| ack-cluster-encryption-enabled | ACK Cluster Secret Encryption Enabled | ACK Pro clusters should have Secret encryption at rest enabled using KMS. |
| ack-cluster-inspect-kubelet-version-outdate-check | ACK Kubelet Version Check | Ensures the Kubelet version in the ACK cluster is up to date. |
| ack-cluster-log-plugin-installed | ACK Cluster Log Plugin Installed | Ensures the log-service addon is installed in the ACK cluster. |
| ack-cluster-rrsa-enabled | ACK Cluster RRSA Enabled | Ensures that the RAM Roles for Service Accounts (RRSA) feature is enabled for the ACK cluster. |
| ack-cluster-supported-version | ACK Cluster Supported Version | Ensures that the ACK cluster is running a supported version. |
| ack-cluster-upgrade-latest-version | ACK Cluster Upgraded to Latest Version | Ensures that the ACK cluster is running the latest available version. |
| adb-cluster-multi-zone | ADB Cluster Multi-Zone Deployment | The ADB cluster should be deployed in multi-zone mode. |
| alb-all-listenter-has-server | ALB Listener Has Backend Server | Ensures all ALB listeners are associated with a non-empty server group. |
| alb-instance-bind-security-group-or-enabled-acl | ALB Instance Bind Security Group or Enable ACL | ALB instance should have security groups associated or ACL configured for all running listeners. |
| alb-server-group-multi-zone | ALB Server Group Multi-Zone Distribution | ALB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP/Function Compute type server groups. |
| alidns-domain-regex-match | Alibaba Cloud DNS Domain Names Match Naming Convention | Ensures that Alibaba Cloud DNS domain names match the specified naming convention regex. |
| api-gateway-api-auth-jwt | API Gateway API Auth JWT | Ensures API Gateway APIs use JWT authentication. |
| api-gateway-api-auth-required | API Gateway API Auth Required | Ensures API Gateway APIs have authentication configured. |
| api-gateway-api-internet-request-https | API Gateway Internet Request HTTPS Enabled | Ensures that API Gateway APIs exposed to the internet use HTTPS protocol. |
| api-gateway-api-visibility-private | API Gateway API Visibility Private | Ensures API Gateway APIs are set to PRIVATE visibility. |
| api-gateway-group-bind-domain | API Gateway Group Bind Domain | Ensures API Gateway groups have custom domains bound. |
| api-gateway-group-enabled-ssl | API Gateway Group SSL Enabled | Ensures that SSL is enabled for API Gateway groups. |
| api-gateway-group-https-policy-check | API Gateway Group HTTPS Policy Check | Ensures API Gateway groups have HTTPS security policy set correctly. |
| api-gateway-group-log-enabled | API Gateway Group Log Enabled | Ensures API Gateway groups have logging configured. |
| apigateway-instance-multi-zone | API Gateway Instance Multi-Zone Deployment | API Gateway instances should be deployed in multi-zone configuration for high availability. |
| bastionhost-instance-spec-check | BastionHost Instance Multi-Zone Spec Check | The BastionHost instance should use the Enterprise version which supports multi-zone deployment. |
| cen-cross-region-bandwidth-check | CEN Cross-Region Bandwidth Check | CEN instance cross-region connections should have sufficient bandwidth allocation to meet performance requirements. |
| clickhouse-dbcluster-multi-zone | ClickHouse DBCluster Multi-Zone Deployment | ClickHouse clusters should use the HighAvailability (Double-replica) edition for multi-zone deployment. Note: This applies only to community edition. |
| cr-instance-multi-zone | CR Instance with Zone-Redundant OSS Bucket | Container Registry instances should be associated with zone-redundant OSS buckets for high availability. |
| ecs-disk-all-encrypted-by-kms | ECS disk with KMS encryption enabled | ECS disks (including the system disk and data disks) that are encrypted with KMS are considered compliant. |
| ecs-disk-encrypted | ECS data disk encryption enabled | An ECS data disk with encryption enabled is considered compliant. |
| ecs-disk-in-use | ECS disk is in use | ECS disks that are attached to an instance or in the In Use state are considered compliant. Disks that are available or unattached may be idle resources. |
| ecs-disk-retain-auto-snapshot | Retain auto snapshot when ECS disk is released | ECS disks configured to retain auto snapshots when released are considered compliant. This helps protect data from accidental deletion. |
| ecs-in-use-disk-encrypted | ECS In-Use Disk Encryption | ECS data disks should have encryption enabled to protect data at rest. Encrypted disks use KMS keys to encrypt data, ensuring data security and compliance with regulatory requirements. |
| ecs-instance-auto-renewal-enabled | ECS subscription instance has auto-renewal enabled | ECS subscription (prepaid) instances with auto-renewal enabled are considered compliant. Pay-as-you-go instances are not applicable. |
| ecs-instance-image-expired-check | ECS Instance Image Expired Check | Ensures that the image used by the ECS instance has not expired. |
| ecs-instance-image-type-check | ECS Instance Image Type Check | Ensures ECS instances use images from authorized sources. |
| ecs-instance-login-use-keypair | ECS Instance Login Using Key Pair | Ensures that ECS instances use key pairs for login instead of passwords. |
| ecs-instance-meta-data-mode-check | ECS instance metadata access uses security-enhanced mode (IMDSv2) | ECS instances that enforce security-enhanced mode (IMDSv2) for metadata access are considered compliant. Instances associated with ACK clusters are not applicable. |
| ecs-instance-no-public-and-anyip | ECS Instance Should Not Bind Public IP or Allow Any IP Access | ECS instances should not directly bind IPv4 public IPs or Elastic IPs, and associated security groups should not expose 0.0.0.0/0. Compliant when no public IP is bound. |
| ecs-instance-not-bind-key-pair | ECS Instance Not Bound to Key Pair | Ensures that ECS instances use key pairs for authentication instead of passwords. |
| ecs-instance-type-family-not-deprecated | ECS Instance Type Not Deprecated | Ensures ECS instances do not use deprecated or legacy instance types. |
| ecs-instances-in-vpc | ECS Instances in VPC | ECS instances should be deployed in VPC (Virtual Private Cloud) networks rather than classic networks. VPC provides better network isolation, security, and flexibility. |
| ecs-internetmaxbandwidth-check | ECS Internet Max Bandwidth Check | Ensures ECS internet outbound bandwidth does not exceed specified limits. |
| ecs-launch-template-network-type-check | ECS launch template uses VPC network type | ECS launch template versions with the network type set to VPC are considered compliant. The classic network type is not recommended for production environments. |
| ecs-launch-template-version-data-disk-encrypted | ECS launch template version enables data disk encryption | ECS launch template versions in which all configured data disks are encrypted are considered compliant. |
| ecs-launch-template-version-image-type-check | Launch Template Image Type Check | Ensures ECS launch templates use authorized image types. |
| ecs-running-instances-in-vpc | Running ECS instances are in VPC | Running ECS instances deployed in a Virtual Private Cloud (VPC) are considered compliant. This provides network isolation and enhanced security. |
| ecs-snapshot-policy-timepoints-check | ECS auto snapshot policy timepoints configured reasonably | An auto snapshot policy whose snapshot creation timepoints fall within the specified time range is considered compliant. Creating a snapshot temporarily reduces block storage I/O performance (generally by less than 10%), causing brief slowdowns, so it is recommended to choose timepoints that avoid business peak hours. |
| eip-delete-protection-enabled | EIP Deletion Protection Enabled | Ensures that EIP instances have deletion protection enabled. |
| elasticsearch-instance-enabled-data-node-encryption | Elasticsearch Data Node Encryption Enabled | Ensures that data nodes in the Elasticsearch instance have disk encryption enabled. |
| elasticsearch-instance-enabled-node-config-disk-encryption | ES Node Config Disk Encryption | Ensures Elasticsearch elastic node configurations have disk encryption enabled. |
| elasticsearch-instance-multi-zone | Elasticsearch Instance Multi-Zone Deployment | Elasticsearch instances should be deployed across multiple availability zones. |
| emr-cluster-master-public-access-check | EMR Cluster Master Node Public Access Check | EMR on ECS cluster master nodes should not have public IP enabled. |
| ess-group-health-check | ESS Scaling Group Health Check | ESS scaling groups should enable ECS instance health check to ensure only healthy instances are in service. |
| ess-scaling-configuration-attach-security-group | ESS Scaling Configuration Security Group | ESS scaling configurations should attach security groups to instances for proper network isolation and access control. |
| ess-scaling-configuration-enabled-internet-check | ESS Scaling Configuration Internet Access Check | Ensures that ESS scaling configurations do not enable public IP addresses for instances unless necessary. |
| ess-scaling-configuration-image-check | ESS Scaling Configuration Image Check | ESS scaling configurations should use maintained images to ensure security and stability. |
| ess-scaling-configuration-image-type-check | ESS Scaling Configuration Image Type Check | ESS scaling configurations should use images from specified sources for better security and management. |
| ess-scaling-group-attach-multi-switch | ESS Scaling Group Multi-VSwitch | ESS scaling groups should be associated with at least two VSwitches for high availability across multiple zones. |
| ess-scaling-group-attach-slb | ESS Scaling Group Attach SLB | ESS scaling groups should be attached to Classic Load Balancer (SLB) for proper traffic distribution. |
| ess-scaling-group-loadbalancer-check | ESS Scaling Group Load Balancer Existence Check | ESS scaling groups should be attached to existing and active Load Balancer instances for proper traffic distribution. |
| fc-function-custom-domain-and-cert-enable | FC Function Custom Domain Certificate Check | FC custom domains should have SSL certificates configured for secure communication. |
| fc-function-custom-domain-and-https-enable | FC Function Custom Domain HTTPS Check | FC custom domains should have HTTPS enabled for secure communication. |
| fc-function-custom-domain-and-tls-enable | FC Function Custom Domain and TLS Enabled | Ensures that custom domains for Function Compute functions have TLS enabled. |
| fc-function-internet-and-custom-domain-enable | FC Service Internet Access with Custom Domain | FC services with internet access should be bound to custom domains for proper access control. |
| fc-function-settings-check | FC Function Settings Check | FC function settings should meet specified requirements for optimal performance and security. |
| fc-service-bind-role | FC Service Bound to RAM Role | Ensures that the Function Compute service has a RAM role bound to it. |
| fc-service-internet-access-disable | FC Service Internet Access Disabled | Ensures that the Function Compute service has internet access disabled when it should only access internal resources. |
| fc-service-log-enable | FC Service Log Enable | FC services should have logging enabled for monitoring and troubleshooting. |
| fc-service-tracing-enable | FC Service Tracing Enable | FC services should have tracing enabled for performance monitoring and debugging. |
| fc-service-vpc-binding | FC Service VPC Binding Enabled | Ensures that the Function Compute service is configured to access resources within a VPC. |
| firewall-asset-open-protect | Cloud Firewall Asset Protection Enabled | Ensures assets are protected by Cloud Firewall. |
| gpdb-instance-multi-zone | GPDB Instance Multi-Zone Deployment | GPDB instances should be deployed with a standby zone for high availability. |
| gwlb-loadbalancer-multi-zone | GWLB LoadBalancer Multi-Zone Deployment | GWLB LoadBalancer instances should be deployed across at least two availability zones for high availability. |
| hbase-cluster-deletion-protection | HBase Cluster Deletion Protection Enabled | Ensures that HBase clusters have deletion protection enabled. |
| hbase-cluster-in-vpc | HBase Cluster in VPC | Ensures that the HBase cluster is deployed within a VPC. |
| hbase-cluster-multi-zone | HBase Cluster Multi-Zone Deployment | HBase clusters should be deployed in cluster mode with at least 2 nodes for high availability. |
| internet-nat-gateway-in-specified-vpc | Internet NAT Gateway in Specified VPC | Internet-facing NAT gateways should be created in specified VPCs according to network security requirements. |
| intranet-nat-gateway-in-specified-vpc | Intranet NAT Gateway in Specified VPC | Intranet-facing NAT gateways should be created in specified VPCs according to network security requirements. |
| kafka-instance-multi-zone | Kafka Instance Multi-Zone Deployment | Kafka instances should be deployed across multiple availability zones for high availability. |
| kms-instance-multi-zone | KMS Instance Multi-Zone Deployment | KMS instances should be deployed across at least two availability zones for high availability and disaster recovery. |
| kms-key-delete-protection-enabled | KMS key deletion protection enabled | A KMS master key with deletion protection enabled is considered compliant. Keys that are not in the Enabled state and service keys (which cannot be deleted) are not applicable. |
| kms-key-rotation-enabled | KMS key automatic rotation enabled | A KMS user master key with automatic rotation enabled is considered compliant. Service keys and externally imported keys are not applicable. |
| kms-secret-rotation-enabled | KMS secret automatic rotation enabled | A KMS secret with automatic rotation enabled is considered compliant. Generic secrets are not applicable. |
| lindorm-instance-in-vpc | Lindorm in VPC Check | Ensures Lindorm instances are deployed within a VPC. |
| lindorm-instance-multi-zone | Lindorm Instance Multi-Zone Deployment | Lindorm instances should be configured for multi-zone deployment with at least 4 LindormTable nodes for high availability. |
| mongodb-instance-enabled-ssl | MongoDB Instance SSL Enabled | Ensures MongoDB instances have SSL encryption enabled. |
| mongodb-instance-encryption-byok-check | MongoDB Instance Uses Custom Key for TDE | Ensures MongoDB instances use custom KMS keys for Transparent Data Encryption (TDE). |
| mongodb-instance-in-vpc | MongoDB Instance Uses VPC Network | Ensures MongoDB instances are deployed in a Virtual Private Cloud (VPC) network. |
| mongodb-instance-log-audit | MongoDB Instance Log Audit Enabled | Ensures MongoDB instances have audit logging enabled. |
| mongodb-instance-multi-node | MongoDB Instance Uses Multiple Nodes | Ensures MongoDB instances are deployed with multiple nodes for high availability. |
| mongodb-instance-multi-zone | MongoDB Instance Multi-Zone Deployment | MongoDB instances should be deployed across multiple availability zones for high availability. |
| mongodb-instance-release-protection | MongoDB Instance Release Protection Enabled | Ensures that MongoDB instances have release protection enabled. |
| mse-cluster-config-auth-enabled | MSE Cluster Config Auth Enabled | Ensures that the Microservices Engine (MSE) cluster configuration center has authentication enabled. |
| mse-cluster-multi-availability-area-architecture-check | MSE Cluster High-Availability Configuration | MSE clusters should use the Professional Edition with at least 3 instances (odd number) for high availability. |
| mse-cluster-stable-version-check | MSE Cluster Uses Stable Version | Ensures that the MSE cluster engine version is greater than the minimum stable version. |
| mse-gateway-multi-availability-area-architecture-check | MSE Gateway Multi-Availability Zone Deployment | MSE gateways should be deployed across multiple availability zones by configuring a backup VSwitch. |
| nas-filesystem-mount-target-access-group-check | NAS Mount Target Access Group Check | Ensures NAS mount targets do not use the 'DEFAULT_VPC_GROUP_NAME'. |
| natgateway-delete-protection-enabled | NAT Gateway Deletion Protection Enabled | Ensures that NAT Gateways have deletion protection enabled. |
| natgateway-eip-used-check | NAT Gateway EIP Usage Check | SNAT and DNAT should not use the same EIP to avoid potential conflicts and improve network segmentation. |
| natgateway-snat-eip-bandwidth-check | NAT Gateway SNAT EIP Bandwidth Consistency | When SNAT entries are bound to multiple EIPs, the bandwidth peak settings should be consistent or they should be added to a shared bandwidth package. |
| nlb-loadbalancer-multi-zone | NLB LoadBalancer Multi-Zone Deployment | NLB LoadBalancer instances should be deployed across at least two availability zones for high availability. |
| nlb-server-group-multi-zone | NLB Server Group Multi-Zone Distribution | NLB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP type server groups. |
| oss-bucket-authorize-specified-ip | OSS Bucket Authorize Specified IP | Ensures OSS bucket policies restrict access to specified IP ranges. |
| oss-bucket-backup-enable | OSS Backup Enabled | Ensures OSS buckets have backup or versioning enabled. |
| oss-bucket-logging-enabled | OSS Bucket Logging Enabled | OSS buckets should have logging enabled to track access and operations. Logging helps with security auditing, troubleshooting, and compliance requirements. |
| oss-bucket-remote-replication | OSS Bucket Remote Replication Enabled | Ensures that cross-region replication is enabled for the OSS bucket for disaster recovery. |
| oss-bucket-tls-version-check | OSS Bucket TLS Version Check | Ensures that the OSS bucket is configured to use a secure version of TLS (TLS 1.2 or higher). |
| oss-bucket-versioning-enabled | OSS Bucket Versioning Enabled | OSS bucket should have versioning enabled to protect against accidental deletion or overwriting. |
| oss-default-encryption-kms | OSS bucket server-side KMS encryption enabled | An OSS bucket with server-side KMS encryption enabled is considered compliant. |
| oss-encryption-byok-check | OSS Bucket BYOK Encryption Check | OSS buckets should use customer-managed KMS keys (BYOK - Bring Your Own Key) for encryption. This provides better control over encryption keys and meets compliance requirements. |
| oss-zrs-enabled | OSS Bucket Zone-Redundant Storage Enabled | OSS buckets should use zone-redundant storage (ZRS) for high availability and data durability. |
| ots-instance-multi-zone | OTS Instance Zone-Redundant Storage | Ensures Tablestore (OTS) instances use zone-redundant storage for high availability. |
| ots-instance-network-not-normal | OTS Restricted Network Type | Ensures Table Store (OTS) instances do not use the 'Normal' (unrestricted) network type. |
| pai-eas-instances-multi-zone | PAI EAS Instance Multi-Zone Deployment | Ensures that PAI EAS instances are deployed across multiple zones for high availability. |
| polardb-cluster-default-time-zone-not-system | PolarDB Cluster Default Time Zone Not System | Ensures PolarDB cluster default time zone is not set to SYSTEM. |
| polardb-cluster-delete-protection-enabled | PolarDB Cluster Deletion Protection Enabled | Ensures that PolarDB clusters have deletion protection enabled. |
| polardb-cluster-enabled-ssl | PolarDB Cluster SSL Enabled | Ensures PolarDB clusters have SSL encryption enabled. |
| polardb-cluster-multi-zone | PolarDB Cluster Multi-Zone Deployment | PolarDB clusters should be deployed across multiple availability zones for high availability. |
| polardb-dbcluster-in-vpc | PolarDB Cluster in VPC | Ensures that the PolarDB cluster is deployed in a VPC. |
| polardb-revision-version-used-check | PolarDB Revision Version Used Check | Ensures that the PolarDB cluster is using a stable kernel revision version. |
| polardb-x2-instance-multi-zone | PolarDB-X 2.0 Instance Multi-Zone Deployment | PolarDB-X 2.0 instances should be deployed across 3 availability zones. |
| privatelink-server-endpoint-multi-zone | PrivateLink VPC Endpoint Service Multi-Zone Deployment | PrivateLink VPC endpoint services should have resources deployed across multiple availability zones for high availability. |
| privatelink-servier-endpoint-multi-zone | PrivateLink Service Endpoint Multi-Zone Deployment | Ensures that PrivateLink service endpoints are deployed across multiple zones for high availability. |
| ram-password-policy-check | RAM Password Policy Check | Ensures that the RAM password policy meets the specified security requirements. |
| ram-policy-no-has-specified-document | RAM Policy No Specified Document | Ensures custom RAM policies do not contain the specified permission configuration. |
| ram-role-has-specified-policy | RAM Role Has Specified Policy | Ensures RAM roles have the specified policies attached. |
| ram-role-no-product-admin-access | RAM Role No Product Admin Access | Ensures RAM roles do not have full administrative access or product administrator permissions. |
| ram-user-activated-ak-quantity-check | RAM User Active AK Quantity Check | Ensures RAM users do not have more than one active AccessKey. |
| ram-user-ak-create-date-expired-check | RAM User AccessKey Creation Date Expired Check | Ensures that RAM user AccessKeys are not older than the specified number of days. |
| ram-user-ak-used-expired-check | RAM User AccessKey Last Used Date Check | Ensures that RAM user AccessKeys have been used within the specified number of days. |
| ram-user-has-specified-policy | RAM User Has Specified Policy | Ensures RAM users have the required policies attached, including those inherited from groups. |
| ram-user-login-check | RAM User Login Enabled Check | Ensures that RAM users who do not need console access have login disabled. |
| ram-user-no-has-specified-policy | RAM User No Specified Policy | Ensures RAM users do not have specified risky policies attached. |
| ram-user-no-product-admin-access | RAM User No Product Administrative Access | Ensures that RAM users do not have full administrative access to cloud products unless necessary. |
| ram-user-role-no-product-admin-access | RAM User Role No Product Admin Access | Ensures RAM user-defined roles do not have product administrative permissions. |
| ram-user-specified-permission-bound | RAM User Specified Permission Bound | Ensures RAM users do not have specified high-risk permissions bound. |
| rds-instacne-delete-protection-enabled | RDS Instance Deletion Protection Enabled | Ensures that RDS instances have deletion protection enabled. |
| rds-instance-enabled-auditing | RDS Instance Auditing Enabled | Ensures RDS instances have SQL auditing enabled. |
| rds-instance-enabled-log-backup | RDS Instance Log Backup Enabled | Ensures RDS instances have log backup enabled. |
| rds-instance-enabled-ssl | RDS Instance SSL Enabled | Ensures RDS instances have SSL encryption enabled. |
| rds-instance-enabled-tde-disk-encryption | RDS Instance Enabled TDE or Disk Encryption | RDS instance should have TDE (Transparent Data Encryption) or disk encryption enabled. |
| rds-instance-has-guard-instance | RDS Instance Has Guard Instance | Ensures production RDS instances have a corresponding guard (disaster recovery) instance. |
| rds-instances-in-vpc | RDS Instance in VPC | Ensures that the RDS instance is deployed within a VPC. |
| rds-multi-az-support | RDS Instance Multi-AZ Deployment | RDS instances should be deployed in multi-AZ configuration for high availability and automatic failover. |
| redis-architecturetype-cluster-check | Redis Architecture Type Cluster Check | Ensures that the Redis instance uses the cluster architecture type. |
| redis-instance-backup-log-enabled | Redis Instance Backup Log Enabled | Ensures that log backup is enabled for the Redis instance. |
| redis-instance-double-node-type | Redis Instance Double Node Type | Ensures that the Redis instance uses the double node type for high availability. |
| redis-instance-enabled-byok-tde | Redis Instance BYOK TDE Enabled | Ensures that Redis instances have Transparent Data Encryption (TDE) enabled using Bring Your Own Key (BYOK). |
| redis-instance-enabled-ssl | Redis Instance SSL Enabled | Ensures Redis instances have SSL encryption enabled. |
| redis-instance-in-vpc | Redis Instance in VPC | Ensures that the Redis instance is deployed in a VPC. |
| redis-instance-multi-zone | Redis Instance Multi-Zone Deployment | Redis instances should be deployed across multiple availability zones for high availability. |
| redis-instance-release-protection | Redis Instance Release Protection Enabled | Ensures that Redis instances have release protection enabled. |
| redis-instance-tls-version-check | Redis Instance TLS Version Check | Ensures that the Redis instance has SSL enabled with an acceptable TLS version. |
| redis-min-capacity-limit | Redis Min Capacity Limit | Ensures that the Redis instance's memory capacity meets the minimum requirement. |
| rocketmq-v5-instance-multi-zone | RocketMQ 5.0 Instance Multi-Zone Deployment | RocketMQ 5.0 instances should be deployed in Cluster HA mode which supports multi-zone availability. |
| security-center-version-check | Security Center Version Check | Security Center should be at a version that provides sufficient protection features. |
| slb-all-listener-enabled-acl | SLB All Listeners Have Access Control | All running listeners of SLB instances should have access control lists (ACL) configured for security. |
| slb-all-listener-http-disabled | SLB All Listeners HTTP Disabled | Ensures no SLB listeners use the insecure HTTP protocol. |
| slb-all-listener-http-redirect-https | SLB HTTP Redirect to HTTPS Enabled | Ensures SLB HTTP listeners are configured to redirect traffic to HTTPS. |
| slb-all-listenter-has-server | SLB All Listeners Have Backend Servers | All listeners of SLB instances should have at least the specified number of backend servers attached. |
| slb-all-listenter-tls-policy-check | SLB Listener TLS Policy Check | Ensures SLB HTTPS listeners use secure TLS cipher policies. |
| slb-default-server-group-multi-server | SLB Default Server Group Has Multiple Servers | The default server group of SLB instances should have at least two servers to avoid single point of failure. |
| slb-instance-autorenewal-check | SLB Instance Auto-Renewal Check | Prepaid SLB instances should have auto-renewal enabled to avoid service interruption. |
| slb-instance-default-server-group-multi-zone | SLB Default Server Group Multi-Zone | The default server group of SLB instances should have resources distributed across multiple availability zones. |
| slb-instance-log-enabled | SLB Instance Logging Enabled | Ensures that access logging is enabled for the SLB instance. |
| slb-instance-multi-zone | SLB Instance Multi-Zone Deployment | SLB instances should be deployed across multiple zones by configuring both master and slave zones for high availability. |
| slb-instance-spec-check | SLB Instance Specification Check | SLB instance specifications should meet the required performance criteria based on the specified list. |
| slb-listener-https-enabled | SLB Listener HTTPS Enabled | Ensures SLB listeners use HTTPS protocol for secure communication. |
| slb-loadbalancer-in-vpc | SLB in VPC Check | Ensures SLB instances are deployed within a Virtual Private Cloud (VPC). |
| slb-master-slave-server-group-multi-zone | SLB Master-Slave Server Group Multi-Zone | The master-slave server group of SLB instances should have resources distributed across multiple availability zones. |
| slb-no-public-ip | SLB Instance No Public IP | SLB instances should not have public IP addresses to reduce attack surface. |
| slb-vserver-group-multi-zone | SLB VServer Group Multi-Zone Deployment | Ensures that SLB virtual server groups contain instances from multiple availability zones. |
| sls-logstore-enabled-encrypt | SLS Logstore Encryption Enabled | Ensures SLS Logstores have server-side encryption enabled. |
| sls-logstore-encrypt-key-origin-check | SLS Logstore Encryption Key Origin Check | Ensures SLS Logstores use externally imported key material (BYOK) for encryption, which provides better control over encryption keys. |
| sls-project-multi-zone | SLS Project Zone-Redundant Storage | SLS projects should use zone-redundant storage (ZRS) for high availability and data durability. |
| vpc-flow-logs-enabled | VPC Flow Logs Enabled | Ensures VPC flow logs are enabled for monitoring network traffic. |
| vpc-network-acl-not-empty | VPC Network ACL Not Empty | Ensures VPC Network ACLs have at least one rule configured. |
| vpn-connection-master-slave-established | VPN Connection Dual Tunnel Established | Ensures that a dual-tunnel VPN gateway is used and that both the master and slave tunnels are established with the peer. |
| vpn-gateway-multi-zone | VPN Gateway Multi-Zone Deployment | VPN Gateways should be configured with a disaster recovery VSwitch to support multi-zone availability. |
| vswitch-available-ip-count | VSwitch Available IP Count Check | Ensures that the VSwitch has a sufficient number of available IP addresses. |
| waf-instance-logging-enabled | WAF Instance Logging Enabled | Ensures that logging is enabled for the WAF instance for auditing and security analysis. |
| waf3-defense-resource-logging-enabled | WAF 3.0 Logging Enabled | Ensures that logging is enabled for resources protected by WAF 3.0. |