Help Center/ Cloud Adoption Framework / Cloud Adoption Framework and Practices/ Solution Design/ Designing a Tag Solution/ Best Practices for Tags
Updated on 2025-06-19 GMT+08:00
View PDF
Share

Best Practices for Tags

Tag Design Principles

Follow these tips when designing tags for Huawei Cloud resources:

  1. Avoid keeping personally identifiable information (PII) or other sensitive information in tags.
  2. Apply consistent case-sensitive formatting to tags on all resources.
  3. Keep tags brief but detailed enough to convey specific information. Avoid making them unnecessarily long.
  4. Identify tag application scenarios like cost management, O&M, automation, fine-grained permission control, data classification, and security operations. Formulate tag key and value specifications based on these scenarios.

Tag Key and Value Specifications

Formulate enterprise-wide tag key and value specifications based on tag design principles. Follow the specifications when tagging cloud resources. The following table provides examples for tag key and value specifications.

Table 1 Examples for tag key and value specifications

Scenario

Tag Key

Allowed Tag Value

Cost management

Department

Marketing, Engineering, Sales, Service, Research, etc.

Cost management

Application

CRM, ERP, HRM, Financial management system, etc.

Cost management

CostCenter

123, 456, 789, etc.

Permission management

Environment

Development, Test, Stage, Product, etc.

Permission management

Layer

DB, App, Web, etc.

Data classification

DataClass

Public, Private, Confidential, etc.

Security operations

Compliance

PCI-DSS, HIPPA, etc.

O&M and automation

Status

Active, Inactive, Deprecated, etc.

Tag Policies

Always follow the tag key and value specifications when tagging cloud resources. If not, tags might get mixed up, and their effectiveness could suffer. Huawei Cloud provides tag policies to help you manage tags added to cloud resources in your Huawei Cloud account.

For example, a tag policy can specify that a tag attached to a resource must use the case treatment and tag key and value specifications defined in the tag policy. If the case, key, and value of the tag do not comply with the tag policy, the resource will be marked as non-compliant.

Currently, tag policies can be used as preventive governance policies. Specifically, if enforcement is enabled for a tag policy, non-compliant tagging operations will be prevented from being performed on specified resource types.

You can attach tag policies to the root OU, other OUs, and accounts within your organization. When you attach a tag policy to the root OU and other OUs, all their child OUs and member accounts inherit that tag policy. The effective tag policy for an account specifies the tagging rules that apply to the account. It is the combination of tag policies that account inherits and tag policies directly attached to that account.

Tag Restrictions and Requirements

  1. Each resource can have a maximum of 20 user-created tags. Note that system-created tags starting with _sys_ are reserved for Huawei Cloud and are not counted in the 20 tags.
  2. For each resource, each tag key must be unique and can have only one tag value.
  3. A tag key must contain 1 to 128 Unicode characters in UTF-8 format.
  4. A tag value must contain 0 to 255 Unicode characters in UTF-8 format.
  5. Tag keys and values are case-sensitive. You are advised to use tag policies to apply consistent tag case treatment rules for all resource types. For example, choose one from HuaweiCloud, huaweicloud, or Huaweicloud for all resource types.
Parent topic: Designing a Tag Solution