All Products
Search
Document Center

Cloud Config:Terms

Last Updated:Aug 29, 2023

This topic describes the terms involved in Cloud Config.

Term

Description

resource type

A resource type is a category of resources. For example, the resource type of Elastic Compute Service (ECS) instances is Instance. Resources can be divided into the following types:

  • Instances, such as compute instances and storage instances

  • Management elements of application services, such as workspaces and workflows

  • Management resources related to permissions, such as roles and policies

resource configurations

Cloud Config retrieves all your resources by using the APIs of Alibaba Cloud services. In a resource list, you can click a resource ID to view the configurations of the resource. You can also manage the resource in the Alibaba Cloud Management Console.

monitoring scope

You can configure the monitoring scope of Cloud Config by specifying the types of resources to be monitored.

  • If a resource type is added to the monitoring scope, Cloud Config tracks your resources of this type and records the configuration changes every 10 minutes.

  • If a resource type is removed from the monitoring scope, Cloud Config does not record the configuration changes to the resources of this type.

rule

A rule is a function that is used to determine whether a resource configuration is compliant. Cloud Config runs rule code by using functions of Function Compute. Assume that a rule is applied to a resource type in Cloud Config. If the configurations of a resource of this type change, Cloud Config re-evaluates the resource based on the rule and checks whether the configuration is compliant. Cloud Config can also trigger rules at a specified time to periodically evaluate the compliance of all resources. The rules in Cloud Config are divided into the following categories:

  • Managed rule

    For information about managed rules, see Rule templates.

  • Custom rule

    You can use Function Compute to create a rule. Before you can create a rule, you must create a function in the Function Compute console. Then, you can select the function ARN in the Cloud Config console. For more information, see Create a custom rule function.

configuration timeline

Cloud Config provides a configuration timeline for each monitored resource.

  • If a resource has been created before you activate Cloud Config, the configuration timeline starts from the time when you activate Cloud Config.

  • If a resource is created after you activate Cloud Config, the configuration timeline starts from the time when the resource is created. Cloud Config detects configuration changes every 10 minutes. If resource configuration changes at a point in time, a node is generated on the configuration timeline. You can then view the basic information, configuration changes, and related operations of the resource.

compliance timeline

Cloud Config evaluates resources based on rules. A compliance record is generated when a rule is triggered. Cloud Config displays the compliance records over time in a compliance timeline. The compliance records that are displayed in the compliance timeline depend on the trigger type.

  • If the trigger type is Periodic, the compliance timeline displays the records of periodical compliance evaluations.

  • If the trigger type is Configuration Changes, the compliance timeline displays the records of compliance evaluations of every configuration change.

  • If both trigger types are selected, the compliance timeline displays the compliance records of both types.

classified protection precheck

The classified protection precheck feature of Cloud Config monitors and evaluates your Alibaba Cloud resources in a continuous manner. You can view the compliance evaluation result in real time and remediate non-compliant resources. This simplifies the procedure of an official assessment. For more information, see ClassifiedProtectionPreCheck.

CIS

The Center for Internet Security (CIS) is a community of organizations and individuals that want actionable security resources. The CIS Controls are a set of 20 control points or objectives designed to help enterprises safeguard their systems and data.

resource directory

Resource Directory allows you to establish an organizational structure for the accounts used by your enterprise and manage the relationships between the accounts.

management account

A management account is an account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has all administrative permissions on the resource directory and the members in the resource directory. Only an Alibaba Cloud account that has passed enterprise real-name verification can be used as a management account. Each resource directory has only one management account.

Note

A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory.

member account

A member can be a resource account or cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.

  • Resource account

    A member that is created in a resource directory is a resource account. Resource accounts do not have root users. Therefore, resource accounts provide higher security. For more information about how to create a resource account, see Create a member.

  • Cloud account

    A member that is invited to join a resource directory is a cloud account. Cloud accounts have root users. For more information about how to invite an Alibaba Cloud account to join a resource directory, see Invite an Alibaba Cloud account to join a resource directory.

account group

An account group is a collection of member accounts. In a resource directory, the management account can add all or some member accounts to an account group for centralized compliance management. An account group is also a resource pool formed by gathering resources from multiple member accounts.

The management account can view the resource lists, resource details, resource configuration timelines, resource compliance timelines, and associated resources of all member accounts in the account group. It can also create rules and compliance packages in the account group. These rules and compliance packages take effect on resources of all member accounts in the account group for continuous compliance evaluation.