
Infrastructure Tagging

To gain full observability, compliance and transparency across our infrastructure, we need to tag our infrastructure resources properly.

Tagging with CDK

Only tag AWS-Backup supported resources! See the list of supported resources.

To tag supported resources with the data-classification and backup tags, do the following:

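// Imports assume AWS CDK v2; the snippets below run inside a Stack or Construct (`this`).
import * as cdk from "aws-cdk-lib";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as efs from "aws-cdk-lib/aws-efs";
import * as rds from "aws-cdk-lib/aws-rds";
import * as s3 from "aws-cdk-lib/aws-s3";
import * as redshift from "@aws-cdk/aws-redshift-alpha";

// Example 1: Tag an RDS instance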
const database = new rds.DatabaseInstance(this, "Database", {
  /*...*/
});
cdk.Tags.of(database).add("data-classification", "confidential");
cdk.Tags.of(database).add("backup", "enabled");

// Example 2: Tag an EBS volume
const volume = new ec2.Volume(this, "Volume", {
  /*...*/
});
cdk.Tags.of(volume).add("data-classification", "internal");
cdk.Tags.of(volume).add("backup", "enabled");

// Example 3: Tag a DynamoDB table
const table = new dynamodb.Table(this, "Table", {
  /*...*/
});
cdk.Tags.of(table).add("data-classification", "public");
cdk.Tags.of(table).add("backup", "custom");

// Example 4: Tag an EFS file system
const fileSystem = new efs.FileSystem(this, "FileSystem", {
  /*...*/
});
cdk.Tags.of(fileSystem).add("data-classification", "strictly-confidential");
cdk.Tags.of(fileSystem).add("backup", "disabled");

// Example 5: Tag an S3 bucket
const bucket = new s3.Bucket(this, "Bucket", {
  /*...*/
});
cdk.Tags.of(bucket).add("data-classification", "confidential");
cdk.Tags.of(bucket).add("backup", "enabled");

// Example 6: Tag an EC2 instance
const instance = new ec2.Instance(this, "Instance", {
  /*...*/
});
cdk.Tags.of(instance).add("data-classification", "internal");
cdk.Tags.of(instance).add("backup", "enabled");

// Example 7: Tag an Aurora cluster
const cluster = new rds.DatabaseCluster(this, "Cluster", {
  /*...*/
});
cdk.Tags.of(cluster).add("data-classification", "strictly-confidential");
cdk.Tags.of(cluster).add("backup", "enabled");

// Example 8: Tag a Redshift cluster
const redshiftCluster = new redshift.Cluster(this, "RedshiftCluster", {
  /*...*/
});
cdk.Tags.of(redshiftCluster).add("data-classification", "confidential");
cdk.Tags.of(redshiftCluster).add("backup", "enabled");
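
A tag that is missing or misspelled fails silently, so it is worth checking the synthesized CloudFormation template before deploying. The following is an added example, not part of the original page or of any project tooling: `findTagViolations`, `ALLOWED` and `CHECKED_TYPES` are hypothetical names, and the allowed values are assumed to be exactly the ones used in the examples above.

```typescript
// Assumption: the allowed values are the ones used in the page's examples.
const ALLOWED: Record<string, string[]> = {
  "data-classification": ["public", "internal", "confidential", "strictly-confidential"],
  backup: ["enabled", "disabled", "custom"],
};

// CloudFormation types behind the constructs tagged on this page.
const CHECKED_TYPES = new Set([
  "AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::EC2::Volume",
  "AWS::EC2::Instance", "AWS::DynamoDB::Table", "AWS::EFS::FileSystem",
  "AWS::S3::Bucket", "AWS::Redshift::Cluster",
]);

type Tag = { Key: string; Value: string };
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

function findTagViolations(template: Template): string[] {
  const violations: string[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    if (!CHECKED_TYPES.has(res.Type)) continue;
    // EFS file systems carry their tags under FileSystemTags, not Tags.
    const prop = res.Type === "AWS::EFS::FileSystem" ? "FileSystemTags" : "Tags";
    const raw = res.Properties?.[prop];
    const tags: Tag[] = Array.isArray(raw) ? (raw as Tag[]) : [];
    for (const [key, allowed] of Object.entries(ALLOWED)) {
      const tag = tags.find((t) => t.Key === key); // tag keys are case-sensitive
      if (!tag) violations.push(`${id}: missing tag "${key}"`);
      else if (!allowed.includes(tag.Value)) violations.push(`${id}: invalid ${key}="${tag.Value}"`);
    }
  }
  return violations;
}

// Constructed sample template (not real output from `cdk synth`).
const goodTags: Tag[] = [
  { Key: "data-classification", Value: "confidential" },
  { Key: "backup", Value: "enabled" },
];
const sampleTemplate: Template = {
  Resources: {
    Database: { Type: "AWS::RDS::DBInstance", Properties: { Tags: goodTags } },
    FileSystem: { Type: "AWS::EFS::FileSystem", Properties: { FileSystemTags: goodTags } },
    Bucket: { Type: "AWS::S3::Bucket", Properties: { Tags: [
      { Key: "data-classification", Value: "secret" }, { Key: "Backup", Value: "enabled" }] } },
    Queue: { Type: "AWS::SQS::Queue" }, // not in CHECKED_TYPES, so ignored
  },
};
const violations = findTagViolations(sampleTemplate); // two findings, both on Bucket
```

In a pipeline, feed it the parsed `*.template.json` files that `cdk synth` writes to `cdk.out` and fail the build when the returned list is non-empty.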