Updated on 2024-03-18 GMT+08:00

Adding Predefined Rules

Scenarios

You can create a rule to evaluate the compliance of your resources. When you create a rule, you select a built-in policy or a custom policy, specify the resources to be evaluated, and specify the trigger type.

This section describes how to add predefined rules.

Constraints and Limitations

You can add up to 500 rules for one account.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. In the navigation pane on the left, choose Resource Compliance.
  4. In the middle of the page, click Add Rule. On the displayed Configure Basic Details page, select a policy, specify Rule Name and Description, and click Next.

    Figure 1 Configuring basic details

    For details about parameter settings, see Table 1.

    Table 1 Basic configuration parameters

    Parameter

    Description

    Policy Type

    Possible values are:

    • Built-in policy
    • Custom policy

    Built-in Policy

    Specifies a predefined policy that Config provides for a service.

    Built-in policies let you add rules quickly, because the evaluation logic is already defined and you only supply the scope and any parameters.

    For details, see Predefined Policies.

    Custom Policy

    Config allows you to create custom policies to add rules.

    For details, see Example Custom Policies.

    Rule Name

    By default, the predefined policy name is reused as the rule name. A rule name must be unique.

    The rule name can contain only digits, letters, underscores (_), and hyphens (-).

    Description

    By default, the rule description is the same as the selected predefined policy description. You can also customize the rule description.

    There are no restrictions on the rule description.

    FunctionGraph Function

    Specifies the URN of the FunctionGraph function in the custom policy.

    For details about how to create a FunctionGraph function, see Creating a FunctionGraph Function for a Config Custom Policy.

    This parameter is mandatory only when Policy Type is set to Custom policy.

    Grant Permissions

    This agency grants Config read-only access to FunctionGraph and permission to invoke functions. Config needs these permissions so that a custom rule can query FunctionGraph and send evaluation events to your function.

    This parameter is mandatory only when Policy Type is set to Custom policy.

    NOTE:
    • Quick granting: This option automatically creates an agency named rms_custom_policy_agency with the permissions the custom rule needs: read-only access to FunctionGraph and permission to invoke functions.
    • Custom granting: This option lets you create the agency and assign its permissions in IAM yourself. The permissions assigned must include the read-only and invoke permissions for FunctionGraph. Assign only those permissions; attaching broader policies to the agency gives Config more access to your account than any rule needs. For details about how to create an agency, see Identity and Access Management User Guide.

  5. On the displayed Configure Rule Parameters page, configure required parameters and click Next.

    Figure 2 Configure Rule Parameters

    For details about parameter settings, see Table 2.

    Table 2 Parameter descriptions

    Parameter

    Description

    Trigger Type

    Specifies the conditions under which rules are triggered.

    Possible values are:

    • Configuration change: The rule is evaluated whenever a resource in its scope is created, modified, or deleted.
    • Periodic execution: The rule is evaluated on a fixed schedule, regardless of whether anything changed.

    Filter Type

    Specifies the resources to be evaluated.

    Possible types are:

    • Specific resources: Resources of a specific type will be evaluated.
    • All resources: All resources from your account will be evaluated.

    This parameter is mandatory only when Trigger Type is set to Configuration change.

    Resource Scope

    If you set Filter Type to Specific resources, you need to specify a resource scope.

    • Service: Select the service the resource belongs to.
    • Resource type: Select the resource type of the corresponding service.
    • Region: Select the region where the resource is located.

    This parameter is mandatory only when Trigger Type is set to Configuration change.

    Filter Scope

    After you enable Filter Scope, you can narrow the evaluation further, to a single resource identified by its resource ID, or to the resources that carry a specific tag.

    This parameter is mandatory only when Trigger Type is set to Configuration change.

    Execute Every

    Indicates how often a rule is triggered.

    This parameter is mandatory only when Trigger Type is set to Periodic execution.

    Configure Rule Parameters

    Specifies the parameters for the built-in policy or custom policy you selected in step Configure Basic Details.

    For example, if you select the policy required-tag-check, you must specify a tag key and a tag value here. Resources that do not carry a tag with that key and value are then evaluated as non-compliant; a resource with the right key but a different value is also non-compliant.

    Not every built-in policy has parameters. For example, if you select the policy volumes-encrypted-check, there are no rule parameters to configure.

    You can set up to 10 rule parameters for a custom policy.

  6. On the Confirm page displayed, confirm the rule information and click Submit.

    Figure 3 Confirm
    Figure 4 Querying a rule

    After you add a rule, the first evaluation is triggered automatically and immediately; later evaluations follow the trigger type you chose.
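The following is an added example that models how the settings from Table 2 combine: Resource Scope and Filter Scope select which resources a rule sees, and Configure Rule Parameters feeds the policy's evaluation. It is not Config's own code. The field names on resources (service, resource_type, region, tags, properties), the parameter names tagKey and tagValue for required-tag-check, the encrypted property read by volumes-encrypted-check, the binding of volumes-encrypted-check to EVS volumes, the result strings, and the inventory itself are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Resource:
    """One resource as the rule engine sees it (field names are assumptions)."""
    id: str
    service: str                      # console "Service", e.g. evs, ecs
    resource_type: str                # console "Resource type", e.g. volumes
    region: str                       # console "Region"
    tags: Dict[str, str] = field(default_factory=dict)
    properties: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    policy: str                       # built-in policy name from the page
    parameters: Dict[str, str] = field(default_factory=dict)
    # Resource Scope (Filter Type = Specific resources); None means no restriction
    service: Optional[str] = None
    resource_type: Optional[str] = None
    region: Optional[str] = None
    # Filter Scope: narrow further by resource ID or by one tag
    resource_id: Optional[str] = None
    tag_key: Optional[str] = None
    tag_value: Optional[str] = None


MAX_RULE_PARAMETERS = 10   # limit stated on the page

# Parameters each policy takes and the (service, type) it applies to.
# Parameter names and the type binding are assumptions of this model.
POLICIES: Dict[str, Tuple[Tuple[str, ...], Optional[Tuple[str, str]]]] = {
    "required-tag-check": (("tagKey", "tagValue"), None),
    "volumes-encrypted-check": ((), ("evs", "volumes")),
}


def validate_rule(rule: Rule) -> None:
    """Reject rules the console would not let you submit."""
    if rule.policy not in POLICIES:
        raise ValueError(f"unknown policy: {rule.policy}")
    if len(rule.parameters) > MAX_RULE_PARAMETERS:
        raise ValueError(f"at most {MAX_RULE_PARAMETERS} rule parameters are allowed")
    required, _ = POLICIES[rule.policy]
    missing = [p for p in required if not rule.parameters.get(p)]
    if missing:
        raise ValueError(f"{rule.policy} requires parameters {missing}")


def in_scope(rule: Rule, res: Resource) -> bool:
    """Apply Resource Scope, Filter Scope and the policy's own type binding."""
    _, applies_to = POLICIES[rule.policy]
    if applies_to and (res.service, res.resource_type) != applies_to:
        return False
    for want, have in ((rule.service, res.service),
                       (rule.resource_type, res.resource_type),
                       (rule.region, res.region),
                       (rule.resource_id, res.id)):
        if want is not None and want != have:
            return False
    if rule.tag_key is not None:
        if rule.tag_value is None:
            return rule.tag_key in res.tags
        return res.tags.get(rule.tag_key) == rule.tag_value
    return True


def evaluate(rule: Rule, res: Resource) -> str:
    """Return "Compliant" or "NonCompliant" for one in-scope resource."""
    if rule.policy == "required-tag-check":
        key, value = rule.parameters["tagKey"], rule.parameters["tagValue"]
        # A missing key and a wrong value are both non-compliant.
        return "Compliant" if res.tags.get(key) == value else "NonCompliant"
    if rule.policy == "volumes-encrypted-check":
        # Property name "encrypted" is an assumption of this model.
        return "Compliant" if res.properties.get("encrypted") is True else "NonCompliant"
    raise ValueError(f"no evaluator for {rule.policy}")


def run_rule(rule: Rule, inventory: List[Resource]) -> Dict[str, str]:
    """Evaluate a rule against an inventory, as the first run after Submit would."""
    validate_rule(rule)
    return {r.id: evaluate(rule, r) for r in inventory if in_scope(rule, r)}


# Constructed sample inventory (not real resource IDs).
INVENTORY = [
    Resource("vol-001", "evs", "volumes", "cn-north-4", {"env": "prod"}, {"encrypted": True}),
    Resource("vol-002", "evs", "volumes", "cn-north-4", {"env": "dev"}, {"encrypted": False}),
    Resource("vol-003", "evs", "volumes", "ap-southeast-1", {}, {"encrypted": False}),
    Resource("ecs-001", "ecs", "cloudservers", "cn-north-4", {"env": "prod"}, {}),
]

TAG_RULE = Rule("required-tag-env-prod", "required-tag-check",
                {"tagKey": "env", "tagValue": "prod"})
ENCRYPTION_RULE = Rule("volumes-encrypted-cn-north-4", "volumes-encrypted-check",
                       service="evs", resource_type="volumes", region="cn-north-4")

if __name__ == "__main__":
    for rule in (TAG_RULE, ENCRYPTION_RULE):
        print(rule.name, run_rule(rule, INVENTORY))
```

Two behaviours worth noticing when you configure real rules: narrowing the scope (by region, resource ID or tag) silently removes resources from the result rather than marking them non-compliant, so a rule scoped to one region says nothing about the others; and a rule whose policy needs parameters is rejected before any evaluation runs, which is the same check the Confirm page performs.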