Tag Governance
Last updated
Last updated
Tag governance ensures consistent and effective resource management across cloud environments. It involves defining, enforcing, and monitoring organizational policies for tagging cloud resources, such as virtual machines, databases, and storage. Tags are metadata labels that categorize and organize resources, providing critical benefits like cloud cost management, operational visibility, and compliance.
However, tagging faces challenges such as inconsistent tagging, manual errors, scalability issues in large environments, and a lack of enforcement. To address this, Finout’s Tagging Governance solution allows you to define tagging policies across multiple cloud environments, offering visibility into non-compliant resources and costs while simplifying resource tracking. By creating a governance policy, you can establish your company’s tagging standards, enabling Finout to identify resources missing required tags or tagged with unapproved values. This helps ensure that resources are correctly associated with virtual tags, facilitates better budget management, and ensures compliance with security and governance standards.
You will learn how to:
- Monitor tag coverage across your organization with policy creation.
- Access the details and status of each policy.
Add policy details and define policy conditions.
To create a policy:
In Finout, navigate to Governance.
Add policy details:
Click Add Policy. The Create Policy pop-up appears.
Enter a policy name.
Choose a policy type. There are two types of policies:
Untagged Resources -
Identifies and tracks resources that are missing required tags.
For example: It ensures that all resources are tagged with a "Team" tag. If a resource lacks this tag, it is flagged as non-compliant.
Unapproved Values -
Tracks resources that are tagged with unapproved or incorrect tag values.
For example: If the approved values for the "Team" tag are "App" and "Data," a resource tagged with "Team: Application" is flagged as non-compliant.
Choose a cost type. See for all the possible cost types.
ACL permissions:
ACL permissions are disabled by default, meaning all users can view or edit based on their specific role or access. See for more information.
Optionally enable ACL permissions to define read and write permissions on a policy for specific users and groups.
There are three modes with ACL permissions:
Public: Everyone in your organization has this permission to the object.
Private: Only admins have permission to the object.
Shared: You must define users and/or groups.
Click Next and proceed to the Policy Configuration step.
Configure your policy:
After adding policy details, you can configure policy criteria and filters for Untagged Resources or Unapproved Values and then click Next.
Under Policy Criteria, select a source and a key.
Under Filters, click Filters.
The available filters appear for selection.
Limitation: The Untagged Resources policy type does not detect resources labeled as “untagged” within Virtual Tags. To identify resources mapped as “untagged” in a Virtual Tag, users should create a Unapproved Values policy type and approve all valid values except “untagged.” This enables Finout to flag any remaining untagged resources as non-compliant.
Select the desired filters and click Apply Filters. Review your configuration and click Create. You are brought to the Policy Results Columns step.
Click Add Columns. The available filters appear for selection.
Select the desired columns and click Select.
The components appear on the screen.
Drag and drop the columns in the order in which you want to appear in the Policy.
Click Create. Your new policy appears in the policy feed.
Under Policy Criteria, select a source and a key.
Under Filters, click Filters. The available filters appear for selection.
Select the desired filters and click Apply Filters.
Define approved values in the following two ways:
-Static values - define a static list of approved values.
-Dynamic values (coming soon) - define a regex to identify approved values. Static values - Select values manually by choosing approved values from the list of values available in Finout or by bulk uploading values using CSV. A policy can include up to 10K approved values.
Click Next. You are brought to the Results Column step.
Click Add Columns. The available filters appear for selection.
Select the desired columns and click Select.
The components appear on the screen.
You can drag and drop the columns in the order they should appear in the Policy, and then click Next. You are brought to the Policy Overview step.
Review your policy and click Create. Your new policy appears in the policy feed.
On the Governance page, you can access a consolidated view of all your policies and their current status, including those with non-compliant resources. This allows you to efficiently observe policy details and track each policy's status.
Name of the policy.
The policy type: Untagged Resources or Unapproved Values.
The cost of the non-compliant resources for the last day of data.
The percentage of non-compliant costs for the last day of data.
The number of non-compliant resources for the last day of data.
The percentage of non-compliant resources for the last day of data.
The source cloud provider.
Edit the policy details. To edit a policy:
In Finout, navigate to Governance. The Governance page appears.
Follow the steps in the pop-up window.
Delete the policy. To delete a policy:
In Finout, navigate to Governance.
The Governance page appears.
The Delete this Policy pop-up appears.
Click Delete. The policy is deleted.
Duplicate a policy To duplicate a policy:
In Finout, navigate to Governance. The Governance page appears.
Clicking on a policy brings you to this page, which displays a list of all non-compliant resources sorted by the highest cost from the previous day's data.
At the top of the policy page, you'll find the total cost for the non-compliant resources as of the last day of data, the number of non-compliant resources, the missing tag (when the policy type is “Untagged resources”), and the filters applied to the policy. You can also filter and search the resource list.
The table shows a list of non-compliant resources for that policy.
When the policy type is “Untagged resources,” the list shows the resources that are missing the specified tag in the policy configuration.
For example: If the policy scans all resources and searches for the tag “Team,” resources missing this tag will be displayed in the list.
When the policy type is “Unapproved values,” the list shows the resources tagged with values that are not approved in the policy configuration. The table then displays the unapproved value for each resource.
Table Columns:
Resource ID
Unapproved values - This column appears only when looking at the resources of an unapproved values policy type.
Last Day Cost
Days Since Detected - The number of days the resource is non-compliant with your standards.
Last Identified Date - The date that this non-compliant resource was identified.
Functionalities:
You can export the resources by clicking on Export CSV.
Click on Edit Columns to add additional columns to the ones that appear in the table. This option allows you to add additional data that may be helpful in investigating who is responsible for the resource.
Manually select approved values or import approved values using CSV: - Manually select values - Manually select approved filter values. a. Click Filter Values. The value dropdown appears. b. Choose values that are approved for this policy. - Import CSV - Upload a CSV to import approved values. a. Import the CSV file by clicking Import CSV File. The Import CSV File window appears. b. Upload the CSV file.
Potential errors: c. Click Update.
A single policy: Clicking on a policy will navigate you to the .
Click on the policy that you want to edit and then press Edit.
Click on the policy that you want to delete and then press Delete.
Click on the policy you want to duplicate and then press Duplicate. The Policy is duplicated.
