Updated on 2023-01-10 GMT+08:00

Getting Started

If you are new to RMS, this section helps you quickly get familiar with the main functions of the service.

The following flowchart shows the operation process.

Figure 1 RMS operation process

Enabling the Resource Recorder

After the resource recorder is enabled, you receive notifications of resource changes (creation, modification, and deletion) and resource relationship changes. Resource change notifications and resource snapshots are periodically dumped to an OBS bucket.

  1. Log in to the management console.
  2. In the upper right corner of the page, choose Resources > My Resources.

    Figure 2 RMS service entry

    If the resolution of the screen is low, in the upper right corner of the page, choose More > Resources > My Resources.

    Figure 3 RMS service entry (low resolution)

    Alternatively, click in the upper left corner of the page. In the service list that is displayed, under Management & Governance, select Resource Management.

  3. In the left navigation pane, choose Resource Recorder.
  4. Enable the resource recorder.

    Figure 4 Enable Resource Recorder

Configuring the Resource Recorder

After you enable the resource recorder, configure the required settings on the Resource Recorder page.

  1. Select the monitoring scope.

    All resources supported by RMS are monitored by default. You can modify the monitoring scope by selecting specific resources.

  2. Select an SMN topic.

    Select a region and an SMN topic for receiving notifications of any changes to resources. If no SMN topics are available, create one. For details about how to create an SMN topic, see Creating a Topic.

    After you create a topic, you must add subscriptions to the topic and confirm the subscriptions. For details, see Simple Message Notification User Guide.

  3. Enable Data Dump.

    Select an OBS bucket in the current region for storing resource change notifications and resource snapshots. If no OBS bucket is available, create one. For details about how to create an OBS bucket, see Object Storage Service User Guide.

  4. Select Quick granting.

    If you select Quick granting, the system automatically creates an agency named rms_tracker_agency that grants the minimum permissions required for the resource recorder to work properly. With these permissions, RMS can use SMN to send notifications and dump resource snapshots to the OBS bucket.

  5. Click Save.

Adding an Assignment

  1. In the left navigation pane, choose Resource Compliance.
  2. In the middle of the page, click Add Assignment. On the displayed Configure Basic Details page, select a policy, specify Assignment Name and Description, and click Next.

    Figure 5 Configure Basic Details

    For details about parameter settings, see Table 1.

    Table 1 Basic configuration parameters

    | Parameter | Description |
    |---|---|
    | Policy Type | Possible values are: Built-in policy; Custom policy. |
    | Built-in Policy | Specifies the policy that has been developed for a service. You can use built-in policies to quickly add assignments. For details, see Built-in Policies. |
    | Custom policy | RMS allows you to customize policies to add assignments. For details, see Custom Policies. |
    | Assignment Name | By default, the assignment name is the same as the name of the selected policy. You can also customize the assignment name. There are no restrictions on the assignment name. |
    | Description | By default, the assignment description is the same as the description of the selected policy. You can also customize the assignment description. There are no restrictions on the assignment description. |
    | FunctionGraph Function | Specifies the URN of the FunctionGraph function in the custom policy. This parameter is mandatory only when Policy Type is set to Custom policy. |
    | Grant Permissions | Specifies the name of the IAM agency with which RMS is able to invoke FunctionGraph. This parameter is mandatory only when Policy Type is set to Custom policy. |

  3. On the displayed Configure Assignment Parameters page, configure required parameters and click Next.

    Figure 6 Configure Assignment Parameters

    For details about parameter settings, see Table 2.

    Table 2 Parameter descriptions

    | Parameter | Description |
    |---|---|
    | Trigger Type | Specifies the condition for triggering the assignment. Possible values are: Configuration change (the assignment is triggered when a specific cloud resource is changed); Periodic execution (the assignment is triggered at a specific frequency). |
    | Filter Type | Specifies the resources to evaluate. Possible types are: Specific resources (resources of a specific type will be evaluated); All resources (all resources under your account will be evaluated). This parameter is mandatory only when Trigger Type is set to Configuration change. |
    | Resource Scope | If you set Filter Type to Specific resources, you need to specify a resource scope. Service: select the service the resource belongs to. Resource type: select the resource type of the corresponding service. Region: select the region where the resource is located. This parameter is mandatory only when Trigger Type is set to Configuration change. |
    | Filter Scope | After you enable Filter Scope, you can filter resources by resource ID or tag. You can specify a specific resource for compliance evaluation. This parameter is mandatory only when Trigger Type is set to Configuration change. |
    | Execute Every | Specifies the frequency at which the assignment is triggered. This parameter is mandatory only when Trigger Type is set to Periodic execution. |
    | Configure Assignment Parameters | Specifies the parameter configuration for the built-in policy or custom policy you selected in step Configure Basic Details. For example, if you select policy required-tag-check and Keywords is tag, you need to specify a tag key and a tag value here. Then, resources that do not have this tag are non-compliant. Not all built-in policies have parameters to be configured. For example, if you select policy volumes-encrypted-check, you do not need to configure any assignment parameters. You can set up to 10 assignment parameters for a custom policy. |

  4. On the displayed Confirm page, confirm the assignment information and click Submit.

    Figure 7 Confirm
    Figure 8 Querying an assignment

    After you add an assignment, the first evaluation is automatically triggered immediately.

Viewing Evaluation Results

After the resource compliance evaluation is complete, you can view the evaluation results.

  1. Go to the Resource Compliance page.
  2. Click the name of the assignment you want to view.
  3. View the evaluation results on the displayed Assignment Details page.

An assignment has the following states:

  • Running: The assignment is available.
  • Disabled: The assignment is disabled.
  • Evaluating: The assignment is being used for resource compliance evaluation.

During the evaluation, the assignment is in the Evaluating state. After the evaluation is complete, the assignment status changes to Running. At this time, you can view the evaluation results.

Advanced Queries

Advanced Queries allows you to use ResourceQL to query how your resources in one or more regions are configured.

Advanced Queries allows you to query and browse your resources on Huawei Cloud. You can use ResourceQL to edit SQL statements and query resources in the query editor.

ResourceQL is a subset of the Structured Query Language (SQL) SELECT syntax. It supports attribute-based queries and aggregation over the current resource data. Query complexity varies: you can query resources by tag or resource identifier, or by using complex SQL statements. For example, you can query an ECS with a specified OS version.

You can use Advanced Queries to:

  • Manage inventory. For example, you can query ECSs with certain specifications.
  • Check security compliance of your resources. For example, you can query resources for which specific configuration attributes (EIP and encrypted EVS disks) have been enabled or disabled.
  • Optimize costs. For example, you can query EVS disks that are not attached to any ECS.
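
The inventory and cost cases above, written as ResourceQL queries. This is an added example, not taken from the original page. The table name resources, the columns id, name, provider, type and region_id, and the properties.status attribute are assumptions about the ResourceQL schema; check them against the schema shown in the query editor before relying on the results.

```sql
-- Added example: constructed queries, not from the RMS documentation.
-- Assumed schema: table "resources" with columns id, name, provider, type,
-- region_id, and a nested "properties" object holding service attributes.
-- Run each statement separately in the query editor.

-- Inventory: count ECS instances per region (attribute filter + aggregation).
SELECT region_id, COUNT(*) AS ecs_count
FROM resources
WHERE provider = 'ecs'
  AND type = 'cloudservers'
GROUP BY region_id;

-- Cost: EVS disks that are not attached to any ECS.
-- Assumption: an unattached disk reports status 'available'.
SELECT id, name, region_id
FROM resources
WHERE provider = 'evs'
  AND type = 'volumes'
  AND properties.status = 'available';
```

Unattached disks returned by the second query are also worth reviewing for data-retention reasons, since they may still hold data from ECSs that have since been deleted.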