Automating AWS Tag Mapping Using Step Functions & Resource Explorer
By Khushi Carpenter, Piyush Jalan / Jul 09, 2025
Contents
- Overview
- Architecture Summary
- Why AWS Resource Explorer
- Key Capabilities
- Solution
- Benefits
- Future Enhancements
- Conclusion
Overview
In large-scale AWS environments, consistent resource tagging is essential for cost tracking, access control, automation, and compliance. Migrating from legacy tags (e.g., Application=Webapp) to standardized formats (e.g., Application ID=12435) presents operational challenges, especially when resources are distributed across regions and services.
This post outlines a fully serverless automation designed to migrate tags efficiently using:
- AWS Step Functions for orchestration
- AWS Lambda for business logic
- AWS Resource Explorer for discovery
- Resource Groups Tagging API for tag application
- Amazon SNS for failure reporting
Architecture Summary
The automation uses a Step Functions workflow to process a list of tag mappings. Each mapping is handled independently using a Map state. A Lambda function performs the following:
- Searches for resources using AWS Resource Explorer based on an old tag key-value pair.
- Applies the new tag to each resource using the Tagging API.
- Handles pagination through the NextToken mechanism.
- Reports errors via Amazon SNS when tagging fails.
Below is the workflow:
Why AWS Resource Explorer
AWS Resource Explorer provides fast, tag-based discovery of AWS resources across multiple regions and services. It eliminates the need for manual resource enumeration or custom scripts.
Example query:
import boto3
re_client = boto3.client("resource-explorer-2")  # Search runs against the aggregator index
query_str = f"tag:{old_key}={old_value}"
response = re_client.search(QueryString=query_str, MaxResults=200)
Resource Explorer also supports flexible queries using resource attributes. To identify resources whose names contain prd or prod—often indicating a production environment—the following query can be used:
Example query:
query_str = "name:prd OR name:prod"
response = re_client.search(QueryString=query_str, MaxResults=200)
These results can then be processed to apply environment-specific tags like Environment=Production, even if they were not previously tagged.
Key Capabilities
| Feature | Description |
| --- | --- |
| Pagination | Supports large datasets using NextToken |
| Parallel Processing | Processes multiple tag mappings concurrently |
| Region Awareness | Detects resource region from ARN |
| Alerting | Sends SNS notifications on failure |
| Fully Serverless | Requires no persistent infrastructure |
Solution
Each discovered resource is tagged using the Resource Groups Tagging API. The system dynamically determines the appropriate region for each resource:
tagging_client = boto3.client("resourcegroupstaggingapi", region_name=region)  # region parsed from the ARN
tagging_client.tag_resources(
    ResourceARNList=[arn],
    Tags={new_key: new_value},
)
If a resource ARN lacks region information (e.g., global services), a default aggregator region is used.
The following snippet illustrates a Map state that processes each tag mapping in parallel, so several tag mappings are handled in a single execution. Pagination is handled by a looping construct that checks for NextToken.
"ProcessApplicationPairs": {
  "Type": "Map",
  "ItemsPath": "$.ApplicationPairs",
  "Iterator": {
    "StartAt": "TagResources",
    "States": {
      "TagResources": { "Type": "Task", ... },
      "CheckNextToken": {
        "Type": "Choice",
        "Choices": [
          { "Variable": "$.NextToken", "StringMatches": "*", "Next": "TagResources" }
        ],
        "Default": "Done"
      },
      "Done": { "Type": "Succeed" }
    }
  }
}
When tagging failures occur, the system compiles a detailed summary of:
- Successfully tagged resources
- Failed resources with corresponding error messages
- Applied tag values and original tag input
This summary is sent via Amazon SNS:
sns_client.publish(
    TopicArn=sns_topic_arn,
    Subject=f"Tagging Operation Failed: {account_id}",
    Message=summary_message,
)
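The Lambda step that the Architecture Summary and Solution sections describe, end to end (Resource Explorer search with NextToken pagination, region detection from the ARN with an aggregator default, batched calls to the Tagging API, and the SNS failure summary), as an added example written for this page; it is not the post's or the authors' Lambda code. It assumes an event shape of OldKey/OldValue/NewKey/NewValue plus an optional NextToken, a per-region client factory, and at most 20 ARNs per TagResources call; the FakeResourceExplorer, FakeTagging and FakeSns classes and the SAMPLE_ARNS inventory are constructed stand-ins so it runs without AWS credentials. The same search_page helper accepts any Resource Explorer query string, so the name:prd OR name:prod query from the Resource Explorer section can be fed through the same tagging path.

```python
"""Added example (not the post's code): one TagResources iteration, runnable offline against the fakes below."""
from collections import defaultdict
DEFAULT_REGION = "us-east-1"  # assumed aggregator region, used for ARNs with an empty region field
TAG_BATCH_SIZE = 20           # TagResources accepts at most 20 ARNs per call

def region_from_arn(arn):
    """arn:partition:service:region:account:resource -> region, or the default for global ARNs."""
    parts = arn.split(":", 5)
    return (parts[3] if len(parts) == 6 else "") or DEFAULT_REGION

def search_page(re_client, query_str, next_token=None, page_size=200):
    """One Resource Explorer Search call for any query string; returns (arns, next_token)."""
    kwargs = {"QueryString": query_str, "MaxResults": page_size}
    if next_token:  # only send the token when continuing a previous page
        kwargs["NextToken"] = next_token
    resp = re_client.search(**kwargs)
    return [r["Arn"] for r in resp.get("Resources", [])], resp.get("NextToken")

def tag_arns(tagging_client_factory, arns, new_key, new_value):
    """Group by region, tag in batches, and collect per-ARN errors from FailedResourcesMap."""
    by_region = defaultdict(list)
    for arn in arns:
        by_region[region_from_arn(arn)].append(arn)
    tagged, failed = [], {}
    for region, region_arns in by_region.items():
        client = tagging_client_factory(region)
        for i in range(0, len(region_arns), TAG_BATCH_SIZE):
            batch = region_arns[i:i + TAG_BATCH_SIZE]
            failures = client.tag_resources(ResourceARNList=batch, Tags={new_key: new_value}).get("FailedResourcesMap", {})
            for arn in batch:
                if arn in failures:
                    failed[arn] = failures[arn].get("ErrorMessage", failures[arn].get("ErrorCode", "unknown"))
                else:
                    tagged.append(arn)
    return tagged, failed

def build_summary(account_id, event, tagged, failed):
    """Alert body: the mapping applied, then every success and every failure with its error."""
    head = f"Account: {account_id}\nMapping: {event['OldKey']}={event['OldValue']} -> {event['NewKey']}={event['NewValue']}"
    body = [f"  OK   {a}" for a in tagged] + [f"  FAIL {a}: {msg}" for a, msg in failed.items()]
    return "\n".join([head, *body])

def process_mapping_page(event, re_client, tagging_client_factory, sns_client, topic_arn, account_id, page_size=200):
    """One Map-iterator pass: search a page, tag it, alert on failures. NextToken is returned only
    while pages remain, so the Choice state falls through to Done after the last page."""
    query_str = f"tag:{event['OldKey']}={event['OldValue']}"
    arns, next_token = search_page(re_client, query_str, event.get("NextToken"), page_size)
    tagged, failed = tag_arns(tagging_client_factory, arns, event["NewKey"], event["NewValue"])
    result = {k: event[k] for k in ("OldKey", "OldValue", "NewKey", "NewValue")}
    result.update({"Tagged": len(tagged), "Failed": len(failed)})
    if failed:
        sns_client.publish(TopicArn=topic_arn, Subject=f"Tagging Operation Failed: {account_id}",
                           Message=build_summary(account_id, event, tagged, failed))
    if next_token:
        result["NextToken"] = next_token
    return result
# ---- Constructed fakes standing in for the boto3 clients so the example runs offline ----
class FakeResourceExplorer:
    def __init__(self, arns):
        self.arns = arns  # the constructed inventory, served in pages of MaxResults
    def search(self, QueryString, MaxResults, NextToken=None):
        start = int(NextToken) if NextToken else 0
        resp = {"Resources": [{"Arn": a} for a in self.arns[start:start + MaxResults]]}
        if start + MaxResults < len(self.arns):
            resp["NextToken"] = str(start + MaxResults)
        return resp

class FakeTagging:
    """Records calls; ARNs in `deny` come back in FailedResourcesMap like a real access-denied error."""
    def __init__(self, region, deny, calls):
        self.region, self.deny, self.calls = region, deny, calls
    def tag_resources(self, ResourceARNList, Tags):
        self.calls.append((self.region, list(ResourceARNList), dict(Tags)))
        denied = {a: {"StatusCode": 403, "ErrorCode": "AccessDeniedException", "ErrorMessage": "not authorized"}
                  for a in ResourceARNList if a in self.deny}
        return {"FailedResourcesMap": denied}

class FakeSns:
    def __init__(self):
        self.published = []
    def publish(self, **kwargs):
        self.published.append(kwargs)

SAMPLE_ARNS = [  # constructed inventory: two regional resources and one global (empty region field)
    "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc",
    "arn:aws:lambda:us-east-2:123456789012:function:billing",
    "arn:aws:iam::123456789012:role/webapp-role",
]

def run_demo(page_size=2):
    """Drive the loop as the Map iterator would: call again while NextToken comes back."""
    re_client, sns, calls = FakeResourceExplorer(SAMPLE_ARNS), FakeSns(), []
    deny = {SAMPLE_ARNS[1]}  # tagging the Lambda function is made to fail
    event = {"OldKey": "Application", "OldValue": "Webapp", "NewKey": "Application ID", "NewValue": "12435"}
    pages = []
    while True:
        event = process_mapping_page(event, re_client, lambda r: FakeTagging(r, deny, calls), sns,
                                     "arn:aws:sns:us-east-1:123456789012:tag-alerts", "123456789012", page_size)
        pages.append(event)
        if "NextToken" not in event:
            return pages, calls, sns.published
```

Calling run_demo() walks the three-resource inventory in pages of two: the first page tags the EC2 instance, records the denied Lambda function in the summary and publishes one SNS alert, then returns NextToken; the second page tags the IAM role through the default aggregator region and returns without a NextToken, which is what ends the loop. The handler deliberately omits NextToken on the last page instead of returning an empty string, because the StringMatches "*" rule in the Choice state matches an empty string too and would loop again. Since a Choice comparison against a path that is absent from the state input is a runtime error, the elided state definition should pair that rule with an IsPresent check on $.NextToken (an And of {"Variable": "$.NextToken", "IsPresent": true} and the StringMatches rule); that pairing is an assumption about the page's state machine, not something the snippet shows.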
Benefits
- Eliminates manual tagging overhead
- Scales across accounts, services, and regions
- Tracks tagging outcomes for audit and reporting
- Adapts easily to different tagging schemas
- Supports partial success with granular error visibility
Future Enhancements
Potential extensions to the current automation:
- Removal of legacy tags post-migration
- Integration with AWS Config to validate compliance
- Multi-account support using AWS Organizations
- Scheduled enforcement to maintain tag consistency over time
Conclusion
Tag standardization is foundational to effective cloud management. By combining AWS Step Functions, Lambda, and Resource Explorer, this automation offers a scalable and reliable approach for tag migration across complex AWS environments.