Resource Compliance Overview
Introduction
Config can help you quickly create a group of rules to evaluate the compliance of your resource configurations. You can create a rule based on a built-in policy or a custom policy. You need to specify the monitoring scope and the trigger type. Evaluation results are provided for you to check resource compliance.
If you are an organization administrator or a delegated administrator of Config, you can also add organization rules and deploy the rules to all member accounts (in the normal state) in your organization.
Config also allows you to remediate non-compliant resources with an RFS template or FunctionGraph function.
Restrictions and Limitations
- You can add up to 500 rules (including organization rules and rules included in conformance packages) with an account.
- The resource recorder must be enabled for adding, modifying, enabling, or triggering a rule. If the resource recorder is disabled, you can only view, disable, and delete rules.
- You cannot modify, disable, enable, or delete an individual organization rule that is deployed to your account or an individual rule of a conformance package. Only the organization administrator or delegated administrator of Config who creates the organization rule can modify or delete it. To modify or delete a rule of a conformance package, modify or delete the package. For details, see Organization Rules and Conformance Packages.
- The resource recorder must be enabled for adding, modifying, and triggering organization rules. If the resource recorder is disabled, you can only view and delete organization rules.
- Currently, you can only add remediation actions to non-organization rules that are not included in a conformance package.
- To create a remediation template with RFS, at least five stacks are required.
- You can only add one remediation action to each rule.
- To delete a rule, you need to delete the remediation action assigned and disable the rule.
- You can select up to 100 resources as remediation exceptions for each rule. However, there is no limit on how many resources the system will automatically add as remediation exceptions based on the remediation retry rules.
To evaluate resources with rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:
- If the resource recorder is disabled, no resources will be available for evaluation, but you can still view historical evaluation results.
- If the resource recorder is enabled and a monitoring scope is configured, only resources within the monitoring scope can be evaluated.
For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.
Compliance Policy
A policy is a logical expression used to evaluate resource compliance.
A policy cannot work on its own. To apply a policy to resources, you need to create a rule based on the policy.
You can define a policy with JSON elements. Table 1 (JSON elements of a policy) lists the parameters used to define a policy.
| Parameter | Description | Remarks |
|---|---|---|
| id | Policy ID | - |
| name | Policy name | The name can contain up to 64 characters. |
| display_name | Display name of a policy | A policy display name can contain up to 64 characters. |
| description | Policy description | The description can contain up to 512 characters. |
| parameters | Parameters of each policy rule. The following attributes are used to describe each rule: | You can set different values for the parameters as required. |
| keywords | Policy keywords | Generally, the name abbreviation of the related product is used as a keyword. |
| policy_type | Policy type. The options are as follows: | |
| policy_rule_type | Policy syntax | Domain Specific Language (DSL): a compliance policy description language provided by Config to describe compliance check logic as a specific policy. |
| trigger_type | Trigger type. The options are as follows: | |
| default_resource_types | Resource type you want to evaluate with this compliance policy | Most policies only apply to a limited set of resource types. The types specified by default_resource_types are recommended. |
The following JSON is an example policy for checking whether the image ID of an ECS instance is in the specified range:
```json
{
  "id": "5fa265c0aa1e6afc05a0ff07",
  "name": "allowed-images-by-id",
  "description": "If the ID of an ECS's image does not match the specified image ID range, this ECS is non-compliant.",
  "parameters": {
    "listOfAllowedImages": {
      "name": "null",
      "description": "The list of allowed image IDs",
      "type": "Array",
      "allowed_values": null,
      "default_value": null
    }
  },
  "keywords": [
    "ecs",
    "ims"
  ],
  "policy_type": "builtin",
  "policy_rule_type": "dsl",
  "trigger_type": "resource",
  "policy_rule": {
    "allOf": [
      {
        "value": "${resource().provider}",
        "comparator": "equals",
        "pattern": "ecs"
      },
      {
        "value": "${resource().type}",
        "comparator": "equals",
        "pattern": "cloudservers"
      },
      {
        "value": "${resource().properties.metadata.meteringImageId}",
        "comparator": "notIn",
        "pattern": "${parameters('listOfAllowedImages')}"
      }
    ]
  }
}
```
For more examples, see Example Custom Rules.
Compliance Rules
A rule mainly consists of a policy and an applicable scope, for example, some resources in a region.
You can use a JSON expression to represent a rule, as shown in Table 2.
| Parameter | Definition | Constraints | Description |
|---|---|---|---|
| id | The unique ID of a rule | - | - |
| policy_assignment_type | The rule type | - | The options are as follows: If this parameter is not configured, builtin is used by default. |
| name | The rule name | Its value must be a string with up to 64 characters. | By default, the rule name is the same as the selected policy name. You can customize the rule name. The name can contain up to 64 characters. |
| description | Supplementary information about the rule | Its value must be a string with up to 512 characters. | By default, the rule description is the same as the description of the selected policy. You can customize the rule description. The description can contain up to 512 characters. |
| period | How often the rule is executed | - | The options are as follows: |
| policy_filter | The rule filter, which is used to search for the resources that will be evaluated by this rule. A filter has the following properties: | The value must be an object. | NOTE: You use resource_provider in policy_filter to specify target resources. If you do not use resource_provider in policy_filter, the rule will be applied to all resources. There is no other filter type property in policy_filter. |
| state | The rule status | - | The options are as follows: |
| created | The time when the rule was created | - | NOTE: The value must be a UTC time in the ISO-8601 format (for example, 2018-11-14T08:59:14Z). |
| updated | The time when the rule was updated | - | |
| policy_definition_id | The ID of the compliance policy bound to the rule | Its value must be a string with up to 64 characters. Only letters, digits, and hyphens (-) are allowed. | Policy ID |
| custom_policy | The custom policy, which has the following properties: | Its value is an object type. | custom_policy specifies the URN of the function in the custom policy and the authentication type for invoking the function. |
| parameters | The values of rule parameters | The value must be an object. | The number, type, and range of rule parameters depend on the compliance policy bound to the rule. |
| tags | The tags you want to add to a rule | - | |
| created_by | The creator of a rule | - | A rule can be created by a user or by a service-linked agency. |
You cannot create a rule to evaluate another rule or a conformance package.
The following rule, based on a predefined policy, evaluates compliance based on whether ECSs in regionid_1 have a specific tag (env: production):
```json
{
  "id": "5fcd8696dfb78231e6f2f899",
  "name": "required-tag-check",
  "description": "A resource is non-compliant if it does not contain the specific tag.",
  "policy_filter": {
    "region_id": "regionid_1",
    "resource_provider": "ecs",
    "resource_type": "cloudservers",
    "tag_key": "env",
    "tag_value": "production"
  },
  "period": null,
  "state": "Enabled",
  "created": "2020-12-07T01:34:14.266Z",
  "updated": "2020-12-07T01:34:14.266Z",
  "policy_definition_id": "5fa9f89b6eed194ccb2c04db",
  "parameters": {
    "specifiedTagKey": {
      "value": "a"
    },
    "specifiedTagValue": {
      "value": []
    }
  },
  "tags": [],
  "created_by": "custom"
}
```
The following JSON custom rule evaluates compliance based on whether ECSs in the specified region have the specified tag:
```json
{
  "id": "719d8696dfb78231e6f2f719",
  "name": "test_consume_policy",
  "description": "A resource is non-compliant if it does not contain the specific tag.",
  "policy_filter": {
    "region_id": "regionid_1",
    "resource_provider": "ecs",
    "resource_type": "cloudservers",
    "tag_key": null,
    "tag_value": null
  },
  "period": null,
  "state": "Enabled",
  "created": "2022-07-19T01:34:14.266Z",
  "updated": "2022-07-19T01:34:14.266Z",
  "policy_definition_id": null,
  "custom_policy": {
    "function_urn": "urn:fss:regionid_1:projectidforpolicy:function:default:test_consume_policy:latest",
    "auth_type": "agency",
    "auth_value": {"agency_name": "rms_fg_agency"}
  },
  "parameters": {
    "vpcId": {"value": "allowed-vpc-id"}
  },
  "tags": [],
  "created_by": "custom"
}
```
Evaluation Results
After an evaluation is triggered, the corresponding evaluation result (PolicyState) will be generated.
An evaluation result is represented in JSON format, as shown in Table 3.
| Parameter | Definition | Description |
|---|---|---|
| domain_id | Account ID | This parameter distinguishes users. domain_id will never be empty in the evaluation result. |
| resource_id | The ID of the evaluated resource | - |
| resource_name | The name of the evaluated resource | - |
| resource_provider | The service the resource belongs to | - |
| resource_type | The resource type | - |
| trigger_type | The trigger type | The options are as follows: |
| compliance_state | The evaluation result | The options are as follows: |
| policy_assignment_id | Rule ID | - |
| policy_definition_id | Policy ID | - |
| evaluation_time | The evaluation timestamp | - |
The following JSON expression shows a non-compliant evaluation result:
```json
{
  "domain_id": "domainidforpolicy",
  "resource_id": "special-ecs1-with-public-ip-with-tag",
  "resource_name": "ecs1-with-public-ip-with-tag",
  "resource_provider": "ecs",
  "resource_type": "cloudservers",
  "trigger_type": "resource",
  "compliance_state": "NonCompliant",
  "policy_assignment_id": "5fa9f8a2501013093a192b07",
  "policy_definition_id": "5fa9f8a2501013093a192b06",
  "evaluation_time": 1604974757084
}
```
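To show how the pieces above fit together, here is an added Python example (not Config's own implementation) that applies a rule's policy_filter to constructed resources, expands the `${resource()...}` and `${parameters(...)}` placeholders of the allowed-images-by-id policy rule, and emits results in the shape of the evaluation result. It assumes, from the policy description, that a resource is NonCompliant when every allOf condition holds; the resource records, rule values and helper names are constructed for the example.

```python
import re
# Constructed sample data (not from the page): a rule's scope and parameters, the allOf block
# of the allowed-images-by-id policy above, and three ECS resources to evaluate.
RULE = {"policy_filter": {"region_id": "regionid_1", "resource_provider": "ecs",
                          "resource_type": "cloudservers", "tag_key": None, "tag_value": None},
        "parameters": {"listOfAllowedImages": {"value": ["img-gold-2024"]}}}
POLICY_RULE = {"allOf": [
    {"value": "${resource().provider}", "comparator": "equals", "pattern": "ecs"},
    {"value": "${resource().type}", "comparator": "equals", "pattern": "cloudservers"},
    {"value": "${resource().properties.metadata.meteringImageId}",
     "comparator": "notIn", "pattern": "${parameters('listOfAllowedImages')}"}]}
def _ecs(rid, region, image):
    return {"id": rid, "region_id": region, "provider": "ecs", "type": "cloudservers",
            "tags": {"env": "production"}, "properties": {"metadata": {"meteringImageId": image}}}
RESOURCES = [_ecs("ecs-1", "regionid_1", "img-gold-2024"),  # allowed image
             _ecs("ecs-2", "regionid_1", "img-unknown"),    # image outside the allow-list
             _ecs("ecs-3", "regionid_2", "img-unknown")]    # other region: out of scope
COMPARATORS = {"equals": lambda v, p: v == p,
               "notIn": lambda v, p: v not in (p or [])}  # an empty allow-list flags every image

def _lookup(obj, dotted):
    # Walk a dotted path such as properties.metadata.meteringImageId; a missing key yields None
    for part in dotted.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj
def resolve(expr, resource, params):
    """Expand ${resource().a.b} and ${parameters('p')} placeholders; anything else is a literal."""
    m = re.fullmatch(r"\$\{resource\(\)\.([\w.]+)\}", expr)
    if m:
        return _lookup(resource, m.group(1))
    m = re.fullmatch(r"\$\{parameters\('(\w+)'\)\}", expr)
    return params[m.group(1)]["value"] if m else expr
def in_scope(resource, pf):
    """Apply the rule's policy_filter; filter fields left null do not restrict the scope."""
    for field, key in (("region_id", "region_id"), ("resource_provider", "provider"), ("resource_type", "type")):
        if pf.get(field) is not None and resource.get(key) != pf[field]:
            return False
    if pf.get("tag_key") is not None:  # tag_key alone requires the key; with tag_value, the exact pair
        tags = resource.get("tags", {})
        return pf["tag_key"] in tags and pf.get("tag_value") in (None, tags[pf["tag_key"]])
    return True
def evaluate(rule, policy_rule, resources):
    """One evaluation-result dict per in-scope resource; all allOf conditions holding means NonCompliant."""
    results = []
    for r in (x for x in resources if in_scope(x, rule["policy_filter"])):
        hit = all(COMPARATORS[c["comparator"]](resolve(c["value"], r, rule["parameters"]),
                                               resolve(c["pattern"], r, rule["parameters"]))
                  for c in policy_rule["allOf"])
        results.append({"resource_id": r["id"], "resource_provider": r["provider"], "resource_type": r["type"],
                        "trigger_type": "resource", "compliance_state": "NonCompliant" if hit else "Compliant"})
    return results
```

Running `evaluate(RULE, POLICY_RULE, RESOURCES)` returns two results: ecs-1 Compliant, ecs-2 NonCompliant, while ecs-3 is skipped because the filter's region_id does not match.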