The Config AI assistant is an intelligent tool from Config. Powered by a large language model and an expert knowledge base, it uses natural language input to recommend or generate compliance rules.
Key features
Recommend or generate rules
Based on your natural language description of required compliance checks, the AI assistant recommends built-in template rules or generates custom rules. The assistant prioritizes matching and recommending template rules. If no matching template is found, it generates a condition-based custom rule that meets your requirements.
Automatically populate rule configurations
You can then use the assistant's one-click apply feature to automatically populate the rule's configuration with the details from the matched template rule or the generated custom rule.
The AI assistant only provides suggestions and populates rule configurations. It does not make any changes to your resources or configurations. You perform all actions manually, so you retain full control.
Billing
The Config AI assistant is currently available free of charge.
Prerequisites
A RAM user must have the required RAM permissions to use the Config AI assistant. You can grant the AliyunConfigFullAccess system policy or the following custom policy to the user.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"config:Chat",
"config:StopChat"
],
"Resource": "*"
}
]
}The preceding custom policy includes only the minimum permissions required to use the Config AI assistant. To view or create rules in the Config console, you must also grant permissions for specific actions, such as config:CreateConfigRule to create rules and config:ListConfigRules to list them.
Step 1: Open the Config AI assistant
Follow these steps to open the Config AI assistant:
-
Log on to the Config console.
-
You can open the Config AI assistant from any of the following entry points:
Rules list
In the left-side navigation pane, choose . In the upper part of the right-side panel, click the AI assistant icon.
Template
Go to and click Create Rule. Keep the default creation method, Based on Template. Click AI Recommended Rule Templates.
Custom condition
Go to and click Create Rule. Switch the creation method to Based on Custom Conditions. Click Generate Conditions with AI.
Step 2: Interact with the Config AI assistant
-
In the Config AI assistant dialog box, enter your compliance requirement, or click a sample prompt to quickly get started.
How to write effective prompts
To get more accurate results, include the following key information in your prompt:
-
Product name: Specify the cloud product, such as ECS, RDS, or OSS.
-
Resource type: Specify the type of resource to check, such as an instance, disk, or security group.
-
Target property: Specify the property to check, such as a public IP address, SSL encryption, or a tag.
-
Desired state: Clearly describe the compliant state you expect for the resource, such as "must be enabled," "should not be associated with," or "must contain."
Example: A prompt like "RDS instances must have SSL encryption enabled" is more likely to yield an accurate result than a general prompt like "Check database security."
NoteIf the initial result does not meet your expectations, you can ask follow-up questions. The AI assistant understands context and can refine its suggestions through a multi-turn conversation.
-
-
Click Send. The AI assistant analyzes your request and returns one of the following two results:
-
A matching template rule is found: The corresponding rule template is displayed.
The Config AI assistant displays information about the recommended rule template, including the rule name (e.g., oss-bucket-public-write-prohibited), template ID (e.g.,
oss-bucket-public-write-prohibited), resource type (e.g., ACS::OSS::Bucket), rule description, a link to remediation guidance, and risk level. An Apply button is also provided. -
No matching template rule is found: A condition-based custom rule is generated.
On the Create Rule page, select Based on Custom Conditions as the creation method. After selecting a resource type, click Generate Conditions with AI to open the Config AI assistant panel. In the input box, describe the scenario you want to check, for example, "Check if the IPv4 CIDR block of the vSwitch associated with an RDS instance is 172.16.0.0/24". The AI assistant generates the corresponding resource type and condition logic, which is a JSON structure with parameters such as
operator,featurePath, anddesired. After you review the generated output and click Apply, the assistant automatically populates the condition formula area with this logic, for example, by setting the$.CidrBlockpath and using the StringEquals operator. Then, click Next to continue the configuration.
-
-
(Optional) For AI-generated content, you can click Copy to copy the response to your clipboard. If the response does not meet your expectations, click Regenerate to get a new suggestion.
Step 3: Apply rules
Click Apply in the assistant's response. The assistant automatically populates the rule creation page with the details from the recommended template or generated conditions.
The populated fields include the rule name, template ID, resource type, and risk level. You can confirm or modify these settings before proceeding to create the rule.
-
For the auto-population feature to work, you must be on the Create Rule page when you click Apply in the assistant's panel. Clicking Apply from the panel on any other page has no effect.
-
AI-generated content is for reference only and may not be 100% accurate. Always review and validate a rule's logic to ensure it meets your business requirements before you apply it.
Feedback
You can provide feedback on the AI assistant's responses to help us improve the service:
-
Click the Thumbs Up or Thumbs Down icon for the response.
-
Click Feedback, select a problem type, and submit your comments. To provide detailed suggestions, select Other as the problem type and enter your feedback.
FAQ
Why no template rule recommendation?
This may happen if there is no template rule that matches your request, or if your prompt was not specific enough. Try rephrasing your prompt with more details about the product, resource, and specific compliance requirement to help the assistant better understand your request.