This topic describes the tag-related rule templates in Cloud Config and how to audit and automatically remediate tags that are associated with resources based on business requirements.
Background information
In most cases, enterprises use tags to categorize cloud resources for permission management, bill splitting, and audits. Therefore, enterprises may face challenges in efficiently associating tags with resources and ensuring the continuous compliance of tags in IT governance. Cloud Config provides various rule templates and remediation capabilities based on the accumulated experience in tag management of enterprises. This topic describes the tag-related rule templates in Cloud Config and the corresponding usage scenarios.
Rule templates
The following table describes the rule templates that are related to tag management in Cloud Config.
| Rule template | Detection logic | Scenario | Remediation support |
| --- | --- | --- | --- |
| | If a resource has all specified tags, the evaluation result is Compliant. You can specify up to six tags in key-value pairs. Tag keys and values are case-sensitive. You can specify only one tag value for a tag key. | The resource must have all specified tags in key-value pairs. The key-value pairs must meet the format requirements. | Template remediation is supported. Multiple non-compliant tags can be remediated at the same time. |
| | If a resource has at least one of the specified tags, the evaluation result is Compliant. You can specify up to six tags in key-value pairs. Tag keys and values are case-sensitive. You can specify only one tag value for a tag key. | The resource must have at least one of the specified tags in key-value pairs. The key-value pairs must meet the format requirements. | Custom remediation is supported. |
| | If a resource has all specified tags, the evaluation result is Compliant. You can specify up to six tags in key-value pairs. Tag keys and values are case-sensitive. You can use asterisks (*) and question marks (?) as wildcard characters. You can specify only one tag key, but you can specify multiple tag values for each tag. Separate multiple tag values with commas (,). A tag that is associated with the resource only needs to match one of the tag values. | The resource must have all specified tags in key-value pairs. The key-value pairs must contain asterisks (*) or question marks (?) as wildcard characters. | Custom remediation is supported. |
| | If a resource has the specified tag whose value is one of the specified values, the evaluation result is Compliant. The tag key and value are case-sensitive. You can use asterisks (*) and question marks (?) as wildcard characters. You can specify only one tag key, but you can specify multiple tag values for each tag. Separate multiple tag values with commas (,). If the tag that is associated with the resource matches one of the tag values, the resource is considered compliant. | The resource must have tag key-value pairs that match a specific wildcard format and meet at least one set of requirements. | Custom remediation is supported. |
| | If the tag information of a resource is not empty, the evaluation result is Compliant. | The resource must have valid tag information. | Custom remediation is supported. |
| | If a tag of a resource that belongs to a supported resource type matches the specified regular expression for tags in key-value pairs, the evaluation result is Compliant. You can specify a regular expression for tag keys. The regular expression for tag values is optional. | This rule is used to evaluate resources whose tags are in complicated formats. | You can modify templates to specify fixed tag key-value pairs. |
| resources-inherit-tags-from-ecs-instance | If a resource that is associated with an Elastic Compute Service (ECS) instance inherits a specified tag of the ECS instance, the evaluation result is Compliant. If the ECS instance does not have the specified tag key, the rule is not applicable. | The resource inherits a specified tag of the ECS instance with which the resource is associated. | Template remediation is supported. |
| resources-inherit-tags-from-resource-group | If a resource that belongs to a resource group inherits a specified tag of the resource group, the evaluation result is Compliant. If the resource does not belong to a resource group or the resource group does not have the specified tag key, the rule is not applicable. | The resource inherits a specified tag of the resource group to which the resource belongs. | Template remediation is supported. |
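The detection logic in the table above is easy to misjudge in practice (case-sensitive keys, a key that differs only in case, what `*` and `?` match, an empty tag set). The following Python script is an added example, not code from Cloud Config or Alibaba Cloud: it reproduces the matching semantics of the first six templates (all required tags, at least one tag, wildcard key with comma-separated wildcard values, regular expression on key and optional value, non-empty tags) over a constructed inventory, so you can pre-check a tagging plan locally before enabling a rule. The resource names, tags and the function names are assumptions made for this example.

```python
import re

# Constructed sample resources (names and tags are made up for this example).
RESOURCES = {
    "ecs-a": {"env": "test", "owner": "alice"},
    "ecs-b": {"env": "prod"},
    "ecs-c": {"Env": "test"},   # key differs only in case, so it does not match "env"
    "oss-d": {},                # no tags at all
}


def _glob_to_regex(pattern):
    """Turn a pattern that may contain * (any run of characters) and ? (exactly one
    character) into an anchored regular expression; every other character is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def required_tags(tags, required):
    """All listed key-value pairs must be present; keys and values are case-sensitive."""
    return all(tags.get(key) == value for key, value in required.items())


def at_least_one_tag(tags, candidates):
    """At least one of the listed key-value pairs must be present (case-sensitive)."""
    return any(tags.get(key) == value for key, value in candidates.items())


def wildcard_tag(tags, key_pattern, value_patterns):
    """One key pattern and several comma-separated value patterns; a resource tag only
    has to match one of the value patterns. Case-sensitive, * and ? are wildcards."""
    key_re = _glob_to_regex(key_pattern)
    value_res = [_glob_to_regex(v.strip()) for v in value_patterns.split(",")]
    return any(
        key_re.match(key) and any(v_re.match(value) for v_re in value_res)
        for key, value in tags.items()
    )


def regex_tag(tags, key_regex, value_regex=None):
    """The key regular expression is required; the value regular expression is optional."""
    key_re = re.compile(key_regex)
    value_re = re.compile(value_regex) if value_regex else None
    return any(
        key_re.search(key) and (value_re is None or value_re.search(value))
        for key, value in tags.items()
    )


def tag_not_empty(tags):
    """Compliant as soon as the resource carries any tag at all."""
    return bool(tags)


def audit(resources, check):
    """Run one check over an inventory and report Compliant / Non-Compliant per resource."""
    return {rid: ("Compliant" if check(tags) else "Non-Compliant")
            for rid, tags in resources.items()}


if __name__ == "__main__":
    print(audit(RESOURCES, lambda t: required_tags(t, {"env": "test"})))
    print(audit(RESOURCES, lambda t: wildcard_tag(t, "env", "test, pro*")))
    print(audit(RESOURCES, lambda t: regex_tag(t, r"^[Ee]nv$", r"^(test|prod)$")))
```

Running the script shows the point the table makes about case sensitivity: `ecs-c` with the key `Env` fails the required-tags and wildcard checks for `env`, and only a regular expression such as `^[Ee]nv$` accepts both spellings.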
Scenario 1
Description
You can use creator tags from Resource Management to define the scope of a Cloud Config rule. This lets you automatically check whether resources created by a specific account have a required tag key-value pair. This scenario shows how to automatically check whether a resource created by the Resource Access Management (RAM) user 20654616023382**** has the env:test tag. If the tag is missing, it is automatically added.
Prerequisites
The createdby tags feature is enabled. For more information, see Enable or disable createdby tags.
Procedure
Log on to the Cloud Config console.
In the navigation pane on the left, choose Compliance & Audit > Rules.
On the Rules page, click Create Rule.
In the Select Create Method step, select Based on managed rule, search for required-tags, select the displayed rule, and then click Next.
On the Set Basic Properties page, under Rule Parameters, set tag1Key to env and the Expected Value for tag1Value to test. Configure other parameters as needed, and then click Next.
On the Set Scope page, in the section for applying the rule based on specific tags, set Key to acs:tag:createdby and Value to sub:20654616023382****:dongdong_****.
Note: If the resource creator is a RAM user, the creator tag value is in the format sub:<RamUserId>:<RamUserName>. In this format, <RamUserId> is the RAM user ID, and <RamUserName> is the RAM user name.
In the Set Remediation step, turn on Set Remediation and set the Invoke Type parameter to Automatic Remediation.
Click Submit.
Enable the rule to evaluate resources, view the evaluation result of the resources, and check whether non-compliant resources are automatically remediated.
FAQ
Some resources are not automatically remediated after an audit.
After you enable the createdby tags feature, the acs:tag:createdby tag is automatically associated with resources that you create. However, resources that are created before you enable the feature are not associated with the acs:tag:createdby tag. The resources are not evaluated based on the rule. If non-compliant resources exist among the resources, the non-compliant resources are not automatically remediated.
Scenario 2
Description
Cloud Config can automatically check the tag key-value pairs of resources in a specific resource group and apply corrections. This scenario shows how to use a Cloud Config rule template to check whether resources in the resource group rg-aekz5zudjfo**** (resource group identifier: test-resource-group) have the tag key-value pair env:test, and how to automatically correct non-compliant resources.
Prerequisites
Ensure that the resource group has the tag key-value pair env:test attached. Log on to the Tag console to check whether the tag is attached to the resource group. If not, attach the tag. For more information, see Create and attach a custom tag.
Procedure
Log on to the Cloud Config console.
In the navigation pane on the left, choose Compliance & Audit > Rules.
On the Rules page, click Create Rule.
In the Select Create Method step, select Based on managed rule, search for resources-inherit-tags-from-resource-group, select the displayed rule, and then click Next.
On the Set Basic Properties page, for Rule Parameters, set the Expected Value for inheritTagKeys to env. Configure other parameters as needed, and then click Next.
On the Set Scope page, set Resource Group ID to test-resource-group (or rg-aekz5zudjfo****), and then click Next.
Note: You can set the resource group ID using the Resource Group Name, Resource Group Identifier, or Resource Group ID.
On the Set Remediation page, enable remediation and set the Trigger Method to Automatic.
Click Submit.
Manually run the audit. Then, query the audit results and verify that the resources in the resource group rg-aekz5zudjfo**** have the env:test tag key-value pair attached.
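Scenario 1 and Scenario 2 follow the same shape: a scope (creator tag or resource group), an evaluation (required-tags or resources-inherit-tags-from-resource-group) and an automatic remediation that adds the missing tag. The script below is an added example, not Cloud Config code, that simulates both rules over a constructed inventory so the behaviour described in the two procedures and in the Scenario 1 FAQ can be checked locally: a resource without the acs:tag:createdby tag is out of scope for Scenario 1 and is therefore never remediated, and a resource whose resource group lacks the inherited key is Not Applicable in Scenario 2. The masked IDs rg-aekz5zudjfo**** and sub:20654616023382****:dongdong_**** are taken from the page; the resource names ecs-1 to ecs-4, their tags, and the assumption that inheritance remediation overwrites a conflicting value with the resource group's value are made up for this example.

```python
import copy

# Constructed sample inventory for the two scenarios. The masked IDs are copied
# from the page; the resource names and tags are made up for this example.
RESOURCE_GROUPS = {
    "rg-aekz5zudjfo****": {"env": "test"},   # the resource group from Scenario 2
    "rg-other": {},                          # a resource group without an env tag
}
CREATOR = "sub:20654616023382****:dongdong_****"   # creator tag value from Scenario 1
RESOURCES = {
    # Created by the RAM user after createdby tags were enabled; env tag missing.
    "ecs-1": {"resource_group": "rg-aekz5zudjfo****",
              "tags": {"acs:tag:createdby": CREATOR}},
    # Created before createdby tags were enabled: no creator tag at all (see the FAQ).
    "ecs-2": {"resource_group": "rg-aekz5zudjfo****", "tags": {"env": "prod"}},
    # Already carries env:test, but lives in a resource group without the env key.
    "ecs-3": {"resource_group": "rg-other",
              "tags": {"acs:tag:createdby": CREATOR, "env": "test"}},
    # Created by a different RAM user.
    "ecs-4": {"resource_group": "rg-other",
              "tags": {"acs:tag:createdby": "sub:11111111111111****:other_****"}},
}


def parse_creator(value):
    """Split a RAM-user creator tag value, sub:<RamUserId>:<RamUserName>, into its parts."""
    parts = value.split(":", 2)
    if len(parts) != 3 or parts[0] != "sub":
        return None
    return {"ram_user_id": parts[1], "ram_user_name": parts[2]}


def evaluate_required_tag(resource, key, value):
    """required-tags logic for one key-value pair (case-sensitive)."""
    return "Compliant" if resource["tags"].get(key) == value else "Non-Compliant"


def evaluate_inherit(resource, key, groups):
    """resources-inherit-tags-from-resource-group logic: Not Applicable when the group
    is unknown or lacks the key, otherwise the resource must carry the group's value."""
    group_tags = groups.get(resource["resource_group"])
    if group_tags is None or key not in group_tags:
        return "Not Applicable"
    return "Compliant" if resource["tags"].get(key) == group_tags[key] else "Non-Compliant"


def run_rule(resources, in_scope, evaluate, remediate):
    """Evaluate each in-scope resource; on Non-Compliant apply the remediation and
    re-evaluate, mirroring Automatic Remediation. Out-of-scope resources are untouched."""
    results = {}
    for rid, resource in resources.items():
        if not in_scope(resource):
            results[rid] = "Out of scope"
            continue
        status = evaluate(resource)
        if status == "Non-Compliant":
            remediate(resource)
            status = evaluate(resource)
        results[rid] = status
    return results


def scenario_1(resources=RESOURCES):
    """Scope by creator tag, require env:test, add the tag when it is missing."""
    inventory = copy.deepcopy(resources)   # keep the module-level inventory untouched
    results = run_rule(
        inventory,
        in_scope=lambda r: r["tags"].get("acs:tag:createdby") == CREATOR,
        evaluate=lambda r: evaluate_required_tag(r, "env", "test"),
        remediate=lambda r: r["tags"].__setitem__("env", "test"),
    )
    return results, inventory


def scenario_2(resources=RESOURCES, groups=RESOURCE_GROUPS):
    """Scope by resource group, require the env tag to be inherited, copy it from the
    group. Assumption: remediation overwrites a conflicting value with the group's."""
    inventory = copy.deepcopy(resources)
    results = run_rule(
        inventory,
        in_scope=lambda r: r["resource_group"] == "rg-aekz5zudjfo****",
        evaluate=lambda r: evaluate_inherit(r, "env", groups),
        remediate=lambda r: r["tags"].__setitem__("env", groups[r["resource_group"]]["env"]),
    )
    return results, inventory


if __name__ == "__main__":
    print(parse_creator(CREATOR))
    print("Scenario 1:", scenario_1()[0])
    print("Scenario 2:", scenario_2()[0])
```

In the Scenario 1 run, ecs-2 is reported as out of scope rather than remediated, which is exactly the situation the FAQ below describes for resources created before the createdby tags feature was enabled; in the Scenario 2 run the same resource is in scope through its resource group and receives env:test.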
FAQ
Why do non-compliant resources still exist after I enable the rule that can automatically remediate resources?
Go to the rule details page and click the Result tab to view remediation results. Check whether the automatic remediation is complete. The remediation duration varies based on the number of non-compliant resources. After the automatic remediation is complete, the resource status is updated in Cloud Config within 10 minutes, and then the resources are re-evaluated based on the rule.