Warning

An official English-language version of the documentation is not available. For your convenience only, we have introduced the use of machine-translation software capable of producing rough translations in various languages, including English.This machine-translated version of the documentation was produced using only machine-translation software and without any human intervention. We are making continuous efforts to improve the machine-translation software. HOWEVER, MACHINE TRANSLATIONS MAY CONTAIN ERRORS. ANY RELIANCE BY YOU UPON THIS MACHINE TRANSLATION IS SOLELY AT YOUR OWN RISK, AND ALIBABA CLOUD SHALL NOT BE LIABLE TO YOU OR ANY OTHER PARTIES FOR ANY ADVERSE CONSEQUENCES (DIRECT, INDIRECT, CONSEQUENTIAL OR OTHERWISE) ARISING FROM OR IN CONNECTION WITH THE DOCUMENTATION OR ANY TRANSLATIONS THEREOF.

To request a human-translated version of this article or to comment on the quality of machine translation, please use the "More suggestions" text area in the feedback form below to submit feedback.

This article lists the basic concepts used in configuration audit to help you understand and use them correctly.

Resource type

Configuration audit is a resource-oriented Audit Service. A resource type is a group of entity resources. For example, the ECS Instance resource type is ACS: ECS: Instance. Resources can be divided into the following categories:
  1. Physical resources such as computing instances and storage instances.
  2. Management Concepts of application-level products such as work groups and workflows.
  3. Manage resources related to roles, policies, and other permissions.

Resource configuration details

All information that can be obtained through the resource query interface opened by cloud products.

Monitoring scope

The monitoring range refers to the range of tracked resource types, and the monitoring granularity is the resource type.
  1. When you select a resource type that is within the monitoring range, all physical resources of this type under the account are tracked and configuration change snapshots are recorded every 10 minutes.
  2. When a resource type is removed from the monitoring scope, all entity resources of this type under the account stop recording configuration changes.

Configure the timeline

Configuration audit provides you with the resource configuration timeline for each monitoring range.
  1. For the resources that are stored when you activate the configuration audit service, the starting point of the configuration timeline is the service activation time.
  2. For resources created after you activate the configuration audit service, the starting point of the configuration timeline is the resource creation time. Configuration audit checks the resource configuration changes every 10 minutes. If a configuration change occurs, a node is displayed on the configuration timeline, the resource configuration details, change details, and Operation events at the time point are displayed.

Rules

A rule function is used to determine whether a resource configuration is compliant. Configuration audit relies on function compute for rule Development. The rule content is generally a certain attribute must be/not a certain value. After a rule is bound to a resource type, when the resource type is changed, the rule evaluation is automatically triggered to monitor the compliance of the change. You can also set it to trigger at specified time to verify the compliance of all resources. For more information about rule management, see Create a rule. There are two types of configuration audit rules: default rules and custom rules.
  1. Preset system rules: configure audit service to provide you with dozens of preset system rules. For more information, see List of preset rules
  2. Develop custom rules: To create a custom rule, you must log on to function compute to create a rule function. When creating a custom rule in the configuration audit console, you must enter the rule function ARN. Custom rules can better support personalized compliance scenarios.

Compliance timeline

Rule assessment can be triggered when a change occurs. The corresponding configuration timeline has a compliance timeline, which is the historical records of each compliance assessment result. The compliance assessment records of the compliance timeline are related to the rule triggering method.
  1. If the rule is triggered at a scheduled time, it only includes the records of the scheduled evaluation.
  2. If the rule is triggered by a change, it includes the records assessed at each change.
  3. If you select two triggering methods, an evaluation record is displayed.