Cloud Config is a specialized service for evaluating resources. Cloud Config tracks configuration changes of your resources and evaluates configuration compliance. Cloud Config can help you evaluate numerous resources and maintain the continuous compliance of your cloud infrastructure.


| Feature | Description |
| --- | --- |
| Manage the monitoring scope | Cloud Config monitors the changes of resources within your account, tracks configuration changes, and evaluates configuration compliance in real time. You can configure the scope of resources to monitor in the Cloud Config console. If you select All Supported Resource Types, new resource types that are supported by Cloud Config are automatically added to the monitoring scope. If you select Custom Resource Types, new resource types are not automatically added to the monitoring scope. |
| Manage resources | After you activate Cloud Config, you can view your resources in different regions. You can filter resources. This allows you to query the configuration details of a specified resource. You can also go to the corresponding cloud service console from the Cloud Config console to manage the resource. |
| View the compliance timeline of a resource | Cloud Config records each configuration change of a monitored resource and displays the configuration changes over time in a configuration timeline. You can view the configuration changes and the details of related events. |
| Evaluate resource compliance | Cloud Config can monitor resources based on managed rules and custom rules. After you configure rules, you can view the compliance results and compliance timeline of each resource. You can also re-evaluate the non-compliant resources. You can edit, disable, or delete the rules that do not meet your requirements. |
| Subscribe to resource events | You can subscribe to configuration change events and non-compliance events of resources. You can also deliver these events to other cloud services at the earliest opportunity. |
| Remediate non-compliant resources | You can specify a remediation template for a rule. If a resource is evaluated as non-compliant based on a rule, Cloud Config remediates the resource based on your settings. |
| Store resource configuration snapshots to OSS buckets | After you specify an Object Storage Service (OSS) bucket, Cloud Config stores the configuration snapshots as objects to the OSS bucket. |
| Store resource logs to Log Service | After you specify a Log Service project, Cloud Config stores the resource change data as logs to Log Service. |
| Perform classified protection precheck | The classified protection precheck feature of Cloud Config monitors and evaluates your Alibaba Cloud resources in a continuous manner. You can view the compliance evaluation result in real time and remediate non-compliant resources. This simplifies the procedure of an official assessment. |


Cloud Config provides the following benefits:

  • Aggregated resources across multiple regions: Cloud Config provides a list of resources in different regions and allows you to find a resource by searching or filtering.
  • Configuration change tracking based on operations logs: Cloud Config creates a configuration snapshot for each configuration change and tracks the operation that triggered the change. If a non-compliance event occurs, you can locate the change that caused it. This simplifies the troubleshooting process.
  • Continuous compliance evaluation: Cloud Config tracks configuration changes of resources and evaluates configuration compliance. This automates the compliance review process.
  • Classified protection precheck: Cloud Config provides rules based on the specifications in Multi-Level Protection Scheme (MLPS) 2.0 and uses the rules to evaluate the compliance of resources. You can enable the classified protection precheck feature with a few clicks.

Usage notes

Before you use Cloud Config, note the following:
  • Some of your resources may not be displayed in the resource list because Cloud Config does not support those Alibaba Cloud services. If you set the monitoring scope to All Supported Resource Types, a new resource type is automatically added to the monitoring scope after Cloud Config supports the resource type. You can manually remove the resource type from the monitoring scope.
  • Cloud Config detects configuration changes at 10-minute intervals. If a change occurs in an interval and is reverted to the original state within the same interval, Cloud Config cannot detect the change.
  • Data accuracy is not guaranteed when Cloud Config is in public preview. If the resource list, configuration details, or evaluation results displayed in Cloud Config are not as expected, or you have other requirements such as support for new resource types, submit a ticket.
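The 10-minute detection interval in the usage notes means a change that is made and reverted inside one interval leaves no trace in Cloud Config. The following added example (not Cloud Config code) replays a constructed operation log from a separate audit source and reports those windows. The audit source, the event tuple format, the resource name, the configuration values and the alignment of poll boundaries to `START` are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(minutes=10)   # interval stated in the usage notes
START = datetime(2024, 1, 1, 0, 0)      # assumed first poll boundary

# Constructed sample events: (time, resource id, configuration after the operation).
EVENTS = [
    ("2024-01-01T00:02:00", "bucket-example", "acl=private"),      # baseline
    ("2024-01-01T00:12:00", "bucket-example", "acl=public-read"),  # changed
    ("2024-01-01T00:17:00", "bucket-example", "acl=private"),      # reverted, same window
    ("2024-01-01T00:24:00", "bucket-example", "acl=public-read"),  # changed
    ("2024-01-01T00:33:00", "bucket-example", "acl=private"),      # reverted, next window
]


def missed_changes(events, start=START, interval=POLL_INTERVAL):
    """Return (resource, window_start, transient_values) for every poll window
    in which a resource changed and was back at its starting value by the end
    of the window, so an interval-based comparison sees no difference."""
    windows = defaultdict(list)
    parsed = sorted((datetime.fromisoformat(t), r, v) for t, r, v in events)
    for ts, resource, value in parsed:
        index = (ts - start) // interval          # which poll window the event is in
        windows[(resource, index)].append(value)

    missed = []
    last_value = {}                                # value at the end of the previous window
    for (resource, index), values in sorted(windows.items()):
        before = last_value.get(resource)
        transient = [v for v in values if v != before]
        # No baseline yet, or the window ends in a different state: polling sees it.
        if before is not None and values[-1] == before and transient:
            missed.append((resource, start + index * interval, transient))
        last_value[resource] = values[-1]
    return missed


if __name__ == "__main__":
    for resource, window_start, values in missed_changes(EVENTS):
        print(f"{resource}: {values} invisible to polling in window from {window_start}")
```

The second change in the sample data spans a poll boundary, so an interval-based comparison observes it and only the first one is reported.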