

# Organizing and tracking costs using AWS cost allocation tags
<a name="cost-alloc-tags"></a>



A tag is a label that you or AWS assigns to an AWS resource. Each tag consists of a *key* and a *value*. For each resource, each tag key must be unique, and each tag key can have only one value. You can use tags to organize your resources, and cost allocation tags to track your AWS costs on a detailed level. After you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report, to make it easier for you to categorize and track your AWS costs. 

AWS provides two types of cost allocation tags: *AWS-generated tags* and *user-defined tags*.

AWS or an AWS Marketplace ISV defines, creates, and applies the AWS-generated tags for you, and you define, create, and apply user-defined tags. You must activate both types of tags separately before they can appear in Cost Explorer or on a cost allocation report.

The following diagram illustrates the concept. In the example, you've assigned and activated tags on two Amazon EC2 instances, one tag called Cost Center and another tag called Stack. Each of the tags has an associated value. You also activated the AWS-generated tag, `createdBy`, before creating these resources. The `createdBy` tag tracks who created the resource. The user-defined tags use the `user:` prefix, and the AWS-generated tag uses the `aws:` prefix.

![\[Example tag keys for two Amazon EC2 instances.\]](http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/images/Tag_Example.png)


After you or AWS applies tags to your AWS resources (such as Amazon EC2 instances or Amazon S3 buckets) and you activate the tags in the Billing and Cost Management console, AWS generates a cost allocation report as a comma-separated value (CSV) file with your usage and costs grouped by your active tags. You can apply tags that represent business categories (such as cost centers, application names, or owners) to organize your costs across multiple services.

The cost allocation report includes all of your AWS costs for each billing period. The report includes both tagged and untagged resources, so that you can clearly organize the charges for resources. For example, if you tag resources with an application name, you can track the total cost of a single application that runs on those resources. The following screenshot shows a partial report with columns for each tag.

![\[Partial cost allocation report showing your tag names, which are also called keys, as columns.\]](http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/images/CostAllocationPartExampleReport.png)


At the end of the billing cycle, the total charges (tagged and untagged) on the billing report with cost allocation tags reconcile with the total charges on your [https://console.aws.amazon.com/billing/home#/bill](https://console.aws.amazon.com/billing/home#/bill) page and other billing reports for the same period.

You can also use tags to filter views in Cost Explorer. For more information about Cost Explorer, see [Analyzing your costs with AWS Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html). 

For more information about activating the AWS-generated tags, see [Activating AWS-generated tags cost allocation tags](activate-built-in-tags.md). For more information about applying and activating user-defined tags, see [Using user-defined cost allocation tags](custom-tags.md). All tags can take up to 24 hours to appear in the Billing and Cost Management console.

**Notes**  
+ As a best practice, don't include sensitive information in tags.
+ Only the management account in an organization and single accounts that aren't members of an organization have access to the **cost allocation tags** manager in the Billing console.
+ If you use billing transfer and you sign in as a bill source account, you manage the cost allocation tags for your AWS Organizations. You can view your cost allocation tags in the AWS Cost and Usage Report. The bill transfer account can also see your cost allocation tags in the AWS Cost and Usage Report that shows usage from AWS Organizations that transfer their bills.
+ To create and update tags, use AWS Tag Editor. For more information about Tag Editor, see [Using Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-editor.html) in the *Tagging AWS Resources User Guide*.

**Topics**
+ [Using AWS-generated tags](aws-tags.md)
+ [Using user-defined cost allocation tags](custom-tags.md)
+ [Using user attributes for cost allocation](user-attributes-cost-allocation.md)
+ [Using account tags for cost allocation](account-tags-cost-allocation.md)
+ [Using IAM principal for cost allocation](iam-principal-cost-allocation.md)
+ [Backfill cost allocation tags](cost-allocation-backfill.md)
+ [Using the monthly cost allocation report](configurecostallocreport.md)
+ [Understanding dates for cost allocation tags](cost-allocation-tags-timeline.md)

# Using AWS-generated tags
<a name="aws-tags"></a>

The AWS-generated tag `createdBy` is a tag that AWS defines and applies to supported AWS resources for cost allocation purposes. To use the AWS-generated tag, a management account owner must activate it in the Billing and Cost Management console. When a management account owner activates the tag, the tag is also activated for all member accounts. After the tag is activated, AWS starts applying the tag to resources that are created after the AWS-generated tag is activated. The AWS-generated tag is available only in the Billing and Cost Management console and reports, and doesn't appear anywhere else in the AWS console, including the AWS Tag Editor. The `createdBy` tag does not count towards your tags per resource quota.

The `aws:createdBy` tags are populated only in the following AWS Regions:
+ `ap-northeast-1`
+ `ap-northeast-2`
+ `ap-south-1`
+ `ap-southeast-1`
+ `ap-southeast-2`
+ `cn-north-1`
+ `eu-central-1`
+ `eu-west-1`
+ `sa-east-1`
+ `us-east-1`
+ `us-east-2`
+ `us-gov-west-1`
+ `us-west-1`
+ `us-west-2`

Resources created outside of these AWS Regions will not have this tag auto-populated.

The `createdBy` tag uses the following key-value definition:

```
key = aws:createdBy
```

```
value = account-type:account-ID or access-key:user-name or role session name
```

Not all values include all of the value parameters. For example, the value for an AWS-generated tag for a root account doesn't always have a user name.

Valid values for the *account-type* are `Root`, `IAMUser`, `AssumedRole`, and `FederatedUser`.

If the tag has an account ID, the *account-id* tracks the account number of the root account or federated user who created the resource. If the tag has an access key, then the *access-key* tracks the IAM access key used and, if applicable, the session role name.

The *user-name* is the user name, if one is available.

Here are some examples of tag values:

```
Root:1234567890
Root:111122223333:exampleUser
IAMUser:AIDACKCEVSQ6C2EXAMPLE:exampleUser
AssumedRole:AKIAIOSFODNN7EXAMPLE:exampleRole
FederatedUser:1234567890:exampleUser
```

For more information about IAM users, roles, and federation, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).

AWS-generated cost allocation tags are applied on a best-effort basis. Issues with services that the AWS-generated tags depend on, such as CloudTrail, can cause a gap in tagging.
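The `aws:createdBy` value format described above can be parsed mechanically when you review a cost allocation report to see which kind of principal created the resources behind each charge. The following Python code is an added example, not AWS code: it parses the value format, totals cost per account type, lists rows whose resources were created by a root account, and keeps untagged rows (unsupported Region, resource created before activation, or a tagging gap) in their own bucket. The `ProductName` and `Cost` column names and all sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Account types the page lists as valid for aws:createdBy values.
VALID_ACCOUNT_TYPES = {"Root", "IAMUser", "AssumedRole", "FederatedUser"}


@dataclass(frozen=True)
class CreatedBy:
    account_type: str
    identifier: str        # account ID or access key, per the key-value definition
    identifier_kind: str   # "account-id" if all digits, otherwise "access-key"
    name: Optional[str]    # user name or role session name; not always present


def parse_created_by(value: str) -> Optional[CreatedBy]:
    """Parse one aws:createdBy value; return None for empty or malformed input."""
    if not value or not value.strip():
        return None
    # At most three fields; maxsplit keeps any further ':' inside the name.
    parts = [p.strip() for p in value.split(":", 2)]
    if len(parts) < 2 or parts[0] not in VALID_ACCOUNT_TYPES or not parts[1]:
        return None
    kind = "account-id" if parts[1].isdigit() else "access-key"
    name = parts[2] if len(parts) == 3 and parts[2] else None
    return CreatedBy(parts[0], parts[1], kind, name)


# Constructed sample report (column names other than the tag columns are assumed).
SAMPLE_REPORT = """\
ProductName,aws:createdBy,user:Cost Center,Cost
Amazon Elastic Compute Cloud,IAMUser:AIDACKCEVSQ6C2EXAMPLE:exampleUser,1001,12.50
Amazon Simple Storage Service,Root:111122223333:exampleUser,1001,3.25
Amazon Elastic Compute Cloud,AssumedRole:AKIAIOSFODNN7EXAMPLE:exampleRole,2002,40.00
Amazon Relational Database Service,,2002,7.75
Amazon Elastic Compute Cloud,Root:1234567890,,1.00
Amazon Kinesis,Service:unexpected,,0.50
"""


def attribute_costs(report_csv: str):
    """Return (cost per creator bucket, rows created by a root account)."""
    totals = defaultdict(Decimal)
    root_rows = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        cost = Decimal(row["Cost"])
        raw = row.get("aws:createdBy") or ""
        creator = parse_created_by(raw)
        if creator is None:
            # Distinguish "no tag at all" from "a value this parser does not recognize".
            bucket = "unparsed" if raw.strip() else "untagged"
        else:
            bucket = creator.account_type
            if creator.account_type == "Root":
                root_rows.append((row["ProductName"], creator.identifier, cost))
        totals[bucket] += cost
    return dict(totals), root_rows


if __name__ == "__main__":
    totals, root_rows = attribute_costs(SAMPLE_REPORT)
    for bucket, cost in sorted(totals.items()):
        print(f"{bucket:14} {cost}")
    for product, account_id, cost in root_rows:
        print(f"review: root account {account_id} created a {product} resource ({cost})")
```
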

The `createdBy` tag is applied only to the following services and resources after the following events.


| AWS Product | API or Console Event | Resource Type | 
| --- | --- | --- | 
| AWS CloudFormation (CloudFormation) |  `CreateStack`  |  Stack  | 
| AWS Data Pipeline (AWS Data Pipeline) |  `CreatePipeline`  |  Pipeline  | 
| Amazon Elastic Compute Cloud (Amazon EC2) |  `CreateCustomerGateway`  |  Customer gateway  | 
|    |  `CreateDhcpOptions`  |  DHCP options  | 
|    |  `CreateImage`  |  Image  | 
|    |  `CreateInternetGateway`  |  Internet gateway  | 
|    |  `CreateNetworkAcl`  |  Network ACL  | 
|    |  `CreateNetworkInterface`  |  Network interface  | 
|    |  `CreateRouteTable`  |  Route table  | 
|    |  `CreateSecurityGroup`  |  Security group  | 
|    |  `CreateSnapshot`  |  Snapshot  | 
|    |  `CreateSubnet`  |  Subnet  | 
|    |  `CreateVolume`  |  Volume  | 
|    |  `CreateVpc`  |  VPC  | 
|    |  `CreateVpcPeeringConnection`  |  VPC peering connection  | 
|    |  `CreateVpnConnection`  |  VPN connection  | 
|    |  `CreateVpnGateway`  |  VPN gateway  | 
|    |  `PurchaseReservedInstancesOffering`  |  Reserved-instance  | 
|    |  `RequestSpotInstances`  |  Spot-instance-request  | 
|    |  `RunInstances`  |  Instance  | 
| Amazon ElastiCache (ElastiCache) |  `CreateSnapshot`  |  Snapshot  | 
|    |  `CreateCacheCluster`  |  Cluster  | 
| AWS Elastic Beanstalk (Elastic Beanstalk) |  `CreateEnvironment`  |  Environment  | 
|    |  `CreateApplication`  |  Application  | 
| Elastic Load Balancing (Elastic Load Balancing) |  `CreateLoadBalancer`  |  Loadbalancer  | 
| Amazon Glacier (Amazon Glacier) |  `CreateVault`  |  Vault  | 
| Amazon Kinesis (Kinesis) |  `CreateStream`  |  Stream  | 
| Amazon Relational Database Service (Amazon RDS) |  `CreateDBInstanceReadReplica`  |  Database  | 
|    |  `CreateDBParameterGroup`  |  ParameterGroup  | 
|    |  `CreateDBSnapshot`  |  Snapshot  | 
|    |  `CreateDBSubnetGroup`  |  SubnetGroup  | 
|    |  `CreateEventSubscription`  |  EventSubscription  | 
|    |  `CreateOptionGroup`  |  OptionGroup  | 
|    |  `PurchaseReservedDBInstancesOffering`  |  ReservedDBInstance  | 
|    |  `CreateDBInstance`  |  Database  | 
| Amazon Redshift (Amazon Redshift) |  `CreateClusterParameterGroup`  |  ParameterGroup  | 
|    |  `CreateClusterSnapshot`  |  Snapshot  | 
|    |  `CreateClusterSubnetGroup`  |  SubnetGroup  | 
|    |  `CreateCluster`  |  Cluster  | 
| Amazon Route 53 (Route 53) |  `CreateHealthCheck`  |  HealthCheck  | 
|    |  `CreateHostedZone`  |  HostedZone  | 
| Amazon Simple Storage Service (Amazon S3) |  `CreateBucket`  |  Bucket  | 
| AWS Storage Gateway (Storage Gateway) |  `ActivateGateway`  |  Gateway  | 

**Note**  
The `CreateDBSnapshot` tag isn't applied to the snapshot backup storage.

## AWS Marketplace vendor-provided tags
<a name="marketplace-isv-tags"></a>

Certain AWS Marketplace vendors can create tags and associate them with your software usage. These tags will have the prefix `aws:marketplace:isv:`. To use the tags, a management account owner must activate the tag in the Billing and Cost Management console. When a management account owner activates the tag, the tag is also activated for all member accounts. Similar to `aws:createdBy` tags, these tags appear only in the Billing and Cost Management console and they don't count towards your tags per resource quota. You can find the tag keys that apply to the product on the [AWS Marketplace](https://aws.amazon.com/marketplace/) product pages.

## Restrictions on AWS-generated tags cost allocation tags
<a name="aws-tag-restrictions"></a>

The following restrictions apply to the AWS-generated tags:
+ Only a management account can activate AWS-generated tags.
+ You can't update, edit, or delete AWS-generated tags.
+ The maximum active tag keys for Billing and Cost Management reports is 500.
+ AWS-generated tags are created using CloudTrail logs. CloudTrail logs over a certain size cause AWS-generated tag creation to fail.
+ The reserved prefix is `aws:`.

  AWS-generated tag names and values are automatically assigned the `aws:` prefix, which you can't assign. AWS-generated tag names don't count towards the user-defined resource tag quota of 50. User-defined tag names have the prefix `user:` in the cost allocation report.
+ Null tag values will not appear in Cost Explorer and AWS Budgets. If there is only one tag value that is also null, the tag key will also not appear in Cost Explorer or AWS Budgets.

# Activating AWS-generated tags cost allocation tags
<a name="activate-built-in-tags"></a>

Management account owners can activate the AWS-generated tags in the Billing and Cost Management console. When a management account owner activates the tag, it's also activated for all member accounts. This tag is visible only in the Billing and Cost Management console and reports.

**Note**  
You can activate the `createdBy` tag in the Billing and Cost Management console. This tag is available in specific AWS Regions. For more information, see [Using AWS-generated tags](aws-tags.md).<a name="activate-built-in-tag"></a>

**To activate the AWS-generated tags**

1. Sign in to the AWS Management Console and open the AWS Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost allocation tags**.

1. Under **AWS-generated cost allocation tags**, choose the `createdBy` tag.

1. Choose **Activate**. It can take up to 24 hours for tags to activate.

# Deactivating the AWS-generated tags cost allocation tags
<a name="deactivate-built-in-tags"></a>

Management account owners can deactivate the AWS-generated tags in the Billing and Cost Management console. When a management account owner deactivates the tag, it's also deactivated for all member accounts. After you deactivate the AWS-generated tags, AWS no longer applies the tag to new resources. Previously tagged resources remain tagged.<a name="deactivate-built-in-tag"></a>

**To deactivate the AWS-generated tags**

1. Sign in to the AWS Management Console and open the AWS Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost allocation tags**.

1. Under **AWS-generated cost allocation tags**, choose **Deactivate**.

It can take up to 24 hours for tags to deactivate.

# Using user-defined cost allocation tags
<a name="custom-tags"></a>

User-defined tags are tags that you define, create, and apply to resources. After you have created and applied the user-defined tags, you can activate them by using the Billing and Cost Management console for cost allocation tracking. Cost allocation tags appear on the console after you've enabled Cost Explorer, Budgets, AWS Cost and Usage Reports, or legacy reports. After you activate the AWS services, they appear on your cost allocation report. You can then use the tags on your cost allocation report to track your AWS costs. Tags are not applied to resources that were created before the tags were created.

**Note**  
+ As a best practice, reactivate your cost allocation tags when moving organizations. When an account moves to another organization as a member, previously activated cost allocation tags for that account lose their "active" status and need to be activated again by the new management account.
+ As a best practice, do not include sensitive information in tags.
+ Only a management account in an organization and single accounts that aren't members of an organization have access to the **cost allocation tags** manager in the Billing and Cost Management console.

## Applying user-defined cost allocation tags
<a name="allocation-how"></a>

For ease of use and best results, use the AWS Tag Editor to create and apply user-defined tags. The Tag Editor provides a central, unified way to create and manage your user-defined tags. For more information, see the [Tagging AWS Resources and Tag Editor](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) User Guide.

For supported services, you can also apply tags to resources using the API or the AWS Management Console. Each AWS service has its own implementation of tags. You can work with these implementations individually or use Tag Editor to simplify the process. For a full list of services that support tags, see [Supported Resources for Tag-based Groups](https://docs.aws.amazon.com/ARG/latest/userguide/supported-resources.html#supported-resources-console-tagbased) and [Resource Groups Tagging API Reference](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/Welcome.html).

**Note**  
The behavior of cost allocation tags varies across AWS services. To learn more about the cost allocation tag behavior for a supported service, refer to the service’s documentation. For example, to learn more about using cost allocation tags with Amazon ECS, see [Tagging your Amazon ECS resources](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html) in the *Amazon Elastic Container Service Developer Guide*.

After you create and apply user-defined tags, you can [activate them](activating-tags.md) for cost allocation. If you activate your tags for cost allocation, it's a good idea to devise a set of tag keys that represent how you want to organize your costs. Your cost allocation report displays the tag keys as additional columns with the applicable values for each row, so it's easier to track your costs if you use a consistent set of tag keys. 

Some services launch other AWS resources that the service uses, such as Amazon EMR launching an EC2 instance. If the supporting service (EC2) supports tagging, you can tag the supporting resources (such as the associated Amazon EC2 instance) for your report. For a full list of resources that can be tagged, use the Tag Editor to search. For more information about how to search for resources using Tag Editor, see [Searching for Resources to Tag](https://docs.aws.amazon.com/ARG/latest/userguide/find-resources-to-tag.html).

**Notes**  
+ AWS Marketplace line items are tagged with the associated Amazon EC2 instance tag.
+ The `awsApplication` tag will be automatically added to all resources that are associated with applications that are set up in AWS Service Catalog AppRegistry. This tag is automatically activated for you as a cost allocation tag. Tags that are automatically activated don’t count towards your cost allocation tag quota. For more information, see [Quotas and restrictions](billing-limits.md).

## User-defined tag restrictions
<a name="allocation-tag-restrictions"></a>

For basic tag restrictions, see [Tag Restrictions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions) in the Amazon EC2 User Guide.

The following restrictions apply to user-defined tags for Cost Allocation:
+ The reserved prefix is `aws:`.

  AWS-generated tag names and values are automatically assigned the `aws:` prefix, which you can't assign. User-defined tag names have the prefix `user:` in the cost allocation report.
+ Use each key only once for each resource. If you attempt to use the same key twice on the same resource, your request will be rejected.
+ In some services, you can tag a resource when you create it. For more information, see the documentation for the service where you want to tag resources.
+ If you need characters outside of those listed in [Tag Restrictions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions), you can apply standard base-64 encoding to your tag. Billing and Cost Management does not encode or decode your tag for you.
+ User-defined tags on non-metered services can be activated (for example, Account Tagging). However, these tags will not populate in the Cost Management suite because these services are not metered.
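The restrictions above can be checked before tags are applied. The following Python code is an added example, not AWS code: it rejects the reserved `aws:` prefix and repeated keys on one resource, base64-encodes values that contain characters outside the allowed set, and decodes them again when you read the report, because Billing and Cost Management does not do that for you. The allowed character set and the 128/256 length limits are assumptions taken from the linked Tag Restrictions page, and tracking encoded keys in a set is a convention of this example.

```python
import base64
import re

# Assumption taken from the linked EC2 "Tag Restrictions" (not stated on this page):
# keys and values may contain letters, digits, spaces and + - = . _ : / @,
# keys are at most 128 characters and values at most 256.
ALLOWED = re.compile(r"[\w +\-=.:/@]*")
MAX_KEY, MAX_VALUE = 128, 256
RESERVED_PREFIX = "aws:"


def prepare_tags(pairs):
    """Validate (key, value) pairs intended for one resource.

    Returns (applied, encoded_keys, errors): the tags to apply, the keys whose
    values were base64-encoded, and a list of (key, reason) rejections.
    """
    applied, encoded_keys, errors = {}, set(), []
    for key, value in pairs:
        # Reserved prefix on names and values, compared case-insensitively
        # to stay on the conservative side.
        if key.lower().startswith(RESERVED_PREFIX) or value.lower().startswith(RESERVED_PREFIX):
            errors.append((key, "uses the reserved aws: prefix"))
            continue
        # Each key may be used only once per resource; the first use wins here.
        if key in applied:
            errors.append((key, "key already used on this resource"))
            continue
        # This example encodes values only and rejects keys it cannot store as-is,
        # so that report columns stay readable.
        if not key or len(key) > MAX_KEY or not ALLOWED.fullmatch(key):
            errors.append((key, "key is empty, too long, or has disallowed characters"))
            continue
        stored, was_encoded = value, False
        if not ALLOWED.fullmatch(value):
            # Standard base64 output uses only A-Z a-z 0-9 + / =, all of which are allowed.
            stored = base64.b64encode(value.encode("utf-8")).decode("ascii")
            was_encoded = True
        # Base64 grows the value by a third, so an encoded value can exceed the limit
        # even when the original did not.
        if len(stored) > MAX_VALUE:
            errors.append((key, "stored value exceeds 256 characters"))
            continue
        applied[key] = stored
        if was_encoded:
            encoded_keys.add(key)
    return applied, encoded_keys, errors


def decode_report_value(key, value, encoded_keys):
    """Decode a value read from the cost allocation report if its key was encoded."""
    if key in encoded_keys and value:
        return base64.b64decode(value, validate=True).decode("utf-8")
    return value


# Constructed sample input for one resource.
SAMPLE_TAGS = [
    ("Cost Center", "1001"),
    ("Team", "R&D (EMEA)"),          # '&', '(' and ')' are outside the allowed set
    ("aws:createdBy", "someone"),    # reserved prefix
    ("Team", "Platform"),            # same key used twice
    ("Stack", "Production"),
]

if __name__ == "__main__":
    applied, encoded_keys, errors = prepare_tags(SAMPLE_TAGS)
    for key, stored in applied.items():
        print(f"{key!r}: {stored!r} -> {decode_report_value(key, stored, encoded_keys)!r}")
    for key, reason in errors:
        print(f"rejected {key!r}: {reason}")
```
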

# Activating user-defined cost allocation tags
<a name="activating-tags"></a>

For tags to appear on your billing reports, you must activate them. Your user-defined cost allocation tags represent the tag key, which you activate in the Billing and Cost Management console. Once you activate or deactivate the tag key, it will affect all tag values that share the same tag key. A tag key can have multiple tag values. You can also use the `UpdateCostAllocationTagsStatus` API operation to activate your tags in bulk. For more information, see the [AWS Billing and Cost Management API Reference](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_UpdateCostAllocationTagsStatus.html). 

**To activate your tag keys**

1. Sign in to the AWS Management Console and open the AWS Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost allocation tags**.

1. Select the tag keys that you want to activate.

1. Choose **Activate**.

After you create and apply user-defined tags to your resources, it can take up to 24 hours for the tag keys to appear on your cost allocation tags page for activation. It can then take up to 24 hours for tag keys to activate.
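Bulk activation through `UpdateCostAllocationTagsStatus`, mentioned at the start of this section, looks like the following when scripted. This Python code is an added example, not AWS code: it lists inactive user-defined keys with `ListCostAllocationTags`, activates the wanted ones in batches of at most 20 entries per request, and reports wanted keys that are not listed as inactive (already active, or still inside the 24-hour window before they appear). The client is passed in so the logic runs offline against the constructed `StubCostExplorer`; against AWS you would pass `boto3.client("ce")` from an account that has access to the cost allocation tags manager.

```python
BATCH_LIMIT = 20  # maximum entries per UpdateCostAllocationTagsStatus request


def inactive_user_defined_keys(ce):
    """Return all user-defined tag keys that billing knows about but that are inactive."""
    keys, token = [], None
    while True:
        kwargs = {"Status": "Inactive", "Type": "UserDefined"}
        if token:
            kwargs["NextToken"] = token
        page = ce.list_cost_allocation_tags(**kwargs)
        keys.extend(tag["TagKey"] for tag in page.get("CostAllocationTags", []))
        token = page.get("NextToken")
        if not token:
            return keys


def activate_keys(ce, wanted, dry_run=True):
    """Activate the wanted tag keys that are currently inactive.

    With dry_run=True nothing is changed; the result shows what would be sent.
    """
    available = set(inactive_user_defined_keys(ce))
    to_activate = sorted(set(wanted) & available)
    not_listed = sorted(set(wanted) - available)
    errors, batches = [], 0
    if not dry_run:
        for start in range(0, len(to_activate), BATCH_LIMIT):
            entries = [
                {"TagKey": key, "Status": "Active"}
                for key in to_activate[start:start + BATCH_LIMIT]
            ]
            response = ce.update_cost_allocation_tags_status(CostAllocationTagsStatus=entries)
            # Per-key failures are returned in the response rather than raised.
            errors.extend(response.get("Errors", []))
            batches += 1
    return {
        "to_activate": to_activate,
        "not_listed": not_listed,
        "errors": errors,
        "batches": batches,
    }


class StubCostExplorer:
    """Constructed in-memory stand-in for the two client methods used above."""

    def __init__(self, inactive_keys, page_size=10):
        self.inactive = list(inactive_keys)
        self.page_size = page_size
        self.requests = []  # every batch passed to update_cost_allocation_tags_status

    def list_cost_allocation_tags(self, Status, Type, NextToken=None):
        start = int(NextToken or 0)
        chunk = self.inactive[start:start + self.page_size]
        page = {"CostAllocationTags": [
            {"TagKey": key, "Type": Type, "Status": Status} for key in chunk
        ]}
        if start + self.page_size < len(self.inactive):
            page["NextToken"] = str(start + self.page_size)
        return page

    def update_cost_allocation_tags_status(self, CostAllocationTagsStatus):
        self.requests.append(CostAllocationTagsStatus)
        return {"Errors": []}


def demo():
    """Run the activation against 25 constructed keys plus one that is not listed."""
    keys = [f"team-{i:02d}" for i in range(25)]
    stub = StubCostExplorer(keys)
    result = activate_keys(stub, keys + ["CostCenter"], dry_run=False)
    return result, stub.requests


if __name__ == "__main__":
    result, requests = demo()
    print(result["batches"], "requests with sizes", [len(r) for r in requests])
    print("not listed as inactive:", result["not_listed"])
```
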

For an example of how tag keys appear in your billing report with cost allocation tags, see [Viewing a cost allocation report](configurecostallocreport.md#allocation-viewing).

## About the `awsApplication` tag
<a name="about-the-aws-application-tag"></a>

The `awsApplication` tag will be automatically added to all resources that are associated with applications that are set up in AWS Service Catalog AppRegistry. This tag is automatically activated for you as a cost allocation tag. Use this tag to analyze the cost trends for your application and its resources.

You can deactivate the `awsApplication` tag, but this will affect the cost reporting for the application. If you deactivate the tag, it won’t be automatically activated again. To manually activate the tag, use the Billing console or the [UpdateCostAllocationTagsStatus](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_UpdateCostAllocationTagsStatus.html) API operation.

The `awsApplication` tag doesn’t count towards your cost allocation tag quota. For more information about quotas and restrictions for cost allocation tags, see [Quotas and restrictions](billing-limits.md). For more information about AppRegistry, see the [AWS Service Catalog AppRegistry Administrator Guide](https://docs.aws.amazon.com/servicecatalog/latest/arguide/overview-appreg.html#ar-user-tags).

# Using user attributes for cost allocation
<a name="user-attributes-cost-allocation"></a>

## Overview
<a name="user-attributes-overview"></a>

AWS supports cost allocation based on user attributes for Amazon Q Business, Amazon Q Developer, and Amazon QuickSight. This feature enables organizations to automatically track and allocate costs according to their internal organizational structure using existing workforce user attributes such as cost center, division, organization, and department.

## How user-based cost allocation works
<a name="user-based-cost-allocation-works"></a>

Once you enable user attributes for cost allocation, when employees use AWS applications that charge per user, their usage and associated costs are automatically recorded with their organizational attributes. This helps you eliminate the need for manual cost allocation processes and provides accurate visibility into how different teams and departments are driving AWS costs.

## Key benefits
<a name="user-attributes-key-benefits"></a>

Once you enable user attributes for cost allocation, you can map usage to internal organizational structures. You can use user attributes to see which teams, departments, or cost centers are consuming AWS services and at what rate, enabling data-driven decisions about resource allocation, budget planning, and optimization opportunities. This includes subscription-based charges and feature-specific overage charges, giving organizations a complete picture of their AWS application cost and usage. It works with existing AWS Cost Management tools like Cost Explorer and Cost and Usage Reports (CUR2.0 and FOCUS), giving you access to this new dimension for cost analysis.

## Prerequisites
<a name="user-attributes-prerequisites"></a>

Before you can use user attributes for cost allocation, ensure you have:
+ **AWS Organizations:** A management account with consolidated billing
+ **IAM Identity Center:** Configured and managing workforce access to AWS applications
+ **Identity Provider (IdP) Integration:** Connection to Microsoft Entra ID, Okta, or another supported IdP
+ **User Attributes:** Cost center, division, organization, or department attributes in your identity system
+ **Permissions:** Access to IAM Identity Center and Billing and Cost Management consoles

## Setting up user attributes for cost allocation
<a name="setting-up-user-attributes"></a>

### Step 1: Import user attributes in IAM Identity Center
<a name="step1-import-user-attributes"></a>

1. Import these attributes during the next synchronization with your Identity Provider. Attributes will be imported for both new and existing users. The import process typically completes within 24 hours. For more information about mapping user attributes, see [Attribute mapping between IAM Identity Center and External Identity Providers directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html) and [Enable automatic provisioning](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html).

**Note**  
By enabling User-Based Cost Allocation, user attributes stored in AWS IAM Identity Center will be included as user attribute cost allocation tags in AWS cost management products such as Cost and Usage Report 2.0 and Cost Explorer. Such tags do not constitute your content, and we recommend you do not include sensitive, confidential, or personally identifiable information in them.

### Step 2: Select user attributes for cost allocation
<a name="step2-select-user-attributes"></a>

1. Open the AWS Management Console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the left panel, under Preferences and Settings, select **Cost Management Preferences**.

1. In the Cost Management Preferences page, locate the **User attributes for cost allocation** section.

1. Select up to four attributes from the available options: Cost center, Division, Organization, and Department.

1. Choose **Save changes**. These attributes are automatically activated as Cost Allocation Tags.

### Step 3: Verify Setup
<a name="step3-verify-setup"></a>

1. Return to IAM Identity Center Settings and verify that selected attributes show as "Imported". Confirm attribute data is populated for your users.

1. In the Billing and Cost Management console, under Cost Organization, select Cost Allocation Tags. Verify tags show as "Active".

## Viewing user attributes in cost and usage reports
<a name="viewing-user-attributes-in-cur-userattribtute"></a>

After completing the setup, user attributes will appear in your Cost and Usage Report 2.0 (CUR 2.0) alongside other cost allocation tags. When viewing cost data in CUR 2.0, tags from different sources (resources, user attributes, accounts, and cost categories) are distinguished by prefixes to prevent conflicts when the same tag key is used across multiple contexts. For detailed information about how tag prefixes work and examples of overlapping tag keys, see the [CUR 2.0 Tags Column documentation](https://docs.aws.amazon.com/cur/latest/userguide/table-dictionary-cur2-tag-columns.html).

# Using account tags for cost allocation
<a name="account-tags-cost-allocation"></a>

## Overview
<a name="account-tags-overview"></a>

AWS supports cost allocation based on account tags from AWS Organizations. This feature enables organizations to automatically track and allocate costs according to their internal organizational structure using account-level tags such as business unit, cost center, project, and environment. Account tags operate at the account level and automatically apply to all metered usage within tagged accounts. Once activated for cost allocation, these tags provide organization-wide cost visibility and work alongside resource-level tags for comprehensive cost allocation strategies.

## How account-based cost allocation works
<a name="account-tags-cost-allocation-works"></a>

When you apply tags to AWS accounts in your organization, those tags are automatically recorded with usage and associated costs from that account. All resources and usage within tagged accounts inherit the account-level tags, mitigating manual cost allocation processes at the account level.

## Key benefits
<a name="account-tags-key-benefits"></a>

Account tags for cost allocation map usage to internal organizational structures at the account level. You can see which business units, projects, or environments are consuming AWS services and the associated costs, enabling data-driven decisions about resource allocation, budget planning, and optimization opportunities. Account tags enable cost allocation for untaggable resources and costs within an account, including refunds, credits and certain service charges that cannot be tagged at the resource level. Account tags ensure these costs are properly allocated to your organizational structure, improving cost allocation coverage in your cost reports. Account tags integrate with existing AWS Cost Management tools like Cost Explorer and Cost and Usage Reports (CUR2.0 and FOCUS), giving you access to this new dimension for cost analysis. Once activated, account tags also work across AWS Cost Management products including AWS Budgets, Cost Categories, and Cost Anomaly Detection—similar to how resource tags function—enabling consistent cost tracking and analysis throughout your cost management workflows.

## Prerequisites
<a name="account-tags-prerequisites"></a>

Before you can use account tags for cost allocation, ensure you have:
+ **AWS Organizations:** A management account with consolidated billing
+ **Account Tags:** Tags applied to accounts in AWS Organizations
+ **Permissions:** Access to AWS Organizations and Billing and Cost Management consoles

## Setting up account tags for cost allocation
<a name="setting-up-account-tags"></a>

### Step 1: Apply account tags in AWS Organizations
<a name="step1-import-account-tags"></a>
**Note**  
As a best practice, do not use the "accountTag" keyword in your tag keys, as this prefix is automatically added by AWS for account tags in cost allocation reports.

1. Navigate to the AWS Organizations console.

1. Select the accounts you want to tag.

1. Apply tags that represent your organizational structure (for example, business unit, cost center, project, environment).

### Step 2: Activate account tags for cost allocation and verify setup
<a name="step2-select-account-tags"></a>

1. Open the Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the left navigation pane, under Cost Organization, select **Cost Allocation Tags**.

1. Filter for **Account Tags**.

1. Search for and select the account tags that you want to activate.

1. Choose **Activate**.

1. Verify tags show as "Active".

1. It can take up to 24 hours for tag activation status to change to "Active".

## Viewing account tags in cost and usage reports
<a name="viewing-user-attributes-in-cur-accounttags"></a>

 After completing the setup, account tags will appear in your Cost and Usage Report 2.0 (CUR 2.0) alongside other cost allocation tags. When viewing cost data in CUR 2.0, tags from different sources (resources, user attributes, accounts, and cost categories) are distinguished by prefixes to prevent conflicts when the same tag key is used across multiple contexts. For detailed information about how tag prefixes work and examples of overlapping tag keys, see the [CUR 2.0 Tags Column documentation](https://docs.aws.amazon.com/cur/latest/userguide/table-dictionary-cur2-tag-columns.html). 

# Using IAM principal for cost allocation
<a name="iam-principal-cost-allocation"></a>

## Overview
<a name="iam-principal-cost-allocation-overview"></a>

AWS supports cost allocation for Amazon Bedrock based on IAM principal identity and tags, enabling organizations to track usage and costs by caller identity across applications and organizational structures. This feature integrates with AWS Cost and Usage Reports (CUR 2.0) and AWS Cost Management tools to provide visibility into generative AI spending.

## How IAM principal based cost allocation works
<a name="iam-principal-cost-allocation-how-it-works"></a>

When you enable IAM principal data in CUR 2.0, AWS automatically records the caller identity (IAM principal ARN) for each Bedrock API call in the `line_item_iam_principal` column. When you additionally apply tags to IAM principals (users or roles), those tags are automatically captured with associated costs and token usage. This eliminates manual reconciliation processes that required combining CloudWatch and CloudTrail logs with billing data.

## Key benefits
<a name="iam-principal-cost-allocation-benefits"></a>

This capability transforms how organizations manage their generative AI costs. Once enabled, you gain immediate visibility into which users and roles are invoking Bedrock models through automatic caller identity tracking. When you layer on IAM principal tags, you can map this usage and costs to your organizational structures, teams, projects, and applications.

This visibility enables effective cost allocation across your organization, supports informed AI resource planning decisions, and reveals optimization opportunities to reduce spending. The feature integrates seamlessly with your existing AWS Cost Management workflows through Cost Explorer and AWS Cost and Usage Reports (CUR 2.0), requiring no additional tools or processes.

Organizations can implement accurate chargeback and showback costs, ensuring accountability for AI spending.

## Prerequisites
<a name="iam-principal-cost-allocation-prereqs"></a>

Before you can use IAM principal tags for cost allocation, ensure you have:
+ **IAM identities:** IAM users or roles that make Amazon Bedrock API calls
+ **IAM principal tags:** Tags applied to IAM users or roles in the IAM console
+ **Permissions:** Access to IAM and Billing and AWS Cost Management consoles

## Setting up IAM principal tags for cost allocation
<a name="iam-principal-cost-allocation-setup"></a>

### Step 1: Apply IAM principal tags in the IAM console
<a name="iam-principal-cost-allocation-step1"></a>

1. Navigate to the IAM console.

1. Select the IAM users or roles that access Amazon Bedrock.

1. Apply tags that represent your organizational structure (for example, `department`, `cost-center`, `team`, `project`, `environment`).

**Note**  
For Amazon Bedrock, tags only appear for activation after the IAM principal with the tags has made at least one API call. This applies whether the principal is an IAM user, role, or assumed role session.

### Step 2: Activate IAM principal tags for cost allocation and verify setup
<a name="iam-principal-cost-allocation-step2"></a>

1. Open the Billing and AWS Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the left navigation pane, under **Cost Organization**, choose **Cost Allocation Tags**.

1. Filter for IAM principal type tags.

1. Search for and select the IAM principal tags that you want to activate.

1. Choose **Activate**.

1. Verify that these tags show as **Active**.

**Note**  
After you apply tags to your IAM principals, it can take up to 24 hours for the tag keys to appear on your cost allocation tags page for activation. It can then take up to 24 hours for tag keys to activate.

### Step 3: Enable IAM principal data in CUR 2.0
<a name="iam-principal-cost-allocation-step3"></a>

1. Navigate to the Billing and AWS Cost Management console.

1. Go to the **Data Exports** section.

1. When creating a new data export, select **Standard data export** (CUR 2.0).

1. Under **Additional export content**, select **Include caller identity (IAM principal) allocation data**.

1. Save the configuration.

This enables the `line_item_iam_principal` column and associated IAM principal tags in your CUR 2.0 export.

**Note**  
Enabling IAM principal data will increase the number of CUR rows by a factor of the number of calling identities accessing each model, resulting in larger file sizes compared to typical CUR exports.

## Viewing IAM principal tags in AWS Cost and Usage Reports
<a name="iam-principal-cost-allocation-cur"></a>

After completing the setup, IAM principal tags appear in your CUR 2.0 alongside other cost allocation tags. When viewing cost data in CUR 2.0, tags from different sources (resources, user attributes, accounts, IAM principals, and cost categories) are distinguished by prefixes to prevent conflicts when the same tag key is used across multiple contexts. For detailed information about how tag prefixes work and examples of overlapping tag keys, see the [CUR 2.0 Tags Column documentation](https://docs.aws.amazon.com/cur/latest/userguide/table-dictionary-cur2-tag-columns.html).

### New CUR 2.0 column
<a name="iam-principal-cost-allocation-cur-column"></a>

The `line_item_iam_principal` column contains the AWS IAM ARN of the principal making Bedrock requests. Format examples:
+ `arn:aws:iam::123456789012:user/userID_A`
+ `arn:aws:iam::123456789012:role/application-role`
+ `arn:aws:sts::123456789012:assumed-role/application-role/session-name`

### IAM principal tags in the tags column
<a name="iam-principal-cost-allocation-cur-tags"></a>

IAM principal tags appear with the prefix `iamPrincipal/` followed by your tag key. For example:
+ `iamPrincipal/department`
+ `iamPrincipal/cost-center`
+ `iamPrincipal/app`
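The following added example is not part of the AWS documentation. It rolls up constructed CUR 2.0 rows by `iamPrincipal/<key>` tag, collapses assumed-role session ARNs to their role so that session names do not fragment the totals, and lists principals that spent money without the tag. It assumes a CSV export whose `tags` column is serialized as a JSON object and uses `line_item_unblended_cost` as the cost column; the function names are hypothetical.

```python
import csv
import io
import json
import re
from collections import defaultdict
from decimal import Decimal

# Matches the three ARN shapes listed for line_item_iam_principal.
ARN_RE = re.compile(
    r"^arn:aws:(?P<svc>iam|sts)::(?P<account>\d{12}):"
    r"(?P<kind>user|role|assumed-role)/(?P<rest>.+)$"
)

# Constructed sample rows. Assumption: CSV export in which the `tags`
# column holds a JSON object keyed by the prefixed tag key.
SAMPLE_CUR = '''line_item_iam_principal,line_item_unblended_cost,tags
arn:aws:iam::123456789012:user/userID_A,1.25,"{""iamPrincipal/department"": ""research""}"
arn:aws:sts::123456789012:assumed-role/application-role/session-1,2.00,"{""iamPrincipal/department"": ""platform""}"
arn:aws:sts::123456789012:assumed-role/application-role/session-2,0.50,"{""iamPrincipal/department"": ""platform""}"
arn:aws:iam::123456789012:role/batch-role,4.10,{}
'''


def normalize_principal(arn):
    """Return 'account:kind/name', folding assumed-role sessions into the
    role they belong to. Returns None for empty or unrecognized values."""
    m = ARN_RE.match(arn or "")
    if not m:
        return None
    kind, rest = m["kind"], m["rest"]
    # Only STS issues assumed-role ARNs; reject mismatched combinations.
    if (m["svc"] == "sts") != (kind == "assumed-role"):
        return None
    if kind == "assumed-role":
        kind, rest = "role", rest.split("/", 1)[0]  # drop the session name
    return f'{m["account"]}:{kind}/{rest}'


def summarize(cur_csv, tag_key="department"):
    """Aggregate cost per tag value and per principal, and collect the
    principals whose rows carry no iamPrincipal/<tag_key> tag."""
    by_tag = defaultdict(Decimal)
    by_principal = defaultdict(Decimal)
    untagged = set()
    for row in csv.DictReader(io.StringIO(cur_csv)):
        principal = normalize_principal(row["line_item_iam_principal"])
        if principal is None:
            continue  # line item with no usable caller identity
        cost = Decimal(row["line_item_unblended_cost"])
        tags = json.loads(row["tags"] or "{}")
        value = tags.get(f"iamPrincipal/{tag_key}")
        by_principal[principal] += cost
        if value is None:
            untagged.add(principal)
            value = "(untagged)"
        by_tag[value] += cost
    return dict(by_tag), dict(by_principal), sorted(untagged)
```

Principals returned in the untagged list are the ones to tag in IAM and then activate; their spend stays unattributed in tag-grouped views until then.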

## Using IAM principal tags in Cost Explorer
<a name="iam-principal-cost-allocation-ce"></a>

### Grouping by IAM principal tags
<a name="iam-principal-cost-allocation-ce-group"></a>

Create custom cost views by grouping:

1. In Cost Explorer, select the **Group by** dropdown.

1. Choose **Tag** as the grouping dimension.

1. Select your activated IAM principal tag (for example, `iamPrincipal/department`).

1. View aggregated costs by tag value.

### Filtering by IAM principal tags
<a name="iam-principal-cost-allocation-ce-filter"></a>

1. Open Cost Explorer in the Billing and AWS Cost Management console.

1. Add filters for activated IAM principal tags in the **Tag** dropdown.

1. View costs broken down by these IAM principal tags.

## Best practices
<a name="iam-principal-cost-allocation-best-practices"></a>
+ **Use meaningful tag keys:** Choose tags that align with your organizational structure (`department`, `cost-center`, `team`, `project`).
+ **Avoid high-cardinality tags:** Do not use unique session IDs, timestamps, or random GUIDs as tag values.
+ **Standardize tag naming:** Establish consistent tag key naming conventions across your organization.
+ **Review tag usage regularly:** Monitor which tags are being used for cost allocation and deactivate unused tags.
+ **Plan for CUR file size growth:** Account for increased Amazon S3 storage costs when enabling IAM principal data.

# Backfill cost allocation tags
<a name="cost-allocation-backfill"></a>

Management account users can request a backfill of cost allocation tags for up to twelve months. When you request a backfill, the current **activation status** of the tags is backfilled for the duration of your choice.

For example, the `Project` tag was associated with an AWS resource in June 2023 and activated in November 2023. In December 2023, you request to backfill the tag from January 2023. As a result, the `Project` tag is retroactively activated for the prior months from January to December 2023. The tag values associated with the `Project` tag will be available with the cost data from June 2023 to December 2023. However, January 2023 to May 2023 will not have tag values associated because the `Project` tag was not present on the AWS resource.

Backfill can also be used to deactivate tags for alignment. For example, a `Team` tag was active in prior months, but currently is set to `inactive` status. Backfilling will result in the `Team` tag being deactivated and removed from the cost data for previous months.

**Note**

+ The resource tag must be historically assigned to the AWS resource for the backfilled cost data to be available.
+ You can't submit a new backfill request when there is a backfill in progress.
+ You can only submit a new backfill request once every 24 hours.

**To request a cost allocation tag backfill**

1. Sign in to the AWS Management Console and open the AWS Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost allocation tags**.

1. At the top right of the page, choose **Backfill tags**.

1. In the **Backfill tags** dialog box, choose the month you want the backfill to start from.

1. Choose **Confirm**.

## Updating your AWS Cost Management services with backfill
<a name="cost-allocation-backfill-ce"></a>

Backfill will update your Cost Explorer, Data Exports, and AWS Cost and Usage Report automatically. Because these services refresh your data once every 24 hours, your backfill won't update as soon as it succeeds. For more information, see the following resources in their corresponding guides:
+ [Analyzing your costs with Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html) in the *AWS Cost Management User Guide*
+ [What is Data Exports?](https://docs.aws.amazon.com/cur/latest/userguide/what-is-data-exports.html) in the *AWS Data Exports user guide*

# Using the monthly cost allocation report
<a name="configurecostallocreport"></a>

The monthly cost allocation report lists the AWS usage for your account by product category and linked account user. This report contains the same line items as the detailed [AWS Cost and Usage Report](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html) and additional columns for your tag keys. We recommend that you use AWS Cost and Usage Report instead. 

For more information about the monthly allocation report, see the following topics.

**Topics**
+ [Setting up a monthly cost allocation report](#allocation-report)
+ [Getting an hourly cost allocation report](#allocation-get)
+ [Viewing a cost allocation report](#allocation-viewing)

## Setting up a monthly cost allocation report
<a name="allocation-report"></a>

By default, new tag keys that you add using the API or the AWS Management Console are automatically excluded from the cost allocation report. You can add them using the procedures described in this topic.

When you select tag keys to include in your cost allocation report, each key becomes an additional column that lists the value for each corresponding line item. Because you might use tags for more than just your cost allocation report (for example, tags for security or operational reasons), you can include or exclude individual tag keys for the report. This ensures that you're seeing meaningful billing information that helps organize your costs. A small number of consistent tag keys makes it easier to track your costs. For more information, see [Viewing a cost allocation report](#allocation-viewing).

**Note**  
AWS stores billing reports in an Amazon S3 bucket that you create and own. You can retrieve these reports from the bucket using the Amazon S3 API, AWS Management Console for Amazon S3, or the AWS Command Line Interface. You can't download the cost allocation report from the [Account Activity](https://console.aws.amazon.com/billing/home#/bill) page of the Billing and Cost Management console. 

**To set up the cost allocation report and activate tags**

1. Sign in to the AWS Management Console and open the AWS Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. Under **Detailed billing reports (legacy)**, choose **Edit**, and then select **Legacy report delivery to S3**.

1. Choose **Configure an S3 bucket to activate** to specify where your reports are delivered.

1. In the **Configure S3 Bucket** dialog box, choose one of the following options:
   + To use an existing S3 bucket, choose **Use an existing S3 bucket**, and then select the S3 bucket.
   + To create a new S3 bucket, choose **Create a new S3 bucket**, and then for **S3 bucket name**, enter the name, and then choose the **Region**.

1. Choose **Next**.

1. Verify the default IAM policy and then select **I have confirmed that this policy is correct**.

1. Choose **Save**.

1. In the **Report** list, select the check box for **Cost allocation report**, and then choose **Activate**.

1. Choose **Manage Report Tags**.

   The page displays a list of tags that you've created using either the API or the console for the applicable AWS service. Tag keys that currently appear in the report are selected. Tag keys that are excluded aren't selected.

1. You can filter tags that are **Inactive** in the dropdown list, and then select the tags that you want to activate for your report.

1. Choose **Activate**.

If you own the management account in an organization, your cost allocation report includes all the usage, costs, and tags for the member accounts. By default, all keys registered by member accounts are available for you to include or exclude from your report. The detailed billing report with resources and tags also includes any cost allocation tag keys that you select using the preceding steps. 

## Getting an hourly cost allocation report
<a name="allocation-get"></a>

The cost allocation report is one of several reports that AWS publishes to an Amazon S3 bucket several times a day. 

**Note**  
During the current billing period (monthly), AWS generates an estimated cost allocation report. The current month's file is overwritten throughout the billing period until a final report is generated at the end of the billing period. Then a new file is created for the next billing period. The reports for the previous months remain in the designated Amazon S3 bucket.

## Viewing a cost allocation report
<a name="allocation-viewing"></a>

The following example tracks the charges for several cost centers and applications. Resources (such as Amazon EC2 instances and Amazon S3 buckets) are assigned tags like "Cost Center"="78925" and "Application"="Widget1". In the cost allocation report, the user-defined tag keys have the prefix `user`, such as `user:Cost Center` and `user:Application`. AWS-generated tag keys have the prefix `aws`. The keys are column headings identifying each tagged line item's value, such as "78925".

![\[Keys in the Downloadable Report\]](http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/images/CostAllocationPartExampleReport.png)


Pick your keys carefully so that you have a consistent hierarchy of values. Otherwise, your report won't group costs effectively, and you will have many line items.

**Note**  
If you add or change the tags on a resource partway through a billing period, costs are split into two separate lines in your cost allocation report. The first line shows costs before the update, and the second line shows costs after the update.

### Unallocated resources in your report
<a name="allocation-untagged"></a>

Any charges that cannot be grouped by tags in your cost allocation report default to the standard billing aggregation (organized by Account/Product/Line Item) and are included in your report. Situations where you can have unallocated costs include:
+ You signed up for a cost allocation report mid-month.
+ Some resources aren't tagged for part, or all, of the billing period.
+ You are using services that currently don't support tagging.
+ Subscription-based charges, such as AWS Support and AWS Marketplace monthly fees, can't be allocated.
+ One-time fees, such as Amazon EC2 Reserved Instance upfront charges, can't be allocated.

### Unexpected costs associated with tagged resources
<a name="cost-alloc-tag-costs"></a>

You can use cost allocation tags to see what resources are contributing to your usage and costs, but deleting or deactivating the resources doesn't always reduce your costs. For more information on reducing unexpected costs, see [Understanding unexpected charges](checklistforunwantedcharges.md).

# Understanding dates for cost allocation tags
<a name="cost-allocation-tags-timeline"></a>

**Prerequisites**  
To view these dates in the **Cost allocation tags** page of the AWS Billing and Cost Management console, you must have the `ce:ListCostAllocationTags` permission.   
For more information about updating your AWS Identity and Access Management (IAM) policies, see [Managing access permissions](migrate-granularaccess-whatis.md#migrate-control-access-billing).

When you use cost allocation tags, you can determine when the tags were last used or last updated with the following metadata fields:
+ **Last updated date** – The last date that the tag key was either activated or deactivated for cost allocation.

  For example, suppose that your tag key `lambda:createdby` changed from inactive to active on July 1, 2023. This means that the **Last updated date** column will show July 1, 2023.
+ **Last used month** – The last month that the tag key was used on an AWS resource.

  For example, suppose that your tag key `lambda:createdby` was last used in April 2023. The **Last used month** column will show April 2023. This means that the tag key hasn't been associated with any resource since that date.

**Notes**

+ The **Last updated date** column appears empty for newly created tag keys that haven't been activated.
+ The **Last used month** column shows **-** for tag keys that aren't currently associated with any resource.