Adding a Predefined Organization Rule
Scenarios
If you are an organization administrator or a delegated administrator of Config, you can add organization rules and deploy the rules to member accounts that are in the normal state in your organization.
A deployed organization rule will be displayed in the rule list of each member in the organization. An organization rule can only be modified or deleted with the account that was used to create it. Members can only trigger an organization rule and view evaluation results.
You can use a built-in policy or a custom policy to create an organization rule. This section describes how to create an organization rule with a built-in policy.
Constraints and Limitations
- You can add up to 500 rules in an account.
- The resource recorder must be enabled for adding, modifying, and triggering organization rules. If the resource recorder is disabled, you can only view and delete organization rules.
- The Organization Rules tab is inaccessible for an account that is not associated any organizations.
- To deploy an organization rule to a member, the member account must be in the normal state, and the resource recorder must be enabled for the member.
To evaluate resources with rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:
- If the resource recorder is disabled, no resources will be available for evaluation. You can still view historical evaluation results.
- If the resource recorder is enabled and a monitoring scope is configured, only resources within the monitoring scope can be evaluated.
For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.
Procedure
- Log in to the Config console as an organization administrator or an agency administrator of Config.
- Click in the upper left corner. Under Management & Governance, click Config.
- In the navigation pane on the left, choose Resource Compliance.
- Select the Organization Rules tab and click Add Rule. Complete the basic configurations and click Next.
Figure 1 Basic configuration
Table 1 Parameters of the basic configuration Parameter
Description
Policy Type
Select Built-in policy.
Built-in policies are provided by Config. You can select a built-in policy to quickly add a rule. You can also search for a built-in policy by policy name or tag.
For more information about built-in policies, see Built-In Policies.
Rule Name
By default, the predefined policy name is reused as the rule name. A rule name must be unique.
A rule name can contain only digits, letters, underscores (_), and hyphens (-).
Description
By default, the rule description is the same as the description of the predefined policy. You can also customize the rule description.
There are no restrictions on the rule description.
- On the displayed Configure Rule Parameters page, configure required parameters and click Next.
Figure 2 Rule parameters
Table 2 Rule parameter description Parameter
Description
Trigger Type
Specifies the conditions under which rules are triggered .
Trigger types are as follows:
- Configuration change: A rule is triggered when there is a change in configuration of the resource.
- Periodic execution: A rule is triggered at a specific frequency.
Filter Type
Specifies the resource scope.
Filter types are as follows:
- Specific resources: Resources of a specific type will be evaluated.
- All resources: All resources from your account will be evaluated.
This parameter is mandatory only when Trigger Type is set to Configuration change.
Resource Scope
If you set Filter Type to Specific resources, you need to specify a resource scope.
- Service: The service to which a resource belongs.
- Resource type: The resource type of the corresponding service.
- Region: The region where the resource is located.
This parameter is mandatory only when Trigger Type is set to Configuration change.
Filter Scope
After you enable Filter Scope, you can filter resources by resource ID or tag.
You can specify a specific resource for compliance evaluation.
This parameter is mandatory only when Trigger Type is set to Configuration change.
Execute Every
Indicates how often a rule is triggered.
This parameter is mandatory only when Trigger Type is set to Periodic execution.
Rule Parameter
Parameters of a built-in policy.
For example, if you select the required-tag-check policy, you need to specify a tag, so that resources that do not have the tag will be determined as noncompliant.
Not all built-in policies require Configure Rule Parameters. For example, the rule, volumes-encrypted-check, does not require Configure Rule Parameters.
Destination
Specifies where the organization rule will be deployed.
- Organization: A policy is deployed to all member accounts in an organization.
- Current Account: A policy is deployed to the current account.
When creating an organization rule, select Organization.
Excluded Account
Member accounts to which organization rules will not be deployed.
This parameter is only required when Destination is set to Organization.
- Confirm rule information and click Submit.
Figure 3 Confirming a rule
After you add a rule, the first evaluation is automatically triggered immediately.
Triggering a Rule Evaluation
For details about how a member can trigger an organization rule, see Triggering a Rule.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot