If your enterprise has multiple accounts in the cloud, the security and emergency response team and O&M team need to monitor all resource changes of the enterprise in the cloud in real time. The teams must subscribe to configuration change events of critical or high-risk resources to monitor and maintain the resources at the earliest opportunity. When you use a resource directory to manage the resources of multiple accounts in a centralized manner, you can deliver configuration change events for the resources to EventBridge by using Cloud Config. You can also use triggers provided by Function Compute to deliver the configuration change events for the resources in EventBridge to Function Compute.
Scenarios
You log on to the Cloud Config console by using a management account and use Log Archive Account A to view configuration change events for the resources of Business Account B and Business Account C. This topic provides an example on how to view configuration change events for the resources of RAM roles whose names are prefixed with sg-.
Prerequisites
Log Archive Account A, Business Account B, and Business Account C are added to a resource directory by using the management account of the resource directory. For more information, see Create a member or Invite an Alibaba Cloud account to join a resource directory.
Function Compute is activated. For more information, see Quickly create a function.
EventBridge is activated. For more information, see Activate EventBridge and grant permissions to a RAM user.
Configuration items
This topic describes how to use Cloud Config, EventBridge, and Function Compute to subscribe to configuration change events for resources. In this example, configuration change events for the resources of Resource Access Management (RAM) roles are subscribed to. The following table describes the relevant configuration items.
Alibaba Cloud service | Account | Item | Example |
Resource Management | Management account | Log Archive Account A (RAM user) | - |
Business Account B (RAM user) | - | ||
Business Account C (RAM user) | - | ||
EventBridge | Business Account B | Rule name | b-eb-filter-ram-role |
Business Account C | Rule name | c-eb-filter-ram-role | |
Function Compute | Log Archive Account A | Service | eb_event_action |
System policy | AliyunFCDefaultRolePolicy | ||
Function | eb_event_trigger | ||
Trigger | ConfigurationItemChangeTrigger | ||
RAM | Log Archive Account A | RAM role | account-eb-role |
Business Account B | RAM role | sg-01 | |
Business Account C | RAM role | sg-02 |
Step 1: Use Log Archive Account A to create a RAM role
Ship the events of Business Account B and Business Account C to EventBridge of Log Archive Account A by using the cross-account event routing feature provided by EventBridge. You can use Log Archive Account A to view configuration change events for the resources of Business Account B and Business Account C in a centralized manner.
Create a RAM role named account-eb-role, grant the role the permissions to ship events across accounts, assign the role to Log Archive Account A, and then grant EventBridge the permissions to ship events to Log Archive Account A.
Create a RAM role and assign the role to EventBridge.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
In the Select Role Type step, select Alibaba Cloud Account in the Select Trusted Entity section and click Next.
In the Configure Role step, enter account-eb-role in the RAM Role Name field. Use the default value Current Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter. Then, click OK.
NoteSelect the default trusted Alibaba Cloud account and configure a suitable trust policy in Step 2.
In the Finish step, click Add Permissions to RAM Role.
In the Add Permissions panel, click the System Policy tab in the Select Policy section and click AliyunEventBridgePutEventsPolicy. Retain the default values for other parameters. Then, click OK.
Modify the trust policy.
On the Roles page, click the name of the RAM role that you created.
Click the Trust Policy Management tab, and click Edit Trust Policy.
Modify the content of the trust policy.
After you grant Log Archive Account A the permissions on Business Account B and Business Account C, EventBridge of Log Archive Account A can assume the RAM role. Sample trust policy:
{ "Statement":[ { "Action":"sts:AssumeRole", "Effect":"Allow", "Principal":{ "Service":[ "<ID of Business Account B>@eventbridge.aliyuncs.com", "<ID of Business Account C>@eventbridge.aliyuncs.com" ] } } ], "Version":"1" }Click OK.
Step 2: Use business accounts to configure event buses
Use Business Account B to create an event bus rule named b-eb-filter-ram-role and use Business Account C to create an event bus rule named c-eb-filter-ram-role. Use the account-eb-role RAM role to ship configuration change events for the resources of Business Account B and Business Account C to EventBridge of Log Archive Account A.
Log on to the EventBridge console.
In the top navigation bar, select a region, such as Singapore.
In the left-side navigation pane, click Event Buses.
On the Event Buses page, click Create Rule in the System Event Bus section.
In the Create Rule panel, configure the parameters.
In the Configure Basic Info step, enter a name for the event bus and click Next Step.
In the Configure Event Pattern step, set the Event Source Type parameter to Alibaba Cloud Service Event Source, set the Event Source parameter to acs.ram Resource Access Management, set the Event Type parameter to ram:Config:ConfigurationItemChangeNotification, enter the following code in the Pattern Content section, and then click Next Step.
EventBridge generates events only when the configurations of resources of RAM users or RAM roles whose names are prefixed with
sg-change. Sample event pattern:{ "source": [ "acs.ram" ], "data": { "resourceName": [ { "prefix": "sg-" } ] }, "type": [ "ram:Config:ConfigurationItemChangeNotification" ] }In the Configure Targets step, set the Service Type parameter to EventBridge, set the Account ID parameter to the ID of Log Archive Account A, set the Event Bus Name parameter to default, set the Role parameter to account-eb-role, and then click Create.
Step 3: Use Log Archive Account A to configure Function Compute
Use Log Archive Account A to create a function in Function Compute and use a trigger to ship configuration change events for resources to Function Compute.
Create a service.
Log on to the Function Compute console.
In the left-side navigation pane, click Services & Functions.
In the top navigation bar, select a region, such as Singapore.
On the Services page, click Create Service.
In the Create Service panel, enter eb_event_action in the Name field.
Click OK.
Create a function.
On the Functions page of the eb_event_action service, click Create Function.
On the Create Function page, specify the basic information and configure a trigger.
In the Basic Settings section, enter eb_event_trigger in the Function Name field. In the Code section, set the Runtime parameter to Python 3.6 and retain the default values for other parameters.
In the Trigger Configurations section, set the Trigger Type parameter to Resource Access Management in Event triggers for Alibaba Cloud services, set the Name parameter to ConfigurationItemChangeTrigger, and then set the Event Type parameter to Select All Event Types. Sample event pattern:
{ "source": [ "acs.ram" ], "type": [ "ram:ActionTrail:AliyunServiceEvent", "ram:ActionTrail:ApiCall", "ram:ActionTrail:ConsoleOperation", "ram:Config:ConfigurationItemChangeNotification", "ram:Config:NonCompliantNotification" ] }Retain the default values for other parameters.
NoteThe first time Function Compute accesses EventBridge, you are prompted to grant Function Compute the permissions to access EventBridge.
Click Create.
View the invocation logs of the function.
On the Code tab of the eb_event_trigger function page, change
logger.info('hello world')in the index.py file tologger.info(event).In the upper-right corner of the editor, click Save. Then, click Deploy.
Step 4: Use business accounts to create resources
Use Business Account B to create a RAM role named sg-01 and use Business Account C to create a RAM role named sg-02. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Step 5: Use Log Archive Account A to view configuration change events for resources
Use Log Archive Account A to view configuration change events for the resources of Business Account B and Business Account C. Use one of the following methods:
View the events by using the EventBridge console
Log on to the EventBridge console.
In the top navigation bar, select a region, such as Singapore.
In the left-side navigation pane, click Event Buses.
Find default and click Event Tracking in the Actions column.
Specify a time range, set the Event Source parameter to acs.ram Resource Access Management, set the Event Type parameter to ram:Config:ConfigurationItemChangeNotification, and then click Query.
Find the event that you want to view and click Event Detail in the Actions column.
The following figure shows the details of a sample event for the sg-01 RAM role that is created by using Business Account B.
The following figure shows the details of a sample event for the sg-02 RAM role that is created by using Business Account C.
View the events by using the Function Compute console
Log on to the Function Compute console.
In the top navigation bar, select a region, such as Singapore.
In the left-side navigation pane, click Services & Functions.
On the page that appears, click eb_event_action.
On the page that appears, click eb_event_trigger.
On the page that appears, click Logs. On the tab that appears, specify a time range.
NoteThe first time you view the invocation logs of a function, you must click Enable to enable the feature.
The following figure shows the details of a sample event for the sg-01 RAM role that is created by using Business Account B.
The following figure shows the details of a sample event for the sg-02 RAM role that is created by using Business Account C.
