The compliance package import and export feature of Cloud Config lets you share compliance rule sets across accounts. You can create the same rules for multiple Alibaba Cloud accounts at the same time to check the resource compliance of those accounts, which improves the efficiency of compliance configuration in the cloud.
Scenarios
For example, a customer has two independent companies: Subsidiary A and Subsidiary B. Both companies purchase the Alibaba Cloud CDN service due to heavy traffic. To ensure the security, stability, and low cost of accelerated domain names of Alibaba Cloud CDN, the customer needs to use an Alibaba Cloud CDN compliance package in Cloud Config. The compliance package consists of customer-defined rules related to Alibaba Cloud CDN and the rules provided in the compliance package template "CDN compliance management best practices". The compliance package is used to detect and manage the compliance of Alibaba Cloud CDN configurations.
Suppose that the compliance package is configured for Subsidiary A, and Subsidiary A meets the Alibaba Cloud CDN compliance management requirements. You can use the import and export feature to help Subsidiary B quickly meet the same compliance requirements: export a standard JSON file from Subsidiary A and import the file to Subsidiary B. For example, the JSON file can be named CDN compliance management best practices.json. This ensures the consistency and compliance of the Alibaba Cloud CDN configurations between the companies.

Background information
The compliance package template named CDN compliance management best practices is developed based on the best practices of Alibaba Cloud CDN and can be used to perform compliance tests on access control, cache configuration, performance, and cost. For more information about the default rules in CDN compliance management best practices, see CDN compliance management best practices.
You can import and export compliance rules in a compliance package. You can also extend compliance package templates to create custom compliance rule sets that meet your business requirements in a more efficient manner. For more information about the structure of a compliance package template, see Write a compliance package template in a configuration file.
Prerequisites
Both Subsidiary A and Subsidiary B have their own origin server that provides stable performance. The domain names of the origin servers are available. For more information, see Create and manage an ECS instance in the console (express version).
Accelerated domain names are added to Alibaba Cloud CDN for the origin servers of Subsidiary A and Subsidiary B. For more information, see For beginners.
Cloud Config is activated for Subsidiary A and Subsidiary B. For more information, see Activate Cloud Config.
Procedure
Step 1: Create a custom rule based on conditions
You can create custom rules based on conditions to meet compliance requirements that are not included in the compliance package template CDN compliance management best practices and rule templates. For example, the O&M personnel of Subsidiary A can create a rule to check whether the accelerated domain name is in a normal state. If so, the evaluation result is Compliant.
Log on to the Cloud Config console as the O&M personnel of Subsidiary A.
In the left-side navigation pane, choose .
In the upper-left corner of the Rules page, click Create Rule.
In the Select Create Method step, select Based on Condition, select a resource type, specify conditions for the resource type, and then click Next.

To specify conditions for the resource type, perform the following steps:
Choose from the Resource Type drop-down list.
Click Show Dry Run Panel.
In the upper-left corner of the Visual Editor tab, select and
from the drop-down list that appears. In the Resource Feature field, choose . In the Operator field, select StringEquals. Then, in the Desired Value field, enter online.
In the upper-left corner of the Dry Run panel, click Dry Run.
If the test result is Compliant, the rule that you want to create based on conditions is correctly configured. You can proceed to the next step.
In the Set Basic Properties step, enter check whether the accelerated domain name is in a normal state in the Rule Name field, set Risk Level to Low, set Trigger to Configuration Change, and then click Next.

In the Set Effective Scope step, click Next.
In the Set Remediation step, click Submit.
Step 2: Create a compliance package
The O&M personnel of Subsidiary A create a compliance package based on the compliance package template named CDN compliance management best practices and the custom rule named check whether the CDN domain name is in a normal state created in Step 1. The compliance package is used to check the compliance of the accelerated domain name.
In the left-side navigation pane, choose .
In the upper-left corner of the Compliance Package page, click Create Package.
In the Select Template (Optional) step, click the icon in the upper-right corner of CDN compliance management best practices and click Next.
In the Set Basic Properties step, retain the default values for the parameters and click Next.
In the Select Rules step, add the custom rule that is created in Step 1 and click Next.
To add a custom rule, perform the following steps:
Click Add Rule.
In the Add Rule panel, click List of existing rules and select the custom rule that is created in Step 1.
Click OK.
In the Set Rule Parameters step, click OK.
Check the evaluation result of the accelerated domain name.
On the Compliance Package page, click the ID of the compliance package.
On the Rule Result tab, view the rules whose Risk Level is High and whose Compliance Status is NonCompliant. Then, remediate the non-compliant resources. Examples:
Example 1: If the evaluation result of the cdn-domain-enabled-cache rule is NonCompliant, no cache expiration rule is configured for the domain name. For more information, see Create a cache rule for resources.
Example 2: If the evaluation result of the cdn-domain-https-enabled rule is NonCompliant, HTTPS encryption is not enabled for the domain name. For more information, see Configure an SSL certificate.
Example 3: If the evaluation result of the cdn-domain-aliauth-enabled rule is NonCompliant, URL signing is disabled for the domain name. For more information, see Configure URL signing.
Step 3: Export the compliance package
The O&M personnel of Subsidiary A export the compliance package that is created in Step 2 and provide the compliance package to Subsidiary B.
In the left-side navigation pane, choose .
On the Compliance Package page, find the compliance package that you want to export and click Export in the Actions column.
A compliance package named CDN compliance management best practices.json is exported.
Step 4: Import the compliance package
The O&M personnel of Subsidiary B import the compliance package named CDN compliance management best practices.json provided by Subsidiary A to check the compliance of the accelerated domain name within the current account.
Log on to the Cloud Config console as the O&M personnel of Subsidiary B.
In the left-side navigation pane, choose .
In the upper-left corner of the Compliance Package page, click Import Package.
In the Import Package dialog box, click Upload File, select CDN compliance management best practices.json, and then click OK.
The compliance package that you want to import must be a .json or .txt file. The size of the file cannot exceed 1 MB.
View the imported compliance package and the evaluation result of the compliance package.
On the details page of the compliance package, you can view the evaluation results from the rule and resource dimensions and remediate non-compliant resources. For more information about how to remediate non-compliant resources, see Substep 7 in Step 2: Create a compliance package.
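The following pre-import check is an added example, not part of Cloud Config or the original procedure. It lets the O&M personnel of Subsidiary B confirm that the file received from Subsidiary A satisfies the import constraints stated in Step 4 (.json or .txt, at most 1 MB, parseable JSON) and is byte-identical to what was exported. Assumptions: "1 MB" is read as 1 MiB, the SHA-256 digest exchange between the two accounts is a hypothetical extra step, and the sample file content is constructed because the export schema is not shown on this page.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MAX_BYTES = 1024 * 1024               # assumption: "1 MB" is read as 1 MiB
ALLOWED_SUFFIXES = {".json", ".txt"}  # file types the import dialog accepts


def check_package_file(path, expected_sha256=None):
    """Return (problems, sha256_hex) for a package file that is about to be imported."""
    path = Path(path)
    data = path.read_bytes()
    problems = []
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        problems.append(f"extension {path.suffix!r} is not .json or .txt")
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 1 MB limit")
    digest = hashlib.sha256(data).hexdigest()
    # Digest sent by the exporting account over a separate channel (hypothetical step).
    if expected_sha256 is not None and digest != expected_sha256.lower():
        problems.append("SHA-256 differs from the digest the exporter sent")
    try:
        json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        problems.append(f"content is not valid UTF-8 JSON: {exc}")
    return problems, digest


def demo():
    """Run the checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "CDN compliance management best practices.json"
        # Constructed content: the real export schema is not shown on this page.
        pkg.write_text(json.dumps({"placeholder": "exported package"}), encoding="utf-8")
        sent_digest = check_package_file(pkg)[1]
        unchanged = check_package_file(pkg, sent_digest)[0]
        pkg.write_text(json.dumps({"placeholder": "edited in transit"}), encoding="utf-8")
        altered = check_package_file(pkg, sent_digest)[0]
        wrong = Path(tmp) / "package.yaml"
        wrong.write_bytes(b"x" * (MAX_BYTES + 1))
        rejected = check_package_file(wrong)[0]
    return unchanged, altered, rejected


if __name__ == "__main__":
    for name, problems in zip(("unchanged", "altered", "rejected"), demo()):
        print(name, problems or "ok")
```

An empty problem list means the file can be uploaded in the Import Package dialog box; a digest mismatch means the rule set is no longer the one Subsidiary A evaluated and should be exported again.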