Share compliance rule sets across accounts

更新时间:
复制 MD 格式

Use the import and export features of Cloud Config compliance packages to share compliance rule sets across multiple accounts. This approach lets you create identical rules in different cloud accounts to evaluate resource compliance, improving the efficiency of your cloud compliance configuration.

Use cases

To ensure the security, stability, and cost-effectiveness of their Alibaba Cloud CDN domains, the parent company uses a Cloud Config compliance package specific to Alibaba Cloud CDN. This package combines custom rules with rules from the CDN compliance management best practices template to audit and manage their Alibaba Cloud CDN configurations for compliance.

If Subsidiary A has already configured its environment to meet the CDN compliance management requirements, you can use the import and export feature of Cloud Config compliance packages to apply the same standards to Subsidiary B. You can export a standard JSON file, such as CDN compliance management best practices.json, from Subsidiary A's account and import it into Subsidiary B's account. This is a fast and effective way to ensure consistent and compliant Alibaba Cloud CDN configurations across both subsidiaries.

image

Background

  • The CDN compliance management best practices template includes product best practices for auditing compliance in areas such as access control, cache configuration, performance, and cost. For information about the default rules in the CDN compliance management best practices template, see CDN compliance management best practices.

  • Configurable compliance packages let you import and export compliance rules and extend compliance package templates, allowing you to efficiently customize compliance rule sets for your specific business needs. For more information about the structure of a compliance package template, see Create a configurable compliance package template.

Prerequisites

  • Subsidiary A and Subsidiary B each have a stable business server (an origin server) and a domain name for acceleration. For more information, see Create an ECS instance by using the wizard and Purchase a domain name.

  • Subsidiary A and Subsidiary B have each created domain names for Alibaba Cloud CDN to accelerate their business servers (origin servers). For instructions, see Add a domain name to Alibaba Cloud CDN.

  • Cloud Config must be enabled for the accounts of Subsidiary A and Subsidiary B. For more information, see Enable Cloud Config.

Procedure

Step 1: Create a custom rule

You can create custom rules based on conditions to meet compliance requirements that are not covered by the CDN compliance management best practices template or other rule templates. For example, the operations team for Subsidiary A needs to verify that their Alibaba Cloud CDN domains are running properly. A domain is considered compliant if it is active.

  1. The operations team for Subsidiary A logs on to the Cloud Config console.

  2. In the left-side navigation pane, choose Compliance & Audit > Rules.

  3. On the Rules page, click Create Rule in the upper-left corner.

  4. On the Select Create Method page, select Based on Condition. Then, select a resource type, set its conditions, and click Next.

    To set the conditions, perform the following steps:

    1. From the Select Resource Type drop-down list, select CDN > domainNames.

    2. Click Expand Dry Run Panel.

    3. On the Visual Editor tab, keep the default logical operator and. In the resource feature field, select Resource Property > DomainStatus. For Operator, select StringEquals. In the desired value field, enter online.

      Note

      For more information about the features, operators, and desired values of a custom condition rule, see Basic elements of a custom condition rule.

    4. Click Dry Run in the upper-left corner of the panel.

      A Compliant result indicates the condition is configured correctly. You can now proceed.

  5. On the Set Basic Properties page, enter Check whether the CDN domain is running properly for Rule Name, select Low Risk for Risk Level, set the Trigger to Configuration Changes, and then click Next.

  6. On the Set Effective Scope page, click Next.

  7. On the Set Correction page, click Submit.

Step 2: Create a compliance package

The maintenance personnel of Subsidiary A use the compliance package template CDN compliance management best practices and a custom rule from Step 1 named Check whether the status of CDN domain names is normal to create a compliance package for checking the compliance of CDN domain names.

  1. In the left-side navigation pane, choose Compliance Evaluation > Compliance Package.

  2. On the Compliance Package page, click Create Package in the upper-left corner.

  3. On the Select Template (Optional) page, click the image.png icon in the upper-right corner of the CDN compliance management best practices compliance package template, and then click Next.

  4. On the Set Basic Properties page, keep the default parameter settings and click Next.

  5. On the Select rules page, add the custom rule created in Step 1, and then click Next.

    To add the rule, perform the following steps:

    1. Click Add rule.

    2. In the Add rule panel, click List of existing rules and select the custom rule that you created in Step 1.

    3. Click OK.

  6. On the Set Rule Parameters page, click OK.

  7. Review the compliance evaluation results for the Alibaba Cloud CDN domains.

    On the Compliance Package page, click the ID of the compliance package.

    On the Rule Result tab, prioritize reviewing rules with a Risk Level of High and a Compliance Status of Non-compliant. Remediate any non-compliant resources. The following are examples:

    • Example 1: If the result for the cdn-domain-enabled-cache rule is Non-compliant, it means that a cache expiration time is not configured for the Alibaba Cloud CDN domain. For information about how to fix this issue, see Configure TTL for a domain name.

    • Example 2: If the result for the cdn-domain-https-enabled rule is Non-compliant, it means that HTTPS is not enabled for the Alibaba Cloud CDN domain. For information about how to fix this issue, see Configure an HTTPS certificate.

    • Example 3: If the result for the cdn-domain-aliauth-enabled rule is Non-compliant, it means that URL signing is not enabled for the Alibaba Cloud CDN domain. For information about how to fix this issue, see Configure URL signing.

Step 3: Export the compliance package

The operations team for Subsidiary A exports the compliance package from Step 2 to share with Subsidiary B.

  1. In the left-side navigation pane, choose Compliance Evaluation > Compliance Package.

  2. On the Compliance Package page, find the target compliance package and click Export in the Actions column.

    Obtain the compliance package in JSON format: CDN_Compliance_Management_Best_Practices.json.

    Note

    For more information about the structure of a compliance package template in JSON format, see Create a configurable compliance package template.

Step 4: Import the compliance package

Personnel from Subsidiary B import the compliance package CDN Compliance Management Best Practices.json from Subsidiary A to check the compliance of Alibaba Cloud CDN domain names in the current account.

  1. The operations team for Subsidiary B logs on to the Cloud Config console.

  2. In the left-side navigation pane, choose Compliance Evaluation > Compliance Package.

  3. On the Compliance Package page, click Import Package in the upper-left corner.

  4. In the Import Package dialog box, click Upload File, select Alibaba-Cloud-CDN-Compliance-Management-Best-Practices.json, and then click OK.

    The imported file must be a text file with a .json or .txt extension, and its size cannot exceed 1 MB.

  5. View the newly imported compliance package and its evaluation results.

    On the CDN compliance management best practices compliance package page, you can view the detection results by rule and by resource, and remediate non-compliant resources. For information about the remediation approach and methods, see substep 7 in Step 2.