
Cloud Config: Create a custom rule based on conditions

Last Updated: Jan 04, 2024

If the predefined rule templates of Cloud Config no longer meet your business requirements, you can create a custom rule by specifying the three elements of a condition rule (featurePath, operator, and desired) in the visual editor. Then, you can use the custom rule to evaluate the target resources.

Background information

For more information about the concepts, use scenarios, and core features of custom condition rules, see Condition rules.

Procedure

  1. Log on to the Cloud Config console.

  2. Optional. In the upper-left corner, select an account group.

    This step is required only if you are using the management account of a resource directory. Otherwise, skip it.

  3. In the left-side navigation pane, choose Compliance & Audit > Rules.

  4. On the Rules page, click Create Rule.

  5. In the Select Create Method step, select Based on Condition, select a resource type, configure conditions for the resource type, and then click Next.

    Perform the following steps to configure conditions:

    1. Configure conditions.

      Note

      • Single-condition judgement

        Example: Checks whether the deletion protection feature is enabled for each Elastic Compute Service (ECS) instance. If yes, the evaluation result is Compliant. If not, the evaluation result is Non-compliant.

        1. Choose Elastic Compute Service > Ecs Instance from the Select resource types drop-down list.

        2. Click Show Dry Run Panel.

        3. On the Visual Editor tab, keep the default conditional relationship (and), choose Resource Configuration > DeletionProtection from the Resource Feature drop-down list, select BoolEquals from the Operator drop-down list, and then specify false in the Desired Value field.

      • Multi-condition judgement

        Example: If one of the following conditions is met, the evaluation result of the condition rule is Compliant. If none of the following conditions is met, the evaluation result of the condition rule is Non-compliant.

        Condition 1: Checks whether at least one active trail exists in ActionTrail. If yes, the evaluation result is Compliant. If not, the evaluation result is Non-compliant.

        Condition 2: Checks whether each ActionTrail trail delivers events from all regions. If yes, the evaluation result is Compliant. If not, the evaluation result is Non-compliant.

        1. Choose ActionTrail > ActionTrail Trail from the Select resource types drop-down list.

        2. Click Show Dry Run Panel.

        3. On the Visual Editor tab, set the conditional relationship to or, choose Resource Configuration > Status from the Resource Feature drop-down list, select StringEquals from the Operator drop-down list, and then specify Enable in the Desired Value field.

        4. Click Add Condition, choose Resource Configuration > TrailRegion from the Resource Feature drop-down list, select StringEquals from the Operator drop-down list, and then specify All in the Desired Value field.

      Note

      You can also click Script Editor in the upper-right corner of the Dry Run Panel and write the condition rule as code in the editor.

    2. In the upper-right corner of the Dry Run Panel, click Dry Run.

      The Visual Editor tab displays the evaluation result, which is either Compliant or Non-compliant. Cloud Config produces the result by evaluating the resource configuration shown in the Dry Run Panel against the condition rule that you configured.

      • The evaluation result is Compliant.

        In most cases, the result indicates that the condition rule is configured as expected. You can proceed to the next step to configure the condition rule.

      • The evaluation result is Non-compliant.

        • The result may indicate that the value that you specified in the Desired Value field of a condition is invalid. Check the conditions, correct the value, and perform another dry run.

        • The result may indicate that the resource configuration is genuinely Non-compliant. If this is the result that you expect, you can proceed to the next step to configure the condition rule.

  6. In the Set Basic Properties step, set the Rule Name, Risk Level, Trigger, and Description parameters and click Next.

  7. In the Set Effective Scope step, specify effective scopes for the condition rule and click Next.

  8. In the Set Remediation step, click Submit.

    You can turn on Set Remediation and configure custom remediation for the rule as prompted. For more information, see Configure custom remediation.
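The following is an added illustration, not code from Cloud Config or its Script Editor: a small local evaluator that models the three elements of a condition (featurePath, operator, desired), the and/or relationship between conditions, and the two dry-run outcomes the console reports. It mirrors both examples from the procedure (the single-condition ECS rule and the two-condition ActionTrail rule with the or relationship) and shows how a mistyped Desired Value surfaces as a Non-compliant result that can be traced to the failing condition. The JSON layout (the relationship and conditions keys), the dotted featurePath resolution and the sample resource configurations are assumptions of this example; only BoolEquals and StringEquals are modelled.

```python
"""Local dry run for a Cloud Config style condition rule (example code, not the
product's own).  Assumed rule layout:
  {"relationship": "and" | "or", "conditions": [{featurePath, operator, desired}, ...]}
"""
import json


def _bool_equals(actual, desired):
    # Desired Value is typed as text in the console, so accept "true"/"false".
    if not isinstance(actual, bool):
        return False
    return actual == (str(desired).strip().lower() == "true")


def _string_equals(actual, desired):
    return isinstance(actual, str) and actual == str(desired)


# Only the two operators used in the procedure are modelled (assumption).
OPERATORS = {"BoolEquals": _bool_equals, "StringEquals": _string_equals}


def get_feature(config, feature_path):
    """Walk a dotted featurePath (e.g. "Status" or "Tags.Env") through the
    resource configuration; a missing key yields None rather than an error."""
    node = config
    for part in feature_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_condition(config, cond):
    try:
        op = OPERATORS[cond["operator"]]
    except KeyError:
        raise ValueError(f"unsupported operator: {cond['operator']!r}") from None
    return op(get_feature(config, cond["featurePath"]), cond["desired"])


def dry_run(config, rule):
    """Return (result, details): result is "Compliant" or "Non-compliant";
    details lists (featurePath, passed) per condition so a Non-compliant
    outcome can be traced to the condition whose Desired Value did not match."""
    conditions = rule["conditions"]
    if not conditions:
        raise ValueError("a rule needs at least one condition")
    details = [(c["featurePath"], evaluate_condition(config, c)) for c in conditions]
    outcomes = [passed for _, passed in details]
    relationship = rule.get("relationship", "and")
    if relationship == "and":
        compliant = all(outcomes)
    elif relationship == "or":
        compliant = any(outcomes)
    else:
        raise ValueError(f"unsupported relationship: {relationship!r}")
    return ("Compliant" if compliant else "Non-compliant"), details


# Constructed rules mirroring the two examples in the procedure.
ECS_RULE = json.loads("""{
  "relationship": "and",
  "conditions": [
    {"featurePath": "DeletionProtection", "operator": "BoolEquals", "desired": "true"}
  ]
}""")

TRAIL_RULE = json.loads("""{
  "relationship": "or",
  "conditions": [
    {"featurePath": "Status", "operator": "StringEquals", "desired": "Enable"},
    {"featurePath": "TrailRegion", "operator": "StringEquals", "desired": "All"}
  ]
}""")

# A rule with a mistyped Desired Value ("Enabled" instead of "Enable"): the
# kind of invalid condition a Non-compliant dry run should make you re-check.
MISTYPED_RULE = {"relationship": "and", "conditions": [
    {"featurePath": "Status", "operator": "StringEquals", "desired": "Enabled"}]}

# Constructed resource configurations standing in for the Dry Run Panel input.
ECS_PROTECTED = {"InstanceId": "i-example", "DeletionProtection": True}
ECS_UNPROTECTED = {"InstanceId": "i-example", "DeletionProtection": False}
TRAIL_SINGLE_REGION = {"Name": "trail-example", "Status": "Enable", "TrailRegion": "cn-hangzhou"}
TRAIL_DISABLED = {"Name": "trail-example", "Status": "Disable", "TrailRegion": "cn-hangzhou"}


if __name__ == "__main__":
    print(dry_run(ECS_PROTECTED, ECS_RULE))
    print(dry_run(ECS_UNPROTECTED, ECS_RULE))
    print(dry_run(TRAIL_SINGLE_REGION, TRAIL_RULE))   # Compliant: Status matched, "or"
    print(dry_run(TRAIL_DISABLED, TRAIL_RULE))        # Non-compliant: neither matched
    print(dry_run(TRAIL_SINGLE_REGION, MISTYPED_RULE))  # Non-compliant from the typo
```

The details list is the part worth keeping when you adapt this: a dry run that returns only Compliant or Non-compliant cannot distinguish a genuinely non-compliant resource from a Desired Value typo, which is exactly the ambiguity the procedure warns about, so per-condition outcomes are what let you check the invalid condition before submitting the rule.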
