Help Center/ Config/ Best Practices/ Ensuring Resource Compliance by Tag, Region, and Organization
Updated on 2025-01-21 GMT+08:00
View PDF
Share

Ensuring Resource Compliance by Tag, Region, and Organization

When implementing cloud resource compliance, enterprises usually face the following problems:

  • The security requirements of the production environment are different from those of the test environment.
  • Different regions have different requirements of resource compliance due to varying laws and regulations.

In addition, all accounts in an organization are required to be configured with unified security baseline requirements. Config provides a wealth of built-in policies to help enterprises manage resource compliance based on different scenarios.

Evaluating Resources By Tag

Prerequisite: Your resources have been tagged. For details, see Principles for Naming Tags.

Scenario: If you tag resources by environment, you can use these tags to audit resources in different environments. Assume that you have added the tag key: Env:Prod to all resources in the production environment and Env:Test to all resources in the test environment. You can define tag values as needed.

Procedure

  1. Log in to the Config Console.
  2. In the navigation pane on the left, choose Resource Compliance.
  3. On the Rules tab, click Add Rule.
  4. Select a built-in policy, for example, allowed-images-by-name, and click Next.
  5. On the Configure Rule Parameters page, remain the default settings for Resource Scope and select All for Region.
  6. Toggle on Filter Scope, click Tag, and enter Env for Tag key and Prod for Tag value.

  1. Click Submit. The rule is intended to evaluate the specified resource type in the production environment.
  2. Return to the Rules tab to view evaluation results.

Evaluating Resources By Region

Scenario: If you do not want your OBS buckets in the regions outside of the Chinese mainland to be publicly accessed, you can create a rule to check if your OBS buckets are correctly configured to meet your exceptions.

Procedure

  1. Log in to the Config Console.
  2. In the navigation pane on the left, choose Resource Compliance.
  3. On the Rules tab, click Add Rule.
  4. On the Basic Configurations page, select obs-bucket-public-read-policy-check in the Built-in Policy area, and click Next.
  5. On the Configure Rule Parameters page, remain the default settings for Resource Scope and select AP-Singapore for Region.

  6. Click Submit. The rule is intended to evaluate your OBS buckets in the AP-Singapore region.
  7. Return to the Rules tab to view evaluation results.

Creating an Organization Rule

Prerequisites: You have created an organization and you are the organization administrator or a delegated administrator of Config. For more details, see Overview of Organizations and Specifying, Viewing, or Removing a Delegated Administrator.

Scenario: You can deploy an organization rule to some or all member accounts in your organization. Generally, the security administrator that is not in charge of service specific tasks is responsible for deploying organization rules.

Procedure

  1. Log in to the Config Console.
  2. In the navigation pane on the left, choose Resource Compliance.
  3. On the Organization Rules tab, click Add Rule.
  4. Select a built-in policy, for example, iam-user-mfa-enabled, and click Next.
  5. On the Configure Rule Parameters page, remain the default settings for Resource Scope and click Next.
  6. Return to the Organization Rules tab to view evaluation results.

Aggregating Resource Data from an Organization

Prerequisites: You have created an organization and you are the organization administrator or a delegated administrator of Config. For more details, see Overview of Organizations and Specifying, Viewing, or Removing a Delegated Administrator.

Scenario: The security administrator of an organization can create aggregators to query rules deployed to and resource compliance of member accounts in the organization.

Procedure

  1. Log in to the Config Console.
  2. In the navigation pane on the left, choose Resource Aggregation > Aggregators.
  3. On the Aggregators page, click Create Aggregator.
  4. Select Allow data replication, enter an aggregator name, set the Source Type to Add my organization, and click OK.
  5. On the Rules page, select the created aggregator to view rules aggregated from the member accounts.

  6. Click a rule name to view its evaluation results.

FAQs

Why Is There No Organization Rule Page on Config Console?

The organization rule function is only available to an organization administrator or an organization member who is a delegated administrator of Config.

Why Is an Organization Rule Abnormal After Being Deployed?

The resource recorder has not been enabled in the member account.

To get full functionality of Config, you need to enable the resource recorder. If the resource recorder is disabled, you may have problems using rules and conformance packages.

To deploy organization rules or conformance packages to member accounts, the resource recorder must be enabled for both the organization administrator or the delegated administrator of Config and all the involved members.