Get started with tag policies

更新时间:
复制 MD 格式

Use a tag policy to enforce consistent tagging across your Alibaba Cloud resources.

Overview

Tag policies support two modes: single-account mode and resource directory mode. Modes of the Tag Policy feature.

Test the feature on an account with few resources before you enable it in production.

Single-account mode

Step 1: Enable the Tag Policy feature

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, choose Tag Policy > Settings.

  3. On the Settings for Current Account tab, set Tag Policy to Enable.

  4. In the Enable Tag Policy dialog box, click Enable.

    When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag.

Step 2: Create a tag policy

Create a tag policy that defines required tags for a resource. Resources are then validated against this policy.

  1. In the navigation pane on the left, choose Tag Policy > Policy Library.

  2. On the Policy Library page, click Create Tag Policy.

  3. In the Basic Information section, enter a policy name and description.

  4. In the Details section, use one of the following methods to configure the policy.

    • Quick Mode (Recommended)

      Select a policy scenario and configure rules based on your business requirements.

      • Add Tags with Specified Tag Values to Resources

        In a tag policy, you can specify tags that must be added to resources. You can also enable features such as automatic detection, automatic remediation, and pre-event interception for non-compliant tags based on the execution modes you specify for the tag policy.

        Parameter

        Description

        Tag Key

        Enter a tag key.

        Specify Allowed Tag Values

        The tag value that is allowed for the tag key. You can specify multiple tag values. You can also use an asterisk (*) as a wildcard to indicate any tag values.

        Policy Execution Mode

        • Post-event Detection

          Post-event detection is the default execution mode of a tag policy used in this scenario. You can enable the following detection rules based on your business requirements. You can view the detection results on the details page of the related effective policy.

          • Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.

          • Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.

            Note

            The Resource Groups parameter is not supported for tag policies for a Resource Directory.

          • Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.

          • Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.

          • Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to abc-.*, only resources whose names start with abc- are detected.

          • Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.

        • Pre-event Interception

          When you create a resource or add tags to an existing resource, the system performs a check. If the tags defined in the tag policy are not added to the resource, the resource creation or tag addition operation fails. For more information, see Enable pre-event interception of non-compliant tags.

      • Match Tag Values with Specified Regular Expression

        You can specify a regular expression in a tag policy to limit the format of tag values. Tag values that do not match the regular expression can be automatically remediated.

        Parameter

        Description

        Tag Key

        Enter a tag key.

        Specify Allowed Tag Values

        Enter a regular expression to limit the format of tag values.

        Policy Execution Mode

        Post-event Detection is the default execution mode for this policy scenario. You can enable the following detection rules and view the results on the details page of the effective policy.

        • Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.

        • Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.

          Note

          The Resource Groups parameter is not supported for tag policies for a Resource Directory.

        • Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.

        • Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.

        • Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to abc-.*, only resources whose names start with abc- are detected.

        • Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.

      • Automatically Inherit Tags for Resources from Resource Groups

        After you add tags to a resource group, you can configure a tag policy to use the automatic tag inheritance feature. This feature allows resources that are added to or created in a resource group to automatically inherit the tags that are added to the resource group.

        Parameter

        Description

        Tag Key

        Enter a tag key.

        For Tag Policy in single-account mode, you can click View Resource Groups with the Tag Key to view the resource groups to which the tag key is added.

        Specify Resource Types for Detection

        By default, all the supported types of resources are detected. You can specify resource types based on your business requirements. If you specify resource types, post-event detection is performed only for the specified types of resources.

        Resource Groups

        By default, resources in all resource groups are detected. You can specify resource groups based on your business requirements. You can specify up to 20 resource groups.

        Note

        The Resource Groups parameter is not supported for tag policies for a Resource Directory.

        Specify IDs of Resources to Be Excluded

        You can specify the IDs of resources that do not inherit tags from the resource groups to which the resources belong. You can specify up to 20 resource IDs.

        Regions

        By default, resources in all regions are detected. You can specify regions based on your business requirements. You can specify up to 20 regions.

        Specify Tag Scope

        You can specify a tag scope based on your business requirements. After you specify a tag scope, post-event detection is performed only for resources with the specified tags. The tags you specify have an AND relation. You can specify up to 20 tags.

      You can click Add Policy Scenario and Tag Key to configure rules for multiple policy scenarios and tag keys.

    • JSON

      In this mode, you need to specify the policy details in the JSON format. If you have high requirements for tag policies, use this mode. Before you use this mode, you must have a command of the syntax of a tag policy. For more information, see Syntax of a tag policy.

  5. Click Create.

Step 3: Attach the tag policy

Attach the tag policy to your Alibaba Cloud account to enforce it on resources within the account.

  1. In the navigation pane on the left, choose Tag Policy > Policy Library.

  2. For the tag policy you want to attach, click Attach in the Actions column.

  3. In the Add dialog box, click Attach.

    This attaches the tag policy to your current Alibaba Cloud account.

Step 4: (Optional) View the effective policy

View the effective policy applied to your account after attachment.

  1. In the left-side navigation pane, choose Tag Policy > Effective Policies.

  2. Click a tag key to view its effective policy details, including basic information, involved tag policies, detection results, and remediation records.

Step 5: Check whether the tag policy is in effect

Perform a tag operation with your account or a RAM user to verify that the policy is enforced. For example, if a policy requires the tag CostCenter:Beijing on a VPC, only the compliant tag CostCenter:Beijing can be added. Non-compliant tags such as costCenter:Shanghai are rejected.

Resource directory mode

For security purposes, create a RAM user under the management account of your resource directory, attach the AdministratorAccess policy, and then perform the following operations as that RAM user. Create a RAM user and Grant permissions to RAM users.

Step 1: Enable the Tag Policy feature

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, choose Tag Policy > Settings.

  3. On the Settings for Resource Directory tab, set Tag Policy to Enable.

    Note

    The management account can also enable a tag policy for itself on the Settings for Current Account tab.

  4. In the Enable Tag Policy dialog box, click Enable.

    When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag.

Step 2: Create a tag policy

Create a tag policy that defines required tags for a resource. Resources are then validated against this policy.

  1. In the navigation pane on the left, choose Tag Policy > Policy Library.

  2. On the Policy Library page, click the Resource Directory tab, and then click Create Tag Policy.

  3. In the Basic Information section, enter a policy name and description.

  4. In the Details section, use one of the following methods to configure the policy.

    • Quick Mode (Recommended)

      Select a policy scenario and configure rules based on your business requirements.

      • Add Tags with Specified Tag Values to Resources

        In a tag policy, you can specify tags that must be added to resources. You can also enable features such as automatic detection, automatic remediation, and pre-event interception for non-compliant tags based on the execution modes you specify for the tag policy.

        Parameter

        Description

        Tag Key

        Enter a tag key.

        Specify Allowed Tag Values

        The tag value that is allowed for the tag key. You can specify multiple tag values. You can also use an asterisk (*) as a wildcard to indicate any tag values.

        Policy Execution Mode

        • Post-event Detection

          Post-event detection is the default execution mode of a tag policy used in this scenario. You can enable the following detection rules based on your business requirements. You can view the detection results on the details page of the related effective policy.

          • Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.

          • Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.

            Note

            The Resource Groups parameter is not supported for tag policies for a Resource Directory.

          • Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.

          • Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.

          • Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to abc-.*, only resources whose names start with abc- are detected.

          • Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.

        • Pre-event Interception

          When you create a resource or add tags to an existing resource, the system performs a check. If the tags defined in the tag policy are not added to the resource, the resource creation or tag addition operation fails. For more information, see Enable pre-event interception of non-compliant tags.

      • Match Tag Values with Specified Regular Expression

        You can specify a regular expression in a tag policy to limit the format of tag values. Tag values that do not match the regular expression can be automatically remediated.

        Parameter

        Description

        Tag Key

        Enter a tag key.

        Specify Allowed Tag Values

        Enter a regular expression to limit the format of tag values.

        Policy Execution Mode

        Post-event Detection is the default execution mode for this policy scenario. You can enable the following detection rules and view the results on the details page of the effective policy.

        • Specify Resource Types for Detection: By default, all supported resource types are detected. You can also specify resource types to limit the scope of detection.

        • Resource Groups: By default, resources in all resource groups are detected. You can also specify resource groups to limit the scope of detection. You can specify up to 20 resource groups.

          Note

          The Resource Groups parameter is not supported for tag policies for a Resource Directory.

        • Regions: By default, resources in all regions are detected. You can also specify regions to limit the scope of detection. You can specify up to 20 regions.

        • Specify Tag Scope: You can specify tags to limit the scope of detection. Only resources with all specified tags are detected. The tags are combined using a logical AND. You can specify up to 20 tags.

        • Specify Regular Expression of Resource Names: You can specify a regular expression to detect only resources whose names match the expression. For example, if you set the regular expression to abc-.*, only resources whose names start with abc- are detected.

        • Automatic Remediation: Automatically remediates tags on non-compliant resources. For each tag value for which you enable this feature, you must specify a unique remediation scope.

      • Automatically Inherit Tags for Resources from Resource Groups

        After you add tags to a resource group, you can configure a tag policy to use the automatic tag inheritance feature. This feature allows resources that are added to or created in a resource group to automatically inherit the tags that are added to the resource group.

        Parameter

        Description

        Tag Key

        Enter a tag key.

        For Tag Policy in single-account mode, you can click View Resource Groups with the Tag Key to view the resource groups to which the tag key is added.

        Specify Resource Types for Detection

        By default, all the supported types of resources are detected. You can specify resource types based on your business requirements. If you specify resource types, post-event detection is performed only for the specified types of resources.

        Resource Groups

        By default, resources in all resource groups are detected. You can specify resource groups based on your business requirements. You can specify up to 20 resource groups.

        Note

        The Resource Groups parameter is not supported for tag policies for a Resource Directory.

        Specify IDs of Resources to Be Excluded

        You can specify the IDs of resources that do not inherit tags from the resource groups to which the resources belong. You can specify up to 20 resource IDs.

        Regions

        By default, resources in all regions are detected. You can specify regions based on your business requirements. You can specify up to 20 regions.

        Specify Tag Scope

        You can specify a tag scope based on your business requirements. After you specify a tag scope, post-event detection is performed only for resources with the specified tags. The tags you specify have an AND relation. You can specify up to 20 tags.

      You can click Add Policy Scenario and Tag Key to configure rules for multiple policy scenarios and tag keys.

    • JSON

      In this mode, you need to specify the policy details in the JSON format. If you have high requirements for tag policies, use this mode. Before you use this mode, you must have a command of the syntax of a tag policy. For more information, see Syntax of a tag policy.

  5. Click Create.

Step 3: Attach the tag policy

Attach the tag policy to the Root folder, a specific folder, or a specific member to enforce it on resources within those members.

  1. In the left navigation bar, select Tag Policy > Policy Library.

  2. On the Policy Library page, click the Resource Directory tab.

  3. For the tag policy you want to attach, click Attach in the Actions column.

  4. In the Add dialog box, select a target and then click Add.

    The policy's effective scope depends on the selected target:

    • Root folder: The tag policy applies to all members in the resource directory.

    • Specific folder: The tag policy applies only to members in the selected folder.

    • Specific member: The tag policy applies only to the selected member.

    Note

    You cannot attach a tag policy for a resource directory to the management account. However, you can use the single-account mode to create and attach a tag policy to the management account.

Step 4: (Optional) View the effective policy

View the effective policy of the Root folder, a folder, or a member. An effective policy is derived from the inheritance hierarchy of tag policies. Inheritance of a tag policy and calculation of an effective tag policy.

  1. In the left-side navigation pane, choose Tag Policy > Effective Policies.

  2. View the related effective policy.

    • Click the All Members tab to view members with attached tag policies. Click View Detection Results in the Actions column for a member to view its effective policy details, including basic information, involved tag policies, detection results, and remediation records.

    • On the Effective Policies for Resource Directory tab, view the effective policies attached to nodes in the resource directory. Click a tag key to view its effective policy details, including basic information, attachment relationships, detection results, and remediation records.

Step 5: Check whether the tag policy is in effect

  1. Use the RAM user to access a member to which the tag policy is attached.

  2. Perform a tag-related operation on a resource within the member to check whether the tag policy is in effect.

    For example, if a policy requires the tag CostCenter:Beijing on a VPC, only the compliant tag CostCenter:Beijing can be added. Non-compliant tags such as costCenter:Shanghai are rejected.