
Cloud Config: Terms

Last Updated: Nov 26, 2024

This topic describes the terms involved in Cloud Config.

Term

Description

resource type

A resource type is a category of resources. For example, the resource type of Elastic Compute Service (ECS) instances is Instance. Resources can be divided into the following types:

  • Instances, such as compute instances and storage instances

  • Management elements of application services, such as workspaces and workflows

  • Management resources related to permissions, such as roles and policies

resource configurations

Cloud Config retrieves all your resources by using the APIs of Alibaba Cloud services. In a resource list, you can click a resource ID to view the configurations of the resource. You can also manage the resource in the Alibaba Cloud Management Console.

monitoring scope

The monitoring scope is the set of resource types that you specify for Cloud Config to monitor.

  • If a resource type is added to the monitoring scope, Cloud Config tracks your resources of this type and records the configuration changes every 10 minutes.

  • If a resource type is removed from the monitoring scope, Cloud Config does not record the configuration changes to the resources of this type.

rule

A rule is a function that is used to determine whether a resource configuration is compliant. Cloud Config runs rule code by using functions of Function Compute. For example, when a rule is applied to a resource type and the configuration of a resource of this type changes, Cloud Config re-evaluates the resource based on the rule and checks whether the configuration is compliant. Cloud Config can also trigger rules at a specified time to periodically evaluate the compliance of all resources. The rules in Cloud Config are divided into the following categories:

  • Managed rule

    For more information about managed rules, see Rule templates.

  • Custom rule

    You can create a rule based on Function Compute. Before you can create a rule, you must create a function in the Function Compute console. Then, you can select the Alibaba Cloud Resource Name (ARN) of the function in the Cloud Config console. For more information about how to create a rule based on Function Compute, see Definition and execution of custom function rules.

configuration timeline

Cloud Config provides a configuration timeline for each monitored resource.

  • If a resource is created before you activate Cloud Config, the configuration timeline starts from the time when you activate Cloud Config.

  • If a resource is created after you activate Cloud Config, the configuration timeline starts from the time when the resource is created.

Cloud Config detects configuration changes every 10 minutes. If the configuration of a resource changes at a point in time, a node is generated on the configuration timeline. You can view the basic information, configuration changes, and related operations of the resource.

compliance timeline

Cloud Config evaluates resources based on rules. A compliance record is generated when a rule is triggered. Cloud Config displays the compliance records over time in a compliance timeline. The compliance records that are displayed in the compliance timeline depend on the trigger type.

  • If the trigger type is Periodic, the compliance timeline displays the records of periodic compliance evaluations.

  • If the trigger type is Configuration Changes, the compliance timeline displays the records of the compliance evaluations for every configuration change.

  • If both trigger types are selected, the compliance timeline displays the compliance records of both types.

classified protection precheck

The classified protection precheck feature of Cloud Config continuously monitors and evaluates your Alibaba Cloud resources. You can view the compliance evaluation result in real time and remediate non-compliant resources. This simplifies the procedure of an official assessment.

CIS

The Center for Internet Security (CIS) is a community of organizations and individuals that want actionable security resources. The CIS Controls are a set of 20 control points or objectives designed to help enterprises safeguard their systems and data.

resource directory

Resource Directory is a service that is provided by Alibaba Cloud and allows you to manage the relationships among multiple levels of enterprise resources or accounts.

management account

A management account is an Alibaba Cloud account that has passed enterprise verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account.

Note

A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory.

member

A member can be a resource account or cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.

  • Resource account

    A member that is created in a resource directory is a resource account. A root user of an Alibaba Cloud account is the administrator of the account. The root users of resource accounts are disabled. Therefore, resource accounts provide higher security. For more information about how to create a resource account, see Create a member.

  • Cloud account

    A member that is invited to join a resource directory is a cloud account. Cloud accounts have root users. For more information about how to invite an Alibaba Cloud account to join a resource directory, see Invite an Alibaba Cloud account to join a resource directory.

account group

An account group is a collection of members. In a resource directory, the management account can add all or some members to an account group for centralized compliance management. An account group is also a resource pool formed by gathering resources from multiple members.

The management account can view the resource lists, resource details, resource configuration timelines, resource compliance timelines, and associated resources of all members in the account group. The management account can also create rules and compliance packages in the account group. These rules and compliance packages take effect on resources of all members in the account group for continuous compliance evaluation.