
Cloud Config: Write a compliance package template in a configuration file

Last Updated: Nov 03, 2025

Cloud Config allows you to write compliance package templates in configuration files. You can define, import, and export a compliance package template that contains the managed rules supported by Cloud Config or condition rules that you create based on your business requirements. This provides you with a powerful tool to manage compliance for your business. This topic describes the structure and parameters of a compliance package template to help you efficiently define sets of compliance rules based on your business requirements.

Template structure

A compliance package template is exported in a JSON file. The file name is the name of the compliance package and the file name extension is .json. You can import a compliance package template in a .txt or .json file. The file size cannot exceed 1 MB. The file content consists of two parts: compliancePackTemplate (optional) and configRuleTemplates (required).

compliancePackTemplate

compliancePackTemplate contains the name, description, and risk level of the compliance package. Syntax in the JSON format:

{
  "riskLevel": 1,
  "compliancePackName": "The name of the compliance package",
  "description": "The description of the compliance package",
  "scope": {
    "complianceResourceTypes": [
      "The resource types to which the rule is applicable"
    ],
    "complianceResourceIds": [
      "The ID of the evaluated resource"
    ],
    "complianceExcludeResourceIds": [
      "The ID of the excluded resource"
    ],
    "complianceRegionIds": [
      "The ID of the evaluated region"
    ],
    "complianceExcludeRegionIds": [
      "The ID of the excluded region"
    ],
    "complianceResourceGroupIds": [
      "The ID of the evaluated resource group"
    ],
    "complianceExcludeResourceGroupIds": [
      "The ID of the excluded resource group"
    ],
    "complianceTagsScope": [
      {
        "tagKey": "The effective tag key",
        "tagValue": "The effective tag value"
      }
    ],
    "complianceExcludeTagsScope": [
      {
        "tagKey": "The excluded tag key",
        "tagValue": "The excluded tag value"
      }
    ]
  }
}

Parameter: compliancePackName
Required: No
Description: The name of the compliance package. We recommend that you specify a name based on the compliance scenario. The name of a compliance package is determined based on the following rules:

  • If the name of the compliance package is not specified in an API request or the configuration file, the compliance package is named in the format of Millisecond-level UNIX timestamp.json by default.

  • If the name of the compliance package is specified in an API request and the configuration file, the name specified in the configuration file takes precedence.

Parameter: riskLevel
Required: No
Description: The risk level of the compliance package. This parameter is used to distinguish the importance of different compliance packages. Valid values:

  • 1: low risk.

  • 2: medium risk.

  • 3: high risk.

Parameter: description
Required: No
Description: The description of the compliance package. This parameter is used to describe the application scenarios of the compliance package.

Parameter: scope
Required: No
Description: The application scope of the rule.

Example:

{
  "configRuleTemplates": [],
  "compliancePackTemplate": {
    "riskLevel": 2,
    "compliancePackName": "Write a compliance package template in a configuration file",
    "scope": {
      "complianceResourceIds": [
        "i-t4n3u1pz97547xg****.i-t4n3u1pz97547xg0****.",
        "i-t4n1bxf3xr70wjh5****",
        "i-t4n133q6k9czgun****",
        "i-t4n3s3qqti2zaxu****"
      ],
      "complianceResourceGroupIds": [
        "rg-aek2yl36l*****"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "config",
          "tagValue": "configTest"
        }
      ],
      "complianceRegionIds": [
        "ap-southeast-1"
      ]
    },
    "description": "Performs the import and export testing for writing a compliance package template in a configuration file."
  }
}

configRuleTemplates

configRuleTemplates contains the rules in the compliance package. The rules are of the JSON ARRAY type. Syntax:

[
  {
    "configRuleName": "The name of the rule",
    "riskLevel": 3,
    "scope": {
      "complianceResourceTypes": [
        "The resource types to which the rule is applicable"
      ],
      "complianceResourceIds": [
        "The ID of the evaluated resource"
      ],
      "complianceExcludeResourceIds": [
        "The ID of the excluded resource"
      ],
      "complianceRegionIds": [
        "The ID of the evaluated region"
      ],
      "complianceExcludeRegionIds": [
        "The ID of the excluded region"
      ],
      "complianceResourceGroupIds": [
        "The ID of the evaluated resource group"
      ],
      "complianceExcludeResourceGroupIds": [
        "The ID of the excluded resource group"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "The effective tag key",
          "tagValue": "The effective tag value"
        }
      ],
      "complianceExcludeTagsScope": [
        {
          "tagKey": "The excluded tag key",
          "tagValue": "The excluded tag value"
        }
      ]
    },
    "description": "The description of the rule",
    "source": {
      "owner": "The source of the rule",
      "identifier": "The identifier of the rule",
      "sourceDetails": [
        {
          "messageType": "The trigger type of the rule",
          "maximumExecutionFrequency": "The interval at which the rule is triggered"
        },
        {
          "messageType": "The trigger type of the rule"
        }
      ],
      "conditions": "The content of the condition rule"
    },
    "inputParameters": {
      "paramName1": "The value of the paramName1 parameter",
      "paramName2": "The value of the paramName2 parameter"
    }
  }
]

Parameter: configRuleName
Required: Yes
Description: The name of the rule.

Parameter: scope.complianceResourceTypes
Required: Yes
Description: The resource types to which the rule is applicable. The value can be a JSON array.

Parameter: description
Required: No
Description: The description of the rule.

Parameter: source.owner
Required: Yes
Description: The source of the rule. Valid values:

  • ALIYUN: a managed rule supported by Cloud Config.

  • CUSTOM_CONFIGURATION: a user-defined condition rule. Compliance package templates support user-defined condition rules. You can use the conditions parameter to define complex compliance conditions in JSON strings based on your business requirements.

Parameter: source.identifier
Required: Yes
Description: The identifier of the rule. The value varies based on the source of the rule:

  • If the rule is a user-defined condition rule, set the value to acs-config-configuration.

  • If the rule is a managed rule supported by Cloud Config, set this parameter to the identifier of the managed rule. Example: oss-bucket-referer-limit. For more information about all the managed rules supported by Cloud Config, see Rule template list.

Parameter: source.sourceDetails.messageType
Required: Yes
Description: The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The rule is triggered by configuration changes. The relevant resource is checked against the rule only when the configurations of the resource are changed.

  • ScheduledNotification: The rule is periodically triggered. The relevant resource is checked against the rule periodically. If you set this parameter to ScheduledNotification, you must also specify the maximumExecutionFrequency parameter.

Parameter: source.sourceDetails.maximumExecutionFrequency
Required: No
Description: The interval at which the rule is triggered. Valid values:

  • One_Hour

  • Three_Hours

  • Six_Hours

  • Twelve_Hours

  • TwentyFour_Hours

Note: This parameter is required if you set the source.sourceDetails.messageType parameter to ScheduledNotification.

Parameter: source.conditions
Required: No
Description: The content of the condition rule.

Note: This parameter is required if you set the source.identifier parameter to acs-config-configuration.

Parameter: inputParameters
Required: No
Description: The input parameters of the rule. For information about the input parameters of a managed rule, click the corresponding link in Rule template list, and see the description of the Input parameter item in the Rule details section. All input parameters are of the STRING type.

Parameter: scope
Required: No
Description: The application scope of the rule.

Parameter: riskLevel
Required: No
Description: The risk level of the rule. Valid values:

  • 1: high risk.

  • 2: medium risk.

  • 3: low risk.

Example:

{
  "configRuleTemplates": [
    {
      "configRuleName": "ecs-instance-deletion-protection-enabled",
      "riskLevel": 3,
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz97547xg0****.i-t4n3u1pz97547xg0****",
          "i-t4n1bxf3xr70wjh5****",
          "i-t4n133q6k9czgun****",
          "i-t4n3s3qqti2zaxu****"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36lg****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southea****"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "Checks whether the release protection feature is enabled for each Elastic Compute Service (ECS) instance. If so, the evaluation result is Compliant.",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-deletion-protection-enabled",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    }
  ],
  "compliancePackTemplate": {
    "riskLevel": 2,
    "compliancePackName": "Write a compliance package template in a configuration file",
    "scope": {
      "complianceResourceIds": [
        "i-t4n3u1pz97547xg****.i-t4n3u1pz97547xg****",
        "i-t4n1bxf3xr70wjh5****",
        "i-t4n133q6k9czgunx****",
        "i-t4n3s3qqti2zaxux****"
      ],
      "complianceResourceGroupIds": [
        "rg-aek2yl36lgo****"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "config",
          "tagValue": "configTest"
        }
      ],
      "complianceRegionIds": [
        "ap-southeast-1"
      ]
    },
    "description": "Performs the import and export testing for writing a compliance package template in a configuration file."
  }
}

Example

{
  "configRuleTemplates": [
    {
      "configRuleName": "ecs-instance-chargetype-check",
      "riskLevel": 3,
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz97547xg0****.i-t4n3u1pz97547xg*****",
          "i-t4n1bxf3xr70wjh5*****",
          "i-t4n133q6k9czgun*****",
          "i-t4n3s3qqti2zaxu*****"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36l*****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southeast-1"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "Checks whether the billing method of each ECS instance is subscription. If so, the evaluation result is Compliant.",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-chargetype-check",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    },
    {
      "configRuleName": "ecs-public-access-check",
      "riskLevel": 3,
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz97547x*****.i-t4n3u1pz97547*****",
          "i-t4n1bxf3xr70w*****",
          "i-t4n133q6k9czg*****",
          "i-t4n3s3qqti2zax******"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36l*****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southeast-1"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "Checks whether a public IPv4 address or an EIP is specified for each ECS instance. If not, the evaluation result is Compliant.",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-no-public-ip",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    },
    {
      "configRuleName": "ecs-instance-deletion-protection-enabled",
      "riskLevel": 3,
      "scope": {
        "complianceResourceIds": [
          "i-t4n3u1pz9754*****.i-t4n3u1pz97547x*****",
          "i-t4n1bxf3xr70wj*****",
          "i-t4n133q6k9czgu*****",
          "i-t4n3s3qqti2zaxu*****"
        ],
        "complianceResourceGroupIds": [
          "rg-aek2yl36l****"
        ],
        "complianceTagsScope": [
          {
            "tagKey": "config",
            "tagValue": "configTest"
          }
        ],
        "complianceRegionIds": [
          "ap-southeast-1"
        ],
        "complianceResourceTypes": [
          "ACS::ECS::Instance"
        ]
      },
      "description": "Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant.",
      "source": {
        "owner": "ALIYUN",
        "identifier": "ecs-instance-deletion-protection-enabled",
        "sourceDetails": [
          {
            "messageType": "ConfigurationItemChangeNotification"
          }
        ]
      },
      "inputParameters": {}
    }
  ],
  "compliancePackTemplate": {
    "riskLevel": 2,
    "compliancePackName": "Write a compliance package template in a configuration file",
    "scope": {
      "complianceResourceIds": [
        "i-t4n3u1pz97547xg0*****.i-t4n3u1pz97547xg******",
        "i-t4n1bxf3xr70w******",
        "i-t4n133q6k9czgun*****",
        "i-t4n3s3qqti2zaxux*****"
      ],
      "complianceResourceGroupIds": [
        "rg-aek2yl36l******"
      ],
      "complianceTagsScope": [
        {
          "tagKey": "config",
          "tagValue": "configTest"
        }
      ],
      "complianceRegionIds": [
        "ap-southeast-1"
      ]
    },
    "description": "Performs the import and export testing for writing a compliance package template in a configuration file."
  }
}

Import and export a compliance package template

You can import a compliance package template in a .json or .txt file to Cloud Config. You can also export a compliance package template in a .json file. Then, you can share and back up the exported template. This helps you flexibly and conveniently manage rules.
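
The constraints stated in the parameter tables above can be checked before a template file is imported, for example in a CI job that guards a shared template repository. The following Python lint is an added example, not Alibaba Cloud code: lint_template, obj and the constant names are hypothetical, and reading "1 MB" as 2**20 bytes is an assumption.

```python
import json

MAX_BYTES = 1024 * 1024  # page says "1 MB"; reading it as 2**20 bytes is an assumption
OWNERS = ("ALIYUN", "CUSTOM_CONFIGURATION")
TRIGGERS = ("ConfigurationItemChangeNotification", "ScheduledNotification")
FREQUENCIES = ("One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours")
CONDITION_RULE_ID = "acs-config-configuration"

def obj(value):  # anything that is not a JSON object counts as an empty one
    return value if isinstance(value, dict) else {}

def lint_template(raw: bytes) -> list:
    """Hypothetical helper: list the problems found; [] means every check passed."""
    if len(raw) > MAX_BYTES:
        return ["file exceeds 1 MB"]
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError and invalid UTF-8 both land here
        return [f"not valid JSON: {exc}"]
    rules = obj(doc).get("configRuleTemplates")
    if not isinstance(rules, list):
        return ["configRuleTemplates is required and must be a JSON array"]
    problems = []
    for i, rule in enumerate(rules):
        rule = obj(rule)
        src = obj(rule.get("source"))
        owner, ident, details = src.get("owner"), src.get("identifier"), src.get("sourceDetails")
        details = [obj(d) for d in details] if isinstance(details, list) else []
        checks = [  # (failed?, message) pairs, one per constraint in the parameter table
            (not rule.get("configRuleName"), "configRuleName is required"),
            (not obj(rule.get("scope")).get("complianceResourceTypes"),
             "scope.complianceResourceTypes is required"),
            (rule.get("riskLevel", 1) not in (1, 2, 3), "riskLevel must be 1, 2 or 3"),
            (owner not in OWNERS, "source.owner must be ALIYUN or CUSTOM_CONFIGURATION"),
            (not ident, "source.identifier is required"),
            (owner == "CUSTOM_CONFIGURATION" and ident != CONDITION_RULE_ID,
             "a condition rule must use identifier " + CONDITION_RULE_ID),
            (ident == CONDITION_RULE_ID and not src.get("conditions"),
             "source.conditions is required for a condition rule"),
            (not details or any(d.get("messageType") not in TRIGGERS for d in details),
             "messageType is missing or not a valid trigger type"),
            (any(d.get("messageType") == "ScheduledNotification"
                 and d.get("maximumExecutionFrequency") not in FREQUENCIES for d in details),
             "ScheduledNotification needs a valid maximumExecutionFrequency"),
            (any(not isinstance(v, str) for v in obj(rule.get("inputParameters")).values()),
             "inputParameters values must all be strings"),
        ]
        problems += [f"rule[{i}]: {msg}" for failed, msg in checks if failed]
    return problems
```

The lint covers only what this topic states; Cloud Config may apply further checks at import time, such as whether a managed rule identifier exists.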