Cloud Config is a specialized service that is used to evaluate resources. Cloud Config tracks configuration changes of your resources and evaluates configuration compliance.

Features

| Feature | Description |
| --- | --- |
| Manage the monitoring scope | Cloud Config monitors the changes of your resources. It also tracks the configuration changes and evaluates configuration compliance in real time. You can configure the monitoring scope of resources in the Cloud Config console. If you select All Supported Resource Types, new resource types that are supported by Cloud Config are automatically added to the monitoring scope. If you select Custom Resource Types, new resource types are not automatically added to the monitoring scope. |
| Manage resources | After you activate Cloud Config, you can view your resources in different regions. You can filter resources. This allows you to query the configuration details of a specified resource. You can also go to the corresponding cloud service console from the Cloud Config console to manage the resource. |
| View the configuration timeline of a resource | Cloud Config records each configuration change of the resources that it monitors, and displays the configuration changes over time in a configuration timeline. You can view the configuration changes and the details of related events. |
| Evaluate resource compliance | Cloud Config can monitor resources based on managed rules and custom rules. After you configure a rule, you can view the compliance results and compliance timeline of each resource. You can also re-evaluate the non-compliant resources. You can edit, disable, or delete the rules that do not meet your requirements. |
| Subscribe to resource events | You can subscribe to configuration change events and non-compliance events of resources. You can also deliver these events to other cloud services in a timely manner. |
| Remediate non-compliant resources | You can specify a remediation template for a rule. If a resource is evaluated as non-compliant based on a rule, Cloud Config remediates the resource based on your settings. |
| Store resource configuration snapshots in an OSS bucket | If you specify an Object Storage Service (OSS) bucket, Cloud Config stores the configuration snapshots as objects in the OSS bucket. |
| Store resource logs in Log Service | If you specify a Log Service project, Cloud Config stores the resource change data as logs in Log Service. |
| Perform Classified Protection pre-check | The Classified Protection pre-check feature of Cloud Config monitors and evaluates your Alibaba Cloud resources in a continuous manner. You can view the compliance evaluation result in real time and remediate non-compliant resources. This simplifies the procedure of the official assessment. |

Benefits

Cloud Config provides the following benefits:

  • Aggregated resources across multiple regions: Cloud Config provides a list of resources in different regions and allows you to find a resource by searching or filtering.
  • Configuration change tracking based on operations logs: Cloud Config creates a configuration snapshot for each configuration change and tracks the operation that triggers the change. If a non-compliance event occurs, you can locate the change that caused it. This simplifies the troubleshooting process.
  • Continuous compliance evaluation: Cloud Config tracks configuration changes of resources and evaluates configuration compliance. This automates the compliance review process.
  • Classified Protection pre-check: Cloud Config provides rules based on the specifications in Baseline for Classified Protection of Cybersecurity 2.0 and uses the rules to evaluate the compliance of resources. You can enable the Classified Protection pre-check feature with one click.

Usage notes

Before you use Cloud Config, note the following:
  • Some of your resources may not be displayed in the resource list because Cloud Config does not support those Alibaba Cloud services. If you set the monitoring scope to All Supported Resource Types, a new resource type is automatically added to the monitoring scope after Cloud Config supports the resource type. You can manually remove the resource type from the monitoring scope.
  • Cloud Config detects configuration changes at 10-minute intervals. If a change occurs in an interval and is restored to the original state within the interval, Cloud Config cannot detect the change.
  • Data accuracy is not guaranteed when Cloud Config is in public preview. If the resource list, configuration details, or evaluation results are not displayed as expected in Cloud Config, we recommend that you submit a ticket. If you want Cloud Config to support more resource types, you can also submit a ticket.
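
The 10-minute detection interval in the usage notes means that a setting changed and reverted between two checks never appears in the configuration timeline. The following added example (not Alibaba Cloud code) replays constructed operation-log events against a simplified fixed-window model of that interval and lists the changes that comparing consecutive checks cannot reveal, so they can be reviewed from the operation log instead. The event format, resource names, start time and window alignment are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=10)  # detection interval stated in the usage notes
START = datetime.fromisoformat("2024-01-01T00:00:00")  # assumed first check

# Constructed operation-log events: (time, resource, setting, new value).
EVENTS = [
    ("2024-01-01T00:03:00", "sg-example-1", "ssh_ingress", "0.0.0.0/0"),
    ("2024-01-01T00:07:00", "sg-example-1", "ssh_ingress", "10.0.0.0/8"),
    ("2024-01-01T00:12:00", "bucket-example-1", "acl", "public-read"),
    ("2024-01-01T00:31:00", "bucket-example-1", "acl", "private"),
]
# Constructed state recorded at the first check.
INITIAL = {
    ("sg-example-1", "ssh_ingress"): "10.0.0.0/8",
    ("bucket-example-1", "acl"): "private",
}

def invisible_changes(events, initial, start=START, interval=INTERVAL):
    """Return logged changes that comparing consecutive checks cannot reveal."""
    per_setting = defaultdict(lambda: defaultdict(list))
    for ts, resource, setting, value in sorted(events):
        window = (datetime.fromisoformat(ts) - start) // interval
        per_setting[(resource, setting)][window].append((ts, value))
    missed = []
    for (resource, setting), windows in per_setting.items():
        seen = initial[(resource, setting)]  # value at the previous check
        for window in sorted(windows):
            final = windows[window][-1][1]  # value at the next check
            if final == seen:
                # Net change within the window is zero: nothing to detect.
                missed += [(ts, resource, setting, v) for ts, v in windows[window]]
            seen = final
    return sorted(missed)

if __name__ == "__main__":
    for event in invisible_changes(EVENTS, INITIAL):
        print("not visible to interval checks:", event)
```

With the constructed data, the security group change and its revert fall inside one window and are reported, while the bucket ACL change persists across a check and is not.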