{"id":112,"date":"2026-04-12T20:56:00","date_gmt":"2026-04-12T20:56:00","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-config-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-migration-o-m-management\/"},"modified":"2026-04-12T20:56:00","modified_gmt":"2026-04-12T20:56:00","slug":"alibaba-cloud-config-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-migration-o-m-management","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-config-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-migration-o-m-management\/","title":{"rendered":"Alibaba Cloud Config Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Migration &#038; O&#038;M Management"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Migration &amp; O&amp;M Management<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Cloud Config<\/strong> is a configuration governance and compliance service that continuously discovers cloud resources, tracks how they change over time, and evaluates them against compliance rules.<\/p>\n\n\n\n<p>In simple terms: <strong>Cloud Config helps you answer \u201cWhat do I have, how is it configured, what changed, and is it compliant?\u201d<\/strong> across your Alibaba Cloud environment\u2014without manually checking each service.<\/p>\n\n\n\n<p>Technically, Cloud Config builds an inventory of supported Alibaba Cloud resource types, captures <strong>configuration snapshots and change history<\/strong>, and runs a <strong>rule evaluation engine<\/strong> (using managed rules and\/or custom rules). 
It can also <strong>deliver<\/strong> configuration\/compliance data to other services for retention, audit, and analytics.<\/p>\n\n\n\n<p>The main problem it solves is <strong>configuration drift and compliance blind spots<\/strong>\u2014especially common during cloud adoption and migration waves, and later during day\u20112 operations (O&amp;M). Cloud Config gives platform, DevOps, and security teams a repeatable control plane to detect and report non-compliant resources early, at scale.<\/p>\n\n\n\n<blockquote>\n<p>Service-name check: As of this writing, <strong>Cloud Config<\/strong> is the current product name in Alibaba Cloud documentation and console. If you see a different label (for example, \u201cConfig\u201d in some UIs), <strong>verify in official docs<\/strong> to confirm naming in your region\/account.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Cloud Config?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Cloud Config is Alibaba Cloud\u2019s service for <strong>resource configuration inventory, configuration change tracking, and compliance evaluation<\/strong> based on rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (what you can do)<\/h3>\n\n\n\n<p>Cloud Config typically enables you to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Discover and inventory<\/strong> supported resource types in your Alibaba Cloud account.<\/li>\n<li>Record <strong>configuration history<\/strong> (who\/what changed, what changed, when).<\/li>\n<li>Evaluate resources with:<\/li>\n<li><strong>Managed rules<\/strong> (prebuilt compliance checks).<\/li>\n<li><strong>Custom rules<\/strong> (policy logic you define; implementation options vary\u2014verify in official docs).<\/li>\n<li>View compliance posture with dashboards and per-resource views.<\/li>\n<li><strong>Deliver<\/strong> configuration\/compliance data to external destinations (commonly 
<strong>Object Storage Service (OSS)<\/strong> and\/or <strong>Log Service (SLS)<\/strong>; confirm available delivery channels in your account\/region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual model)<\/h3>\n\n\n\n<p>While UI terms can evolve, Cloud Config generally consists of:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Resource Recorder \/ Resource Inventory<\/strong><br\/>\n   Discovers supported resources and maintains configuration items over time.<\/p>\n<\/li>\n<li>\n<p><strong>Rules &amp; Evaluation Engine<\/strong><br\/>\n   Runs compliance checks against resource configurations on triggers (for example, configuration change, periodic evaluation).<\/p>\n<\/li>\n<li>\n<p><strong>Compliance Results &amp; Reports<\/strong><br\/>\n   Provides per-resource, per-rule compliance status (Compliant \/ Non-compliant \/ Not Applicable), and evidence.<\/p>\n<\/li>\n<li>\n<p><strong>Delivery Channels (Data Export\/Archival)<\/strong><br\/>\n   Pushes configuration snapshots and\/or compliance evaluation results to OSS\/SLS for long-term retention and analysis.<\/p>\n<\/li>\n<li>\n<p><strong>Integrations for audit and ops<\/strong><br\/>\n   Often used alongside <strong>ActionTrail<\/strong> (API audit), <strong>Log Service<\/strong> (analytics\/SIEM), and <strong>Resource Management<\/strong> (accounts, resource groups, tags).<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<p>Cloud Config is a <strong>governance and compliance<\/strong> service in the <strong>Migration &amp; O&amp;M Management<\/strong> category. 
It is primarily <strong>control-plane<\/strong> focused (metadata, evaluation, reporting), not data-plane.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional vs global<\/h3>\n\n\n\n<p>Cloud governance services can be global or region-scoped depending on how resource discovery and delivery are implemented.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config is designed to provide a <strong>unified compliance view<\/strong> across a cloud account.  <\/li>\n<li>Some settings (for example, delivery targets such as OSS buckets or SLS projects) can be <strong>region-bound<\/strong> depending on destination service constraints.<\/li>\n<\/ul>\n\n\n\n<p>Because exact scoping can change, <strong>verify in the official Cloud Config docs<\/strong> for:\n&#8211; Supported regions\n&#8211; Which resource types are evaluated in which regions\n&#8211; Where delivery channels can be created<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>Cloud Config is most effective when paired with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>RAM (Resource Access Management)<\/strong>: least privilege access and separation of duties.<\/li>\n<li><strong>ActionTrail<\/strong>: \u201cwho did what\u201d API audit logs; complements \u201cwhat changed\u201d config history.<\/li>\n<li><strong>Log Service (SLS)<\/strong>: analytics, alerting, and SIEM export of compliance events.<\/li>\n<li><strong>OSS<\/strong>: durable, low-cost retention of snapshots and results for audits.<\/li>\n<li><strong>Resource Directory \/ Resource Management<\/strong>: organizing and governing multiple accounts and resource groups (capabilities vary; verify aggregator\/multi-account features in docs).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Cloud Config?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit readiness<\/strong>: produce evidence of configuration compliance over time (not just \u201ccurrent state\u201d).<\/li>\n<li><strong>Risk reduction<\/strong>: identify insecure exposures (public access, overly permissive rules, missing encryption) earlier.<\/li>\n<li><strong>Standardization<\/strong>: encode baseline policies once and apply them consistently across teams.<\/li>\n<li><strong>Faster migrations<\/strong>: validate that migrated workloads meet required controls before cutover.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Continuous configuration visibility<\/strong> across many services and regions.<\/li>\n<li><strong>Rule-based compliance<\/strong>: detect drift automatically rather than manual reviews.<\/li>\n<li><strong>API-driven governance<\/strong> (where available): integrate with ticketing, CI\/CD, and remediation tooling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational (O&amp;M) reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operational hygiene<\/strong>: enforce tags, naming, backup retention, or logging enablement policies.<\/li>\n<li><strong>Change investigation<\/strong>: correlate incidents with configuration changes using history and timelines.<\/li>\n<li><strong>Better handoffs<\/strong> between platform\/SRE and app teams with clear compliance ownership.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prevent common misconfigurations such as:<\/li>\n<li>Publicly accessible resources<\/li>\n<li>Overly broad network rules<\/li>\n<li>Weak identity policies<\/li>\n<li>Unencrypted storage<\/li>\n<li>Establish continuous controls aligned to internal policy or external frameworks (availability depends on 
compliance packs\/rules\u2014verify in docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<p>Cloud Config scales governance beyond what spreadsheets and manual reviews can handle:\n&#8211; Hundreds to thousands of resources\n&#8211; Frequent change rates\n&#8211; Multiple environments (dev\/test\/prod)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose Cloud Config<\/h3>\n\n\n\n<p>Choose Cloud Config when you need:\n&#8211; <strong>Ongoing compliance<\/strong> checks, not one-time audits\n&#8211; <strong>Evidence and history<\/strong> for audit trails\n&#8211; <strong>Standard guardrails<\/strong> across multiple teams\/projects\n&#8211; Visibility for <strong>migration and day\u20112 operations<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Cloud Config may not be the right tool if:\n&#8211; You only need <strong>API audit logs<\/strong> \u2192 start with <strong>ActionTrail<\/strong>.\n&#8211; You only need <strong>vulnerability scanning \/ malware \/ host protection<\/strong> \u2192 consider <strong>Security Center<\/strong> (different scope).\n&#8211; You need <strong>in-line enforcement<\/strong> at request time (policy-as-gate) \u2192 Cloud Config is typically <strong>detective<\/strong> rather than strictly <strong>preventive<\/strong> (verify enforcement\/remediation features for your edition\/region).\n&#8211; Your environment is extremely small and static; manual checks may be cheaper (but still risky).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Cloud Config used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services (audit, least privilege, encryption requirements)<\/li>\n<li>Healthcare and life sciences (data access governance)<\/li>\n<li>Retail and e-commerce (production safety controls)<\/li>\n<li>SaaS and internet companies (multi-tenant governance, change tracking)<\/li>\n<li>Manufacturing and IoT (security baselines across many projects)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud platform engineering \/ Cloud Center of Excellence (CCoE)<\/li>\n<li>DevOps \/ SRE teams<\/li>\n<li>Security engineering \/ security operations<\/li>\n<li>Governance, risk &amp; compliance (GRC) teams<\/li>\n<li>Migration teams validating target-state baselines<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ECS-based web applications and microservices<\/li>\n<li>Container platforms (where supported resource types exist)<\/li>\n<li>Data and analytics platforms (OSS, databases, streaming services\u2014resource support varies)<\/li>\n<li>Multi-environment landing zones (dev\/test\/stage\/prod)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single account with multiple resource groups<\/li>\n<li>Multi-account setups (via Resource Directory), where central teams need posture visibility<\/li>\n<li>Regulated landing zones with standardized guardrails<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>During migration<\/strong>: run Cloud Config rules to detect insecure or nonstandard resources before go-live.<\/li>\n<li><strong>Post-migration O&amp;M<\/strong>: continuously detect drift introduced by hotfixes, manual changes, or automation bugs.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dev\/test<\/strong>: start with a smaller rule set focused on safe defaults and tagging.<\/li>\n<li><strong>Production<\/strong>: expand to stricter baselines, delivery to OSS\/SLS, alerting, and formal exception processes.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic Cloud Config use cases you can implement incrementally. Exact managed rule names and supported services can vary\u2014<strong>verify in Cloud Config managed rule documentation<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Detect public SSH exposure in security groups<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: SSH (22) open to <code>0.0.0.0\/0<\/code> is a common breach path.<\/li>\n<li><strong>Why Cloud Config fits<\/strong>: Continuously evaluates security group inbound rules and flags noncompliance.<\/li>\n<li><strong>Scenario<\/strong>: A developer temporarily opens SSH for debugging and forgets to revert\u2014Cloud Config detects and reports it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Enforce storage buckets are not public<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Public read\/write on object storage can leak data.<\/li>\n<li><strong>Why it fits<\/strong>: Managed rules can check bucket ACL\/policies (support depends on resource type coverage).<\/li>\n<li><strong>Scenario<\/strong>: A team publishes static content but accidentally makes a data bucket public.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Require encryption at rest for supported storage\/database resources<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Unencrypted data increases regulatory and breach impact.<\/li>\n<li><strong>Why it fits<\/strong>: Rules can evaluate encryption flags 
and configuration fields.<\/li>\n<li><strong>Scenario<\/strong>: A new database instance is created without encryption; Cloud Config flags it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Ensure critical logging is enabled (auditability baseline)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Without logs, incident response and investigations are slow or impossible.<\/li>\n<li><strong>Why it fits<\/strong>: Cloud Config can evaluate whether certain logging\/audit settings exist.<\/li>\n<li><strong>Scenario<\/strong>: A project disables logs to cut cost; Cloud Config flags the drift.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Tagging policy enforcement (cost allocation and ownership)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Untagged resources cause cost and ownership ambiguity.<\/li>\n<li><strong>Why it fits<\/strong>: Rules can check required tags.<\/li>\n<li><strong>Scenario<\/strong>: Finance requires <code>CostCenter<\/code> and <code>Owner<\/code> tags; Cloud Config identifies missing tags for remediation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Detect configuration drift after migration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Migrated workloads drift from the approved target architecture.<\/li>\n<li><strong>Why it fits<\/strong>: Configuration history + rules provides continuous drift detection.<\/li>\n<li><strong>Scenario<\/strong>: A migrated ECS instance gets a public IP later, violating landing zone policy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Produce compliance evidence for audits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Auditors ask \u201cShow me compliance status over the last 90 days.\u201d<\/li>\n<li><strong>Why it fits<\/strong>: Cloud Config keeps history and can deliver records to OSS\/SLS for retention.<\/li>\n<li><strong>Scenario<\/strong>: A quarterly audit requests 
evidence that \u201cpublic access is continuously monitored.\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Central posture dashboard for platform teams<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Platform teams need a consolidated view of compliance across services.<\/li>\n<li><strong>Why it fits<\/strong>: Cloud Config aggregates compliance results by rule\/resource (multi-account depends on features\u2014verify).<\/li>\n<li><strong>Scenario<\/strong>: Weekly governance meetings review noncompliance trends and exceptions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Automated routing of noncompliance to ops workflows<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Findings without action get ignored.<\/li>\n<li><strong>Why it fits<\/strong>: Delivery to Log Service enables alerting, ticketing, and notifications.<\/li>\n<li><strong>Scenario<\/strong>: Noncompliant findings create an alert routed to the owning team\u2019s on-call rotation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) \u201cGuardrails as code\u201d with custom rules<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Managed rules may not match internal policies.<\/li>\n<li><strong>Why it fits<\/strong>: Custom rules allow organization-specific logic (implementation varies\u2014verify).<\/li>\n<li><strong>Scenario<\/strong>: Only certain CIDR ranges are allowed for inbound admin ports; custom logic enforces it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Validate environment segmentation (prod vs non-prod)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Mixing prod and dev in same network\/security boundaries increases risk.<\/li>\n<li><strong>Why it fits<\/strong>: Rules can check naming\/tag conventions and network attachments.<\/li>\n<li><strong>Scenario<\/strong>: A dev instance is deployed into a prod VPC; Cloud Config flags 
it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Continuous compliance for container and orchestration components (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Cluster configs drift; network policies\/security boundaries weaken.<\/li>\n<li><strong>Why it fits<\/strong>: If Cloud Config supports the relevant resource types, rules can evaluate cluster settings.<\/li>\n<li><strong>Scenario<\/strong>: A cluster endpoint is made publicly accessible; Cloud Config reports it.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>Features below reflect typical Cloud Config capabilities. Availability can depend on region and supported resource types\u2014<strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Resource discovery and inventory (configuration items)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Automatically discovers supported Alibaba Cloud resources and records their key configuration properties over time.<\/li>\n<li><strong>Why it matters<\/strong>: You can\u2019t govern what you can\u2019t see.<\/li>\n<li><strong>Practical benefit<\/strong>: A reliable asset inventory for governance, security review, and operations.<\/li>\n<li><strong>Caveats<\/strong>:<\/li>\n<li>Not all Alibaba Cloud services\/resources may be supported.<\/li>\n<li>Discovery\/evaluation can have latency (minutes), not real-time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 Configuration snapshots and history (timeline)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Maintains historical views of resource configurations and changes.<\/li>\n<li><strong>Why it matters<\/strong>: Helps answer \u201cwhat changed\u201d during incidents and audits.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster root cause analysis and audit 
evidence.<\/li>\n<li><strong>Caveats<\/strong>: Retention and export options vary; long-term retention is often implemented via delivery channels (OSS\/SLS).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Managed rules (prebuilt compliance checks)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides a library of pre-defined rules for common best practices.<\/li>\n<li><strong>Why it matters<\/strong>: Faster time-to-value; avoids building everything from scratch.<\/li>\n<li><strong>Practical benefit<\/strong>: Enable governance baselines in hours, not weeks.<\/li>\n<li><strong>Caveats<\/strong>:<\/li>\n<li>Managed rule coverage depends on resource types.<\/li>\n<li>Some policies need custom logic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Custom rules (organization-specific policies)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you implement rules beyond managed rule capabilities.<\/li>\n<li><strong>Why it matters<\/strong>: Internal policies rarely match generic controls exactly.<\/li>\n<li><strong>Practical benefit<\/strong>: Encode company-specific exceptions, naming rules, or network constraints.<\/li>\n<li><strong>Caveats<\/strong>:<\/li>\n<li>Implementation model may require integration with compute (for example, Function Compute) or policy definitions\u2014<strong>verify in official docs<\/strong>.<\/li>\n<li>Custom rules require testing and lifecycle management.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Compliance evaluation triggers and frequency<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Evaluates resources on configuration changes and\/or scheduled intervals (depending on rule).<\/li>\n<li><strong>Why it matters<\/strong>: Balance responsiveness vs cost\/noise.<\/li>\n<li><strong>Practical benefit<\/strong>: Catch drift quickly without re-evaluating everything 
unnecessarily.<\/li>\n<li><strong>Caveats<\/strong>: High-frequency evaluation can increase cost (if billed per evaluation) and generate alert fatigue.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Compliance dashboards and drill-down views<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Summarizes compliance posture by rule and by resource; supports drilling into evidence.<\/li>\n<li><strong>Why it matters<\/strong>: Helps teams prioritize what to fix first.<\/li>\n<li><strong>Practical benefit<\/strong>: Clear accountability and progress tracking.<\/li>\n<li><strong>Caveats<\/strong>: Dashboards are only as good as rule coverage and tagging\/ownership metadata.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Delivery channels (export to OSS \/ Log Service)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Sends configuration snapshots and evaluation results to OSS and\/or Log Service for retention and analytics.<\/li>\n<li><strong>Why it matters<\/strong>: Centralize evidence and integrate with SIEM\/analytics.<\/li>\n<li><strong>Practical benefit<\/strong>: Long-term audit trails and queryable logs.<\/li>\n<li><strong>Caveats<\/strong>:<\/li>\n<li>OSS storage costs accumulate.<\/li>\n<li>Log Service ingestion and indexing costs can be significant at scale.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 API\/SDK support<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Programmatic management of rules, evaluations, and exported data (APIs vary by version\u2014verify).<\/li>\n<li><strong>Why it matters<\/strong>: Enables automation, CI\/CD, and \u201cgovernance as code.\u201d<\/li>\n<li><strong>Practical benefit<\/strong>: Repeatable rollouts across environments and accounts.<\/li>\n<li><strong>Caveats<\/strong>: Requires careful IAM scoping and change control.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 Multi-account \/ aggregation (if 
supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Central visibility across multiple accounts under an organization (often tied to Resource Directory).<\/li>\n<li><strong>Why it matters<\/strong>: Enterprises need centralized governance.<\/li>\n<li><strong>Practical benefit<\/strong>: Standard posture reports across business units.<\/li>\n<li><strong>Caveats<\/strong>: Setup complexity and cross-account roles\/policies; feature availability can vary\u2014<strong>verify<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Cloud Config sits in the control plane and continuously:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Discovers supported resources<\/strong> in your Alibaba Cloud account.<\/li>\n<li>Stores their configuration as <strong>configuration items<\/strong>.<\/li>\n<li>Runs <strong>rule evaluations<\/strong> based on triggers (change-based and\/or scheduled).<\/li>\n<li>Records <strong>compliance results<\/strong> and optionally exports them to destinations like OSS\/SLS.<\/li>\n<li>Provides console and API access for search, reporting, and evidence.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A resource (for example, a security group) is created or modified.<\/li>\n<li>Cloud Config detects the change and records a new configuration state.<\/li>\n<li>Relevant rules are evaluated.<\/li>\n<li>Compliance results are stored and optionally delivered to OSS\/SLS.<\/li>\n<li>Your alerting\/ops workflows consume delivered logs and open tickets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common patterns in Alibaba Cloud:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>RAM<\/strong>: controls 
who can enable Cloud Config, create rules, and view results.<\/li>\n<li><strong>OSS<\/strong>: destination for long-term storage of configuration\/compliance snapshots.<\/li>\n<li><strong>Log Service (SLS)<\/strong>: analytics, alerting, SIEM export, and correlation with other logs.<\/li>\n<li><strong>ActionTrail<\/strong>: for API-level audit events; complements Cloud Config\u2019s configuration-level history.<\/li>\n<li><strong>Resource Management \/ Resource Directory<\/strong>: organizing accounts\/resource groups; may enable multi-account posture patterns (verify feature compatibility).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<p>Cloud Config itself is a managed service, but depends on:\n&#8211; Access permissions to read resource metadata (via RAM\/service-linked role).\n&#8211; Optional target services (OSS\/SLS) for delivery.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users\/operators authenticate via <strong>Alibaba Cloud RAM<\/strong>.<\/li>\n<li>Cloud Config uses a <strong>service-linked role<\/strong> (or equivalent authorized role) to read configurations and deliver data.<\/li>\n<li>Least privilege is essential: separate \u201cview-only auditors\u201d from \u201crule managers.\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<p>Cloud Config operates on control-plane APIs and does not require VPC connectivity to your workloads. 
Delivery to OSS\/SLS occurs within Alibaba Cloud\u2019s managed service network.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable delivery to <strong>SLS<\/strong> if you need alerting and query at scale.<\/li>\n<li>Use <strong>OSS<\/strong> for long retention, audit evidence, and cost-efficient archival.<\/li>\n<li>Pair with <strong>ActionTrail<\/strong> to link configuration changes with identities and API calls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Operator \/ Auditor] --&gt;|RAM auth| CC[Alibaba Cloud Config]\n  R[\"Alibaba Cloud Resources&lt;br\/&gt;(ECS, VPC, OSS, ...)\"] --&gt; CC\n  CC --&gt;|Evaluate| RULES[Managed\/Custom Rules]\n  CC --&gt; RES[\"Compliance Results&lt;br\/&gt;&amp; Config History\"]\n  CC --&gt;|Delivery Channel| OSS[\"OSS Bucket (Archive)\"]\n  CC --&gt;|Delivery Channel| SLS[\"Log Service (Analytics\/Alerts)\"]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Org[Organization \/ Cloud Governance]\n    RAM[\"RAM&lt;br\/&gt;(Users, Roles, Policies)\"]\n    RD[\"Resource Directory \/ Resource Mgmt&lt;br\/&gt;(Optional for multi-account)\"]\n  end\n\n  subgraph Config[Cloud Config]\n    INV[\"Resource Inventory&lt;br\/&gt;&amp; Config Items\"]\n    ENG[Rule Evaluation Engine]\n    REP[\"Compliance Views&lt;br\/&gt;Dashboards\/Reports\"]\n    DEL[Delivery Channels]\n  end\n\n  subgraph Cloud[Alibaba Cloud Resources]\n    VPC[VPC \/ Security Groups]\n    ECS[ECS Instances]\n    OSSR[OSS Buckets]\n    OTH[Other Supported Resources]\n  end\n\n  subgraph AuditOps[\"Audit &amp; Operations Tooling\"]\n    AT[\"ActionTrail&lt;br\/&gt;(API Audit)\"]\n    SLS[\"Log Service&lt;br\/&gt;(Alerting\/Query\/SIEM)\"]\n    OSSA[\"OSS&lt;br\/&gt;(Long retention evidence)\"]\n    ITSM[\"Ticketing \/ ChatOps&lt;br\/&gt;(External)\"]\n  end\n\n  RAM --&gt; 
Config\n  RD -. optional scope .-&gt; Config\n\n  VPC --&gt; INV\n  ECS --&gt; INV\n  OSSR --&gt; INV\n  OTH --&gt; INV\n\n  INV --&gt; ENG\n  ENG --&gt; REP\n  ENG --&gt; DEL\n\n  DEL --&gt; OSSA\n  DEL --&gt; SLS\n\n  AT --&gt; SLS\n  SLS --&gt; ITSM\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>Before starting with Cloud Config:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An <strong>Alibaba Cloud account<\/strong> with billing enabled.<\/li>\n<li>If operating in an enterprise, use a <strong>RAM user<\/strong> rather than the root account.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM (RAM)<\/h3>\n\n\n\n<p>You need permissions to:\n&#8211; Enable Cloud Config\n&#8211; Create rules\n&#8211; Create\/modify delivery channels (OSS\/SLS)\n&#8211; Read compliance results<\/p>\n\n\n\n<p>Practical guidance:\n&#8211; Use Alibaba Cloud <strong>system policies<\/strong> for Cloud Config if available (for example, \u201cfull access\u201d vs \u201cread-only\u201d policies).<br\/>\n  Policy names can vary\u2014<strong>verify in the RAM console<\/strong>.\n&#8211; Expect Cloud Config to request creation of a <strong>service-linked role<\/strong> on first use (role name can vary\u2014verify in console prompts).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure billing method is configured. 
Costs may occur for:<\/li>\n<li>Cloud Config evaluations\/records (depending on pricing model)<\/li>\n<li>OSS storage requests and capacity<\/li>\n<li>Log Service ingestion, indexing, and storage<\/li>\n<li>Data transfer in some cross-region scenarios<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Console-based lab: no local tools required.<\/li>\n<li>Optional:<\/li>\n<li>Alibaba Cloud CLI (if you later automate via APIs)\u2014<strong>verify current CLI and API names in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config availability can be region-dependent, and some resource types are region-scoped.<br\/>\n<strong>Verify supported regions<\/strong> in official Cloud Config docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Typical quota categories (exact limits vary):\n&#8211; Number of rules per account\n&#8211; Delivery channel limits\n&#8211; Evaluation rate or API quotas\n&#8211; Retention limits in console<\/p>\n\n\n\n<p>Always check <strong>quotas<\/strong> in the Cloud Config console or official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services for the lab in this tutorial<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPC<\/strong> (for a security group test resource)<\/li>\n<li><strong>OSS<\/strong> (for a delivery channel destination)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Cloud Config pricing can vary by region and edition, and can change over time. 
Do not rely on static blog numbers\u2014use the official pricing pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (typical dimensions)<\/h3>\n\n\n\n<p>Cloud Config services commonly charge along these dimensions (confirm for Alibaba Cloud Cloud Config in your region):<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Configuration items recorded<\/strong> (resource snapshots \/ configuration history volume)<\/li>\n<li><strong>Rule evaluations<\/strong> (how often resources are evaluated)<\/li>\n<li><strong>Advanced features<\/strong> (for example, compliance packs, aggregation, or extended retention\u2014if applicable)<\/li>\n<\/ol>\n\n\n\n<blockquote>\n<p>Verify in official docs: Cloud Config billing details and whether there is a free tier for a baseline volume.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<p>Some governance services include a limited free tier (for example, a small number of evaluations or recorded items). 
<strong>Verify in the official Cloud Config billing page<\/strong> whether a free tier exists and what it covers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Primary cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Number of supported resources<\/strong> discovered and tracked<\/li>\n<li><strong>Change rate<\/strong> (frequent updates increase recorded configurations)<\/li>\n<li><strong>Number of enabled rules<\/strong><\/li>\n<li><strong>Evaluation frequency<\/strong> (periodic evaluations across many resources can scale costs quickly)<\/li>\n<li><strong>Delivery destinations<\/strong>:<\/li>\n<li>OSS storage size + request costs<\/li>\n<li>Log Service ingestion\/indexing\/storage costs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden\/indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Log Service<\/strong> can become a major cost center if you export and index everything.<\/li>\n<li><strong>Long retention<\/strong> in OSS accumulates over months\/years.<\/li>\n<li><strong>Operational overhead<\/strong>: managing noise, false positives, and exception workflows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delivery to OSS\/SLS inside Alibaba Cloud is usually internal, but cross-region delivery patterns or external SIEM exports can incur transfer costs.<br\/>\n<strong>Verify data transfer pricing<\/strong> for OSS\/SLS in your region and architecture.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with a <strong>small baseline rule set<\/strong> (5\u201320 rules) and expand.<\/li>\n<li>Prefer <strong>change-triggered<\/strong> evaluation when feasible over high-frequency periodic evaluation.<\/li>\n<li>Export only what you need:<\/li>\n<li>OSS for low-cost archive<\/li>\n<li>SLS for analytics\/alerting (filter and set retention)<\/li>\n<li>Use 
<strong>tags\/resource groups<\/strong> to scope evaluations if supported.<\/li>\n<li>Tune alerting: alert only on high-severity rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n<p>A low-cost starter setup typically includes:\n&#8211; A small number of managed rules (for example, network exposure + public storage checks)\n&#8211; OSS delivery with lifecycle rules to archive\/delete older data\n&#8211; Minimal or no SLS export until you need alerting<\/p>\n\n\n\n<p>Because exact unit prices vary, <strong>use the official calculator<\/strong> and plug in:\n&#8211; approximate resource count\n&#8211; expected change frequency\n&#8211; rule count and evaluation frequency\n&#8211; OSS and SLS retention<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For a production enterprise environment:\n&#8211; Thousands of resources\n&#8211; Dozens to hundreds of rules\n&#8211; SLS export for real-time alerting and SOC workflows<\/p>\n\n\n\n<p>Cost planning should include:\n&#8211; SLS ingestion and index volumes (often the largest variable)\n&#8211; OSS retention policies (e.g., 90 days hot + archive tier beyond)\n&#8211; Evaluation frequency for periodic audits vs change-based<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing references<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud pricing calculator: https:\/\/www.alibabacloud.com\/pricing\/calculator  <\/li>\n<li>Cloud Config product\/docs entry point (navigate to Billing\/Price pages from here): https:\/\/www.alibabacloud.com\/help\/en\/cloud-config\/<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab is designed to be <strong>safe and low-cost<\/strong> by using a <strong>security group<\/strong> misconfiguration as the noncompliant example. 
Security groups and VPCs are typically free (verify for your region\/account), but always review your account\u2019s pricing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Enable Alibaba Cloud <strong>Cloud Config<\/strong>, set up a <strong>delivery channel to OSS<\/strong>, create a <strong>managed compliance rule<\/strong> to detect an insecure security group (SSH open to the world), and then remediate it to reach a compliant state.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a test VPC and Security Group with an insecure inbound rule (<code>0.0.0.0\/0<\/code> to TCP 22).<\/li>\n<li>Enable Cloud Config and create an OSS delivery channel.<\/li>\n<li>Enable a managed rule that checks for overly permissive security group rules (exact managed rule name can vary).<\/li>\n<li>Trigger\/perform an evaluation and observe a <strong>Non-compliant<\/strong> result.<\/li>\n<li>Fix the security group and re-evaluate to get <strong>Compliant<\/strong>.<\/li>\n<li>Clean up resources (delete rule, delivery channel, OSS bucket, VPC artifacts).<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a test security group with an insecure SSH rule<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Create a controlled, known-bad configuration to demonstrate Cloud Config detection.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sign in to the <strong>Alibaba Cloud Console<\/strong>.<\/li>\n<li>Choose a region where you can create VPC resources (for example, your usual region).<\/li>\n<li>Go to <strong>VPC<\/strong>.<\/li>\n<li>Create:\n   &#8211; One <strong>VPC<\/strong>\n   &#8211; One <strong>vSwitch<\/strong><\/li>\n<li>Create a <strong>Security Group<\/strong> in that VPC.<\/li>\n<li>Add an inbound rule similar to:\n   &#8211; Protocol: TCP\n   &#8211; Port range: <code>22\/22<\/code>\n   &#8211; Authorization object \/ 
Source: <code>0.0.0.0\/0<\/code>\n   &#8211; Action: Allow<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You have a security group with inbound SSH open to the internet.\n&#8211; Leave it unattached: a security group that is not associated with any ECS instance or ENI exposes nothing, so the known-bad rule is harmless for the duration of the lab.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In the security group rules page, confirm the inbound rule exists and the source is <code>0.0.0.0\/0<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create an OSS bucket for Cloud Config delivery<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Prepare a destination to store Cloud Config snapshots\/results for audit retention.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Object Storage Service (OSS)<\/strong>.<\/li>\n<li>Create a bucket with:\n   &#8211; A unique bucket name\n   &#8211; Region: same region you plan to use for delivery (simplifies access patterns)\n   &#8211; Access control: <strong>Private<\/strong> (the delivered snapshots describe your security groups and other resources in detail, so this bucket must never be readable by the public)<\/li>\n<li>(Recommended) Add a lifecycle rule later to delete\/transition old objects after your retention window.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; A private OSS bucket exists and is empty.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Open the bucket and confirm it is accessible and currently has no objects.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Enable Cloud Config<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Turn on Cloud Config resource recording and prepare the environment for rules.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Cloud Config<\/strong> in the Alibaba Cloud Console.<br\/>\n   Docs entry point: https:\/\/www.alibabacloud.com\/help\/en\/cloud-config\/<\/li>\n<li>If prompted, click <strong>Enable<\/strong> \/ <strong>Activate<\/strong> Cloud Config.<\/li>\n<li>If Cloud Config requests authorization (for example, creating a service-linked role):\n   &#8211; Review the requested permissions\n   &#8211; Approve 
creation<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Cloud Config is enabled and starts discovering supported resources.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In Cloud Config, find the <strong>resource inventory<\/strong> or <strong>resources<\/strong> view and confirm resources start appearing (this may take several minutes).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Configure a delivery channel to OSS<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Export configuration\/compliance data to OSS for retention and audit.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Cloud Config, find <strong>Delivery Channel<\/strong> (or similar menu item).<\/li>\n<li>Create a delivery channel with:\n   &#8211; Destination type: <strong>OSS<\/strong>\n   &#8211; Bucket: select the bucket created in Step 2\n   &#8211; Prefix\/path: optional but recommended, for example <code>cloud-config\/<\/code>\n   &#8211; Delivery content: configuration snapshots and\/or compliance results (options vary\u2014choose what you need)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Cloud Config can write files\/objects to your OSS bucket.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Wait a few minutes, then check the OSS bucket for new objects under the chosen prefix.<\/p>\n\n\n\n<p><strong>Common issue<\/strong>\n&#8211; <strong>Access denied<\/strong> writing to OSS: ensure the service-linked role\/authorization was created, and the bucket is in a supported region\/setting for delivery. 
If the bucket has a bucket policy, SSE-KMS encryption, or strict ACLs, confirm that the Cloud Config service-linked role is allowed to write objects to it (and, for SSE-KMS, to use the key).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create a managed rule to detect public SSH exposure<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Use a managed rule to detect the insecure inbound security group rule.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Cloud Config, open the <strong>Rules<\/strong> section.<\/li>\n<li>Click <strong>Add Rule<\/strong> \/ <strong>Create Rule<\/strong>.<\/li>\n<li>Choose <strong>Managed Rules<\/strong>.<\/li>\n<li>Search for a rule related to security group overly permissive access, such as:\n   &#8211; \u201cSecurity group should not allow inbound SSH from 0.0.0.0\/0\u201d\n   &#8211; \u201cSecurity group inbound rules restricted for admin ports\u201d\n   &#8211; Equivalent wording depending on your console language\/version<\/li>\n<\/ol>\n\n\n\n<blockquote>\n<p>Managed rule naming can differ. Use the rule description and target resource type (security group) to select the correct one.<\/p>\n<\/blockquote>\n\n\n\n<ol class=\"wp-block-list\" start=\"5\">\n<li>\n<p>Configure:\n   &#8211; Rule name: <code>deny-public-ssh<\/code> (or similar)\n   &#8211; Scope: Security Groups (or the applicable scope the rule supports)\n   &#8211; Trigger type: configuration change (so the fix in Step 7 is re-evaluated promptly), plus periodic if you also want a scheduled sweep at a reasonable cadence\n   &#8211; Parameters: if the rule supports parameters (for example, a list of restricted ports), set port <code>22<\/code>; add <code>3389<\/code> if RDP should be covered too. A port list that does not include 22 will not flag the lab\u2019s security group.<\/p>\n<\/li>\n<li>\n<p>Save\/enable the rule.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The rule is created and begins evaluation.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Open the rule details and look for:\n  &#8211; Evaluation status\n  &#8211; Number of resources evaluated\n  &#8211; Non-compliant resources list<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: 
Run\/observe evaluation and identify the non-compliant security group<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Confirm Cloud Config detects the insecure rule.<\/p>\n\n\n\n<p>Depending on the UI, either:\n&#8211; Wait for the next evaluation cycle, or\n&#8211; Click <strong>Evaluate Now<\/strong> \/ <strong>Re-evaluate<\/strong> (if the console offers a manual evaluation action)<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The security group with <code>0.0.0.0\/0 -&gt; TCP\/22<\/code> is flagged <strong>Non-compliant<\/strong>.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In the rule results, open the non-compliant resource.\n&#8211; Review the evidence section showing which inbound rule triggered the finding.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Remediate by restricting SSH access<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Fix the misconfiguration and return to compliance.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go back to <strong>VPC \u2192 Security Groups<\/strong>.<\/li>\n<li>Edit inbound rules:\n   &#8211; Remove the inbound rule that allows <code>0.0.0.0\/0<\/code> on port 22, <strong>or<\/strong>\n   &#8211; Restrict the source to a trusted CIDR (for example, your office VPN public IP range)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The security group no longer permits public SSH.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Confirm the inbound rule source is not <code>0.0.0.0\/0<\/code> for TCP\/22.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Re-evaluate and confirm compliance is restored<\/h3>\n\n\n\n<p>Return to Cloud Config \u2192 your rule \u2192 run <strong>Re-evaluate<\/strong> (or wait for automatic evaluation).<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The previously non-compliant security group becomes <strong>Compliant<\/strong> (or \u201cNot Applicable\u201d if 
the rule scope changed).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Compliance status shows Compliant.\n&#8211; OSS delivery contains updated evaluation outputs (timing varies).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config is enabled and has discovered resources.<\/li>\n<li>An OSS delivery channel is active and objects are delivered.<\/li>\n<li>A managed rule evaluates security groups.<\/li>\n<li>One security group was detected non-compliant, then became compliant after remediation.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: No resources appear in Cloud Config<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Wait 5\u201315 minutes; initial discovery can be delayed.<\/li>\n<li>Confirm you are viewing the correct account and region context (if Cloud Config has regional consoles).<\/li>\n<li>Verify Cloud Config has the required service-linked role\/permissions.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Rule shows \u201c0 resources evaluated\u201d<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm the rule scope includes the resource type you created.<\/li>\n<li>Confirm the security group exists in a supported region for that rule.<\/li>\n<li>Verify the rule is enabled and has an evaluation trigger.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: OSS bucket receives no delivery objects<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm delivery channel status is \u201cenabled\/healthy\u201d.<\/li>\n<li>Confirm OSS bucket is private but allows Cloud Config delivery via authorized role.<\/li>\n<li>Check for errors shown in Cloud Config delivery channel details.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: The rule doesn\u2019t flag 
<code>0.0.0.0\/0<\/code> as non-compliant<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm the managed rule logic matches your test (some rules only check certain ports).<\/li>\n<li>Choose a different managed rule focused explicitly on SSH or admin ports.<\/li>\n<li>If managed rules don\u2019t fit, consider a custom rule approach (verify supported custom rule mechanisms).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges and reduce clutter:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cloud Config:\n   &#8211; Disable or delete the rule you created.\n   &#8211; Delete\/disable the delivery channel to OSS.<\/li>\n<li>OSS:\n   &#8211; Delete objects delivered to the bucket (or delete the bucket entirely).<\/li>\n<li>VPC:\n   &#8211; Delete the security group (if unused).\n   &#8211; Delete the vSwitch and VPC if created only for this lab.<\/li>\n<\/ol>\n\n\n\n<blockquote>\n<p>If deletion fails due to dependencies, check for attached ECS instances, ENIs, or referenced security groups.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with a <strong>landing zone baseline<\/strong>: a small set of high-impact rules (public exposure, encryption, logging, tags).<\/li>\n<li>Prefer <strong>detect + route + remediate<\/strong> workflows:<\/li>\n<li>Detect via Cloud Config<\/li>\n<li>Route via SLS\/alerts\/tickets<\/li>\n<li>Remediate via runbooks\/automation (where available)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>least privilege<\/strong> in RAM:<\/li>\n<li>Security\/audit teams: read-only access to Cloud Config reports<\/li>\n<li>Platform team: manage rules and delivery channels<\/li>\n<li>Require MFA and strong password policies for privileged users.<\/li>\n<li>Use <strong>service-linked roles<\/strong> rather than embedding credentials.<\/li>\n<li>Separate responsibilities:<\/li>\n<li>One team defines rules<\/li>\n<li>Another team approves exceptions<\/li>\n<li>App teams remediate<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limit rule count initially; expand based on risk and operational maturity.<\/li>\n<li>Avoid overly frequent periodic evaluations in large environments unless required.<\/li>\n<li>Use OSS lifecycle policies for retention control:<\/li>\n<li>Keep 30\u201390 days hot<\/li>\n<li>Archive or delete beyond retention<\/li>\n<li>If exporting to Log Service:<\/li>\n<li>Set appropriate log retention<\/li>\n<li>Filter out low-value events before indexing (where possible)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices (governance performance)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use change-triggered evaluations when available.<\/li>\n<li>Group related controls into manageable sets (by domain: network, storage, IAM, 
logging).<\/li>\n<li>Avoid rules that generate excessive noise; tune parameters and scope.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat delivery channels as production pipelines:<\/li>\n<li>Monitor delivery failures<\/li>\n<li>Use redundant retention (OSS + SLS) if audit requirements demand it<\/li>\n<li>Document fallback processes for audits if the delivery channel is interrupted.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define a severity model for rules:<\/li>\n<li>Critical: public admin ports, public write access, no encryption on sensitive data<\/li>\n<li>High: overly permissive outbound access, missing logging<\/li>\n<li>Medium\/Low: tagging gaps, naming conventions<\/li>\n<li>Establish an <strong>exception process<\/strong>:<\/li>\n<li>Time-bound exceptions<\/li>\n<li>Documented business justification<\/li>\n<li>Periodic review of exceptions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Require tags such as:<\/li>\n<li><code>Owner<\/code>, <code>CostCenter<\/code>, <code>Environment<\/code>, <code>DataClassification<\/code><\/li>\n<li>Use resource groups aligned to org structure.<\/li>\n<li>Use consistent naming to simplify rule targeting and ownership mapping.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config access is controlled by <strong>RAM<\/strong> policies.<\/li>\n<li>Use:<\/li>\n<li>Read-only roles for auditors<\/li>\n<li>Admin roles for governance engineers<\/li>\n<li>Review and approve the <strong>service-linked role<\/strong> Cloud Config uses to access resource metadata and deliver outputs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config stores metadata in the managed service. For exported data:<\/li>\n<li><strong>OSS<\/strong>: enable server-side encryption options as required (SSE-OSS or SSE-KMS).<\/li>\n<li><strong>SLS<\/strong>: review encryption and retention options.<\/li>\n<\/ul>\n\n\n\n<p>Because encryption options can vary by region and service configuration, <strong>verify in official OSS\/SLS docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config itself is control-plane; it does not open inbound network paths to your VPC workloads.<\/li>\n<li>Your main exposure concern is the <strong>resources being evaluated<\/strong> (security groups, public endpoints) and the <strong>delivery destinations<\/strong> (OSS bucket policy, SLS access controls).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid embedding secrets in custom rule logic.<\/li>\n<li>If custom rules require secrets:<\/li>\n<li>Use Alibaba Cloud secrets management approaches (verify current recommended service in your region)<\/li>\n<li>Use RAM roles and temporary credentials<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>ActionTrail<\/strong> for API-level auditing.<\/li>\n<li>Export Cloud Config evaluations to <strong>SLS<\/strong> 
if you need searchable audit trails and alerting.<\/li>\n<li>Restrict who can disable Cloud Config or delete delivery channels.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Cloud Config supports compliance posture monitoring, but does not automatically make you compliant. You still need:\n&#8211; Documented policies\n&#8211; Rule-to-policy mapping\n&#8211; Evidence retention\n&#8211; Exception management\n&#8211; Remediation SLAs<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allowing broad access to modify rules (attackers can disable detection).<\/li>\n<li>Exporting to OSS buckets with overly permissive bucket policies.<\/li>\n<li>Not retaining evidence long enough for audits.<\/li>\n<li>Treating managed rules as sufficient without validating they match internal policy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a dedicated governance admin role with MFA.<\/li>\n<li>Enable OSS delivery with encryption and lifecycle rules.<\/li>\n<li>Export to SLS only for high-value signals and alert on critical findings.<\/li>\n<li>Implement \u201cbreak-glass\u201d procedures for emergency changes and ensure Cloud Config tracks them.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Because Cloud Config evolves, validate details in official docs. 
Common limitations include:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Supported resource coverage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not all Alibaba Cloud services or resource types may be supported for recording\/evaluation.<\/li>\n<li>Some rules apply only to specific resource types.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Evaluation latency<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detection is often <strong>near real-time<\/strong> but not instant. Expect minutes of delay.<\/li>\n<li>This is important during incident response\u2014use ActionTrail and service logs too.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Rule logic nuance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed rules may not cover your exact security standard.<\/li>\n<li>Parameters (ports, CIDRs, allowed values) must be tuned carefully to avoid false positives\/negatives.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Multi-account posture<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized aggregation across accounts can be complex and may require Resource Directory features.<\/li>\n<li>Availability and setup steps can differ\u2014<strong>verify<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Delivery channel constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OSS bucket region and permission model can block deliveries.<\/li>\n<li>SLS costs can grow quickly if you export everything and index it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limits on number of rules, evaluation concurrency, or delivery channels may apply.<\/li>\n<li>Large environments should plan quota increases ahead of time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If teams can \u201cfix\u201d findings by simply disabling rules, governance fails. 
Restrict permissions.<\/li>\n<li>Without ownership tags, findings become unassigned and stay unresolved.<\/li>\n<li>Too many low-severity rules lead to alert fatigue.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>During migrations, resources change frequently; evaluation noise can spike.<\/li>\n<li>Use phased rollouts:<\/li>\n<li>Observe-only mode first (reporting)<\/li>\n<li>Then enforce operational SLAs<\/li>\n<li>Then add automation for remediation<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Cloud Config is a governance\/compliance tool, but it\u2019s not the only way to achieve similar outcomes. Here\u2019s how it compares.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives within Alibaba Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ActionTrail<\/strong>: API auditing (\u201cwho called what API and when\u201d)<\/li>\n<li><strong>Security Center<\/strong>: threat detection and vulnerability management (different scope than configuration compliance)<\/li>\n<li><strong>Resource Management \/ Tagging<\/strong>: organization and tagging controls (not full compliance evaluation)<\/li>\n<li><strong>Log Service (SLS)<\/strong>: analytics platform (Cloud Config can feed into it)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparable services in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS Config<\/strong>: resource config history, rules, conformance packs<\/li>\n<li><strong>Azure Policy<\/strong>: policy enforcement + compliance reporting<\/li>\n<li><strong>Google Cloud<\/strong>: Organization Policy + Cloud Asset Inventory (similar governance pieces)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source\/self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Custodian<\/strong>: policy-as-code for 
multiple clouds (requires running and maintaining)<\/li>\n<li><strong>Open Policy Agent (OPA)<\/strong>: policy engine (you build integrations)<\/li>\n<li>Custom scripts + CMDB (high maintenance, weak evidence)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Config (Cloud Config)<\/strong><\/td>\n<td>Continuous configuration compliance in Alibaba Cloud<\/td>\n<td>Native resource discovery, rule evaluations, history, delivery to OSS\/SLS<\/td>\n<td>Coverage depends on supported resource types; rule library may not match every internal standard<\/td>\n<td>You run workloads primarily on Alibaba Cloud and want native governance<\/td>\n<\/tr>\n<tr>\n<td><strong>ActionTrail (Alibaba Cloud)<\/strong><\/td>\n<td>API auditing and forensic investigations<\/td>\n<td>Strong \u201cwho did what\u201d trail; complements config history<\/td>\n<td>Not a compliance rules engine; doesn\u2019t directly evaluate posture<\/td>\n<td>You need audit logs and identity attribution for changes<\/td>\n<\/tr>\n<tr>\n<td><strong>Security Center (Alibaba Cloud)<\/strong><\/td>\n<td>Threat\/vuln\/host security posture<\/td>\n<td>Security-focused detection and response capabilities<\/td>\n<td>Not primarily configuration compliance; different control objectives<\/td>\n<td>You need vulnerability management and threat detection beyond config<\/td>\n<\/tr>\n<tr>\n<td><strong>Log Service (SLS) + custom logic<\/strong><\/td>\n<td>Highly customized analytics\/alerting<\/td>\n<td>Flexible queries, dashboards, alerting<\/td>\n<td>You must build and maintain detection logic<\/td>\n<td>You have mature logging\/SIEM practice and need custom detections<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Config \/ Azure Policy \/ GCP governance 
tools<\/strong><\/td>\n<td>Governance in those clouds<\/td>\n<td>Deep integration within each cloud ecosystem<\/td>\n<td>Not applicable if your governance target is Alibaba Cloud<\/td>\n<td>You operate in multi-cloud and need native tools per cloud<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloud Custodian \/ OPA (self-managed)<\/strong><\/td>\n<td>Multi-cloud policy-as-code<\/td>\n<td>Portable policies; flexible<\/td>\n<td>Operational burden; requires pipelines and runtime<\/td>\n<td>You need multi-cloud uniformity and can operate tooling reliably<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated fintech migrating to Alibaba Cloud<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nA fintech is migrating customer-facing services and data stores to Alibaba Cloud. Regulators require continuous controls for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>public exposure restrictions<\/li>\n<li>encryption at rest<\/li>\n<li>logging\/auditability<\/li>\n<li>change tracking and evidence retention<\/li>\n<\/ul>\n\n\n\n<p><strong>Proposed architecture<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config enabled across production accounts (and optionally aggregated to a central governance account if supported).<\/li>\n<li>Baseline managed rules:\n<ul>\n<li>restrict public admin ports<\/li>\n<li>restrict public storage access<\/li>\n<li>ensure logging is enabled for critical services (where supported)<\/li>\n<li>enforce mandatory tags (<code>Owner<\/code>, <code>System<\/code>, <code>DataClass<\/code>)<\/li>\n<\/ul>\n<\/li>\n<li>Delivery channels:\n<ul>\n<li>OSS for long-term audit evidence retention (with lifecycle + encryption)<\/li>\n<li>SLS for real-time alerting on critical findings<\/li>\n<\/ul>\n<\/li>\n<li>ActionTrail enabled and exported to SLS for correlation.<\/li>\n<\/ul>\n\n\n\n<p><strong>Why Cloud Config was chosen<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Native Alibaba Cloud integration and governance workflows<\/li>\n<li>Continuous evaluation + history suitable for audits<\/li>\n<li>Scales across many teams without manual checks<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced misconfiguration risk during migration<\/li>\n<li>Faster audit evidence generation<\/li>\n<li>Clear compliance KPIs and exception tracking<\/li>\n<li>Faster incident investigations via config history + ActionTrail<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS team needing basic guardrails<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nA small SaaS team runs production on Alibaba Cloud with limited security staff. They repeatedly encounter issues like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>public SSH opened during debugging<\/li>\n<li>buckets accidentally made public<\/li>\n<li>missing ownership tags leading to orphaned resources<\/li>\n<\/ul>\n\n\n\n<p><strong>Proposed architecture<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Config enabled in the production account.<\/li>\n<li>10\u201315 managed rules focused on:\n<ul>\n<li>public exposure<\/li>\n<li>storage access<\/li>\n<li>mandatory tags<\/li>\n<\/ul>\n<\/li>\n<li>OSS delivery for 30\u201390 days of retention.<\/li>\n<li>Optional: SLS export only for critical findings.<\/li>\n<\/ul>\n\n\n\n<p><strong>Why Cloud Config was chosen<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimal setup and maintenance compared to self-managed compliance tooling<\/li>\n<li>Fast value from managed rules<\/li>\n<li>Helps enforce operational hygiene without adding headcount<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fewer production security incidents caused by misconfiguration<\/li>\n<li>Cleaner cost allocation via tags<\/li>\n<li>More predictable O&amp;M processes<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Cloud Config the same as ActionTrail?<\/strong><br\/>\nNo. <strong>ActionTrail<\/strong> records API calls (\u201cwho did what\u201d). 
<strong>Cloud Config<\/strong> records configuration state\/history and evaluates <strong>compliance rules<\/strong>. They complement each other.<\/p>\n\n\n\n<p>2) <strong>Does Cloud Config prevent noncompliant changes from happening?<\/strong><br\/>\nCloud Config is primarily <strong>detective<\/strong> (finds and reports). Some ecosystems support remediation\/automation patterns, but \u201chard prevention\u201d usually requires additional controls. <strong>Verify in official docs<\/strong> for any preventive enforcement features.<\/p>\n\n\n\n<p>3) <strong>What resource types does Cloud Config support?<\/strong><br\/>\nSupported types vary. Check the Cloud Config documentation section for <strong>Supported Resource Types<\/strong> and the managed rules catalog.<\/p>\n\n\n\n<p>4) <strong>How fast does Cloud Config detect changes?<\/strong><br\/>\nTypically within minutes, but not guaranteed real-time. Use ActionTrail\/service logs for real-time forensic needs.<\/p>\n\n\n\n<p>5) <strong>Can Cloud Config export results to my SIEM?<\/strong><br\/>\nCommonly yes via <strong>Log Service (SLS)<\/strong> export, then forward from SLS to external SIEM. Exact connectors depend on your SIEM and SLS configuration.<\/p>\n\n\n\n<p>6) <strong>Do I need OSS delivery if I already use SLS?<\/strong><br\/>\nNot strictly, but OSS is often cheaper for long-term retention. Many teams use <strong>OSS for archive<\/strong> and <strong>SLS for alerting\/analytics<\/strong>.<\/p>\n\n\n\n<p>7) <strong>How do I reduce false positives?<\/strong><br\/>\nTune rule parameters, scope rules to relevant resource groups\/tags, and implement exception processes.<\/p>\n\n\n\n<p>8) <strong>Can I write custom rules?<\/strong><br\/>\nUsually yes, but the mechanism varies (policy definitions, Function Compute integration, etc.). 
<strong>Verify custom rule support and templates<\/strong> in official docs.<\/p>\n\n\n\n<p>9) <strong>Is Cloud Config suitable for multi-account governance?<\/strong><br\/>\nPotentially, especially with Resource Directory, but multi-account aggregation capabilities vary. <strong>Verify aggregator\/multi-account features<\/strong>.<\/p>\n\n\n\n<p>10) <strong>Who should have permission to disable Cloud Config?<\/strong><br\/>\nOnly a small set of platform\/security admins with MFA, because disabling it removes detective controls and audit evidence pipelines.<\/p>\n\n\n\n<p>11) <strong>Does Cloud Config store sensitive data?<\/strong><br\/>\nIt stores configuration metadata; some metadata can still be sensitive (resource names, network ranges). Protect access and export destinations.<\/p>\n\n\n\n<p>12) <strong>How long does Cloud Config retain history in the console?<\/strong><br\/>\nRetention policies vary. If you need long retention for audits, use delivery channels to OSS\/SLS. <strong>Verify retention limits<\/strong> in docs.<\/p>\n\n\n\n<p>13) <strong>Can Cloud Config help with migration projects?<\/strong><br\/>\nYes. During migration, it helps detect drift and misconfigurations in the target environment and provides evidence of ongoing compliance.<\/p>\n\n\n\n<p>14) <strong>What\u2019s the first rule set I should enable?<\/strong><br\/>\nStart with high-impact: public access checks (security groups\/storage), encryption, logging enablement, and mandatory tags.<\/p>\n\n\n\n<p>15) <strong>How do I operationalize findings?<\/strong><br\/>\nExport to SLS, set alert policies for critical findings, route to ticketing\/on-call, and measure MTTR for remediation.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Cloud Config<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Alibaba Cloud Config documentation<\/td>\n<td>Primary reference for concepts, supported resources, rules, APIs, and workflows: https:\/\/www.alibabacloud.com\/help\/en\/cloud-config\/<\/td>\n<\/tr>\n<tr>\n<td>Product page<\/td>\n<td>Cloud Config product page<\/td>\n<td>High-level positioning and entry into docs: https:\/\/www.alibabacloud.com\/ (search \u201cCloud Config\u201d on site)<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>Alibaba Cloud Pricing Calculator<\/td>\n<td>Estimate OSS\/SLS and related costs; Cloud Config billing varies by region: https:\/\/www.alibabacloud.com\/pricing\/calculator<\/td>\n<\/tr>\n<tr>\n<td>OSS documentation<\/td>\n<td>OSS docs<\/td>\n<td>Secure bucket configuration, encryption, lifecycle rules for delivery retention: https:\/\/www.alibabacloud.com\/help\/en\/oss\/<\/td>\n<\/tr>\n<tr>\n<td>Log Service documentation<\/td>\n<td>Log Service (SLS) docs<\/td>\n<td>Query, dashboards, alerting, and export patterns for compliance data: https:\/\/www.alibabacloud.com\/help\/en\/sls\/<\/td>\n<\/tr>\n<tr>\n<td>ActionTrail documentation<\/td>\n<td>ActionTrail docs<\/td>\n<td>Combine API auditing with Cloud Config change history: https:\/\/www.alibabacloud.com\/help\/en\/actiontrail\/<\/td>\n<\/tr>\n<tr>\n<td>RAM documentation<\/td>\n<td>Resource Access Management (RAM) docs<\/td>\n<td>Least privilege design and role separation for governance: https:\/\/www.alibabacloud.com\/help\/en\/ram\/<\/td>\n<\/tr>\n<tr>\n<td>Architecture resources<\/td>\n<td>Alibaba Cloud Architecture Center<\/td>\n<td>Patterns for governance\/logging (availability varies by portal region): https:\/\/www.alibabacloud.com\/solutions\/architecture<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Alibaba Cloud 
Blog (search Cloud Config)<\/td>\n<td>Practical walkthroughs and patterns; validate against official docs: https:\/\/www.alibabacloud.com\/blog<\/td>\n<\/tr>\n<tr>\n<td>Video resources<\/td>\n<td>Alibaba Cloud YouTube channel \/ webinars<\/td>\n<td>Product overviews and demos; search \u201cAlibaba Cloud Config\u201d: https:\/\/www.youtube.com\/@AlibabaCloud<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>DevOpsSchool.com<\/strong><br\/>\n   &#8211; Suitable audience: DevOps engineers, SREs, cloud engineers, platform teams<br\/>\n   &#8211; Likely learning focus: DevOps, cloud operations, governance fundamentals, automation<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>ScmGalaxy.com<\/strong><br\/>\n   &#8211; Suitable audience: DevOps and SCM learners, build\/release engineers<br\/>\n   &#8211; Likely learning focus: software configuration management, CI\/CD, DevOps toolchains<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n<li>\n<p><strong>CloudOpsNow.in<\/strong><br\/>\n   &#8211; Suitable audience: cloud operations and platform operations learners<br\/>\n   &#8211; Likely learning focus: cloud ops practices, monitoring, operational governance<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.cloudopsnow.in\/<\/p>\n<\/li>\n<li>\n<p><strong>SreSchool.com<\/strong><br\/>\n   &#8211; Suitable audience: SREs, operations engineers, reliability-focused teams<br\/>\n   &#8211; Likely learning focus: SRE principles, reliability engineering, incident response<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.sreschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>AiOpsSchool.com<\/strong><br\/>\n   
&#8211; Suitable audience: operations teams exploring AIOps and automation<br\/>\n   &#8211; Likely learning focus: AIOps concepts, event correlation, automation patterns<br\/>\n   &#8211; Mode: check website<br\/>\n   &#8211; Website: https:\/\/www.aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>RajeshKumar.xyz<\/strong><br\/>\n   &#8211; Likely specialization: DevOps\/cloud training and guidance (verify offerings)<br\/>\n   &#8211; Suitable audience: engineers seeking practical mentoring<br\/>\n   &#8211; Website: https:\/\/rajeshkumar.xyz\/<\/p>\n<\/li>\n<li>\n<p><strong>devopstrainer.in<\/strong><br\/>\n   &#8211; Likely specialization: DevOps training programs (verify specific cloud coverage)<br\/>\n   &#8211; Suitable audience: beginners to intermediate DevOps practitioners<br\/>\n   &#8211; Website: https:\/\/www.devopstrainer.in\/<\/p>\n<\/li>\n<li>\n<p><strong>devopsfreelancer.com<\/strong><br\/>\n   &#8211; Likely specialization: freelance DevOps consulting\/training resources (verify services)<br\/>\n   &#8211; Suitable audience: teams needing short-term expert help<br\/>\n   &#8211; Website: https:\/\/www.devopsfreelancer.com\/<\/p>\n<\/li>\n<li>\n<p><strong>devopssupport.in<\/strong><br\/>\n   &#8211; Likely specialization: DevOps support and training resources (verify scope)<br\/>\n   &#8211; Suitable audience: teams needing operational support guidance<br\/>\n   &#8211; Website: https:\/\/www.devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>cotocus.com<\/strong><br\/>\n   &#8211; Likely service area: cloud\/DevOps consulting (verify exact practice)<br\/>\n   &#8211; Where they may help: landing zones, operations processes, governance rollouts<br\/>\n   &#8211; Consulting use case examples: Cloud governance baseline design, logging and monitoring setups, automation for remediation workflows<br\/>\n   &#8211; Website: https:\/\/cotocus.com\/<\/p>\n<\/li>\n<li>\n<p><strong>DevOpsSchool.com<\/strong><br\/>\n   &#8211; Likely service area: DevOps and cloud consulting\/training services (verify)<br\/>\n   &#8211; Where they may help: DevOps transformation, cloud migrations, platform engineering practices<br\/>\n   &#8211; Consulting use case examples: building governance-as-code practices, operational maturity models, cost optimization process setup<br\/>\n   &#8211; Website: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n<li>\n<p><strong>DEVOPSCONSULTING.IN<\/strong><br\/>\n   &#8211; Likely service area: DevOps consulting services (verify)<br\/>\n   &#8211; Where they may help: CI\/CD, automation, cloud operations, governance frameworks<br\/>\n   &#8211; Consulting use case examples: integrating compliance signals into ITSM, setting up centralized logging and alerts, defining remediation runbooks<br\/>\n   &#8211; Website: https:\/\/www.devopsconsulting.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Cloud Config<\/h3>\n\n\n\n<p>To use Cloud Config effectively, you should understand:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud fundamentals<\/strong>: accounts, regions, VPC basics, ECS basics<\/li>\n<li><strong>RAM<\/strong>: users, roles, policies, least privilege<\/li>\n<li><strong>Networking security basics<\/strong>: CIDR, security groups, public\/private exposure<\/li>\n<li><strong>Logging fundamentals<\/strong>: what to log, retention, alerting concepts<\/li>\n<li><strong>Migration &amp; O&amp;M Management basics<\/strong>: change management, drift, incident response<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Cloud Config<\/h3>\n\n\n\n<p>To operationalize Cloud Config findings:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ActionTrail + Log Service correlation<\/strong> for incident investigations<\/li>\n<li><strong>Automation\/remediation<\/strong> patterns (runbooks, change workflows)<\/li>\n<li><strong>Policy-as-code<\/strong> practices (versioning, CI for rules, testing)<\/li>\n<li><strong>Compliance programs<\/strong>: evidence, exception management, control mapping<\/li>\n<li><strong>Cost management<\/strong>: tagging strategy, showback\/chargeback, storage lifecycle<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud engineer \/ cloud ops engineer<\/li>\n<li>DevOps engineer \/ SRE<\/li>\n<li>Cloud security engineer<\/li>\n<li>Platform engineer<\/li>\n<li>Governance &amp; compliance engineer<\/li>\n<li>Solutions architect (designing landing zones and guardrails)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certification availability changes by region and program. 
A practical path:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with Alibaba Cloud fundamentals certifications (if available)<\/li>\n<li>Add security\/governance-focused learning (RAM, audit, logging)<\/li>\n<li>Build hands-on projects using Cloud Config + OSS\/SLS + ActionTrail<\/li>\n<\/ul>\n\n\n\n<p><strong>Verify current Alibaba Cloud certification tracks<\/strong> on the official Alibaba Cloud certification portal.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a baseline compliance pack (or equivalent rule set) for:\n<ul>\n<li>public access<\/li>\n<li>encryption<\/li>\n<li>required tags<\/li>\n<\/ul>\n<\/li>\n<li>Export compliance results to SLS and create:\n<ul>\n<li>dashboards for compliance trends<\/li>\n<li>alerts for critical findings<\/li>\n<\/ul>\n<\/li>\n<li>Implement a monthly audit report pipeline:\n<ul>\n<li>OSS archive + lifecycle<\/li>\n<li>evidence retention policy<\/li>\n<\/ul>\n<\/li>\n<li>Create a \u201cmigration readiness\u201d checklist:\n<ul>\n<li>pre-cutover compliance evaluation<\/li>\n<li>post-cutover drift monitoring<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Config<\/strong>: Alibaba Cloud service for resource configuration tracking and compliance evaluation.<\/li>\n<li><strong>Configuration Item (CI)<\/strong>: A recorded representation of a resource\u2019s configuration at a point in time.<\/li>\n<li><strong>Managed Rule<\/strong>: Prebuilt compliance rule provided by Alibaba Cloud.<\/li>\n<li><strong>Custom Rule<\/strong>: A user-defined compliance rule (implementation depends on Cloud Config features\u2014verify).<\/li>\n<li><strong>Compliance Evaluation<\/strong>: The process of checking a resource against a rule and producing a result.<\/li>\n<li><strong>Delivery Channel<\/strong>: A configured export path that delivers snapshots\/results to OSS and\/or Log Service.<\/li>\n<li><strong>OSS (Object Storage Service)<\/strong>: Alibaba Cloud object storage service used for durable archival.<\/li>\n<li><strong>SLS (Log Service)<\/strong>: Alibaba Cloud log analytics service used for search, alerting, and dashboards.<\/li>\n<li><strong>RAM (Resource Access Management)<\/strong>: Alibaba Cloud IAM service for users, roles, and policies.<\/li>\n<li><strong>Service-linked role<\/strong>: A managed IAM role that allows a service to access other resources securely.<\/li>\n<li><strong>Configuration Drift<\/strong>: When actual deployed configurations diverge from the intended standard over time.<\/li>\n<li><strong>Least Privilege<\/strong>: Security principle of granting only the permissions required to perform a task.<\/li>\n<li><strong>Evidence Retention<\/strong>: Keeping historical records long enough to satisfy audit and compliance needs.<\/li>\n<li><strong>Exception<\/strong>: A documented, approved deviation from a compliance rule for a defined time and purpose.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. 
Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Cloud Config<\/strong> is a governance service in the <strong>Migration &amp; O&amp;M Management<\/strong> domain that continuously inventories supported resources, tracks configuration changes, and evaluates compliance using managed and custom rules. It matters because it reduces misconfiguration risk, improves audit readiness, and provides operational visibility into drift\u2014especially during migrations and day\u20112 operations.<\/p>\n\n\n\n<p>Cost control and security with Cloud Config depend on a few deliberate choices:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Control cost by tuning rule evaluation frequency and carefully selecting which data is exported to <strong>OSS<\/strong> and <strong>Log Service (SLS)<\/strong>.<\/li>\n<li>Secure the service by enforcing least privilege in <strong>RAM<\/strong>, protecting delivery destinations, and restricting who can disable rules or delivery channels.<\/li>\n<\/ul>\n\n\n\n<p>Use Cloud Config when you need continuous posture visibility and evidence; pair it with <strong>ActionTrail<\/strong> for identity-level audit logs and with <strong>OSS\/SLS<\/strong> for retention and analytics. 
Next, expand from the lab by adding a baseline rule set, establishing alerting for critical findings, and building a remediation workflow with clear ownership and exceptions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Migration &#038; O&#038;M Management<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,19],"tags":[],"class_list":["post-112","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-migration-o-m-management"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=112"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/112\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}