# Tagging resources in HealthOmics
**Topics**
+ [
## Important notice
](#important-notice-tagging)
+ [
## Tagging HealthOmics resources
](#tagging-using-Omics)
+ [
## Sequence store read set tags
](#sequence-store-read-tags)
+ [
# Adding a tag to a HealthOmics resource
](add-a-tag.md)
+ [
# Listing tags for a resource
](list-tags.md)
+ [
# Removing tags from a data store
](remove-tags.md)
## Important notice
HealthOmics protects customer data under the AWS Shared Responsibility Model policies. This means that all customer data is encrypted both in transition and at-rest. However, not all customer-inputed names for resources such as data stores or job-based operations are encrypted. They should never contain Personally Identifiable Information or Protected Health Information. For more information, see [Security in AWS HealthOmics](security.md).
## Tagging HealthOmics resources
You can assign metadata to your AWS resources using *tags*. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.
This topic describes commonly used tagging categories and strategies to help you implement a consistent and effective tagging strategy. The following sections assume basic knowledge of AWS resources, tagging, detailed billing, and AWS Identity and Access Management.
Each tag has two parts:
+ A *tag key* (for example, CostCenter, Environment, or Project). Tag keys are case sensitive.
+ A *tag value* (for example, 111122223333 or Production). Like tag keys, tag values are case sensitive.
You can use tags to categorize resources by purpose, owner, environment, or other criteria. For more information, see [AWS Tagging Strategies](https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf).
You can add, change, or remove tags for a resource from the resource’s service console, service API, or the AWS CLI.
To enable tagging, make sure TagResources is authorized. You can authorize TagResources by attaching an IAM policy like the following example.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "omics:Create*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "omics:Start*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "omics:Tag*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "omics:Untag*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "omics:List*",
"Resource": "*"
}
]
}
```
------
### Best practices
As you create a tagging strategy for AWS resources, follow best practices:
+ Do not store Personally Identifiable Information (PII), Protected Health Information(PHI) or other sensitive information in tags.
+ Use a standardized, case-sensitive format for tags, and apply it consistently across all resource types.
+ Consider tag guidelines that support multiple purposes, like managing resource access control, cost tracking, automation, and organization.
+ Use automated tools to help manage resource tags. [AWS Resource Groups](https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html) and the [Resource Groups Tagging API](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/overview.html) enable programmatic control of tags, making it possible to automatically manage, search, and filter tags and resources.
+ Tagging is more effective when you use more tags.
+ Tags can be edited or modified as user needs change. However to update access control tags, you must also update the policies that reference those tags to control access to your resources.
### Tagging requirements
Tags have the following requirements:
+ Keys can't be prefixed with aws:.
+ Keys must be unique per tag set.
+ A key must be between 1 and 128 allowed characters.
+ A value must be between 0 and 256 allowed characters.
+ Values don't need to be unique per tag set.
+ Allowed characters for keys and values are Unicode letters, digits, white space, and any of the following symbols: \$1 . : / = \$1 - @.
+ Keys and values are case sensitive.
## Sequence store read set tags
For sequence stores, tags created on the read set sit at the read set resource level. Read sets also contain objects under them that can be accessed, searched, and restricted using S3 APIs. By default, the sample ID (omics:sampleId) and subject ID (omics:subjectId) are added to the object.
Additionally, up to five tags can be synchronized between the read set and the objects under it. The configuration for which tags to sync is a store level configuration set during store creation or update using the `propogatedSetLevelTags` parameter.
If there is data already in the store, updating the keys may take time. During this update, HealthOmics changes the store status to **Updating**. On completion, HealthOmics sets the store status to **Active**. While the tags are propagating, permissions relying on the tags may not be enforced. Permissions will be enforced after the tag propagation is completed.
When tags are set or updated on the read set, the system decides whether to update the objects for that read set, based on the store configuration.
# Adding a tag to a HealthOmics resource
Adding tags to a resource can help you identify and organize your AWS resources and manage access to them. First, you add one or more tags (key-value pairs) to a resource. You can use up to 50 tags per resource. There are also restrictions on the characters that you can use in the key and value fields.
After you add tags, you can create IAM policies to manage access to the AWS resource based on these tags. You can use the HealthOmics console or the AWS CLI to add tags to a resource. Adding tags to a repository can impact access to that repository. Before you add a tag to a data store, review any IAM policies that might use tags to control access to resources such as data stores.
Service tags are autogenerated for both a subject and a sample id for sequence stores.
Follow these steps to use the AWS CLI to add a tag to an HealthOmics resource. For example, to add tags to a sequence store while it's being created, you would use the following command in the AWS CLI. The name of the sequence store is MySequenceStore, and the two added tags with keys are key1 and key2 with values as value1 and value2 respectively
:
```
aws omics create-sequence-store --name "MySequenceStore" --tags key1=value1,key2=value2
```
The output does not list the tags. It returns the following response.
```
{
"id": "6860403586",
"referenceStoreId": "4889894479",
"roleArn": "arn:aws:iam::555555555555:role/ImportTest",
"status": "CREATED",
"creationTime": "2022-07-21T01:19:07.194Z"
}
```
To add tags to an existing resource, you would run the following example command.
```
aws omics tag-resource --resource-arn arn:aws:omics:us-west-2:555555555555:sequenceStore/2275234794 --tags key1=value1,key2=value2
```
If successful, this command returns no response.
# Listing tags for a resource
Follow these steps to use the AWS CLI to view a list of the AWS tags for an HealthOmics resource. If no tags have been added, the returned list is empty.
At the terminal or command line, run the list-tags-for-resource command as shown in the following example.
```
aws omics list-tags-for-resource --resource-arn arn:aws:omics:us-west-2:555555555555:sequenceStore/2275234794
```
You will receive a list of tags in response, in JSON format.
```
{
"tags": {
"key1": "value1",
"key2": "value2"
}
}
```
# Removing tags from a data store
You can remove one or more tags associated with a resource. Removing a tag does not delete the tag from other AWS resources that are associated with that tag.
At the terminal or command line, run the untag-resource command, specifying the Amazon Resource Name (ARN) of the resource where you want to remove tags and the tag key of the tag you want to remove.
```
aws omics untag-resource --resource-arn arn:aws:omics:us-west-2:555555555555:sequenceStore/2275234794 --tag-keys key1,key2
```
If successful, this command does not return a response. To verify the tags associated with the resource, run the list-tags-for-resource command.