Best practice for using the Tag Policy feature in resource directory mode

Last Updated: Nov 23, 2023

This topic describes the best practice for using a tag policy in resource directory mode to standardize tag-related operations that are performed by using a member in a resource directory.

Background information

If your business in the cloud is complex and you use a resource directory to manage all your accounts, you can use the management account of the resource directory to enable the Tag Policy feature in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member in the resource directory.

Important

When you use a tag policy, we recommend that you attach the tag policy to a member that has a small number of resources to perform a test. If the test is successful, you can attach the tag policy to multiple members, a folder other than the Root folder, or the Root folder.

Use the Tag Policy feature for the first time

Step 1: Enable the Tag Policy feature

Operation: Log on to the Resource Management console by using the management account of a resource directory or a delegated administrator account. In the left-side navigation pane, choose Tag Policy > Policy Library. On the Policy Library page, enable the Tag Policy feature in resource directory mode.

Result: The Tag Policy feature in resource directory mode is enabled.

References: Use the management account of a resource directory to enable the Tag Policy feature

Step 2: Create a tag policy

Operation: On the Policy Library page, click Create Tag Policy to create a tag policy. Specify the tag keys, tag values, and resource types that you want to detect. Do not select Automatic Remediation.

You can configure the document of the tag policy in quick mode or JSON mode. If this is the first time that you configure a tag policy, we recommend that you configure the document of the tag policy in quick mode.

Result: The tag policy, such as p-xxxx, is created.

References: Create a tag policy in resource directory mode

Step 3: Attach the tag policy to a member

Operation: On the Policy Library page, attach the tag policy to a member. This way, the system can detect tag compliance for the member based on the tag policy.

You can attach the tag policy to a member, a folder other than the Root folder, or the Root folder. If this is the first time that you use a tag policy, we recommend that you attach the tag policy to only a member.

Result: The tag policy is attached to the member.

References: Attach a tag policy

Step 4: View the effective policy

Operation: On the Effective Policies page, view the effective policy of the member. You can click a tag key to view the details of the related tag policy.

Result: The tag policy is effective for the member as expected.

References: View an effective policy

Step 5: View the detection results

Operation: On the Resource Directory tab of the Detection Results page, find the member and click its name. On the page that appears, view information about the resources to which non-compliant tags are attached within the member, such as the number of the resources, the percentage of the resources, and the list of the resources. You can also click Generate Latest Report to generate a report for the resources to which non-compliant tags are attached and download the report.

Result: The detection results are obtained. You can check whether the detection results meet your business requirements.

References: View and download non-compliance detection results

Step 6: Manually remediate non-compliant tags

Operation: Log on to the consoles of the Alibaba Cloud services to which the resources with non-compliant tags belong and attach the tags defined in the tag policy to the resources. Then, view the detection results again.

Result: All resources within the member have compliant tags attached.

References: None

Step 7: Attach the tag policy to multiple members or a folder

Operation: If the preceding test is successful, attach the tag policy to multiple members, a folder other than the Root folder, or the Root folder. If you attach the tag policy to the Root folder, the system can detect tag compliance for all members in the resource directory based on the tag policy.

Result: The system detects tag compliance for the related members based on the tag policy. You can view detection results for the members.

References: Attach a tag policy

Use the advanced features of a tag policy

In addition to automatic detection of non-compliant tags, you can also use a tag policy to implement automatic remediation and pre-event interception of non-compliant tags, and enable automatic tag inheritance from a resource group. For information about the Alibaba Cloud services and resource types that support the advanced features, see Services that work with tag policies.

You can use the advanced features described in the following table based on your business requirements.

Advanced feature: Automatic tag remediation

Operation: When you create or modify a tag policy, select Automatic Remediation.

Result: The system remediates non-compliant tags.

References: Enable automatic tag remediation

Advanced feature: Pre-event interception

Operation: When you create or modify a tag policy, select Pre-event Interception.

Result: Pre-event interception is a pre-event method that is used to ensure tag compliance. You can use this feature in one of the following scenarios:

  • Intercept non-compliant tags when you create a resource.

    • By default, this feature takes effect only for tags that are defined in a tag policy.

    • This feature is in invitational preview for resources to which no tags are added or other tags are added. If you want this feature to take effect for a resource to which no tags are added or other tags are added when you create the resource, you must contact the customer business manager (CBM) of Alibaba Cloud to apply for a trial.

  • Intercept non-compliant tags when you add tags to a resource.

When you create a resource or add tags to an existing resource, the system performs a check. If the tags defined in the tag policy are not added to the resource, the resource creation or tag addition operation fails.

References: Enable pre-event interception of non-compliant tags

Advanced feature: Automatic tag inheritance from a resource group

Operation: When you create or modify a tag policy, select Automatically Inherit Tags for Resources from Resource Groups.

Result: After you create a resource in the specified resource group or add a resource to the resource group, the resource inherits the tags that are added to the resource group.

References: Enable automatic tag inheritance from a resource group
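
The detection in Step 5 and the pre-event interception described above can be rehearsed offline against an exported resource list before a policy is attached to a folder. The following Python example is added here for illustration; it is not Alibaba Cloud code, calls no Alibaba Cloud API and does not use the service's policy syntax. Assumptions: the names TagRule, detect, intercept and preview_scope are hypothetical, the inventory and resource type names are constructed, tag keys are compared case-sensitively, and a resource that lacks a policy-defined key counts as non-compliant in detection.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TagRule:
    """Local model of one policy rule; not the service's JSON policy syntax."""
    key: str
    allowed_values: frozenset  # empty set means any value is accepted
    resource_types: frozenset  # resource types the rule is checked against

def violations(rule, rtype, tags, require_key=True):
    """Return the reasons `tags` break `rule`; an empty list means compliant."""
    if rtype not in rule.resource_types:
        return []
    if rule.key not in tags:  # keys compared case-sensitively (assumption)
        return [f"missing {rule.key}"] if require_key else []
    if rule.allowed_values and tags[rule.key] not in rule.allowed_values:
        return [f"{rule.key}={tags[rule.key]} not allowed"]
    return []

def detect(rules, inventory):
    """Detection pass: number, percentage (of the inventory) and list of
    non-compliant resources."""
    bad = {}
    for res in inventory:
        why = [v for r in rules for v in violations(r, res["type"], res["tags"])]
        if why:
            bad[res["id"]] = why
    pct = round(100 * len(bad) / len(inventory), 1) if inventory else 0.0
    return {"count": len(bad), "percent": pct, "resources": bad}

def intercept(rules, rtype, tags, preview_scope=False):
    """Pre-event check: True if a create or add-tag request would be allowed.
    preview_scope=False checks only policy-defined keys present in the request;
    True also rejects requests that carry no tags or only other tags."""
    return not any(violations(r, rtype, tags, require_key=preview_scope) for r in rules)

# Constructed sample data: resource type names and IDs are placeholders.
RULES = [TagRule("CostCenter", frozenset({"Finance", "Research"}), frozenset({"vm"}))]
INVENTORY = [
    {"id": "vm-1", "type": "vm", "tags": {"CostCenter": "Finance"}},
    {"id": "vm-2", "type": "vm", "tags": {"costcenter": "Finance"}},  # wrong case
    {"id": "vm-3", "type": "vm", "tags": {"CostCenter": "Sales"}},    # wrong value
    {"id": "vm-4", "type": "vm", "tags": {}},                         # untagged
    {"id": "disk-1", "type": "disk", "tags": {}},                     # out of scope
]

if __name__ == "__main__":
    print(detect(RULES, INVENTORY))
    print(intercept(RULES, "vm", {}), intercept(RULES, "vm", {}, preview_scope=True))
```

In this model an untagged resource passes the default interception scope yet still appears in the detection results, so detection reports remain necessary after interception is enabled.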