Evaluating Resource Compliance
Scenario
You can create a rule to evaluate your resource compliance. When creating a rule, you need to select a built-in policy or a custom policy, specify a monitoring scope, and specify the trigger. After the evaluation, you can check the evaluation results.
This section uses the built-in policy Last Login Check as an example to describe how to detect inactive IAM users. This policy helps reduce the number of idle users and the risk of password leakage, which improves account security.
Preparations
- If you already have a Huawei account, skip this step. If you do not have one, follow these steps to create one:
- Go to Huawei Cloud and click Sign Up.
- Sign up for a Huawei account and enable Huawei Cloud services.
After your account is created, you will be directed to your personal information page.
- Complete real-name authentication by following the instructions in Individual Real-Name Authentication or Enterprise Real-Name Authentication.
- Topping Up Your Account
Config is free of charge, but the SMN topic and the OBS bucket that you configure for the resource recorder are billed. For details, see SMN billing and OBS billing.
Ensure your account has sufficient balance to avoid unavailability of the resource recorder and other functions of Config. For more details, see Topping up an Account.
- Enabling the Resource Recorder
The resource recorder must be enabled for adding, modifying, enabling, or triggering a rule. If the resource recorder is disabled, you can only view, disable, and delete rules. In addition, only resources within the monitoring scope of the resource recorder can be evaluated by Config rules, so you are advised to select all your resources when you configure the resource recorder.
Step 1: Add a Rule
The following procedure involves specific parameters for the example rule. Other rules may contain different parameters. For more details, see Adding a Rule with a Predefined Policy.
- Log in to the management console.
- Click in the upper left corner of the page. In the service list that is displayed, under Management & Governance, select Config.
- In the navigation pane on the left, choose Resource Compliance.
- On the Rules tab, click Add Rule.
- On the Basic Configurations page, select iam-user-last-login-check and click Next.
- On the Configure Rule Parameters page, configure the required parameters based on the following table and click Next.

| Parameter | Example | Description |
| --- | --- | --- |
| Execute Every | 24 hours | How often the rule is triggered. The rule is periodically triggered at the configured frequency. Available options: 1 hour, 3 hours, 6 hours, 12 hours, 24 hours. |
| Resource Scope | All | The region where your resources are deployed. Only resources in the specified region are evaluated. |
| Configure Rule Parameters | 90 | Number of days during which an IAM user has not logged in to the system. The default value is 90. If an IAM user does not log in to the system within the specified period, the user is noncompliant. |
- On the Confirm page, confirm the rule information and click Submit.
After you add a rule, the first evaluation is automatically triggered immediately.
Step 2: View Evaluation Results
- On the Rules tab of the Resource Compliance page, click the name of the rule that was added in Step 1.
- View evaluation results and rule details on the Basic Information tab.
By default, noncompliant resources are displayed. Above the list, you can filter the resources by evaluation result, resource name, and resource ID. You can also export all evaluation results.
IAM users that have not logged in to the management console within 90 days are listed as noncompliant. You can then take action on these users as needed.
Related Information
Config also provides the following features to meet your resource compliance audit requirements:
- Custom rules: You can create custom rules with FunctionGraph if built-in policies cannot meet your resource audit requirements.
- Organization rules: If you are an organization administrator or a delegated administrator of Config, you can add organization rules, which apply to all member accounts in your organization.
- Conformance packages: A conformance package is a collection of rules. With conformance packages, you can evaluate resource compliance using multiple rules at the same time and centrally query conformance data.