When you evaluate the compliance of cloud resources, a single compliance standard rarely fits every resource. For example, resources in the production environment are held to different requirements than resources in the test environment, different departments apply different specifications to their resources, and the auditing standard for a resource varies with the regulation that applies to it. To handle such cases, you can use the managed rules of Cloud Config to apply different compliance policies to different scopes: resources that carry a specific tag, resources in a specific resource group, or the resources of the accounts in an account group.
Background information
- Ordinary account: An ordinary account is an independent Alibaba Cloud account that is not included in a resource directory.
- Management account: A management account is an Alibaba Cloud account that enables a resource directory and manages all member accounts in the resource directory.
- Delegated administrator account: For more information, see Manage a delegated administrator account.
- Member account: A member account is an Alibaba Cloud account in a resource directory.
Use resource tags
Prerequisites: Tags are attached to the resources that you want to evaluate.
This section describes how to evaluate resources in different development environments by tag. In this example, the development environments are a production environment and a test environment: a tag of Env:Prod is attached to all resources in the production environment, and a tag of Env:Test is attached to all resources in the test environment. You can specify custom tags; the tags are used only to identify the resources that belong to each development environment.
Scope: single-account scenarios and multi-account scenarios. In this example, a single-account scenario is used.
- Log on to the Cloud Config console with an ordinary account.
- In the left-side navigation pane, click Rules.
- On the Rules page, click Create Rule.
- On the Create Rule page, search for a managed rule by rule name, tag, evaluation logic, or risk level. Then, click Apply Rule.
- In the Properties step, use the default values for the Rule Name, Risk Level, and Trigger Type parameters, and click Next.
- In the Assess Resource Scope step, use the default resource type and select Set Effective Tag, set the Key parameter to Env and the Value parameter to Prod, and then click Next.
You can use the new rule to evaluate only resources to which the Env:Prod tag is attached. The key and value must match exactly: a resource whose tag is missing or misspelled is not evaluated and therefore does not appear in the rule's results, so verify the tagging before you rely on the evaluation result.
- In the Parameters step, click Next.
- In the Modify step, click Next.
- In the Preview and Save step, verify the rule configurations and click Submit.
- Click Return to Rule List. On the Rules page, view the evaluation result in the Compliance column of the new rule.
Use resource groups
Prerequisites: The resources that you want to evaluate are added to the required resource groups.
This section describes how to evaluate resources in different development environments by resource group. In this section, the development environments include a production environment and a test environment. In this section, all resources in the production environment are added to a resource group named ProEn and all resources in the test environment are added to a resource group named TestEn.
Scope: single-account scenarios and multi-account scenarios. In this section, a single-account scenario is used.
- Log on to the Cloud Config console with an ordinary account.
- In the left-side navigation pane, click Rules.
- On the Rules page, click Create Rule.
- On the Create Rule page, search for a managed rule by rule name, tag, evaluation logic, or risk level. Then, click Apply Rule.
- In the Properties step, use the default values for the Rule Name, Risk Level, and Trigger Type parameters, and click Next.
- In the Assess Resource Scope step, use the default resource type, select Set Effective Resource Group ID, select TestEn from the drop-down list, and then click Next.
You can use the new rule to evaluate only resources in the test environment.
- In the Parameters step, click Next.
- In the Modify step, click Next.
- In the Preview and Save step, verify the rule configurations and click Submit.
- Click Return to Rule List. On the Rules page, view the evaluation result in the Compliance column of the new rule.
Use account groups
Prerequisites: A resource directory is enabled, and the member accounts that own the resources that you want to evaluate are added to the resource directory.
This section describes how to evaluate resources in different development environments by account group. In this section, the development environments include a production environment and a test environment. The Alibaba Cloud accounts whose resources reside in the production environment and the Alibaba Cloud accounts whose resources reside in the test environment are all added to the resource directory. In this section, only the resources of the Alibaba Cloud accounts in the production environment are evaluated.
Scope: multi-account scenarios.
- Create an account group named ProEnv for the production environment, and add the member accounts whose resources reside in the production environment to it.
- Create a rule based on a managed rule. If you create the rule for the ProEnv account group, the rule evaluates the resources of all Alibaba Cloud accounts in that account group; resources of accounts outside the group, such as the test accounts, are not evaluated.
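The three procedures above (scope by tag, by resource group, and by account group) all narrow the set of resources a rule evaluates before the rule's own check runs. The following script, added here as an illustration and not code from Cloud Config or Alibaba Cloud, models that behaviour locally so the effect of each scope can be seen side by side. The Resource records, the account IDs 1111 and 2222, the resource group IDs rg-proden and rg-testen, and the disk_encrypted check are all constructed for the example; it does not call the Cloud Config API.

```python
# Added example: a local model of how a Cloud Config rule's effective scope
# (tag, resource group, or account group) narrows the resources the rule
# evaluates. Nothing here calls the Cloud Config API; the inventory, the
# account and resource group IDs, and the disk_encrypted check are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Resource:
    resource_id: str
    resource_type: str            # e.g. "ACS::ECS::Instance"
    account_id: str               # owning Alibaba Cloud account (constructed)
    resource_group_id: str        # constructed resource group ID
    tags: dict = field(default_factory=dict)
    config: dict = field(default_factory=dict)   # attributes the check inspects


@dataclass(frozen=True)
class RuleScope:
    resource_types: frozenset
    tag_key: Optional[str] = None                 # "Set Effective Tag" key
    tag_value: Optional[str] = None               # "Set Effective Tag" value
    resource_group_ids: frozenset = frozenset()   # "Set Effective Resource Group ID"
    account_ids: Optional[frozenset] = None       # account group members; None = single account


def in_scope(res: Resource, scope: RuleScope) -> bool:
    """True when the rule would evaluate this resource at all."""
    if res.resource_type not in scope.resource_types:
        return False
    # A rule created for an account group evaluates only its member accounts.
    if scope.account_ids is not None and res.account_id not in scope.account_ids:
        return False
    # Tag scope is an exact match on both key and value: a resource tagged
    # Env:Test, or carrying no Env tag, is skipped rather than reported.
    if scope.tag_key is not None and res.tags.get(scope.tag_key) != scope.tag_value:
        return False
    if scope.resource_group_ids and res.resource_group_id not in scope.resource_group_ids:
        return False
    return True


def evaluate(resources: List[Resource], scope: RuleScope,
             check: Callable[[Resource], bool]) -> Dict[str, str]:
    """Return {resource_id: COMPLIANT | NON_COMPLIANT | NOT_IN_SCOPE}."""
    results = {}
    for res in resources:
        if not in_scope(res, scope):
            results[res.resource_id] = "NOT_IN_SCOPE"
        elif check(res):
            results[res.resource_id] = "COMPLIANT"
        else:
            results[res.resource_id] = "NON_COMPLIANT"
    return results


def disk_encrypted(res: Resource) -> bool:
    # Constructed stand-in for a managed rule's evaluation logic.
    return bool(res.config.get("disk_encrypted"))


# Constructed inventory: a production account and a test account, with
# tagged, untagged and non-ECS resources mixed in.
INVENTORY = [
    Resource("i-prod-1", "ACS::ECS::Instance", "1111", "rg-proden",
             {"Env": "Prod"}, {"disk_encrypted": True}),
    Resource("i-prod-2", "ACS::ECS::Instance", "1111", "rg-proden",
             {"Env": "Prod"}, {"disk_encrypted": False}),
    Resource("i-test-1", "ACS::ECS::Instance", "2222", "rg-testen",
             {"Env": "Test"}, {"disk_encrypted": False}),
    Resource("i-untagged", "ACS::ECS::Instance", "1111", "rg-proden",
             {}, {"disk_encrypted": False}),
    Resource("d-prod-1", "ACS::ECS::Disk", "1111", "rg-proden",
             {"Env": "Prod"}, {"disk_encrypted": False}),
]

ECS = frozenset({"ACS::ECS::Instance"})

# The three scopes from the procedures above.
TAG_SCOPE = RuleScope(ECS, tag_key="Env", tag_value="Prod")
RG_SCOPE = RuleScope(ECS, resource_group_ids=frozenset({"rg-testen"}))
ACCOUNT_GROUP_SCOPE = RuleScope(ECS, account_ids=frozenset({"1111"}))


def run_all() -> Dict[str, Dict[str, str]]:
    return {
        "tag": evaluate(INVENTORY, TAG_SCOPE, disk_encrypted),
        "resource_group": evaluate(INVENTORY, RG_SCOPE, disk_encrypted),
        "account_group": evaluate(INVENTORY, ACCOUNT_GROUP_SCOPE, disk_encrypted),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

The point to notice is the untagged instance i-untagged: the tag-scoped rule never looks at it, so its unencrypted disk goes unreported, while the account-group rule, which covers every resource of account 1111, flags it as non-compliant. Tag and resource group scopes are only as complete as the tagging and grouping discipline behind them; an account group scope does not depend on per-resource metadata.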