Help Center/ Config/ User Guide/ Resource Compliance/ Resource Compliance Overview

Updated on 2025-12-04 GMT+08:00

View PDF

Resource Compliance Overview

Introduction

Config can help you quickly create a group of rules to evaluate the compliance of your resource configurations. You can create a rule based on a built-in policy or a custom policy. You need to specify the monitoring scope and the trigger type. Evaluation results are provided for you to check resource compliance.

Restrictions and Limitations

You can add up to 500 rules with an account.
The resource recorder must be enabled for adding, modifying, enabling, or triggering a rule. If the resource recorder is disabled, you can only view, disable, and delete rules.
The Organization Rules tab is inaccessible for an account that is not associated with any organizations.
To deploy an organization rule to a member, the member account must be in the normal state, and the resource recorder must be enabled for the member.

To evaluate resources with rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:

If the resource recorder is disabled, no resources will be available for evaluation, but you can still view historical evaluation results.
If the resource recorder is enabled and a monitoring scope is configured, only resources within the monitoring scope can be evaluated.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.

Compliance Policy

A policy is a logical expression used to evaluate resource compliance.

A policy cannot work on its own. To apply a policy to resources, you need to create a rule based on the policy.

You can define a policy with JSON elements. JSON elements of a policy lists the parameters for defining a policy.

**Table 1** JSON elements of a policy
Parameter	Description	Description
id	Policy ID	-
name	Policy name	The name can contain up to 64 characters.
display_name	Display name of a policy	A policy display name can contain up to 64 characters.
description	Policy description	The description can contain up to 512 characters.
parameters	Parameters of each policy rule The following attributes are used to describe each rule: name description type default_value allowed_values minimum maximum min_items max_items min_length max_length pattern	You can set different values for the parameters as required. name: parameter name description: parameter description type: the data type of the parameter, which can be String, Array, Boolean, Integer, or Float. default_value: the default value of the parameters If the default value is specified, the parameter can be left empty and the default value will be used upon rule creation. allowed_values: allowed values If the parameter is specified, you can only use a listed value. minimum: the minimum value, which is valid when type is Integer or Float. maximum: the maximum value, which is valid when type is Integer or Float. min_items: the minimum number of items in an array, which is valid when type is Array. max_items: the maximum number of items in an array, which is valid when type is Array. min_length: the minimum length for a string or each array item, which is valid when type is String or Array. max_length: the maximum length for a string or each array item, which is valid when type is String or Array. pattern: Regular expression requirements for strings, which is valid when type is String or Array.
keywords	Policy keywords	Generally, the name abbreviation of the related product is used as a keyword.
policy_type	Policy type The options are as follows: builtin custom	builtin: the type of policies that are provided and maintained by Config. custom: the type of policies that are customized by users. builtin: the type of policies that are provided and maintained by Config.
policy_rule_type	Policy syntax	Domain Specific Language (DSL): a compliance policy description language provided by Config to describe compliance check logic into a specific policy.
trigger_type	Trigger type. The options are as follows: resource period	resource: The evaluation runs when a specified resource is changed. period: The evaluation runs at the frequency you specify.
default_resource_types	Resource type you want to evaluate with this compliance policy	Most policies only apply to a limited resource types. The types specified by default_resource_types are recommended.

The following JSON is an example policy for checking whether the image ID of an ECS instance is in the specified range:

{
  "id": "5fa265c0aa1e6afc05a0ff07",
  "name": "allowed-images-by-id",
  "description": "If the ID of an ECS's image does not match the specified image ID range, this ECS is non-compliant."
  "parameters": {
    "listOfAllowedImages": {
      "name": "null",
      "description": "The list of allowed image IDs",
      "type": "Array"
      "allowed_values": null,
      "default_value": null,
    }
  },
  "keywords": [
    "ecs",
    "ims"
  ],
  "policy_type": "builtin",
  "policy_rule_type": "dsl",
  "trigger_type": "resource",
  "policy_rule": {
    "allOf": [
      {
         "value": "${resource().provider}",
         "comparator": "equals",
         "pattern": "ecs"
      },
      {
       "value": "${resource().type}",
       "comparator": "equals",
       "pattern": "cloudservers"
      },
      {
       "value": "${resource().properties.metadata.meteringImageId}",
        "comparator": "notIn",
        "pattern": "${parameters('listOfAllowedImages')}"
      }
    ]
   },
}

Compliance Rules

A rule mainly consists of a policy and an applicable scope, for example, some resources in a region.

You can use a JSON expression to represent a rule, as shown in Table 2.

**Table 2** JSON elements of a rule
Parameter	Definition	Constraints	Description
id	The unique ID of a rule	-	-
policy_assignment_type	The tule type	-	The options are as follows: builtin: The rule is based on a built-in policy. If you select this option, policy_definition_id is mandatory. custom: The rule is based on a custom policy. If you select this option, custom_policy is mandatory. If this parameter is not configured, builtin is used by default.
name	The rule name	Its value must be a string with up to 64 characters.	By default, the rule name is the same as the selected policy name. You can customize the rule name. The name can contain up to 64 characters.
description	Supplementary information about the rule	Its value must be a string with up to 512 characters.	By default, the rule description is the same as the description of the selected policy. You can customize the rule description. The description can contain up to 512 characters.
period	How often the rule is executed	-	The options are as follows: One_Hour Three_Hours Six_Hours Twelve_Hours TwentyFour_Hours
policy_filter	The rule filter, which is used to search for the resources that will be evaluated by this rule. A filter has the following properties: region_id: Specifies the region ID. resource_provider: Specifies the service. resource_type: Specifies a resource type of the service. resource_id: Specifies the resource ID. tag_key: Specifies the resource tag key. tag_value: Specifies the resource tag value.	The value must be an object. region_id: Its value must be a string with up to 128 characters. Only letters, digits, and hyphens (-) are allowed. resource_provider: Its value must be a string with up to 128 characters. Only letters and digits are allowed. resource_type: Its value must be a string with up to 128 characters. Only letters and digits are allowed. resource_id: Its value must be a string with up to 256 characters. tag_key: Its value must be a string with up to 128 characters. tag_value: Its value must be a string with up to 256 characters.	NOTE: You use resource_provider in policy_filter to specify target resources. If you do not use resource_provider in policy_filter, the rule will be applied to all resources. There is no other filter type property in policy_filter.
state	The rule status	-	The options are as follows: Enabled: The rule is available. Disabled: The rule is disabled. Evaluating: The rule is being used for resource compliance evaluation.
created	The time when the rule was created	-	NOTE: The value must be a UTC time in the ISO-8601 format (for example, 2018-11-14T08:59:14Z).
updated	The time when the rule was updated	-
policy_definition_id	The ID of the compliance policy bound to the rule	Its value must be a string with up to 64 characters. Only letters, digits, and hyphens (-) are allowed.	Policy ID
custom_policy	The custom policy, which has the following properties: function_urn: Specifies the URN of the function. auth_type: Specifies the authentication type for the function to be invoked. auth_value: Specifies the authentication value of the function to be invoked.	Its value is an object type. function_urn: Its value must be a string with up to 1,024 characters. auth_type: Its value must be a string. Only agency is supported. auth_value: The value must be an object which is related to auth_type. Only the {"agency_name": value_name} structure is supported, where value_name indicates the IAM agency that allows Config to invoke the function.	custom_policy specifies the URN of the function in the custom policy and the authentication type for invoking the function.
parameters	The values of rule parameters	The value must be an object. key: The value must be a string including only letters and numbers. For a custom policy–based rule, the key can contain up to 1,024 characters. value: The value must be an object, and the value restrictions vary depending on the parameter type.	The number, type, and range of rule parameters depend on the compliance policy bound to the rule.
tags	The tags you want to add to a rule	-	A tag key can contain up to 128 Unicode characters. A tag value can contain up to 255 Unicode characters.
created_by	The creator of a rule	-	A rule can be created by a user or by a service-linked agency.

You cannot create a rule to evaluate another rule.

The following predefined policy evaluates compliance based on whether ECSs in regionid_1 have a specific tag (env: production):

{
  "id": "5fcd8696dfb78231e6f2f899",
  "name": "required-tag-check",
  "description": "A resource is non-compliant if it does not contain the specific tag.",
  "policy_filter": {
        "region_id": "regionid_1",
        "resource_provider": "ecs",
        "resource_type": "cloudservers",
        "tag_key": "env",
        "tag_value": "production"
  },
  "period": null,
  "state": "Enabled",
  "created": "2020-12-07T01:34:14.266Z",
  "updated": "2020-12-07T01:34:14.266Z",
  "policy_definition_id": "5fa9f89b6eed194ccb2c04db",
  "parameters": {
        "specifiedTagKey": {
        "value": "a"    },
        "specifiedTagValue": {
        "value": []
    }
  }
  "tags": [],
  "created_by": "custom"
}

Evaluation Results

After an evaluation is triggered, the corresponding evaluation result (PolicyState) will be generated.

An evaluation result is represented in JSON format, as shown in Table 3.

**Table 3** Evaluation result in JSON
Parameter	Definition	Description
domain_id	Account ID	This parameter distinguishes users. domain_id will never be empty in the evaluation result.
resource_id	The ID of the evaluated resource	-
resource_name	The name of the evaluated resource	-
resource_provider	The service the resource belongs to	-
resource_type	The resource type	-
trigger_type	The trigger type	The options are as follows: resource period
compliance_state	The evaluation result	The options are as follows: Compliant NonCompliant
policy_assignment_id	Rule ID	-
policy_definition_id	Policy ID	-
evaluation_time	The evaluation timestamp	-

The following JSON expression shows a non-compliant evaluation result:

{
  "domain_id": "domainidforpolicy",
  "resource_id": "special-ecs1-with-public-ip-with-tag",
  "resource_name": "ecs1-with-public-ip-with-tag",
  "resource_provider": "ecs",
  "resource_type": "cloudservers",
  "trigger_type": "resource",
  "compliance_state": "NonCompliant",
  "policy_assignment_id": "5fa9f8a2501013093a192b07",
  "policy_definition_id": "5fa9f8a2501013093a192b06",
  "evaluation_time": 1604974757084
}

Parent topic: Resource Compliance

Previous topic: Resource Compliance

Next topic: Rules