Tag Policy overview - - Alibaba Cloud Documentation Center

Resource Management provides the Tag Policy feature. This feature allows you to create and configure tag policies. Tag policies are a type of policy that is used to standardize the tags that are added to resources. You can use a tag policy to define the tags that must be added to your resources. Compliant tags can help you improve the efficiency in aspects such as tag-based cost allocation, tag-based access control, and automated O&M. The Tag Policy feature supports the single-account mode and resource directory mode. The two modes can meet your business requirements for standardized tag management in different stages.

Scenarios

As your resources on the cloud increase, you can add tags to the resources to classify the resources. This way, you can allocate costs by tag and implement automated O&M. When you add tags to a resource, issues may occur. For example, after you create a resource, you forget to add tags to the resource, you add only some tags such as O&M-related tags but forget to add finance-related tags, or the tags that you added contain spelling errors. If these issues occur, the costs of some resources cannot be allocated based on your business requirements when you allocate costs by tag, or automated O&M operations cannot be performed for some resources. The Tag Policy feature provides solutions to these issues in the following scenarios:

Automatic tag detection
After you create a resource and add tags to the resource, you can use a tag policy to periodically check the following items to determine the tag compliance of the resource:
- Whether the tags added to the resource are compliant
- Whether the tags defined in the tag policy are added to the resource
Automatic tag detection can help you identify issues at the earliest opportunity.
For more information, see Perform automatic tag detection.
Automatic remediation for tags
If you enable automatic remediation for tags and the remediation rules that you configure match the conditions for triggering automatic remediation, the system remediates the non-compliant tags based on the detection results.
For more information, see Enable automatic tag remediation.
Pre-event interception of non-compliant tags
Automatic tag detection starts with a latency. After a resource is created, non-compliant tags for the resource cannot be detected before automatic tag detection is started. We recommend that you perform standardized tag management when you create a resource. To achieve this, you can use a tag policy to implement pre-event interception of non-compliant tags for a resource type. This way, when you create a resource of this type, the resource can be successfully created only if tags defined in the tag policy are attached to the resource.
By default, pre-event interception of non-compliant tags takes effect only for tags that are defined in a tag policy. After you enable strong verification for pre-event interception of non-compliant tags, the system performs pre-event interception on a resource to which no tags are added or other tags are added when you create the resource.
For more information, see Enable pre-event interception of non-compliant tags.
Automatic tag inheritance from a resource group
After you add a tag to a resource group, if you create a resource in or add a resource to the resource group, the tag is automatically added to the resource.
For more information, see Enable automatic tag inheritance from a resource group.

Modes of the Tag Policy feature

Resource Management allows you to enable the Tag Policy feature in single-account mode or in resource directory mode. You can enable the Tag Policy feature that is in a specific mode based on your business scenario and the type of your logon account. The following table describes the two modes.

Scenario	Type of the logon account	Mode of the Tag Policy feature	References
If your business in the cloud is simple and you use a single Alibaba Cloud account and the RAM users within the Alibaba Cloud account to perform management operations, you can use the Alibaba Cloud account to enable the Tag Policy feature that is in single-account mode. Then, you can use tag policies to manage the tag-related operations performed by using the Alibaba Cloud account or the RAM users.	Alibaba Cloud account that is not the management account or a member of a resource directory	Single-account mode: The Tag Policy feature in this mode can be used to manage tag-related operations performed by using an Alibaba Cloud account or the RAM users within the Alibaba Cloud account.	Use an Alibaba Cloud account to enable the Tag Policy feature
If your business in the cloud is complex and you use a resource directory to manage all your accounts, you can use the management account of the resource directory to enable the Tag Policy feature that is in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member of the resource directory.	Management account of a resource directory	You can enable the Tag Policy feature in both modes or in one of the modes based on your business requirements. Resource directory mode: The Tag Policy feature in this mode can be used to manage the tag-related operations performed by using a member of the resource directory. Important If a member of the resource directory is used to enable the Tag Policy feature that is in single-account mode, the management account of the resource directory cannot be used to enable the Tag Policy feature that is in resource directory mode. To enable the Tag Policy feature that is in resource directory mode, you must first disable the Tag Policy feature that is in single-account mode and enabled by using the member. Single-account mode: The Tag Policy feature in this mode can be used to manage only tag-related operations performed by using the management account of the resource directory.	Use the management account of a resource directory to enable the Tag Policy feature
	Member of a resource directory	The following situations may occur based on whether the Tag Policy feature is enabled for a resource directory: If the Tag Policy feature is not enabled for the resource directory, you can use a member of the resource directory to enable the Tag Policy feature that is in single-account mode to manage only the tag-related operations performed by using the member. If the Tag Policy feature is enabled for the resource directory, you cannot use a member of the resource directory to enable the Tag Policy feature that is in single-account mode. Tag policies are managed by using the management account of the resource directory in a centralized manner. You can use the member only to view the effective policy of the member.	Use a member of a resource directory to enable the Tag Policy feature

Limits

Item	Limit
Maximum number of tag policies you can create when you use the Tag Policy feature that is in single-account mode	100
Maximum number of tag policies you can create when you use the Tag Policy feature that is in resource directory mode	100
Maximum number of characters that each tag policy can contain	2,048
Time required before pre-event interception of non-compliant tags takes effect	After you attach a tag policy for which pre-event interception of non-compliant tags is enabled to an object, pre-event interception takes effect for the object within 5 minutes. After you modify a tag policy for which pre-event interception of non-compliant tags is enabled, pre-event interception takes effect for the attached object within 5 minutes.
Time required before automatic tag detection is started or complete	After you attach a tag policy to an object, automatic tag detection starts within 1 hour. After a resource is created within the account to which a tag policy is attached, automatic tag detection starts within 10 minutes. After a resource within the account to which a tag policy is attached is modified, automatic tag detection starts in real time. After the document of a tag policy that is attached to an account is modified, automatic tag detection is performed for all resources within the account. The time required for the detection depends on the number of the resources within the account. A larger number of resources require longer detection time.
Time required before automatic remediation is complete	After resources to which compliant tags are not added or non-compliant tags are added are detected, the system remediates tags for the resources within 10 minutes.

Best practices

Services that support tag policies

Service	Service code	Resource type	Support for automatic tag detection and automatic tag remediation	Support for automatic tag inheritance from a resource group	Support for pre-event interception of non-compliant tags	API operation that supports the default feature for pre-event interception of non-compliant tags¹	API operation that supports strong verification for pre-event interception of non-compliant tags²
Elastic Compute Service (ECS)	ecs	instance	Yes	Yes	Yes	RunInstances	RunInstances
						CreateInstance	CreateInstance
						TagResources	None
		eni	Yes	No	Yes	CreateNetworkInterface	CreateNetworkInterface
		eni	Yes	No	Yes	TagResources	None
		securitygroup	Yes	Yes	Yes	CreateSecurityGroup	CreateSecurityGroup
		securitygroup	Yes	Yes	Yes	TagResources	None
		disk	Yes	Yes	Yes	CreateDisk	CreateDisk
		disk	Yes	Yes	Yes	TagResources	None
		snapshot	Yes	No	Yes	CreateSnapshot	CreateSnapshot
		snapshot	Yes	No	Yes	TagResources	None
		ddh	Yes	Yes	Yes	AllocateDedicatedHosts	AllocateDedicatedHosts
		ddh	Yes	Yes	Yes	TagResources	None
		image	No	No	Yes	CreateImage	CreateImage
						CopyImage	None
						TagResources	None
		keypair	No	No	Yes	ImportKeyPair	ImportKeyPair
						CreateKeyPair	CreateKeyPair
						TagResources	None
		launchtemplate	Yes	Yes	Yes	CreateLaunchTemplate	CreateLaunchTemplate
		launchtemplate	Yes	Yes	Yes	TagResources	None
		snapshotpolicy	No	No	Yes	CreateAutoSnapshotPolicy	CreateAutoSnapshotPolicy
ApsaraDB RDS	rds	instance	Yes	Yes	Yes	CreateDBInstance	None
ApsaraDB RDS	rds	instance	Yes	Yes	Yes	TagResources	None
Server Load Balancer (SLB)	slb	instance	Yes	Yes	Yes	TagResources	None
		certificate	No	No	Yes	TagResources	None
		acl	No	No	Yes	TagResources	None
Application Load Balancer (ALB)	alb	acl	No	No	Yes	TagResources	None
		loadbalancer	No	No	Yes	TagResources	None
		securitypolicy	No	No	Yes	TagResources	None
		servergroup	No	No	Yes	TagResources	None
Virtual Private Cloud (VPC)	vpc	vpc	Yes	Yes	Yes	TagResources	None
		vswitch	Yes	No	Yes	TagResources	None
		routetable	Yes	No	Yes	TagResources	None
NAT Gateway	vpc	natgateway	Yes	Yes	Yes	TagResources	None
VPN Gateway	vpc	vpngateway	No	No	Yes	TagResources	None
Internet Shared Bandwidth	vpc	commonbandwidthpackage	No	No	Yes	TagResources	None
Elastic IP Address (EIP)	vpc	eip	Yes	Yes	Yes	TagResources	None
Cloud Enterprise Network (CEN)	cen	cen	Yes	Yes	Yes	TagResources	None
Cloud Enterprise Network (CEN)	cen	bandwidthpackage	No	No	Yes	TagResources	None
Alibaba Cloud CDN (CDN)	cdn	domain	Yes	Yes	No	None	None
Object Storage Service (OSS)	oss	bucket	Yes	Yes	No	None	None
ApsaraDB for Redis	kvstore	instance	Yes	Yes	Yes	CreateInstance	None
ApsaraDB for Redis	kvstore	instance	Yes	Yes	Yes	TagResources	None
ApsaraDB for MongoDB	dds	instance	Yes	Yes	Yes	TagResources	None
ApsaraDB for HBase	multimod	cluster	Yes	Yes	Yes	TagResources	None
PolarDB	polardb	cluster	Yes	Yes	No	None	None
File Storage NAS (NAS)	nas	filesystem	Yes	Yes	Yes	None	None
Anti-DDoS	ddoscoo	instance	Yes	Yes	Yes	TagResources	None
Anti-DDoS	ddoscoo	instance	Yes	Yes	Yes	CreateTagResources	None
Container Service for Kubernetes (ACK)	cs	cluster	Yes	Yes	No	None	None
API Gateway	apigateway	api	Yes	Yes	No	None	None
		apigroup	Yes	Yes	No	None	None
		app	No	No	No	None	None
		instance	No	No	No	None	None
		plugin	No	No	No	None	None
Alibaba Cloud DNS (DNS)	alidns	domain	No	No	Yes	None	None
Auto Scaling	ess	scalinggroup	No	No	Yes	CreateScalingGroup	CreateScalingGroup
Auto Scaling	ess	scalinggroup	No	No	Yes	TagResources	None
Elastic Container Instance	eci	containergroup	No	No	Yes	CreateContainerGroup	CreateContainerGroup
		containergroup	No	No	Yes	UpdateContainerGroup	None
		imagecache	No	No	Yes	UpdateImageCache	None
		imagecache	No	No	Yes	CreateImageCache	None
		virtualnode	No	No	Yes	UpdateVirtualNode	None
		virtualnode	No	No	Yes	CreateVirtualNode	CreateVirtualNode
ApsaraMQ for RocketMQ	mq	group	No	No	Yes	TagResources	None
		instance	No	No	Yes	TagResources	None
		topic	No	No	Yes	TagResources	None
Bastionhost	bastionhost	instance	No	No	Yes	TagResources	None
Resource Orchestration Service (ROS)	ros	changeset	No	No	Yes	TagResources	None
		stack	No	No	Yes	CreateStack	CreateStack
						UpdateStack	None
						TagResources	None
		template	No	No	Yes	TagResources	None

Additional information:

¹Pre-event interception of non-compliant tags supports two scenarios: pre-event interception when you create a resource and pre-event interception when you add tags to a resource. Support for the two scenarios varies based on the Alibaba Cloud service, resource type, and API operation. For example, non-compliant tags can be intercepted when you call the CreateInstance operation to create an ECS instance or when you call the TagResources operation to add tags to an ECS instance.

²Strong verification for pre-event interception of non-compliant tags takes effect only after you manually enable it. For more information, see Enable pre-event interception of non-compliant tags.