Adding a Predefined Organization Rule
Scenarios
If you are an organization administrator or delegated administrator of Config, you can add organization rules, and then the organization rules can apply to all member accounts in your organization.
A deployed organization rule will be displayed in the rule list of each member in the organization. If you create an organization rule using an account, you can only use the same account to delete or modify the organization rule. Members can only trigger an organization rule and view evaluation results.
You can use a built-in policy or a custom policy to create an organization rule. This section describes how to create an organization rule with a built-in policy.
Constraints and Limitations
- Up to 500 rules can be added to an account.
- The Organization Rules tab is inaccessible for a non-organization member.
To evaluate resources with Config rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:
- If you have never enabled the resource recorder, no resources will be available for evaluation.
- If you have enabled the resource recorder and a monitoring scope is specified, only resources within the monitoring scope can be evaluated with a rule.
- If you enable the resource recorder and then disable it after a period of time, only resource data collected during the period when the resource recorder is enabled can be evaluated with a rule.
For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.
Procedure
- Sign in to the Config console as an organization administrator or an agency administrator of Config.
- Click in the upper left corner. Under Management & Governance, click Config.
- In the navigation pane on the left, choose Resource Compliance.
- Select the Organization Rules tab and click Add Rule. Complete the basic configurations and click Next.
Figure 1 Basic configuration
For details about parameter settings, see Table 1.
Table 1 Basic parameters Parameter
Description
Policy Type
There are two types of policies:
- Built-in policy
Built-in Policy
Built-in policies are provided by Config.
You can use built-in policies to quickly add rules.
For more information about built-in policies, see Predefined Policies.
Rule Name
By default, the predefined policy name is reused as the rule name. A rule name must be unique.
A rule name can contain only digits, letters, underscores (_), and hyphens (-).
Description
By default, the rule description is the same as the description of the predefined policy. You can also customize the rule description.
There are no restrictions on the rule description.
- On the displayed Configure Rule Parameters page, configure required parameters and click Next.
Figure 2 Rule parameters
For details about parameter settings, see Table 2.
Table 2 Rule parameter description Parameter
Description
Trigger Type
Specifies the conditions under which rules are triggered .
Trigger types are as follows:
- Configuration change: A rule is triggered when there is a change in configuration of the resource.
- Periodic execution: A rule is triggered at a specific frequency.
Filter Type
Specifies the resource scope.
Filter types are as follows:
- Specific resources: Resources of a specific type will be evaluated.
- All resources: All resources from your account will be evaluated.
This parameter is mandatory only when Trigger Type is set to Configuration change.
Resource Scope
If you set Filter Type to Specific resources, you need to specify a resource scope.
- Service: The service to which a resource belongs.
- Resource type: The resource type of the corresponding service.
- Region: The region where the resource is located.
This parameter is mandatory only when Trigger Type is set to Configuration change.
Filter scope
After you enable Filter Scope, you can filter resources by resource ID or tag.
You can specify a specific resource for compliance evaluation.
This parameter is mandatory only when Trigger Type is set to Configuration change.
Execute every
Indicates how often a rule is triggered.
This parameter is mandatory only when Trigger Type is set to Periodic execution.
Rule parameter
Parameters of a built-in policy.
For example, if you select a built-in policy required-tag-check and the policy stipulates that resources without a specific tag added are noncompliant, the rule parameters you need to specify are a tag key and a tag value.
This parameter is not mandatory for all built-in policies, for example, a built-in policy volumes-encrypted-check stipulates that if a mounted EVS disk is not encrypted, this disk is noncompliant.
Destination
Specifies where the organization rule will be deployed.
- Organization: A policy is deployed to all member accounts in an organization.
- Current Account: A policy is deployed to the current account.
When creating an organization rule, select Organization.
Excluded Account
Specifies member accounts in an organization for which organization rules will not be deployed.
This parameter is only required when Destination is set to Organization.
- Confirm rule information and click Submit.
Figure 3 Confirming a rule
After you add a rule, the first evaluation is automatically triggered immediately.
Triggering a Rule Evaluation
For details about how a membe can trigger an organization rule, see Triggering Resource Compliance Evaluation.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot