Cloud Config:Example of resource non-compliance events

For example, you use an ordinary account whose ID is 120886317861**** and you have an Object Storage Service (OSS) bucket named test_bucket in the China (Beijing) region. The non-compliance events of the resource are delivered to Log Service. The following code shows a sample event:

accountId:120886317861****
annotation:{"configuration":"public-read","desiredValue":"read","operator":"NotStringContains","property":"$.AccessControlList.Grant"}
compliancePackId:null
complianceType:NON_COMPLIANT
configAggregatorId:null
configRuleInvokedTimestamp:1630481784685
dataType:NonCompliantNotification
evaluationResultIdentifier:{"orderingTimestamp":1630481784685,"evaluationResultQualifier":{"resourceId":"test_bucket","configRuleName":"oss-bucket-public-read-prohibited","configRuleId":"cr-2d736457e0d90044****","captureTime":1630481784685,"resourceName":"test_bucket","configRuleArn":"acs:config::120886317861****:rule/cr-2d736457e0d90044****","regionId":"cn-beijing","resourceOwnerId":120886317861****,"resourceType":"ACS::OSS::Bucket"}}
eventName:NonCompliant
eventType:ResourceCompliance
invokingEventMessageType:Manual
notificationCreationTime:1630481787932
requestId:62e70b45-1171-4648-8db0-233d18f6adb5
resultRecordedTimestamp:1630481784781
resultToken:null
riskLevel:Critical

The following table describes the parameters involved in resource non-compliance events that are delivered to Log Service.

Parameter	Description
accountId	The ID of the account to which the resource belongs. Cloud Config supports the following types of accounts: Ordinary account: An ordinary account is an independent Alibaba Cloud account that is not included in a resource directory by a management account. Management account: A management account is an Alibaba Cloud account that enables a resource directory and manages all member accounts. Member account: A member account is an Alibaba Cloud account in a resource directory.
annotation	The description of the non-compliant configuration.
compliancePackId	The ID of the compliance package. If the rule triggered does not belong to a compliance package, the value is null.
complianceType	The compliance evaluation result. The value is fixed to NON_COMPLIANT.
configAggregators	The information about the account group, including the ID of the management account that created the account group and the ID of the account group. The value varies with the type of the account to which the resource belongs. If the resource belongs to an ordinary account, the value is null. If the resource belongs to a management account, the information about the account group created by the management account is displayed. If the resource belongs to a member account, the information about the relevant account group is displayed. The relevant account group is created by the management account to which the member account belongs.
configRuleInvokedTimestamp	The timestamp when the rule was triggered.
dataType	The type of the log received by Log Service. Valid values: ConfigurationItemChangeNotification: resource change log NonCompliantNotification: resource non-compliance event
evaluationResultIdentifier	The information about the compliance evaluation result.
eventName	The name of the event. The value is fixed to NonCompliant.
eventType	The type of the event. Valid values: ResourceChange: resource change event ResourceCompliance: resource non-compliance event
invokingEventMessageType	The trigger type of the rule. Valid values: NonCompliantNotification: triggered by configuration non-compliance. ConfigurationItemChangeNotification: triggered by configuration changes. Manual: manually triggered.
notificationCreationTime	The timestamp when the log was generated.
resultRecordedTimestamp	The timestamp when the compliance evaluation result was recorded.
riskLevel	The risk level of the resource based on the rule triggered. Valid values: Info: low risk Warning: medium risk Critical: high risk