Multi Cloud · FinOps · Governance

Cloud cost tagging strategy. Governance that pays for itself.

The buyer side cloud cost tagging strategy and governance framework. AWS, Azure, and GCP tag policies, FinOps allocation, untagged spend remediation, and the seven controls every CIO should apply.

Key Takeaways

Six things every cloud FinOps lead should know

  • Six tags cover 95 percent of allocation. Cost center, BU, product, environment, owner, data class.
  • Untagged spend has no owner. The default in every enterprise is 20 to 40 percent untagged.
  • AWS Tag Policies enforce at create. Use SCPs for hard enforcement on cost critical services.
  • Azure tags do not inherit. Apply at the subscription, RG, and resource level explicitly.
  • GCP labels and tags are different. Labels for cost. Tags for governance hierarchy.
  • Remediation is recurring. A one time cleanup loses 10 to 20 percent of coverage per quarter without active governance.

Why tagging is the FinOps foundation

FinOps starts with allocation. Allocation depends on tagging. Without a working tagging strategy, the cloud bill arrives as one giant total with no owner.

What untagged spend costs the business

  • No showback: business units cannot see their own consumption. Spend grows unchecked.
  • No accountability: overspend has no owner. The platform team carries the blame.
  • No optimization: right sizing, reservation purchase, and storage class moves all depend on knowing the workload context.
  • No audit defense: compliance audits cannot tie spend back to a business owner or a regulated workload.
  • No M&A carve out: divestiture and acquisition events cannot cleanly separate cloud spend.

Tagging coverage benchmark

| Tagging maturity | Coverage | FinOps state |
|---|---|---|
| No strategy | 0 to 20 percent | FinOps blind. Total bill view only. |
| Ad hoc | 20 to 50 percent | Some allocation. Heavy manual cleanup. |
| Defined policy | 50 to 80 percent | FinOps active. Untagged spend remediation in flight. |
| Enforced policy | 80 to 95 percent | FinOps mature. Allocation automated. Optimization active. |
| Enforced plus recurring audit | 95 percent plus | FinOps fully embedded. Showback monthly. |

The six tags every enterprise must enforce

Most tagging policies fail because they try to enforce too many tags. Six tags cover the allocation need across nearly every enterprise we work with.

The six core tags

  1. cost_center: the finance system cost center code. The single most important tag for showback.
  2. business_unit: the rolled up business unit. Used for executive dashboards.
  3. application: the product, service, or application name. Used for workload optimization.
  4. environment: prod, qa, dev, test, dr. Used for right sizing and reservation policy.
  5. owner: the email or AD group of the technical owner. Used for accountability.
  6. data_classification: public, internal, confidential, restricted. Used for compliance and security policy.

What not to over enforce

  • Free form tags. They drift across teams and become unusable.
  • Project tags. Most projects do not survive a year. The tag outlives the project.
  • Vendor tags. Useful at the contract level, not at the resource level.
  • Multi value tags. They break most cost allocation tooling.

The tagging policy minimum viable rollout

Start with the six tags above. Make four required and two recommended. Enforce required tags at resource creation through hyperscaler native tag policy. Remediate non compliant existing resources on a 90 day rolling window. Audit coverage monthly. This minimum viable rollout typically lifts coverage from 30 percent to 85 percent in two quarters.
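The six tag policy expressed as a create-time validator, as an added example (not Redress code). The page does not say which four tags are required and which two are recommended, so the split below (cost_center, business_unit, application, environment required; owner, data_classification recommended), the value patterns, the example.com domain and the AD group prefix are all assumptions constructed for the example. The validator also rejects multi value tags, since the page notes they break allocation tooling.

```python
"""Six tag policy validator (added example, not Redress code)."""
import re

# Required/recommended split, allowed values and patterns are assumptions
# constructed for this example; replace with the ratified policy values.
TAG_POLICY = {
    "cost_center": {"required": True, "pattern": r"^CC-\d{4}$"},
    "business_unit": {"required": True, "values": {"retail", "wholesale", "corporate"}},
    "application": {"required": True, "pattern": r"^[a-z0-9][a-z0-9-]{1,40}$"},
    "environment": {"required": True, "values": {"prod", "qa", "dev", "test", "dr"}},
    "owner": {"required": False,
              "pattern": r"^([\w.+-]+@example\.com|grp-[a-z0-9-]+)$"},  # email or AD group
    "data_classification": {"required": False,
                            "values": {"public", "internal", "confidential", "restricted"}},
}


def validate_tags(tags):
    """Validate one resource's tag dict against TAG_POLICY.

    Returns (allowed, errors, warnings). A missing required tag or an invalid
    value is an error (block the create); a missing recommended tag is a
    warning (let the create through, report it in the monthly audit).
    """
    errors, warnings = [], []
    for key, rule in TAG_POLICY.items():
        value = tags.get(key)
        if value is None:
            (errors if rule["required"] else warnings).append(f"missing {key}")
            continue
        # Multi value tags (comma or semicolon separated lists) break most
        # cost allocation tooling, so they are rejected outright.
        if "," in value or ";" in value:
            errors.append(f"{key}: multi value tags are not allowed ({value!r})")
            continue
        if "values" in rule and value not in rule["values"]:
            errors.append(f"{key}: {value!r} not in {sorted(rule['values'])}")
        elif "pattern" in rule and not re.match(rule["pattern"], value):
            errors.append(f"{key}: {value!r} does not match {rule['pattern']}")
    return (not errors, errors, warnings)


if __name__ == "__main__":
    # Constructed create request: one tag is a multi value list, one is
    # mis-cased, one required tag is missing.
    ok, errs, warns = validate_tags({
        "cost_center": "CC-1042,CC-1043",
        "business_unit": "Retail",
        "application": "order-api",
    })
    print(ok, errs, warns)
```

The same table drives both the create-time check and the audit: anything flagged as an error is what the hyperscaler native policy should hard deny, anything in warnings is what the remediation flow chases on the 90 day window.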

Hyperscaler tag mechanics

Each hyperscaler implements tagging differently. The buyer side strategy must match the mechanics of each cloud.

AWS tag policy mechanics

  • AWS Organizations Tag Policies: centralized at the management account, applied across member accounts.
  • Service Control Policies: hard deny on resource creation if a required tag is missing.
  • Cost Allocation Tags: tags must be activated explicitly in the Billing console to flow to CUR.
  • Resource Groups Tagging API: bulk tagging across regions and accounts.
  • AWS Config: the rules engine that audits tag compliance over time.
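The AWS mechanics above rendered from the same required tag list, as an added example (not Redress or AWS code). The Tag Policy and SCP documents follow the AWS Organizations syntax (`@@assign`, `enforced_for`, the `Null` condition on `aws:RequestTag/<key>`); the enforced resource types, the two EC2 actions and the tag keys are a constructed subset. `scp_denies` is a local evaluation of the SCP's condition so the behaviour can be checked without an AWS account.

```python
"""Six tag policy in AWS Organizations native form (added example, not Redress code)."""
import json

REQUIRED_TAGS = ["cost_center", "business_unit", "application", "environment"]

# Resource types the Tag Policy enforces on. Constructed subset; extend it to
# every service that carries material cost.
ENFORCED_RESOURCE_TYPES = ["ec2:instance", "ec2:volume", "rds:db", "s3:bucket"]


def render_tag_policy(required=REQUIRED_TAGS, value_rules=None):
    """Build an AWS Organizations Tag Policy document.

    A Tag Policy normalises the key (tag_key), can restrict values (tag_value)
    and blocks non compliant tagging operations on the listed resource types
    (enforced_for). It does not block creation of an untagged resource by
    itself; that is what the SCP below is for.
    """
    value_rules = value_rules or {}
    policy = {"tags": {}}
    for key in required:
        entry = {
            "tag_key": {"@@assign": key},
            "enforced_for": {"@@assign": ENFORCED_RESOURCE_TYPES},
        }
        if key in value_rules:
            entry["tag_value"] = {"@@assign": value_rules[key]}
        policy["tags"][key] = entry
    return policy


def render_scp(required=REQUIRED_TAGS):
    """Build an SCP that denies EC2 instance and volume creation whenever a
    required tag is absent from the request (aws:RequestTag/<key> is null)."""
    statements = []
    for key in required:
        sid = "DenyCreateWithout" + "".join(p.capitalize() for p in key.split("_"))
        statements.append({
            "Sid": sid,
            "Effect": "Deny",
            "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
            "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
            "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def scp_denies(request_tags, scp):
    """Local evaluation of the SCP's Null condition against the tags carried by
    a create request. Returns the Sids that would deny the request."""
    denied = []
    for stmt in scp["Statement"]:
        for cond_key, expect_null in stmt["Condition"]["Null"].items():
            tag_key = cond_key.split("/", 1)[1]
            is_null = tag_key not in request_tags
            if is_null == (expect_null == "true"):
                denied.append(stmt["Sid"])
    return denied


if __name__ == "__main__":
    print(json.dumps(render_tag_policy(
        value_rules={"environment": ["prod", "qa", "dev", "test", "dr"]}), indent=2))
    print(json.dumps(render_scp(), indent=2))
    # Constructed request that only carries cost_center.
    print(scp_denies({"cost_center": "CC-1042"}, render_scp()))
```

Two caveats the documents do not make visible: the SCP only sees tags supplied in the create request, so resources tagged a minute after creation still pass, which is why AWS Config rules are needed for the ongoing audit; and none of this makes the keys appear in CUR until they are activated as Cost Allocation Tags in the Billing console (or through the Cost Explorer UpdateCostAllocationTagsStatus API).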

Azure tag policy mechanics

  • Azure Policy: tag keys, values, and required tag rules at subscription or management group scope.
  • Policy Initiatives: bundles of policies for batch enforcement.
  • Tag inheritance: not automatic. Apply tags at the subscription, RG, and resource level explicitly.
  • Azure Cost Management: consumes tags directly without explicit activation, unlike AWS.
  • Modify effect: Azure Policy can auto remediate missing tags using the modify effect.
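The Azure inheritance gap and the modify effect fix, as an added example (not Redress or Microsoft code). `render_inherit_tag_policy` produces a policy definition in the shape of Azure's built in "inherit a tag from the resource group" policy and `render_require_tag_policy` the deny variant; `apply_modify_effect` and `remediation_plan` are local simulations of what those rules do, run over a constructed inventory so the reader can see which resources the modify effect repairs and which remain gaps because the resource group itself is untagged. The Contributor role id is the standard built in role id used by modify remediation; the resource groups and resources are constructed.

```python
"""Azure tag inheritance via the Azure Policy modify effect (added example, not Redress code)."""

# Built in Contributor role, granted to the remediation managed identity.
CONTRIBUTOR_ROLE_ID = ("/providers/microsoft.authorization/roleDefinitions/"
                       "b24988ac-6180-42a0-ab88-20f7382dd24c")


def render_inherit_tag_policy(tag_name):
    """Policy rule: if the resource lacks tag_name and its resource group has
    it, add it. mode Indexed limits evaluation to resources that support tags."""
    field = f"tags['{tag_name}']"
    rg_value = f"[resourceGroup().tags['{tag_name}']]"
    return {
        "mode": "Indexed",
        "policyRule": {
            "if": {"allOf": [
                {"field": field, "exists": "false"},
                {"value": rg_value, "notEquals": ""},
            ]},
            "then": {"effect": "modify", "details": {
                "roleDefinitionIds": [CONTRIBUTOR_ROLE_ID],
                "operations": [{"operation": "add", "field": field, "value": rg_value}],
            }},
        },
    }


def render_require_tag_policy(tag_name):
    """Deny variant for hard enforcement at create: refuse any resource that
    arrives without tag_name. Pair it with the modify policy for the estate
    that already exists."""
    return {"mode": "Indexed", "policyRule": {
        "if": {"field": f"tags['{tag_name}']", "exists": "false"},
        "then": {"effect": "deny"}}}


def apply_modify_effect(resource_tags, rg_tags, tag_name):
    """Local simulation of the modify rule above. Without the policy Azure
    copies nothing: a tag on the resource group never reaches the resource."""
    tags = dict(resource_tags)
    if tag_name not in tags and rg_tags.get(tag_name, "") != "":
        tags[tag_name] = rg_tags[tag_name]
    return tags


def remediation_plan(resource_groups, tag_name):
    """Run the modify rule over {rg_name: {"tags": {...}, "resources": [{"id", "tags"}]}}.
    Returns (remediated_ids, still_missing_ids); the second list is the set of
    resources the modify effect cannot fix because the RG is untagged too."""
    remediated, still_missing = [], []
    for rg in resource_groups.values():
        for res in rg["resources"]:
            before = tag_name in res["tags"]
            after = tag_name in apply_modify_effect(res["tags"], rg["tags"], tag_name)
            if not before and after:
                remediated.append(res["id"])
            elif not after:
                still_missing.append(res["id"])
    return remediated, still_missing


# Constructed inventory: one tagged RG with two untagged VMs, one untagged RG.
SAMPLE_RGS = {
    "rg-orders-prod": {"tags": {"cost_center": "CC-1042"}, "resources": [
        {"id": "vm-orders-1", "tags": {"environment": "prod"}},
        {"id": "vm-orders-2", "tags": {"cost_center": "CC-9999"}},
        {"id": "disk-orders-1", "tags": {}},
    ]},
    "rg-sandbox": {"tags": {}, "resources": [
        {"id": "vm-sandbox-1", "tags": {}},
    ]},
}

if __name__ == "__main__":
    print(remediation_plan(SAMPLE_RGS, "cost_center"))
```

Note that the modify effect does not overwrite a value already on the resource (vm-orders-2 keeps CC-9999 even though the RG says CC-1042); a conflict between resource and resource group values is a separate audit finding, not something the policy repairs.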

GCP label and tag mechanics

  • Labels: key value pairs on resources. Used for cost allocation and resource search.
  • Tags: governance hierarchies. Bound to IAM conditions and firewall rules. Not the same as labels.
  • Billing labels: labels flow to BigQuery billing export and the cost console automatically.
  • Organization Policy: enforces label keys and tag binding at the org or folder level.
  • Inheritance: labels inherit to child resources where the API supports it. Not all services do.

Remediating untagged spend

The first tagging strategy rollout always uncovers a large pool of untagged spend. Remediation is the engine that turns the rollout into recurring savings.

The four step remediation flow

  1. Map untagged spend: identify every untagged resource by service, region, and account.
  2. Owner discovery: trace the untagged resource back to a likely owner through CloudTrail or activity logs.
  3. Owner ratification: contact the owner and ratify the tag values.
  4. Bulk apply: apply the ratified tags through the Resource Groups Tagging API or Azure CLI bulk update.
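Step 1 of the remediation flow and the coverage benchmark table above, as an added example (not Redress code): a tag coverage audit over a billing export that ranks untagged resources by spend, computes tagged spend percentage per account or service, and places the result in the maturity bands from the benchmark table. The CSV is constructed to look like a flattened CUR extract; real CUR tag columns are named `resourceTags/user:<key>`, so the column names here are an assumption. The same functions serve the monthly coverage audit in the seven controls.

```python
"""Tag coverage audit over a billing export (added example, not Redress code)."""
import csv
import io

# Constructed CUR-style extract. Column names are illustrative; in a real CUR
# the tag columns are resourceTags/user:<key>.
SAMPLE_EXPORT = """\
line_item_usage_account_id,product_code,resource_id,unblended_cost,cost_center,business_unit,application,environment
111111111111,AmazonEC2,i-0a1,120.00,CC-1042,retail,order-api,prod
111111111111,AmazonEC2,i-0a2,80.00,,,,
111111111111,AmazonRDS,db-1,300.00,CC-1042,retail,order-api,prod
222222222222,AmazonS3,bkt-logs,45.50,,,,
222222222222,AmazonEC2,i-0b7,210.00,CC-2001,wholesale,,dev
333333333333,AmazonEC2,i-0c3,244.50,,,,
"""

REQUIRED = ["cost_center", "business_unit", "application", "environment"]

# Upper bounds of the coverage bands from the benchmark table; a value on a
# boundary is counted in the higher band.
MATURITY = [(20, "No strategy"), (50, "Ad hoc"), (80, "Defined policy"),
            (95, "Enforced policy"), (101, "Enforced plus recurring audit")]


def load_lines(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_tagged(row, required=REQUIRED):
    """A line is tagged only when every required key carries a value;
    partially tagged spend is untagged for allocation purposes."""
    return all(row.get(k, "").strip() for k in required)


def coverage(rows, group_by=None):
    """Return {group: (tagged_cost, total_cost, tagged_pct)}. group_by is a
    column name (account, service) or None for the whole estate."""
    totals = {}
    for r in rows:
        g = r[group_by] if group_by else "all"
        cost = float(r["unblended_cost"])
        t, tot = totals.get(g, (0.0, 0.0))
        totals[g] = (t + (cost if is_tagged(r) else 0.0), tot + cost)
    return {g: (round(t, 2), round(tot, 2), round(100 * t / tot, 1))
            for g, (t, tot) in totals.items()}


def maturity(pct):
    """Map a tagged spend percentage to the benchmark table's maturity label."""
    for upper, label in MATURITY:
        if pct < upper:
            return label
    return MATURITY[-1][1]


def top_untagged(rows, n=100):
    """Remediation step 1: untagged or partially tagged resources ranked by
    spend, each with the keys it lacks. n=100 matches the page's first wave."""
    out = []
    for r in rows:
        missing = [k for k in REQUIRED if not r.get(k, "").strip()]
        if missing:
            out.append((r["resource_id"], r["product_code"],
                        r["line_item_usage_account_id"],
                        float(r["unblended_cost"]), missing))
    return sorted(out, key=lambda x: -x[3])[:n]


if __name__ == "__main__":
    rows = load_lines(SAMPLE_EXPORT)
    tagged, total, pct = coverage(rows)["all"]
    print(f"estate: {pct}% tagged ({tagged} of {total}) -> {maturity(pct)}")
    for acct, (t, tot, p) in coverage(rows, "line_item_usage_account_id").items():
        print(f"  {acct}: {p}% ({t} of {tot})")
    for item in top_untagged(rows, 5):
        print("  untagged:", item)
```

Running the audit by account as well as for the whole estate matters: the estate here sits at 42 percent (ad hoc), but one account is already at 84 percent while another is at zero, and the remediation wave should start in the zero account.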

What to do with orphaned untagged resources

  • Resources with no traceable owner.
  • Resources older than 12 months with no activity.
  • Snapshots and AMIs older than 18 months with no source instance.
  • Unattached EBS volumes older than 90 days.
  • Idle load balancers and unused elastic IPs.

These resources should be tagged with an orphan flag, broadcast to the platform team for review, and deleted after a 30 day grace period. The orphan cleanup typically removes 4 to 8 percent of total cloud spend without changing any workload.
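The orphan rules above applied to a constructed inventory, as an added example (not Redress code): each resource is evaluated against the five rules, orphans get the orphan flag and a delete-after date from the 30 day grace period, and the monthly cost of the orphan set is totalled. The resource fields (`traced_owner` from step 2 of the remediation flow, `attached`, `idle`, `source_instance_exists`) and the 30 day month used to turn 12 and 18 months into day counts are assumptions of the example; the reference date is constructed.

```python
"""Orphan classification for untagged resources (added example, not Redress code)."""
from datetime import date, timedelta

GRACE_DAYS = 30
MONTH = 30  # day count used for the 12 and 18 month thresholds (assumption)


def orphan_reasons(res, today):
    """Evaluate the page's orphan rules against one resource. Any match makes
    it an orphan; all matching reasons are returned for the review note."""
    age = (today - res["created"]).days
    # No activity record is treated as no activity since creation.
    idle = (today - res["last_activity"]).days if res.get("last_activity") else age
    reasons = []
    if res.get("traced_owner") is None:
        reasons.append("no traceable owner")
    if age > 12 * MONTH and idle > 12 * MONTH:
        reasons.append("older than 12 months with no activity")
    if (res["type"] in ("snapshot", "ami") and age > 18 * MONTH
            and not res.get("source_instance_exists", False)):
        reasons.append("snapshot/AMI older than 18 months with no source instance")
    if res["type"] == "ebs_volume" and not res.get("attached", False) and age > 90:
        reasons.append("unattached EBS volume older than 90 days")
    if res["type"] == "load_balancer" and res.get("idle", False):
        reasons.append("idle load balancer")
    if res["type"] == "elastic_ip" and not res.get("attached", False):
        reasons.append("unused elastic IP")
    return reasons


def orphan_plan(inventory, today):
    """Tag each orphan with the flag, the first reason and the delete-after
    date; resources matching no rule are left untouched."""
    plan = []
    for res in inventory:
        reasons = orphan_reasons(res, today)
        if reasons:
            plan.append({
                "resource_id": res["id"],
                "reasons": reasons,
                "tags": {"orphan": "true", "orphan_reason": reasons[0],
                         "delete_after": (today + timedelta(days=GRACE_DAYS)).isoformat()},
                "monthly_cost": res.get("monthly_cost", 0.0),
            })
    return plan


def orphan_savings(plan):
    """Monthly spend that goes away once the grace period expires."""
    return round(sum(p["monthly_cost"] for p in plan), 2)


TODAY = date(2025, 6, 1)  # constructed reference date

# Constructed inventory of untagged resources after owner discovery.
SAMPLE_INVENTORY = [
    {"id": "i-001", "type": "instance", "created": date(2023, 1, 10),
     "last_activity": date(2025, 5, 30), "traced_owner": "alice", "monthly_cost": 100.0},
    {"id": "i-002", "type": "instance", "created": date(2023, 1, 10),
     "last_activity": date(2024, 1, 1), "traced_owner": "bob", "monthly_cost": 75.0},
    {"id": "snap-003", "type": "snapshot", "created": date(2023, 6, 1),
     "source_instance_exists": False, "traced_owner": "carol", "monthly_cost": 12.5},
    {"id": "vol-004", "type": "ebs_volume", "created": date(2025, 4, 15),
     "attached": False, "traced_owner": None, "monthly_cost": 8.0},
    {"id": "vol-005", "type": "ebs_volume", "created": date(2024, 12, 1),
     "attached": False, "traced_owner": "dave", "monthly_cost": 20.0},
    {"id": "elb-006", "type": "load_balancer", "created": date(2025, 1, 1),
     "idle": True, "traced_owner": "erin", "monthly_cost": 18.0},
    {"id": "eip-007", "type": "elastic_ip", "created": date(2025, 5, 20),
     "attached": False, "traced_owner": "erin", "monthly_cost": 3.6},
    {"id": "bkt-008", "type": "s3_bucket", "created": date(2025, 5, 1),
     "last_activity": date(2025, 5, 31), "traced_owner": "frank", "monthly_cost": 40.0},
]

if __name__ == "__main__":
    plan = orphan_plan(SAMPLE_INVENTORY, TODAY)
    for p in plan:
        print(p["resource_id"], p["reasons"], p["tags"]["delete_after"])
    print("monthly orphan spend:", orphan_savings(plan))
```

The delete-after tag is what makes the grace period auditable: the cleanup job deletes only resources whose orphan flag is set and whose delete-after date has passed, so an owner who appears during the 30 days clears the flag and the resource survives.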

The first untagged spend cleanup pays for the entire FinOps program. Every quarter after, the cleanup is recurring margin against the cloud bill.

Seven controls every cloud FinOps lead should apply

  1. Six tag policy. Enforce cost center, BU, application, environment, owner, data classification.
  2. Hard enforcement at create. SCP on AWS, deny effect on Azure Policy, Organization Policy on GCP.
  3. Auto remediation. Azure modify effect, AWS Lambda based remediation, GCP Cloud Functions on label addition.
  4. Monthly coverage audit. Track tagged spend percentage by service, account, and BU.
  5. Quarterly orphan cleanup. Remove untraceable resources after the 30 day grace window.
  6. Showback by BU. Monthly business unit reports rolled up from cost center tag.
  7. Tag policy review. Annual policy review with finance, security, and platform teams.

What to do next on your cloud estate

  1. Pull a 12 month spend report by tag coverage status. Establish the baseline.
  2. Define the six tag policy and circulate to finance, security, and platform teams for ratification.
  3. Stand up hyperscaler native tag enforcement: AWS Tag Policies, Azure Policy, GCP Organization Policy.
  4. Launch the four step remediation flow on the top 100 untagged resources by spend.
  5. Stand up the monthly showback dashboard pulled from CUR, Azure Cost Export, or BigQuery billing.
  6. Run the software spend health check on the full cloud estate.
  7. Engage independent buyer side advisory on the FinOps and tagging program.

Frequently asked questions

Why does tagging strategy matter for cloud cost?

Tagging is the only mechanism to allocate cloud spend to business units, products, environments, and projects. Without a tagging strategy, FinOps cannot work, showback cannot happen, and cost optimization is blind. Every dollar of untagged spend is a dollar without an owner.

What are the most important tags to enforce?

Cost center, business unit, product or application, environment, owner, and data classification. These six tags cover roughly 95 percent of allocation needs across our deal database. Other tags should be optional and governed by team.

How does AWS tag policy enforcement work?

AWS Organizations Tag Policies allow the management account to enforce tag keys, value formats, and required tags on every resource. The policies apply across all member accounts. Service Control Policies can refuse creation of untagged resources for specific services.

How does Azure handle tagging?

Azure Policy enforces tag keys and values at the subscription or management group level. Policy initiatives bundle tagging rules with other governance rules. Tags do not automatically inherit to child resources, which is the single largest source of Azure tagging gaps.

How does GCP handle tagging?

GCP uses labels at the resource level and tags at the organization level. Labels are key value pairs on resources. Tags are governance hierarchies that bind to IAM policies. The two systems do different jobs and both must be managed.

How does Redress engage on tagging strategy?

We run the buyer side process end to end across AWS, Azure, and GCP. We assess tag coverage, build the tagging policy, drive remediation of untagged spend, and stand up the FinOps allocation flow. We are not a partner of any hyperscaler.

Every cloud bill has a tagging story behind it. The cleaner the tags, the cleaner the cost story. The first cleanup pays for the FinOps program.

Morten Andersen
Co Founder, Redress Compliance