Create account groups in the Cloud Config console using a management account or delegated administrator account in a resource directory. Account groups let you centrally manage resources, compliance packages, and rules across multiple members. Add members that share the same compliance baseline to one group for consistent rule enforcement.
Prerequisites
- You are logged on with a management account or a delegated administrator account.
- A resource directory is enabled. For more information, see Enable a resource directory.
- Members are created or invited in the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
Background
After you create an account group:
- Cloud Config automatically adds a tab for the account group to the Overview, Resource, Compliance Package, and Rules pages. Each account group gets a separate tab. A member can belong to multiple groups. Its resources appear the same in each group, but compliance results may differ based on each group's rules.
- Cloud Config automatically creates a service-linked role for each member, granting Cloud Config access to that member's resource configuration.
- Cloud Config automatically builds a resource list for each member. This takes 2 to 10 minutes.
Cloud Config supports these account group types:
| Type | Description |
| --- | --- |
| Global account group | Includes all members in a resource directory and automatically syncs member changes. Only one global account group can exist per management or delegated administrator account. |
| Custom account group | Select all or some members from the resource directory. New members added to the resource directory are not synced automatically. The management account or delegated administrator account must manually add them to the group. When a member is removed from the resource directory, the management account or delegated administrator account loses permissions to manage that member's compliance. The group automatically detects and removes the member. |
| Account group for a folder | Membership mirrors the selected folder. Member changes in the folder sync automatically. You can select only one non-empty folder per account group. |
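The sync behaviour in the table above, modelled as an added example (not Cloud Config code and not a call to its API), shows how a custom account group can leave a new member outside every compliance baseline. The account IDs, group and folder names, and the flat account-to-folder mapping are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    kind: str                         # "global", "custom" or "folder"
    members: frozenset = frozenset()  # manual selection (custom groups only)
    folder: str = ""                  # selected folder (folder groups only)

def effective_members(group, directory):
    """Accounts the group evaluates; directory maps account ID -> folder."""
    if group.kind == "global":
        return set(directory)         # every member, synced automatically
    if group.kind == "folder":
        return {acct for acct, f in directory.items() if f == group.folder}
    # Custom: the selection is static, except that members removed from the
    # resource directory are detected and dropped from the group.
    return set(group.members) & set(directory)

def coverage_gaps(groups, directory):
    """Directory members that no account group evaluates."""
    covered = set()
    for group in groups:
        covered |= effective_members(group, directory)
    return sorted(set(directory) - covered)

# Constructed sample data: account IDs and folder names are placeholders.
DIRECTORY_BEFORE = {"100000000001": "prod", "100000000002": "prod",
                    "100000000003": "dev"}
# Later, ...002 leaves the directory and ...004 is created under "prod".
DIRECTORY_AFTER = {"100000000001": "prod", "100000000003": "dev",
                   "100000000004": "prod"}
GROUPS = [
    Group("prod-baseline", "custom",
          members=frozenset({"100000000001", "100000000002"})),
    Group("dev-folder", "folder", folder="dev"),
]

if __name__ == "__main__":
    print("gaps before:", coverage_gaps(GROUPS, DIRECTORY_BEFORE))
    print("gaps after: ", coverage_gaps(GROUPS, DIRECTORY_AFTER))
```

The new member stays unevaluated until the management account or delegated administrator account adds it to the custom group.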
Procedure
To create a custom account group:
- Log on to the Cloud Config console.
- In the left-side navigation pane, click Account Group.
- On the Account Group page, click Create Aggregator.
- On the Create Aggregator page, set a name and description for the account group, set Type to Custom, and then select members from the resource directory.
- Click Submit.
In the Account Group list, Active status indicates the account group was created.
What to do next
After creating the account group, select it from the drop-down list in the upper-left corner of the console.