
Overview

Last Updated: Nov 01, 2024

Resource Management provides the Tag Policy feature, which allows you to create and configure tag policies. A tag policy is a type of policy that standardizes the tags that are added to resources. You can use a tag policy to define the tags that must be added to your resources. Compliant tags make tag-based cost allocation, tag-based access control, and automated O&M more efficient. The Tag Policy feature supports the single-account mode and the resource directory mode. The two modes meet your business requirements for standardized tag management at different stages.

Scenarios

As your resources on the cloud increase, you can add tags to the resources to classify them. This way, you can allocate costs by tag and implement automated O&M. Issues may occur when you add tags to a resource. For example, you forget to add tags after you create a resource, you add only some tags such as O&M-related tags but forget to add finance-related tags, or the tags that you add contain spelling errors. If these issues occur, the costs of some resources cannot be allocated based on your business requirements when you allocate costs by tag, or automated O&M operations cannot be performed for some resources. The Tag Policy feature provides solutions to these issues in the following scenarios:

  • Automatic tag detection

    After you create a resource and add tags to the resource, you can use a tag policy to periodically check the following items to determine the tag compliance of the resource:

    • Whether the tags added to the resource are compliant

    • Whether the tags defined in the tag policy are added to the resource

    Automatic tag detection can help you identify issues at the earliest opportunity.

    For more information, see Perform automatic tag detection.

  • Automatic remediation for tags

    If you enable automatic remediation for tags and the remediation rules that you configure match the conditions for triggering automatic remediation, the system remediates the non-compliant tags based on the detection results.

    For more information, see Enable automatic tag remediation.

  • Pre-event interception of non-compliant tags

    Automatic tag detection does not start immediately. After a resource is created, non-compliant tags for the resource cannot be detected until automatic tag detection starts. We recommend that you perform standardized tag management when you create a resource. To achieve this, you can use a tag policy to implement pre-event interception of non-compliant tags for a resource type. This way, when you create a resource of this type, the resource can be successfully created only if tags defined in the tag policy are attached to the resource.

    By default, pre-event interception of non-compliant tags takes effect only for tags that are defined in a tag policy. After you enable strong verification for pre-event interception of non-compliant tags, the system also intercepts the creation of a resource to which no tags are added or to which other tags are added.

    For more information, see Enable pre-event interception of non-compliant tags.

  • Automatic tag inheritance from a resource group

    After you add a tag to a resource group, if you create a resource in or add a resource to the resource group, the tag is automatically added to the resource.

    For more information, see Enable automatic tag inheritance from a resource group.

Modes of the Tag Policy feature

Resource Management allows you to enable the Tag Policy feature in single-account mode or in resource directory mode. Choose the mode based on your business scenario and the type of your logon account. The two modes are described below by scenario and type of logon account.

Scenario: If your business in the cloud is simple and you use a single Alibaba Cloud account and the RAM users within the Alibaba Cloud account to perform management operations, you can use the Alibaba Cloud account to enable the Tag Policy feature that is in single-account mode. Then, you can use tag policies to manage the tag-related operations performed by using the Alibaba Cloud account or the RAM users.

  • Type of the logon account: Alibaba Cloud account that is not the management account or a member of a resource directory

    Mode of the Tag Policy feature: Single-account mode. The Tag Policy feature in this mode can be used to manage tag-related operations performed by using an Alibaba Cloud account or the RAM users within the Alibaba Cloud account.

    References: Use an Alibaba Cloud account to enable the Tag Policy feature

Scenario: If your business in the cloud is complex and you use a resource directory to manage all your accounts, you can use the management account of the resource directory to enable the Tag Policy feature that is in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member of the resource directory.

  • Type of the logon account: Management account of a resource directory

    Mode of the Tag Policy feature: You can enable the Tag Policy feature in both modes or in one of the modes based on your business requirements.

    • Resource directory mode: The Tag Policy feature in this mode can be used to manage the tag-related operations performed by using a member of the resource directory.

      Important

      If a member of the resource directory is used to enable the Tag Policy feature that is in single-account mode, the management account of the resource directory cannot be used to enable the Tag Policy feature that is in resource directory mode. To enable the Tag Policy feature that is in resource directory mode, you must first disable the Tag Policy feature that is in single-account mode and enabled by using the member.

    • Single-account mode: The Tag Policy feature in this mode can be used to manage only tag-related operations performed by using the management account of the resource directory.

    References: Use the management account of a resource directory to enable the Tag Policy feature

  • Type of the logon account: Member of a resource directory

    Mode of the Tag Policy feature: The following situations may occur based on whether the Tag Policy feature is enabled for a resource directory:

    • If the Tag Policy feature is not enabled for the resource directory, you can use a member of the resource directory to enable the Tag Policy feature that is in single-account mode to manage only the tag-related operations performed by using the member.

    • If the Tag Policy feature is enabled for the resource directory, you cannot use a member of the resource directory to enable the Tag Policy feature that is in single-account mode. Tag policies are managed by using the management account of the resource directory in a centralized manner. You can use the member only to view the effective policy of the member.

    References: Use a member of a resource directory to enable the Tag Policy feature

Limits

  • Maximum number of tag policies you can create when you use the Tag Policy feature that is in single-account mode: 100

  • Maximum number of tag policies you can create when you use the Tag Policy feature that is in resource directory mode: 100

  • Maximum number of characters that each tag policy can contain: 2,048

  • Time required before pre-event interception of non-compliant tags takes effect:

    • After you attach a tag policy for which pre-event interception of non-compliant tags is enabled to an object, pre-event interception takes effect for the object within 5 minutes.

    • After you modify a tag policy for which pre-event interception of non-compliant tags is enabled, pre-event interception takes effect for the attached object within 5 minutes.

  • Time required before automatic tag detection is started or complete:

    • After you attach a tag policy to an object, automatic tag detection starts within 1 hour.

    • After a resource is created within the account to which a tag policy is attached, automatic tag detection starts within 10 minutes.

    • After a resource within the account to which a tag policy is attached is modified, automatic tag detection starts in real time.

    • After the document of a tag policy that is attached to an account is modified, automatic tag detection is performed for all resources within the account. The time required for the detection depends on the number of resources within the account. A larger number of resources requires a longer detection time.

  • Time required before automatic remediation is complete: After the system detects resources to which compliant tags are not added or non-compliant tags are added, it remediates the tags for the resources within 10 minutes.

Best practices

Services that support tag policies

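Column key: "Detection and remediation" is support for automatic tag detection and automatic tag remediation; "Inheritance" is support for automatic tag inheritance from a resource group; "Interception" is support for pre-event interception of non-compliant tags; "Default interception APIs" lists the API operations that support the default feature for pre-event interception of non-compliant tags [1]; "Strong verification APIs" lists the API operations that support strong verification for pre-event interception of non-compliant tags [2].

| Service | Service code | Resource type | Detection and remediation | Inheritance | Interception | Default interception APIs [1] | Strong verification APIs [2] |
|---|---|---|---|---|---|---|---|
| Elastic Compute Service (ECS) | ecs | instance | Yes | Yes | Yes | RunInstances, CreateInstance, TagResources | RunInstances, CreateInstance |
| Elastic Compute Service (ECS) | ecs | eni | Yes | No | Yes | CreateNetworkInterface, TagResources | CreateNetworkInterface |
| Elastic Compute Service (ECS) | ecs | securitygroup | Yes | Yes | Yes | CreateSecurityGroup, TagResources | CreateSecurityGroup |
| Elastic Compute Service (ECS) | ecs | disk | Yes | Yes | Yes | CreateDisk, TagResources | CreateDisk |
| Elastic Compute Service (ECS) | ecs | snapshot | Yes | No | Yes | CreateSnapshot, TagResources | CreateSnapshot |
| Elastic Compute Service (ECS) | ecs | ddh | Yes | Yes | Yes | AllocateDedicatedHosts, TagResources | AllocateDedicatedHosts |
| Elastic Compute Service (ECS) | ecs | image | No | No | Yes | CreateImage, CopyImage, TagResources | CreateImage |
| Elastic Compute Service (ECS) | ecs | keypair | No | No | Yes | ImportKeyPair, CreateKeyPair, TagResources | ImportKeyPair, CreateKeyPair |
| Elastic Compute Service (ECS) | ecs | launchtemplate | Yes | Yes | Yes | CreateLaunchTemplate, TagResources | CreateLaunchTemplate |
| Elastic Compute Service (ECS) | ecs | snapshotpolicy | No | No | Yes | CreateAutoSnapshotPolicy | CreateAutoSnapshotPolicy |
| ApsaraDB RDS | rds | instance | Yes | Yes | Yes | CreateDBInstance, TagResources | None |
| Server Load Balancer (SLB) | slb | instance | Yes | Yes | Yes | TagResources | None |
| Server Load Balancer (SLB) | slb | certificate | No | No | Yes | TagResources | None |
| Server Load Balancer (SLB) | slb | acl | No | No | Yes | TagResources | None |
| Application Load Balancer (ALB) | alb | acl | No | No | Yes | TagResources | None |
| Application Load Balancer (ALB) | alb | loadbalancer | No | No | Yes | TagResources | None |
| Application Load Balancer (ALB) | alb | securitypolicy | No | No | Yes | TagResources | None |
| Application Load Balancer (ALB) | alb | servergroup | No | No | Yes | TagResources | None |
| Virtual Private Cloud (VPC) | vpc | vpc | Yes | Yes | Yes | TagResources | None |
| Virtual Private Cloud (VPC) | vpc | vswitch | Yes | No | Yes | TagResources | None |
| Virtual Private Cloud (VPC) | vpc | routetable | Yes | No | Yes | TagResources | None |
| NAT Gateway | vpc | natgateway | Yes | Yes | Yes | TagResources | None |
| VPN Gateway | vpc | vpngateway | No | No | Yes | TagResources | None |
| Internet Shared Bandwidth | vpc | commonbandwidthpackage | No | No | Yes | TagResources | None |
| Elastic IP Address (EIP) | vpc | eip | Yes | Yes | Yes | TagResources | None |
| Cloud Enterprise Network (CEN) | cen | cen | Yes | Yes | Yes | TagResources | None |
| Cloud Enterprise Network (CEN) | cen | bandwidthpackage | No | No | Yes | TagResources | None |
| Alibaba Cloud CDN (CDN) | cdn | domain | Yes | Yes | No | None | None |
| Object Storage Service (OSS) | oss | bucket | Yes | Yes | No | None | None |
| ApsaraDB for Redis | kvstore | instance | Yes | Yes | Yes | CreateInstance, TagResources | None |
| ApsaraDB for MongoDB | dds | instance | Yes | Yes | Yes | TagResources | None |
| ApsaraDB for HBase | multimod | cluster | Yes | Yes | Yes | TagResources | None |
| PolarDB | polardb | cluster | Yes | Yes | No | None | None |
| File Storage NAS (NAS) | nas | filesystem | Yes | Yes | Yes | None | None |
| Anti-DDoS | ddoscoo | instance | Yes | Yes | Yes | TagResources, CreateTagResources | None |
| Container Service for Kubernetes (ACK) | cs | cluster | Yes | Yes | No | None | None |
| API Gateway | apigateway | api | Yes | Yes | No | None | None |
| API Gateway | apigateway | apigroup | Yes | Yes | No | None | None |
| API Gateway | apigateway | app | No | No | No | None | None |
| API Gateway | apigateway | instance | No | No | No | None | None |
| API Gateway | apigateway | plugin | No | No | No | None | None |
| Alibaba Cloud DNS (DNS) | alidns | domain | No | No | Yes | None | None |
| Auto Scaling | ess | scalinggroup | No | No | Yes | CreateScalingGroup, TagResources | CreateScalingGroup |
| Elastic Container Instance | eci | containergroup | No | No | Yes | CreateContainerGroup, UpdateContainerGroup | CreateContainerGroup |
| Elastic Container Instance | eci | imagecache | No | No | Yes | UpdateImageCache, CreateImageCache | None |
| Elastic Container Instance | eci | virtualnode | No | No | Yes | UpdateVirtualNode, CreateVirtualNode | CreateVirtualNode |
| ApsaraMQ for RocketMQ | mq | group | No | No | Yes | TagResources | None |
| ApsaraMQ for RocketMQ | mq | instance | No | No | Yes | TagResources | None |
| ApsaraMQ for RocketMQ | mq | topic | No | No | Yes | TagResources | None |
| Bastionhost | bastionhost | instance | No | No | Yes | TagResources | None |
| Resource Orchestration Service (ROS) | ros | changeset | No | No | Yes | TagResources | None |
| Resource Orchestration Service (ROS) | ros | stack | No | No | Yes | CreateStack, UpdateStack, TagResources | CreateStack |
| Resource Orchestration Service (ROS) | ros | template | No | No | Yes | TagResources | None |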

Additional information:

[1] Pre-event interception of non-compliant tags supports two scenarios: pre-event interception when you create a resource and pre-event interception when you add tags to a resource. Support for the two scenarios varies based on the Alibaba Cloud service, resource type, and API operation. For example, non-compliant tags can be intercepted when you call the CreateInstance operation to create an ECS instance or when you call the TagResources operation to add tags to an ECS instance.

[2] Strong verification for pre-event interception of non-compliant tags takes effect only after you manually enable it. For more information, see Enable pre-event interception of non-compliant tags.
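
The checks described under Scenarios, combined with the per-operation support listed above, as an added example that is not part of the original page and is not Alibaba Cloud code: a local model of automatic tag detection and of default versus strong-verification interception, following this page's description of the two settings. The policy model, the `ecs:instance` key format, the function names and the sample requests are assumptions made for the illustration; the API operation lists are those given above for the ECS instance resource type.

```python
# Added illustration, not Alibaba Cloud code. POLICY is a constructed, simplified
# model (required key -> allowed values, None = any value); it is not the Tag Policy
# document syntax, which this page does not show.
POLICY = {"CostCenter": {"finance", "ops"}, "Owner": None}

# Taken from the ECS "instance" entry of the support table on this page.
DEFAULT_APIS = {"ecs:instance": {"RunInstances", "CreateInstance", "TagResources"}}
STRONG_APIS = {"ecs:instance": {"RunInstances", "CreateInstance"}}


def detect(tags, policy=POLICY):
    """Automatic tag detection: list missing and non-compliant policy tags."""
    findings = []
    for key, allowed in sorted(policy.items()):
        if key not in tags:
            findings.append(f"missing:{key}")
        elif allowed is not None and tags[key] not in allowed:
            findings.append(f"noncompliant:{key}={tags[key]}")
    return findings


def intercept(resource_type, api, tags, strong=False, policy=POLICY):
    """Pre-event interception: return (allowed, reasons) for one request."""
    if api not in DEFAULT_APIS.get(resource_type, set()):
        return True, ["not intercepted: API operation not in the support table"]
    findings = detect(tags, policy)
    if not (strong and api in STRONG_APIS.get(resource_type, set())):
        # Default behaviour: only tags defined in the policy are evaluated, so
        # a request that omits them passes and is left to later detection.
        findings = [f for f in findings if f.startswith("noncompliant:")]
    return not findings, findings


def demo():
    """Run constructed sample requests through both interception settings."""
    untagged, typo = {}, {"CostCenter": "finanse", "Owner": "alice"}
    return {
        "default_untagged": intercept("ecs:instance", "RunInstances", untagged),
        "strong_untagged": intercept("ecs:instance", "RunInstances", untagged, strong=True),
        "default_typo": intercept("ecs:instance", "RunInstances", typo),
        "strong_tagresources": intercept("ecs:instance", "TagResources", {"Team": "x"}, strong=True),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'allow' if allowed else 'block'} {reasons}")
```

The untagged request passes under the default setting and is blocked only with strong verification, and a TagResources call is never subject to strong verification for this resource type, so automatic tag detection remains the control that catches resources tagged after creation.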