You can use the management account or delegated administrator account of a resource directory to create an account group in the Cloud Config console. An account group lets you centrally manage the resources, compliance packages, and rules of multiple members. We recommend that you add members that need to comply with a centralized compliance baseline to the same account group, so that you can create consistent compliance packages and rules for them.
Prerequisites
A management account or delegated administrator account is used to log on to the Cloud Config console.
A resource directory is enabled. For more information, see Enable a resource directory.
Members are created in the resource directory, or Alibaba Cloud accounts are invited to join the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
Background information
After you create an account group, the following changes occur in the Cloud Config console:
Multiple account groups may contain the same member. The resources of a member in different account groups are the same. However, the compliance check results of a member in different account groups may be different due to different account group rules.
Cloud Config creates a service-linked role for the members of an account group. The service-linked role allows Cloud Config to obtain the resource configurations of the members.
Cloud Config creates a resource list for each member account. The process takes about 2 to 10 minutes.
The following table describes the types of account groups supported by Cloud Config.
| Account group type | Description |
| --- | --- |
| Global account group | A global account group contains all members of a resource directory. If the members of the resource directory change, the members added to the global account group automatically change. A management account or delegated administrator account can create only one global account group. |
| Custom account group | When a management account or delegated administrator account creates a custom account group, the management account or delegated administrator account can select all or specific members from a resource directory. When a member is added to the resource directory, the member is not automatically added to the custom account group. The management account or delegated administrator account can manually add the new member to the account group. When a member is removed from the resource directory, the management account or delegated administrator account is not authorized to perform compliance checks on the member. The custom account group automatically removes the member. |
| Account group for a folder | After a management account or delegated administrator account creates an account group based on a folder, the changes of members in the folder can be automatically synchronized to the account group. The members in the account group are always the same as the members in the folder. Each time a management account or delegated administrator account creates an account group for a folder, only one non-empty folder can be selected. |
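The membership behavior in the table can be modeled to find members that no account group evaluates, which happens when a new member joins the resource directory and only custom or folder account groups exist. This is an added example, not Alibaba Cloud code: the `AccountGroup` class, the directory mapping, the group names, and the account IDs are constructed assumptions, and folder membership is assumed to mean members placed directly in the folder.

```python
from dataclasses import dataclass, field

@dataclass
class AccountGroup:          # hypothetical model, not a Cloud Config API object
    name: str
    type: str                # "global", "custom" or "folder"
    selected: set = field(default_factory=set)  # custom: manually chosen member IDs
    folder: str = ""         # folder: the one folder the group follows

def effective_members(group, directory):
    """directory maps each current member ID to its folder in the resource directory."""
    current = set(directory)
    if group.type == "global":
        return current                        # follows every directory change
    if group.type == "folder":
        return {m for m, f in directory.items() if f == group.folder}
    if group.type == "custom":
        # Removed members drop out automatically; new members are never added.
        return group.selected & current
    raise ValueError(f"unknown account group type: {group.type}")

def coverage_report(groups, directory):
    """Return ({member: [group names]}, [members that no account group evaluates])."""
    membership = {m: [] for m in directory}
    for g in groups:
        for m in effective_members(g, directory):
            membership[m].append(g.name)
    membership = {m: sorted(names) for m, names in membership.items()}
    uncovered = sorted(m for m, names in membership.items() if not names)
    return membership, uncovered

# Constructed sample data: ...0004 joined after the groups were created;
# ...0009 was selected for the custom group and later left the directory.
DIRECTORY = {"100000000001": "prod", "100000000002": "prod",
             "100000000003": "dev", "100000000004": "sandbox"}
GROUPS = [
    AccountGroup("prod-baseline", "folder", folder="prod"),
    AccountGroup("pci-scope", "custom",
                 selected={"100000000001", "100000000003", "100000000009"}),
]

if __name__ == "__main__":
    membership, uncovered = coverage_report(GROUPS, DIRECTORY)
    for member, names in membership.items():
        print(member, names or "NOT COVERED")
    print("members outside every compliance baseline:", uncovered)
```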
Procedure
In this example, a custom account group is created.
Log on to the Cloud Config console.
In the left-side navigation pane, click Account Group.
On the Aggregators page, click Create Aggregator.
On the Create Aggregator page, configure the Name and Description parameters, select Custom for the Type parameter, and select members for the Member parameter.
Click Submit.
In the account group list, find the account group that you created. If the account group is in the Enabled state, the account group is created.
What to do next
After you create an account group, you can select the account group in the upper-left corner of the Cloud Config console and perform the following operations: