Help Center/ Config/ User Guide/ Resource Compliance/ Organization Rules/ Adding a Predefined Organization Rule
Updated on 2024-12-10 GMT+08:00

Adding a Predefined Organization Rule

Scenarios

If you are an organization administrator or a delegated administrator of Config, you can add organization rules and deploy the rules to member accounts that are in the normal state in your organization.

A deployed organization rule will be displayed in the rule list of each member in the organization. An organization rule can only be modified or deleted with the account that was used to create it. Members can only trigger an organization rule and view evaluation results.

You can use a built-in policy or a custom policy to create an organization rule. This section describes how to create an organization rule with a built-in policy.

Constraints and Limitations

  • You can add up to 500 rules in an account.
  • The resource recorder must be enabled for adding, modifying, and triggering organization rules. If the resource recorder is disabled, you can only view and delete organization rules.
  • The Organization Rules tab is inaccessible for an account that is not associated any organizations.
  • To deploy an organization rule to a member, the member account must be in the normal state, and the resource recorder must be enabled for the member.

To evaluate resources with rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:

  • If the resource recorder is disabled, no resources will be available for evaluation. You can still view historical evaluation results.
  • If the resource recorder is enabled and a monitoring scope is configured, only resources within the monitoring scope can be evaluated.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.

Procedure

  1. Log in to the Config console as an organization administrator or an agency administrator of Config.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. In the navigation pane on the left, choose Resource Compliance.
  4. Select the Organization Rules tab and click Add Rule. Complete the basic configurations and click Next.

    Figure 1 Basic configuration
    Table 1 Parameters of the basic configuration

    Parameter

    Description

    Policy Type

    Select Built-in policy.

    Built-in policies are provided by Config. You can select a built-in policy to quickly add a rule. You can also search for a built-in policy by policy name or tag.

    For more information about built-in policies, see Built-In Policies.

    Rule Name

    By default, the predefined policy name is reused as the rule name. A rule name must be unique.

    A rule name can contain only digits, letters, underscores (_), and hyphens (-).

    Description

    By default, the rule description is the same as the description of the predefined policy. You can also customize the rule description.

    There are no restrictions on the rule description.

  5. On the displayed Configure Rule Parameters page, configure required parameters and click Next.

    Figure 2 Rule parameters
    Table 2 Rule parameter description

    Parameter

    Description

    Trigger Type

    Specifies the conditions under which rules are triggered .

    Trigger types are as follows:

    • Configuration change: A rule is triggered when there is a change in configuration of the resource.
    • Periodic execution: A rule is triggered at a specific frequency.

    Filter Type

    Specifies the resource scope.

    Filter types are as follows:

    • Specific resources: Resources of a specific type will be evaluated.
    • All resources: All resources from your account will be evaluated.

    This parameter is mandatory only when Trigger Type is set to Configuration change.

    Resource Scope

    If you set Filter Type to Specific resources, you need to specify a resource scope.

    • Service: The service to which a resource belongs.
    • Resource type: The resource type of the corresponding service.
    • Region: The region where the resource is located.

    This parameter is mandatory only when Trigger Type is set to Configuration change.

    Filter Scope

    After you enable Filter Scope, you can filter resources by resource ID or tag.

    You can specify a specific resource for compliance evaluation.

    This parameter is mandatory only when Trigger Type is set to Configuration change.

    Execute Every

    Indicates how often a rule is triggered.

    This parameter is mandatory only when Trigger Type is set to Periodic execution.

    Rule Parameter

    Parameters of a built-in policy.

    For example, if you select the required-tag-check policy, you need to specify a tag, so that resources that do not have the tag will be determined as noncompliant.

    Not all built-in policies require Configure Rule Parameters. For example, the rule, volumes-encrypted-check, does not require Configure Rule Parameters.

    Destination

    Specifies where the organization rule will be deployed.

    • Organization: A policy is deployed to all member accounts in an organization.
    • Current Account: A policy is deployed to the current account.

    When creating an organization rule, select Organization.

    Excluded Account

    Member accounts to which organization rules will not be deployed.

    This parameter is only required when Destination is set to Organization.

  6. Confirm rule information and click Submit.

    Figure 3 Confirming a rule

    After you add a rule, the first evaluation is automatically triggered immediately.

Triggering a Rule Evaluation

For details about how a member can trigger an organization rule, see Triggering a Rule.