This topic describes the basic concepts in Cloud Config to help you understand and use this service.
Cloud Config is a service that evaluates the configurations of your cloud resources. A resource type is a category of resources. For example, an Elastic Compute Service (ECS) instance has the resource type Instance, whose resource type code is ACS::ECS::Instance. Resources can be divided into the following categories:
- Basic cloud resources, such as compute instances and storage instances
- Management elements of application products, such as workspaces and workflows
- Management resources related to permissions, such as roles and policies
You can query the configurations of all resources under the current account through the API operations provided by the corresponding cloud services.
The monitoring scope is the set of resource types that Cloud Config tracks. Monitoring is configured per resource type, not per individual resource.
- If a resource type is added to the monitoring scope, Cloud Config tracks all resources of this type under the current account and records their configuration snapshots every 10 minutes.
- If a resource type is removed from the monitoring scope, Cloud Config stops recording configuration changes for all resources of this type under the current account.
Cloud Config provides you with the configuration timeline for each resource that is monitored.
- If a resource is created before you activate Cloud Config, the start point of the configuration timeline is the time when you activate Cloud Config.
- If a resource is created after you activate Cloud Config, the start point of the configuration timeline is the time when the resource is created. Cloud Config checks the configuration changes every 10 minutes. If a configuration changes at a time point, a node is generated on the configuration timeline. You can view the configurations, configuration changes, and related operations at the time point.
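The following Python example, added here and not part of the Cloud Config documentation or the service itself, shows how periodic snapshots become nodes on a configuration timeline: the first node is the start point (activation time or creation time, as described above), and later nodes appear only when a snapshot differs from the previous one. The snapshot records, the configuration field names and the 10-minute timestamps are constructed sample data, not the service's actual storage format.

```python
from datetime import datetime

# Constructed sample: configuration snapshots of one ECS instance, captured
# every 10 minutes. Field names (InstanceType, SecurityGroupIds, Tags) are
# illustrative only.
ACTIVATION_TIME = datetime(2024, 1, 1, 8, 0)
SNAPSHOTS = [
    (datetime(2024, 1, 1, 8, 0),
     {"InstanceType": "ecs.g6.large", "SecurityGroupIds": ["sg-a"], "Tags": {"env": "prod"}}),
    (datetime(2024, 1, 1, 8, 10),
     {"InstanceType": "ecs.g6.large", "SecurityGroupIds": ["sg-a"], "Tags": {"env": "prod"}}),
    (datetime(2024, 1, 1, 8, 20),
     {"InstanceType": "ecs.g6.large", "SecurityGroupIds": ["sg-a", "sg-open"], "Tags": {"env": "prod"}}),
    (datetime(2024, 1, 1, 8, 30),
     {"InstanceType": "ecs.g6.xlarge", "SecurityGroupIds": ["sg-a", "sg-open"], "Tags": {"env": "prod"}}),
    (datetime(2024, 1, 1, 8, 40),
     {"InstanceType": "ecs.g6.xlarge", "SecurityGroupIds": ["sg-a", "sg-open"], "Tags": {"env": "prod"}}),
]


def diff_config(old, new):
    """Return {key: (old_value, new_value)} for every top-level key that differs."""
    changes = {}
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            changes[key] = (old.get(key), new.get(key))
    return changes


def build_config_timeline(snapshots, activation_time, created_at):
    """Turn periodic snapshots into configuration timeline nodes.

    The first node is the start point of the timeline: the activation time
    if the resource existed before Cloud Config was activated, otherwise
    the creation time of the resource. Every later node corresponds to a
    snapshot whose configuration differs from the previous snapshot; a
    snapshot with no change produces no node.
    """
    if not snapshots:
        return []
    ordered = sorted(snapshots, key=lambda s: s[0])
    start = activation_time if created_at < activation_time else created_at
    nodes = [{"time": start, "config": ordered[0][1], "changes": {}}]
    previous = ordered[0][1]
    for captured_at, config in ordered[1:]:
        changes = diff_config(previous, config)
        if changes:
            nodes.append({"time": captured_at, "config": config, "changes": changes})
            previous = config
    return nodes


if __name__ == "__main__":
    # Resource created before activation: timeline starts at activation time.
    for node in build_config_timeline(SNAPSHOTS, ACTIVATION_TIME, datetime(2023, 12, 1)):
        print(node["time"].isoformat(), node["changes"])
```

Each node keeps the full configuration at that point plus the keys that changed, which is what a reviewer needs when a change such as an added security group has to be correlated with the operation that caused it.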
A rule is implemented by a rule function that determines whether a resource configuration is compliant. Rules in Cloud Config are developed by using the rule functions created in Function Compute. A rule checks whether the value of an input parameter meets the required condition. Assume that a rule is bound to a resource type in Cloud Config. If the configurations of a resource of this type change, Cloud Config automatically re-evaluates the resource based on the rule and checks whether the changed configuration is compliant. Cloud Config can also trigger rules at the frequency you specify to periodically evaluate the compliance of all resources. For more information about how to manage rules, see Create a rule.
Rules in Cloud Config are divided into two categories.
- Managed rules
Cloud Config provides you with more than 40 managed rules. For more information, see Managed rules.
- Custom rules
To create a custom rule, log on to the Function Compute console and create a rule function. When you create a custom rule in the Cloud Config console, enter the Alibaba Cloud Resource Name (ARN) of the rule function. For more information, see Create a custom rule. Custom rules allow you to perform compliance evaluations for your own scenarios.
Cloud Config evaluates a resource against its rules whenever the configurations of the resource change, and generates a compliance evaluation record each time. The historical compliance evaluation records are presented as a timeline for the resource. Which records appear in the compliance timeline depends on the trigger method of the rules.
- If the trigger method is Periodic, the compliance timeline displays the records of periodic compliance evaluations.
- If the trigger method is Configuration Changes, the compliance timeline displays the records of compliance evaluations for configuration changes.
- If both trigger methods are selected, the compliance timeline displays the records of all compliance evaluations.
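The following Python example, added here and not part of the Cloud Config documentation or of Function Compute, puts the custom-rule and compliance-timeline sections above into working code. It contains a rule function that checks whether a resource carries a tag named by an input parameter, and a filter that builds the compliance timeline for the trigger methods selected on the rule. The event layout (an `invokingEvent` JSON string holding a `configurationItem`, plus a `ruleParameters` dict), the parameter names `requiredTagKey` and `requiredTagValue`, and the sample events are assumptions constructed for this example, not the documented contract of a Cloud Config rule function.

```python
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# Trigger method names as used in the Cloud Config console text above.
PERIODIC = "Periodic"
CONFIGURATION_CHANGES = "Configuration Changes"


def evaluate_required_tag(configuration_item, rule_parameters):
    """Hypothetical rule body: the ECS instance must carry the tag named by the
    'requiredTagKey' parameter and, if 'requiredTagValue' is given, that value.
    Returns (compliance, annotation)."""
    if configuration_item.get("resourceType") != "ACS::ECS::Instance":
        return NOT_APPLICABLE, "rule applies only to ACS::ECS::Instance"
    key = rule_parameters.get("requiredTagKey")
    if not key:
        # A rule with a missing mandatory parameter must fail loudly rather
        # than silently report every resource as compliant.
        raise ValueError("rule parameter 'requiredTagKey' is required")
    tags = configuration_item.get("configuration", {}).get("Tags", {})
    if key not in tags:
        return NON_COMPLIANT, f"missing tag {key!r}"
    wanted = rule_parameters.get("requiredTagValue")
    if wanted is not None and tags[key] != wanted:
        return NON_COMPLIANT, f"tag {key!r} is {tags[key]!r}, expected {wanted!r}"
    return COMPLIANT, f"tag {key!r} present"


def handler(event, context=None):
    """Entry point in the shape of a Function Compute rule function (event
    layout assumed, see the lead-in). Returns one compliance evaluation record."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_required_tag(item, event.get("ruleParameters", {}))
    return {
        "resourceId": item["resourceId"],
        "resourceType": item["resourceType"],
        "complianceType": compliance,
        "annotation": annotation,
        "triggerType": invoking["triggerType"],
        "evaluatedAt": item["captureTime"],
    }


def compliance_timeline(records, trigger_methods):
    """Keep only the records produced by the trigger methods selected on the
    rule, ordered by evaluation time: Periodic, Configuration Changes, or both."""
    selected = set(trigger_methods)
    return [r for r in sorted(records, key=lambda r: r["evaluatedAt"])
            if r["triggerType"] in selected]


def make_event(resource_id, tags, trigger, capture_time, params):
    """Build a constructed sample event in the assumed layout."""
    item = {"resourceId": resource_id, "resourceType": "ACS::ECS::Instance",
            "captureTime": capture_time, "configuration": {"Tags": tags}}
    return {"invokingEvent": json.dumps({"configurationItem": item, "triggerType": trigger}),
            "ruleParameters": params}


# Constructed sample: one instance evaluated on a change, then periodically,
# then again after the missing tag is added.
PARAMS = {"requiredTagKey": "owner"}
SAMPLE_EVENTS = [
    make_event("i-example01", {"env": "prod"}, CONFIGURATION_CHANGES, "2024-01-01T08:20:00Z", PARAMS),
    make_event("i-example01", {"env": "prod"}, PERIODIC, "2024-01-01T12:00:00Z", PARAMS),
    make_event("i-example01", {"env": "prod", "owner": "sec-team"}, CONFIGURATION_CHANGES,
               "2024-01-01T13:10:00Z", PARAMS),
]


def run_sample():
    """Evaluate every sample event and return the records in order."""
    return [handler(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    records = run_sample()
    for r in compliance_timeline(records, [PERIODIC, CONFIGURATION_CHANGES]):
        print(r["evaluatedAt"], r["triggerType"], r["complianceType"], r["annotation"])
```

The rule returns NOT_APPLICABLE for resource types it was not written for, so binding it to the wrong type does not produce misleading non-compliance records, and it raises on a missing mandatory parameter instead of passing everything.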