Compliance is code. Rules are a sample interpretation of an enterprise's compliance requirements: each compliance clause is a piece of rule code, and the essence of that code is the judgment logic for a resource configuration. The Configuration Audit service uses Function Compute functions to carry rule code; these functions are called "rule functions". Once a rule function is referenced in Configuration Audit and its associated resources and trigger mechanism are configured, it becomes a rule in Configuration Audit.

In actual compliance monitoring, real-time resource configuration changes trigger the execution of rule functions to determine whether a resource configuration is compliant. By combining multiple rules, you can monitor the compliance of the entire resource configuration.

Rule definition

A rule is judgment logic that determines whether a configuration item of a resource is compliant. It has the following features:

  • The input parameters of a rule function are configuration items that can be obtained through the resource query API, such as the resource type, region, name, status, and port or port switch status. The input parameter name must be consistent with the configuration item name.
  • The logic of the rule function evaluates the input parameter value. The judgment logic is determined by your code. For example, if the HTTPS listening status of an SLB instance is "on", the instance is considered "compliant". The input parameter is the configuration field on the SLB resource that represents the HTTPS listener status. When this field value indicates "off", the instance is considered "non-compliant".
  • The output of a rule function is the compliance result.

Resource type to which the rule points

The rule functions defined in Function Compute are not directed at a target: they do not indicate which resource type they apply to. Because configuration parameters with the same name may exist on different resources, an accurate compliance assessment cannot be made from the input parameters of a rule function alone.

Therefore, you must bind the created rule function to a specified resource type in Configuration Audit. When the configuration of an entity resource of this type changes, the system first finds the rules associated with the resource, and then determines which rule to trigger based on which configuration changed.

Trigger a rule

As mentioned above, when a resource configuration change occurs, Configuration Audit knows exactly which configuration has changed. The rule functions that take the changed parameters as input parameters are triggered to evaluate whether the result of the change is compliant. Therefore, the input parameter name of the rule function must be consistent with the name of the actual resource configuration.

In addition, Configuration Audit allows you to set a rule to be triggered periodically, so that compliance is assessed on a regular schedule.

Compliance assessment results

Configuration Audit uses the obtained change results as input parameters and passes them to the rule function. The rule function returns the compliance result to Configuration Audit, which presents the results and collects statistics on them in various ways in the Configuration Audit console. For more information, see View rule assessment results.
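The following added example (not Alibaba Cloud code and not the real rule function interface) models locally how a rule is bound to a resource type, triggered by a change to a matching configuration item, and how it returns a result. The field name HttpsListenerStatus, its "on"/"off" values, the result labels, and the helpers evaluate_change and never_triggered are assumptions made for illustration.

```python
import inspect
from dataclasses import dataclass
from typing import Callable

COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"  # assumed result labels


def slb_https_listener_on(HttpsListenerStatus):
    # Rule function: judges one configuration item. "HttpsListenerStatus" and
    # its "on"/"off" values are assumed names, not real SLB fields.
    return COMPLIANT if HttpsListenerStatus == "on" else NON_COMPLIANT


@dataclass(frozen=True)
class Rule:
    name: str
    resource_type: str            # the binding lives outside the rule function
    function: Callable[..., str]

    def input_names(self):
        return list(inspect.signature(self.function).parameters)


def evaluate_change(rules, resource_type, config, changed):
    """Run the rules a configuration change triggers; return {rule name: result}."""
    results = {}
    for rule in rules:
        if rule.resource_type != resource_type:
            continue  # a same-named item on another resource type is ignored
        names = rule.input_names()
        if not set(names) <= set(config) or not set(names) & set(changed):
            continue  # inputs missing on this resource, or none of them changed
        results[rule.name] = rule.function(**{n: config[n] for n in names})
    return results


def never_triggered(rules, known_items):
    """Rules whose parameter names match no configuration item of their bound type."""
    return [r.name for r in rules
            if not set(r.input_names()) <= set(known_items.get(r.resource_type, ()))]


# Constructed sample data.
RULES = [Rule("slb-https-enabled", "SLB", slb_https_listener_on)]
SLB_CONFIG = {"Name": "web-slb", "Status": "active", "HttpsListenerStatus": "off"}

if __name__ == "__main__":
    print(evaluate_change(RULES, "SLB", SLB_CONFIG, ["HttpsListenerStatus"]))
```

In this model, a rule whose parameter name does not match a configuration item never fires and therefore never reports a violation; never_triggered lists such rules so that the gap is visible.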

You can customize rule functions in Function Compute. For more information, see Develop custom rules. You can also use the preset rules provided by Configuration Audit. For more information, see List of preset rules.