When you create a rule, you can bind a correction template to the rule and set the template to be run automatically. If the resource configuration is non-compliant, the template can be automatically run to correct the configuration.

Background information

This topic describes how to set automatic correction by using the required-tags rule as an example.

The managed rule required-tags is used to check whether resources are bound to specified tags. For example, if you want all Elastic Compute Service (ECS) instances to be bound to the tag "Project=A", you can use the required-tags rule to monitor all ECS instances. When Cloud Config detects that some ECS instances are not bound to the tag, the rule is evaluated as Non-compliant. If you subscribe to resource compliance events, Cloud Config sends a non-compliance alert to the specified Message Service (MNS) topic. For more information, see Subscribe to events.

Procedure

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Rules.
  3. On the Rules page that appears, click Create Rule.
  4. In the Basic Settings step of the Create Rule wizard, set Execution Method to Managed Rule, search for and select the required-tags rule, set the risk level of the rule, and then click Next.
    Basic Settings step
  5. In the Scheduling Settings step of the Create Rule wizard, enter the key and value of a tag and click Next.
    Scheduling Settings step

    If you need to check multiple tags, you can set the keys and values of these tags one by one. Cloud Config allows you to check up to six tags. The rule is evaluated as Compliant only when the target resources are bound to all the tags that you have specified. If you want to check whether resources are bound to any tag in a group of tags, create a rule for each of the tags based on the required-tags rule.

    For example, if you want all the resources in your account to be bound to the tag "Project=A", you can create a rule based on the required-tags rule to check the resources for this tag. When Cloud Config detects that some resources are not bound to the tag, the rule is evaluated as Non-compliant.

    Note Use the default values for the trigger type, related resources, and input parameters.
  6. In the Correction Settings step of the Create Rule wizard, set Correction Method to Automatic Execution, use the official template selected by default in the Workflow drop-down list, complete service authorization as prompted, and then click Submit.
    Correction settings
  7. View the correction results.
    If the rule is evaluated as non-compliant, Cloud Config triggers the correction template. The resource configuration is automatically changed to your preset expected value.
    • View the correction results on the Rules page
      1. On the Rules page, find the rule whose Compliance is Non-compliant.
      2. Click the link in the Rule Name/Rule ID column or Details in the Action column.
      3. Click the Correction Details tab. On the Correction Details tab, you can view the correction settings and correction history.
    • View the correction results on Resources page
      1. On the Resources page, find the non-compliant resource by using the filter or search feature.
      2. Click the link in the Resource ID/Resource Name column. On the resource details page that appears, check the most recent evaluation results.
      3. Click View Details in the Evaluation Result column or the link in the Rule Name column of the target rule to go to the rule details page.
      4. Click the Correction Details tab. On the Correction Details tab, you can view the correction settings and correction history.
    Note
    • If you modify the parameters of a correction template and then save the correction template, the existing correction results and history are deleted.
    • Modifying the execution method of a correction template does not affect the existing correction results and history.
    Results of the required-tags rule