Tag policies enforce tag standardization by requiring compliant tags on resources, improving management efficiency for cost allocation, permission control, and automated O&M. Two modes are available: tag policies for the current account and for a resource directory.
Scenarios
As cloud resources grow, tags enable categorization, cost allocation, and automated O&M. However, users often forget to attach tags, attach incomplete tags, or misspell tag values — causing failures in cost allocation and automated management. Tag policies address these scenarios:
- Pre-emptive blocking of non-compliant tags
  Enforce tag compliance at resource creation time: the pre-emptive blocking feature ensures that compliant tags are attached when resources are created.
  By default, this feature validates only tags defined in the policy. With strong validation enabled, it also blocks resources that have no tags or that carry tags not defined in the policy.
- Automatic tag detection
  After resource creation, tag policies monitor resource changes and identify non-compliant tags in the following cases:
  - The tags attached to the resource are not standardized.
  - The resource does not have the specified tags attached.
  Automatic detection identifies compliance issues early and comprehensively.
- Automatic tag remediation
  When automatic detection finds non-compliant tags and the rule supports automatic remediation, the tag policy fixes the tags without manual intervention.
- Automatic inheritance of tags from resource groups to resources in the group
  Resources created in or added to a resource group automatically inherit the group's tags. Use a tag policy to enable automatic tag inheritance based on resource groups.
How it works
Tag policies enforce compliance from resource creation (pre-emptive) through ongoing monitoring (post-event).
- Pre-emptive blocking
  When you create a resource or attach tags, the tag policy checks the tags for compliance. Non-compliant operations are blocked.
- Post-event detection and remediation
  Existing resources are checked for tag compliance. Non-compliant tags can be fixed manually or through automatic remediation.
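The following Python script is an added example (not Alibaba Cloud's code) that models the checks described under Scenarios and How it works: pre-emptive blocking in default and strong-validation mode, post-event detection of non-standardized and missing tags, and automatic remediation. The policy document's JSON shape (tag_key, tag_value, enforced_for with the @@assign operator), the policy and resource tags themselves, and the remediation rules (canonical key spelling, case-only value fixes) are all constructed assumptions.

```python
"""Model of the checks a tag policy performs: pre-emptive blocking (default and
strong validation), post-event detection, and automatic remediation.
Added example; not Alibaba Cloud's code."""
from __future__ import annotations

# Constructed policy. Its JSON shape (tag_key / tag_value / enforced_for with
# the @@assign operator) is an assumption modelled on the tag policy syntax;
# check the syntax reference before reusing it.
POLICY = {
    "tags": {
        "CostCenter": {
            "tag_key": {"@@assign": "CostCenter"},
            "tag_value": {"@@assign": ["Finance", "Marketing"]},
            "enforced_for": {"@@assign": ["ecs:instance", "rds:instance"]},
        },
        "Environment": {
            "tag_key": {"@@assign": "Environment"},
            "tag_value": {"@@assign": ["prod", "dev"]},
            "enforced_for": {"@@assign": ["ecs:instance"]},
        },
    }
}


def policy_rules(policy: dict) -> dict[str, tuple[list[str], list[str]]]:
    """Flatten a policy into {canonical_key: (allowed_values, enforced_types)}."""
    rules = {}
    for spec in policy["tags"].values():
        key = spec["tag_key"]["@@assign"]
        values = spec.get("tag_value", {}).get("@@assign", [])
        enforced = spec.get("enforced_for", {}).get("@@assign", [])
        rules[key] = (list(values), list(enforced))
    return rules


def check_tags(tags: dict[str, str], policy: dict, strong: bool = False) -> list[tuple[str, str]]:
    """Findings on the tags that are present, as (finding, key) pairs.

    Default mode only looks at keys the policy defines. Strong validation
    additionally rejects an empty tag set and keys the policy does not define.
    """
    rules = policy_rules(policy)
    by_lower = {k.lower(): k for k in rules}
    findings = []
    if strong and not tags:
        findings.append(("no-tags", ""))
    for key, value in tags.items():
        canonical = by_lower.get(key.lower())
        if canonical is None:
            if strong:
                findings.append(("undefined-key", key))
            continue
        if key != canonical:                      # e.g. "costcenter" vs "CostCenter"
            findings.append(("nonstandard-key", key))
        allowed, _ = rules[canonical]
        if allowed and value not in allowed:      # value outside the allowed list
            findings.append(("nonstandard-value", key))
    return findings


def admit(tags: dict[str, str], policy: dict, strong: bool = False) -> bool:
    """Pre-emptive blocking: allow the create/tag operation only if it is clean."""
    return not check_tags(tags, policy, strong)


def detect(resource_type: str, tags: dict[str, str], policy: dict) -> list[tuple[str, str]]:
    """Post-event detection: non-standard tags plus enforced keys that are missing."""
    findings = check_tags(tags, policy)
    present = {k.lower() for k in tags}
    for canonical, (_, enforced) in policy_rules(policy).items():
        if resource_type in enforced and canonical.lower() not in present:
            findings.append(("missing", canonical))
    return findings


def remediate(tags: dict[str, str], policy: dict) -> tuple[dict[str, str], list[tuple[str, str]]]:
    """Automatic remediation under an assumed rule set: rename keys to the
    canonical spelling and fix values that differ from an allowed value only by
    case. Returns (fixed_tags, findings_left); a missing tag cannot be invented."""
    rules = policy_rules(policy)
    by_lower = {k.lower(): k for k in rules}
    fixed = {}
    for key, value in tags.items():
        canonical = by_lower.get(key.lower(), key)
        allowed, _ = rules.get(canonical, ([], []))
        fixed[canonical] = next((v for v in allowed if v.lower() == value.lower()), value)
    return fixed, check_tags(fixed, policy)


if __name__ == "__main__":
    sloppy = {"costcenter": "finance", "Owner": "alice"}  # constructed resource tags
    print(admit({"CostCenter": "Finance", "Environment": "prod"}, POLICY))
    print(admit(sloppy, POLICY))                           # blocked: key and value drift
    print(admit({"Owner": "alice"}, POLICY, strong=True))  # blocked: key not in policy
    print(detect("ecs:instance", sloppy, POLICY))
    print(remediate(sloppy, POLICY))
```

The split between `admit` and `detect` mirrors the two stages on this page: the pre-emptive check can only judge the tags an API call carries, so a missing required tag is a post-event finding, and strong validation is the only mode that turns an absent or undefined tag into a block. Remediation deliberately leaves a value it cannot map to an allowed value (for example `CostCenter=Sales`) as an open finding rather than guessing.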
Tag policy modes
Resource Management lets you enable the Tag Policy feature in single-account mode or in resource directory mode. Choose the mode based on your business scenario and the type of account you log on with. The following table describes the two modes.

| Scenario | Type of the logon account | Mode of the Tag Policy feature | References |
|---|---|---|---|
| If your business in the cloud is simple and you use a single Alibaba Cloud account and the RAM users within that account to perform management operations, use the Alibaba Cloud account to enable the Tag Policy feature in single-account mode. You can then use tag policies to manage the tag-related operations performed by the Alibaba Cloud account or its RAM users. | Alibaba Cloud account that is not the management account or a member of a resource directory | Single-account mode: the Tag Policy feature in this mode manages tag-related operations performed by an Alibaba Cloud account or the RAM users within that account. | Use an Alibaba Cloud account to enable the Tag Policy feature in single-account mode |
| If your business in the cloud is complex and you use a resource directory to manage all your accounts, use the management account of the resource directory to enable the Tag Policy feature in resource directory mode. You can then use tag policies to manage the tag-related operations performed by members of the resource directory. | Management account of a resource directory | You can enable the Tag Policy feature in both modes or in one of the modes based on your business requirements. | |
| | Member of a resource directory | The following situations may occur based on whether the Tag Policy feature is enabled for a resource directory: | Use a member of a resource directory to enable the Tag Policy feature in single-account mode |
Limits
| Limitation | Specification |
|---|---|
| Maximum number of tag policies per account | 100 |
| Maximum number of tag policies per resource directory | 100 |
| Maximum length of a tag policy | 2,048 characters |
| Pre-emptive blocking activation time | |
| Automatic detection activation time | |
| Automatic remediation activation time | Starts within 10 minutes after a non-compliant resource is detected. |
Best practices
Alibaba Cloud services that support tag policies

| Alibaba Cloud service | Service code | Resource type | Supports automatic tag detection and remediation | Supports automatic inheritance of tags from resource groups | APIs that support the default pre-emptive blocking feature① | APIs that support the strong validation pre-emptive blocking feature② |
|---|---|---|---|---|---|---|
| Elastic Compute Service (ECS) | ecs | instance | Yes | Yes | | |
| | | eni | Yes | No | | |
| | | securitygroup | Yes | Yes | | |
| | | disk | Yes | Yes | | |
| | | snapshot | Yes | No | | |
| | | ddh | Yes | Yes | | |
| | | image | No | No | | |
| | | keypair | No | No | | |
| | | launchtemplate | Yes | Yes | | |
| | | snapshotpolicy | No | No | | |
| ApsaraDB RDS | rds | instance | Yes | Yes | | None |
| Server Load Balancer (SLB) | slb | instance | Yes | Yes | | None |
| | | certificate | No | No | | None |
| | | acl | No | No | | None |
| Application Load Balancer (ALB) | alb | acl | No | No | | None |
| | | loadbalancer | No | No | | None |
| | | securitypolicy | No | No | | None |
| | | servergroup | No | No | | None |
| Virtual Private Cloud (VPC) | vpc | vpc | Yes | Yes | | None |
| | | vswitch | Yes | No | | None |
| | | routetable | Yes | No | | None |
| NAT Gateway | vpc | natgateway | Yes | Yes | | None |
| VPN Gateway | vpc | vpngateway | No | No | | None |
| Internet Shared Bandwidth | vpc | commonbandwidthpackage | No | No | | None |
| Elastic IP Address (EIP) | vpc | eip | Yes | Yes | | None |
| Cloud Enterprise Network (CEN) | cen | cen | Yes | Yes | | None |
| | | bandwidthpackage | No | No | | None |
| CDN | cdn | domain | Yes | Yes | None | None |
| Object Storage Service (OSS) | oss | bucket | Yes | Yes | None | None |
| ApsaraDB for Tair (Redis®-compatible) | kvstore | instance | Yes | Yes | | None |
| ApsaraDB for MongoDB | dds | instance | Yes | Yes | | None |
| ApsaraDB for HBase | multimod | cluster | Yes | Yes | | None |
| PolarDB | polardb | cluster | Yes | Yes | None | None |
| File Storage NAS | nas | filesystem | Yes | Yes | | None |
| Anti-DDoS | ddoscoo | instance | Yes | Yes | | None |
| Container Service | cs | cluster | Yes | Yes | None | None |
| API Gateway | apigateway | api | Yes | Yes | None | None |
| | | apigroup | Yes | Yes | None | None |
| | | app | No | No | None | None |
| | | instance | No | No | None | None |
| | | plugin | No | No | None | None |
| Alibaba Cloud DNS | alidns | domain | No | No | | None |
| Auto Scaling | ess | scalinggroup | No | No | | |
| Elastic Container Instance (ECI) | eci | containergroup | No | No | | |
| | | imagecache | No | No | | None |
| | | virtualnode | No | No | | None |
| Message Queue for Apache RocketMQ | mq | group | No | No | | None |
| | | instance | No | No | | None |
| | | topic | No | No | | None |
| Bastionhost | bastionhost | instance | No | No | | None |
| Resource Orchestration Service (ROS) | ros | changeset | No | No | | None |
| | | stack | No | No | | |
| | | template | No | No | | None |

Blank cells in the two API columns correspond to lists of API names that are not reproduced in this copy of the table.
Note:
① Pre-emptive blocking covers two scenarios: resource creation and tag attachment. Support varies by service, resource type, and API. For example, for ECS instances, CreateInstance blocks non-compliant tags during creation, and TagResources blocks them during tag attachment.
② The strong validation feature for pre-emptive blocking must be manually enabled. For more information, see Strong validation feature.