This topic describes how to use a tag policy to standardize tag-related operations.

Background information

The Tag Policy feature supports the single-account mode and multi-account mode. For more information, see Modes of the Tag Policy feature.

When you use the Tag Policy feature for the first time, we recommend that you enable the feature by using a test account that has a small number of resources. If the test is successful, you can enable the feature by using a production account.

Enable the Tag Policy feature that is in single-account mode

Step 1: Enable the Tag Policy feature

  1. Log on to the Resource Management console.
  2. In the left-side navigation pane, choose Tag Policy > Policy Library.
  3. On the Policy Library page, click Enable Tag Policy.
  4. In the Enable Tag Policy message, click OK.
    When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag Policy.

Step 2: Create a tag policy

You can create and configure a tag policy to define the tags that must be added to a resource. This ensures that the tags added to the resource are compliant.

  1. In the left-side navigation pane, choose Tag Policy > Policy Library.
  2. On the Policy Library page, click Create Tag Policy.
  3. On the Create Tag Policy page, configure the parameters.
    1. Enter a policy name in the Policy Name field.
    2. Optional: Enter a description in the Policy Description field.
    3. Configure the policy details in the Policy Details section.
      You can configure the policy details by using one of the following modes:
      • Quick Mode (recommended)

        In this mode, you need to enter a tag key and configure one or more rules that are described in the following table for the tag key based on your business requirements.

        | Rule | Description |
        | --- | --- |
        | Specify Allowed Tag Values | The tag values that are allowed for the tag key. You can use an asterisk (*) to indicate any tag values. |
        | Post-detection | This feature enables the system to check the compliance of tags after the tags are added to resources. Post-detection is selected by default. |
        | Enforcement | If you enable the enforcement feature for a tag key, non-compliant operations on the tag key are forcefully stopped. You need to specify the resource types for enforcement. For more information about the Alibaba Cloud services and resource types that support the enforcement feature, see Services that work with tag policies. For more information, see Enable tag policy enforcement. Note: The enforcement feature is in invitational preview. You can contact the service manager of Alibaba Cloud to apply for a trial. |
        | Automatic Remediation | If you enable the automatic remediation feature, non-compliant tags of resources are automatically corrected. You need to specify compliant tag values and the resource scope for automatic remediation. You can specify the resource scope only by using tags. |

        You can click Add Tag Key to add tag keys and configure rules for the tag keys.

      • JSON

        In this mode, you specify the policy details in the JSON format. You can use this mode if you have advanced requirements for tag policies. Before you use this mode, you must be familiar with the syntax of a tag policy. For more information, see Syntax of a tag policy.

  4. Click Create.

Step 3: Attach the tag policy

After the tag policy is created, you must attach the policy to the current Alibaba Cloud account. This way, you can use the tag policy to standardize tags added to the resources within the account.

  1. In the left-side navigation pane, choose Tag Policy > Policy Library.
  2. On the Policy Library page, find the tag policy that you want to attach and click Attach in the Actions column.
  3. In the Attach message, click OK.
    The tag policy is attached to the Alibaba Cloud account that you use for logon.

Step 4: (Optional) View the effective policy

After the tag policy is attached to the current Alibaba Cloud account, you can view the effective policy of the account.

  1. In the left-side navigation pane, choose Tag Policies > Effective Policies.
  2. View the document of an effective policy.
    You can view the document of an effective policy in visualized mode or display the document in the JSON format. By default, View in Visualized Mode is used. You can switch from View in Visualized Mode to View in JSON Format.

Step 5: Check whether the tag policy is in effect

You can use the current Alibaba Cloud account or a RAM user within the account to perform a tag-related operation to check whether the tag policy is in effect. For example, you apply a tag policy to a VPC, and the tag policy defines that the tag CostCenter:Beijing must be added to the VPC. When you add tags to the VPC, only the compliant tag CostCenter:Beijing is added to the VPC. Non-compliant tags such as costCenter:Shanghai fail to be added to the VPC. This indicates that the tag policy is in effect.

Enable the Tag Policy feature that is in multi-account mode

For security purposes, we recommend that you create a RAM user within the management account of your resource directory, attach the AdministratorAccess policy to the RAM user, and then use the RAM user as the administrator of the resource directory. Perform the following operations by using the RAM user. For more information about how to create a RAM user and grant permissions to the RAM user, see Create a RAM user and Grant permissions to a RAM user.

Step 1: Enable the Tag Policy feature

  1. Log on to the Resource Management console.
  2. In the left-side navigation pane, choose Tag Policy > Policy Library.
  3. On the Policy Library page, click Enable Tag Policy.
  4. In the Enable Tag Policy dialog box, specify the mode of the Tag Policy feature that you want to enable.
    You can select both or one of the following options:
    • Enable Tag Policy for Resource Directory: If you select this option, the Tag Policy feature in multi-account mode is enabled.
    • Enable Tag Policy for Current Account: If you select this option, the Tag Policy feature in single-account mode is enabled.
  5. Click OK.
    When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag Policy.

Step 2: Create a tag policy

You can create and configure a tag policy to define the tags that must be added to a resource. This ensures that the tags added to the resource are compliant.

  1. In the left-side navigation pane, choose Tag Policy > Policy Library.
  2. On the All Tag Policies tab of the Policy Library page, click Create Tag Policy.
  3. On the Create Tag Policy page, configure the parameters.
    1. Enter a policy name in the Policy Name field.
    2. Optional: Enter a description in the Policy Description field.
    3. Configure the policy details in the Policy Details section.
      You can configure the policy details by using one of the following modes:
      • Quick Mode (recommended)

        In this mode, you need to enter a tag key and configure one or more rules that are described in the following table for the tag key based on your business requirements.

        | Rule | Description |
        | --- | --- |
        | Specify Allowed Tag Values | The tag values that are allowed for the tag key. You can use an asterisk (*) to indicate any tag values. |
        | Post-detection | This feature enables the system to check the compliance of tags after the tags are added to resources. Post-detection is selected by default. |
        | Enforcement | If you enable the enforcement feature for a tag key, non-compliant operations on the tag key are forcefully stopped. You need to specify the resource types for enforcement. For more information about the Alibaba Cloud services and resource types that support the enforcement feature, see Services that work with tag policies. For more information, see Enable tag policy enforcement. Note: The enforcement feature is in invitational preview. You can contact the service manager of Alibaba Cloud to apply for a trial. |
        | Automatic Remediation | If you enable the automatic remediation feature, non-compliant tags of resources are automatically corrected. You need to specify compliant tag values and the resource scope for automatic remediation. You can specify the resource scope only by using tags. |

        You can click Add Tag Key to add tag keys and configure rules for the tag keys.

      • JSON

        In this mode, you specify the policy details in the JSON format. You can use this mode if you have advanced requirements for tag policies. Before you use this mode, you must be familiar with the syntax of a tag policy. For more information, see Syntax of a tag policy.

  4. Click Create.

Step 3: Attach the tag policy

After the tag policy is created, you must attach the tag policy to the Root folder, a specific folder, or a specific member. This way, you can use the tag policy to standardize the tags added to the resources within the members.

  1. In the left-side navigation pane, choose Tag Policy > Policy Library.
  2. On the Policy Library page, click the All Tag Policies tab.
  3. Find the tag policy that you want to attach and click Attach in the Actions column.
  4. In the Attach dialog box, select the objects to which you want to attach the tag policy and click OK.
    The effective scope of the tag policy varies based on the object type.
    • Root folder: If you attach the tag policy to the Root folder, the tag policy takes effect for all members in the resource directory.
    • Specific folder: If you attach the tag policy to a specific folder, the tag policy takes effect only for all members in the folder.
    • Specific member: If you attach the tag policy to a specific member, the tag policy takes effect only for the member.
    Note: You cannot attach tag policies to the management account of a resource directory. Tag policies do not take effect for management accounts.

Step 4: (Optional) View the effective policy

After the tag policy is attached, you can use the RAM user to view the effective policy of the Root folder, the specified folder, or the specified member as the administrator of the resource directory. You can use a member to view the effective policy of the member. An effective policy is obtained based on the inheritance relationship of a tag policy. For more information, see Inheritance of a tag policy and calculation of an effective policy.

  1. In the left-side navigation pane, choose Tag Policies > Effective Policies.
  2. View the document of an effective policy.
    You can view the document of an effective policy in visualized mode or display the document in the JSON format. By default, View in Visualized Mode is used. You can switch from View in Visualized Mode to View in JSON Format.

Step 5: Check whether the tag policy is in effect

  1. Use the RAM user to access a member to which the tag policy is attached.
    For more information, see Access a member.
  2. Perform a tag-related operation on a resource within the member to check whether the tag policy is in effect.
    For example, you apply a tag policy to a VPC, and the tag policy defines that the tag CostCenter:Beijing must be added to the VPC. When you add tags to the VPC, only the compliant tag CostCenter:Beijing is added to the VPC. Non-compliant tags such as costCenter:Shanghai fail to be added to the VPC. This indicates that the tag policy is in effect.
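
The difference between the Post-detection and Enforcement rules in the rule table, and the Step 5 check, modeled offline as an added example (not Alibaba Cloud code and not the tag policy JSON syntax). The TagRule structure, the resource-type labels, the sample resources, and the treatment of tag-key capitalization as part of compliance are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TagRule:
    """One Quick Mode rule for a tag key (hypothetical model, not the policy JSON syntax)."""
    key: str
    allowed_values: tuple                              # ("*",) allows any tag value
    enforced_types: set = field(default_factory=set)   # resource types with Enforcement on

def in_scope(rule, key):
    # Assumption: keys that differ only in capitalization fall under the same rule.
    return key.lower() == rule.key.lower()

def is_compliant(rule, key, value):
    # Assumption: the key must match the rule's capitalization exactly.
    return key == rule.key and ("*" in rule.allowed_values or value in rule.allowed_values)

def tag_resource(rule, resource, key, value):
    """Model a tagging request. Returns 'added' or 'rejected'."""
    violates = in_scope(rule, key) and not is_compliant(rule, key, value)
    if violates and resource["type"] in rule.enforced_types:
        return "rejected"              # Enforcement: the operation is stopped
    resource["tags"][key] = value      # no Enforcement: the tag lands, compliant or not
    return "added"

def post_detect(rule, resources):
    """Post-detection: report non-compliant tags that are already on resources."""
    return [(r["id"], k, v)
            for r in resources
            for k, v in r["tags"].items()
            if in_scope(rule, k) and not is_compliant(rule, k, v)]

def demo():
    # Constructed sample data: the rule from the Step 5 example, enforced for VPCs only.
    rule = TagRule("CostCenter", ("Beijing",), enforced_types={"vpc"})
    vpc = {"id": "vpc-example", "type": "vpc", "tags": {}}
    vsw = {"id": "vsw-example", "type": "vswitch", "tags": {}}
    results = [
        tag_resource(rule, vpc, "CostCenter", "Beijing"),    # compliant
        tag_resource(rule, vpc, "costCenter", "Shanghai"),   # blocked by Enforcement
        tag_resource(rule, vsw, "costCenter", "Shanghai"),   # type not enforced
    ]
    return results, post_detect(rule, [vpc, vsw])

if __name__ == "__main__":
    outcomes, findings = demo()
    print(outcomes)
    print(findings)
```

With Post-detection alone, the non-compliant tag is added and only reported afterwards, so the Step 5 check shows a failed tagging operation only for resource types that have Enforcement enabled.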