Cloud Config for Enterprise is an integration of Cloud Config and Resource Management. You can use Cloud Config for Enterprise to audit configuration compliance for resources that belong to the different member accounts of a resource directory, all from a single master account.

Note For more information about Resource Management, see What is Resource Management?.

Features

Cloud Config for Enterprise provides the following features and has the following limits:
  • After you use the master account to upgrade Cloud Config to Cloud Config for Enterprise, Cloud Config for Enterprise is activated for all member accounts, including new member accounts.
  • After you use the master account to configure rules that are used to audit configuration compliance, you can apply the rules to all member accounts.
  • You can use the master account to view the list, configuration history, and configuration compliance status of resources that belong to each member account.
  • After you use the master account to enable the snapshot feature, you can store the snapshots of resource configurations in Object Storage Service (OSS) buckets.
  • You cannot use a member account to create, modify, or delete rules or audit record storage settings in Cloud Config for Enterprise. This keeps compliance control centralized in the master account.

Architecture

The following figure shows how Cloud Config for Enterprise works with resource directories. You can use a resource directory to manage the multiple accounts of your enterprise and construct a directory tree that represents the logical relationships among the accounts. You can use Cloud Config for Enterprise to evaluate whether resource configurations are compliant with specific rules. You can use the master account to view the list, configurations, configuration history, and configuration compliance status of resources that belong to each member account.

Figure: Architecture of Cloud Config for Enterprise

Terms

Term Description
Master account

A master account is the account used to enable a resource directory and is the super administrator of the resource directory. The master account has administrative permissions on the resource directory and the member accounts in the resource directory. Only an Alibaba Cloud account that has passed enterprise real-name verification can be used as a master account. Each resource directory has only one master account.

Member account

A member account is an Alibaba Cloud account. It serves as a container for resources and is also an organizational unit in a resource directory. A member account indicates a project or application. The resources under different member accounts are isolated.

A member account is an account that a master account invites to join a resource directory or creates in a resource directory.

Rule

A rule is created by the master account and is used to audit configuration compliance. The rule is applied to all member accounts of the master account.

Audit record storage

Audit record storage is a feature provided for master accounts. This feature creates snapshots of the configurations of resources that belong to the master account or member accounts, and saves the snapshots as objects in OSS buckets.

Cloud Config for individuals

If you do not need to manage resource configuration compliance across member accounts, you can use Cloud Config for individuals.

Cloud Config for Enterprise

If your enterprise has multiple accounts, you can upgrade Cloud Config to Cloud Config for Enterprise to achieve centralized management. Cloud Config for Enterprise is an integration of Cloud Config and Resource Management. This allows you to manage resource configuration compliance across all member accounts by using only one master account.

Note Certain features such as protection screening and event subscription are unavailable after you upgrade Cloud Config to Cloud Config for Enterprise. These features will be integrated into Cloud Config for Enterprise in the future.

Upgrade Cloud Config

Before you upgrade Cloud Config to Cloud Config for Enterprise, you must create a resource directory in the Resource Management console. Otherwise, the entry to upgrade the service is unavailable in the Cloud Config console. To upgrade Cloud Config, perform the following steps:

Log on to the Cloud Config console by using the master account. On the Overview page, click Upgrade. The upgrade takes a few minutes to complete; the required time depends on the number of member accounts. Note the following changes in available features, and the actions that the service performs when member accounts change, after the upgrade:
  • An upgrade changes the features that are available in the console to the master account and member accounts. The following comparison lists, for each feature, what is available to an account in Cloud Config for individuals ("Individuals"), to the master account in Cloud Config for Enterprise ("Enterprise, master account"), and to a member account in Cloud Config for Enterprise ("Enterprise, member account").
    Compliance management
      Individuals: The account manages compliance for its own resources.
      Enterprise, master account: The master account manages compliance for the resources of the master account and of all member accounts.
      Enterprise, member account: The compliance of resources that belong to the member account is managed by the master account.
    Overview pages
      Individuals: The Overview page is available. It shows the compliance status of resources that belong to the account.
      Enterprise, master account: Two overview pages are available. The Account Overview page shows the compliance status of resources that belong to the master account, and the Master Account Overview page shows the compliance status of resources that belong to all accounts in the resource directory.
      Enterprise, member account: Only the Member Account Overview page is available. It shows the compliance status of resources that belong to the member account.
    Resource monitoring
      Individuals: Monitors the resource types that the account selects.
      Enterprise, master account: Monitors all resource types. This setting cannot be changed.
      Enterprise, member account: Monitors all resource types. This setting cannot be changed.
    Resource check
      Individuals: The account can check the list, configuration history, and configuration compliance status of resources that belong to the account.
      Enterprise, master account: The master account can check the list, configuration history, and configuration compliance status of resources that belong to the master account and to member accounts.
      Enterprise, member account: The member account can check the list, configuration history, and configuration compliance status of resources that belong to the member account only.
    Rules
      Individuals: Rules take effect on resources that belong to the account.
      Enterprise, master account: Rules take effect on resources that belong to the master account and to each member account.
      Enterprise, member account: Rules are assigned to the member account by the master account. The member account cannot create, modify, or delete rules.
    Audit record storage
      Individuals: The account can modify the configuration of this feature.
      Enterprise, master account: The master account can modify the configuration of this feature. By default, the modification is applied to all member accounts. The resource configuration snapshots of both the master account and the member accounts are saved in the OSS bucket that is specified by the master account.
      Enterprise, member account: The member account cannot modify the configuration of this feature. The resource configuration snapshots of the member account are saved in the OSS bucket that is specified by the master account.
    Protection screening
      Individuals: Supported.
      Enterprise, master account: Not supported.
      Enterprise, member account: Not supported.
    Event subscription
      Individuals: Supported.
      Enterprise, master account: Not supported.
      Enterprise, member account: Not supported.
  • The following list describes the actions that Cloud Config for Enterprise performs when the member accounts in a resource directory change.
    A member account is added: Cloud Config for Enterprise is automatically activated for the new member account. The member account inherits the rules that the master account assigns to all member accounts, and its resource configuration snapshots are saved in the OSS bucket that is specified by the master account.
    A member account is removed: The rules that were assigned by the master account are removed from the member account, and its resource configuration snapshots are no longer saved in the OSS bucket that is specified by the master account. The member account then uses Cloud Config for individuals.
    A member account is transferred within the resource directory: The directory trees shown on the Resources page and the Rules page of the master account are updated. The rule evaluation results and resource configuration snapshots of the member account are still saved in the OSS bucket that is specified by the master account.

Limits

The following limits apply when you use Cloud Config for Enterprise:
  • Cloud Config for Enterprise is in invitational preview. Therefore, you must submit a ticket or contact the service manager for the permission to use Cloud Config for Enterprise.
  • Before you use Cloud Config for Enterprise, you must log on to the Resource Management console to create a resource directory on the Resource Directory page.
  • To create a rule or configure the audit record storage feature, you must log on to the Cloud Config for Enterprise console by using the master account, or as a RAM user of the master account that has administrator permissions. The configurations are applied to all member accounts.
  • You cannot use a member account to perform write operations in the Cloud Config for Enterprise console.
  • The master account can create up to 200 rules.
  • After you upgrade Cloud Config to Cloud Config for Enterprise, the original configurations of the master account and member accounts are deleted. All member accounts are managed by the master account.
  • You cannot downgrade Cloud Config for Enterprise to Cloud Config for individuals.
    Note Both Cloud Config for Enterprise and Cloud Config for individuals are free.