Config
What's New
Service Overview
Config Infographics
What Is Config?
Function Overview
Billing
Permissions
Basic Concepts
Relationships with Other Services
Constraints and Limitations
Getting Started
Enabling the Resource Recorder
Filtering Resources
Evaluating Resource Compliance
User Guide
Resource List
Viewing Resources
Querying All Resources
Querying Details About a Resource
Filtering Resources
Exporting the Resource List
Viewing Resource Conformance Data
Viewing Resource Relationships
Viewing Resource Changes
Resource Recorder
Overview
Configuring the Resource Recorder
Batch Configuring the Resource Recorder
Notifications
Storing Resource Snapshots
Storing Resource Change Notifications
Resource Recorder Event Monitoring
Resource Compliance
Overview
Rules
Adding a Rule Based on a Built-in Policy
Adding a Custom Rule
Viewing a Rule
Triggering a Rule Evaluation
Editing a Rule
Example Custom Rules
Example Functions (Python)
Events
Organization Rules
Adding a Predefined Organization Rule
Creating a Custom Organization Rule
Viewing an Organization Rule
Modifying an Organization Rule
Deleting an Organization Rule
Example Custom Organization Rules
Example Functions (Python)
Events
Viewing Non-Compliant Resources
Configuring Remediation for Compliance Rules
Introduction
Configuring Remediation
Remediation Configuration Examples
Manual Remediation
Setting Remediation Exceptions
Editing a Remediation Configuration
Deleting Remediation Configurations
Compliance Rule Concepts
Policy
Rule
Evaluation Results
Built-In Policies
Predefined Policy List
General Policies
Resource Names Meet Regular Expression Requirements
Resources Have All the Specified Tags Attached
Resources Have One of the Specified Tags Attached
Tag Prefixes and Suffixes Check
Resources Have at Least One Tag Attached
Resource Tag Check
Resources Are in Specified Enterprise Projects
Resources Are in Specified Regions
Resource Type Check by Specifying Allowed Resource Types
Resource Type Check by Specifying Unallowed Resource Types
Resource Status Check
API Gateway
Dedicated API Gateways Have an Authorization Type Set
Dedicated API Gateways Have Logging Enabled
Dedicated API Gateways Use SSL Certificates
Dedicated API Gateway Bound to a Specified VPC
Dedicated API Gateway Deployed in Multiple AZs
EIP Bound to a Dedicated API Gateway
CodeArts Deploy
Clusters Are Available
Project Parameter Encryption Check
MapReduce Service
MRS Clusters Have Specified Security Groups Attached
MRS Clusters Are in Specified VPCs
MRS Clusters Have Kerberos Enabled
MRS Clusters Are Deployed Across AZs
MRS Clusters Should Not Use EIPs
KMS Encryption Is Enabled for MRS Clusters
NAT Gateway
Private NAT Gateways Are in Specified VPCs
VPC Endpoint
VPC Endpoint Check for Specified Services
Web Application Firewall
Protection Policies Must Be Configured for Domain Names Protected with WAF
WAF Protection Policies Must Have Rules Configured
WAF Instances Must Be Enabled to Protect Domain Names
Geolocation Access Control Rule Must Be Configured
Protective Action for WAF Instance Protection Policies Must Be "Block"
Elastic Load Balance
Load Balancers Should Not Use EIPs
ELB Listeners Have Specified Security Policies Added
ELB Listeners Are Configured to Use HTTPS or TLS
Weight Check for Backend Servers
HTTPS Redirection Check
Single-AZ Load Balancer Check
ELB Load Balancers Have Access Logging Configured
Elastic IP
EIP Bandwidth Limit Check
Idle EIP Check
EIPs Bound Within Specified Days
Auto Scaling
AS Priority Policy Check
AS Groups Are Associated with an Elastic Load Balancer that Uses Health Check
Multi-AZ Deployment Has Been Configured
IPv6 Bandwidth Check
AS Groups Are in Specified VPCs
Scalable File Service Turbo (SFS Turbo)
SFS Turbo File Systems Have KMS Encryption Enabled
SFS Turbo Systems Are Associated with Backup Vaults
SFS Turbo Backup Time Check
Elastic Cloud Server
Flavor Check
Image Check
Image Check by Tag
Security Group Check by ID
Number of ECS vCPUs
ECS Instances Are in the Specified VPC
ECSs Have Key Pairs Attached
ECS Memory Size
ECSs Cannot Be Accessed Through Public Networks
ECS Status Check
An ECS Must Have No More Than One EIP
Idle ECS Check
ECSs Have IAM Agencies Attached
Image Check by Name
ECSs Have Backup Vaults Attached
ECS Backup Time Check
ECSs Have HSS Agents Attached
Distributed Cache Service
DCS for Memcached Instances Support SSL
DCS Memcached Instances Are in a Specified VPC
DCS for Memcached Instances Should Not Use EIPs
DCS for Memcached Access Password Check
DCS for Redis Instances Support SSL
Cross-AZ Deployment Check
DCS Redis Instances Are in the Specified VPC
DCS for Redis Instances Should Not Use EIPs
DCS for Redis Access Password Check
DCS for Redis Instance Version
DCS for Redis Instance Port Check
FunctionGraph
Concurrency Check
FunctionGraph Functions Are Allowed to Access Resources in a Specified VPC Only
Public Access Check
Basic Configuration Check
FunctionGraph Functions Have Log Collection Enabled
Content Delivery Network (CDN)
CDN Domains Use HTTPS Certificates
Origin Protocol Policy Check
TLS Version Check
Certificate Source Check
Config
(Discarded) The Resource Recorder Is Enabled
Resource Recorder Configuration Check
Data Warehouse Service
KMS Encryption Check
Audit Log Dump Is Enabled for DWS Clusters
Automated Snapshots Are Enabled for DWS Clusters
SSL Encryption Is Enabled for DWS Clusters
DWS Clusters Should Not Use EIPs
O&M Time Window Check
DWS Clusters Are in Specified VPCs
Data Replication Service
Network Type Check for DR Tasks
Network Type Check for Migration Tasks
Network Type Check for Synchronization Tasks
SSL Enabled for DRS Tasks
Data Encryption Workshop
Key Status Check
Key Rotation Has Been Enabled
CSMS Secrets Are Rotated
CSMS Secrets Have Enabled Automatic Rotation
CSMS Secrets Must Use the Specified KMS Keys
CSMS Secrets Have Been Rotated Within the Specified Period
Identity and Access Management
Key Rotation Check
IAM Policies Do Not Allow Blocked Actions on KMS Keys
Each User Group Has at Least One User
Password Strength Check
Unintended Policy Check
Admin Permissions Check
Custom Policies Do Not Allow All Actions for a Service
The Root User Should Not Have Available Access Keys
Access Mode Check
Access Key Check
IAM Users Are in Specified User Groups
Last Login Check
Multi-Factor Authentication Check
A User Does Not Have Multiple Active Access Keys
MFA Has Been Enabled for Console Login
The Root User Has MFA Enabled
All IAM Policies Are in Use
All IAM Roles Are in Use
Login Protection Check
IAM Agencies Contain Specified Policies
The Admin User Group Only Contains the Root User
IAM Users Do Not Have Directly Assigned Policies or Permissions
Access Key Used Within the Specified Period
Document Database Service
SSL Has Been Enabled
DDS Instance Type Check
DDS Instances Should Not Use EIPs
DDS Instances Should Not Use Unallowed Ports
DDS Instance Version Check
Simple Message Notification
Log Reporting to LTS Has Been Enabled
Virtual Private Cloud
Idle ACL Check
VPC Connected to a Specified VPC Endpoint Service
Default Security Group Check
VPCs Have Enabled Flow Logs
Security Group Port Check
Inbound Traffic Is Allowed on Specified Ports Only
Inbound Traffic Is Allowed on SSH Ports Only
Non-whitelisted Ports Must Be Disabled in a Security Group
A Security Group Should Connect to At Least One Elastic Network Interface
Virtual Private Network
Connection State Check
Cloud Eye
Alarm Rules Are Enabled
Alarm Rules Have Been Configured for Key Disablement and Deletion
Alarms Have Been Created for OBS Bucket Policy Changes
Specified Resources Have Certain Metric Attached
Alarm Rule Configurations Check
Alarms Have Been Configured for VPC Changes
Cloud Container Engine
End of Maintenance Check
Oldest Supported Version Check
CCE Clusters Should Not Use EIPs
Flavor Check
CCE Clusters Are in Specified VPCs
Cloud Trace Service
CTS Trackers Have Traces Encrypted
Log Transfer to LTS Is Enabled
CTS Trackers Have Been Created for the Specified OBS Bucket
Trace File Verification Is Enabled
At Least One Tracker Is Enabled
There Are CTS Trackers In the Specified Regions
CTS Trackers Comply with Security Best Practices
Relational Database Service
Backup Is Enabled for RDS DB Instances
Error Log Collection Is Enabled for RDS Instances
RDS Instances Support Slow Query Logs
Single-AZ Cluster Check
RDS DB Instances Should Not Use EIPs
RDS Instances Use KMS Encryption
RDS Instances Are in the Specified VPC
Both Error Logs and Slow Query Logs Are Collected for RDS Instances
Flavor Check
RDS Instances Have SSL Enabled
RDS Default Port Check
Version Check for RDS Instance Engines
RDS Instances Have Audit Log Enabled
GaussDB
GaussDB Instances Are in the Specified VPC
Audit Log Collection Is Enabled
Automated Backup Is Enabled
Error Log Collection Is Enabled
Slow Query Log Collection Is Enabled
GaussDB Instance EIP Check
Cross-AZ Deployment Check
Data Transmission Encryption Is Enabled
GaussDB Instance Port Check
TaurusDB
The Slow Query Log Is Enabled
Error Logging Is Enabled
Backup Is Enabled
The Audit Log Reporting Is Enabled
Data Transmission Encryption Is Enabled
Cross-AZ Deployment Check
TaurusDB Instance EIP Check
VPC Check
TaurusDB Database Engine Version
TaurusDB Instance Port Check
GeminiDB
GeminiDB Instances Have Slow Logs Enabled
GeminiDB Instances Have Error Logs Enabled
GeminiDB Instances Have Disk Encryption Enabled
GeminiDB Instances Have Backup Enabled
GeminiDB Instances Are Deployed Across AZs
GeminiDB Database Engine Version
GeminiDB Instance Port Check
SSL-Encrypted Transmission for GeminiDB Instances
Cloud Search Service
CSS Clusters Have the Security Mode Enabled
The Snapshot Function Is Enabled for CSS Clusters
Disk Encryption Is Enabled for CSS Clusters
HTTPS Access Is Enabled for CSS Clusters
CSS Clusters Are in Specified VPCs
Single-AZ CSS Cluster Check
A CSS Cluster Has at Least Two Instances
CSS Clusters Are Not Publicly Accessible
CSS Clusters Support the Security Mode
CSS Clusters Have Access Control Enabled
CSS Clusters Have Kibana Public Access Control Enabled
CSS Clusters Have Slow Query Log Enabled
CSS Cluster Update Check
Elastic Volume Service
EVS Disk Type Check
Disks Are Used Within the Specified Time
Idle EVS Disk Check
EVS Disks Are Encrypted
Disk Encryption Is Enabled
EVS Disks Have Backup Vaults Attached
EVS Backup Time Check
Cloud Certificate Manager
Expiration Check for Private CAs
Expiration Check for Private Certificates
Private Root CAs Are Disabled
Private CA Algorithm Check
Distributed Message Service for Kafka
SSL Is Enabled for Private Networks Access of DMS for Kafka
SSL Is Enabled for Public Networks Access of DMS for Kafka
DMS for Kafka Should Not Be Publicly Accessible
Distributed Message Service for RabbitMQ
SSL Is Enabled for DMS RabbitMQ Queues
DMS for RabbitMQ Should Not Be Publicly Accessible
Distributed Message Service for RocketMQ
DMS RocketMQ Instances Have SSL Enabled
RocketMQ Allows Public Access
Organizations
Accounts Have Been Added to Organizations
Cloud Firewall
CFW Instances Have Protection Policies Attached
Cloud Backup and Recovery
Backup Encryption Check
Backup Policy Execution Frequency Check
Minimum Retention Days of CBR Vault
Cross-Region Replication for CBR Backup Vaults
Backup Locked for CBR Vaults
Multi-AZ Backup for CBR Vaults
Object Storage Service
OBS Bucket Policies Do Not Allow Blacklisted Actions
OBS Bucket Policies Only Allow Access from the Specified Objects
Permission Boundary Check
OBS Bucket Policies Should Not Allow Public Read Access
OBS Bucket Policies Should Not Allow Public Write Access
OBS Buckets Do Not Allow HTTP Requests
OBS Buckets Have Logging Enabled
OBS Buckets Have Enabled Versioning
OBS Buckets Are Not Associated with Non-Default ACLs
OBS Buckets Have Cross-Region Replication Enabled
OBS Buckets Have Server-side Encryption Enabled
OBS Buckets Have Lifecycle Management Enabled
OBS Buckets Have WORM Enabled
OBS Buckets Use Server-side Encryption with KMS-Managed Keys
Storage Class Check
OBS Bucket Policy Check
Image Management Service
Private Images Have Encryption Enabled
Bare Metal Server
BMSs Have Key Pair Login Enabled
Graph Engine Service
GES Graphs Are Encrypted Using KMS
GES Graphs Have LTS Enabled
GES Graphs Support Cross-AZ HA
IAM Identity Center
IdP Certificate Validity Check
SCIM Token Validity Check
Workspace
Workspace Backup Time Window
Workspace Attached to a Backup Vault
Resource Compliance Event Monitoring
Conformance Packages
Overview
Conformance Packages
Creating a Conformance Package
Viewing Conformance Packages and Compliance Data
Modifying a Conformance Package
Deleting a Conformance Package
Organization Conformance Packages
Creating an Organization Conformance Package
Viewing an Organization Conformance Package
Modifying an Organization Conformance Package
Deleting an Organization Conformance Package
Custom Conformance Packages
Conformance Package Templates
Overview
Conformance Package for Classified Protection of Cybersecurity Level 3 (2.0)
Conformance Package for the Financial Industry
Conformance Package for Network Security
Conformance Package for Identity and Access Management
Conformance Package for Cloud Eye
Conformance Package for Compute Services
Conformance Package for ECS
Conformance Package for ELB
Conformance Package for Management and Regulatory Services
Conformance Package for RDS
Conformance Package for AS
Conformance Package for CTS
Conformance Package for AI and Machine Learning
Conformance Package for Autopilot
Conformance Package for Enabling Public Access
Conformance Package for Logging and Monitoring
Conformance Package for Architecture Reliability
Conformance Package for Hong Kong Monetary Authority of China Requirements
Conformance Package for ENISA Requirements
Conformance Package for SWIFT CSP
Conformance Package for Germany Cloud Computing Compliance Criteria Catalogue
Conformance Package for PCI DSS
Conformance Package for Healthcare Industry
Best Practices of Network and Data Security
Conformance Package for Landing Zone
Architecture Security Best Practices
Best Practices for Network and Content Delivery Service Operations
Best Practices for Idle Asset Management
Multi-AZ Deployment Best Practices
Resource Stability Best Practices
Best Practices for API Gateway
Best Practices for Cloud Container Engine
Best Practices for Content Delivery Network
Best Practices for FunctionGraph
Best Practices for GaussDB
Best Practices for GeminiDB
Best Practices for MapReduce Service
Best Practices for NIST Requirements
Best Practices for Singapore Financial Industry
Best Practices for Secure Identity and Compliance Operations
Conformance Package for Huawei Cloud Security Configuration Guide (Level 1)
Conformance Package for Huawei Cloud Security Configuration Guide (Level 2)
Best Practices for Static Data Encryption
Best Practices for Data Transmission Encryption
Best Practices for Cloud Backup and Recovery
Best Practices for Cloud Search Service
Best Practices for Distributed Cache Service
Best Practices for Distributed Message Service
Best Practices for Data Warehouse Service
Best Practices for TaurusDB
Best Practices for Object Storage Service
Best Practices for Virtual Private Cloud
Best Practices for Web Application Firewall
Compliance Package for GDPR Standards
Advanced Queries
Overview
Restrictions
Creating a Custom Query
Viewing a Query
Modifying a Custom Query
Deleting a Query
Resource Aggregation
Overview
Creating a Resource Aggregator
Viewing Resource Aggregators
Modifying an Aggregator
Deleting a Resource Aggregator
Viewing Aggregated Rules
Viewing Aggregated Resources
Authorizing an Aggregator Account
Advanced Queries
Cloud Trace Service
Supported Config Operations
Viewing CTS Traces in the Trace List
Cloud Eye Monitoring
Monitored Config Events
Creating an Alarm Rule
Appendix
Supported Services and Regions
Relationships with Supported Resources
Supported Services and Resources
Notification Models
Resource Change Notification Model
Resource Relationship Change Notification Model
Resource Snapshot Storage Notification Model
Notification Model of Resource Change Notification Storage
Storage Models
Resource Snapshot Storage Model
Storage Model of Resource Change Notifications
ResourceQL Syntax
Overview
Syntax
Functions
API Reference
Before You Start
API Overview
Calling APIs
Making an API Request
Authentication
Response
APIs
Resource List
Querying Resources of a Specific Type
Querying Cloud Services
Listing All Interconnected Cloud Services
Querying a Resource
Querying All Resources Recorded by the Resource Recorder
Querying How Many Resources Are Recorded by the Resource Recorder
Querying Resource Tags Recorded by the Resource Recorder
Querying Resource Overview Recorded by the Resource Recorder
Querying a Specific Resource Recorded by the Resource Recorder
Querying All Resources Under an Account
Querying a Resource Under an Account
Querying Resource Tags
Querying the Number of Resources
Querying Resource Overview
Resource Recorder
Querying the Resource Recorder
Deleting the Resource Recorder
Creating or Modifying the Resource Recorder
Resource Relationships
Querying Resource Relationships
Querying Details About Resource Relationships
Resource Change Records
Querying Change Records of a Resource
Compliance
Querying Built-in Policies
Querying Specific Built-in Policy
Adding a Rule
Querying Rules
Modifying a Rule
Querying a Specific Rule
Deleting a Rule
Enabling a Rule
Disabling a Rule
Running a Resource Compliance Evaluation
Querying the Evaluation Status of a Rule
Querying Resource Compliance Summary
Querying the Compliance of a Resource
Querying the Compliance of a Rule
Querying Compliance Summary by Rule
Querying Compliance of an Account
Updating the Compliance Result
Querying Compliance Summary by User
Creating an Organization Rule
Querying Organization Rules
Querying a Specific Organization Rule
Deleting an Organization Rule
Updating an Organization Rule
Querying the Deployment Status of an Organization Rule
Querying Statuses of Organization Rule Deployment to Member Accounts
Setting up or Updating Remediation Configurations
Querying Remediation Configurations
Deleting Remediation Configurations
Batch Creating Remediation Exceptions
Batch Deleting Remediation Exceptions
Querying Remediation Exceptions
Starting Remediation
Querying Remediation Results
Collecting Remediation Results
Region Management
Querying Available Regions
Advanced Queries
Running Advanced Queries
Creating an Advanced Query
Querying Advanced Queries
Querying an Advanced Query
Updating an Advanced Query
Deleting an Advanced Query
Querying Schemas
Resource Aggregators
Creating a Resource Aggregator
Querying Resource Aggregators
Querying a Specific Resource Aggregator
Querying Account Aggregation Statuses of a Specific Aggregator
Updating a Resource Aggregator
Deleting a Resource Aggregator
Authorizing an Aggregator Account
Querying Authorized Aggregator Accounts
Deleting Authorization for an Aggregator Account
Querying All Pending Aggregation Requests
Deleting Pending Authorization Requests
Querying the Number of Resources of an Aggregator Account
Querying Resources of an Aggregator Account
Querying Details About a Specific Resource in a Source Account
Performing an Advanced Query on a Specific Aggregator
Querying the Compliance Summary of One or More Source Accounts in an Aggregator
Querying Aggregated Rules
Querying Compliance Results of Aggregated Resources
Querying Details About a Specified Aggregated Rule
Conformance Packages
Querying Conformance Packages
Creating a Conformance Package
Querying a Specific Conformance Package
Deleting a Conformance Package
Updating Conformance Packages
Querying Compliance of all Conformance Packages
Querying Compliance of all Rules in a Conformance Package
Querying Compliance of All Resources Evaluated with a Conformance Package
Querying Scores of All Conformance Packages
Querying Built-in Conformance Package Templates
Querying the Template of a Built-in Conformance Package
Creating Organization Conformance Packages
Querying Organization Conformance Packages
Querying an Organization Conformance Package
Deleting Organization Conformance Packages
Updating Organization Conformance Packages
Querying the Deployment Status of the Organization Conformance Package
Querying the Statuses of Organization Conformance Package Deployment to Members
Resource Tags
Querying Resources
Querying Resource Statistics
Batch Adding Resource Tags
Batch Deleting Resource Tags
Querying Tags of a Resource
Querying Tags of a Resource Type
Permissions Policies and Supported Actions
Permissions Policies and Supported Actions
Resource Query
Resource Recorder
Compliance
Advanced Queries
Resource Aggregation
Conformance Packages
Resource Tag
Appendixes
Error Codes
Supported Services and Resource Types
Obtaining an Account ID
Status Codes
Obtaining a Project ID
Best Practices
Creating Alarm Rules for Noncompliant Resources with Cloud Eye
Using Advanced Queries
Querying Resources That Do Not Have Specific Tags
Ensuring Resource Compliance by Tag, Region, and Organization
Automating Resource Management
SDK Reference
SDK Overview
Using the SDK to Create Rules
Using the SDK to Query Resource Details, Relationships, and Change Records
FAQs
Resource List
Resource Compliance
Resource Recorder
General Reference
Glossary
Service Level Agreement
White Papers
Endpoints
Permissions