When you create a rule, you can specify a remediation template for the rule and configure automatic execution for the template. If the configuration of a resource is non-compliant, the template automatically runs to correct the configuration.

Background information

This topic describes how to configure automatic remediation by creating a rule based on the required-tags managed rule.

The required-tags managed rule checks whether the associated resources have all the specified tags. You may want the tag "Project=A" to be attached to all Elastic Compute Service (ECS) instances within your Alibaba Cloud account. In this case, you can create a rule based on the required-tags managed rule to monitor all your ECS instances. If Cloud Config detects that the tag is not attached to one or more ECS instances, these resources are evaluated to be non-compliant based on the rule. If you subscribe to resource non-compliance events, Cloud Config sends notifications of resource non-compliance events to a specified Message Service (MNS) topic. For more information, see Send notifications of resource events to an MNS topic.

Use an ordinary account

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Rules.
  3. On the Rules page, click Create Rule.
  4. On the Create Rule page, find the managed rule based on which you want to create a rule.
  5. Click Apply Rule.
  6. In the Properties step, set the Rule Name and Risk Level parameters. Then, click Next.
    The Rule Name, Risk Level, and Trigger Type parameters have default values. You can change the values of the Rule Name and Risk Level parameters.
  7. In the Access Resource Scope step, keep the default resource type and click Next.
  8. In the Parameters step, enter the key and value of a tag and click Next.

    To check multiple tags, specify multiple key-value pairs in sequence. You can specify up to six key-value pairs. Resources that have all the specified tags are evaluated as compliant based on the rule. To check whether a single specified tag is attached to resources, independently of the other tags, create a separate rule for each tag based on the required-tags managed rule.

    You may want the tag "Project=A" to be attached to all the resources within your Alibaba Cloud account. In this case, you can create a rule based on the required-tags managed rule to monitor all your resources. If Cloud Config detects that the tag is not attached to one or more of your resources, these resources are evaluated to be non-compliant.

  9. In the Modify step, select the check box next to Modify, select Automatic Remediation, set the Remediation Type parameter to Operation Orchestration Service, enter the key-value pairs of the required tags, and then click Next.
    Note: You must specify the key-value pairs of the tags that you want to attach to your resources.
  10. In the Preview and Save step, check the settings and click Submit.
  11. View the remediation results.

    If a resource is evaluated to be non-compliant based on the rule, Cloud Config triggers the remediation template. The configurations of the non-compliant resource are automatically changed to the preset values.

    1. In the left-side navigation pane, click Rules.
    2. On the Rules page, find the created rule, and click Details in the Actions column or the rule name in the Rule Name/Rule ID column.
    3. On the rule details page, click the Correction Details tab.
    4. On the Correction Details tab, view the remediation results.

Use a management account

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Rules.
  3. On the Rules page, click the required account group tab.
  4. On the account group tab, click Create Rule.
  5. On the Create Rule page, find the managed rule based on which you want to create a rule.
  6. Click Apply Rule.
  7. In the Properties step, set the Rule Name and Risk Level parameters. Then, click Next.
    The Rule Name, Risk Level, and Trigger Type parameters have default values. You can change the values of the Rule Name and Risk Level parameters.
  8. In the Access Resource Scope step, keep the default resource type and click Next.
  9. In the Parameters step, enter the key and value of a tag and click Next.

    To check multiple tags, specify multiple key-value pairs in sequence. You can specify up to six key-value pairs. Resources that have all the specified tags are evaluated as compliant based on the rule. To check whether a single specified tag is attached to resources, independently of the other tags, create a separate rule for each tag based on the required-tags managed rule.

    You may want the tag "Project=A" to be attached to all the resources within your Alibaba Cloud account. In this case, you can create a rule based on the required-tags managed rule to monitor all your resources. If Cloud Config detects that the tag is not attached to one or more of your resources, these resources are evaluated to be non-compliant.

  10. In the Modify step, select the check box next to Modify, select Automatic Remediation, set the Remediation Type parameter to Operation Orchestration Service, enter the key-value pairs of the required tags, and then click Next.
    Note: You must specify the key-value pairs of the tags that you want to attach to your resources.
  11. In the Preview and Save step, check the settings and click Submit.
  12. View the remediation results.

    If a resource is evaluated to be non-compliant based on the rule, Cloud Config triggers the remediation template. The configurations of the non-compliant resource are automatically changed to the preset values.

    1. In the left-side navigation pane, click Rules.
    2. On the Rules page, find the created rule, and click Details in the Actions column or the rule name in the Rule Name/Rule ID column.
    3. On the rule details page, click the Correction Details tab.
    4. On the Correction Details tab, view the remediation results.
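
The rule semantics used in both procedures above (up to six key-value pairs, compliant when all specified tags are present, non-compliant resources changed to the preset values) can be dry-run against an inventory before Automatic Remediation is enabled, to see which tag writes it would cause. The following Python is an added example, not Alibaba Cloud code: the Resource class, the function names, and the sample instance IDs are hypothetical, and it assumes that a required key carrying a different value counts as non-compliant.

```python
from dataclasses import dataclass, field

MAX_TAG_PAIRS = 6  # the Parameters step accepts up to six key-value pairs


@dataclass
class Resource:
    resource_id: str
    tags: dict = field(default_factory=dict)


def evaluate(resource, required):
    """Return (compliance, missing, conflicting) for one resource.

    missing: required keys absent from the resource.
    conflicting: required keys present with a different value (assumed
    here to be non-compliant; remediation would overwrite them).
    """
    if not 1 <= len(required) <= MAX_TAG_PAIRS:
        raise ValueError(f"specify 1 to {MAX_TAG_PAIRS} key-value pairs")
    missing = {k: v for k, v in required.items() if k not in resource.tags}
    conflicting = {k: (resource.tags[k], v) for k, v in required.items()
                   if k in resource.tags and resource.tags[k] != v}
    compliant = not missing and not conflicting
    return ("COMPLIANT" if compliant else "NON_COMPLIANT"), missing, conflicting


def remediation_plan(resources, required):
    """Dry run: list the tag writes automatic remediation would perform."""
    plan = {}
    for res in resources:
        status, missing, conflicting = evaluate(res, required)
        if status == "NON_COMPLIANT":
            plan[res.resource_id] = {"attach": missing,
                                     "overwrite": conflicting}
    return plan


# Constructed sample inventory (instance IDs are made up).
INVENTORY = [
    Resource("i-example0001", {"Project": "A", "Owner": "ops"}),
    Resource("i-example0002", {"Owner": "dev"}),
    Resource("i-example0003", {"Project": "B"}),
]

if __name__ == "__main__":
    for rid, actions in remediation_plan(INVENTORY, {"Project": "A"}).items():
        print(rid, actions)
```

Entries under "overwrite" are the ones to review first: those resources already carry the key with another value, and the preset value would replace it.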