
Check for Cost Allocation Tags

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: OCI-KMS-003

Ensure that cost allocation tags are used to label, organize, and track the budget of your OCI KMS Vaults. In Oracle Cloud Infrastructure (OCI), resource tags are simple key-value pairs assigned to cloud resources for simplified organization, management, and budgeting.
For robust cost allocation and tracking, TrendAI Vision One™ Cloud Risk Management recommends the following tagging schema:

  • CostCenter: used to allocate and track cloud spending to a specific financial entity.
  • Project: used to identify individual projects consuming the resource.
  • Environment: used to distinguish between different stages (e.g., Development, Staging, and Production).
  • Owner: used to identify the person responsible for the cloud resource.
  • Department: used to identify the department responsible for the cloud resource.

Cost optimisation

By leveraging a structured tagging schema on your Oracle Cloud Infrastructure (OCI) KMS Vaults, you enable granular cost allocation and budget tracking. This process provides enhanced operational visibility, allowing you to efficiently query and filter vaults based on crucial metadata dimensions, such as owner, environment, and cost attribution.


Audit

To determine if your Oracle Cloud Infrastructure (OCI) KMS Vaults are using cost allocation tags, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to examine, listed in the Name column. Being an active Vault means its State is set to Active.

  5. Select the Tags tab to access the resource tags defined for the selected KMS Vault.

  6. In the Tags section, identify the Tag key column, and search for the following combination of tag keys: CostCenter, Project, Environment, Owner, and Department. If the Tag key column does not contain the specified combination of tag keys, the selected Oracle Cloud Infrastructure (OCI) KMS Vault is not using cost allocation tags.

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with custom output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the kms management vault list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each active KMS Vault provisioned in the selected OCI compartment:

    oci kms management vault list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query "data[?\"lifecycle-state\"=='ACTIVE'].id"
    
  4. The command output should return the requested Vault IDs:

    [
    	"ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run the kms management vault get command (Windows/macOS/Linux) to describe the resource tags (defined tags and free-form tags) defined for the specified OCI KMS Vault:

    oci kms management vault get \
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data.["defined-tags","freeform-tags"]'
    
  6. The command output should return the resource tags used by the selected KMS Vault:

    [
    	{
    		"Oracle-Tags": {
    			"CreatedBy": "Sydney Dev Team"
    		}
    	},
    	{
    		"Project": "Project5"
    	}
    ]
    

    Resource tags are simple key-value pairs. Check each tag key returned by the kms management vault get command output (e.g., "Project") for the following combination of tag keys: "CostCenter", "Project", "Environment", "Owner", and "Department". If the command output does not return the specified combination of tag keys, the selected Oracle Cloud Infrastructure (OCI) KMS Vault is not using cost allocation tags.
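
The audit check above can be scripted. The following is an added example, not code from the original page: it assumes the full JSON output of `oci kms management vault get` (without `--query`) has been captured for each vault, and the function names and sample OCIDs are constructed for illustration.

```python
import json

# Tag keys from the page's recommended schema (matched exactly as spelled).
REQUIRED_KEYS = ("CostCenter", "Project", "Environment", "Owner", "Department")

def present_tag_keys(vault):
    """Collect keys from free-form tags and from every defined-tag namespace."""
    keys = set(vault.get("freeform-tags") or {})
    for namespace_tags in (vault.get("defined-tags") or {}).values():
        keys.update(namespace_tags or {})
    return keys

def missing_cost_tags(vault):
    """Return the required keys the vault lacks, in schema order."""
    present = present_tag_keys(vault)
    return [key for key in REQUIRED_KEYS if key not in present]

def audit(vault_get_outputs):
    """Map vault OCID -> missing keys for each non-compliant ACTIVE vault."""
    findings = {}
    for raw in vault_get_outputs:
        vault = json.loads(raw)["data"]
        if vault.get("lifecycle-state") != "ACTIVE":
            continue  # the page audits active vaults only
        missing = missing_cost_tags(vault)
        if missing:
            findings[vault["id"]] = missing
    return findings

# Constructed sample outputs; the OCIDs are placeholders, not real resources.
SAMPLE_OUTPUTS = [
    json.dumps({"data": {"id": "ocid1.vault.oc1..example-a", "lifecycle-state": "ACTIVE",
                         "freeform-tags": {"Project": "Project5"},
                         "defined-tags": {"Oracle-Tags": {"CreatedBy": "Sydney Dev Team"}}}}),
    json.dumps({"data": {"id": "ocid1.vault.oc1..example-b", "lifecycle-state": "ACTIVE",
                         "freeform-tags": {"Project": "Project5", "Environment": "Production",
                                           "Owner": "jane.doe", "Department": "Finance"},
                         "defined-tags": {"Cost": {"CostCenter": "FIN-OPS"}}}}),
    json.dumps({"data": {"id": "ocid1.vault.oc1..example-c", "lifecycle-state": "DELETED",
                         "freeform-tags": {}, "defined-tags": None}}),
]

if __name__ == "__main__":
    for ocid, missing in audit(SAMPLE_OUTPUTS).items():
        print(f"{ocid}: missing {', '.join(missing)}")
```

A key counts as present whether it appears as a free-form tag or under any defined-tag namespace, which matches the page's instruction to check both tag types.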

Remediation / Resolution

To implement cost allocation tags for your Oracle Cloud Infrastructure (OCI) KMS Vaults, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to examine, listed in the Name column. Being an active Vault means its State is set to Active.

  5. Select the Tags tab to access the resource tags defined for the selected KMS Vault.

  6. In the Tags section, choose Add, and perform the following actions to create the recommended cost allocation tags for the selected OCI KMS Vault:

    1. For Namespace, select a tag namespace from the dropdown list to add a defined tag or select None to add a free-form tag. A defined tag is a structured key-value metadata with enforced policies and namespace. A free-form tag is a simple key-value metadata with no structure or namespace enforcement.
    2. For Key, choose a cost allocation tag key that's associated with the selected tag namespace if you are adding a defined tag, or type CostCenter, Project, Environment, Owner, or Department in the tag key box if you're adding a free-form tag.
    3. For Value, enter the tag value for the chosen cost allocation tag key.
    4. Choose Add tag and make sure that each cost allocation tag (i.e., CostCenter, Project, Environment, Owner, and Department) is defined.
    5. Choose Add tags to apply the recommended cost allocation tags to your OCI resource.

Using OCI CLI

  1. Run the kms management vault update command (Windows/macOS/Linux) to add cost allocation tags (free-form tags) to the specified Oracle Cloud Infrastructure (OCI) KMS Vault. A free-form tag is a simple key-value metadata with no structure or namespace enforcement. Make sure that you include any existing free-form tags in the --freeform-tags parameter value, because the update replaces the existing values:

    oci kms management vault update \
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--freeform-tags '{"CostCenter":"FIN-OPS","Project":"Project5"}'
    
  2. Type Y and press Enter for confirmation:

    WARNING: Updates to defined-tags and freeform-tags will replace any existing values. Are you sure you want to continue? [y/N]: Y
    
  3. The command output should return the configuration information (including tags) available for the modified KMS Vault:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"crypto-endpoint": "https://1234abcd1234abcd-crypto.kms.ap-sydney-1.oraclecloud.com",
    		"display-name": "cc-project5-vault",
    		"external-key-manager-metadata-summary": null,
    		"freeform-tags": {
    			"CostCenter": "FIN-OPS",
    			"Project": "Project5"
    		},
    		"id": "ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"is-primary": true,
    		"is-vault-replicable": null,
    		"lifecycle-state": "ACTIVE",
    		"management-endpoint": "https://1234abcd1234abcd-management.kms.ap-sydney-1.oraclecloud.com",
    		"replica-details": null,
    		"restored-from-vault-id": null,
    		"time-created": "2025-10-27T11:49:33.807000+00:00",
    		"time-of-deletion": null,
    		"vault-type": "DEFAULT",
    		"wrappingkey-id": "ocid1.key.oc1.ap-sydney-1.1234abcd1234abcd.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	}
    }
    
  4. Run the kms management vault update command (Windows/macOS/Linux) to add cost allocation tags (defined tags) to the specified OCI KMS Vault. A defined tag is a structured key-value metadata with enforced policies and namespace. Make sure that you include any existing defined tags in the --defined-tags parameter value, because the update replaces the existing values:

    oci kms management vault update \
    	--vault-id 'ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--defined-tags '{"Cost":{"CostCenter":"FIN-OPS"}}'
    
  5. Type Y and press Enter for confirmation:

    WARNING: Updates to defined-tags and freeform-tags will replace any existing values. Are you sure you want to continue? [y/N]: Y
    
  6. The command output should return the configuration information (including tags) available for the modified KMS Vault:

    {
    	"data": {
    		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"crypto-endpoint": "https://1234abcd1234abcd-crypto.kms.ap-sydney-1.oraclecloud.com",
    		"defined-tags": {
    			"Cost": {
    				"CostCenter": "FIN-OPS"
    			}
    		},
    		"display-name": "cc-project5-vault",
    		"external-key-manager-metadata-summary": null,
    		"freeform-tags": {},
    		"id": "ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"is-primary": true,
    		"is-vault-replicable": null,
    		"lifecycle-state": "ACTIVE",
    		"management-endpoint": "https://1234abcd1234abcd-management.kms.ap-sydney-1.oraclecloud.com",
    		"replica-details": null,
    		"restored-from-vault-id": null,
    		"time-created": "2025-10-27T11:49:33.807000+00:00",
    		"time-of-deletion": null,
    		"vault-type": "DEFAULT",
    		"wrappingkey-id": "ocid1.key.oc1.ap-sydney-1.1234abcd1234abcd.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    	}
    }
    
  7. Repeat steps no. 1 - 6 for each recommended cost allocation tag, i.e., CostCenter, Project, Environment, Owner, and Department.
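
Because each update replaces the existing tag values, the new tags have to be merged with the vault's current ones before the command is run. The following is an added example, not code from the original page: it builds the `oci kms management vault update` argument list from the `data` object returned by `vault get`; the function name and the sample vault are constructed for illustration.

```python
import json

def build_update_argv(vault, freeform_add=None, defined_add=None):
    """Build a vault update command line that keeps the vault's existing tags.

    `vault` is the "data" object from `oci kms management vault get`.
    Additions override the value of a key that already exists and leave
    every other tag in place.
    """
    freeform = dict(vault.get("freeform-tags") or {})
    freeform.update(freeform_add or {})

    # Defined tags are nested one level deep: {namespace: {key: value}}.
    defined = {ns: dict(tags or {})
               for ns, tags in (vault.get("defined-tags") or {}).items()}
    for ns, tags in (defined_add or {}).items():
        defined.setdefault(ns, {}).update(tags)

    argv = ["oci", "kms", "management", "vault", "update",
            "--vault-id", vault["id"]]
    # Only send the tag type being changed; the other one is left untouched.
    if freeform_add:
        argv += ["--freeform-tags", json.dumps(freeform, sort_keys=True)]
    if defined_add:
        argv += ["--defined-tags", json.dumps(defined, sort_keys=True)]
    return argv

# Constructed sample: the "data" object of a vault that already carries tags.
SAMPLE_VAULT = {
    "id": "ocid1.vault.oc1..example-a",  # placeholder OCID
    "freeform-tags": {"Project": "Project5"},
    "defined-tags": {"Oracle-Tags": {"CreatedBy": "Sydney Dev Team"}},
}

if __name__ == "__main__":
    print(build_update_argv(SAMPLE_VAULT, freeform_add={"CostCenter": "FIN-OPS"}))
    print(build_update_argv(SAMPLE_VAULT, defined_add={"Cost": {"CostCenter": "FIN-OPS"}}))
```

The function only returns the argument list; pass it to a process runner or print it for review before applying the change.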

Publication date Nov 12, 2025