If the resource has all the specified tags, the evaluation result is Compliant.


An enterprise may require that cloud resources have specific tags, which can facilitate resource management in scenarios like permission isolation, expense splitting, and automatic O&M.

Risk level

Default risk level: high.

When you apply this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If the resource has all the specified tags, the evaluation result is Compliant.
  • If the resource does not have all the specified tags, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see the "Incompliance remediation" section of this topic.

Rule details

Rule namecontains-all-tag
Rule identifiercontains-all-tag
Automatic remediationNot supported
Trigger typeConfiguration change
Supported resource type
  • Container Service for Kubernetes (ACK) cluster
  • API resource
  • API group
  • Alibaba Cloud CDN domain name
  • Cloud Enterprise Network (CEN) instance
  • Anti-DDoS instance
  • Dedicated host
  • Elastic Compute Service (ECS) disk
  • ECS instance
  • Launch template
  • Elastic network interface (ENI)
  • ECS security group
  • ECS snapshot
  • Elastic IP address (EIP)
  • ApsaraDB for HBase cluster
  • Customer master key (CMK) managed by Key Management Service (KMS)
  • Secret managed by Secrets Manager
  • ApsaraDB for MongoDB instance
  • Apsara File Storage NAS file system
  • NAT gateway
  • Object Storage Service (OSS) bucket
  • PolarDB cluster
  • ApsaraDB RDS instance
  • ApsaraDB for Redis instance
  • Server Load Balancer (SLB)
  • Virtual Private Cloud (VPC) route table
  • VPC
  • vSwitch
Input parameter
  • tag1Key: the key of tag 1.
  • tag1Value: the value of tag 1.
  • tag2Key: the key of tag 2.
  • tag2Value: the value of tag 2.
  • tag3Key: the key of tag 3.
  • tag3Value: the value of tag 3.
  • tag4Key: the key of tag 4.
  • tag4Value: the value of tag 4.
  • tag5Key: the key of tag 5.
  • tag5Value: the value of tag 5.
  • tag6Key: the key of tag 6.
  • tag6Value: the value of tag 6.
Note You can define up to six tags. Each tag must contain a key and a value. The keys and values are case-sensitive. You can use asterisks (*) and question marks (?) as wildcard characters. Only a single tag key can be specified for each tag, but multiple tag values can be specified for a single tag. Separate multiple tag values with commas (,). The system considers it a match if the resource has one of the values corresponding to a key that has multiple values.

Incompliance remediation

Attach all the specified tags to the resource. For more information, see Add a custom tag.