Tag Governance

  • Release version: Washingtondc
  • Updated February 1, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Tag Governance

    The ServiceNow® Tag Governance app enables organizations to identify and manage inconsistencies in tagging for on-premises and cloud resources. This helps ensure compliance with organizational tag policies, improving asset visibility and operational efficiency in cloud usage and costs.


    Key Features

    • Tag Management: Tags are key-value pairs assigned to resources, aiding categorization for better cloud management.
    • Discovery Integration: The app works with Discovery and Cloud Discovery features to automatically detect and collect tags from various cloud providers.
    • Policy Compliance: Users can run policies to check for tag counts, presence, and specific key-value pairs, facilitating compliance auditing.
    • Remediation Tools: Offers capabilities to create or update bulk tags for non-compliant configuration items (CIs) and assign remediation tasks to users or groups.
    • Auto-remediation: Automates tagging of cloud resources using AWS permissions for efficient management.

    Key Outcomes

    By implementing Tag Governance, organizations can:

    • Maintain compliance with tagging standards across all resources.
    • Improve reporting and operational efficiency through effective tag management.
    • Enhance visibility into resource usage and associated costs.
    • Ensure all teams, such as finance and IT security, can effectively categorize resources according to their specific needs.

    For effective implementation, it is crucial to establish clear tagging policies that consider the needs of various teams and to ensure proper permissions for auto-remediation functionalities.

    Use the ServiceNow® Tag Governance app to identify on-premises or cloud resources that are inconsistent and don't comply with the tag policies of your organization.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Tag Governance

    A tag is a label consisting of a key-value pair that is assigned to a cloud resource. Your organization may use tags to categorize its assets to improve visibility into cloud usage and costs. Effective tag management also improves reporting and overall operations management efficiency.

    Discovery also collects cloud tags that are specific to each virtual machine (VM) and saves them to the Key Value [cmdb_key_value] table.

    The Discovery and Cloud Discovery features discover all resources in the CMDB as well as cloud resources from cloud providers, such as Amazon AWS Cloud, Microsoft Azure Cloud, and Google Cloud Platform (GCP), respectively. The discovery process also detects tags that are associated with the CIs. However, if your organization uses inconsistent tagging standards or terms (key-value pairs), managing CIs with tags becomes more difficult.

    Discovery and Cloud Provisioning and Governance can discover tags that are used by all major cloud providers and container ecosystems through Service Mapping patterns. Once the tags are discovered, Service Mapping can create application services that are based on these tags. Typically, organizations use tagging in virtualized, hyper-converged, or multi-cloud infrastructures. For examples of the infrastructure types and tags used for them, see Tag-based discovery in Service Mapping.

    Depending on the scale and needs of your organization, establish tagging policies that all users can use effectively. You may need extensive discussions and research to understand the needs of all the varied teams that are part of your organization. For instance, finance teams may want CIs to be tagged based on cost-center allocations, application assignments, and business purpose. IT security teams, on the other hand, may want CIs categorized by OS and security patch level tags, as part of their vulnerability management plan.

    Before you finalize your tagging approach, ensure that you have also considered what filters various teams use, the level of access that different users need, and whether you would need real-time checks and the ability to synchronize the tags with your cloud resources. Having a methodical approach to setting up your tagging standards helps you keep the number of tags to a minimum. It also helps you determine how best to use the Tag Governance application to monitor and manage tags across CIs in your organization.

    Tag Governance Dashboard

    Use the dashboard to do these tasks:
    • Check that CIs comply with the tag policies that you configure.
    • Identify non-compliant or partially compliant CIs.
    • Use remediation flows to create or update tags in bulk for CIs that are non-compliant due to missing tags.
    View the tag health of your discovered resources. You can see the most popular and least used tags for the resources that you are managing. Filter the dashboard on the following predefined filters:
    • Cloud Service Accounts
    • CMDB CI Class
    • Datacenter
    Tag Health Dashboard

    Tag Policies and Remediation

    Run a policy to inspect or audit the discovered CIs for the following policy types:
    • Tag Count: Checks the CIs for the tag key count that you specify.
    • Tag Presence: Checks the CIs for the presence of the tag key values (comma-separated) that you specify.
    • Tag Key & Value: Checks the CIs for the presence of key and value pairs that you specify.
    In the Tag Presence policy type, specify the string values or tag keys that you are looking for in a comma-separated format. You can also specify a number in the Tag Count check policy type to identify CIs with one or more tags. After you run these policies, you can view the audit results and configure remediation measures that are based on the compliance index quality. Optionally, you can also assign remediation tasks for non-compliant CIs to user groups and users for follow-on tasks.
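
The three policy types above can be modelled as plain checks over each CI's tag set. The following is an added example, not ServiceNow code: the function names and sample CIs are constructed, Tag Count is assumed to mean "at least N tag keys", and the variant hint (for example `cost_center` against a required `CostCenter`) goes beyond the three checks to surface the inconsistent key spelling discussed earlier.

```python
import re

def parse_keys(spec):
    """Split the comma-separated key list given to a Tag Presence policy."""
    return [k.strip() for k in spec.split(",") if k.strip()]

def fold(key):
    """Fold case and separators so 'cost_center' and 'CostCenter' compare equal."""
    return re.sub(r"[^a-z0-9]", "", key.lower())

def audit_ci(tags, min_count, presence_spec, required_pairs):
    """Return the list of policy violations for one CI's tag dict."""
    issues = []
    # Tag Count: assumed here to mean "at least min_count tag keys".
    if len(tags) < min_count:
        issues.append(f"count: {len(tags)} < {min_count}")
    # Tag Presence: every listed key must exist with the exact spelling.
    folded = {fold(k): k for k in tags}
    for key in parse_keys(presence_spec):
        if key in tags:
            continue
        variant = folded.get(fold(key))
        hint = f" (found variant '{variant}')" if variant else ""
        issues.append(f"presence: missing '{key}'{hint}")
    # Tag Key & Value: each required pair must match exactly.
    for key, value in required_pairs.items():
        if tags.get(key) != value:
            issues.append(f"key-value: '{key}' is {tags.get(key)!r}, expected {value!r}")
    return issues

def audit(cis, min_count, presence_spec, required_pairs):
    """Map CI name -> violations; an empty list means compliant."""
    return {name: audit_ci(tags, min_count, presence_spec, required_pairs)
            for name, tags in cis.items()}

# Constructed sample CIs (not real data).
SAMPLE_CIS = {
    "vm-web-01": {"CostCenter": "CC-1001", "Owner": "web-team", "Environment": "prod"},
    "vm-db-02": {"cost_center": "CC-1001", "Owner": "dba-team"},
    "vol-0007": {},
}

if __name__ == "__main__":
    report = audit(SAMPLE_CIS, 2, "CostCenter, Owner", {"Environment": "prod"})
    for name, issues in report.items():
        print(name, "compliant" if not issues else issues)
```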

    Auto-remediation now works with assume role on AWS to automate the tagging of cloud resources when you follow the steps in Configure access using temporary credentials based on trusted AWS accounts with AWS credentials.

    The assumed role must have the following permission (policy) for remediation to work:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "tag:TagResources",
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*",
                    "arn:aws:ec2:*:*:security-group/*",
                    "arn:aws:ec2:*:*:volume/*",
                    "arn:aws:ec2:*:*:vpc/*",
                    "arn:aws:ec2:*:*:subnet/*",
                    "arn:aws:ec2:*:*:network-interface/*",
                    "arn:aws:elasticloadbalancing:*:*:loadbalancer/*",
                    "arn:aws:ec2:*:*:availability-zone/*",
                    "arn:aws:ec2:*:*:public-ip/*",
                    "arn:aws:storagegateway:*:*:gateway/*",
                    "arn:aws:resource-groups:*:*:group/*"
                ]
            }
        ]
    }
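
A remediation role should stay as narrow as the policy above. The following is an added example, not ServiceNow or AWS code: a small check, with hypothetical function names and a constructed "drifted" policy, that reports Allow statements granting more than the `tag:TagResources` action the page lists.

```python
import json

EXPECTED_ACTIONS = {"tag:tagresources"}  # the only action the page's policy grants

def as_list(value):
    """IAM accepts one item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings for Allow statements broader than the page's policy."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("NotAction", "NotResource"):
            if field in stmt:
                findings.append(f"statement {i}: {field} allows by exclusion")
        for action in as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in EXPECTED_ACTIONS:  # action names are case-insensitive
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: Resource is '*'")
    return findings

# The page's policy with the resource list shortened to two entries.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "tag:TagResources",
        "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
    }],
})

# Constructed example of a role policy that has drifted (single-object Statement).
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["tag:*", "ec2:TerminateInstances"], "Resource": "*"},
})

if __name__ == "__main__":
    for label, doc in (("page", PAGE_POLICY), ("drifted", DRIFTED_POLICY)):
        print(label, audit_policy(doc) or "no findings")
```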
    Note:

    During tag remediation, if Discovery is found to be credential-less, a MID Server with the Tag Management capability is selected. Therefore, add the Tag Management capability to the correct MID Server, the one with the service account IAM role attached. This is essential because there may be several MID Servers with account IAM roles to choose from.

    Note:
    You need to have the ITOM Visibility entitlements to run remediation on CIs in the CMDB. For more information, please contact Customer Service and Support.