Cloud Config:CreateCompliancePack

Last Updated:Mar 31, 2026

Creates a compliance package for the current account.

Operation description

Each ordinary account can create up to five compliance packages.

This topic provides an example of how to create a compliance package named ClassifiedProtectionPreCheck. The compliance package contains a managed rule named eip-bandwidth-limit.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action | Access level | Resource type | Condition key | Dependent action
config:CreateCompliancePack | create | *CompliancePack acs:config:*:{#accountId}:compliancepack/* | None | None

Request parameters

Parameter

Type

Required

Description

Example

CompliancePackTemplateId

string

No

The ID of the compliance package template.

You can call the ListCompliancePackTemplates operation to obtain the ID of the compliance package template.

ct-5f26ff4e06a300c4****

CompliancePackName

string

Yes

The name of the compliance package.

Classified Protection Level 3 Pre-check Compliance Package

Description

string

No

The description of the compliance package.

Classified Protection Level 3 Pre-check Compliance Package

RiskLevel

integer

No

The risk level of the resources that are not compliant with the rules in the compliance package. Default value: 2. Valid values:

  • 1: high.

  • 2: medium.

  • 3: low.

2

ConfigRules

array<object>

No

The rules in the compliance package. You must specify either this parameter or TemplateContent.

array<object>

No

ManagedRuleIdentifier

string

No

The identifier of the managed rule. Cloud Config automatically creates a managed rule based on the specified identifier and adds the rule to the compliance package.

You need to specify only one of ManagedRuleIdentifier and ConfigRuleId. If you specify both parameters, Cloud Config adds a rule based on the value of ConfigRuleId. You can call the ListCompliancePackTemplates operation to obtain the identifier of the managed rule.

eip-bandwidth-limit

ConfigRuleName

string

No

The name of the rule.

EIP instance bandwidth meets the minimum requirement

ConfigRuleParameters

array<object>

No

The input parameters of the rule.

object

No

ParameterName

string

No

The name of the input parameter.

You must specify both ParameterName and ParameterValue or neither of them. If the managed rule has an input parameter but no default value is specified, you must specify this parameter. You can call the ListCompliancePackTemplates operation to obtain the names of input parameters of the managed rule.

bandwidth

ParameterValue

string

No

The value of the input parameter.

You must specify both ParameterName and ParameterValue or neither of them. If the managed rule has an input parameter but no default value is specified, you must specify this parameter. You can call the ListCompliancePackTemplates operation to obtain the values of input parameters of the managed rule.

10

ConfigRuleId

string

No

The rule ID. If you specify this parameter, Cloud Config adds the rule that has the specified ID to the compliance package.

You need to specify only one of ManagedRuleIdentifier and ConfigRuleId. If you specify both parameters, Cloud Config adds a rule based on the value of ConfigRuleId. You can call the ListConfigRules operation to obtain the rule ID.

cr-e918626622af000f****

Description

string

No

The description of the rule.

An EIP that is bound to an ECS or NAT instance and is not idle is considered compliant.

RiskLevel

integer

No

The risk level of the resources that do not comply with the rule. Valid values:

  • 1: high.

  • 2: medium.

  • 3: low.

1

TemplateContent

string

No

The information about the template that is used to generate the compliance package. You can call an API operation to view the details of an existing compliance package or write a compliance package template. For more information, see Write a compliance package template in a configuration file. You must specify one of ConfigRules and TemplateContent.

{ "configRuleTemplates": [ { "configRuleName": "自定义条件规则示例", "scope": { "complianceResourceTypes": [ "ACS::ECS::Instance" ] }, "description": "", "source": { "owner": "CUSTOM_CONFIGURATION", "identifier": "acs-config-configuration", "sourceDetails": [ { "messageType": "ScheduledNotification", "maximumExecutionFrequency": "Twelve_Hours" }, { "messageType": "ConfigurationItemChangeNotification" } ], "conditions": "{\"ComplianceConditions\":\"{\\\"operator\\\":\\\"and\\\",\\\"children\\\":[{\\\"operator\\\":\\\"GreaterOrEquals\\\",\\\"featurePath\\\":\\\"$.Cpu\\\",\\\"featureSource\\\":\\\"CONFIGURATION\\\",\\\"desired\\\":\\\"2\\\"}]}\"}" }, "inputParameters": {} }, { "configRuleName": "OSS存储空间Referer在指定的防盗链白名单中", "scope": { "complianceResourceTypes": [ "ACS::OSS::Bucket" ] }, "description": "OSS存储空间开启防盗链并且Referer在指定白名单中,视为“合规”。", "source": { "owner": "ALIYUN", "identifier": "oss-bucket-referer-limit", "sourceDetails": [ { "messageType": "ConfigurationItemChangeNotification" } ] }, "inputParameters": { "allowEmptyReferer": "true", "allowReferers": "http://www.aliyun.com" } } ] }

ClientToken

string

No

The client token that you want to use to ensure the idempotency of the request. You can use the client to generate the value, but you must ensure that it is unique among different requests. The token can contain only ASCII characters and cannot exceed 64 characters in length.

1594295238-f9361358-5843-4294-8d30-b5183fac****

DefaultEnable

boolean

No

Specifies whether to enable the rule together with the compliance package. Valid values:

  • true: The system enables the rule together with the compliance package.

  • false: The system does not enable the rule together with the compliance package.

false

RegionIdsScope

string

No

The ID of the region whose resources you want to evaluate by using the compliance package. Separate multiple region IDs with commas (,).

cn-hangzhou

ExcludeRegionIdsScope

string

No

ExcludeRegionIdsScope

cn-hangzhou

ExcludeResourceIdsScope

string

No

The ID of the resource that you do not want to evaluate by using the compliance package. Separate multiple resource IDs with commas (,).

eip-8vbf3x310fn56ijfd****

ResourceIdsScope

string

No

ResourceIdsScope

eip-8vbf3x310fn56ijfd****

ResourceGroupIdsScope

string

No

The ID of the resource group whose resources you want to evaluate by using the compliance package. Separate multiple resource group IDs with commas (,).

rg-aekzdibsjjc****

ExcludeResourceGroupIdsScope

string

No

ExcludeResourceGroupIdsScope. Separate multiple resource group IDs with commas (,).

rg-bnczc6r7rml****

TagKeyScope

string

No

The tag key of the resource that you want to evaluate by using the compliance package.

ECS

TagValueScope

string

No

The tag value of the resource that you want to evaluate by using the compliance package.

Note

You must configure the TagValueScope parameter together with the TagKeyScope parameter.

test

TagsScope

array<object>

No

TagsScope

object

No

TagKey

string

No

TagKey

key-1

TagValue

string

No

TagValue

value-1

ExcludeTagsScope

array<object>

No

ExcludeTagsScope

object

No

The tags that are excluded.

TagKey

string

No

TagKey

key-2

TagValue

string

No

TagValue

value-2

Tag

array<object>

No

The tags of the resource.

You can add up to 20 tags to a resource.

object

No

The tags of the resource.

You can add up to 20 tags to a resource.

Key

string

No

The tag keys.

The tag keys cannot be an empty string. The tag keys can be up to 64 characters in length. The tag keys cannot start with aliyun or acs: and cannot contain http:// or https://.

You can specify at most 20 tag keys in each call.

key-1

Value

string

No

The tag values.

The tag values can be an empty string or up to 128 characters in length. The tag values cannot start with aliyun or acs: and cannot contain http:// or https://.

Each key-value must be unique. You can specify at most 20 tag values in each call.

value-1

For more information about common request parameters, see Common parameters.
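
A client-side pre-flight check for the constraints stated in the parameter table above, written as an added example that is not part of the original page or of any Alibaba Cloud SDK. The function names, the nested-dict request shape and the sample values are assumptions; the code makes no API call.

```python
import uuid

def _tag_errors(tags):
    errs = []
    if len(tags) > 20:
        errs.append("Tag: more than 20 tags")
    for t in tags:
        key, value = t.get("Key", ""), t.get("Value", "")
        if not key or len(key) > 64:
            errs.append(f"Tag key {key!r}: must be 1-64 characters")
        if len(value) > 128:
            errs.append(f"Tag value for {key!r}: longer than 128 characters")
        for s in (key, value):
            if s.startswith(("aliyun", "acs:")) or "http://" in s or "https://" in s:
                errs.append(f"Tag {key!r}: reserved prefix or URL in {s!r}")
    return errs

def validate(req):
    """Return violations of the constraints stated in the parameter table."""
    errs = []
    if not req.get("CompliancePackName"):
        errs.append("CompliancePackName is required")
    if not req.get("ConfigRules") and not req.get("TemplateContent"):
        errs.append("specify ConfigRules or TemplateContent")
    rules = req.get("ConfigRules") or []
    for level in [req.get("RiskLevel", 2)] + [r["RiskLevel"] for r in rules if "RiskLevel" in r]:
        if level not in (1, 2, 3):
            errs.append(f"RiskLevel {level!r}: must be 1, 2 or 3")
    for i, r in enumerate(rules):
        # With both set, the service uses ConfigRuleId and ignores the managed rule.
        if r.get("ManagedRuleIdentifier") and r.get("ConfigRuleId"):
            errs.append(f"ConfigRules[{i}]: ConfigRuleId overrides ManagedRuleIdentifier")
        for p in r.get("ConfigRuleParameters", []):
            if ("ParameterName" in p) != ("ParameterValue" in p):
                errs.append(f"ConfigRules[{i}]: ParameterName and ParameterValue go together")
    token = req.get("ClientToken", "")
    if not token.isascii() or len(token) > 64:
        errs.append("ClientToken: ASCII only, at most 64 characters")
    if req.get("TagValueScope") and not req.get("TagKeyScope"):
        errs.append("TagValueScope requires TagKeyScope")
    return errs + _tag_errors(req.get("Tag", []))

# Constructed sample request built from the example values in the table.
SAMPLE = {
    "CompliancePackName": "ClassifiedProtectionPreCheck", "RiskLevel": 2,
    "ClientToken": str(uuid.uuid4()),  # 36 ASCII characters, unique per request
    "ConfigRules": [{"ManagedRuleIdentifier": "eip-bandwidth-limit", "RiskLevel": 1,
                     "ConfigRuleParameters": [{"ParameterName": "bandwidth", "ParameterValue": "10"}]}],
    "Tag": [{"Key": "key-1", "Value": "value-1"}],
}
```

Rejecting a rule entry that sets both identifiers is stricter than the service, which accepts it and follows ConfigRuleId; the check exists so that a pack does not end up with a different rule than the one a reviewer read in the request.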

Response elements

Element

Type

Description

Example

object

The response parameters.

CompliancePackId

string

The compliance package ID.

cp-a8a8626622af0082****

RequestId

string

The request ID.

6EC7AED1-172F-42AE-9C12-295BC2ADB751

Examples

Success response

JSON format

{
  "CompliancePackId": "cp-a8a8626622af0082****",
  "RequestId": "6EC7AED1-172F-42AE-9C12-295BC2ADB751"
}

Error codes

HTTP status code | Error code | Error message | Description
400 | CompliancePackExceedMaxCount | The maximum number of compliance pack is exceeded.
400 | Invalid.ConfigRules.Empty | You must specify ConfigRules.
400 | Invalid.ConfigRules.Value | The specified ConfigRules is invalid. | The specified ConfigRules is invalid.
400 | ConfigRuleExceedMaxRuleCount | The maximum number of config rules is exceeded.
400 | Invalid.CompliancePackName.Empty | You must specify CompliancePackName. | You must specify compliance pack name.
400 | Invalid.CompliancePackName.Value | The specified CompliancePackName is invalid. | The specified compliance pack name is invalid.
400 | Invalid.CompliancePackTemplateId.Value | The specified CompliancePackTemplateId does not exist. | The specified compliance pack template ID does not exist.
400 | CompliancePackExists | The compliance pack already exists. | The compliance pack name already exists.
404 | AccountNotExisted | Your account does not exist.
503 | ServiceUnavailable | The request has failed due to a temporary failure of the server. | The request has failed due to a temporary failure of the server.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.