All Products
Search
Document Center

Cloud Config:Differences between each account in single-account and multi-account modes

Last Updated:Aug 29, 2023

This topic describes the differences between each account in single-account and multi-account modes.

Note

You can use the management account of your resource directory to specify a member account as the delegated administrator account of Cloud Config. After the delegated administrator account is configured, the delegated administrator account is granted the same permissions as the management account.

The following table lists the differences between each account in single-account and multi-account modes.

Item

Alibaba Cloud account (single-account mode)

Member account (multi-account mode)

Management account (multi-account mode)

Accounts

An independent Alibaba Cloud account that is not included in a resource directory by a management account.

An Alibaba Cloud account that is included in a resource directory by a management account.

An Alibaba Cloud account that enables a resource directory and manages all member accounts.

Console pages

On the Overview, Resources, Compliance Package, Rules, and Deliveries pages, you can view only the information of the current account.

On the Overview, Resources, Compliance Package, Rules, and Deliveries pages, you can view only the Current Account tab and the tab of the account group to which the current account belongs.

On the Overview, Resources, Compliance Package, Rules, and Deliveries pages, you can view the Current Account tab and the tabs of all the account groups.

Resources

You can view the resources within the current account, and the configuration timeline and compliance timeline of each resource.

You can view only the resources within the current account, and the configuration timeline and compliance timeline of each resource.

You can view the resources within the current account and the member accounts in all account groups, and the configuration timeline and compliance timeline of each resource.

Compliance packages

You can create, modify, delete, or view the compliance packages within the current account. You can also download compliance evaluation reports.

If a member account is added to an account group, the Current Account tab and the tab of the account group to which the member account belongs are displayed.

  • On the Current Account tab, you can create, modify, delete, or view the compliance packages within the current account. You can also download compliance evaluation reports. The compliance packages take effect only on the current member account.

  • The compliance packages created by the management account in the account group take effect on the current member account. On the tab of the account group to which the member account belongs, you cannot perform operations on the compliance packages. You can only view compliance packages or compliance evaluation results.

You can create, modify, delete, or view compliance packages within the current account and the member accounts in all account groups. You can also download compliance evaluation reports.

Rules

You can create, modify, delete, enable, disable, or view rules. You can also download compliance evaluation reports.

If a member account is added to an account group, the Current Account tab and the tab of the account group to which the member account belongs are displayed.

  • On the Current Account tab, you can create, modify, delete, enable, disable, or view rules. You can also download compliance evaluation reports. The rules take effect only on the current member account.

  • The rules created by the management account in the account group take effect on the current member account. On the tab of the account group to which the member account belongs, you cannot perform operations on the rules. You can only view rules or compliance evaluation results.

You can create, modify, delete, enable, disable, or view rules within the current account and the member accounts in all account groups. You can also download compliance evaluation reports.

Account groups

You cannot create, modify, delete, or view account groups.

You cannot create, modify, delete, or view account groups. This type of account exists only as a member account in an account group.

You can create, modify, delete, or view account groups.

Service-linked role for Cloud Config

When you grant permissions on Cloud Config, a service-linked role for Cloud Config is automatically created.

If no member accounts have created a service-linked role for Cloud Config, a service-linked role is automatically created when the management account creates an account group. All the member accounts in the account group can use the service-linked role.

When you grant permissions on Cloud Config, a service-linked role for Cloud Config is automatically created.

Resource delivery

You can configure resource delivery for the current account.

You can configure resource delivery for the current account or follow the configurations of the management account.

You can configure resource delivery for the management account and the member accounts in all account groups.