Use a tag policy to enforce consistent tagging across your Alibaba Cloud resources.
Overview
Tag policies support two modes: single-account mode and resource directory mode. Modes of the Tag Policy feature.
Test the feature on an account with few resources before you enable it in production.
Single-account mode
Step 1: Enable the Tag Policy feature
-
Log on to the Resource Management console.
-
In the left-side navigation pane, choose Tag Policy > Settings.
-
On the Settings for Current Account tab, set Tag Policy to Enable.
-
In the Enable Tag Policy dialog box, click Enable.
When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag.
Step 2: Create a tag policy
Create a tag policy that defines required tags for a resource. Resources are then validated against this policy.
-
In the navigation pane on the left, choose Tag Policy > Policy Library.
-
On the Policy Library page, click Create Tag Policy.
-
In the Basic Information section, enter a policy name and description.
-
In the Details section, use one of the following methods to configure the policy.
-
Quick Mode (Recommended)
Select a policy scenario and configure rules based on your business requirements.
-
Add Tags with Specified Tag Values to Resources
In a tag policy, you can specify tags that must be added to resources. You can also enable features such as automatic detection, automatic remediation, and pre-event interception for non-compliant tags based on the execution modes you specify for the tag policy.
Parameter
Description
Tag Key
Enter a tag key.
Specify Allowed Tag Values
The tag value that is allowed for the tag key. You can specify multiple tag values. You can also use an asterisk (*) as a wildcard to indicate any tag values.
Policy Execution Mode
-
Post-event Detection
Post-event detection is the default execution mode of a tag policy used in this scenario. You can enable the following detection rules based on your business requirements. You can view the detection results on the details page of the related effective policy.
-
Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.
-
Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.
NoteThe Resource Groups parameter is not supported for tag policies for a Resource Directory.
-
Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.
-
Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.
-
Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to
abc-.*, only resources whose names start withabc-are detected. -
Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.
-
-
Pre-event Interception
When you create a resource or add tags to an existing resource, the system performs a check. If the tags defined in the tag policy are not added to the resource, the resource creation or tag addition operation fails. For more information, see Enable pre-event interception of non-compliant tags.
-
-
Match Tag Values with Specified Regular Expression
You can specify a regular expression in a tag policy to limit the format of tag values. Tag values that do not match the regular expression can be automatically remediated.
Parameter
Description
Tag Key
Enter a tag key.
Specify Allowed Tag Values
Enter a regular expression to limit the format of tag values.
Policy Execution Mode
Post-event Detection is the default execution mode for this policy scenario. You can enable the following detection rules and view the results on the details page of the effective policy.
-
Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.
-
Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.
NoteThe Resource Groups parameter is not supported for tag policies for a Resource Directory.
-
Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.
-
Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.
-
Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to
abc-.*, only resources whose names start withabc-are detected. -
Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.
-
-
Automatically Inherit Tags for Resources from Resource Groups
After you add tags to a resource group, you can configure a tag policy to use the automatic tag inheritance feature. This feature allows resources that are added to or created in a resource group to automatically inherit the tags that are added to the resource group.
Parameter
Description
Tag Key
Enter a tag key.
For Tag Policy in single-account mode, you can click View Resource Groups with the Tag Key to view the resource groups to which the tag key is added.
Specify Resource Types for Detection
By default, all the supported types of resources are detected. You can specify resource types based on your business requirements. If you specify resource types, post-event detection is performed only for the specified types of resources.
Resource Groups
By default, resources in all resource groups are detected. You can specify resource groups based on your business requirements. You can specify up to 20 resource groups.
NoteThe Resource Groups parameter is not supported for tag policies for a Resource Directory.
Specify IDs of Resources to Be Excluded
You can specify the IDs of resources that do not inherit tags from the resource groups to which the resources belong. You can specify up to 20 resource IDs.
Regions
By default, resources in all regions are detected. You can specify regions based on your business requirements. You can specify up to 20 regions.
Specify Tag Scope
You can specify a tag scope based on your business requirements. After you specify a tag scope, post-event detection is performed only for resources with the specified tags. The tags you specify have an AND relation. You can specify up to 20 tags.
You can click Add Policy Scenario and Tag Key to configure rules for multiple policy scenarios and tag keys.
-
-
JSON
In this mode, you need to specify the policy details in the JSON format. If you have high requirements for tag policies, use this mode. Before you use this mode, you must have a command of the syntax of a tag policy. For more information, see Syntax of a tag policy.
-
-
Click Create.
Step 3: Attach the tag policy
Attach the tag policy to your Alibaba Cloud account to enforce it on resources within the account.
-
In the navigation pane on the left, choose Tag Policy > Policy Library.
-
For the tag policy you want to attach, click Attach in the Actions column.
-
In the Add dialog box, click Attach.
This attaches the tag policy to your current Alibaba Cloud account.
Step 4: (Optional) View the effective policy
View the effective policy applied to your account after attachment.
-
In the left-side navigation pane, choose Tag Policy > Effective Policies.
-
Click a tag key to view its effective policy details, including basic information, involved tag policies, detection results, and remediation records.
Step 5: Check whether the tag policy is in effect
Perform a tag operation with your account or a RAM user to verify that the policy is enforced. For example, if a policy requires the tag CostCenter:Beijing on a VPC, only the compliant tag CostCenter:Beijing can be added. Non-compliant tags such as costCenter:Shanghai are rejected.
Resource directory mode
For security purposes, create a RAM user under the management account of your resource directory, attach the AdministratorAccess policy, and then perform the following operations as that RAM user. Create a RAM user and Grant permissions to RAM users.
Step 1: Enable the Tag Policy feature
-
Log on to the Resource Management console.
-
In the left-side navigation pane, choose Tag Policy > Settings.
-
On the Settings for Resource Directory tab, set Tag Policy to Enable.
NoteThe management account can also enable a tag policy for itself on the Settings for Current Account tab.
-
In the Enable Tag Policy dialog box, click Enable.
When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag.
Step 2: Create a tag policy
Create a tag policy that defines required tags for a resource. Resources are then validated against this policy.
-
In the navigation pane on the left, choose Tag Policy > Policy Library.
-
On the Policy Library page, click the Resource Directory tab, and then click Create Tag Policy.
-
In the Basic Information section, enter a policy name and description.
-
In the Details section, use one of the following methods to configure the policy.
-
Quick Mode (Recommended)
Select a policy scenario and configure rules based on your business requirements.
-
Add Tags with Specified Tag Values to Resources
In a tag policy, you can specify tags that must be added to resources. You can also enable features such as automatic detection, automatic remediation, and pre-event interception for non-compliant tags based on the execution modes you specify for the tag policy.
Parameter
Description
Tag Key
Enter a tag key.
Specify Allowed Tag Values
The tag value that is allowed for the tag key. You can specify multiple tag values. You can also use an asterisk (*) as a wildcard to indicate any tag values.
Policy Execution Mode
-
Post-event Detection
Post-event detection is the default execution mode of a tag policy used in this scenario. You can enable the following detection rules based on your business requirements. You can view the detection results on the details page of the related effective policy.
-
Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.
-
Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.
NoteThe Resource Groups parameter is not supported for tag policies for a Resource Directory.
-
Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.
-
Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.
-
Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to
abc-.*, only resources whose names start withabc-are detected. -
Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.
-
-
Pre-event Interception
When you create a resource or add tags to an existing resource, the system performs a check. If the tags defined in the tag policy are not added to the resource, the resource creation or tag addition operation fails. For more information, see Enable pre-event interception of non-compliant tags.
-
-
Match Tag Values with Specified Regular Expression
You can specify a regular expression in a tag policy to limit the format of tag values. Tag values that do not match the regular expression can be automatically remediated.
Parameter
Description
Tag Key
Enter a tag key.
Specify Allowed Tag Values
Enter a regular expression to limit the format of tag values.
Policy Execution Mode
Post-event Detection is the default execution mode for this policy scenario. You can enable the following detection rules and view the results on the details page of the effective policy.
-
Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.
-
Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.
NoteThe Resource Groups parameter is not supported for tag policies for a Resource Directory.
-
Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.
-
Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.
-
Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to
abc-.*, only resources whose names start withabc-are detected. -
Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.
-
-
Automatically Inherit Tags for Resources from Resource Groups
After you add tags to a resource group, you can configure a tag policy to use the automatic tag inheritance feature. This feature allows resources that are added to or created in a resource group to automatically inherit the tags that are added to the resource group.
Parameter
Description
Tag Key
Enter a tag key.
For Tag Policy in single-account mode, you can click View Resource Groups with the Tag Key to view the resource groups to which the tag key is added.
Specify Resource Types for Detection
By default, all the supported types of resources are detected. You can specify resource types based on your business requirements. If you specify resource types, post-event detection is performed only for the specified types of resources.
Resource Groups
By default, resources in all resource groups are detected. You can specify resource groups based on your business requirements. You can specify up to 20 resource groups.
NoteThe Resource Groups parameter is not supported for tag policies for a Resource Directory.
Specify IDs of Resources to Be Excluded
You can specify the IDs of resources that do not inherit tags from the resource groups to which the resources belong. You can specify up to 20 resource IDs.
Regions
By default, resources in all regions are detected. You can specify regions based on your business requirements. You can specify up to 20 regions.
Specify Tag Scope
You can specify a tag scope based on your business requirements. After you specify a tag scope, post-event detection is performed only for resources with the specified tags. The tags you specify have an AND relation. You can specify up to 20 tags.
You can click Add Policy Scenario and Tag Key to configure rules for multiple policy scenarios and tag keys.
-
-
JSON
In this mode, you need to specify the policy details in the JSON format. If you have high requirements for tag policies, use this mode. Before you use this mode, you must have a command of the syntax of a tag policy. For more information, see Syntax of a tag policy.
-
-
Click Create.
Step 3: Attach the tag policy
Attach the tag policy to the Root folder, a specific folder, or a specific member to enforce it on resources within those members.
-
In the left navigation bar, select Tag Policy > Policy Library.
-
On the Policy Library page, click the Resource Directory tab.
-
For the tag policy you want to attach, click Attach in the Actions column.
-
In the Add dialog box, select a target and then click Add.
The policy's effective scope depends on the selected target:
-
Root folder: The tag policy applies to all members in the resource directory.
-
Specific folder: The tag policy applies only to members in the selected folder.
-
Specific member: The tag policy applies only to the selected member.
NoteYou cannot attach a tag policy for a resource directory to the management account. However, you can use the single-account mode to create and attach a tag policy to the management account.
-
Step 4: (Optional) View the effective policy
View the effective policy of the Root folder, a folder, or a member. An effective policy is derived from the inheritance hierarchy of tag policies. Inheritance of a tag policy and calculation of an effective tag policy.
-
In the left-side navigation pane, choose Tag Policy > Effective Policies.
-
View the related effective policy.
-
Click the All Members tab to view members with attached tag policies. Click View Detection Results in the Actions column for a member to view its effective policy details, including basic information, involved tag policies, detection results, and remediation records.
-
On the Effective Policies for Resource Directory tab, view the effective policies attached to nodes in the resource directory. Click a tag key to view its effective policy details, including basic information, attachment relationships, detection results, and remediation records.
-
Step 5: Check whether the tag policy is in effect
-
Use the RAM user to access a member to which the tag policy is attached.
-
Perform a tag-related operation on a resource within the member to check whether the tag policy is in effect.
For example, if a policy requires the tag
CostCenter:Beijingon a VPC, only the compliant tagCostCenter:Beijingcan be added. Non-compliant tags such ascostCenter:Shanghaiare rejected.