Tags

Veza Tags provide a way to add additional metadata to entities such as identities, policies, or data resources. You can create Veza tags and apply them to any object in the Access Graph, and use these tags to filter search results (along with any cloud-native tags Veza has discovered).

Overview

Cloud service providers such as AWS and Google Cloud offer ways to tag and label resources, identities, and other objects within an account or service. These provider-specific, cloud-native tags are typically used to enforce policies and enable automation. Tags and labels can also classify resources for business processes (such as spend management), or track technical metadata such as version or development environment.

Veza Tags enable the application of consistent tagging strategies across all identities, resources, and any other entities in the data catalog, regardless of cloud provider. Security teams can use Veza Tags to categorize entities and create rule-based policies without exposing the values or tagging scheme to AWS or GCP users.

Veza system tags can also enable automatic . Filtering on a given tag can be useful when creating Workflows ("certify AWS S3 access for buckets tagged for PCI compliance"). Tag filters can also narrow authorization graph results ("show only AWS EC2 instances tagged environment: production”).

For example, you could use tags to filter specifically for databases containing sensitive customer records. After creating a PII tag and applying it to those resources, you can filter search and query results to only show the tagged entities. Tags can also enable fine-grained control for and when specified in the original query .

Viewing Entity Tags

You might notice that some tags are already applied to your identity and data entities, as Veza automatically ingests pre-existing tags during discovery. You can see the provider-native or Veza tags for any entity using the Authorization Graph actions sidebar:

Like AWS tags, Veza tags have a key and an optional value. For example, a tag with the key Departments could have a value such as Engineering, Finance, or Sales. The DataCompliance key can be granted additional context with a value such as PCI, GDPR, or SOX:

You can view all AWS or Google tags and labels on entities in the Veza data catalog by browsing under the Configurations menu.

Search for Tagged Entities

It's not currently possible to search by tag key or value from Authorization Graph or Query Builder. However, you can add filters to only show entities with a given tag.

• Use the Data Catalog > Tags panel to review all the Veza Tags or cloud-native tags Veza has discovered, with the option to open any item in Tagged Entity Search.

Creating and Applying Veza Tags

You can create a new tag, or pick an existing one on the modal that appears.

To remove a tag from an entity:

1. Search for the entity using Authorization Graph or Query Builder *. From Query Builder, click on the result name to view details *. From Graph, click on the node to expand the actions sidebar, and choose View Details or Veza Tags

2. Any applied Veza Tags are shown in purple. Click the "x" next to a tag to remove it from the entity.

Tag Administration

The Data Catalog > Tags panel lists all the tags that Veza users have created, with additional tabs for any cloud native tags Veza has discovered. You can sort the list by key or title, or create a new tag from this panel:

1. Click the "Add New" button to create a new tag

2. Enter a key and value, and save your changes

3. Once populated, the tag can be assigned to entities and used as a filter

Using Tags in Search

To filter an Authorization Graph search by a Veza tag or external tag, click "Add tags" in the Filter by Tag section of the graph Search menu. Select an entity type to filter, and choose from the list of available tags.

Once the tag has been added to your search, the layer where the filter is applied will collapse to only include entities with a matching AWS or Veza Tag. You can see any tags filtering your current search on the search sidebar:

Note that tag-based filters are applied to a single entity type at a time. You can still filter multiple entity types by a Veza tag by applying the filter to each layer.

Tagging for custom apps and identity providers

{
  "name": "BitBucket",
  "tags": [
            {
              "key": "instanceTag1key",
              "value": "instanceTag1Val"
            },
            {
              "key": "instanceTag2key"
            }
          ],
  "projects": [
    {
      "name": "Project 1",
      "repos": [
        {
          "name": "Repo 1",
          "tags": [
            {
              "key": "repoTag1key",
              "value": "repoTag1Val"
            },
            {
              "key": "repoTag2key"
            }
          ]
        }
      ],
      "tags": [
        {
          "key": "projectTag1key",
          "value": "projectTag1Val"
        },
        {
          "key": "projectTag2key"
        }
      ]
    }
  ],
  "groups": [
    {
      "name": "Test Group 1",
      "tags": [
        {
          "key": "groupTag1key",
          "value": "groupTag1Val"
        },
        {
          "key": "groupTag2key"
        }
      ],
      "global_permissions": "ProjectCreator"
    }
  ],
  "users": [
    {
      "name": "User1",
      "email": "user1@testme.com",
      "identity": "user1@testme.com",
      "global_permissions": "BitbucketUser",
      "tags": [
        {
          "key": "userTag1key",
          "value": "userTag1Val"
        },
        {
          "key": "userTag2key"
        }
      ]
    }
  ]
}