AWS Bulk resource tagging
Description
This playbook describes how to execute Bulk resource tagging in AWS.
The execution is based on AWS APIs:
Tamnoon’s bulk tagging script helps automate and scale tag management across your AWS environment. By leveraging AWS APIs and credential fallbacks, users can tag services such as EC2 snapshots programmatically.
The script supports both static and dynamic tagging, allowing flexible metadata assignment using resource IDs or ARNs. This solution aligns with AWS tagging best practices, ensuring consistency and traceability in cloud cost reporting and governance. Whether you’re tagging for billing, compliance, or operational clarity, this playbook simplifies AWS resource tagging and ensures repeatable, policy-driven enforcement at scale.
Severity Level
Medium – Important for operational clarity and financial tracking, but not immediately critical unless tagging gaps impact reporting, automation, or compliance.
When to use?
Use this playbook when you need to apply or update tags across multiple AWS resources consistently. It’s ideal for organizing assets, enabling cost allocation, and supporting governance at scale.
Playbook steps:
Prerequisites
2. Python v3.6 and above + boto3 package installed ( pip install boto3)
Notes:
The dynamic tagging currently support only the asset id or arn
Example use case
Tag all snapshots to allocate and trace their cost.
Step 1 - Tag your resources with a specific cost tag using this playbook
Execute the script - python3 resourceTagging.py --profile <aws_profile> --action tag --service ec2:snapshot --tagKey costAllocTag --tagValue {{id}}
Step 2 - Activate the tag as a cost allocation tag
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html
Step 3 - After 24 hours from the activation, you can start tracing your snapshot's cost under the cost explorer screen when you group by the activated tag (in our example costAllocTag)
Script help page
___
( ) .-.
| |_ .---. ___ .-. .-. ___ .-. .--. .--. ___ .-. ( __) .--.
( __) / .-, \ ( ) ' \ ( ) \ / \ / \ ( ) \ (''") / \
| | (__) ; | | .-. .-. ; | .-. . | .-. ; | .-. ; | .-. . | | | .-. ;
| | ___ .'` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| |( ) / .'| | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| ' | | ; | ; | | | | | | | | | | | | ' | | | ' | | | | | | .-. | | | ' | |
' `-' ; ' `-' | | | | | | | | | | | ' `-' / ' `-' / | | | | ( ) | | ' `-' /
`.__. `.__.'_. (___)(___)(___)(___)(___) `.__.' `.__.' (___)(___) `-' (___) `.__.'
Welcome To AWS resource tagging helper
Dependencies:
AWS CLI
Python v3.8 and up
Boto3 pacakge 1.26 and above
This script will help you to bulk tag assets in your AWS environment
The script provides the ability to tag dynamic value to each asset (for example, its asset id or arn
This script is based on AWS API and rely on the fallback mechanism of AWS Authentication and Authorization
(Profile, creds file, os environment)
Executions Examples:
python3 resourceTagging.py --profile <aws_profile> --action ls
python3 resourceTagging.py --profile <aws_profile> --action tag --service ec2:snapshot --tagKey testtag --tagValue {{id}}
python3 resourceTagging.py --profile <aws_profile> --action tag --service ec2:snapshot --tagKey testtag --tagValue someTagValue
python3 resourceTagging.py --profile <aws_profile> --action tag --service ec2:snapshot --tagKey testtag --revert true
Parameter Usage:
logLevel - The logging level (optional). Default = Info
profile - The AWS profile to use to execute this script
action - Which action to execute:
1.listOfSupportedResources - print out the supported service and resources that the script can tag
2.tag - tag the given assets or the entire assets related to the service with the given tag value
service - The service which all resources from will be tagged:
It could be high level, for example, ec2 - in that case, all resources under ec2 will tag (instances, snapshots, volumes...)
Or it could be as the output of the listOfSupportedResources execution - for example, ec2:snapshot will tag only snapshots
tagKey - The name of the tag (the key part of the tag)"
tagValue - The value of the tag, two options are supported:"
1. Dynamic value - property have to be surrounded by {{}}, for example, {{id}} - the id of the resource"
2. Static value - string value to bulk all over the resources"
revert - A true false flag to a sign if this action need to revert"
Frequently Asked Questions
What is the purpose of using bulk resource tagging in AWS?
Bulk resource tagging enables centralized and automated management of metadata across services. This approach helps improve visibility, control, and cost allocation by applying consistent tags at scale through a single script execution.
Can I revert tags applied through this playbook?
Yes, by including the –revert true parameter, you can undo previously applied tags. This provides flexibility to test, validate, or roll back tag configurations when needed.
Which AWS services and resources are supported by the tagging script?
You can either specify a high-level service (like ec2) or use more granular identifiers (e.g., ec2:snapshot). The listOfSupportedResources action lists all services that the script can tag.
What is the difference between static and dynamic tag values?
Static tags apply the same value to all resources, while dynamic tags use variables like {{id}} to customize values per asset. This enhances traceability and operational context.
What authentication methods are supported when running the tagging script?
The script supports AWS CLI profiles, environment variables, and the default AWS credentials file. This fallback mechanism ensures flexibility across different execution environments.
Is this solution aligned with AWS tagging best practices?
Yes, the AWS Bulk resource tagging playbook supports standardized tag keys and values, bulk execution, and tag-based cost tracking—all of which align with AWS tagging best practices to improve governance and automation.
