A management account is an Alibaba Cloud account that is used to create a resource directory and manages all member accounts in the resource directory. This topic helps you get started with Cloud Config by using a management account.

Process

The following figure shows the steps to get started with Cloud Config by using a management account.
Figure: Quick start for management accounts
The following table describes the steps to get started with Cloud Config by using a management account.
Basic operations
  Step 1: Authorize Cloud Config to access your resources. Before you use Cloud Config, you must authorize Cloud Config to access your resources.
  Step 2: Create an account group. You can use a management account to create an account group and add all or some member accounts in your resource directory to the account group. This way, you can manage the resources, compliance packages, and rules of multiple member accounts in an account group in a centralized manner.
  Step 3: View the resource list. You can use a management account to view the resources of all member accounts in a specified account group.
  Step 4: Create a compliance package. You can use a management account to create a compliance package based on a compliance package template for a specified account group. After you create a compliance package, you can view the compliance evaluation results of associated resources based on the specified account and rule.
Advanced operations
  Step 5: (Optional) Create a rule. You can create rules by enabling managed rules provided by Cloud Config to audit specified resources.
  Step 6: (Optional) Configure resource delivery. You can use a management account to specify an Object Storage Service (OSS) bucket to receive the scheduled resource snapshots and the snapshots of resource configuration changes of the management account and its member accounts. Only management accounts are authorized to configure the delivery settings of resource data. No member accounts have the relevant permissions.
  Step 7: (Optional) Subscribe to resource events. You can use a management account to specify a Message Service (MNS) topic to receive the resource non-compliance events and the logs of resource configuration changes of the management account and its member accounts. Only management accounts are authorized to configure the delivery settings of resource data. No member accounts have the relevant permissions.

Step 1: Authorize Cloud Config to access your resources

  1. Log on to the Cloud Config console.
  2. In the Authorize step, click Allow to create the service-linked role that authorizes Cloud Config to access your resources.
    Note Cloud Config needs 2 to 10 minutes to scan your resources and generate a resource list.

Step 2: Create an account group

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Account Group.
  3. On the Account Group page, click Create.
  4. On the Create page, specify a name and a description for the account group, and then click Add Member.
  5. Specify member accounts from the resource directory and click OK.
  6. Click Commit.
    In the Account Group list, find the account group that you created. If the status of the account group is Created, the account group is created. You can view the name, description, member account quantity, and type of the account group, and the time when the account group was created.

Step 3: View the resource list

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, choose Resources > Global Resources.
  3. On the Global Resources page, click the required account group tab.
  4. On the account group tab, enter a resource ID or set filter conditions to search for the specified resource.
    • You can enter a resource ID to search for the specified resource.
    • You can filter the resources based on the resource type, region, compliance status, and resource status to search for the specified resource with high efficiency.
  5. Click the resource ID in the Resource ID / Resource Name column.
  6. On the Details tab, view the basic information, core configurations, and latest compliance evaluation results of the resource.
    • In the Basic Information section, you can view the ID, name, type, and tags of the resource, the time when the resource was created, and the region and zone in which the resource resides.
    • In the Configuration Details section, you can click View JSON to view the core configurations in the JSON format.
    • In the Latest Evaluation Results section, you can view the latest compliance evaluation results of the resource.

Step 4: Create a compliance package

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Compliance Package.
  3. On the Compliance Package page, click the tab of the account group for which you want to create a compliance package.
  4. On the account group tab, click Enable Compliance Package in the upper-right corner.
  5. In the Basic Information step, specify a name and a risk level for the compliance package. Then, click Next.
  6. In the Select a rule step, select Compliance Package Template, Rules, or Managed rule from the drop-down list. Then, select one or more rules from the rule list. If you select Compliance Package Template, select a compliance package template from the drop-down list that appears. Then, click Next.
  7. In the Rule Settings step, configure the Rule Name, Risk Level, and Description parameters for each rule, and then click Finish.

Step 5: (Optional) Create a rule

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, click Rules.
  3. On the Rules page, click the required account group tab.
  4. On the account group tab, click Create Rule.
  5. On the Create Rule page, search for a managed rule by rule name, tag, evaluation logic, or risk level.
  6. Click Apply Rule.
  7. In the Properties step, configure the Rule Name, Risk Level, and Description parameters. Then, click Next.
    Default values are provided for the Rule Name, Risk Level, and Trigger Type parameters. You can change the values of the Rule Name and Risk Level parameters based on your business requirements.
  8. In the Assess Resource Scope step, use the default resource type and click Next.
  9. In the Parameters step, click Next.
    If the managed rule contains an input parameter, you must specify an expected value for the input parameter.
  10. In the Modify step, click Next.

    For managed rules that allow you to modify the remediation settings, you can select the check box next to Modify and set the remediation method, remediation type, and parameters involved. For more information, see Configure automatic remediation or Configure manual remediation.

  11. In the Preview and Save step, verify the configurations and click Submit.
  12. Verify that the rule is created.
    • Click View Details. On the page that appears, you can view the rule details on the Rule Details, Result, and Correction Details tabs.
    • Click Return to Rule List. In the Rules list, you can view the status of the created rule in the Status column. In normal cases, the rule is in the Active state.

Step 6: (Optional) Configure resource delivery

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, choose Settings > Delivery Channels.
  3. On the Delivery Settings page, click Deliver Logs to OSS.
  4. On the Deliver Logs to OSS tab, turn on OSS Settings.
  5. Configure the parameters to deliver resource data.
    You can create an OSS bucket in the management account, or select an existing OSS bucket that belongs to the management account or a member account. The OSS bucket stores the resource data of the management account and member accounts of the relevant resource directory.
    • To deliver resource data to an OSS bucket that belongs to the management account, select Create a bucket in the account or Select an existing bucket from the account, and configure the parameters. The following table describes the parameters.
      Select Acceptable Content: The type of the resource data that you want to deliver to the OSS bucket. Valid values:
      • Scheduled Snapshots: scheduled resource snapshots. Cloud Config delivers resource snapshots to the OSS bucket at 00:00:00 and 12:00:00 every day.
      • Historical Configuration Changes: resource change logs. Cloud Config delivers resource change logs to the OSS bucket when the configurations of resources are changed.
      Bucket Source: The source of the OSS bucket.
      • If you select Create a bucket in the account, specify a bucket name.
      • If you select Select an existing bucket from the account, select an existing bucket from the Bucket drop-down list.
      Region: The region where the OSS bucket resides.
      Bucket: The name of the OSS bucket. The bucket name must be unique.
      Server-side Encryption: Specifies whether to encrypt log files and the method that is used to encrypt the log files. This parameter is required only if you select Create a bucket in the account in the Bucket Source section. Valid values:
      • No
      • AES256
      • KMS
    • To deliver resource data to an OSS bucket that belongs to a member account, select Select an existing bucket from other enterprise management accounts or delegated accounts, and then configure the parameters. Before you configure the parameters, make sure that the member account has an available bucket. The following table describes the parameters.
      Select Acceptable Content: The type of the resource data that you want to deliver to the OSS bucket. Valid values:
      • Scheduled Snapshots: scheduled resource snapshots. Cloud Config delivers resource snapshots to the OSS bucket at 00:00:00 and 12:00:00 every day.
      • Historical Configuration Changes: resource change logs. Cloud Config delivers resource change logs to the OSS bucket when the configurations of resources are changed.
      The ARN of the bucket that belongs to the destination account: The Alibaba Cloud Resource Name (ARN) of the bucket within the member account. The ARN consists of the following information: the ID of the region where the bucket resides, the ID of the member account, and the name of the bucket. You can select the region from the Region drop-down list, the member account from the Member Accounts drop-down list, and the bucket from the Bucket drop-down list.
      The role ARN that belongs to the destination account: The ARN of the role that you want to assign to the member account. The ARN consists of the following information: the ID of the member account and the service-linked role for Cloud Config. You can select the member account from the drop-down list and use the default service-linked role.
  6. Click OK.

Step 7: (Optional) Subscribe to resource events

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, choose Settings > Delivery Channels.
  3. On the Delivery Settings page, click Deliver Data to Message Service.
  4. On the Deliver Data to Message Service tab, turn on MNS Settings.
  5. Configure the parameters to deliver resource data.
    You can create an MNS topic in the management account, or select an existing MNS topic that belongs to the management account or a member account. The specified MNS topic receives the resource data of the management account and member accounts of the relevant resource directory.
    • To deliver resource data to a topic that belongs to the management account, select Create a topic in the account or Select an existing topic from the account, and then configure the parameters. The following table describes the parameters.
      Select Acceptable Content: The type of the resource data that you want to deliver to the MNS topic. Valid values:
      • Historical Configuration Changes: resource change logs. Cloud Config delivers resource change logs to the MNS topic when the configurations of resources change.
      • Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the MNS topic.
      MNS Topic Source: The source of the MNS topic.
      • If you select Create a topic in the account, specify a topic name.
      • If you select Select an existing topic from the account, select an existing topic from the Topic Name drop-down list.
      Topic name: The name of the MNS topic. The topic name must be unique in the management account in the specified region.
      MNS Region: The region where the MNS topic resides.
      Maximum Message Size (Byte): The maximum length of the message body that can be received by the topic. Unit: bytes. Valid values: 1024 to 65536. Default value: 65536.
      Note We recommend that you set this parameter to a value greater than or equal to 8192. Otherwise, the message delivery may fail due to the length limit.
      Enable Logging: Specifies whether to store the operation logs of the MNS topic in the associated Log Service Logstore. Operation logs are generated when messages are received, forwarded, and deleted.
      Minimum Risk Level of the Events to Subscribe: The lowest risk level of the events to which you want to subscribe. Valid values:
      • All Risk Levels
      • High Risk
      • Medium Risk
      • Low Risk

      For example, if you select Medium Risk, Cloud Config delivers non-compliance events at the Medium Risk and High Risk levels. Non-compliance events at the Low Risk level are ignored.

      Events of Specified Resource Type: The types of resources whose events you want to subscribe to. Valid values:
      • All Supported Resource Types: subscribes to the events of all supported types of resources. If a new service is integrated with Cloud Config, the resource type of the service is automatically added to the monitoring scope.
      • Custom Resource Types: subscribes to the events of the specified types of resources.
      Recipient Address for Large Files: The Object Storage Service (OSS) bucket that is used to receive the large messages that Cloud Config delivers to the MNS topic.
      • If you configure this parameter, a message that Cloud Config delivers to the MNS topic is automatically transferred to the specified OSS bucket when the message size exceeds 64 KB.
      • If you leave this parameter empty, the excess part of a message that Cloud Config delivers to the MNS topic is automatically discarded when the message size exceeds 64 KB.
      Note The Region and Account parameters are automatically configured based on the settings in the Content and Recipient Address section. You only need to select a bucket.
    • To deliver resource data to a topic that belongs to a member account, select Select an existing topic from other enterprise management accounts or delegated accounts, and then configure the parameters. Before you configure the parameters, make sure that the member account has an available topic. The following table describes the parameters.
      Select Acceptable Content: The type of the resource data that you want to deliver to the MNS topic. Valid values:
      • Historical Configuration Changes: resource change logs. Cloud Config delivers resource change logs to the MNS topic when the configurations of resources change.
      • Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the MNS topic.
      The ARN of the topic that belongs to the destination account: The Alibaba Cloud Resource Name (ARN) of the topic within the member account. The ARN consists of the following information: the ID of the region where the topic resides, the ID of the member account, and the name of the topic. You can select the region from the Region drop-down list, the member account from the Member Accounts drop-down list, and the topic from the Topic Name drop-down list.
      The role ARN that belongs to the destination account: The ARN of the role to be assumed by the member account. The ARN consists of the following information: the ID of the member account and the service-linked role for Cloud Config. You can select the member account from the drop-down list and use the default service-linked role.
      Minimum Risk Level of the Events to Subscribe: The lowest risk level of the events to which you want to subscribe. Valid values:
      • All Risk Levels
      • High Risk
      • Medium Risk
      • Low Risk

      For example, if you select Medium Risk, Cloud Config delivers non-compliance events at the Medium Risk and High Risk levels. Non-compliance events at the Low Risk level are ignored.

      Events of Specified Resource Type: The types of resources whose events you want to subscribe to. Valid values:
      • All Supported Resource Types: subscribes to the events of all supported types of resources. If a new service is integrated with Cloud Config, the resource type of the service is automatically added to the monitoring scope.
      • Custom Resource Types: subscribes to the events of the specified types of resources.
      Recipient Address for Large Files: The Object Storage Service (OSS) bucket that is used to receive the large messages that Cloud Config delivers to the MNS topic.
      • If you configure this parameter, a message that Cloud Config delivers to the MNS topic is automatically transferred to the specified OSS bucket when the message size exceeds 64 KB.
      • If you leave this parameter empty, the excess part of a message that Cloud Config delivers to the MNS topic is automatically discarded when the message size exceeds 64 KB.
      Note The Region and Account parameters are automatically configured based on the settings in the Content and Recipient Address section. You only need to select a bucket.
  6. Click OK.
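The delivery-channel parameters in Step 6 and Step 7 carry several constraints that are easy to get wrong when they are set by hand or by a provisioning script: a bucket or topic in a member account needs a role ARN from that same member account, server-side encryption can be left at No, the MNS message size has a valid range and a recommended floor, and the minimum risk level selects events at that level and above. The following pre-flight checker is an added example written for this page and is not Alibaba Cloud code; it encodes exactly those rules so a configuration can be reviewed offline before the console settings are committed. The ARN layouts (acs:oss:<region>:<account>:<bucket>, acs:mns:<region>:<account>:/topics/<topic>, acs:ram::<account>:role/<role>) and the service-linked role name AliyunServiceRoleForConfig are assumptions; the page only lists the components of each ARN. The account IDs used in the comments and tests are constructed.

```python
"""Offline pre-flight checks for Cloud Config delivery-channel settings (added example,
not Alibaba Cloud code). Numeric limits, risk-level semantics and the cross-account
role requirement follow this page; ARN layouts and the role name are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ARN layouts (Alibaba Cloud convention; the page only lists the components).
OSS_ARN_RE = re.compile(r"^acs:oss:([a-z0-9-]+):(\d+):([a-z0-9-]+)$")
MNS_ARN_RE = re.compile(r"^acs:mns:([a-z0-9-]+):(\d+):/topics/([A-Za-z0-9-]+)$")
ROLE_ARN_RE = re.compile(r"^acs:ram::(\d+):role/([A-Za-z0-9-]+)$")
SERVICE_LINKED_ROLE = "AliyunServiceRoleForConfig"  # assumed role name
RISK_ORDER = {"Low Risk": 1, "Medium Risk": 2, "High Risk": 3}
MNS_OVERSIZE_BYTES = 64 * 1024  # page: above 64 KB the message overflows to OSS or is cut

def oss_bucket_arn(region: str, account_id: str, bucket: str) -> str:
    return f"acs:oss:{region}:{account_id}:{bucket}"

def mns_topic_arn(region: str, account_id: str, topic: str) -> str:
    return f"acs:mns:{region}:{account_id}:/topics/{topic}"

def role_arn(account_id: str, role: str = SERVICE_LINKED_ROLE) -> str:
    return f"acs:ram::{account_id}:role/{role}"

def events_to_deliver(events: List[Dict], minimum_level: str) -> List[Dict]:
    """'Minimum Risk Level of the Events to Subscribe': keep events at that level
    or higher; 'All Risk Levels' keeps everything."""
    if minimum_level == "All Risk Levels":
        return list(events)
    floor = RISK_ORDER[minimum_level]
    return [e for e in events if RISK_ORDER[e["risk_level"]] >= floor]

def _cross_account_findings(owner: str, management_account: str,
                            assume_role_arn: Optional[str]) -> List[str]:
    """A target in a member account needs a role ARN from that same account."""
    if owner == management_account:
        return []
    match = ROLE_ARN_RE.match(assume_role_arn or "")
    if not match:
        return [f"ERROR: target owned by member account {owner} but no valid role ARN is set"]
    if match.group(1) != owner:
        return [f"ERROR: role ARN account {match.group(1)} does not match target owner {owner}"]
    return []

@dataclass
class OssDelivery:
    management_account: str
    target_arn: str
    assume_role_arn: Optional[str] = None
    encryption: str = "No"            # console values: No | AES256 | KMS
    scheduled_snapshots: bool = True  # delivered at 00:00:00 and 12:00:00 every day
    config_changes: bool = True       # delivered on each configuration change

def check_oss_delivery(d: OssDelivery) -> List[str]:
    match = OSS_ARN_RE.match(d.target_arn)
    if not match:
        return [f"ERROR: bucket ARN not in the assumed layout: {d.target_arn}"]
    _region, owner, bucket = match.groups()
    findings = _cross_account_findings(owner, d.management_account, d.assume_role_arn)
    if not (d.scheduled_snapshots or d.config_changes):
        findings.append("ERROR: no content type selected; nothing would be delivered")
    if d.encryption not in ("No", "AES256", "KMS"):
        findings.append(f"ERROR: unknown server-side encryption value {d.encryption!r}")
    elif d.encryption == "No":
        findings.append(f"WARN: bucket {bucket} stores resource snapshots without server-side encryption")
    return findings

@dataclass
class MnsDelivery:
    management_account: str
    topic_arn: str
    assume_role_arn: Optional[str] = None
    max_message_bytes: int = 65536             # valid 1024..65536, recommended >= 8192
    minimum_risk_level: str = "All Risk Levels"
    oversize_bucket_arn: Optional[str] = None  # 'Recipient Address for Large Files'

def check_mns_delivery(d: MnsDelivery) -> List[str]:
    match = MNS_ARN_RE.match(d.topic_arn)
    if not match:
        return [f"ERROR: topic ARN not in the assumed layout: {d.topic_arn}"]
    _region, owner, _topic = match.groups()
    findings = _cross_account_findings(owner, d.management_account, d.assume_role_arn)
    if not 1024 <= d.max_message_bytes <= 65536:
        findings.append("ERROR: Maximum Message Size must be between 1024 and 65536 bytes")
    elif d.max_message_bytes < 8192:
        findings.append("WARN: Maximum Message Size below 8192; deliveries may fail on length")
    if d.minimum_risk_level != "All Risk Levels" and d.minimum_risk_level not in RISK_ORDER:
        findings.append(f"ERROR: unknown minimum risk level {d.minimum_risk_level!r}")
    if d.oversize_bucket_arn is None:
        findings.append(f"WARN: no large-file bucket; the part of a message beyond {MNS_OVERSIZE_BYTES} bytes is discarded")
    elif not OSS_ARN_RE.match(d.oversize_bucket_arn):
        findings.append("ERROR: large-file bucket ARN not in the assumed layout")
    return findings
```

A member-account bucket with no role ARN and encryption left at No produces one ERROR and one WARN; supplying role_arn(member_account_id) and encryption="KMS" clears both. For the MNS channel, leaving Recipient Address for Large Files empty is reported as a warning because, as the page states, the part of a message beyond 64 KB is then discarded rather than delivered.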