Adding a Predefined Organization Rule

Scenarios

If you are an organization administrator or delegated administrator of Config, you can add organization rules, and then the organization rules can apply to all member accounts in your organization.

A deployed organization rule will be displayed in the rule list of each member in the organization. If you create an organization rule using an account, you can only use the same account to delete or modify the organization rule. Members can only trigger an organization rule and view evaluation results.

You can use a built-in policy or a custom policy to create an organization rule. This section describes how to create an organization rule with a built-in policy.

Constraints and Limitations

• Up to 500 rules can be added to an account.
• The Organization Rules tab is inaccessible for a non-organization member.

To evaluate resources with Config rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:

• If you have never enabled the resource recorder, no resources will be available for evaluation.
• If you have enabled the resource recorder and a monitoring scope is specified, only resources within the monitoring scope can be evaluated with a rule.
• If you enable the resource recorder and then disable it after a period of time, only resource data collected during the period when the resource recorder is enabled can be evaluated with a rule.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.

Procedure

1. Sign in to the Config console as an organization administrator or an agency administrator of Config.
2. Click in the upper left corner. Under Management & Governance, click Config.
3. In the navigation pane on the left, choose Resource Compliance.
4. Select the Organization Rules tab and click Add Rule. Complete the basic configurations and click Next.
   Figure 1 Basic configuration
   

   For details about parameter settings, see Table 1.

   Table 1 Basic parameters

   Parameter	Description
   Policy Type	There are two types of policies: Built-in policy
   Built-in Policy	Built-in policies are provided by Config. You can use built-in policies to quickly add rules. For more information about built-in policies, see Predefined Policies.
   Rule Name	By default, the predefined policy name is reused as the rule name. A rule name must be unique. A rule name can contain only digits, letters, underscores (_), and hyphens (-).
   Description	By default, the rule description is the same as the description of the predefined policy. You can also customize the rule description. There are no restrictions on the rule description.

5. On the displayed Configure Rule Parameters page, configure required parameters and click Next.
   Figure 2 Rule parameters
   

   For details about parameter settings, see Table 2.

   Table 2 Rule parameter description

   Parameter	Description
   Trigger Type	Specifies the conditions under which rules are triggered . Trigger types are as follows: Configuration change: A rule is triggered when there is a change in configuration of the resource. Periodic execution: A rule is triggered at a specific frequency.
   Filter Type	Specifies the resource scope. Filter types are as follows: Specific resources: Resources of a specific type will be evaluated. All resources: All resources from your account will be evaluated. This parameter is mandatory only when Trigger Type is set to Configuration change.
   Resource Scope	If you set Filter Type to Specific resources, you need to specify a resource scope. Service: The service to which a resource belongs. Resource type: The resource type of the corresponding service. Region: The region where the resource is located. This parameter is mandatory only when Trigger Type is set to Configuration change.
   Filter scope	After you enable Filter Scope, you can filter resources by resource ID or tag. You can specify a specific resource for compliance evaluation. This parameter is mandatory only when Trigger Type is set to Configuration change.
   Execute every	Indicates how often a rule is triggered. This parameter is mandatory only when Trigger Type is set to Periodic execution.
   Rule parameter	Parameters of a built-in policy. For example, if you select a built-in policy required-tag-check and the policy stipulates that resources without a specific tag added are noncompliant, the rule parameters you need to specify are a tag key and a tag value. This parameter is not mandatory for all built-in policies, for example, a built-in policy volumes-encrypted-check stipulates that if a mounted EVS disk is not encrypted, this disk is noncompliant.
   Destination	Specifies where the organization rule will be deployed. Organization: A policy is deployed to all member accounts in an organization. Current Account: A policy is deployed to the current account. When creating an organization rule, select Organization.
   Excluded Account	Specifies member accounts in an organization for which organization rules will not be deployed. This parameter is only required when Destination is set to Organization.

6. Confirm rule information and click Submit.
   Figure 3 Confirming a rule
   
   

   After you add a rule, the first evaluation is automatically triggered immediately.

Triggering a Rule Evaluation

For details about how a membe can trigger an organization rule, see Triggering Resource Compliance Evaluation.