A tag policy is a type of policy that standardizes the tags added to resources. You can use a tag policy to define the tags that must be added to your resources. Compliant tags help improve efficiency in areas such as cost allocation by tag, access control by tag, and automated O&M. The Tag Policy feature supports single-account mode and multi-account mode, which meet your requirements for standardized tag management at different stages.

Scenarios

As the number of your cloud resources grows, you can add tags to classify the resources. This way, you can allocate costs by tag and implement automated O&M. However, issues can occur when you add tags. For example, you may forget to add tags after you create a resource, add only some tags such as O&M-related tags but forget finance-related tags, or add tags that contain spelling errors. If these issues occur, the costs of some resources cannot be allocated based on your business requirements when you allocate costs by tag, or automated O&M operations cannot be performed for some resources. The Tag Policy feature provides solutions to these issues in the following scenarios:

  • Automatic tag detection

    After you create a resource and add tags to the resource, you can use a tag policy to periodically check the following items to determine the tag compliance of the resource:

    • Whether the tags added to the resource are compliant
    • Whether the tags defined in the tag policy are added to the resource

    Automatic tag detection can help you identify issues at the earliest opportunity.

  • Automatic remediation for tags

    If you enable automatic remediation for tags and the remediation rules that you configure match the conditions for triggering automatic remediation, the system remediates the non-compliant tags based on the detection results.

  • Tag compliance enforcement

    Automatic tag detection starts after a delay. After a resource is created, non-compliant tags on the resource cannot be detected until automatic tag detection starts. We recommend that you apply standardized tag management when you create a resource. To do this, enable tag policy enforcement for a resource type when you create a tag policy. Then, when you create a resource of this type, tag compliance is enforced for the resource: if you add non-compliant tags to the resource, the resource fails to be created. Tag compliance enforcement takes effect only for tags that are defined in a tag policy. If no tags are added to a resource, or other tags are added to the resource to which the tag policy is applied, tag compliance enforcement does not take effect.

    Note: The tag policy enforcement feature is in invitational preview. You can contact the service manager of Alibaba Cloud to apply for a trial.

  • Automatic tag inheritance from a resource group

    After you add a tag to a resource group, if you create a resource in or add a resource to the resource group, the tag is automatically added to the resource.
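
The difference between enforcement at creation and periodic detection described in the scenarios above, as an added example that is not part of the original page and is not Alibaba Cloud code. POLICY is a simplified model (tag key to allowed values) rather than the Tag Policy document syntax, and all resource names and tag values are constructed. It assumes case-sensitive keys and that enforcement evaluates only the defined keys present on a request.

```python
# Added example. POLICY is a simplified model (tag key -> allowed values),
# not the Tag Policy document syntax; all names and values are constructed.
POLICY = {"CostCenter": {"Beijing", "Shanghai"}, "Env": {"prod", "test"}}

# Constructed creation requests: resource name -> tags supplied at creation.
REQUESTS = {
    "vm-ok":       {"CostCenter": "Beijing", "Env": "prod"},
    "vm-typo":     {"CostCenter": "Bejing", "Env": "prod"},  # misspelled value
    "vm-untagged": {},                                        # no tags at all
    "vm-other":    {"Owner": "alice"},                        # only undefined keys
    "vm-partial":  {"Env": "test"},                           # O&M tag, no finance tag
}


def detect(policy, tags):
    """Automatic tag detection: report missing and non-compliant policy tags."""
    findings = []
    for key, allowed in sorted(policy.items()):
        if key not in tags:
            findings.append(("missing", key))
        elif tags[key] not in allowed:
            findings.append(("noncompliant", key))
    return findings


def enforce(policy, tags):
    """Enforcement at creation (assumed model): only keys that are defined in
    the policy AND present on the request are evaluated.
    Returns (allowed, offending_keys)."""
    bad = sorted(k for k, v in tags.items() if k in policy and v not in policy[k])
    return (not bad, bad)


def enforcement_gaps(policy, requests):
    """Requests that enforcement lets through but detection later flags."""
    gaps = {}
    for name, tags in requests.items():
        allowed, _ = enforce(policy, tags)
        findings = detect(policy, tags)
        if allowed and findings:
            gaps[name] = findings
    return gaps


if __name__ == "__main__":
    for name, tags in REQUESTS.items():
        state = "created" if enforce(POLICY, tags)[0] else "rejected"
        print(name, state, detect(POLICY, tags))
    print("left to periodic detection:", sorted(enforcement_gaps(POLICY, REQUESTS)))
```

Resources returned by `enforcement_gaps` exist untagged or partly tagged until automatic tag detection runs, so tag-based access control and cost allocation should not assume that enforcement alone guarantees the required tags are present.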

Modes of the Tag Policy feature

The Tag Policy feature supports single-account mode and multi-account mode. You can enable the feature in a specific mode based on your business scenario and the type of your logon account. The two modes are described below by scenario and type of logon account.

Scenario: If your business on the cloud is simple and you use only one Alibaba Cloud account and the RAM users within the Alibaba Cloud account to perform management operations, you can use the Alibaba Cloud account to enable the Tag Policy feature in single-account mode. Then, you can use tag policies to manage the tag-related operations performed by using the Alibaba Cloud account or the RAM users.

  • Type of the logon account: Alibaba Cloud account that is not the management account or a member of a resource directory

    Mode of the Tag Policy feature: Single-account mode. The Tag Policy feature in this mode can be used to manage tag-related operations performed by using an Alibaba Cloud account or the RAM users within the Alibaba Cloud account.

    References: Use an Alibaba Cloud account to enable the Tag Policy feature

Scenario: If your business on the cloud is complex and you use a resource directory to manage all your accounts, you can use the management account of the resource directory to enable the Tag Policy feature in multi-account mode. Then, you can use tag policies to manage the tag-related operations performed by using a member of the resource directory.

  • Type of the logon account: Management account of a resource directory

    Mode of the Tag Policy feature: You can enable the Tag Policy feature in both modes or in one of the modes based on your business requirements.

    • Multi-account mode: The Tag Policy feature in this mode can be used to manage the tag-related operations performed by using a member of the resource directory.
      Note: If a member of the resource directory is used to enable the Tag Policy feature in single-account mode, the management account of the resource directory cannot be used to enable the Tag Policy feature in multi-account mode. To enable the Tag Policy feature in multi-account mode, you must first disable the single-account mode that was enabled by using the member.
    • Single-account mode: The Tag Policy feature in this mode can be used to manage only tag-related operations performed by using the management account of the resource directory.

    References: Use the management account of a resource directory to enable the Tag Policy feature

  • Type of the logon account: Member of a resource directory

    Mode of the Tag Policy feature: The following situations may occur based on whether the Tag Policy feature is enabled for a resource directory:

    • If the Tag Policy feature is not enabled for the resource directory, you can use a member of the resource directory to enable the Tag Policy feature in single-account mode to manage only the tag-related operations performed by using the member.
    • If the Tag Policy feature is enabled for the resource directory, you cannot use a member of the resource directory to enable the Tag Policy feature. Tag policies are managed by using the management account of the resource directory in a centralized manner. You can use the member only to view the effective policy of the member.

    References: Use a member of a resource directory to enable the Tag Policy feature

Limits

Item: Limit

  • Maximum number of tag policies you can create when you use the Tag Policy feature in single-account mode: 10
  • Maximum number of tag policies you can create when you use the Tag Policy feature in multi-account mode: 100
  • Maximum number of characters that each tag policy can contain: 2,048
  • Time required before tag policy enforcement takes effect:
    • After you attach a tag policy for which enforcement is enabled to an object, enforcement takes effect for the object within 5 minutes.
    • After you modify a tag policy for which enforcement is enabled, enforcement takes effect for the attached object within 5 minutes.
  • Time required before automatic tag detection is started or complete:
    • After you attach a tag policy to an object, automatic tag detection starts within 1 hour.
    • After a resource is created within the account to which a tag policy is attached, automatic tag detection starts within 10 minutes.
    • After a resource within the account to which a tag policy is attached is modified, automatic tag detection starts in real time.
    • After the document of a tag policy that is attached to an account is modified, automatic tag detection is performed for all resources within the account. The time required for the detection depends on the number of resources within the account. A larger number of resources indicates a longer detection time.
  • Time required before automatic remediation is complete: After the system detects resources that lack compliant tags or carry non-compliant tags, it remediates the tags for the resources within 10 minutes.

Best practices

Services that work with tag policies

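| Service | Service code | Resource type | Support for automatic tag detection | Support for automatic tag inheritance from a resource group | Support for tag policy enforcement¹ | API operation that supports tag policy enforcement |
|---|---|---|---|---|---|---|
| Elastic Compute Service (ECS) | ecs | instance | Yes | Yes | Yes | RunInstances, CreateInstance, TagResources |
| Elastic Compute Service (ECS) | ecs | eni | Yes | No | Yes | CreateNetworkInterface, TagResources |
| Elastic Compute Service (ECS) | ecs | securitygroup | Yes | Yes | Yes | CreateSecurityGroup, TagResources |
| Elastic Compute Service (ECS) | ecs | disk | Yes | Yes | Yes | CreateDisk, TagResources |
| Elastic Compute Service (ECS) | ecs | snapshot | Yes | No | Yes | CreateSnapshot, TagResources |
| Elastic Compute Service (ECS) | ecs | ddh | Yes | Yes | Yes | AllocateDedicatedHosts, TagResources |
| Elastic Compute Service (ECS) | ecs | image | No | No | Yes | CreateImage, CopyImage, TagResources |
| Elastic Compute Service (ECS) | ecs | keypair | No | No | Yes | ImportKeyPair, CreateKeyPair, TagResources |
| Elastic Compute Service (ECS) | ecs | launchtemplate | Yes | Yes | Yes | CreateLaunchTemplate, TagResources |
| Elastic Compute Service (ECS) | ecs | snapshotpolicy | No | No | Yes | CreateAutoSnapshotPolicy |
| ApsaraDB RDS | rds | instance | Yes | Yes | Yes | CreateDBInstance, TagResources |
| Server Load Balancer (SLB) | slb | instance | Yes | Yes | Yes | TagResources |
| Server Load Balancer (SLB) | slb | certificate | No | No | Yes | TagResources |
| Server Load Balancer (SLB) | slb | acl | No | No | Yes | TagResources |
| Application Load Balancer (ALB) | alb | acl | No | No | Yes | TagResources |
| Application Load Balancer (ALB) | alb | loadbalancer | No | No | Yes | TagResources |
| Application Load Balancer (ALB) | alb | securitypolicy | No | No | Yes | TagResources |
| Application Load Balancer (ALB) | alb | servergroup | No | No | Yes | TagResources |
| Virtual Private Cloud (VPC) | vpc | vpc | Yes | Yes | Yes | TagResources |
| Virtual Private Cloud (VPC) | vpc | vswitch | Yes | No | Yes | TagResources |
| Virtual Private Cloud (VPC) | vpc | routetable | Yes | No | Yes | TagResources |
| NAT Gateway | vpc | natgateway | Yes | Yes | Yes | TagResources |
| VPN Gateway | vpc | vpngateway | No | No | Yes | TagResources |
| EIP Bandwidth Plan | vpc | commonbandwidthpackage | No | No | Yes | TagResources |
| Elastic IP Address (EIP) | vpc | eip | Yes | Yes | Yes | TagResources |
| Cloud Enterprise Network (CEN) | cen | cen | Yes | Yes | Yes | TagResources |
| Cloud Enterprise Network (CEN) | cen | bandwidthpackage | No | No | Yes | TagResources |
| Alibaba Cloud CDN (CDN) | cdn | domain | Yes | Yes | No | N/A |
| Object Storage Service (OSS) | oss | bucket | Yes | Yes | No | N/A |
| ApsaraDB for Redis | kvstore | instance | Yes | Yes | Yes | CreateInstance, TagResources |
| ApsaraDB for MongoDB | dds | instance | Yes | Yes | Yes | TagResources |
| ApsaraDB for HBase | multimod | cluster | Yes | Yes | Yes | TagResources |
| PolarDB | polardb | cluster | Yes | Yes | No | N/A |
| Apsara File Storage NAS (NAS) | nas | filesystem | Yes | Yes | Yes | None |
| Anti-DDoS | ddoscoo | instance | Yes | Yes | Yes | TagResources, CreateTagResources |
| Container Service for Kubernetes (ACK) | cs | cluster | Yes | Yes | No | N/A |
| API Gateway | apigateway | api | Yes | Yes | No | N/A |
| API Gateway | apigateway | apigroup | Yes | Yes | No | N/A |
| API Gateway | apigateway | app | No | No | No | N/A |
| API Gateway | apigateway | instance | No | No | No | N/A |
| API Gateway | apigateway | plugin | No | No | No | N/A |
| Alibaba Cloud DNS (DNS) | alidns | domain | No | No | Yes | N/A |
| Auto Scaling | ess | scalinggroup | No | No | Yes | CreateScalingGroup, TagResources |
| Elastic Container Instance | eci | containergroup | No | No | Yes | CreateContainerGroup, UpdateContainerGroup |
| Elastic Container Instance | eci | imagecache | No | No | Yes | UpdateImageCache, CreateImageCache |
| Elastic Container Instance | eci | virtualnode | No | No | Yes | UpdateVirtualNode, CreateVirtualNode |
| Message Queue for Apache RocketMQ | mq | group | No | No | Yes | TagResources |
| Message Queue for Apache RocketMQ | mq | instance | No | No | Yes | TagResources |
| Message Queue for Apache RocketMQ | mq | topic | No | No | Yes | TagResources |
| Bastionhost | bastionhost | instance | No | No | Yes | TagResources |
| Resource Orchestration Service (ROS) | ros | changeset | No | No | Yes | TagResources |
| Resource Orchestration Service (ROS) | ros | stack | No | No | Yes | CreateStack, UpdateStack, TagResources |
| Resource Orchestration Service (ROS) | ros | template | No | No | Yes | TagResources |
| Operation Orchestration Service (OOS) | oos | application | No | No | Yes | CreateApplication, UpdateApplication, TagResources |
| Operation Orchestration Service (OOS) | oos | execution | No | No | Yes | StartExecution, TagResources |
| Operation Orchestration Service (OOS) | oos | parameter | No | No | Yes | CreateParameter, UpdateParameter, TagResources |
| Operation Orchestration Service (OOS) | oos | secretparameter | No | No | Yes | CreateSecretParameter, UpdateSecretParameter, TagResources |
| Operation Orchestration Service (OOS) | oos | stateconfiguration | No | No | Yes | CreateStateConfiguration, UpdateStateConfiguration, TagResources |
| Operation Orchestration Service (OOS) | oos | template | No | No | Yes | CreateTemplate, UpdateTemplate, TagResources |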

Additional information:

¹ Tag policy enforcement supports two scenarios: enforcement of tag compliance when you create a resource and enforcement of tag compliance when you add tags to a resource. Support for the two scenarios varies based on the Alibaba Cloud service type, resource type, and API operation. For example, you can call the CreateInstance operation to enforce tag compliance when you create an ECS instance, and you can call the TagResources operation to enforce tag compliance when you add tags to an ECS instance.