Updated on 2024-11-12 GMT+08:00

Creating an Organization Conformance Package

Scenario

If you are an organization administrator or a delegated administrator of Config, you can add organization conformance packages and deploy these packages to all member accounts that are in the normal state in your organization.

Each member can view organization packages that are deployed to their accounts in the conformance package list. If you create an organization conformance package using an account, you can only use the same account to delete the package. Members can only initiate resource evaluation and view evaluation results.

After an organization conformance package is created, your resources are evaluated with the rules in the package by default. Evaluations will be initiated each time the package is triggered. You can also trigger an evaluation with a single rule on the rule list page.

Restrictions and Limitations

  • Up to 50 conformance packages (including organization conformance packages) and 500 rules can be created in an account.
  • To create or modify an organization conformance package, the resource recorder must be enabled. If the resource recorder is disabled, you can only view or delete organization conformance packages. For details, see Configuring the Resource Recorder.
  • The Organization Conformance Package tab on the Config console is inaccessible to accounts that are not organization members.
  • Organization conformance packages will only be deployed to member accounts that are in the normal state.

Procedure

  1. Log in to the Config console as an organization administrator or an agency administrator of Config.
  2. Click in the upper left corner. Under Management & Governance, click Config.
  3. On the left navigation pane, choose Conformance Package.
  4. Select the Organization Conformance Package tab and click Create Organization Conformance Package.

    Figure 1 Creating an organization conformance package

  5. On the Select Template page, select a sample template, upload a local template, or enter an OBS template URL, and click Next.

    • Sample template: Templates provided by Config. You can select a sample template from the dropdown list.

      For details about the rules contained in each sample template, see conformance package sample template.

    • Local template: Templates uploaded locally. You can create a custom template and upload the template.

      The template must be a JSON file (with the file name extension .tf.json). For details, see custom conformance packages.

    • OBS bucket: The location of the OBS bucket that stores the custom conformance package template. If your local template file exceeds 50 KB, upload it to an OBS bucket and enter the OBS URL when you need to select a package template.

      The OBS URL specifies the location of an object stored in an OBS bucket. To obtain an OBS URL on the OBS console, you need to locate the object and choose More > Copy Object URL in the Operation column on the Objects page.

    Figure 2 Selecting a conformance package template

  6. Configure detailed information and click Next.

    Figure 3 Detailed information
    Table 1 Detailed information

    | Parameter | Description |
    | --- | --- |
    | Name | The name of an organization conformance package. An organization conformance package name is customized and must be unique. The name can contain letters, numbers, underscores (_), and hyphens (-) and cannot exceed 64 characters. |
    | Parameters | Parameters of an organization conformance package are consistent with rules in the package. For details, see Built-in Policies. |
    | Destination | Specifies where an organization conformance package will be deployed. Organization indicates that a conformance package will be deployed to all members in a specified organization. Current Account indicates that a conformance package will be deployed to the current account. When creating an organization conformance package, select Organization. |
    | Excluded Account | Member accounts to which organization conformance packages will not be deployed. This parameter is only required when Destination is set to Organization. |

  7. On the confirm information page, confirm the configuration and click OK.

    Figure 4 Confirming configurations

    After an organization conformance package is created or updated, an evaluation will be automatically triggered.
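
A pre-flight check for the template constraints in step 5 and the Name constraint in Table 1, as an added example that is not part of the Config documentation or tooling. It assumes 1 KB = 1024 bytes, ASCII letters in names, and a JSON object at the top level of the template; the function name `preflight` and the sample key names are hypothetical.

```python
import json
import re

# Limits taken from the page. Assumptions: ASCII letters, 1 KB = 1024 bytes.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
LOCAL_UPLOAD_MAX_BYTES = 50 * 1024


def _reject_duplicate_keys(pairs):
    """json hook: fail on a repeated key instead of silently keeping the last one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def preflight(package_name, file_name, raw):
    """Return (delivery, errors); delivery is 'local', 'obs', or None on error."""
    errors = []
    if not NAME_RE.fullmatch(package_name):
        errors.append("name: only letters, numbers, _ and -, at most 64 characters")
    if not file_name.endswith(".tf.json"):
        errors.append("template: file name must end with .tf.json")
    try:
        doc = json.loads(raw.decode("utf-8"), object_pairs_hook=_reject_duplicate_keys)
        if not isinstance(doc, dict):  # assumption: top level is a JSON object
            errors.append("template: top level must be a JSON object")
    except (UnicodeDecodeError, ValueError) as exc:
        errors.append(f"template: not valid JSON ({exc})")
    if errors:
        return None, errors
    # Files over 50 KB cannot be uploaded locally and must be referenced by OBS URL.
    return ("obs" if len(raw) > LOCAL_UPLOAD_MAX_BYTES else "local"), errors


# Constructed sample input; the key names are placeholders, not a real template schema.
SMALL = b'{"example_key": {"example_rule": {}}}'
LARGE = json.dumps({"example_key": "x" * (51 * 1024)}).encode()
DUPLICATE = b'{"example_key": 1, "example_key": 2}'

if __name__ == "__main__":
    print(preflight("org-baseline_01", "baseline.tf.json", SMALL))
    print(preflight("org baseline!", "baseline.json", DUPLICATE))
    print(preflight("org-baseline_01", "baseline.tf.json", LARGE))
```

The duplicate-key check matters because a standard JSON parser keeps only the last value for a repeated key, so the file a reviewer reads may not match what is actually evaluated.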