This topic describes the definition, scenarios, and limits of account groups, and the impacts of member account changes on Cloud Config. The member account can belong to a resource directory or an account group.
Definition
An account group is a collection of member accounts. In a resource directory, the management account can add all or some member accounts to an account group for centralized compliance management. An account group is also a resource pool formed by gathering resources from multiple member accounts.
The management account can view the resource lists, resource details, resource configuration timelines, resource compliance timelines, and associated resources of all member accounts in the account group. The management account can also create rules and compliance packages in the account group. These rules and compliance packages take effect on resources of all member accounts in the account group for continuous compliance evaluation.
Scenarios
A management account can add all or some member accounts in a resource directory to an account group. An account group can be used to manage resource compliance across Alibaba Cloud accounts. It allows enterprises to manage compliance and collect data for multiple services and Alibaba Cloud accounts in a comprehensive manner.
- You can view the global resources of all member accounts in an account group. A management account can view the resources of all member accounts in an account group, or filter or search for resources in a resource list. A management account can also view the details and configuration timeline of resources.
- You can set a compliance baseline for all member accounts in an account group. A management account can create rules and compliance packages in an account group. These rules and compliance packages take effect on the resources of all member accounts in the account group. Member accounts cannot modify or delete the rules and compliance packages. This way, a management account can forcibly set a unified compliance baseline for multiple member accounts.
- You can view the compliance check results of all member accounts. A management account can view the compliance check results of a rule on the resources of each member account. A management account can also view the compliance check results of a rule on all the resources of multiple member accounts. This facilitates centralized compliance management for multiple services and accounts.
- You can collect the resource data of all member accounts. After an account group is created, the management account takes over some Cloud Config permissions of member accounts. The management account can configure a unified data delivery method for all the member accounts in the account group. Then, the resource configuration history of all member accounts is delivered to the management account or a member account that is used to store enterprise configuration data.
- You can send the resource events of all member accounts. A management account can send the resource change events and resource non-compliance events of all member accounts in an account group to a Message Service (MNS) topic.
Limits
- Only a management account in a resource directory can create an account group. The management account can add all or some member accounts of a resource directory to the account group.
- Each management account can create a maximum of five account groups. Each account group can contain a maximum of 200 member accounts.
Impacts of member account changes in a resource directory on Cloud Config
| Item | Impact |
|---|---|
| Add a member account to a resource directory | |
| Change the resource directory to which a member account belongs | Cloud Config is not affected. Cloud Config does not perform operations. |
| Remove a member account from a resource directory | Cloud Config is affected. If you remove a member account from a resource directory, the management account loses the management permissions on the member account. Then, the member account is automatically removed from all account groups. |
Impacts of member account changes in an account group on Cloud Config
| Item | Impact |
|---|---|
| Do not add a member account to any account group | The member account uses Cloud Config as an independent Alibaba Cloud account. |
| Add a member account to an account group | |
| Remove a member account from an account group | |
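The limits above and the two impact tables together describe a membership policy. The following Python model is an added example, not Alibaba Cloud's code or Cloud Config's API; it encodes those stated rules (at most five groups per management account, at most 200 members per group, only resource directory members may be added, removal from the directory removes the account from every group) so a change can be validated before it is applied. The account IDs are constructed placeholders.

```python
"""Model of Cloud Config account-group membership rules (added example, not Alibaba Cloud code)."""
from dataclasses import dataclass, field

MAX_GROUPS_PER_MANAGEMENT_ACCOUNT = 5   # limit stated on the page
MAX_MEMBERS_PER_GROUP = 200             # limit stated on the page


class AccountGroupError(ValueError):
    """Raised when a change would violate a stated account-group rule."""


@dataclass
class ResourceDirectory:
    """Tracks the directory's member accounts and the management account's account groups."""
    members: set = field(default_factory=set)          # member account IDs in the resource directory
    groups: dict = field(default_factory=dict)          # account group name -> set of member account IDs

    def create_group(self, name, members=()):
        if len(self.groups) >= MAX_GROUPS_PER_MANAGEMENT_ACCOUNT:
            raise AccountGroupError("a management account can create at most 5 account groups")
        if name in self.groups:
            raise AccountGroupError(f"account group {name!r} already exists")
        self.groups[name] = set()
        for account_id in members:
            self.add_to_group(name, account_id)

    def add_to_group(self, name, account_id):
        # Only member accounts of the resource directory can be added to an account group.
        if account_id not in self.members:
            raise AccountGroupError(f"{account_id} is not a member account of the resource directory")
        group = self.groups[name]
        if account_id not in group and len(group) >= MAX_MEMBERS_PER_GROUP:
            raise AccountGroupError(f"account group {name!r} already has 200 member accounts")
        group.add(account_id)

    def remove_from_group(self, name, account_id):
        self.groups[name].discard(account_id)

    def remove_from_directory(self, account_id):
        # Impact table: the management account loses its permissions on the account,
        # so the account is removed from every account group. Returns the affected groups.
        self.members.discard(account_id)
        affected = sorted(g for g, ids in self.groups.items() if account_id in ids)
        for g in affected:
            self.groups[g].discard(account_id)
        return affected

    def managed_by(self, account_id):
        """Account groups that manage the account; empty means it uses Cloud Config independently."""
        return sorted(g for g, ids in self.groups.items() if account_id in ids)
```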