Updated on 2024-05-22 GMT+08:00

Adding a Custom Rule

Scenario

You can create custom rules to supplement predefined rules.

To create a custom rule, you need to use FunctionGraph. You associate each custom rule with a FunctionGraph function; the function collects the rule parameters and resource attributes and evaluates whether your resources comply with the rule. The function is invoked either in response to configuration changes or periodically. For details about how to use FunctionGraph, see FunctionGraph User Guide.

To evaluate resources with Config rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:

  • If you have never enabled the resource recorder, no resources will be available for evaluation.
  • If you have enabled the resource recorder and a monitoring scope is specified, only resources within the monitoring scope can be evaluated with a rule.
  • If you enable the resource recorder and then disable it after a period of time, only resource data collected during the period when the resource recorder is enabled can be evaluated with a rule.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.

This section describes how to create a custom rule in the following steps:

  1. Creating a function using FunctionGraph
  2. Adding a Custom Rule

Creating a function using FunctionGraph

  1. Sign in to FunctionGraph console. In the left navigation, choose Functions > Function List.
  2. In the upper right corner, click Create Function. The Create from scratch tab is displayed by default.
  3. Set Function Type to Event Function and configure the required IAM agency. The agency grants the function the required permissions, including rms:policyStates:update.
  4. Click Create Function and then on the Code tab, configure the code.
  5. Click Deploy.

    For details about example code, see Example Functions (Python).

  6. Click Configurations and, in the Basic Settings area, modify Execution Timeout (s) and Memory (MB) as required. Configure Concurrency.
  7. Click Save.

    For details, see Creating an Event Function.
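The following evaluation function is an added example of the kind of code configured in step 4; it is not the Example Functions (Python) referenced above and not Config's or FunctionGraph's own code. It keeps the FunctionGraph entry point handler(event, context) but assumes the event layout (trigger_type, rule_parameter, invoking_resource, resources, policy_assignment_id), the rule parameter name required_tags and the resource type names; the sample event is constructed. The rule checks that each resource carries every required tag key, handles both the resource-change and periodic triggers described above, and treats a missing rule parameter as a configuration error rather than a pass. The evaluations are returned so that the caller can report them with the rms:policyStates:update permission held by the agency.

```python
"""Evaluation function for a Config custom rule (added example, assumed event layout)."""
import json

COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"
NOT_APPLICABLE = "NotApplicable"

# Resource types this rule applies to (assumed names for illustration only).
APPLICABLE_TYPES = {"ecs.cloudservers", "obs.buckets"}

# Constructed sample event: one resource-change invocation with one rule parameter.
SAMPLE_EVENT = {
    "trigger_type": "resource",
    "policy_assignment_id": "pa-example",          # placeholder id
    "rule_parameter": {"required_tags": "owner, env"},
    "invoking_resource": {
        "id": "res-0001",                          # placeholder id
        "type": "ecs.cloudservers",
        "tags": {"owner": "team-a"},
    },
}


def parse_required_tags(rule_parameters):
    """Read the assumed 'required_tags' rule parameter as a set of tag keys.

    A missing or empty parameter is a misconfigured rule, so it raises
    instead of silently marking every resource compliant."""
    raw = (rule_parameters or {}).get("required_tags", "")
    keys = {k.strip() for k in raw.split(",") if k.strip()}
    if not keys:
        raise ValueError("rule parameter 'required_tags' must list at least one tag key")
    return keys


def evaluate_resource(resource, required_tags):
    """Return (state, reason) for one resource attribute snapshot."""
    if resource.get("type") not in APPLICABLE_TYPES:
        return NOT_APPLICABLE, "resource type not covered by this rule"
    present = set((resource.get("tags") or {}).keys())
    missing = sorted(required_tags - present)
    if missing:
        return NON_COMPLIANT, "missing tag keys: " + ", ".join(missing)
    return COMPLIANT, "all required tags present"


def handler(event, context):
    """FunctionGraph entry point.

    Assumed layout: trigger_type 'resource' carries one 'invoking_resource';
    trigger_type 'period' carries a 'resources' list. Any other value is rejected."""
    required = parse_required_tags(event.get("rule_parameter"))
    trigger = event.get("trigger_type")
    if trigger == "resource":
        resources = [event["invoking_resource"]]
    elif trigger == "period":
        resources = event.get("resources", [])
    else:
        raise ValueError("unknown trigger_type: %r" % trigger)

    evaluations = []
    for res in resources:
        state, reason = evaluate_resource(res, required)
        evaluations.append({"resource_id": res.get("id"), "state": state, "reason": reason})

    # The caller reports these states to Config (rms:policyStates:update).
    return {"policy_assignment_id": event.get("policy_assignment_id"),
            "evaluations": evaluations}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, None), indent=2))
```

Running the block locally prints one NonCompliant evaluation for the sample resource, because the constructed snapshot carries the owner tag but not env.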

Adding a Custom Rule

  1. Log in to the management console.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. In the navigation pane on the left, choose Resource Compliance.
  4. Click Add Rule in the middle of the page.
  5. Set Policy Type to Custom Policy. Set related parameters, select Quick granting or Custom granting to grant permissions, and click Next.

    • Quick granting: Quickly grants the permissions of the rms_custom_policy_agency agency. These permissions are required for a custom policy to work, including obtaining the configuration of a function and invoking it asynchronously through FunctionGraph.
    • Custom granting: You can create an agency in IAM and grant Config the necessary permissions yourself. The agency needs the following permissions:
        {
            "Version": "1.1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "functiongraph:function:invokeAsync",
                        "functiongraph:function:getConfig"
                    ]
                }
            ]
        } 

      For details about how to create an agency, see Creating an Agency (by a Delegating Party).

    Figure 1 Adding a rule using a custom policy

  6. On the displayed Configure Rule Parameters page, configure required parameters and click Next.
  7. On the Confirm page, confirm the rule information and click Submit.