CASE 86 · LORICA · 2023
Untagged resources that retag themselves.
An adtech company had a 31% tag coverage problem and a finance team that had given up asking for cost-by-team reports. We deployed a Config-rule-and-Lambda-remediator combination that auto-tagged resources from CloudTrail data on creation events.
Adtech
LANDING ZONE
2023
RESULTS
What changed, by the numbers.
TAG COVERAGE
31% → 97%
AUTO-TAGGED
14K
ONGOING DRIFT
< 1%
COST REPORTS
SHIPPED
HOW IT WENT
The legacy tag enforcement attempts had failed because they were aspirational: "engineers should tag their resources." The auto-remediator inverted the model: when a resource is created without required tags, the Lambda reads the CloudTrail event, identifies the principal who created it, looks up that principal’s team membership in Identity Center, and tags the resource on their behalf.
Backfill ran against the existing 14k untagged resources using the same logic, falling back to the least-recent modifier when the creator was a long-departed principal. The few cases where attribution genuinely couldn’t be determined got tagged "unknown" and surfaced in a weekly digest for human review.
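The attribution step described above, as an added example that is not Lorica's code: the remediator's decision logic in plain Python, with CloudTrail events passed in as dicts and the Identity Center lookup replaced by a constructed in-memory directory. The required tag keys, the `team`/`owner`/`attribution` tag names and the `TEAM_DIRECTORY` contents are assumptions; the Identity Center session-ARN shape is the real one.

```python
"""Attribute an untagged AWS resource to a team from its CloudTrail history."""
import re
from typing import Optional

REQUIRED_TAGS = ("team", "owner")  # assumed tag policy; the page names no keys
# Constructed stand-in for the Identity Center group lookup: SSO login -> team.
# A login absent here models a departed principal whose membership is gone.
TEAM_DIRECTORY = {"alice": "bidding", "bob": "reporting"}
# Identity Center sessions are assumed roles whose session name is the SSO login:
#   arn:aws:sts::<account>:assumed-role/AWSReservedSSO_<PermissionSet>_<id>/<login>
_SSO_SESSION = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/AWSReservedSSO_[^/]+/(?P<login>[^/]+)$")

def principal_login(user_identity: dict) -> Optional[str]:
    """Return the human login behind a CloudTrail userIdentity block, or None.

    IAMUser events name the user directly. AssumedRole events expose only the
    session ARN; for Identity Center roles the session name is the login. Other
    sessions (service roles, CI runners) cannot be pinned on a person.
    """
    if user_identity.get("type") == "IAMUser":
        return user_identity.get("userName")
    if user_identity.get("type") == "AssumedRole":
        match = _SSO_SESSION.match(user_identity.get("arn", ""))
        return match.group("login") if match else None
    return None

def missing_required_tags(tags: dict) -> list:
    """Keys the Config rule would flag as non-compliant (empty values count)."""
    return [key for key in REQUIRED_TAGS if not tags.get(key)]

def attribute(current_tags: dict, history: list) -> dict:
    """Decide which tags the remediator should apply to one resource.

    `history` holds the resource's CloudTrail events oldest first: history[0]
    is the creation event, history[1:] are later modifiers. Prefer the creator;
    if they cannot be resolved (departed, service role), fall back to the least
    recent modifier who can. Unresolvable resources get team=unknown so the
    weekly digest can surface them for human review.
    """
    if not missing_required_tags(current_tags):
        return {}  # already compliant: nothing to remediate
    for index, event in enumerate(history):
        login = principal_login(event.get("userIdentity", {}))
        team = TEAM_DIRECTORY.get(login)
        if team:
            basis = "creator" if index == 0 else "modifier"
            return {"team": team, "owner": login, "attribution": basis}
    return {"team": "unknown", "owner": "unknown", "attribution": "unknown"}
```

In a real Lambda the history would come from CloudTrail LookupEvents, which lags the API call by minutes, so the Config-triggered invocation must tolerate an empty result and retry rather than tag "unknown" on first sight.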
Tag coverage went from 31% to 97% in eight weeks; the remaining 3% are genuinely shared resources that need a different attribution model. Finance now ships monthly cost-by-team reports without complaint.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.