How Skai leveraged Amazon Web Services Step Functions to enforce its tagging policies

by Judith Lehner and Eran Balan | on

Skai is an independent, global marketing platform for strategy, measurement, and best-of-breed activation across all of the world’s most influential digital channels. Skai’s solution provides data-driven insights and optimization technology to help companies make informed decisions and scale performance across critical publishers.

Skai possesses a highly technical engineering organization with over 350 software engineers, data experts, and DevOps engineers.

The challenge

As part of our migration to a cloud native architecture we are moving many of our workloads to Amazon Web Services, that includes services like Amazon Elastic Compute Cloud (EC2) Amazon RDS, Amazon Elastic Kubernetes Service (EKS) and more.

As a standard we wanted to tag all of our cloud resources on creation time with pre-decided mandatory tags.

We chose to focus on the “Project” tag which is an important part of our cost optimization efforts.

Our dev culture allows most developers to provision different Amazon Web Services resources, this resulted in an increase in our Amazon Web Services spend. Without proper resource tagging it’s difficult to group different resources and to understand their business value.

With many different users and teams now utilizing our Amazon Web Services cloud infrastructure we noticed more and more resources being created without the required mandatory tags.

And while we tried to increase the tagging coverage with different tools, like Amazon Web Services Tag Editor and custom boto3 scripts, the untagged resources percentage was increasing rapidly.

We wanted to monitor the increase in untagged resources so we can see the top contributors (usually automations) and fix them before we implement the next phase of preventing these resources from being created using Service Control Policies (SCPs) policies.

Solution Overview

Our solution was divided into 2 phases:

  1. Phase 1 – identifying newly created resources without the “project” tag.
  2. Phase 2 – Preventing resources without the “project” tag from being created using Service Control Policies (SCPs) .

In this blog post we will focus on Phase 1.

In order to gain visibility over resources that are created without our mandatory tags we leveraged Amazon Web Services Config , specifically the Amazon Web Services provided required-tags rule, Amazon Web Services Step Functions , Amazon Web Services Lambda , Amazon Web Services DynamoDB and Amazon Web Services Cloudtrail .

This could have also been achieved using a single monolithic Amazon Web Services Lambda however using Amazon Web Services Step Functions provides visibility of each step and an intuitive way of debugging, error handling and modularity using minimal code. The Figure below shows an overview of our solution:

Figure 1. High Level Archtcure

Figure 1. High Level Archtcure

We created an Amazon Web Services Step Function that generates a report with a list of resources that were created in the past 24 hours without our mandatory tags and then sends this report to us via email.

This report allows us to quickly locate newly created untagged resources and to identify the creator of those resources. This makes the implementation of the second phase easier by blocking less resources from being created.

The following list is how we harnessed Amazon Web Services services and how we configured the moving parts in our solution.

  1. Amazon Web Services Config – Gathers non-compliant resources (resources without the “Project” tag present) using the Amazon Web Services provided required-tags rule.
  2. Amazon Web Services Lambda – A multi entry point function used in our step function. It provides the following functionality:
    1. getYesterdayDate –  Filters resources that were created in the past 24 hours.
    2. getLatestElement –  Enriches the information for each resource with UserAgent and CreatorArn.
    3. parseEmail –  Sends an email with a report of supported noncompliant resources that were created in the past 24 hours using the “required-tags” Amazon Web Services Config rule.
  1. Amazon Web Services DynamoDB –  Records every filtered resource (resource created in past 24 hours without mandatory tags) in a dedicated table. This table will be used later in the Lambda function that sends the report.
  2. Amazon Web Services Step Functions – The backbone of our solution and is used to connect and orchestrate the different pieces and services used to achieve our goals.

Amazon Web Services Cloudtrail – For each noncompliant resource we will query Cloudtrail to enrich our report with UserAgent and CreatorArn. This  helps guide us in the right direction when it comes to fixing the resources and ensuring they are created with the mandatory tags. For example, if we see that a specific resource was created using ‘CreatorArn’ as  EKS role and ‘UserAgent’ as ‘eks.amazonaws.com’  we may immediately know what and where we need to fix.

To avoid reaching Amazon Web Services Step Function history quota we have separated our workflow into two step functions (https://docs.aws.amazon.com/step-functions/latest/dg/bp-history-limit.html)

  1. Map step function – Iterates through the paginated evaluation result from Amazon Web Services Config and for each page of the result it triggers our Map step function.
Figure 2. Main Step Function- Iterate through AWS Config report

Figure 2. Map Step Function- Iterate through Amazon Web Services Config report

  1. Map step function – Iterates over noncompliant resources from  each page in the Amazon Web Services Config rule evaluation.
Figure 3. Second Step Function- Iterate over non-compliant resources

Figure 3. Second Step Function- Iterate over non-compliant resources

According to Danny Zalkind, Director, Infrastructure Engineering at Skai – “StepFunctions has allowed us to quickly create a workflow process, integrated with multiple Amazon Web Services services, in a low-code manner, which would otherwise take us much longer to achieve using custom logic or open source tools. This enabled us to ramp up our resource tagging enforcement, gaining improved cost control. We were able to grow our account cost in a controlled way, increasing only a small, signal digit percentage of cost, while in the midst of a large-scale cloud migration.”

Conclusion

Ensuring resources are created with mandatory tags is critical for ensuring compliance as well as controlling cost.
In this post we saw how by leveraging Amazon Web Services Step Functions you can quickly and efficiently maintain a high percentage of tagged resources (> 85%) and track down untagged resource creators.

After implementing our solution and fixing all the findings we have since initialized the next phase of our tagging efforts by using Amazon Web Services Service control policies that actively prevent resources without mandatory tags from being created in the first place.

About the author:

Roman Fainerman

Roman Fainerman is a senior DevOps engineer, tech lead at Skai and an Amazon Web Services certified Professional DevOps Engineer.

Steve Mattar

Steve Mattar is a DevOps Architect at Skai.

Judith Lehner

Judith Lehner is a Technical Account Manager at Amazon Web Services based in Israel, she also focuses on helping customers with Cost Optimization activities.

Eran Balan

Eran Balan is an Amazon Web Services Senior Solutions Architect based in Israel. He works with digital native customers to provide them with architectural guidance for building scalable architecture in Amazon Web Services environments.

The mentioned AWS GenAI Services service names relating to generative AI are only available or previewed in the Global Regions. Amazon Web Services China promotes AWS GenAI Services relating to generative AI solely for China-to-global business purposes and/or advanced technology introduction.