This topic explains how to use the management account of a Resource Directory to check the compliance of OSS buckets across multiple member accounts. The example uses the BestPracticesForOSS compliance package template to evaluate buckets in two member accounts and deliver non-compliance events to Log Service.
Prerequisites
A resource directory is activated, and two member accounts are created in the resource directory. For more information, see Enable a resource directory and Create a member.
Object Storage Service (OSS) is activated and buckets are created for two member accounts. For more information, see Get started by using the OSS console.
-
You have activated Cloud Config. For more information, see Activate Cloud Config.
-
You have activated Simple Log Service. For more information, see Activate Simple Log Service.
ImportantActivating Simple Log Service is free. However, charges apply when Cloud Config delivers resource data to Simple Log Service and when you use the query and analysis features of Simple Log Service. For more information, see Billing overview.
Background information
A management account can use Cloud Config to view the resource lists, configuration change histories, and compliance status of all member accounts. It can also monitor the configuration compliance of these resources. A member account can view its own account group, as well as the rules, compliance packages, and deliveries created for it by the management account. Member accounts can also independently check their own resource compliance and configure deliveries on the Current Account tab.
Step 1: Create an account group
After you create member accounts in the resource directory, you can create an account group in Cloud Config and add the member accounts to the account group. You can use the account group to centrally manage the resources and compliance of all member accounts in the account group.
-
Log on to the Cloud Config console.
-
In the left-side navigation pane, click Account Group.
-
On the Account Group page, click Create Aggregator.
On the Create Account Group page, enter an Account Group Name and Description. For Account Group Type, select Custom. From the member list, select the target member accounts, such as the management account, and then click Submit.
A status of Created in the Account Group list indicates that the account group was created successfully.
Step 2: View the resource list
You can view the resources of the two member accounts in the account group across regions.
In the upper-left corner, select the account group that you want to manage.
-
In the left-side navigation pane, choose .
On the Global Resources page, you can filter resources by Resource ID, Resource Type, Region, or Resource Status. The compliance result for each resource is shown in the list.
Step 3: Create a compliance package
You can use the default rules in the BestPracticesForOSS compliance package template to quickly check the compliance of buckets in member accounts of the current account group.
In the left-side navigation pane, choose .
-
On the Compliance Package page, click Create Package in the upper-left corner.
-
On the Select Template (Optional) page, click the
icon in the upper-right corner of the BestPracticesForOSS template card, and then click Next. -
On the Set Basic Properties page, enter a name for the compliance package. Keep the default values for the other parameters and click Next.
-
On the Select rules page, all rules from the BestPracticesForOSS template are selected by default. Click Next.
-
On the Set Rule Parameters page, configure the required parameters for the rules, and then click OK. For the allowReferers parameter, enter the whitelist for hotlink protection in the expected value field. The expected value for the allowEmptyReferer parameter is
trueby default.NoteFor more information about how to set parameters for the rules, see the Resource type column in Alibaba Cloud services and resource types supported by Cloud Config.
Step 4: View the compliance evaluation results
You can view the evaluation results of the rules in the compliance package on the buckets of all member accounts in the account group, and remediate the non-compliant configurations.
In the left-side navigation pane, choose .
-
On the Compliance Package page, click the ID of the compliance package that you created in Step 3. On the Compliance Package list page, you can view evaluation details for each package, such as its Compliance Package Status, number of Non-compliant Resources, and Risk Level.
-
Click Download Report in the upper-right corner and then click OK in the Download Compliance Report dialog box. After the report is generated, click Download Report again and then click OK in the confirmation dialog to download the file.
You will obtain a ZIP package. After you decompress the ZIP package, you will obtain two compliance reports in the Excel format that are named by member account ID and member account name.
-
Open one of the Excel reports. On the Non-compliant Resources tab, filter for non-compliant rules by bucket ID or name, and then apply the fixes suggested in the Remediation Suggestions column.
Step 5: Deliver resource non-compliance events to Simple Log Service
You can configure the delivery of resource non-compliance events of all member accounts in the account group to a specified Logstore of Simple Log Service, and query and analyze the events.
-
On the Deliveries page, click Create Delivery in the upper-left corner.
-
On the Create Delivery page, enter a Delivery Name. For Channel Type, select Log Service. For Content, select Non-compliance Events. For Logstore Source, select Create a new log item in this account. Then, select a Project Region, and enter a Project Name and Logstore Name. Keep the default value for resource type. The default includes all resource types.
-
Click Confirm.
-
In the Confirm Operation dialog box, click OK.
The newly created delivery task takes effect only on all member accounts in the account group.
In the Simple Log Service console, a Project and a Logstore are automatically created. Cloud Config then delivers resource non-compliance events to this Logstore.
ImportantYou are charged when Cloud Config delivers resource data to Simple Log Service and when you use its query and analysis features. To avoid incurring charges, you can delete the Project in the Simple Log Service console. After deleting the Project, the corresponding delivery in Cloud Config is disabled and stops delivering resource data. For more information, see Manage projects.
-
View the delivery results for the non-compliance events, and then query and analyze them.
-
On the Deliveries page, click the ID of the delivery that you created.

-
In the Extended Information section of the target delivery, click the Logstore name. You are redirected to the page for that Logstore in the Simple Log Service console.

-
In the Error dialog box that appears, click Close.
NoteThis error occurs because indexing is not enabled by default for a Logstore created from the Cloud Config console.
-
Enable indexes for the Logstore.
For more information, see Create indexes.
-
Query and analyze the logs in the Logstore.
For more information, see Query and analyze logs.
NoteFor a JSON-formatted sample of a resource non-compliance event, see Example of resource non-compliance events.
-