Help Center/ Config/ User Guide/ Resource Compliance/ Compliance Rule Concepts/ Rule
Updated on 2024-10-15 GMT+08:00
View PDF
Share

Rule

A rule mainly consists of a policy and an applicable scope, for example, some resources in a region.

You can use a JSON expression to represent a rule, as shown in Table 1.

Table 1 Rule parameters (JSON)

Parameter

Description

Limitations

Remarks

id

Specifies the unique ID of a rule.

N/A

N/A

policy_assignment_type

Specifies the rule type.

N/A

The options are as follows:

  • builtin: Built-in policy. In this case, policy_definition_id for the rule is mandatory.
  • custom: Custom policy. In this case, custom_policy for the rule is mandatory.

If this parameter is not configured, builtin is used by default.

name

Specifies the rule name.

Its value must be a string with up to 64 characters.

By default, the rule name is the same as the selected policy name. You can customize the rule name.

You can set a name of up to 64 characters.

description

Specifies supplementary information about the rule.

Its value must be a string with up to 512 characters.

By default, the rule description is the same as the description of the selected policy. You can customize the rule description.

You can set the description of up to 512 characters.

period

Specifies how often the rule is executed.

N/A

Possible values are:

  • One_Hour
  • Three_Hours
  • Six_Hours
  • Twelve_Hours
  • TwentyFour_Hours

policy_filter

Specifies the rule filter, which is used to filter the resources that will be evaluated by this rule.

A filter has the following properties:

  • region_id: Specifies the region ID.
  • resource_provider: Specifies the service.
  • resource_type: Specifies the resource type of the service.
  • resource_id: Specifies the resource ID.
  • tag_key: Specifies the resource tag key.
  • tag_value: Specifies the resource tag value.
policy_filter: The value must be an object.
  • region_id: Its value must be a string with up to 128 characters. Only letters, digits, and hyphens (-) are allowed.
  • resource_provider: Its value must be a string with up to 128 characters. Only letters and digits are allowed.
  • resource_type: Its value must be a string with up to 128 characters. Only letters and digits are allowed.
  • resource_id: Its value must be a string with up to 256 characters.
  • tag_key: Its value must be a string with up to 128 characters.
  • tag_value: Its value must be a string with up to 256 characters.
NOTE:

resource_provider is used to determine the filter type (Specific resources or All resources).

  • If resource_provider exists in policy_filter, the filter type is Specific resources.
  • If resource_provider does not exist in policy_filter, the filter type is All resources.

Therefore, no separate filter type property is set in policy_filter.

state

Specifies the rule status.

N/A

Possible values are:

  • Enabled: The rule is available.
  • Disabled: The rule is disabled.
  • Evaluating: The rule is being used for resource compliance evaluation.

created

Specifies the time when the rule was created.

N/A
NOTE:

The time is a UTC time in a fixed format complying with ISO-8601 (for example, 2018-11-14T08:59:14Z).

updated

Specifies the time when the rule was updated.

N/A

policy_definition_id

Specifies the ID of the compliance policy bound to the rule.

Its value must be a string with up to 64 characters. Only letters, digits, and hyphens (-) are allowed.

Policy ID

custom_policy

Custom policy, which contains the following attributes:

  • function_urn: Specifies the URN of the function.
  • auth_type: Specifies the authentication type for the function to be invoked.
  • auth_value: Specifies the authentication value of the function to be invoked.

custom_policy: Its value is an object type.

  • function_urn: Its value must be a string with up to 1,024 characters.
  • auth_type: Its value must be a string. Only agency is supported.
  • auth_value: The value must be an object which is related to auth_type. Only the {"agency_name": value_name} structure is supported, where value_name indicates the IAM agency name configured for Config.

custom_policy specifies the URN of the function in the custom policy and the authentication type for invoking the function.

parameters

Specifies the values of rule parameters.
parameters: The value must be an object.
  • key: The value must be a string including only letters and numbers. If the policy type of the rule is Custom policy, the value can have up to 1,024 characters.
  • value: The value must be an object, and the value restrictions vary depending on the parameter type.

The compliance policy bound to the rule has corresponding parameters. The number, type, and value range of those parameters depend on the selected compliance policy.

tags

Tags added to a rule

-
  • A tag key can contain up to 128 Unicode characters.
  • A tag value can contain up to 255 Unicode characters.

created_by

The creator of a rule

-

A rule can be created by a user or a service with the required service-link agency.

You cannot create a rule to evaluate another rule or a conformance package.

The following shows a predefined policy that is used to check whether ECSs in regionid_1 have a specific tag (env: production).

{
  "id": "5fcd8696dfb78231e6f2f899",
  "name": "required-tag-check",
  "description": "A resource is non-compliant if it does not contain the specific tag.",
  "policy_filter": {
        "region_id": "regionid_1",
        "resource_provider": "ecs",
        "resource_type": "cloudservers",
        "tag_key": "env",
        "tag_value": "production"
  },
  "period": null,
  "state": "Enabled",
  "created": "2020-12-07T01:34:14.266Z",
  "updated": "2020-12-07T01:34:14.266Z",
  "policy_definition_id": "5fa9f89b6eed194ccb2c04db",
  "parameters": {
        "specifiedTagKey": {
        "value": "a"    },
        "specifiedTagValue": {
        "value": []
    }
  }
  "tags": [],
  "created_by": "custom"
}

The following JSON expression shows a custom rule for evaluating ECSs in regionid_1:

{
  "id": "719d8696dfb78231e6f2f719",
  "name": "test_consume_policy",
"description": "A resource is non-compliant if it does not contain the specific tag.",
  "policy_filter": {
        "region_id": "regionid_1",
        "resource_provider": "ecs",
        "resource_type": "cloudservers",
        "tag_key": null,
        "tag_value": null
  },
  "period": null,
  "state": "Enabled",
  "created": "2022-07-19T01:34:14.266Z",
  "updated": "2022-07-19T01:34:14.266Z",
  "policy_definition_id": null,
  "custom_policy": {  
    "function_urn": "urn:fss:regionid_1:projectidforpolicy:function:default:test_consume_policy:latest",  
    "auth_type": "agency",  
    "auth_value": {"agency_name": "rms_fg_agency"}
  },
  "parameters": {
        "vpcId": {"value": "allowed-vpc-id"}
    }
  }
  "tags": [],
  "created_by": "custom"
}
Parent topic: Compliance Rule Concepts