Updated on 2024-11-12 GMT+08:00

Adding a Rule with a Predefined Policy

Scenarios

This section describes how to add a rule based on a predefined (built-in) policy.

Constraints and Limitations

  • You can add up to 500 rules in an account.
  • The resource recorder must be enabled for adding, modifying, enabling, or triggering a rule. If the resource recorder is disabled, you can only view, disable, and delete rules.

To evaluate resources with rules, you need to enable the resource recorder. Resource evaluation is subject to the following rules:

  • If the resource recorder is disabled, no resources will be available for evaluation. You can still view historical evaluation results.
  • If the resource recorder is enabled and a monitoring scope is configured, only resources within the monitoring scope can be evaluated.

For details about how to enable and configure the resource recorder, see Configuring the Resource Recorder.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. In the navigation pane on the left, choose Resource Compliance.
  4. In the Rules tab, click Add Rule.
  5. Configure basic details, and click Next.

    Figure 1 Basic Configurations
    Table 1 Parameters of basic configurations

    Policy Type
      Select Built-in policy.
      Built-in policies are provided by Config. You can select a built-in policy to quickly add a rule. You can also search for a built-in policy by policy name or tag.
      For details, see Built-In Policies.

    Rule Name
      By default, the rule name is consistent with the predefined policy name. Rule names must be unique.
      A rule name can contain digits, letters, underscores (_), and hyphens (-) and cannot exceed 64 characters.

    Description
      By default, the rule description is the same as the selected predefined policy description. You can also customize the rule description.
      A rule description can contain any type of character and cannot exceed 512 characters.

  6. On the displayed Configure Rule Parameters page, configure required parameters and click Next.

    Figure 2 Configure Rule Parameters
    Table 2 Parameter descriptions

    Trigger Type
      Specifies the conditions under which the rule is triggered. Possible values are:
      • Configuration change: The rule is triggered when a specific cloud resource is changed.
      • Periodic execution: The rule is triggered at a specific frequency.
      NOTE:
      You cannot modify the Trigger Type of a predefined policy. The Trigger Type varies between predefined policies.

    Filter Type
      Specifies the resources to be evaluated. Possible types are:
      • Specific resources: Resources of a specific type will be evaluated.
      • All resources: All resources in your account will be evaluated.
      This parameter is mandatory only when Trigger Type is set to Configuration change.

    Resource Scope
      If you set Filter Type to Specific resources, you need to specify a resource scope.
      • Service: The service that the resource belongs to.
      • Resource type: The type of the resource.
      • Region: The region where the resource resides.
      NOTE:
      • You can specify a service and a resource type for Resource Scope only when Trigger Type is set to Configuration change.
      • You can specify a region for Resource Scope when Trigger Type is set to Periodic execution and the resources are not of the account type. You can check more predefined policies on the Config console or in the Predefined Policy List.

    (Optional) Filter Scope
      After you enable Filter Scope, you can filter resources by resource ID or tag, so that only specific resources are evaluated for compliance.
      This parameter is optional for a rule whose trigger type is Configuration change.

    Execute Every
      Indicates how often the rule is triggered.
      Available options: 1 hour, 3 hours, 6 hours, 12 hours, 24 hours.
      This parameter is mandatory only when Trigger Type is set to Periodic execution.

    Configure Rule Parameters
      Parameters of the built-in policy.
      For example, if you select the required-tag-check policy, you need to specify a tag, so that resources that do not have the tag will be evaluated as noncompliant.
      Some default policies, such as volumes-encrypted-check, do not require rule parameters.

    Tag
      Tag of the rule. To add a tag, click Add Tag and enter a tag key and a tag value. You can add up to 20 tags to a rule.
      • A tag key cannot be empty. It can contain letters, digits, spaces, and special characters (_.:=+-@), but cannot start or end with a space or start with _sys_. A tag key can contain up to 128 characters.
      • A tag value cannot be empty. It can contain letters, digits, spaces, and special characters (_.:=+-@), but cannot start or end with a space. A tag value can contain up to 255 characters.

  7. On the Confirm page displayed, confirm the rule information and click Submit.

    Figure 3 Confirm

    After you add a rule, the first evaluation is triggered automatically.
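The constraints above (rule name and tag character rules, the parameters that become mandatory for each Trigger Type) and the evaluation rules from the Constraints and Limitations section (nothing is evaluated while the resource recorder is disabled; a monitoring scope restricts what is evaluated) can be checked locally before a rule is submitted. The following is an added example written for this page; it is not Config's own code or API. The dictionary shape (`trigger_type`, `filter_type`, `resource_scope`, `execute_every`, `tags`), the resource records and their type names, and the `required-tag-check` simulation are this example's assumptions, constructed to illustrate how that policy classifies resources that lack the configured tag.

```python
"""Added example, not Huawei Cloud Config code: local pre-check of a rule
definition against the page's constraints, plus a simulation of the
required-tag-check policy. Field names and sample data are assumptions."""
import re

# Limits and character rules quoted from the page
RULE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
TAG_CHARS_RE = re.compile(r"^[A-Za-z0-9 _.:=+\-@]+$")
MAX_DESCRIPTION = 512
MAX_TAGS_PER_RULE = 20
TRIGGER_TYPES = {"Configuration change", "Periodic execution"}
FILTER_TYPES = {"Specific resources", "All resources"}
PERIODS = {"1 hour", "3 hours", "6 hours", "12 hours", "24 hours"}


def validate_tag(key, value):
    """Return the problems found in one tag key/value pair (empty list if valid)."""
    problems = []
    if (not key or not TAG_CHARS_RE.match(key) or key != key.strip()
            or key.startswith("_sys_") or len(key) > 128):
        problems.append(f"invalid tag key: {key!r}")
    if (not value or not TAG_CHARS_RE.match(value) or value != value.strip()
            or len(value) > 255):
        problems.append(f"invalid tag value: {value!r}")
    return problems


def validate_rule(rule):
    """Check a rule definition (a plain dict, this example's own shape)."""
    problems = []
    if not RULE_NAME_RE.match(rule.get("name", "")):
        problems.append("rule name must be 1-64 chars of letters, digits, _ or -")
    if len(rule.get("description", "")) > MAX_DESCRIPTION:
        problems.append("description exceeds 512 characters")
    trigger = rule.get("trigger_type")
    if trigger not in TRIGGER_TYPES:
        problems.append(f"unknown trigger type: {trigger!r}")
    elif trigger == "Configuration change":
        # Filter Type is mandatory here; Specific resources needs a Resource Scope
        if rule.get("filter_type") not in FILTER_TYPES:
            problems.append("Filter Type is mandatory for Configuration change")
        elif rule.get("filter_type") == "Specific resources" and not rule.get("resource_scope"):
            problems.append("Resource Scope is required for Specific resources")
    else:
        # Periodic execution: Execute Every is mandatory
        if rule.get("execute_every") not in PERIODS:
            problems.append("Execute Every is mandatory for Periodic execution")
    tags = rule.get("tags", [])
    if len(tags) > MAX_TAGS_PER_RULE:
        problems.append("a rule can have at most 20 tags")
    for key, value in tags:
        problems.extend(validate_tag(key, value))
    return problems


def resources_to_evaluate(resources, recorder_enabled, monitoring_scope=None):
    """Apply the page's evaluation rules: nothing is evaluated while the resource
    recorder is disabled; with a monitoring scope, only in-scope resource types count."""
    if not recorder_enabled:
        return []
    if monitoring_scope is None:
        return list(resources)
    return [r for r in resources if r["type"] in monitoring_scope]


def evaluate_required_tag(resources, tag_key, tag_value=None):
    """Simulate required-tag-check: a resource is noncompliant when it lacks the
    tag key (or carries a different value when one is required)."""
    results = {}
    for r in resources:
        actual = r.get("tags", {}).get(tag_key)
        compliant = actual is not None and (tag_value is None or actual == tag_value)
        results[r["id"]] = "Compliant" if compliant else "NonCompliant"
    return results


# Constructed sample data: IDs, type names and region are placeholders, not real values
SAMPLE_RESOURCES = [
    {"id": "ecs-0001", "type": "ecs.cloudservers", "tags": {"owner": "secops", "env": "prod"}},
    {"id": "ecs-0002", "type": "ecs.cloudservers", "tags": {"env": "dev"}},
    {"id": "evs-0001", "type": "evs.volumes", "tags": {"owner": "platform"}},
]
SAMPLE_RULE = {
    "name": "required-tag-check",
    "description": "Resources without the owner tag are noncompliant.",
    "trigger_type": "Configuration change",
    "filter_type": "Specific resources",
    "resource_scope": {"service": "ecs", "resource_type": "cloudservers", "region": "example-region"},
    "parameters": {"tag_key": "owner"},
    "tags": [("team", "secops")],
}


def run_demo():
    """Validate the sample rule, apply a monitoring scope, then evaluate."""
    problems = validate_rule(SAMPLE_RULE)
    in_scope = resources_to_evaluate(SAMPLE_RESOURCES, recorder_enabled=True,
                                     monitoring_scope={"ecs.cloudservers"})
    return problems, evaluate_required_tag(in_scope, SAMPLE_RULE["parameters"]["tag_key"])


if __name__ == "__main__":
    print(run_demo())
```

In the demo the volume is excluded by the monitoring scope rather than evaluated, and only the server without an `owner` tag comes back noncompliant; the same functions reject a tag key starting with `_sys_` or a periodic rule that omits Execute Every.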