Cloud Config is a specialized service for evaluating resources. Cloud Config tracks configuration changes of your resources and evaluates configuration compliance. Cloud Config can help you evaluate numerous resources and maintain the continuous compliance of your cloud infrastructure.
|Manage the monitoring scope||Cloud Config monitors the changes of resources under your account, tracks configuration changes, and evaluates configuration compliance in real time. You can manage the scope of resources to be monitored through simple configuration. If you select all supported resource types and more services are connected to Cloud Config, new resource types supported by Cloud Config are automatically added to the monitoring scope by default. If you customize resource types, the resource types are not automatically added to the monitoring scope.|
|Manage the resource list||After you activate Cloud Config, you can view the resources of different regions under your account in Cloud Config. You can search for a resource and view the configuration snapshots of the resource. After finding the specified resource, you can go to the management page of the resource in the corresponding cloud service console from Cloud Config to manage the resource.|
|View the compliance timeline of a resource||Cloud Config records each detailed configuration change of the resources it monitors, and displays the configuration changes over time in a configuration timeline. You can query the events related to each configuration change and event details, including the username, source IP address, time, and API operation name.|
|Evaluate resource compliance||Cloud Config supports managed rules and custom rules. After configuring rules, you can view the compliance evaluation results and compliance timeline of each resource and re-evaluate non-compliant resources. You can modify, delete, or deactivate the rules that fail to meet your requirements.|
|Subscribe to resource events||You can subscribe to resource change events, resource non-compliance events, and resource snapshot delivery events in Cloud Config and receive notifications in a timely manner.|
|Remediate non-compliant resources||You can specify a remediation template for a rule. When a resource is evaluated by the rule as Non-compliant, Cloud Config automatically remediates non-compliant resources. You can also manually remediate non-compliant resources as required.|
|Store resource snapshots to an OSS bucket||If you specify the target Object Storage Service (OSS) bucket, Cloud Config stores configuration snapshots and compliance evaluation snapshots as objects in the OSS bucket.|
|Screen resources based on Baseline for Classified Protection of Cybersecurity 2.0||Cloud Config provides the protection screening feature free of charge. The feature monitors the compliance of your cloud resources in an automatic and continuous manner based on Baseline for Classified Protection of Cybersecurity 2.0. The feature simplifies the rectification process and helps you pass the official evaluation with ease.|
Cloud Config provides the following benefits:
- An aggregated list of resources in multiple regions: Cloud Config displays an integrated view of resources in different regions and allows you to search for resources with ease.
- Configuration change tracking based on operations logs: Cloud Config creates a configuration snapshot for each configuration change and tracks the operation that triggered the change. When an issue occurs, you can easily attribute the issue to a specific change for troubleshooting.
- Continuous compliance evaluation: Cloud Config tracks configuration changes of resources and automatically evaluates configuration compliance. This automates the compliance review process.
- Protection screening based on Baseline for Classified Protection of Cybersecurity 2.0: Cloud Config interprets the specifications of Baseline for Classified Protection of Cybersecurity 2.0 as rules. Before the official evaluation, you can enable continuous protection screening with one-click.
Before you start
- Cloud Config is expanding its monitoring scope to include more Alibaba Cloud services. Currently, Cloud Config only supports some Alibaba cloud services. Therefore, the resource list may only display a part of your resources. After Cloud Config supports a new resource type, the new resource type is automatically added to the monitoring scope. You can later remove the resource type from the monitoring scope as required.
- Cloud Config detects configuration changes at a regular interval of 10 minutes. Cloud Config may fail to identify a change if it occurs and is restored within the same 10-minute interval.
- Data accuracy is not guaranteed when Cloud Config is in public preview. If the resource list, configuration details, or evaluation results displayed in Cloud Config are not as expected or you have other requirements, we recommend that you submit a ticket.