All Products
Search
Document Center

Cloud Config:Definition and execution of rules

Last Updated:Jun 02, 2026

Compliance as code means encoding your enterprise's compliance requirements as rule code that evaluates whether resource configurations meet your standards. Cloud Config runs this logic using rule functions deployed on Function Compute. Each rule specifies the associated resources, trigger type, and input parameters that determine how and when compliance is evaluated.

When a resource configuration changes, Cloud Config invokes the rule function to evaluate compliance. Multiple rules can monitor all configuration items of the same resource simultaneously.

Rule definition

A rule is logic that determines whether a configuration item of a resource is compliant. Each rule has three components:

  • Input parameters — configuration items retrieved from cloud service APIs, such as resource specifications, region, name, status, HTTP port, or internet network port. The key of each input parameter must match the name of the corresponding configuration item.

  • Rule function — code that checks whether the value of an input parameter meets the compliance condition. For example, a rule that requires an HTTPS listener on a Server Load Balancer (SLB) instance uses the HTTPS listener status as its input parameter. If the listener is disabled, the rule determines that the SLB instance is non-compliant.

  • Output parameters — the compliance evaluation result returned by the rule function.

Associated resource types of a rule

A rule function created in the Function Compute console is not associated with any resource type by default. Because different resource types can have configuration items with identical names, Cloud Config cannot accurately evaluate compliance based solely on input parameter names.

Associate the rule function with a resource type in Cloud Config. When a resource configuration changes, Cloud Config identifies all rules associated with that resource type and determines whether to trigger them based on the specific changes.

Triggering of a rule

Cloud Config supports the following trigger types:

Trigger type

Description

Configuration changes

Cloud Config detects the changed configuration item, uses its value as the input parameter, and invokes the matching rules for evaluation. The input parameter keys must match the configuration item names of the resource.

Periodic

Cloud Config invokes the rule at a set frequency to evaluate resource compliance on a schedule.

Compliance evaluation results

Cloud Config passes the obtained configuration change result as an input parameter to the rule function. After evaluation, the rule function returns a compliance result to Cloud Config. Results are displayed and aggregated in the Cloud Config console. See View the compliance evaluation results.

To write custom compliance logic, create a custom rule function in Function Compute. See Create a custom rule function. To use a built-in compliance rule, see Rule templates.