# AWS cost-allocation tag taxonomy (2026)

Companion artifact for the FactualMinds post **AWS Tagging, Chargeback, and FinOps Ownership**.
Keep the mandatory set to **3–5 keys**. Every key you make mandatory is a key someone has to set on
every resource forever; over-specifying the taxonomy is the most common reason tag programs stall.

## Mandatory tags (enforced — the SCP denies resource creation without them)

| Key | Allowed values | Owner | Why |
|-----|----------------|-------|-----|
| `CostCenter` | `cc-####` (4 digits) | Finance | The chargeback dimension. No CostCenter → cost lands in the "unallocated" bucket. |
| `Team` | discrete list (`platform`, `payments`, `data`, `growth`, …) | Eng leads | Engineering ownership; routes the bill to the team that can act on it. |
| `Environment` | `prod` \| `staging` \| `dev` \| `sandbox` | Platform | Lets you exclude non-prod from chargeback or charge it differently. |
| `Application` | kebab-case service name | Service owner | Ties spend to a deployable unit, not just a team. |

## Recommended tags (reported via tag policy, not blocked)

| Key | Allowed values | Why |
|-----|----------------|-----|
| `DataClass` | `public` \| `internal` \| `pii` \| `financial` | Doubles as the classification boundary used in KMS key policies (which key a resource may use). |
| `Owner` | email | Human to ping on an anomaly. |
| `ManagedBy` | `terraform` \| `cdk` \| `console` | `console` resources are your drift + untagged risk. |

## The two-layer enforcement model

1. **SCP** (prevent): denies resource creation when a mandatory tag is missing; this is the only
   layer that actually *stops* untagged spend. Scope it to resource types that accept tags at
   create time (`aws:RequestTag/<Key>` is only present in the request context for those) and
   exempt automation roles (see `scp-require-tags.json`).
2. **Tag policy** (report + standardize): defines the allowed keys, values and capitalization, and
   finds non-compliant existing tags. Tag policies *report* by default; they only *prevent*
   non-compliant tag changes on the resource types you list under `enforced_for`, and they do
   **not** block resource creation. Pair them with the SCP. The org-wide compliance report is
   generated from **us-east-1** with management-account credentials (`tag:StartReportCreation`
   writes it to an S3 bucket); per-account spot checks use `tag:GetResources` with compliance
   details against the effective policy returned by `organizations:DescribeEffectivePolicy`.
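The SCP layer above, as an added example (not the page's `scp-require-tags.json`): one Deny statement per mandatory key, scoped to three actions that accept tags at create time, plus one statement that rejects unknown `Environment` values. The action list, the ARN patterns and the `platform-automation-*` exemption role name are assumptions for illustration; JSON carries no comments, so the `Sid` values do the labelling.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateWithoutCostCenter",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "rds:CreateDBInstance", "lambda:CreateFunction"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" },
        "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/platform-automation-*" }
      }
    },
    {
      "Sid": "DenyCreateWithoutTeam",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "rds:CreateDBInstance", "lambda:CreateFunction"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Team": "true" },
        "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/platform-automation-*" }
      }
    },
    {
      "Sid": "DenyCreateWithoutEnvironment",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "rds:CreateDBInstance", "lambda:CreateFunction"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Environment": "true" },
        "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/platform-automation-*" }
      }
    },
    {
      "Sid": "DenyCreateWithoutApplication",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "rds:CreateDBInstance", "lambda:CreateFunction"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Application": "true" },
        "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/platform-automation-*" }
      }
    },
    {
      "Sid": "DenyUnknownEnvironmentValue",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "rds:CreateDBInstance", "lambda:CreateFunction"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:RequestTag/Environment": ["prod", "staging", "dev", "sandbox"] },
        "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/platform-automation-*" }
      }
    }
  ]
}
```

Three things to check before attaching this to an OU. First, the keys are in separate statements on purpose: condition keys inside one `Null` block are ANDed, so a single statement listing all four keys would only deny when *all four* are missing. Second, the `ArnNotLike` exemption is ANDed with the `Null` test, so the deny fires only when the tag is missing *and* the caller is not the automation role; keep that pattern narrow, since every exempted principal can create untagged spend. Third, `ec2:RunInstances` is matched against both `instance/*` and `volume/*`, so launch templates must carry a `TagSpecifications` entry for both resource types or the volume half of the launch is denied. Neither this SCP nor a tag policy can check that `CostCenter` has four digits (`StringNotLike` and tag-policy wildcards only match shape); that check belongs in CI.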

> **Shift-left option (2026):** the Terraform AWS provider (v6.22+) can validate tags against your
> live Organizations tag policy at plan time, so violations fail in CI instead of at apply.
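The tag-policy layer the SCP is paired with (and the policy a plan-time validator would read), as an added example that is not the page's own artifact. It fixes capitalization for every key in the taxonomy, restricts values where the taxonomy has a discrete list, and turns on `enforced_for` only for the mandatory keys on three resource types. The resource types chosen for `enforced_for` are an assumption; `Application` has no `tag_value` because kebab-case cannot be expressed with the `*` wildcard that tag policies allow.

```json
{
  "tags": {
    "costcenter": {
      "tag_key": { "@@assign": "CostCenter" },
      "tag_value": { "@@assign": ["cc-*"] },
      "enforced_for": { "@@assign": ["ec2:instance", "ec2:volume", "rds:db"] }
    },
    "team": {
      "tag_key": { "@@assign": "Team" },
      "tag_value": { "@@assign": ["platform", "payments", "data", "growth"] },
      "enforced_for": { "@@assign": ["ec2:instance", "ec2:volume", "rds:db"] }
    },
    "environment": {
      "tag_key": { "@@assign": "Environment" },
      "tag_value": { "@@assign": ["prod", "staging", "dev", "sandbox"] },
      "enforced_for": { "@@assign": ["ec2:instance", "ec2:volume", "rds:db"] }
    },
    "application": {
      "tag_key": { "@@assign": "Application" },
      "enforced_for": { "@@assign": ["ec2:instance", "ec2:volume", "rds:db"] }
    },
    "dataclass": {
      "tag_key": { "@@assign": "DataClass" },
      "tag_value": { "@@assign": ["public", "internal", "pii", "financial"] }
    },
    "managedby": {
      "tag_key": { "@@assign": "ManagedBy" },
      "tag_value": { "@@assign": ["terraform", "cdk", "console"] }
    }
  }
}
```

Attach it with `enforced_for` removed first (pure report mode), generate the compliance report from us-east-1, and only add `enforced_for` once the worst offenders are fixed: with enforcement on, a `TagResource` call that sets `environment=Prod` on an `ec2:instance` is rejected, which is exactly the kind of thing that breaks an old deployment script at 2 a.m. Note that the policy still does nothing about a resource created with no tags at all; that remains the SCP's job.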

## Rollout order that does not start a spreadsheet war

1. Publish the taxonomy. **Showback only** — no chargeback yet.
2. Turn on the tag policy in **report mode**; fix the worst non-compliant resources with Tag Editor.
3. Activate the mandatory keys as **cost allocation tags** in the Billing console (takes up to
   ~24h to appear in reports and applies going forward; past usage is only covered if you request
   a separate backfill, so activate early).
4. Add the SCP in a **single non-prod OU** first; watch for broken automation; widen to prod.
5. Only after coverage is stable (>90% of taggable spend) do you switch showback → chargeback.
