Overview
Functions
A conformance package is a collection of rules. With conformance packages, you can evaluate resource compliance using multiple rules at the same time and centrally query conformance data.
After a conformance package is created, the compliance rules included will be displayed in the rule list. These rules cannot be updated, disabled, or deleted separately. They can only be deleted together with the conformance package.
If you are an organization administrator or a delegated administrator of Config, you can add organization conformance packages and deploy these packages to all member accounts that are in the normal state in your organization.
Constraints and Limitation
- Up to 50 conformance packages (including organization conformance packages) and 500 rules can be created in an account.
- The resource recorder must be enabled before you create a conformance package. Config only evaluates resources that are recorded by the resource recorder.
- To deploy an organization conformance package to a member, the member account must be in the normal state, and the resource recorder must be enabled for the member.
Concepts
Sample template
Sample templates are provided by Config for you to quickly create conformance packages quickly. Sample templates are scenario-based with appropriate compliance rules and parameters.
Pre-defined conformance package:
A pre-defined conformance package is created using a sample template. To deploy a pre-defined conformance package, you only need to configure a few parameters.
Custom conformance package:
A custom conformance package is created using a custom template. You can include both predefined and custom rules in a custom template. When you deploy a conformance package, you can upload a package template or use a package template stored in an OBS bucket. A custom template must be a JSON file. Other file formats, such as tf or zip, are not supported.
Compliance data
Compliance data is the results of resource compliance evaluation against a conformance package. Conformance data includes the following:
- Evaluation results of a conformance package: All rules in the conformance package are used to evaluate resources. If a resource is found to be noncompliant by any of the rules in the package, the evaluation result is noncompliant. If all resources are compliant, the evaluation result is compliant.
- Evaluation results of a rule: Each rule in the conformance package has an evaluation result. If a resource is found to be noncompliant, the result is noncompliant. If all resources are compliant, the result is compliant.
- Compliance score: The percentage of resources that are evaluated as compliant by a conformance package. A compliance score of 100 indicates that all resources evaluated are compliant. A score of 0 indicates that all resources evaluated are noncompliant.
Figure 1 Compliance score formula:
Stack:
To create, update, and delete rules in a conformance package, an RFS resource stack is required. Stack is a concept of Resource Formation Service (RFS). For details, see Basic Concepts.
Status
|
Value |
State |
Description |
|---|---|---|
|
CREATE_SUCCESSFUL |
Deployed |
A conformance package has been deployed. |
|
CREATE_IN_PROGRESS |
Deploying |
A conformance package is being deployed. |
|
CREATE_FAILED |
Abnormal |
A conformance package fails to be deployed. |
|
DELETE_IN_PROGRESS |
Deleting |
A conformance package is being deleted. |
|
DELETE_FAILED |
Deletion failed |
A conformance package fails to be deleted. |
|
ROLLBACK_SUCCESSFUL |
Rolled back |
Some rules in a conformance package failed to be created and were rolled back, and created rules were deleted. |
|
ROLLBACK_IN_PROGRESS |
Rolling back |
Some rules in a conformance package failed to be created and were rolled back, and created rules were being deleted. |
|
ROLLBACK_FAILED |
Rollback failed |
Some rules in a conformance package failed to be created, and rollback also failed. You can access RFS to check out the reasons. |
|
UPDATE_SUCCESSFUL |
Updated |
A conformance package is updated. |
|
UPDATE_IN_PROGRESS |
Updating |
A conformance package is being updated. |
|
UPDATE_FAILED |
Update failed |
A conformance package fails to be updated. |
Authorization
RFS resource stacks need to be authorized to create, delete, and update resources in a conformance package. When you create a conformance package, you need to assign RFS a required agency.
If you decide to not use custom authorization, Config will be automatically assigned an agency that contains required RFS permissions. You can also create a custom agency with IAM. The agency must contain required permissions for RFS to create, modify, and delete rules in a conformance package. For details about how to create an agency, see Creating an Agency (by a Delegating Party).
If you want to use a template in your OBS bucket to create a conformance package, configure a proper IAM policy and an OBS bucket policy to ensure that the template can be accessed. For more details, see Object Storage Service User Guide and Resource Formation Service User Guide.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
