modes with ACL permissions:

        1. Public: Everyone in your organization has this permission to the object.

        2. Private: Only admins have permission to the object.

        3. Shared: You must define users and/or groups.

    6. Click Next and proceed to the Policy Configuration step.

      ​

  3. Configure your policy:

    After adding policy details, you can configure policy criteria and filters for Untagged Resources or Unapproved Values and then click Next.

Untagged Resources Configuration

  1. Under Policy Criteria, select a source and a key.

    Note: Available sources for selection are: AWS, GCP, OCI, Azure, or a virtual tag.

  2. Under Filters, click Filters.

    The available filters appear for selection.

    Limitation: The Untagged Resources policy type does not detect resources labeled as “untagged” within Virtual Tags. To identify resources mapped as “untagged” in a Virtual Tag, users should create a Unapproved Values policy type and approve all valid values except “untagged.” This enables Finout to flag any remaining untagged resources as non-compliant.

  3. Select the desired filters and click Apply Filters. Review your configuration and click Create. You are brought to the Policy Results Columns step.

  4. Click Add Columns. The available filters appear for selection.

    Note: The selected columns are saved at the policy level for all users.

  5. Select the desired columns and click Select.

    Note: You can select up to 10 columns.

    The components appear on the screen.

  6. Drag and drop the columns in the order in which you want to appear in the Policy.

  7. Click Create. Your new policy appears in the policy feed.

Unapproved Values Policy Configuration

  1. Under Policy Criteria, select a source and a key.

    Note: Available sources for selection are: AWS, GCP, OCI, Azure, or a virtual tag.

  2. Under Filters, click Filters. ​The available filters appear for selection.

  3. Select the desired filters and click Apply Filters.

  4. Define approved values in the following two ways:

    -Static values - define a static list of approved values.

    -Dynamic values (coming soon) - define a regex to identify approved values. Static values - Select values manually by choosing approved values from the list of values available in Finout or by bulk uploading values using CSV. A policy can include up to 10K approved values.

    Note: Dynamic values will be available soon.

    Note: - The file should list all approved values in a single column, one per row, without headers.

    - The values uploaded in the CSV file will override existing ones.

  1. Click Next. You are brought to the Results Column step.

  2. Click Add Columns. The available filters appear for selection.

    Note: The selected columns are saved at the policy level for all users.

  3. Select the desired columns and click Select.

    Note: You can select up to 10 columns.

    The components appear on the screen.

  4. You can drag and drop the columns in the order they should appear in the Policy, and then click Next. You are brought to the Policy Overview step.

    Note: -You can view the total number of approved values and the complete list. -To update the list, simply hover over a value and click the trash icon to remove any entries that are no longer approved.

  5. Review your policy and click Create. Your new policy appears in the policy feed.

Governance Page

On the Governance page, you can access a consolidated view of all your policies and their current status, including those with non-compliant resources. This allows you to efficiently observe policy details and track each policy's status.

  1. Name of the policy.

  2. The policy type: Untagged Resources or Unapproved Values.

  3. The cost of the non-compliant resources for the last day of data.

  4. The percentage of non-compliant costs for the last day of data.

  5. The number of non-compliant resources for the last day of data.

  6. The percentage of non-compliant resources for the last day of data.

  7. The source cloud provider.

  8. Edit the policy details. ​To edit a policy:

    1. In Finout, navigate to Governance. The Governance page appears.

    2. Follow the steps in the pop-up window.

      ​Note: Policy type is not editable after creation.

  9. Delete the policy. ​To delete a policy:

    1. In Finout, navigate to Governance.

      The Governance page appears.

    2. The Delete this Policy pop-up appears. ​

    3. Click Delete. The policy is deleted.

  10. Duplicate a policy ​To duplicate a policy:

    1. In Finout, navigate to Governance. The Governance page appears.

Policy Non-Compliant Resources View

Clicking on a policy brings you to this page, which displays a list of all non-compliant resources sorted by the highest cost from the previous day's data.

  • At the top of the policy page, you'll find the total cost for the non-compliant resources as of the last day of data, the number of non-compliant resources, the missing tag (when the policy type is “Untagged resources”), and the filters applied to the policy. You can also filter and search the resource list.

  • The table shows a list of non-compliant resources for that policy.

    • When the policy type is “Untagged resources,” the list shows the resources that are missing the specified tag in the policy configuration.

      For example: If the policy scans all resources and searches for the tag “Team,” resources missing this tag will be displayed in the list.

    • When the policy type is “Unapproved values,” the list shows the resources tagged with values that are not approved in the policy configuration. The table then displays the unapproved value for each resource.

      Note: - The list is sorted from the top costly resources down

      - The list displays 10K resources, even if there are more than 10K non-compliant resources for that policy.

      ​

    • Table Columns:

      • Resource ID

      • Unapproved values - This column appears only when looking at the resources of an unapproved values policy type.

      • Last Day Cost

      • Days Since Detected - The number of days the resource is non-compliant with your standards.

      • Last Identified Date - The date that this non-compliant resource was identified.

    • Functionalities:

      • You can export the resources by clicking on Export CSV.

      • Click on Edit Columns to add additional columns to the ones that appear in the table. This option allows you to add additional data that may be helpful in investigating who is responsible for the resource.

        ​Note: - You can add up to 5 columns. - Edits made to the columns on the resource view are not saved at the policy or user level and will only apply for the duration of the user's session on the resource view.

Manually select approved values or import approved values using CSV: - Manually select values - Manually select approved filter values. a. Click Filter Values. The value dropdown appears. b. Choose values that are approved for this policy. - Import CSV - Upload a CSV to import approved values. a. Import the CSV file by clicking Import CSV File. The Import CSV File window appears. b. Upload the CSV file.

Potential errors: c. Click Update.

A single policy: Clicking on a policy will navigate you to the .

Click on the policy that you want to edit and then press Edit. ​

Click on the policy that you want to delete and then press Delete.

Click on the policy you want to duplicate and then press Duplicate. The Policy is duplicated.

policy non-compliant resources view
Cost and Usage Types
Role-Based Access Control
Create a Policy
View your Policies