When evaluating cloud resource compliance, you often face varying standards across environments, departments, and regulations. Cloud Config provides managed rules that let you configure different compliance policies for different scenarios.
Use resource tags
Prerequisites: Tags are attached to the resources that you want to evaluate. For more information, see Add a custom tag.
The following example evaluates resources across a production environment and a test environment by tag. The Env:Prod tag is attached to all production resources, and the Env:Test tag is attached to all test resources. You can specify custom tags to identify resources in different environments.
Scope: single-account scenarios and multi-account scenarios. In this section, a single-account scenario is used.
- Log on to the Cloud Config console.
- In the left-side navigation pane, choose .
- On the Rules page, click Create Rule.
- On the Properties page, keep the default settings for the rule name, risk level, and trigger type, and then click Next.
- On the Assess Resource Scope page, keep the default resource type. Select the checkbox for Set Effective Tag, enter Env for Key and Prod for Value, and then click Next.
  You can use the new rule to evaluate only resources to which the Env:Prod tag is attached.
- On the Parameter Settings page, click Next.
- On the Remediation Settings page, click Next.
- On the Preview and Save page, review the rule settings and click Submit.
- Click Return to Rule List.
- In the Rules list, view the Compliance of the new rule.
Use resource groups
Prerequisites: The resources that you want to evaluate are added to the required resource groups. For more information, see Create a resource group.
The following example evaluates resources across a production environment and a test environment by resource group. All production resources are added to a resource group named ProEn, and all test resources are added to a resource group named TestEn.
Scope: single-account scenarios and multi-account scenarios. In this section, a single-account scenario is used.
- Log on to the Cloud Config console.
- In the left-side navigation pane, choose .
- On the Rules page, click Create Rule.
- On the Properties page, keep the default settings for the rule name, risk level, and trigger type, and then click Next.
- On the Assess Resource Scope page, keep the default resource type. Select the checkbox for Set Effective Resource Group ID, select Test Environment Resource Group, and then click Next.
  You can use the new rule to evaluate only resources in the test environment.
- On the Parameter Settings page, click Next.
- On the Remediation Settings page, click Next.
- On the Preview and Save page, review the rule settings and click Submit.
- Click Return to Rule List.
- In the Rules list, view the Compliance of the new rule.
Use account groups
Prerequisites: A resource directory is enabled, and the member accounts that own the resources that you want to evaluate are added to the resource directory. For more information, see Enable a resource directory.
The following example evaluates resources across a production environment and a test environment by account group. The Alibaba Cloud accounts of both environments are added to the resource directory, but only the resources of the Alibaba Cloud accounts in the production environment are evaluated.
Scope: multi-account scenarios.
- Create an account group named ProEnv for the production environment.
  - Log on to the Cloud Config console with a management account or a delegated administrator account.
  - In the left-side navigation pane, click .
  - On the Account Group page, click Create Account Group.
  - On the Create Account Group panel, enter Production Environment Account Group for Account Group Name, enter All member accounts in the production environment for Description, and then click Add Member.
  - From the resource directory, select all member accounts that belong to the production environment, and then click OK.
  - Click Submit.
    If the account group is created as expected after you click Submit, you are redirected to the Account Group page. The new account group appears on the page.
- Create a rule based on a managed rule.
  If you create a rule for the ProEnv account group, the rule can be used to evaluate the resources of all Alibaba Cloud accounts in the account group.
  - In the left-side navigation pane, choose .
  - On the Rules page, click Create Rule.
  - On the Create Rule page, find the desired managed rule by filtering by rule name, tag, detection logic, or risk level, and then click Apply Rule.
  - On the Properties page, keep the default settings for the rule name, risk level, and trigger type, and then click Next.
  - On the Assess Resource Scope page, keep the default resource type and click Next.
  - On the Parameter Settings page, click Next.
  - On the Remediation Settings page, click Next.
  - On the Preview and Save page, review the rule settings and click Submit.
  - Click Return to Rule List.
  - In the Rules list, view the Compliance of the new rule.
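The three scoping methods above (effective tag, effective resource group, account group) all narrow which resources a rule evaluates before the rule's check runs. The following added example, which is not Cloud Config's own code, models that behaviour over a constructed inventory; the account IDs, resource IDs, resource group IDs and the has_owner_tag check are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed model of how a rule's effective scope narrows which resources are
# evaluated. Illustrative only; this is not Cloud Config's own implementation.

@dataclass
class Resource:
    account_id: str        # Alibaba Cloud account that owns the resource
    resource_id: str
    resource_group: str    # resource group the resource belongs to
    tags: Dict[str, str] = field(default_factory=dict)

@dataclass
class RuleScope:
    tag: Optional[Tuple[str, str]] = None          # effective tag (key, value)
    resource_groups: FrozenSet[str] = frozenset()  # effective resource group IDs
    account_ids: FrozenSet[str] = frozenset()      # account group members

def in_scope(res: Resource, scope: RuleScope) -> bool:
    """Every configured scope condition must hold; the conditions intersect."""
    if scope.account_ids and res.account_id not in scope.account_ids:
        return False
    if scope.resource_groups and res.resource_group not in scope.resource_groups:
        return False
    if scope.tag is not None:
        key, value = scope.tag
        # Exact key and value match: a resource tagged Env:Test, or one that
        # lacks the Env key entirely, is skipped rather than reported.
        if res.tags.get(key) != value:
            return False
    return True

def evaluate(inventory, scope: RuleScope,
             check: Callable[[Resource], bool]) -> Dict[str, str]:
    """Compliance result per resource, produced for in-scope resources only."""
    return {r.resource_id: "COMPLIANT" if check(r) else "NON_COMPLIANT"
            for r in inventory if in_scope(r, scope)}

# Constructed sample inventory: two accounts, the ProEn and TestEn resource groups.
INVENTORY = [
    Resource("1001", "i-prod-1", "rg-proen", {"Env": "Prod", "Owner": "ops"}),
    Resource("1001", "i-prod-2", "rg-proen", {"Env": "Prod"}),
    Resource("1002", "i-test-1", "rg-testen", {"Env": "Test", "Owner": "qa"}),
    Resource("1002", "i-untagged", "rg-testen"),
]
PROD_TAG_SCOPE = RuleScope(tag=("Env", "Prod"))                       # Use resource tags
TEST_RG_SCOPE = RuleScope(resource_groups=frozenset({"rg-testen"}))    # Use resource groups
PROD_ACCOUNT_SCOPE = RuleScope(account_ids=frozenset({"1001"}))        # ProEnv account group

def has_owner_tag(res: Resource) -> bool:   # stand-in for a managed rule's check
    return "Owner" in res.tags
```

Note that a production resource missing the Env:Prod tag, or placed in the wrong resource group, falls outside the scope and produces no result at all, so the compliance view for the rule stays clean while that resource goes unevaluated; keep tag and resource group assignment under review when relying on these scopes.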