If the managed rules provided by Cloud Config cannot meet your requirements on resource auditing, you can create custom rules based on Function Compute to audit associated resources. When a rule is triggered, Cloud Config invokes the corresponding rule function to evaluate the associated resources and returns the compliance evaluation results of the resources.

Prerequisites

Function Compute is activated. For more information, see Activate Function Compute.

Background information

Before you create a rule, you must familiarize yourself with the definition of rules and how rules work. For more information, see Rule definition and implementation.

Cloud Config allows you to manage the following two types of rules:
  • Managed rules

    A managed rule is a rule function that Cloud Config creates in Function Compute. If you want to create a rule based on a managed rule, you can directly select the managed rule in the Cloud Config console. For more information about the managed rules that Cloud Config provides, see List of managed rules by cloud service.

  • Custom rules

    A custom rule is created based on a rule function that you create in Function Compute. To create a rule based on a rule function, you must create the rule function in Function Compute and enter the Alibaba Cloud Resource Name (ARN) of the rule function in the Cloud Config console. For more information about the code and input parameters of a custom rule function, see Custom rule functions.

Use a standard account

If you use a standard account, you can create custom rules only for your account.

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Rules.
  3. On the Rules page, click Create Rule.
  4. On the Create Rule page, click Create Custom Rule.
  5. In the Properties step, set the Function ARN, Rule Name, Risk Level, Trigger Type, and Description parameters. Then, click Next.
    • If you have created a rule function, directly select the ARN of the function.
    • If you have not created a rule function, click Create New Function to create a rule function in the Function Compute console. For more information, see Function overview.

      When you create a function, set the Runtime Environments parameter to Python 3.6 and the Request Type parameter to Event Requests. Set other parameters based on your business requirements.

    Note If you select Configuration Changes for the Trigger Type parameter, Cloud Config pushes the configuration of each associated resource to Function Compute one by one and triggers the rule function to evaluate the resource whenever you create the rule, modify the rule, or re-evaluate resources. If you select Periodical Execution for the Trigger Type parameter, Cloud Config triggers the rule to evaluate the associated resources only once within the specified period.
  6. In the Assess Resource Scope step, specify one or more resource types to associate with the rule and click Next.
    Note Select only the types of resources that need to be evaluated. Do not select all resource types, because doing so makes the evaluation invalid.
  7. In the Parameters step, click Add Rule Parameter, specify a name and an expected value for an input parameter, and then click Next.
    • After you specify the resource types, Cloud Config monitors all your resources of the specified types based on the rule. Each rule can be applied to one or more resource types.
    • The names of the input parameters must be the same as those of the configuration items to be evaluated.
  8. In the Modify step, click Next.
  9. In the Preview and Save step, verify the configurations and click Submit.
  10. Verify that the rule is created.
    • Click View Details. On the page that appears, you can view the rule details on the Rule Details and Result tabs.
    • Click Return to Rule List. In the Rules list, you can view the status of the created rule in the Status column. In normal cases, the rule is in the Active state.

Use a management account

If you use a management account, you can create custom rules for your account and member accounts in the relevant resource directory.

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Rules.
  3. On the Rules page, click the tab of the account group for which you want to create a custom rule.
  4. On the account group tab, click Create Rule.
  5. On the Create Rule page, click Create Custom Rule.
  6. In the Properties step, set the Function ARN, Rule Name, Risk Level, Trigger Type, and Description parameters. Then, click Next.
    • If you have created a rule function, directly select the ARN of the function.
    • If you have not created a rule function, click Create New Function to create a rule function in the Function Compute console. For more information, see Function overview.

      When you create a function, set the Runtime Environments parameter to Python 3.6 and the Request Type parameter to Event Requests. Set other parameters based on your business requirements.

    Note If you select Configuration Changes for the Trigger Type parameter, Cloud Config pushes the configuration of each associated resource to Function Compute one by one and triggers the rule function to evaluate the resource whenever you create the rule, modify the rule, or re-evaluate resources. If you select Periodical Execution for the Trigger Type parameter, Cloud Config triggers the rule to evaluate the associated resources only once within the specified period.
  7. In the Assess Resource Scope step, specify one or more resource types to associate with the rule and click Next.
    Note Select only the types of resources that need to be evaluated. Do not select all resource types, because doing so makes the evaluation invalid.
  8. In the Parameters step, click Add Rule Parameter, specify a name and an expected value for an input parameter, and then click Next.
    • After you specify the resource types, Cloud Config monitors all your resources of the specified types based on the rule. Each rule can be applied to one or more resource types.
    • The names of the input parameters must be the same as those of the configuration items to be evaluated.
  9. In the Modify step, click Next.
  10. In the Preview and Save step, verify the configurations and click Submit.
  11. Verify that the rule is created.
    • Click View Details. On the page that appears, you can view the rule details on the Rule Details and Result tabs.
    • Click Return to Rule List. In the Rules list, you can view the status of the created rule in the Status column. In normal cases, the rule is in the Active state.
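The Parameters step in both procedures above requires each input parameter name to match the name of the configuration item it checks. The following is an added example of the evaluation logic a rule function needs to enforce that contract; it is not code from this page or from Alibaba Cloud's own samples. The event field names, the compliance strings, and the sample OSS bucket event are assumptions for this example; take the real function contract from Custom rule functions.

```python
import json

# Compliance strings are assumptions for this example; take the exact values
# from the Cloud Config custom rule function reference.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

# Constructed sample event: a fictional OSS bucket whose configuration is
# checked against two rule parameters entered in the console.
SAMPLE_EVENT = json.dumps({
    "configurationItem": {
        "resourceType": "ACS::OSS::Bucket",
        "configuration": {"AccessControlList": "private", "ServerSideEncryption": True},
    },
    "ruleParameters": {"AccessControlList": "private", "ServerSideEncryption": "true"},
})


def _coerce(expected, actual):
    """Console parameter values are strings; compare in the item's own type."""
    if isinstance(actual, bool):
        return str(expected).strip().lower() in ("true", "1", "yes")
    if isinstance(actual, int):
        return int(expected) if str(expected).lstrip("-").isdigit() else expected
    return str(expected)


def evaluate(configuration, rule_parameters):
    """Compare every rule parameter with the configuration item of the same
    name (the names must match). Returns (compliance, annotation)."""
    if not configuration:
        return NOT_APPLICABLE, "resource has no configuration to evaluate"
    mismatches = []
    for name, expected in rule_parameters.items():
        if name not in configuration:
            # A parameter whose name matches no configuration item cannot be
            # evaluated; surface that instead of silently passing the resource.
            return NOT_APPLICABLE, "no configuration item named %r" % name
        actual = configuration[name]
        if actual != _coerce(expected, actual):
            mismatches.append("%s=%r, expected %r" % (name, actual, expected))
    if mismatches:
        return NON_COMPLIANT, "; ".join(mismatches)
    return COMPLIANT, "all %d parameters matched" % len(rule_parameters)


def handler(event, context):
    """Function Compute entry point (Python 3.6, event request). The event
    field names used here are assumptions for this example."""
    payload = json.loads(event) if isinstance(event, (bytes, str)) else event
    configuration = payload.get("configurationItem", {}).get("configuration", {})
    compliance, annotation = evaluate(configuration, payload.get("ruleParameters", {}))
    return {"complianceType": compliance, "annotation": annotation}
```

Returning NOT_APPLICABLE for a parameter name the resource does not carry makes a misspelled parameter visible in the Result tab rather than reporting a false COMPLIANT.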