Best practice for using the Tag Policy feature in single-account mode -

This topic describes the best practice for using a tag policy in single-account mode to standardize tag-related operations that are performed by using an Alibaba Cloud account.

Background information

As business in the cloud evolves, the requirements of enterprises for resource management may increase. If the resources of an enterprise are shared by multiple subsidiaries or departments, resource management operations may be more complex. In the initial development stage of an enterprise, the enterprise needs to produce resources for internal use to meet the requirement of rapid development. As the business of the enterprise develops, the resources of the enterprise may be shared by multiple subsidiaries or departments to achieve fine-grained development. In the further development stage of the enterprise, the enterprise may need to perform resource management, implement unified resource production and planning, and achieve resource reuse based on specific business scenarios. Tag-based resource management lays a foundation for unified resource production and sharing and allows you to classify resources by purpose, use scenario, and attribution. The prerequisite for resource classification is to add tags to resources in a standard manner. An enterprise can use a tag policy to define the tags that must be added to resources.

Important

When you use a tag policy, we recommend that you attach the tag policy to an account that has a small number of resources to perform a test. If the test is successful, you can attach the tag policy to a production account.

Use the Tag Policy feature for the first time

Step	Operation	Result	References
Step 1: Enable the Tag Policy feature	Log on to the Resource Management console. In the left-side navigation pane, choose Tag Policy > Policy Library. On the Policy Library page, enable the Tag Policy feature in single-account mode.	The Tag Policy feature in single-account mode is enabled.	Use an Alibaba Cloud account to enable the Tag Policy feature
Step 2: Create a tag policy	On the Policy Library page, click Create Tag Policy to create a tag policy. Specify the tag keys, tag values, and resource types that you want to detect. Do not select Automatic Remediation. You can configure the document of the tag policy in quick mode or JSON mode. If this is the first time that you configure a tag policy, we recommend that you configure the document of the tag policy in quick mode.	The tag policy, such as p-xxxx, is created.	Create a tag policy in single-account mode
Step 3: Attach the tag policy to an account	On the Policy Library page, attach the tag policy to the current logon account. This way, the system can detect tag compliance for the account based on the tag policy.	The status of the tag policy on the Policy Library page is Attached.	Attach a tag policy
Step 4: View the effective policy	On the Effective Policies page, view the effective policy of the account. You can click a tag key to view the details of the related tag policy.	The tag policy is effective for the account as expected.	View an effective policy
Step 5: View the detection results	On the Detection Results page, view information about the resources to which non-compliant tags are attached within the account, such as the number of the resources, the percentage of the resources, and the list of the resources. You can also click Generate Latest Report to generate a report for the resources to which non-compliant tags are attached and download the report.	The detection results are obtained. You can check whether the detection results meet your business requirements.	View and download non-compliance detection results
Step 6: Manually remediate non-compliant tags	Log on to the consoles of Alibaba Cloud services to which resources with non-compliant tags belong and attach the tags defined in the tag policy to the resources. Then, view the detection results again.	All resources within the account are attached compliant tags.	None

Use the advanced features of a tag policy

In addition to automatic detection of non-compliant tags, you can also use a tag policy to implement automatic remediation and pre-event interception of non-compliant tags, and enable automatic tag inheritance from a resource group. For information about the Alibaba Cloud services and resource types that support the advanced features, see Services that work with tag policies.

You can use the advanced features described in the following table based on your business requirements.

Advanced feature	Operation	Result	References
Automatic tag remediation	When you create or modify a tag policy, select Automatic Remediation.	The system remediates non-compliant tags.	Enable automatic tag remediation
Pre-event interception	When you create or modify a tag policy, select Pre-event Interception. Pre-event interception is a pre-event method that is used to ensure tag compliance. You can use this feature in one of the following scenarios: Intercept non-compliant tags when you create a resource. By default, this feature takes effect only for tags that are defined in a tag policy. This feature is in invitational preview for resources to which no tags are added or other tags are added. If you want this feature to take effect for a resource to which no tags are added or other tags are added when you create the resource, you must contact the customer business manager (CBM) of Alibaba Cloud to apply for a trial. Intercept non-compliant tags when you add tags to a resource.	When you create a resource or add tags to an existing resource, the system performs a check. If the tags defined in the tag policy are not added to the resource, the resource creation or tag addition operation fails.	Enable pre-event interception of non-compliant tags
Automatic tag inheritance from a resource group	When you create or modify a tag policy, select Automatically Inherit Tags for Resources from Resource Groups.	After you create a resource in the specified resource group or add a resource to the resource group, the resource inherits the tags that are added to the resource group.	Enable automatic tag inheritance from a resource group