Tagging

The Data Landing Zone implements a mandatory tagging strategy across all accounts and resources. This ensures that resource costs can be tracked and the responsible creators can be identified.

The following AWS services are utilized to enforce an effective tagging strategy:

1. An AWS Organization Tag Policy at the account level.
2. A Service Control Policy (SCP) at the account level, which enforces that all CloudFormation (CFN) Stacks must include these tags upon creation.
3. An AWS Config rule that checks for these tags on supported resources. While the rule does not support all resources, it ensures that key resources, such as AWS::CloudFormation::Stack, will inherently apply tags to the resources they create. For more information, refer to the config rule required-tags.

Note

It is not possible to enforce tags on all resources universally. The strategy outlined here represents the best possible effort. The Config Rule will report any untagged resources to Security Hub, where they can be tracked. It is then necessary to identify the responsible party and ensure the tags are applied to the resources.

Default Mandatory Tags

The mandatory tags all begin with a capital letter, but the underlying code property is lowercase. The mandatory tags are:

• Owner — Identifies the team or individual responsible for the resource.
• Project — Specifies the project to which the resource belongs.
• Environment — Defines the environment of the resource, such as development, staging, or production.
• CostCenter — Used by FinOps tooling for chargeback / showback.
• Domain — Data-platform domain marker. Foundation enforces presence only; the platform overlay may later constrain values to raw / curated / serving / inference.

The DLZ construct automatically applies these defaults to its own resources:

• Owner: infra
• Project: dlz
• Environment: dlz
• CostCenter: dlz
• Domain: foundation

These tag values can be customized by providing an array of values for each tag in mandatoryTags. Note that while the code property is lowercase, the tags created will follow the capitalized format outlined above.

Tag values are optional, but if provided, the resource will only be created if the tag value matches one of the specified values. Specifying an empty array or undefined enforces the presence of the tag but does not restrict its value.

Not all service actions are supported for enforcement by the Organization Tag Policy. To keep the policy size manageable, we do not list every resource in the list of supported resources. Instead, we include all :* actions and focus on “major” services to ensure the policy remains concise.

TypeScript

import {App} from 'aws-cdk-lib';
import { DataLandingZone } from 'aws-data-landing-zone';

const app = new App();
const dlz = new DataLandingZone(app, {
  mandatoryTags: {
    owner: [],
    project: undefined,
    environment: ['development', 'staging', 'production'],
    costCenter: [],
    domain: ['raw', 'curated', 'serving', 'inference'],
  },
 ...
});

Python

import aws_cdk as cdk
import aws_data_landing_zone as dlz

app = cdk.App()
dlz.DataLandingZone(app,
    mandatory_tags={
        "owner": None,
        "project": dlz.ANY_TAG_VALUE,
        "environment": ["development", "staging", "production"],
        "cost_center": None,
        "domain": ["raw", "curated", "serving", "inference"],
    },
    ...
)

Additional Mandatory Tags

Additional mandatory tags can be added to the Data Landing Zone construct by specifying the additionalMandatoryTags property.

TypeScript

import {App} from 'aws-cdk-lib';
import { DataLandingZone } from 'aws-data-landing-zone';

const app = new App();
const dlz = new DataLandingZone(app, {
  additionalMandatoryTags: [
    {
      name: 'cost-center',
      values: ['test']
    },
  ],
 ...
});

Python

import aws_cdk as cdk
import aws_data_landing_zone as dlz

app = cdk.App()
dlz.DataLandingZone(app,
    additional_mandatory_tags=[
        dlz.DlzTag(
            name='cost-center',
            values=['test']
        )
    ],
    ...
)

Activate Cost Allocation Tags

When finOps.dataExports is configured (with activateCostAllocationTags !== false, which is the default), DLZ auto-activates every mandatory tag, plus every additionalMandatoryTags entry, as a cost-allocation tag. A custom resource Lambda calls ce:UpdateCostAllocationTagsStatus on your behalf, so you don’t need to run a script or click through the console.

In CUR and the downstream Glue tables they appear as columns prefixed with tag_, lowercased:

Mandatory tag	Column in CUR / Glue
Owner	tag_owner
Project	tag_project
Environment	tag_environment
CostCenter	tag_cost_center
Domain	tag_domain

These are the canonical chargeback / showback dimensions DLZ uses everywhere: budgets, account budgets, cost anomaly detection, and CID dashboards. When cid-cmd prompts for which tags to load into datasets, these are the five to pick.

If you do not configure finOps.dataExports, fall back to the configureCostAllocationTags script or activate them through the AWS Management Console. They need to be active before CUR will populate the tag_* columns.

API References

• MandatoryTags
• DataLandingZoneProps.additionalMandatoryTags
• DlzTag