

# Managing Service Quotas resources with tags

You can use tags to categorize resources by purpose, owner, environment, or other criteria. A *tag* is a custom attribute label that you add to an AWS resource to make it easier to identify, organize, and search for resources. Each tag includes two parts: 
+ A **tag key**, such as `CostCenter`, `Environment`, or `Project`. Tag keys are case sensitive.
+ A **tag value**, such as `111122223333` or `Production`. You can set the value of a tag to an empty string, but you can't set the value of a tag to null. Omitting the tag value is the same as using an empty string. Like tag keys, tag values are case sensitive.

Tags help you do the following:
+ Identify and organize your AWS resources. Many services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related.
+ Track your AWS costs. You activate these tags on the AWS Billing and Cost Management dashboard. AWS uses the tags to categorize your costs and deliver a monthly cost allocation report to you. For more information, see [Use cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the [AWS Billing User Guide](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ Control access to your AWS resources. For more information, see [Controlling access using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *[IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)*.

**Topics**
+ [Service Quotas resources that support tagging](#sq-supported-resources)
+ [Tag restrictions](#sq-tagging-restrictions)
+ [Enabling the required permissions for tagging Service Quotas resources](sq_tags_permissions.md)
+ [Managing Service Quotas tags](sq_tags_managing-console.md)
+ [Controlling access using Service Quotas tags](sq_tags_access.md)

## Service Quotas resources that support tagging

Service Quotas supports tagging the **Applied quotas** resource. An applied quota is a quota that you requested an increase for, *and* the increase was approved by Support.

**Important**  
You can only tag quotas if they have an applied quota value. Quotas with default quota values cannot be tagged.  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are not intended to be used for private or sensitive data.

## Tag restrictions

Restrictions apply to tags on Service Quotas resources, including:
+ Maximum number of tags that you can assign to a resource – 50 
+ Maximum tag key length – 128 Unicode characters 
+ Maximum tag value length – 256 Unicode characters 
+ Valid characters for tag key and value – a-z, A-Z, 0-9, space, and the following characters: _ . : / = + - and @
+ Tag keys and values are case sensitive.
+ Don't use `aws:` as a prefix for tag keys. It is reserved for AWS use.
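
The restrictions above can be checked locally before a tagging call is made. The following is an added example, not code from the AWS documentation; the function names are hypothetical, and it assumes that an empty key is invalid and that the reserved `aws:` prefix is rejected in any letter case.

```python
import re

MAX_TAGS, MAX_KEY_LEN, MAX_VALUE_LEN = 50, 128, 256
# a-z, A-Z, 0-9, space, and the characters _ . : / = + - @
ALLOWED = re.compile(r"[A-Za-z0-9 _.:/=+\-@]*")


def validate_tags(tags):
    """Return a list of problems for a {key: value} dict; an empty list means valid."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the maximum of {MAX_TAGS}")
    for key, value in tags.items():
        if not 1 <= len(key) <= MAX_KEY_LEN:
            problems.append(f"key length {len(key)} is outside 1-{MAX_KEY_LEN}")
        if not ALLOWED.fullmatch(key):
            problems.append(f"key {key!r} has a character outside the allowed set")
        # Assumption: the reserved prefix is rejected in any letter case.
        if key.lower().startswith("aws:"):
            problems.append(f"key {key!r} uses the reserved aws: prefix")
        if value is None:
            problems.append(f"value of {key!r} is null; use an empty string")
        elif len(value) > MAX_VALUE_LEN:
            problems.append(f"value of {key!r} is longer than {MAX_VALUE_LEN}")
        elif not ALLOWED.fullmatch(value):
            problems.append(f"value of {key!r} has a character outside the allowed set")
    return problems


def case_collisions(tags):
    """Group keys that differ only by case: they are distinct tags, which is easy
    to get wrong when a policy condition names one spelling."""
    groups = {}
    for key in tags:
        groups.setdefault(key.lower(), []).append(key)
    return [sorted(keys) for keys in groups.values() if len(keys) > 1]


def to_api_tags(tags):
    """Build the [{"Key": ..., "Value": ...}] list that TagResource expects."""
    problems = validate_tags(tags)
    if problems:
        raise ValueError("; ".join(problems))
    return [{"Key": k, "Value": v} for k, v in tags.items()]


if __name__ == "__main__":
    # Constructed sample input.
    sample = {"Owner": "admin", "owner": "ops", "aws:team": "x", "Cost#Center": None}
    print(validate_tags(sample), case_collisions(sample))
```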

# Enabling the required permissions for tagging Service Quotas resources

You must configure permissions to allow your users or roles to manage tags in Service Quotas. The permissions that are required to administer tags generally correspond to the API operations for the task.

To allow IAM principals, such as roles or users, to use Service Quotas for tagging operations, attach the [`ServiceQuotasReadOnlyAccess` AWS managed policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess$jsonEditor) to the principals.


| Task | Required permission | 
| --- | --- | 
|  Add tags to applied quotas  |  `servicequotas:ListTagsForResource`, `servicequotas:TagResource`  | 
|  View tags for an applied quota  |  `servicequotas:ListTagsForResource`  | 
|  Remove existing tags from an applied quota  |  `servicequotas:UntagResource`  | 
|  Edit existing tag values for applied quotas  |  `servicequotas:ListTagsForResource`, `servicequotas:TagResource`, `servicequotas:UntagResource`  | 

# Managing Service Quotas tags

You can manage Service Quotas tags by using the AWS Management Console, the AWS CLI, or the AWS API.

## Managing tags from the AWS Management Console

1. Sign in to the AWS Management Console and open the Service Quotas console at [https://console.aws.amazon.com/servicequotas/home](https://console.aws.amazon.com/servicequotas/home).

1. In the navigation pane, choose **AWS services**.

1. Choose an AWS service from the list, or enter the name of the service in the search box.

1. Choose a service that has a value in the **Applied quota value** column.

1. In the **Tags** section, choose **Manage tags**. This option is not available for quotas that don't have an applied quota value.

1. You can add or remove tags, or you can edit tag values for existing tags. Enter a name for the tag in **Key**. You can add an optional value for the tag in **Value**.

1. After making all of your changes to tags, choose **Save changes**.

If the operation is successful, you return to the quota details page where you can verify your changes. If the operation fails, follow the instructions in the error message to resolve it.

## Managing Service Quotas tags using the AWS CLI or API

To manage Service Quotas tags using the CLI or API, choose a management task and use the corresponding CLI command or API call. 


| Tag management task | CLI command | API call | 
| --- | --- | --- | 
|  Add tags to applied quotas  |  [`aws service-quotas tag-resource`](https://docs.aws.amazon.com/cli/latest/reference/service-quotas/tag-resource.html)  |  [`TagResource`](https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_TagResource.html)  | 
|  View tags for an applied quota  |  [`aws service-quotas list-tags-for-resource`](https://docs.aws.amazon.com/cli/latest/reference/service-quotas/list-tags-for-resource.html)  |  [`ListTagsForResource`](https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_ListTagsForResource.html)  | 
|  Delete existing tag values for applied quotas  |  [`aws service-quotas untag-resource`](https://docs.aws.amazon.com/cli/latest/reference/service-quotas/untag-resource.html)  |  [`UntagResource`](https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_UntagResource.html)  | 

# Controlling access using Service Quotas tags

To control access to Service Quotas resources based on tags, you provide the tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. For more information about these condition keys, see [Controlling access to AWS resources using resource tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

For example, when you attach the following policy to an AWS Identity and Access Management (IAM) role or user, that principal can request an increase to Amazon Athena applied quotas that are tagged with the tag key **Owner** and tag value **admin**.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["servicequotas:RequestServiceQuotaIncrease"],
            "Resource": "arn:aws:servicequotas:*:*:athena/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/Owner": "admin"}
            }
        }
    ]
}
```


You can also attach tags to IAM principals to use attribute-based access control (ABAC). ABAC is an authorization strategy that defines permissions based on attributes. Tagging entities and resources is the first step of ABAC. Then you design ABAC policies to allow operations when the principal's tag matches the tag on the resource that they're trying to access. ABAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome.

For more information about ABAC, see [What is ABAC?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [IAM tutorial: Define permissions to access AWS resources based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
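
A tag condition such as the `Owner` policy above, or an ABAC policy that matches principal and resource tags, only restricts access if the same principal cannot rewrite the tags it is evaluated against. The following added example (not part of the AWS documentation) is a heuristic check over a single policy document for that gap. The function names and both sample policies are constructed for illustration, and the hardened variant assumes that the `aws:ResourceTag` and `aws:TagKeys` condition keys are honored for the Service Quotas tagging actions.

```python
from fnmatch import fnmatchcase

TAG_WRITES = ("servicequotas:tagresource", "servicequotas:untagresource")
GUARDS = ("aws:resourcetag/", "aws:requesttag/", "aws:tagkeys")
ARN = "arn:aws:servicequotas:*:*:athena/*"  # resource pattern from the page's policy


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_keys(stmt):
    """Condition key names used by a statement, as written in the policy."""
    return [key for operator in stmt.get("Condition", {}).values() for key in operator]


def audit(policy):
    """Flag Allow statements that permit tag changes with no tag condition when the
    policy also gates access on aws:ResourceTag. Deny statements are not considered."""
    allows = [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    gated = sorted({k.split("/", 1)[1] for s in allows for k in condition_keys(s)
                    if k.lower().startswith("aws:resourcetag/")})
    findings = []
    for stmt in allows:
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        writes = [w for w in TAG_WRITES if any(fnmatchcase(w, p) for p in patterns)]
        guarded = any(k.lower().startswith(GUARDS) for k in condition_keys(stmt))
        if gated and writes and not guarded:
            findings.append({"actions": writes, "gated_tag_keys": gated})
    return findings


# Constructed: the page's Owner=admin statement plus an unconditioned tagging grant.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["servicequotas:RequestServiceQuotaIncrease"],
     "Resource": ARN, "Condition": {"StringEquals": {"aws:ResourceTag/Owner": "admin"}}},
    {"Effect": "Allow", "Action": "servicequotas:*Tag*", "Resource": ARN},
]}

# Constructed ABAC variant: Owner must match the principal's tag; only Project is editable.
OWNER_MATCH = {"StringEquals": {"aws:ResourceTag/Owner": "${aws:PrincipalTag/Owner}"}}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "servicequotas:RequestServiceQuotaIncrease",
     "Resource": ARN, "Condition": OWNER_MATCH},
    {"Effect": "Allow", "Resource": ARN,
     "Action": ["servicequotas:TagResource", "servicequotas:UntagResource"],
     "Condition": {**OWNER_MATCH,
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}}},
]}
```

`audit(WEAK)` reports the wildcard tagging statement, while `audit(HARDENED)` returns an empty list because its tagging statement carries tag conditions.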