Updated on 2024-03-18 GMT+08:00

Configuring the Resource Recorder

Scenarios

You must enable the resource recorder before Config can track your resource configurations.

You can modify or disable the resource recorder at any time.

To enable, configure, or modify the resource recorder, you need the required permissions. For details about Config permissions, see Permissions Management.

Enabling the Resource Recorder

After the resource recorder is enabled, you will be notified of any resource changes (creations, modifications, deletions, or relationship changes) and have your notifications and resource snapshots stored periodically.

  1. Log in to the management console.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. In the left navigation, choose Resource Recorder.
  4. Toggle on the resource recorder. In the dialog box, click Yes.

    Figure 1 Enabling the resource recorder

  5. Select the monitoring scope.

    By default, the resource recorder records all supported resources. You can specify a resource scope for the resource recorder.

  6. Specify an OBS bucket.

    Specify an OBS bucket to store notifications of resource changes and resource snapshots. If no OBS bucket is available, create one. For details about how to create an OBS bucket, see Object Storage Service User Guide.

    • Select an OBS bucket from the current account:

      Click Your bucket. If the OBS bucket name has a prefix, you need to enter the prefix. If no OBS buckets are available in the current account, create one. For details about how to create an OBS bucket, see Object Storage Service User Guide.

    • Select an OBS bucket from another account:

      Select Other users' bucket, then configure Region ID and Bucket Name. If the OBS bucket name has a prefix, you need to enter the prefix. If you select a bucket from another account, you need the required permissions granted by that account. For details, see Cross-Account Authorization.

    After you have specified an OBS bucket, Config writes an empty file named ConfigWritabilityCheckFile to the OBS bucket to verify that it can write to the bucket.

  7. Select an SMN topic.

    Toggle on Topic, then select a region and an SMN topic for receiving notifications of resource changes. If no SMN topics are available, create one. For details about how to create an SMN topic, see Simple Message Notification User Guide.

    • Select a topic from the current account:

      Select Your topic, then select a region and an SMN topic. If no SMN topics are available, create one. For details about how to create an SMN topic, see Simple Message Notification User Guide.

    • Select a topic from another account:

      Select Topic under other account, then enter a topic URN. If you select a topic from another account, you need the required permissions granted by that account. For details, see Cross-Account Authorization.

    After you create a topic, you must add subscriptions to the topic and confirm the subscriptions. For details, see Simple Message Notification User Guide.

  8. Grant permissions.

    • Quick granting: This option automatically creates an agency named rms_tracker_agency to grant the permissions the resource recorder needs to work properly. The agency contains permissions such as SMN Administrator and OBS OperateAccess, for sending notifications using an SMN topic and for writing data into an OBS bucket. The agency created by quick granting does not contain KMS permissions, so the resource recorder cannot store resource change messages and resource snapshots in an OBS bucket encrypted using KMS. If you need to do so, add the KMS Administrator permission to the agency or use custom granting. For details, see Storing Resource Change Messages and Resource Snapshots to an Encrypted OBS Bucket.
    • Custom granting: You can create an agency using IAM to customize the authorization for RMS. The agency must include permissions for sending notifications using an SMN topic and for writing data into an OBS bucket. To store resource change messages and resource snapshots in an OBS bucket encrypted using KMS, you also need the KMS Administrator permission. For details, see Storing Resource Change Messages and Resource Snapshots to an Encrypted OBS Bucket. For details about how to create an agency, see Identity and Access Management User Guide.

      This agency grants Config the SMN and OBS permissions required for sending resource change notifications using an SMN topic and storing resource snapshots in an OBS bucket.

  9. Click Save.

    Figure 2 Configuring the resource recorder

  10. In the displayed dialog box, click Yes.

Modifying the Resource Recorder

You can modify the resource recorder at any time.

  1. In the left navigation, choose Resource Recorder.
  2. Click Modify Resource Recorder.

    Figure 3 Modifying the resource recorder

  3. Modify configurations.
  4. Click Save.
  5. In the displayed dialog box, click Yes.

Disabling the Resource Recorder

You can disable the resource recorder at any time.

  1. In the left navigation, choose Resource Recorder.
  2. Toggle off the resource recorder.
  3. In the displayed dialog box, click OK.

    Figure 4 Disabling the resource recorder

Cross-Account Authorization

  • Granting SMN topic permissions to another account
    1. Sign in to the management console using the account which owns the topic and go to the SMN console.
    2. To grant accounts related SMN permissions, see Configuring Topic Policies.
  • Granting OBS bucket permissions to another account
    1. Sign in to the Huawei Cloud console and go to the OBS console.
    2. To grant accounts related OBS permissions, see Creating a Custom Bucket Policy (JSON View).

      Add the following bucket policy. In the Principal ID, account ID indicates the domain ID of the account to be authorized, and rms_tracker_agency indicates the name of the agency to be authorized:

      {
          "Statement": [
              {
                  "Sid": "org-bucket-policy",
                  "Effect": "Allow",
                  "Principal": {
                      "ID": [
                          "domain/account ID:agency/rms_tracker_agency"
                      ]
                  },
                  "Action": [
                      "PutObject"
                  ],
                  "Resource": [
                      "targetBucketName/RMSLogs/*/Snapshot/*",
                      "targetBucketName/RMSLogs/*/Notification/*"
                  ]
              }
          ]
      }

      Set Principal to the agency used when enabling the resource recorder. Set Resource to the paths where the resource recorder dumps files; if the OBS bucket name has a prefix, include the prefix. Set Action to PutObject, so the agency can write objects but not read, list, or delete them.
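As an added example (not part of this guide or of Huawei Cloud's own tooling), the Python script below builds the cross-account bucket policy above from an account ID and bucket name, and audits an existing policy for Allow statements that are broader than the recorder needs (wildcard principals, actions other than PutObject, or resources outside the RMSLogs paths). The account ID and bucket name it uses are constructed placeholders.

```python
"""Build and audit the cross-account OBS bucket policy for the Config resource recorder."""
import json

# Object paths the recorder writes to, as given in the guide's policy example.
RECORDER_PATHS = ("RMSLogs/*/Snapshot/*", "RMSLogs/*/Notification/*")


def build_recorder_policy(account_id, bucket, agency="rms_tracker_agency", prefix=""):
    """Return a policy granting only PutObject on the recorder's paths; account_id is the
    domain ID of the account owning the agency, prefix the bucket-name prefix (if any)."""
    bucket_path = f"{prefix}{bucket}"
    return {
        "Statement": [{
            "Sid": "org-bucket-policy",
            "Effect": "Allow",
            "Principal": {"ID": [f"domain/{account_id}:agency/{agency}"]},
            "Action": ["PutObject"],
            "Resource": [f"{bucket_path}/{p}" for p in RECORDER_PATHS],
        }]
    }


def audit_recorder_policy(policy, bucket_path, agency="rms_tracker_agency"):
    """Return findings for Allow statements broader than the recorder needs."""
    allowed = {f"{bucket_path}/{p}" for p in RECORDER_PATHS}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        ids = principal.get("ID", []) if isinstance(principal, dict) else principal
        ids = [ids] if isinstance(ids, str) else list(ids)
        if any(i == "*" or not i.endswith(f":agency/{agency}") for i in ids):
            findings.append(f"{sid}: principal is not restricted to agency {agency}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if any(a != "PutObject" for a in actions):
            findings.append(f"{sid}: grants actions beyond PutObject: {actions}")
        for res in stmt.get("Resource", []):
            if res not in allowed:
                findings.append(f"{sid}: resource outside recorder paths: {res}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the account ID and bucket name are placeholders.
    policy = build_recorder_policy("0123456789abcdef", "config-logs")
    print(json.dumps(policy, indent=4))
    print(audit_recorder_policy(policy, "config-logs"))
```

Pass the bucket name including its prefix as bucket_path when auditing a policy for a prefixed bucket.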

Storing Resource Change Messages and Resource Snapshots to an Encrypted OBS Bucket

  • Encrypting an OBS bucket using SSE-OBS

    If you need to store resource change messages and snapshots in an OBS bucket encrypted using SSE-OBS, you only need to select that OBS bucket; no other operations are required.

  • Encrypting an OBS bucket using a default key of SSE-KMS

    If you need to store resource change messages and snapshots to an OBS bucket encrypted using a default key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder.

  • Encrypting an OBS bucket using a custom key of SSE-KMS

    If you need to store resource change messages and snapshots to an OBS bucket that is from the current account and that is encrypted using a custom key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder.

    If you need to store resource change messages and snapshots in an OBS bucket that belongs to another account and is encrypted using a custom key of SSE-KMS, you need to add the KMS Administrator permission to the agency assigned to the resource recorder and also grant cross-account permission for the key. The procedure is as follows:

    1. Sign in to the Data Encryption Workshop (DEW) console and go to the Key Management Service page.
    2. In the Custom Keys tab, click the alias of a target key to go to its details page and create a grant on it.
    3. Grant the account the permission for using the key based on Creating a Grant.
      • Select Account for User or Account and enter an account ID.
      • Select Create Data Key for Granted Operations.