what are the basic concepts of cloud config - Cloud Config

This topic defines the basic terms related to Cloud Config.

Term	Description
Resource type	A resource type is a category of resources. For example, the resource type of Elastic Compute Service (ECS) instances is ECS Instance. Resources can be divided into the following types: Entity resources, such as compute instances and storage instances. Management resources of application-level products, such as workgroups and workflows. Permission-related management resources, such as roles and policies.
Resource configuration details	Cloud Config gets all resources under your Alibaba Cloud account using the resource query APIs of Alibaba Cloud services. You can view the configuration information of each resource in the resource list. You can also go to the console of the corresponding Alibaba Cloud service to manage a specific resource.
Monitoring scope	The monitoring scope specifies the range of resource types to monitor. The monitoring granularity is at the resource type level. If a resource type is within the monitoring scope, all resources of this type under the current Alibaba Cloud account are tracked. Configuration changes are recorded every 10 minutes. If a resource type is removed from the monitoring scope, Cloud Config stops recording configuration changes for all resources of this type under the current Alibaba Cloud account.
Rule	A rule is a function used to determine whether a resource configuration is compliant. Cloud Config uses functions in Function Compute to host rule code. After a rule is attached to a resource type, the rule is automatically triggered for evaluation when a resource of that type has a configuration change. This checks the compliance of the change. You can also set rules to trigger periodically. Cloud Config then periodically checks the compliance of all your resources. Cloud Config supports the following types of rules: Rule template For more information about rule templates, see List of rule templates. Custom rule First, create a function in the Function Compute console. Then, select the function's Alibaba Cloud Resource Name (ARN) in the Cloud Config console. For more information about how to create a rule using Function Compute, see Definition and working principle of custom function rules.
Configuration history	Cloud Config provides a configuration history for each monitored resource. For resources that already exist when you enable Cloud Config, the configuration history starts from the time you enable the service. For resources that you create after you enable Cloud Config, the configuration history starts from the time the resource is created. Cloud Config records configuration changes every 10 minutes. If a resource configuration changes, a node appears in the configuration history. The node shows the resource configuration details, change details, and related management events at that point in time.
Compliance history	Rule evaluations are triggered when resource configurations change. The configuration history has a corresponding compliance history, which is a record of each compliance evaluation result. The compliance evaluation records in the compliance history depend on the rule's trigger method. If the rule is triggered periodically, the history includes only records of periodic evaluations. If the rule is triggered by configuration changes, the history includes only records of evaluations that are triggered by configuration changes. If the rule is triggered both periodically and by configuration changes, the history includes records from both trigger methods.
Classified protection precheck	The MLPS 2.0 precheck is a cloud-based compliance check. It dynamically and continuously checks the compliance of your Alibaba Cloud resources. This helps you avoid repeated rectifications during the official assessment and pass the assessment quickly.
CIS	CIS (Center for Internet Security) is a community of organizations and individuals that want actionable security resources. The CIS Controls are a list of the top 20 control points or objectives that enterprises must meet to achieve basic network security.
Resource directory	Resource Directory is an Alibaba Cloud service that provides multi-level resource and account relationship management for enterprise customers.
Management account	A management account is an Alibaba Cloud account that has passed enterprise verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account. Note A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory.
Member	A member can be a resource account or cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts. Resource account A member that is created in a resource directory is a resource account. A root user of an Alibaba Cloud account is the administrator of the account. The root users of resource accounts are disabled. Therefore, resource accounts provide higher security. For more information about how to create a resource account, see Create a member. Cloud account A member that is invited to join a resource directory is a cloud account. Cloud accounts have root users. For more information about how to invite an Alibaba Cloud account to join a resource directory, see Invite an Alibaba Cloud account to join a resource directory.
Account group	An account group is a collection of members. In a resource directory, the management account can add all or some members to an account group for centralized compliance management. An account group is also a resource pool formed by gathering resources from multiple members. The management account can view the resource lists, resource details, resource configuration histories, resource compliance histories, and linked instances of all members in the account group. The management account can also create rules and compliance packages in the account group. These rules and compliance packages apply to the resources of all members in the account group for continuous compliance evaluation.