Who created that VM?

Cloud Advisor
Dec 27, 2021

With the advent of cloud and self-service, the question of who created a given resource such as a virtual machine often arises. The answer can usually be found in the cloud's activity audit log, provided that logging is enabled and the retention period hasn't lapsed. In AWS, for example, CloudTrail's Event History only keeps the last 90 days of management events; anything older is gone unless a trail was configured to deliver the events to S3.

If you’re still using ticket-based IT in lieu of self-service to create cloud resources, then your ticketing system should have a CMDB record for the resource. Another solution is to ask people to tag the resources they create with the creator’s or owner’s name. This would be great… if everyone complied!

Required Tag Enforcement

Most cloud providers have a means of requiring that a particular tag be present when a resource is created. In AWS this is an IAM or service control policy condition on aws:RequestTag/<key> and aws:TagKeys that denies the create call when the key is missing; Azure Policy ships a built-in "Require a tag on resources" definition. This works well when resources are created via the UI, but less so when automation is used, unless that automation also specifies the tag. Even where enforcement is in place, a manually entered creator value is prone to inconsistencies and typos (jdoe, JDoe, jdoe@example.com), which makes it hard to search on later.

Automate Creator Tag

The preferred solution is to apply the creator automatically when the resource is created (e.g., as a 'Creator' tag). The value should be an immutable but readable property of the creator, such as their email address or user ID. The user's display name could be used, but this can lead to ambiguities when two people share a name or a name changes.

Automation solutions for AWS, Azure, and GCP are presented below. All work more or less on the same principle: When the resource is created, an event is recorded. The event is intercepted by a function which, in turn, tags the underlying resource with the Creator.

AWS

In AWS, this can be done with an automated workflow: CloudTrail records the create call (for example RunInstances), a rule in Amazon EventBridge (formerly CloudWatch Events) matches that "AWS API Call via CloudTrail" event, and an AWS Lambda function reads the caller from the event's userIdentity block and tags the resources listed in the response. The AWS reference solution also keeps the tag key and value configuration in a resource tag repository such as AWS Systems Manager Parameter Store so they can be changed without redeploying the function.

The blog page below provides the step-by-step solution:

You can also use Cloud Custodian, an open source tool that uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs, and detailed reporting for cloud infrastructures. Its auto-tag-user action exists for AWS, Azure, and GCP; the linked example happens to be the Azure one. See: https://cloudcustodian.io/docs/azure/examples/autotagusers.html
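To make the AWS pattern concrete, here is an added example (not code from the original post or from the AWS blog it links) of the Lambda half of that workflow: a handler for an EventBridge rule that matches RunInstances events delivered via CloudTrail, derives a stable creator string from the event's userIdentity block, and tags the instances and network interfaces the call created. The tag key 'Creator', the sample event, and the stand-in EC2 client are all assumptions constructed for the example so it runs offline; in Lambda you would pass a real boto3 EC2 client, as lambda_handler does.

```python
"""Auto-tag newly created EC2 resources with the identity that created them.

Added example, not from the original post. Entry point for Lambda is
lambda_handler; handler() takes the tagging client as a parameter so the
logic can be exercised offline against the constructed event below.
"""
from __future__ import annotations

TAG_KEY = "Creator"  # assumed tag key (the post suggests 'Creator')


def creator_from_identity(identity: dict) -> str:
    """Derive a stable, readable creator string from a CloudTrail userIdentity.

    Assumed conventions (not the post's): an assumed-role session ARN like
    arn:aws:sts::123456789012:assumed-role/DevRole/alice@example.com is
    reduced to 'DevRole/alice@example.com' because with SSO or federation the
    session name is the human; the bare role ARN would hide who launched it.
    Root is flagged explicitly so it stands out in later audits.
    """
    kind = identity.get("type")
    arn = identity.get("arn", "")
    if kind == "Root":
        return f"root@{identity.get('accountId', 'unknown')}"
    if kind == "AssumedRole" and ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1]
    if kind == "IAMUser":
        return identity.get("userName") or arn
    return identity.get("principalId") or arn or "unknown"


def resources_from_run_instances(detail: dict) -> list[str]:
    """Collect the resource IDs present in a RunInstances responseElements.

    Instances and their primary ENIs are reported at launch time. EBS volumes
    are normally created asynchronously and are absent here, so a complete
    solution also needs a rule on CreateVolume (or a later DescribeInstances).
    """
    ids: list[str] = []
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    for inst in items:
        ids.append(inst["instanceId"])
        for eni in inst.get("networkInterfaceSet", {}).get("items", []):
            ids.append(eni["networkInterfaceId"])
        for bdm in inst.get("blockDeviceMapping", {}).get("items", []):
            volume_id = bdm.get("ebs", {}).get("volumeId")
            if volume_id:
                ids.append(volume_id)
    return ids


def handler(event: dict, ec2, tag_key: str = TAG_KEY) -> dict:
    """Tag every resource created by the RunInstances call in `event`.

    `ec2` is any object with a boto3-style create_tags(Resources=, Tags=).
    Failed calls (errorCode present) created nothing and are skipped.
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances":
        return {"tagged": [], "creator": None, "reason": "not a RunInstances event"}
    if "errorCode" in detail:
        return {"tagged": [], "creator": None, "reason": detail["errorCode"]}
    creator = creator_from_identity(detail.get("userIdentity", {}))
    ids = resources_from_run_instances(detail)
    if not ids:
        return {"tagged": [], "creator": creator, "reason": "no resources in response"}
    ec2.create_tags(Resources=ids, Tags=[{"Key": tag_key, "Value": creator}])
    return {"tagged": ids, "creator": creator, "reason": None}


def lambda_handler(event, context):
    """Real Lambda entry point; boto3 is imported lazily so the module runs offline."""
    import boto3  # present in the Lambda runtime
    region = event.get("detail", {}).get("awsRegion") or event.get("region")
    return handler(event, boto3.client("ec2", region_name=region))


class RecordingEc2:
    """Stand-in for the boto3 EC2 client that records CreateTags calls (constructed for the example)."""

    def __init__(self):
        self.calls: list[dict] = []

    def create_tags(self, Resources, Tags):
        self.calls.append({"Resources": list(Resources), "Tags": list(Tags)})
        return {}


# Constructed sample event in the shape EventBridge delivers for CloudTrail calls.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "region": "us-east-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID:alice@example.com",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/alice@example.com",
            "accountId": "123456789012",
        },
        "responseElements": {
            "instancesSet": {
                "items": [
                    {
                        "instanceId": "i-0123456789abcdef0",
                        "networkInterfaceSet": {"items": [{"networkInterfaceId": "eni-0abc1234def567890"}]},
                        "blockDeviceMapping": {"items": []},
                    }
                ]
            }
        },
    },
}

if __name__ == "__main__":
    fake = RecordingEc2()
    print(handler(SAMPLE_EVENT, fake))
    print(fake.calls)
```

Two practical points. The EventBridge rule pattern should be narrow (source aws.ec2, detail.eventName RunInstances), and the function's role should hold only ec2:CreateTags, ideally with an aws:TagKeys condition restricting it to the Creator key. The tag is only as trustworthy as the log behind it: unless ec2:CreateTags and ec2:DeleteTags on that key are denied to ordinary users, anyone with tagging rights can rewrite it, so treat the tag as a convenience index and CloudTrail as the record.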

Azure

In Microsoft Azure, you can use Event Grid subscriptions and Azure Functions to tag resource creators automatically. Each successful write to a resource in an Azure subscription raises a subscription-level event (such as Microsoft.Resources.ResourceWriteSuccess), and an Event Grid subscription can deliver that event to a function. The event's claims carry the identity of the caller who made the request, and the Azure Function uses it to apply the tag to the resource named in the event.

See Tagging Azure Resources with a Creator for a step-by-step solution.

GCP

In Google Cloud Platform, the equivalent of tags are labels. One solution uses Cloud Functions triggered by the Compute Engine audit log entry for the insert call to label instances and disks on creation. See: https://blog.doit-intl.com/automatically-label-google-cloud-compute-engine-instances-and-disks-upon-creation-5d1245f361c1

Oracle Cloud

Oracle Cloud has a native solution for automatic tagging: tag defaults whose values can contain substitution variables, so no function is needed. For the owner, the variable is ${iam.principal.name}, which resolves to the name of the principal creating the resource.

For a step-by-step guide, see:


Cloud Advisor

Tips, tricks, tools, and musings about Cloud, Risk Management, and CyberSecurity by Les Waters.