If your enterprise has multiple accounts in the cloud, the security and emergency response team and O&M team need to monitor all resource changes of the enterprise in the cloud in real time. The teams must subscribe to configuration change events of critical or high-risk resources to monitor and maintain the resources at the earliest opportunity. When you use a resource directory to manage the resources of multiple accounts in a centralized manner, you can deliver configuration change events for the resources to EventBridge by using Cloud Config. You can also use triggers provided by Function Compute 2.0 to deliver the configuration change events for the resources in EventBridge to Function Compute 2.0.
Scenarios
The following figure shows the structure of multiple accounts in Enterprise A. You can manage the configuration change events for the resources of the accounts in a centralized manner based on the structure.
You log on to the Cloud Config console by using a management account and use Log Archive Account A to view configuration change events for the resources of Business Account B and Business Account C. This topic provides an example on how to view configuration change events for the resources of RAM roles whose names are prefixed with sg-.
Prerequisites
Log Archive Account A, Business Account B, and Business Account C are added to a resource directory by using the management account of the resource directory. For more information, see Create a member or Invite an Alibaba Cloud account to join a resource directory.
Function Compute is activated. For more information, see Quickly create a function.
EventBridge is activated. For more information, see Activate EventBridge and grant permissions to a RAM user.
Configuration items
This topic describes how to use Cloud Config, EventBridge, and Function Compute to subscribe to configuration change events for resources. In this example, configuration change events for the resources of RAM roles are subscribed to. The following table describes the relevant configuration items.
| Alibaba Cloud service | Account | Item | Example |
| --- | --- | --- | --- |
| Resource Management | Management account | Log Archive Account A (RAM user) | - |
| Resource Management | Management account | Business Account B (RAM user) | - |
| Resource Management | Management account | Business Account C (RAM user) | - |
| EventBridge | Business Account B | Rule name | b-eb-filter-ram-role |
| EventBridge | Business Account C | Rule name | c-eb-filter-ram-role |
| Function Compute | Log Archive Account A | Service | eb_event_action |
| Function Compute | Log Archive Account A | System policy | AliyunFCDefaultRolePolicy |
| Function Compute | Log Archive Account A | Function | eb_event_trigger |
| Function Compute | Log Archive Account A | Trigger | ConfigurationItemChangeTrigger |
| Resource Access Management (RAM) | Log Archive Account A | RAM role | account-eb-role |
| Resource Access Management (RAM) | Business Account B | RAM role | sg-01 |
| Resource Access Management (RAM) | Business Account C | RAM role | sg-02 |
Procedure
The following figure shows the process of subscribing to configuration change events for the resources in a multi-account environment.
Step 1: Use Log Archive Account A to create a RAM role
Ship the events of Business Account B and Business Account C to EventBridge of Log Archive Account A by using the cross-account event routing feature provided by EventBridge. You can use Log Archive Account A to view configuration change events for the resources of Business Account B and Business Account C in a centralized manner.
Create a RAM role named account-eb-role, grant the role the permissions to ship events across accounts, assign the role to Log Archive Account A, and then grant EventBridge the permissions to ship events to Log Archive Account A.
Create a RAM role and assign the role to EventBridge.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, select Cloud Account for the Principal Type parameter, select the default value Current Account for the Principal Name parameter, and then click OK.
In the Create Role dialog box, enter account-eb-role in the Role Name field.
On the role details page, click Grant Permission. In the Policy section of the Grant Permission panel, search for and click AliyunEventBridgePutEventsPolicy. Retain the default values for other parameters. Then, click Grant permissions.
Modify the trust policy.
On the Roles page, click the name of the desired RAM role.
Click the Trust Policy tab. On the Trust Policy tab, click Edit Trust Policy.
Modify the content of the trust policy.
The trust policy names the EventBridge service principals of Business Account B and Business Account C, so EventBridge can assume the account-eb-role RAM role on behalf of those two accounts and ship their events to Log Archive Account A. Sample trust policy:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<ID of Business Account B>@eventbridge.aliyuncs.com",
          "<ID of Business Account C>@eventbridge.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Click OK.
Step 2: Use business accounts to configure event buses
Use Business Account B to create an event bus rule named b-eb-filter-ram-role and use Business Account C to create an event bus rule named c-eb-filter-ram-role. Use the account-eb-role RAM role to ship configuration change events for the resources of Business Account B and Business Account C to EventBridge of Log Archive Account A.
Log on to the EventBridge console.
In the left-side navigation pane, click Event Buses.
In the top navigation bar, select a region, such as Singapore.
On the Event Buses page, click Create Rule in the System Event Bus section.
In the Create Rule panel, configure the parameters.
In the Configure Basic Info step, enter a name for the event bus and click Next Step.
In the Configure Event Pattern step, set the Event Source Type parameter to Alibaba Cloud Service Event Source, set the Event Source parameter to acs.ram Resource Access Management, set the Event Type parameter to ram:Config:ConfigurationItemChangeNotification, enter the following code in the Pattern Content section, and then click Next Step.
EventBridge generates events only when the configurations of resources of RAM users or RAM roles whose names are prefixed with sg- change. Sample event pattern:
{
  "source": [
    "acs.ram"
  ],
  "data": {
    "resourceName": [
      {
        "prefix": "sg-"
      }
    ]
  },
  "type": [
    "ram:Config:ConfigurationItemChangeNotification"
  ]
}
In the Configure Targets step, set the Service Type parameter to EventBridge, set the Destination Type parameter to Cross-account Event Bus, select a region, set the Account ID parameter to the ID of Log Archive Account A, set the Event Bus Name parameter to default, set the Role parameter to account-eb-role, set the Event parameter to Complete Event, and then click Create.
Step 3: Use Log Archive Account A to configure Function Compute
Use Log Archive Account A to create a function in Function Compute and use a trigger to ship configuration change events for resources to Function Compute.
Create a service.
Log on to the Function Compute console.
In the left-side navigation pane, click Services & Functions.
In the top navigation bar, select a region, such as Singapore.
On the Services page, click Create Service.
In the Create Service panel, enter eb_event_action in the Name field.
Click OK.
Create a function.
On the Functions page of the eb_event_action service, click Create Function.
On the Create Function page, specify the basic information and configure a trigger.
In the Basic Settings section, enter eb_event_trigger in the Function Name field. In the Code section, set the Runtime parameter to Python 3.6 and retain the default values for other parameters.
In the Trigger Configurations section, set the Trigger Type parameter to Resource Access Management in Event triggers for Alibaba Cloud services, set the Name parameter to ConfigurationItemChangeTrigger, and then set the Event Type parameter to Select All Event Types. Sample event pattern:
{
  "source": [
    "acs.ram"
  ],
  "type": [
    "ram:ActionTrail:AliyunServiceEvent",
    "ram:ActionTrail:ApiCall",
    "ram:ActionTrail:ConsoleOperation",
    "ram:Config:ConfigurationItemChangeNotification",
    "ram:Config:NonCompliantNotification"
  ]
}
Retain the default values for other parameters.
The first time Function Compute accesses EventBridge, you are prompted to grant Function Compute the permissions to access EventBridge.
Click Create.
View the invocation logs of the function.
On the Code tab of the eb_event_trigger function page, change logger.info('hello world') in the index.py file to logger.info(event). In the upper-left corner of the editor, click Deploy.
Step 4: Use business accounts to create resources
Use Business Account B to create a RAM role named sg-01 and use Business Account C to create a RAM role named sg-02. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Step 5: Use Log Archive Account A to view configuration change events for resources
Use Log Archive Account A to view configuration change events for the resources of Business Account B and Business Account C. Use one of the following methods:
View the events by using the EventBridge console
Log on to the EventBridge console.
In the top navigation bar, select a region, such as Singapore.
In the left-side navigation pane, click Event Buses.
Find default and click Event Tracking in the Actions column.
Specify a time range, set the Event Source parameter to acs.ram Resource Access Management, set the Event Type parameter to ram:Config:ConfigurationItemChangeNotification, and then click Query.
Find the event that you want to view and click Event Detail in the Actions column.
The following figure shows the details of a sample event for the sg-01 RAM role that is created by using Business Account B.
The following figure shows the details of a sample event for the sg-02 RAM role that is created by using Business Account C.
View the events by using the Function Compute console
Log on to the Function Compute console.
In the top navigation bar, select a region, such as Singapore.
In the left-side navigation pane, click Services & Functions.
On the page that appears, click eb_event_action.
On the page that appears, click eb_event_trigger.
On the page that appears, click Logs. On the tab that appears, specify a time range.
The first time you view the invocation logs of a function, you must click Enable to enable the feature.
The following figure shows the details of a sample event for the sg-01 RAM role that is created by using Business Account B.
The following figure shows the details of a sample event for the sg-02 RAM role that is created by using Business Account C.