Tags

Multi-cloud tagging for all Veza entities

Veza Tags provide a way to add additional metadata to entities such as identities, policies, or data resources. You can create Veza tags and apply them to any object in the Entity Catalog, and use these tags to filter search results (along with any cloud-native tags Veza has discovered).

Overview

Cloud service providers such as AWS and Google Cloud offer ways to tag and label resources, identities, and other objects within an account or service. These provider-specific, cloud-native tags are typically used to enforce policies and enable automation. Tags and labels can also classify resources for business processes (such as spend management), or track technical metadata such as version or development environment.

Veza Tags enable the application of consistent tagging strategies across all identities, resources, and any other entities in the data catalog, regardless of cloud provider. Security teams can use Veza Tags to categorize entities and create rule-based policies without exposing the values or tagging scheme to AWS or GCP users.

Veza system tags can also enable automatic workflow reviewer assignments. Filtering on a given tag can be useful when creating Workflows ("certify AWS S3 access for buckets tagged for PCI compliance"). Tag filters can also narrow authorization graph results ("show only AWS EC2 instances tagged environment: production").

For example, you could use tags to filter specifically for databases containing sensitive customer records. After creating a PII tag and applying it to those resources, you can filter search and query results to only show the tagged entities. Tags can also enable fine-grained control for rules and Risks when specified in the original query conditions.

Viewing Entity Tags

You might notice that some tags are already applied to your identity and data entities, as Veza automatically ingests pre-existing tags during discovery. You can see the provider-native or Veza tags for any entity using the Authorization Graph actions sidebar.

Like AWS tags, Veza tags have a key and an optional value. For example, a tag with the key Departments could have a value such as Engineering, Finance, or Sales. The DataCompliance key can be given additional context with a value such as PCI, GDPR, or SOX.

Tags can be used to track a wide range of properties, and can be applied to any entity. You can use them to track a particular set of groups or policies, or apply tags to add comments for other users (Note: Your_Details_Here).

You can view all AWS or Google tags and labels on entities in the Veza data catalog by browsing under the Configurations menu.

Search for Tagged Entities

It's not currently possible to search by tag key or value from Authorization Graph or Query Builder. However, you can add filters to only show entities with a given tag.

  • Use Tagged Entity Search to search entities with a Veza, Google Cloud, or AWS tag, and remove Veza tags from entities.

  • Use the Data Catalog > Tags panel to review all the Veza Tags or cloud-native tags Veza has discovered, with the option to open any item in Tagged Entity Search.

Creating and Applying Veza Tags

You can create and apply Veza Tags from the Authorization Graph actions sidebar and the Identity Data Entities. Select the entity you want to tag, and click Add Tag.

You can create a new tag, or pick an existing one on the modal that appears.

Tags can take some time to populate. If your tag isn't immediately available, you might need to wait several minutes. Any tags you create will be visible to other Veza users.

To remove a tag from an entity:

  1. Search for the entity using Authorization Graph or Query Builder.
     • From Query Builder, click on the result name to view details.
     • From Graph, click on the node to expand the actions sidebar, and choose View Details or Veza Tags.

  2. Any applied Veza Tags are shown in purple. Click the "x" next to a tag to remove it from the entity.

Tag Administration

The Data Catalog > Tags panel lists all the tags that Veza users have created, with additional tabs for any cloud-native tags Veza has discovered. You can sort the list by key or title, or create a new tag from this panel:

  1. Click the "Add New" button to create a new tag

  2. Enter a key and value, and save your changes

  3. Once populated, the tag can be assigned to entities and used as a filter

To filter an Authorization Graph search by a Veza tag or external tag, click "Add tags" in the Filter by Tag section of the graph Search menu. Select an entity type to filter, and choose from the list of available tags.

Once the tag has been added to your search, the layer where the filter is applied will collapse to only include entities with a matching AWS or Veza Tag. You can see any tags filtering your current search on the search sidebar.

Note that tag-based filters are applied to a single entity type at a time. You can still filter multiple entity types by a Veza tag by applying the filter to each layer.

Tagging for custom apps and identity providers

You can apply tags to entities pushed using the Open Authorization API by declaring them in the tags array of the custom template. Each tag has a key and an optional value, matching Veza tags created in the UI. This example for the BitBucket application type has multiple tags on the instance, project, repo, group, and user:

{
  "name": "BitBucket",
  "tags": [
    {
      "key": "instanceTag1key",
      "value": "instanceTag1Val"
    },
    {
      "key": "instanceTag2key"
    }
  ],
  "projects": [
    {
      "name": "Project 1",
      "repos": [
        {
          "name": "Repo 1",
          "tags": [
            {
              "key": "repoTag1key",
              "value": "repoTag1Val"
            },
            {
              "key": "repoTag2key"
            }
          ]
        }
      ],
      "tags": [
        {
          "key": "projectTag1key",
          "value": "projectTag1Val"
        },
        {
          "key": "projectTag2key"
        }
      ]
    }
  ],
  "groups": [
    {
      "name": "Test Group 1",
      "tags": [
        {
          "key": "groupTag1key",
          "value": "groupTag1Val"
        },
        {
          "key": "groupTag2key"
        }
      ],
      "global_permissions": "ProjectCreator"
    }
  ],
  "users": [
    {
      "name": "User1",
      "email": "user1@testme.com",
      "identity": "user1@testme.com",
      "global_permissions": "BitbucketUser",
      "tags": [
        {
          "key": "userTag1key",
          "value": "userTag1Val"
        },
        {
          "key": "userTag2key"
        }
      ]
    }
  ]
}
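The following is an added example, not Veza's own code or SDK. It walks a custom-application payload shaped like the BitBucket template above, checks that every tag declares a non-empty string key (with value optional, as described for Veza tags), and then answers the kind of question the Tagged Entity Search and the per-layer graph filter answer: which entities carry a given tag key, optionally restricted to one value and one entity type. The sample payload, the entity-type names used by the walker, and all function names are constructed for this illustration and are not part of the Open Authorization API.

```python
"""Walk a custom-application payload and find entities by Veza tag.

Illustrative example only (not Veza code). The payload shape follows
the BitBucket template above; helper names are assumptions.
"""
from typing import Iterator, Optional

# Constructed sample payload. Tag keys/values reuse the DataCompliance and
# Note examples from the page; everything else is made up for the demo.
CUSTOM_APP = {
    "name": "BitBucket",
    "tags": [
        {"key": "instanceTag1key", "value": "instanceTag1Val"},
        {"key": "instanceTag2key"},  # value-less tag is allowed
    ],
    "projects": [
        {
            "name": "Project 1",
            "repos": [
                {"name": "Repo 1", "tags": [{"key": "DataCompliance", "value": "PCI"}]},
            ],
            "tags": [{"key": "projectTag1key", "value": "projectTag1Val"}],
        }
    ],
    "groups": [
        {
            "name": "Test Group 1",
            "tags": [{"key": "DataCompliance", "value": "SOX"}],
            "global_permissions": "ProjectCreator",
        }
    ],
    "users": [
        {
            "name": "User1",
            "email": "user1@testme.com",
            "identity": "user1@testme.com",
            "global_permissions": "BitbucketUser",
            "tags": [
                {"key": "DataCompliance", "value": "PCI"},
                {"key": "Note", "value": "contractor account"},
            ],
        }
    ],
}


def iter_entities(app: dict) -> Iterator[tuple[str, str, list[dict]]]:
    """Yield (entity_type, name, tags) for the instance and every nested
    project, repo, group and user in the template."""
    yield ("instance", app["name"], app.get("tags", []))
    for project in app.get("projects", []):
        yield ("project", project["name"], project.get("tags", []))
        for repo in project.get("repos", []):
            yield ("repo", repo["name"], repo.get("tags", []))
    for group in app.get("groups", []):
        yield ("group", group["name"], group.get("tags", []))
    for user in app.get("users", []):
        yield ("user", user["name"], user.get("tags", []))


def validate_tags(tags: list) -> list[str]:
    """Return a list of problems: each tag needs a non-empty string key;
    a value is optional but must be a string when present."""
    problems = []
    for i, tag in enumerate(tags):
        key = tag.get("key")
        if not isinstance(key, str) or not key:
            problems.append(f"tag {i}: missing or empty key")
        if "value" in tag and not isinstance(tag["value"], str):
            problems.append(f"tag {i}: value must be a string")
    return problems


def validate_payload(app: dict) -> list[str]:
    """Collect tag problems across all entities, prefixed by entity."""
    return [
        f"{etype} {name!r}: {p}"
        for etype, name, tags in iter_entities(app)
        for p in validate_tags(tags)
    ]


def tag_matches(tag: dict, key: str, value: Optional[str] = None) -> bool:
    """Key-only filters match any tag with that key, including value-less
    tags; a key+value filter requires both to match."""
    if tag.get("key") != key:
        return False
    return value is None or tag.get("value") == value


def find_tagged(app: dict, key: str, value: Optional[str] = None,
                entity_type: Optional[str] = None) -> list[tuple[str, str]]:
    """Return (entity_type, name) for entities carrying the tag. Passing
    entity_type narrows the result to one layer, like the graph filter."""
    return [
        (etype, name)
        for etype, name, tags in iter_entities(app)
        if (entity_type is None or etype == entity_type)
        and any(tag_matches(t, key, value) for t in tags)
    ]


if __name__ == "__main__":
    print("problems:", validate_payload(CUSTOM_APP))
    print("PCI:", find_tagged(CUSTOM_APP, "DataCompliance", "PCI"))
    print("any compliance:", find_tagged(CUSTOM_APP, "DataCompliance"))
```

Running the script validates the sample payload (no problems), lists the repo and user tagged DataCompliance: PCI, and lists all three entities with any DataCompliance value. Restricting with entity_type="user" mirrors the graph behaviour described above, where a tag filter applies to one entity type at a time.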
