Configuring the Resource Recorder

Updated on 2025-01-22 GMT+08:00

Scenarios

You must enable the resource recorder for Config to track changes to your resource configurations.

You can modify or disable the resource recorder at any time.

You can enable or modify the resource recorder up to 10 times per day. The count resets at 00:00 every day.

Enabling the Resource Recorder

If you enable the resource recorder and specify an OBS bucket and an SMN topic when configuring it, Config notifies you of any change (creation, modification, deletion, or relationship change) to resources within the monitoring scope and periodically stores your notifications and resource snapshots.

  1. Log in to the management console.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. In the navigation pane on the left, choose Resource Recorder.
  4. Toggle on the resource recorder and in the displayed dialog box, click OK.

    Figure 1 Enabling the resource recorder

  5. Select the monitoring scope.

    By default, all resources supported by Config will be recorded by the resource recorder. You can also specify a resource scope for the resource recorder.

    NOTE:

    By default, the resource recorder records all resources of Config, and these resources cannot be deselected.

    Figure 2 Specifying the monitoring scope

  6. Specify an OBS bucket.

    Specify an OBS bucket to store notifications of resource changes and resource snapshots.

    To enable the resource recorder, you must configure either an SMN topic or an OBS bucket.

    • Select an OBS bucket from the current account:

      Select Your bucket and then select a bucket from the drop-down list to store resource change notifications and resource snapshots. If you need to store the notifications and snapshots to a specific folder in the OBS bucket, enter the folder name after you select a bucket. If there are no OBS buckets in the current account, create one first. For details, see Creating a Bucket.

    • Select an OBS bucket from another account:

      Select Other users' bucket and then configure Region ID and Bucket Name. If you need to store the notifications and snapshots to a specific folder in the OBS bucket, enter the folder name after you select a bucket. If you select a bucket from another account, that account must grant you the required permissions. For details, see Cross-Account Authorization.

    NOTE:

    After you specify an OBS bucket from the current or another account, Config will write an empty file named ConfigWritabilityCheckFile to the OBS bucket to verify whether resources can be written to the OBS bucket. If an error is reported, you can address the error based on Why Is an Error Reported When Data Is Dumped to the OBS Bucket After the Resource Recorder Is Enabled?

    Figure 3 Specifying an OBS bucket

  7. Specify a data retention period.

    Select Seven years (2,557 days) or select A custom period and enter a retention period from 30 days to 2,557 days.

    NOTE:

    The data retention period only applies to resource configurations and snapshots reserved by Config. It will not affect your data storage with SMN or OBS.

    After a retention period is configured, Config will delete data older than the retention period.

    If you modify the data retention period, the change is only applied to newly recorded data. Existing data is not affected. For example, if you modify the data retention period from 100 days to 30 days, data recorded after the modification will only be retained for 30 days by Config, and data recorded before the modification will still be retained for 100 days.

    Figure 4 Specifying a data retention period

  8. (Optional) Configure an SMN topic.

    Toggle on Topic, then select a region and an SMN topic for receiving notifications of resource changes.

    • Select a topic from the current account:

      Select Your topic, then select a region and an SMN topic. If there are no SMN topics available, create one first. For details, see Creating a Topic.

    • Select a topic from another account:

      Select Topic under other account, then enter a topic URN. For more details about topic URNs, see Concepts. If you select a topic from another account, that account must grant you the required permissions. For details, see Cross-Account Authorization.

    NOTE:

    To send notifications with an SMN topic, creating the topic is not enough: you must also add subscriptions and request subscription confirmations.

    Figure 5 Selecting an SMN topic

  9. Grant permissions.

    • Quick granting: This option automatically creates an agency named rms_tracker_agency that grants the permissions the resource recorder needs to work properly. The agency's permissions include SMN Administrator for sending notifications and OBS OperateAccess for writing data into an OBS bucket. The agency created by quick granting does not contain KMS permissions, so the resource recorder cannot store resource change notifications and snapshots to an OBS bucket that is encrypted using KMS. If you need to use an encrypted bucket, add the required KMS Administrator permissions to the agency or use custom authorization. For details, see Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket.

      For details about how to add permissions in an agency, see Deleting or Modifying Agencies.

    • Custom granting: You can create an agency using IAM to customize authorization for Config. The agency must include either the permissions for sending notifications using an SMN topic or the permissions for writing data into an OBS bucket. To store resource changes and snapshots to an OBS bucket that is encrypted using KMS, you need the required KMS Administrator permissions. For details, see Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket. For details about how to create an agency, see Cloud Service Agency.
      Figure 6 Grant permissions

  10. Click Save.
  11. In the displayed dialog box, click OK.

Modifying the Resource Recorder

You can modify the resource recorder at any time.

  1. In the navigation pane on the left, choose Resource Recorder.
  2. Click Modify Resource Recorder.

    Figure 7 Modifying the resource recorder

  3. Modify configurations.
  4. Click Save.
  5. In the displayed dialog box, click OK.

Disabling the Resource Recorder

You can disable the resource recorder at any time.

  1. In the navigation pane on the left, choose Resource Recorder.
  2. Toggle off the resource recorder.
  3. In the displayed dialog box, click OK.

    Figure 8 Disabling the resource recorder

Cross-Account Authorization

  • Granting SMN topic permissions to another account
    1. Log in to the management console with the authorizing account and go to the SMN console.
    2. Attach related SMN permissions to target accounts based on Configuring Topic Policies in Basic Mode.

      If the related SMN permissions are not attached to an account, that account cannot receive resource change notifications.

  • Granting OBS bucket permissions to another account
    1. Log in to the management console with the authorizing account and go to the OBS console.
    2. Grant related OBS permissions to target accounts based on Creating a Custom Bucket Policy (JSON View).

      The following is an example of a bucket policy. The policy allows the authorized account to store data into a specific object or folder in an OBS bucket. You need to configure the following parameters in a bucket policy:

      • ${account_id}: ID of the authorized account
      • ${agency_name}: Agency name. If you choose Quick granting, this parameter will be set to rms_tracker_agency.
      • ${bucket_name}: The name of an OBS bucket.
      • ${folder_name}: The name of a folder in an OBS bucket. If you do not need to specify a folder or object in an OBS bucket, you do not need to configure /${folder_name}.
      {
        "Statement": [
          {
            "Sid": "org-bucket-policy",
            "Effect": "Allow",
            "Principal": {
              "ID": [
                "domain/${account_id}:agency/${agency_name}"
              ]
            },
            "Action": [
              "PutObject"
            ],
            "Resource": [
              "${bucket_name}/${folder_name}/RMSLogs/*/Snapshot/*",
              "${bucket_name}/${folder_name}/RMSLogs/*/Notification/*"
            ]
          }
        ]
      }
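The bucket policy above can be rendered from its four parameters and checked for anything broader than what it grants. The following Python sketch is an added example, not Huawei Cloud code: `build_policy` and `audit_policy` are hypothetical helper names, the account ID and bucket name are constructed values, and the policy is assumed to use the list form shown above.

```python
import json

# Action and path suffixes taken from the policy on this page.
ALLOWED_ACTIONS = {"PutObject"}
SUFFIXES = ("/RMSLogs/*/Snapshot/*", "/RMSLogs/*/Notification/*")


def build_policy(account_id, bucket_name, folder_name="", agency_name="rms_tracker_agency"):
    """Render the bucket policy; /${folder_name} is omitted when no folder is used."""
    folder = folder_name.strip("/")
    prefix = f"{bucket_name}/{folder}" if folder else bucket_name
    return {"Statement": [{
        "Sid": "org-bucket-policy",
        "Effect": "Allow",
        "Principal": {"ID": [f"domain/{account_id}:agency/{agency_name}"]},
        "Action": ["PutObject"],
        "Resource": [f"{prefix}{suffix}" for suffix in SUFFIXES],
    }]}


def audit_policy(policy, account_id, bucket_name, agency_name="rms_tracker_agency"):
    """List every way an Allow statement is broader than the policy shown on this page."""
    expected = f"domain/{account_id}:agency/{agency_name}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for principal in stmt.get("Principal", {}).get("ID", []):
            if principal != expected:
                findings.append(f"{sid}: unexpected principal {principal}")
        for action in stmt.get("Action", []):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} is not needed by the recorder")
        for resource in stmt.get("Resource", []):
            in_bucket = resource.startswith(bucket_name + "/")
            if not (in_bucket and resource.endswith(SUFFIXES)):
                findings.append(f"{sid}: resource {resource} is outside the RMSLogs paths")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    acct, bucket = "0123456789abcdef0123456789abcdef", "config-archive-example"
    policy = build_policy(acct, bucket, folder_name="audit")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, acct, bucket))  # the rendered policy has no findings
```

Running the audit against the policy actually attached to the bucket, rather than the one you intended to attach, shows whether extra principals, actions, or paths were added later.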

Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket

  • Using an OBS bucket that is encrypted with SSE-OBS

    If you need to store resource change notifications and snapshots to an OBS bucket encrypted using SSE-OBS, you only need to select the corresponding OBS bucket and no other operations are required.

  • Using an OBS bucket that is encrypted with a default key of SSE-KMS

    If you need to store resource change notifications and snapshots to an OBS bucket encrypted using a default key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder.

  • Using an OBS bucket that is encrypted with a custom key of SSE-KMS

    If you need to store resource change notifications and snapshots to an OBS bucket that is encrypted using a custom key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder.

    If you need to store resource change notifications and snapshots to an OBS bucket that is from another account, and that is encrypted using a custom key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder, and set the cross-account permission for the key at the same time. The procedure is as follows:

    1. Log in to the management console and go to the Key Management Service page on the Data Encryption Workshop (DEW) console.
    2. In the Custom Keys tab, click the alias of a target key to go to its details page and create a grant on it.
    3. Grant the account the permissions for using the key based on Creating a Grant.
      • Select Account for User or Account and enter an account ID.
      • Select Create Data Key, Describe Key, and Decrypt Data Key for Granted Operations.
