Aliyun Rules

Total rules: 392

Rules by Severity

High Severity (119 Rules)

| Rule ID | Name | IaC Types | Description |
| --- | --- | --- | --- |
| ack-cluster-node-multi-zone | ACK Cluster Multi-Zone Deployment | ROS, Terraform | The ACK cluster nodes should be distributed across 3 or more availability zones for high availability. |
| ack-cluster-node-pool-autoscaling-enabled | ACK cluster must configure worker VSwitches | ROS | Checks that the ACK cluster configures worker VSwitches. |
| ack-cluster-public-endpoint-check | ACK Cluster Public Endpoint Check | ROS, Terraform | ACK clusters should not have a public endpoint set, or the associated SLB listener should have ACL enabled. |
| acs-cluster-node-multi-zone | ACS Cluster Node Multi-Zone Deployment | ROS, Terraform | The ACS cluster nodes should be distributed across 3 or more availability zones for high availability. |
| actiontrail-enabled | ActionTrail Enabled | ROS, Terraform | Ensures ActionTrail is enabled to record account activities. |
| actiontrail-trail-intact-enabled | ActionTrail Trail Intact Enabled | ROS, Terraform | ActionTrail trail should be enabled and track all event types (Read and Write). |
| alb-acl-public-access-check | ALB ACL Does Not Allow Public Access | ROS, Terraform | Ensures that ALB access control lists do not contain 0.0.0.0/0 (allowing all IPs). |
| alb-all-listener-health-check-enabled | ALB All Listeners Health Check Enabled | ROS, Terraform | Ensures all ALB listeners have health checks enabled. |
| alb-delete-protection-enabled | ALB Instance Deletion Protection Enabled | ROS, Terraform | Ensures that ALB instances have deletion protection enabled. |
| alb-instance-multi-zone | ALB Instance Multi-Zone Deployment | ROS, Terraform | ALB instances should be deployed across multiple availability zones for high availability. If only one zone is selected, a zone failure will affect the ALB instance and business stability. |
| alb-instance-waf-enabled | ALB Instance Has WAF Protection | ROS, Terraform | Ensures that ALB instances have WAF3 (Web Application Firewall) protection enabled. |
| alb-server-group-multi-server | ALB Server Group Has Multiple Servers | ROS, Terraform | Ensures that ALB server groups contain at least two backend servers for high availability. |
| alidns-route-53-mx-check | DNS MX Record Has Valid SPF in Associated TXT Record | ROS, Terraform | Ensures that MX records have associated TXT records with valid SPF values for email validation. |
| api-gateway-group-force-https | API Gateway Group Force HTTPS | ROS, Terraform | Ensures API Gateway groups with public custom domains have HTTPS force redirect enabled. |
| bastionhost-instance-expired-check | BastionHost Instance Expiration Check | ROS, Terraform | Prepaid BastionHost instances should have auto-renewal enabled. |
| cdn-domain-multiple-origin-servers | CDN Domain Multiple Origin Servers | ROS, Terraform | CDN domains should be configured with multiple origin servers for high availability and fault tolerance. |
| cr-instance-any-ip-access-check | CR Instance No Any IP Access | ROS, Terraform | Ensures Container Registry instances do not have any IP (0.0.0.0/0) in their whitelist. |
| cr-repository-image-scanning-enabled | CR Instance Image Scanning Enabled | ROS, Terraform | Ensures Container Registry instances have image scanning enabled for security vulnerability detection. |
| cr-repository-type-private | CR Repository Type Private | ROS, Terraform | Ensures that CR repositories are set to PRIVATE. |
| dcdn-domain-multiple-origin-servers | DCDN Domain Multiple Origin Servers | ROS, Terraform | DCDN domains should be configured with multiple origin servers for high availability and fault tolerance. |
| eci-containergroup-environment-no-specified-keys | ECI Container Group Does Not Contain Sensitive Environment Variables | ROS, Terraform | Ensures that ECI container groups do not have sensitive environment variables like passwords or access keys. |
| ecs-available-disk-encrypted | ECS Disk Encryption Enabled | ROS, Terraform | Ensures that all ECS disks are encrypted. |
| ecs-instance-attached-security-group | ECS Instance Attached Security Group | ROS, Terraform | The configuration is considered compliant if the ECS instance is included in the specified security group. |
| ecs-instance-deletion-protection-enabled | ECS Instance Deletion Protection Enabled | ROS, Terraform | Ensures that ECS instances have deletion protection enabled. |
| ecs-instance-enabled-security-protection | ECS Instance Enabled Security Protection | ROS, Terraform | Ensures that ECS instances have the security enhancement strategy enabled. |
| ecs-instance-expired-check | ECS Prepaid Instance Expiration Check | ROS, Terraform | Prepaid instances should have auto-renewal enabled to avoid service interruption due to expiration. |
| ecs-instance-no-public-ip | ECS instance should not bind public IP | ROS, Terraform | ECS instances that do not directly bind an IPv4 public IP or Elastic IP are considered compliant. |
| ecs-launch-template-version-attach-security-group | ECS launch template version attaches security groups | ROS, Terraform | ECS launch template versions that configure security groups for instances are considered compliant. |
| ecs-running-instance-no-public-ip | ECS Instance No Public IP | ROS, Terraform | ECS instances should not have a public IP address, to reduce direct internet exposure. |
| ecs-security-group-egress-not-all-access | Security Group Egress Not Set to All Access | ROS, Terraform | Security group egress direction should not be set to allow all access (all protocols, all ports, all destinations). |
| ecs-security-group-not-internet-cidr-access | Security Group Ingress Source IP Not Include Public IP | ROS, Terraform | Security group ingress rules with an accept policy should not have a source IP range containing public internet IPs. |
| ecs-security-group-not-open-all-port | Security Group Ingress Not Open All Ports | ROS, Terraform | Security group ingress rules should not allow all ports. When the port range is not set to -1/-1, the rule is considered compliant. |
| ecs-security-group-not-open-all-protocol | Security Group Ingress Not Open All Protocols | ROS, Terraform | Security group ingress rules should not allow all protocols. When the protocol type is not set to ALL, the rule is considered compliant. |
| ecs-security-group-risky-ports-check-with-protocol | Security Group Risky Ports Check with Protocol | ROS, Terraform | When a security group ingress source is set to 0.0.0.0/0, the port range should not include risky ports (22, 3389) for the specified protocols (TCP/UDP), to reduce the risk of brute force attacks. |
| ecs-security-group-white-list-port-check | Security Group Non-Whitelist Port Ingress Check | ROS, Terraform | Except for whitelisted ports (80), other ports should not have ingress rules allowing access from 0.0.0.0/0. |
| elasticsearch-instance-enabled-kibana-public-check | Elasticsearch Instance Kibana Does Not Enable Public Access | ROS, Terraform | Ensures that Elasticsearch instance Kibana is not accessible from public networks. |
| elasticsearch-instance-enabled-public-check | Elasticsearch Instance Does Not Enable Public Access | ROS, Terraform | Ensures that Elasticsearch instances are not accessible from public networks. |
| elasticsearch-instance-node-not-use-specified-spec | Elasticsearch Instance Does Not Use Deprecated Spec | ROS, Terraform | Ensures that Elasticsearch instances do not use deprecated or unsupported node specifications. |
| elasticsearch-instance-version-not-deprecated | Elasticsearch Instance Does Not Use Deprecated Version | ROS, Terraform | Ensures that Elasticsearch instances are not using deprecated or EOL versions. |
| elasticsearch-public-and-any-ip-access-check | Elasticsearch Public and Any IP Access Check | ROS, Terraform | Ensures that Elasticsearch instances do not have public access enabled or an open whitelist. |
| ess-scaling-configuration-data-disk-encrypted | ESS Scaling Configuration Data Disk Encryption | ROS, Terraform | ESS scaling configurations should enable data disk encryption to protect data at rest. |
| ess-scaling-configuration-sg-public-access | ESS Scaling Configuration Security Group Public Access | ROS, Terraform | ESS scaling configuration security groups should not allow access from 0.0.0.0/0, to prevent unauthorized access. |
| ess-scaling-configuration-system-disk-encrypted | ESS Scaling Configuration System Disk Encryption | ROS, Terraform | ESS scaling configurations should enable system disk encryption. |
| ess-scaling-group-multi-vswitch-distribution | ESS Scaling Group Multi-VSwitch Distribution | ROS | ESS scaling groups should attach at least two VSwitches so instances can be distributed across zones for high availability. |
| fc-function-runtime-check | FC Function Runtime Check | ROS, Terraform | FC functions should not use deprecated runtimes that may have security vulnerabilities. |
| fc-trigger-http-not-anonymous | FC HTTP Trigger Authentication Check | ROS, Terraform | FC HTTP triggers should require authentication to prevent unauthorized access. |
| gpdb-instance-disk-encryption-enabled | GPDB Instance Disk Encryption Enabled | ROS, Terraform | GPDB instances should have disk encryption enabled using a KMS encryption key. |
| hbase-cluster-expired-check | HBase Prepaid Instance Expiration Check | ROS, Terraform | Prepaid HBase instances should have auto-renewal enabled. |
| hbase-cluster-ha-check | HBase Cluster High Availability Check | ROS, Terraform | HBase clusters should have at least 2 core instances for high availability. |
| kafka-instance-disk-encrypted | Kafka Instance Disk Encryption Enabled | ROS, Terraform | Kafka instances should have disk encryption enabled using KMS to protect data at rest. |
| kafka-instance-public-access-check | Kafka Instance Public Access Check | ROS, Terraform | Kafka instances should not be deployed with public access (deploy_type 5). Use VPC-only deployment (deploy_type 4) to restrict access to internal networks. |
| maxcompute-project-encryption-enabled | MaxCompute Project Encryption Enabled | ROS, Terraform | Ensures MaxCompute projects have encryption enabled to protect stored data. |
| maxcompute-project-ip-whitelist-enabled | MaxCompute Project IP Whitelist Enabled | ROS, Terraform | Ensures MaxCompute projects have an IP whitelist configured to restrict access. |
| mongodb-cluster-expired-check | MongoDB Instance Expiration Check | ROS, Terraform | Prepaid MongoDB instances should have auto-renewal enabled. |
| mongodb-instance-class-not-shared | MongoDB Instance Uses Dedicated Class | ROS, Terraform | Ensures MongoDB instances use dedicated or exclusive instance classes, not shared instances. |
| mongodb-min-maxconnections-limit | MongoDB Instance Minimum Connections Spec | ROS, Terraform | The MongoDB instance class should meet minimum connection requirements (not use the smallest spec). |
| mongodb-min-maxiops-limit | MongoDB Meets Minimum IOPS Requirements | ROS, Terraform | Ensures MongoDB instances provide at least the minimum required IOPS. |
| mongodb-public-access-check | MongoDB Instance Public Access Check | ROS, Terraform | The MongoDB instance security IP list should not contain 0.0.0.0/0, which allows access from any IP. |
| mongodb-public-and-any-ip-access-check | MongoDB Public and Any IP Access Check | ROS, Terraform | Ensures that MongoDB instances do not have an open whitelist (0.0.0.0/0). |
| mse-cluster-architecture-check | MSE Cluster Has Multiple Nodes | ROS, Terraform | Ensures that MSE (Microservice Engine) clusters have more than 3 nodes for high availability. |
| mse-cluster-internet-check | MSE Cluster Has No Public Internet Access | ROS, Terraform | Ensures that MSE clusters do not have public internet access enabled. |
| mse-gateway-architecture-check | MSE Gateway Has Multiple Nodes | ROS, Terraform | Ensures that MSE (Microservice Engine) gateways have more than 1 node for high availability. |
| nas-access-group-public-access-check | NAS Access Group IP Restriction | ROS, Terraform | Ensures that NAS access rules do not allow unrestricted access from all IP addresses (0.0.0.0/0). |
| nat-gateway-vpc-required | NAT Gateway must bind VPC | ROS | Checks that the NAT Gateway is bound to a VPC. |
| nat-risk-ports-check | NAT Gateway Risk Ports Check | ROS, Terraform | NAT gateway DNAT mappings should not expose risky ports to the internet, to prevent security vulnerabilities. |
| oss-bucket-anonymous-prohibited | OSS Bucket Anonymous Access Prohibited | ROS, Terraform | Ensures that anonymous access is prohibited for the OSS bucket. |
| oss-bucket-only-https-enabled | OSS Bucket Only HTTPS Enabled | ROS, Terraform | The OSS bucket should have a policy that denies non-HTTPS requests to ensure transport security. |
| oss-bucket-policy-no-any-anonymous | OSS bucket policy does not grant permissions to anonymous users | ROS, Terraform | The OSS bucket policy does not grant any read or write permissions to anonymous users. |
| oss-bucket-policy-outside-organization-check | OSS Bucket Policy No Outside Organization Access | ROS, Terraform | Ensures OSS bucket policies do not grant access to principals outside of the organization. |
| oss-bucket-public-read-prohibited | OSS Bucket Public Read Prohibited | ROS, Terraform | Ensures the OSS bucket ACL does not allow public read access. |
| oss-bucket-public-write-prohibited | OSS Bucket Public Write Prohibited | ROS, Terraform | OSS buckets should not allow public write access. Public write access allows anyone to upload, modify, or delete objects in the bucket, which poses significant security risks. |
| oss-bucket-server-side-encryption-enabled | OSS Bucket Server-Side Encryption Enabled | ROS, Terraform | Ensures the OSS bucket has server-side encryption enabled. |
| parameter-sensitive-noecho-check | Sensitive Parameters Must Have NoEcho | ROS | Template parameters that contain sensitive information (passwords, API keys, secrets) must be protected by either setting NoEcho to true or using valid AssociationProperty values, to prevent them from being displayed in plain text. |
| polardb-cluster-enabled-tde | PolarDB Cluster TDE Enabled | ROS, Terraform | Ensures PolarDB clusters have Transparent Data Encryption (TDE) enabled. |
| polardb-cluster-expired-check | PolarDB Cluster Expiration Check | ROS, Terraform | Prepaid PolarDB clusters should have auto-renewal enabled. |
| polardb-public-access-check | PolarDB Public Access Check | ROS, Terraform | Ensures PolarDB security_ips is not set to allow all source IPs (0.0.0.0/0). |
| polardb-public-and-any-ip-access-check | PolarDB Public and Any IP Access Check | ROS, Terraform | Ensures that PolarDB clusters do not have security_ips open to any IP address (0.0.0.0/0 or 0.0.0.0). |
| ram-policy-no-statements-with-admin-access-check | RAM Policy No Admin Access | ROS, Terraform | Ensures custom RAM policies do not grant full AdministratorAccess. |
| ram-user-mfa-check | RAM User MFA Enabled | ROS, Terraform | RAM users with console access should have multi-factor authentication (MFA) enabled. |
| ram-user-specified-permission-bound | RAM User Specified Permission Bound | ROS, Terraform | Ensures RAM users do not have the specified high-risk permissions bound. |
| rds-instance-enabled-disk-encryption | RDS Instance Disk Encryption Enabled | ROS, Terraform | Ensures RDS instances have disk encryption enabled. |
| rds-instance-expired-check | RDS Prepaid Instance Expiration Check | ROS, Terraform | Prepaid RDS instances should have auto-renewal enabled. |
| rds-instance-secondary-zone-required | RDS Instance Secondary Zone Required | ROS | RDS high-availability deployments should place the secondary instance in another zone. |
| rds-public-access-check | RDS Instance Public Access Check | ROS, Terraform | RDS instances should not be configured with public network addresses. Public access exposes databases to potential security threats from the internet. |
| rds-public-connection-and-any-ip-access-check | RDS Public Connection and Any IP Access Check | ROS, Terraform | Ensures that RDS instances do not have a completely unrestricted security IP whitelist. |
| rds-white-list-internet-ip-access-check | RDS Whitelist Internet Restriction | ROS, Terraform | Ensures RDS security IP whitelists do not contain 0.0.0.0/0 or 0.0.0.0. |
| redis-instance-expired-check | Redis Prepaid Instance Expiration Check | ROS, Terraform | Prepaid Redis instances should have auto-renewal enabled. |
| redis-instance-no-public-ip | Redis Instance No Public IP | ROS, Terraform | Ensures the Redis instance does not have a public IP assigned. |
| redis-instance-open-auth-mode | Redis Authentication Mode Enabled | ROS, Terraform | Ensures Redis instances require authentication and are not in 'no-password' mode. |
| redis-public-and-any-ip-access-check | Redis Public and Any IP Access Check | ROS, Terraform | Ensures that Redis instances do not have an open whitelist allowing access from any IP. |
| root-ak-check | Root User AccessKey Check | ROS | Ensures that the root account does not have active AccessKeys. |
| root-mfa-check | Root User MFA Check | ROS | Ensures that Multi-Factor Authentication (MFA) is enabled for the root account. |
| security-api-gateway-api-auth-required | API Gateway API must configure authentication | ROS | Checks that the API Gateway API has authentication configured. |
| security-ecs-disk-encrypted | ECS disk must enable encryption | ROS | Checks that the ECS disk has encryption enabled. |
| security-ecs-instance-no-public-ip | ECS instance must not allocate public IP | ROS | Checks ECS public exposure through a direct public IP, outbound bandwidth, or EIP association. |
| security-ecs-instance-security-group-required | ECS instance must attach a security group | ROS | Checks that the ECS instance attaches a security group. |
| security-ecs-instance-vpc-required | ECS instance must run in VPC | ROS | Checks that the ECS instance runs in a VPC. |
| security-group-vpc-required | Security group must bind VPC | ROS | Checks that the security group is bound to a VPC. |
| security-oss-bucket-encryption-configured | OSS bucket must configure server-side encryption | ROS | Checks that the OSS bucket has server-side encryption configured. |
| security-oss-bucket-private-acl | OSS bucket ACL must be private | ROS | Checks that the OSS bucket ACL is private. |
| security-ram-user-mfa-required | RAM user must require MFA | ROS | Checks that the RAM user requires MFA. |
| security-rds-instance-ssl-required | RDS instance must configure SSL | ROS | Checks that the RDS instance has SSL configured. |
| security-rds-instance-tde-enabled | RDS instance must enable TDE | ROS | Checks that the RDS instance has TDE enabled. |
| security-rds-instance-vpc-required | RDS instance must run in VPC | ROS | Checks that the RDS instance runs in a VPC. |
| security-redis-instance-vpc-required | Redis instance must run in VPC | ROS | Checks that the Redis instance runs in a VPC. |
| sg-public-access-check | Security Group Ingress Valid | ROS, Terraform | Security group ingress rules should not allow all ports (-1/-1) from all sources (0.0.0.0/0) simultaneously. |
| sg-risky-ports-check | Security group does not open risky ports to 0.0.0.0/0 | ROS, Terraform | When a security group ingress rule's source is set to 0.0.0.0/0, the port range should not include the specified risky ports; if it does not, the rule is considered compliant. If the source is not 0.0.0.0/0, the rule is compliant even if risky ports are included. |
| slb-acl-public-access-check | SLB ACL Public Access Check | ROS, Terraform | Ensures that SLB ACLs do not contain 0.0.0.0/0, to prevent unrestricted public access. |
| slb-all-listener-health-check-enabled | SLB All Listeners Health Check Enabled | ROS, Terraform | Ensures all SLB listeners have health checks enabled. |
| slb-all-listener-servers-multi-zone | SLB Multi-Zone with Multi-Zone Backend Servers | ROS, Terraform | SLB instances should be multi-zone, and all server groups used by listeners should have resources added from multiple zones. |
| slb-delete-protection-enabled | SLB Instance Deletion Protection Enabled | ROS, Terraform | Ensures that SLB instances have deletion protection enabled. |
| slb-listener-risk-ports-check | SLB Listener Risk Ports Check | ROS, Terraform | Ensures SLB listeners do not expose high-risk ports like 22 or 3389. |
| transit-router-vpc-attachment-multi-zone | Transit Router VPC Attachment Multi-Zone Configuration | ROS, Terraform | Transit Router VPC attachments should be configured with vSwitches in at least two different availability zones for cross-zone high availability. |
| tsdb-instance-security-ip-check | TSDB Instance Does Not Allow Any IP Access | ROS, Terraform | Ensures that TSDB instances do not have security whitelists that allow all IPs. |
| use-waf-instance-for-security-protection | Use WAF for Security Protection | ROS, Terraform | Web Application Firewall (WAF) should be used to protect websites and apps from web-based attacks. |
| vpc-cidr-required | VPC must configure CIDR block | ROS | Checks that the VPC has a CIDR block configured. |
| vpc-network-acl-risky-ports-check | VPC Network ACL Risky Ports Check | ROS, Terraform | Ensures VPC Network ACLs do not allow unrestricted access to risky ports (22, 3389). |
| vpn-gateway-vpc-required | VPN Gateway must bind VPC | ROS | Checks that the VPN Gateway is bound to a VPC. |
| vswitch-cidr-required | VSwitch must configure CIDR block | ROS | Checks that the VSwitch has a CIDR block configured. |

Medium Severity (232 Rules)

| Rule ID | Name | IaC Types | Description |
| --- | --- | --- | --- |
| ack-cluster-encryption-enabled | ACK Cluster Secret Encryption Enabled | ROS, Terraform | ACK Pro clusters should have Secret encryption at rest enabled using KMS. |
| ack-cluster-inspect-kubelet-version-outdate-check | ACK Kubelet Version Check | ROS, Terraform | Ensures the Kubelet version in the ACK cluster is up to date. |
| ack-cluster-log-plugin-installed | ACK Cluster Log Plugin Installed | ROS, Terraform | Ensures the log-service addon is installed in the ACK cluster. |
| ack-cluster-node-pool-scaling-limits-required | ESS scaling group must configure MinSize | ROS | Checks that the ESS scaling group configures MinSize. |
| ack-cluster-rrsa-enabled | ACK Cluster RRSA Enabled | ROS, Terraform | Ensures that the RAM Roles for Service Accounts (RRSA) feature is enabled for the ACK cluster. |
| ack-cluster-supported-version | ACK Cluster Supported Version | ROS, Terraform | Ensures that the ACK cluster is running a supported version. |
| ack-cluster-upgrade-latest-version | ACK Cluster Upgraded to Latest Version | ROS, Terraform | Ensures that the ACK cluster is running the latest available version. |
| actiontrail-trail-name-required | ActionTrail trail must configure name | ROS | Checks that the ActionTrail trail has a name configured. |
| adb-cluster-multi-zone | ADB Cluster Multi-Zone Deployment | ROS, Terraform | The ADB cluster should be deployed in multi-zone mode. |
| alb-address-type-intranet | ALB should use intranet address type | ROS | Checks that the ALB uses the intranet address type. |
| alb-all-listenter-has-server | ALB Listener Has Backend Server | ROS, Terraform | Ensures all ALB listeners are associated with a non-empty server group. |
| alb-instance-bind-security-group-or-enabled-acl | ALB Instance Bind Security Group or Enable ACL | ROS, Terraform | The ALB instance should have security groups associated or an ACL configured for all running listeners. |
| alb-loadbalancer-name-required | ALB must configure name | ROS | Checks that the ALB has a name configured. |
| alb-server-group-multi-zone | ALB Server Group Multi-Zone Distribution | ROS, Terraform | ALB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP/Function Compute type server groups. |
| alidns-domain-regex-match | Alibaba Cloud DNS Domain Names Match Naming Convention | ROS, Terraform | Ensures that Alibaba Cloud DNS domain names match the specified naming convention regex. |
| api-gateway-api-auth-jwt | API Gateway API Auth JWT | ROS, Terraform | Ensures API Gateway APIs use JWT authentication. |
| api-gateway-api-auth-required | API Gateway API Auth Required | ROS, Terraform | Ensures API Gateway APIs have authentication configured. |
| api-gateway-api-internet-request-https | API Gateway Internet Request HTTPS Enabled | ROS, Terraform | Ensures that API Gateway APIs exposed to the internet use the HTTPS protocol. |
| api-gateway-api-visibility-private | API Gateway API Visibility Private | ROS, Terraform | Ensures API Gateway APIs are set to PRIVATE visibility. |
| api-gateway-group-bind-domain | API Gateway Group Bind Domain | ROS, Terraform | Ensures API Gateway groups have custom domains bound. |
| api-gateway-group-enabled-ssl | API Gateway Group SSL Enabled | ROS, Terraform | Ensures that SSL is enabled for API Gateway groups. |
| api-gateway-group-https-policy-check | API Gateway Group HTTPS Policy Check | ROS, Terraform | Ensures API Gateway groups have the HTTPS security policy set correctly. |
| api-gateway-group-log-enabled | API Gateway Group Log Enabled | ROS, Terraform | Ensures API Gateway groups have logging configured. |
| apigateway-instance-multi-zone | API Gateway Instance Multi-Zone Deployment | ROS, Terraform | API Gateway instances should be deployed in a multi-zone configuration for high availability. |
| bastionhost-instance-spec-check | BastionHost Instance Multi-Zone Spec Check | ROS, Terraform | The BastionHost instance should use the Enterprise version, which supports multi-zone deployment. |
| cen-cross-region-bandwidth-check | CEN Cross-Region Bandwidth Check | ROS, Terraform | CEN instance cross-region connections should have sufficient bandwidth allocated to meet performance requirements. |
| cen-instance-name-required | CEN instance must configure name | ROS | Checks that the CEN instance has a name configured. |
| clickhouse-dbcluster-multi-zone | ClickHouse DBCluster Multi-Zone Deployment | ROS, Terraform | ClickHouse clusters should use the HighAvailability (Double-replica) edition for multi-zone deployment. Note: this applies only to the community edition. |
| cms-alarm-name-required | CMS alarm must configure name | ROS | Checks that the CMS alarm has a name configured. |
| cr-instance-multi-zone | CR Instance with Zone-Redundant OSS Bucket | ROS, Terraform | Container Registry instances should be associated with zone-redundant OSS buckets for high availability. |
| ecs-disk-all-encrypted-by-kms | ECS disk with KMS encryption enabled | ROS, Terraform | ECS disks (including the system disk and data disks) that are encrypted with KMS are considered compliant. |
| ecs-disk-category-required | ECS disk must set disk category | ROS | Checks that the ECS disk sets a disk category. |
| ecs-disk-encrypted | ECS data disk encryption enabled | ROS, Terraform | ECS data disks with encryption enabled are considered compliant. |
| ecs-disk-in-use | ECS disk is in use | ROS, Terraform | ECS disks that are attached to an instance or in the in-use state are considered compliant. |
| ecs-disk-retain-auto-snapshot | Retain auto snapshot when ECS disk is released | ROS, Terraform | ECS disks configured to retain auto snapshots when released are considered compliant. This helps protect data from accidental deletion. |
| ecs-disk-size-required | ECS disk must set disk size | ROS | Checks that the ECS disk sets a disk size. |
| ecs-in-use-disk-encrypted | ECS In-Use Disk Encryption | ROS, Terraform | ECS data disks should have encryption enabled to protect data at rest. |
| ecs-instance-auto-renewal-enabled | ECS subscription instance has auto-renewal enabled | ROS, Terraform | ECS subscription (prepaid) instances with auto-renewal enabled are considered compliant. Pay-as-you-go instances are not applicable. |
| ecs-instance-bandwidth-configured | ECS instance must configure outbound bandwidth | ROS | Checks that the ECS instance configures outbound bandwidth. |
| ecs-instance-charge-type-required | ECS instance must set charge type | ROS | Checks that the ECS instance sets a charge type. |
| ecs-instance-group-max-amount-required | ECS Instance Group Maximum Amount Required | ROS | ECS instance groups should declare MaxAmount so the intended replica ceiling is explicit. |
| ecs-instance-group-min-amount-required | ECS Instance Group Minimum Amount Required | ROS | ECS instance groups should declare MinAmount so the baseline replica count is explicit. |
| ecs-instance-image-expired-check | ECS Instance Image Expired Check | ROS, Terraform | Ensures that the image used by the ECS instance has not expired. |
| ecs-instance-image-type-check | ECS Instance Image Type Check | ROS, Terraform | Ensures ECS instances use images from authorized sources. |
| ecs-instance-login-use-keypair | ECS Instance Login Using Key Pair | ROS, Terraform | Ensures that ECS instances use key pairs for login instead of passwords. |
| ecs-instance-meta-data-mode-check | ECS instance metadata access uses security-enhanced mode (IMDSv2) | ROS, Terraform | Instances that enforce security-enhanced mode (IMDSv2) for metadata access are considered compliant. Instances associated with ACK clusters are not applicable. |
| ecs-instance-name-required | ECS instance must configure name | ROS | Checks that the ECS instance has a name configured. |
| ecs-instance-no-public-and-anyip | ECS Instance Should Not Bind Public IP or Allow Any IP Access | ROS, Terraform | ECS instances should not directly bind IPv4 public IPs or Elastic IPs, and associated security groups should not expose 0.0.0.0/0. Compliant when no public IP is bound. |
| ecs-instance-not-bind-key-pair | ECS Instance Not Bound to Key Pair | ROS, Terraform | Ensures that ECS instances use key pairs for authentication instead of passwords. |
| ecs-instance-operational-deletion-protection | ECS instance must enable deletion protection for operations | ROS | Checks that the ECS instance enables deletion protection for operations. |
| ecs-instance-tags-required | ECS instance must configure tags | ROS | Checks that the ECS instance has tags configured. |
| ecs-instance-type-family-not-deprecated | ECS Instance Type Not Deprecated | ROS, Terraform | Ensures ECS instances do not use deprecated or legacy instance types. |
| ecs-instance-type-required | ECS instance must set instance type | ROS | Checks that the ECS instance sets an instance type. |
| ecs-instances-in-vpc | ECS Instances in VPC | ROS, Terraform | ECS instances should be deployed in VPC (Virtual Private Cloud) networks rather than classic networks. VPC provides better network isolation, security, and flexibility. |
| ecs-internetmaxbandwidth-check | ECS Internet Max Bandwidth Check | ROS, Terraform | Ensures ECS internet outbound bandwidth does not exceed the specified limits. |
| ecs-launch-template-network-type-check | ECS launch template uses VPC network type | ROS, Terraform | ECS launch template versions with the network type set to VPC are considered compliant. The classic network type is not recommended for production environments. |
| ecs-launch-template-version-data-disk-encrypted | ECS launch template version enables data disk encryption | ROS, Terraform | ECS launch template versions in which all configured data disks are encrypted are considered compliant. |
| ecs-launch-template-version-image-type-check | Launch Template Image Type Check | ROS, Terraform | Ensures ECS launch templates use authorized image types. |
| ecs-running-instances-in-vpc | Running ECS instances are in VPC | ROS, Terraform | Running ECS instances deployed in a Virtual Private Cloud (VPC) are considered compliant. This provides network isolation and enhanced security. |
| ecs-security-group-description-required | Security group must configure description | ROS | Checks that the security group has a description configured. |
| ecs-snapshot-policy-timepoints-check | ECS auto snapshot policy timepoints configured reasonably | ROS, Terraform | Auto snapshot policies whose snapshot creation timepoints fall within the specified time range are considered compliant. Creating snapshots temporarily reduces block storage I/O performance (generally by less than 10%), causing brief slowdowns, so it is recommended to select timepoints that avoid business peak hours. |
| eip-bandwidth-required | EIP must set bandwidth | ROS | Checks that the EIP sets a bandwidth. |
| eip-delete-protection-enabled | EIP Deletion Protection Enabled | ROS, Terraform | Ensures that EIP instances have deletion protection enabled. |
| eip-explicit-bandwidth-required | EIP must configure bandwidth | ROS | Checks that the EIP has bandwidth configured. |
| elasticsearch-instance-enabled-data-node-encryption | Elasticsearch Data Node Encryption Enabled | ROS, Terraform | Ensures that data nodes in the Elasticsearch instance have disk encryption enabled. |
| elasticsearch-instance-enabled-node-config-disk-encryption | ES Node Config Disk Encryption | ROS, Terraform | Ensures Elasticsearch elastic node configurations have disk encryption enabled. |
| elasticsearch-instance-multi-zone | Elasticsearch Instance Multi-Zone Deployment | ROS, Terraform | Elasticsearch instances should be deployed across multiple availability zones. |
| emr-cluster-master-public-access-check | EMR Cluster Master Node Public Access Check | ROS, Terraform | EMR on ECS cluster master nodes should not have a public IP enabled. |
| ess-group-health-check | ESS Scaling Group Health Check | ROS, Terraform | ESS scaling groups should enable ECS instance health checks. |
| ess-scaling-configuration-attach-security-group | ESS Scaling Configuration Security Group | ROS, Terraform | ESS scaling configurations should attach security groups to instances for proper network isolation and access control. |
| ess-scaling-configuration-enabled-internet-check | ESS Scaling Configuration Internet Access Check | ROS, Terraform | Ensures that ESS scaling configurations do not enable public IP addresses for instances unless necessary. |
| ess-scaling-configuration-image-check | ESS Scaling Configuration Image Check | ROS, Terraform | ESS scaling configurations should specify a maintained image. |
| ess-scaling-configuration-image-type-check | ESS Scaling Configuration Image Type Check | ROS, Terraform | ESS scaling configurations should use images from the specified sources. |
| ess-scaling-configuration-instance-type-candidates-required | ESS scaling configuration must set instance type | ROS | Checks that the ESS scaling configuration sets an instance type. |
| ess-scaling-group-attach-multi-switch | ESS Scaling Group Multi-VSwitch | ROS, Terraform | ESS scaling groups should be associated with at least two VSwitches for high availability across multiple zones. |
| ess-scaling-group-attach-slb | ESS Scaling Group Attach SLB | ROS, Terraform | ESS scaling groups should be attached to a Classic Load Balancer. |
| ess-scaling-group-capacity-bounds-required | ESS scaling group must configure MaxSize | ROS | Checks that the ESS scaling group configures MaxSize. |
| ess-scaling-group-cooldown-configured | ESS scaling group must configure cooldown | ROS | Checks that the ESS scaling group configures a cooldown. |
| ess-scaling-group-loadbalancer-check | ESS Scaling Group Load Balancer Existence Check | ROS, Terraform | ESS scaling groups should be attached to load balancers for traffic distribution. |
| ess-scaling-rule-action-configured | ESS scaling rule must configure adjustment | ROS | Checks that the ESS scaling rule configures an adjustment. |
| fc-function-custom-domain-and-cert-enable | FC Function Custom Domain Certificate Check | ROS, Terraform | FC custom domains should have SSL certificates configured for secure communication. |
| fc-function-custom-domain-and-https-enable | FC Function Custom Domain HTTPS Check | ROS, Terraform | FC custom domains should have HTTPS enabled for secure communication. |
| fc-function-custom-domain-and-tls-enable | FC Function Custom Domain and TLS Enabled | ROS, Terraform | Ensures that custom domains for Function Compute functions have TLS enabled. |
| fc-function-instance-concurrency-configured | FC function must configure instance concurrency | ROS | Checks that the FC function configures instance concurrency. |
| fc-function-internet-and-custom-domain-enable | FC Service Internet Access with Custom Domain | ROS, Terraform | FC services with internet access should be bound to custom domains for proper access control. |
| fc-function-settings-check | FC Function Settings Check | ROS, Terraform | FC function settings should meet the specified requirements for optimal performance and security. |
| fc-function-timeout-configured | FC function must configure timeout | ROS | Checks that the FC function configures a timeout. |
| fc-service-bind-role | FC Service Bound to RAM Role | ROS, Terraform | Ensures that the Function Compute service has a RAM role bound to it. |
| fc-service-internet-access-disable | FC Service Internet Access Disabled | ROS, Terraform | Ensures that the Function Compute service has internet access disabled when it should only access internal resources. |
fc-service-log-enableFC Service Log EnableROS, TerraformFC services should have logging enabled for monitoring and troubleshooting.
fc-service-tracing-enableFC Service Tracing EnableROS, TerraformFC services should have tracing enabled for performance monitoring and debugging.
fc-service-vpc-bindingFC Service VPC Binding EnabledROS, TerraformEnsures that the Function Compute service is configured to access resources within a VPC.
firewall-asset-open-protectCloud Firewall Asset Protection EnabledROS, TerraformEnsures assets are protected by Cloud Firewall.
gpdb-instance-multi-zoneGPDB Instance Multi-Zone DeploymentROS, TerraformGPDB instances should be deployed with a standby zone for high availability.
gwlb-loadbalancer-multi-zoneGWLB LoadBalancer Multi-Zone DeploymentROS, TerraformGWLB LoadBalancer instances should be deployed across at least two availability zones.
hbase-cluster-deletion-protectionHBase Cluster Deletion Protection EnabledROS, TerraformEnsures that HBase instances have deletion protection enabled.
hbase-cluster-in-vpcHBase Cluster in VPCROS, TerraformEnsures that the HBase cluster is deployed within a VPC.
hbase-cluster-multi-zoneHBase Cluster Multi-Zone DeploymentROS, TerraformHBase clusters should be deployed in cluster mode with at least 2 nodes for high availability.
internet-nat-gateway-in-specified-vpcInternet NAT Gateway in Specified VPCROS, TerraformInternet-facing NAT gateways should be created in specified VPCs according to network security requirements.
intranet-nat-gateway-in-specified-vpcIntranet NAT Gateway in Specified VPCROS, TerraformIntranet-facing NAT gateways should be created in specified VPCs according to network security requirements.
kafka-instance-multi-zoneKafka Instance Multi-Zone DeploymentROS, TerraformKafka instances should be deployed across multiple availability zones for high availability.
kms-instance-multi-zoneKMS Instance Multi-Zone DeploymentROS, TerraformKMS instances should be deployed across at least two availability zones for high availability and disaster recovery.
kms-key-delete-protection-enabledKMS key deletion protection enabledROS, TerraformKMS master key has deletion protection enabled, considered compliant. Keys not in enabled status and service keys (which cannot be deleted) are not applicable.
kms-key-description-requiredKMS key must configure descriptionROSChecks KMS key must configure description
kms-key-rotation-enabledKMS key automatic rotation enabledROS, TerraformKMS user master key has automatic rotation enabled, considered compliant. Service keys and externally imported keys are not applicable.
kms-secret-rotation-enabledKMS Secret Automatic Rotation EnabledROS, TerraformEnsures that KMS secrets have automatic rotation enabled to enhance security by periodically rotating secret values.
lindorm-instance-in-vpcLindorm Instance in VPCROS, TerraformEnsures Lindorm instance is deployed in a VPC.
lindorm-instance-multi-zoneLindorm Instance Multi-Zone DeploymentROS, TerraformLindorm instances should be configured for multi-zone deployment with at least 4 LindormTable nodes for high availability.
logstore-ttl-requiredSLS Logstore must set TTLROSChecks SLS Logstore must set TTL
mongodb-instance-enabled-sslMongoDB Instance SSL EnabledROS, TerraformEnsures MongoDB instances have SSL encryption enabled.
mongodb-instance-encryption-byok-checkMongoDB Instance TDE with Custom KMS KeyROS, TerraformMongoDB instances should have TDE enabled with a customer-managed KMS encryption key (BYOK).
mongodb-instance-in-vpcMongoDB Instance Deployed in VPCROS, TerraformMongoDB instances should be deployed in a VPC for network isolation.
mongodb-instance-log-auditMongoDB Instance Audit Logging EnabledROS, TerraformMongoDB instances should have audit logging enabled for security monitoring.
mongodb-instance-multi-nodeMongoDB Instance Multi-Node for High AvailabilityROS, TerraformMongoDB instances should have a replication_factor of at least 3 for high availability.
mongodb-instance-multi-zoneMongoDB Instance Multi-Zone DeploymentROS, TerraformMongoDB instances should be deployed across multiple availability zones for high availability.
mongodb-instance-release-protectionMongoDB Instance Release Protection EnabledROS, TerraformMongoDB instances should have release protection enabled to prevent accidental deletion.
mse-cluster-config-auth-enabledMSE Cluster Config Auth EnabledROS, TerraformEnsures that the Microservices Engine (MSE) cluster configuration center has authentication enabled.
mse-cluster-high-availability-configuredMSE cluster must configure replicasROSChecks MSE cluster must configure replicas
mse-cluster-multi-availability-area-architecture-checkMSE Cluster High-Availability ConfigurationROS, TerraformMSE clusters should use the Professional Edition with at least 3 instances (odd number) for high availability.
mse-cluster-stable-version-checkMSE Cluster Uses Stable VersionROS, TerraformEnsures that MSE cluster engine version is greater than the minimum stable version.
mse-gateway-multi-availability-area-architecture-checkMSE Gateway Multi-Availability Zone DeploymentROS, TerraformMSE gateway should have backup_vswitch_id configured for multi-availability zone deployment.
nas-filesystem-mount-target-access-group-checkNAS Mount Target Access Group CheckROS, TerraformEnsures that NAS mount targets do not use the default VPC access group (DEFAULT_VPC_GROUP_NAME).
nat-gateway-spec-requiredNAT Gateway must set specificationROSChecks NAT Gateway must set specification
natgateway-delete-protection-enabledNAT Gateway Deletion Protection EnabledROS, TerraformEnsures that NAT Gateways have deletion protection enabled.
natgateway-eip-used-checkNAT Gateway EIP Usage CheckROS, TerraformSNAT and DNAT should not use the same EIP to avoid potential conflicts and improve network segmentation.
natgateway-snat-eip-bandwidth-checkNAT Gateway SNAT EIP Bandwidth ConsistencyROS, TerraformWhen SNAT entries are bound to multiple EIPs, the bandwidth peak settings should be consistent or they should be added to a shared bandwidth package.
nlb-address-type-intranetNLB should use intranet address typeROSChecks NLB should use intranet address type
nlb-loadbalancer-multi-zoneNLB LoadBalancer Multi-Zone DeploymentROS, TerraformNLB LoadBalancer instances should be deployed across at least two availability zones for high availability.
nlb-server-group-multi-zoneNLB Server Group Multi-Zone DistributionROS, TerraformNLB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP type server groups.
oss-bucket-authorize-specified-ipOSS Bucket Authorize Specified IPROS, TerraformEnsures OSS bucket policy contains IP address conditions to restrict access.
oss-bucket-backup-enableOSS Backup EnabledROS, TerraformEnsures OSS buckets have backup or versioning enabled.
oss-bucket-logging-enabledOSS Bucket Logging EnabledROS, TerraformEnsures OSS bucket has access logging enabled.
oss-bucket-operational-access-loggingOSS bucket must enable loggingROSChecks OSS bucket must enable logging
oss-bucket-remote-replicationOSS Bucket Remote Replication EnabledROS, TerraformEnsures that cross-region replication is enabled for the OSS bucket for disaster recovery.
oss-bucket-tags-requiredOSS bucket must configure tagsROSChecks OSS bucket must configure tags
oss-bucket-tls-version-checkOSS Bucket TLS Version CheckROS, TerraformEnsures that the OSS bucket is configured to use a secure version of TLS (TLS 1.2 or higher).
oss-bucket-versioning-enabledOSS Bucket Versioning EnabledROS, TerraformEnsures OSS bucket has versioning enabled.
oss-default-encryption-kmsOSS Bucket KMS Encryption EnabledROS, TerraformEnsures OSS bucket uses KMS for server-side encryption.
oss-encryption-byok-checkOSS Bucket BYOK Encryption CheckROS, TerraformEnsures OSS bucket uses KMS encryption with a customer-managed key (BYOK).
oss-storage-class-requiredOSS bucket must set storage classROSChecks OSS bucket must set storage class
oss-zrs-enabledOSS Bucket Zone-Redundant Storage EnabledROS, TerraformEnsures OSS bucket uses Zone-Redundant Storage (ZRS) for high availability.
ots-instance-multi-zoneOTS Instance Zone-Redundant StorageROS, TerraformOTS instances should use zone-redundant access mode (ConsoleOrVpc) for high availability.
ots-instance-network-not-normalOTS Restricted Network TypeROS, TerraformOTS instances should not use unrestricted network access (Any). Use Vpc or ConsoleOrVpc instead.
pai-eas-instances-multi-zonePAI EAS Instance Multi-Zone DeploymentROS, TerraformEnsures that PAI EAS instances are deployed across multiple zones for high availability.
polardb-cluster-delete-protection-enabledPolarDB Cluster Deletion Protection EnabledROS, TerraformEnsures that PolarDB clusters have deletion protection enabled.
polardb-cluster-enabled-sslPolarDB Cluster SSL EnabledROS, TerraformEnsures PolarDB clusters have SSL encryption enabled.
polardb-cluster-multi-zonePolarDB Cluster Multi-Zone DeploymentROS, TerraformPolarDB clusters should be deployed across multiple availability zones for high availability.
polardb-cluster-tags-requiredPolarDB cluster must configure tagsROSChecks PolarDB cluster must configure tags
polardb-dbcluster-in-vpcPolarDB Cluster in VPCROS, TerraformEnsures PolarDB cluster is deployed in a VPC.
polardb-revision-version-used-checkPolarDB Revision Version Used CheckROS, TerraformEnsures PolarDB cluster is using a stable kernel revision version.
polardb-x2-instance-multi-zonePolarDB-X 2.0 Instance Multi-Zone DeploymentROS, TerraformPolarDB-X 2.0 instances should be deployed across 3 availability zones.
privatelink-server-endpoint-multi-zonePrivateLink VPC Endpoint Service Multi-Zone DeploymentROS, TerraformPrivateLink VPC endpoint services should have resources deployed across multiple availability zones for high availability.
privatelink-servier-endpoint-multi-zonePrivateLink Service Endpoint Multi-Zone DeploymentROS, TerraformEnsures that PrivateLink service endpoints are deployed across multiple zones for high availability.
ram-password-policy-checkRAM Password Policy CheckROS, TerraformEnsures that the RAM password policy meets the specified security requirements.
ram-policy-no-has-specified-documentRAM Policy No Specified DocumentROS, TerraformEnsures custom RAM policies do not contain the specified permission configuration.
ram-role-has-specified-policyRAM Role Has Specified PolicyROS, TerraformEnsures RAM roles have the specified policies attached.
ram-role-no-product-admin-accessRAM Role No Product Admin AccessROS, TerraformEnsures RAM roles do not have full administrative access or product administrator permissions.
ram-user-activated-ak-quantity-checkRAM User Active AK Quantity CheckROS, TerraformEnsures RAM users do not have more than one active AccessKey.
ram-user-ak-create-date-expired-checkRAM User AccessKey Creation Date Expired CheckROS, TerraformEnsures that RAM user AccessKeys are not older than the specified number of days.
ram-user-ak-used-expired-checkRAM User AccessKey Last Used Date CheckROS, TerraformEnsures that RAM user AccessKeys have been used within the specified number of days.
ram-user-has-specified-policyRAM User Has Specified PolicyROS, TerraformEnsures RAM users have the required policies attached, including those inherited from groups.
ram-user-login-checkRAM User Login Enabled CheckROS, TerraformEnsures that RAM users who do not need console access have login disabled.
ram-user-no-has-specified-policyRAM User No Specified PolicyROS, TerraformEnsures RAM users do not have specified risky policies attached.
ram-user-no-product-admin-accessRAM User No Product Administrative AccessROS, TerraformEnsures that RAM users do not have full administrative access to cloud products unless necessary.
ram-user-role-no-product-admin-accessRAM User Role No Product Admin AccessROS, TerraformEnsures RAM user-defined roles do not have product administrative permissions.
rds-backup-policy-requiredRDS backup policy must be configuredROSChecks RDS backup policy must be configured
rds-instacne-delete-protection-enabledRDS Instance Deletion Protection EnabledROS, TerraformEnsures that RDS instances have deletion protection enabled.
rds-instance-deletion-protection-enabledRDS instance must enable deletion protectionROSChecks RDS instance must enable deletion protection
rds-instance-enabled-auditingRDS Instance Auditing EnabledROS, TerraformEnsures RDS instances have SQL auditing enabled.
rds-instance-enabled-log-backupRDS Instance Log Backup EnabledROS, TerraformEnsures RDS instances have log backup enabled.
rds-instance-enabled-sslRDS Instance SSL EnabledROS, TerraformEnsures RDS instances have SSL encryption enabled.
rds-instance-enabled-tde-disk-encryptionRDS Instance Enabled TDE or Disk EncryptionROS, TerraformRDS instance should have TDE (Transparent Data Encryption) or disk encryption enabled.
rds-instance-has-guard-instanceRDS Instance Has Guard InstanceROS, TerraformEnsures production RDS instances have a corresponding guard (disaster recovery) instance.
rds-instance-tags-requiredRDS instance must configure tagsROSChecks RDS instance must configure tags
rds-instance-zone-requiredRDS Instance Primary Zone RequiredROSRDS instances should explicitly configure the primary zone used for placement and failover planning.
rds-instances-in-vpcRDS Instance in VPCROS, TerraformEnsures that the RDS instance is deployed within a VPC.
rds-multi-az-supportRDS Instance Multi-AZ DeploymentROS, TerraformRDS instances should be deployed in multi-AZ configuration for high availability and automatic failover.
rds-pay-type-requiredRDS instance must set pay typeROSChecks RDS instance must set pay type
rds-storage-type-requiredRDS instance must set storage typeROSChecks RDS instance must set storage type
redis-architecturetype-cluster-checkRedis Architecture Type Cluster CheckROS, TerraformEnsures Redis instance uses cluster architecture type.
redis-backup-policy-requiredRedis backup policy must be configuredROSChecks Redis backup policy must be configured
redis-instance-backup-log-enabledRedis Instance Backup Log EnabledROS, TerraformEnsures that backup is configured for the Redis instance.
redis-instance-class-requiredRedis instance must set instance classROSChecks Redis instance must set instance class
redis-instance-double-node-typeRedis Instance Double Node TypeROS, TerraformEnsures Redis instance uses double node type for high availability.
redis-instance-enabled-byok-tdeRedis Instance BYOK TDE EnabledROS, TerraformEnsures that Redis instances have Transparent Data Encryption (TDE) enabled using Bring Your Own Key (BYOK).
redis-instance-enabled-sslRedis Instance SSL EnabledROS, TerraformEnsures Redis instances have SSL encryption enabled.
redis-instance-in-vpcRedis Instance in VPCROS, TerraformEnsures Redis instance is deployed in a VPC.
redis-instance-multi-zoneRedis Instance Multi-Zone DeploymentROS, TerraformRedis instances should be deployed across multiple availability zones for high availability.
redis-instance-name-requiredRedis instance must configure nameROSChecks Redis instance must configure name
redis-instance-release-protectionRedis Instance Release Protection EnabledROS, TerraformEnsures that Redis instances have release protection enabled.
redis-instance-tls-version-checkRedis Instance TLS Version CheckROS, TerraformEnsures Redis instance has SSL enabled with acceptable TLS version.
redis-min-capacity-limitRedis Min Capacity LimitROS, TerraformEnsures Redis instance has memory capacity meeting the minimum requirement.
rocketmq-v5-instance-multi-zoneRocketMQ 5.0 Instance Multi-Zone DeploymentROS, TerraformRocketMQ 5.0 instances should be deployed in Cluster HA mode which supports multi-zone availability.
security-center-version-checkSecurity Center Version CheckROSSecurity Center should be at a version that provides sufficient protection features.
security-group-enterprise-typeSecurity group must set typeROSChecks Security group must set type
security-oss-bucket-logging-configuredOSS bucket must configure access loggingROSChecks OSS bucket must configure access logging
slb-address-type-intranetSLB should use intranet address typeROSChecks SLB should use intranet address type
slb-all-listener-enabled-aclSLB All Listeners Have Access ControlROS, TerraformAll running listeners of SLB instances should have access control lists (ACL) configured for security.
slb-all-listener-http-disabledSLB All Listeners HTTP DisabledROS, TerraformEnsures no SLB listeners use the insecure HTTP protocol.
slb-all-listener-http-redirect-httpsSLB HTTP Redirect to HTTPS EnabledROS, TerraformEnsures SLB HTTP listeners are configured to redirect traffic to HTTPS.
slb-all-listenter-has-serverSLB All Listeners Have Backend ServersROS, TerraformWhen SLB load balancers exist, there should be at least one backend server resource configured.
slb-all-listenter-tls-policy-checkSLB Listener TLS Policy CheckROS, TerraformEnsures SLB HTTPS listeners use secure TLS cipher policies.
slb-default-server-group-multi-serverSLB Default Server Group Has Multiple ServersROS, TerraformThe default server group of SLB instances should have at least two servers to avoid single point of failure.
slb-instance-autorenewal-checkSLB Instance Auto-Renewal CheckROS, TerraformPrepaid SLB instances should have auto-renewal enabled to avoid service interruption.
slb-instance-default-server-group-multi-zoneSLB Default Server Group Multi-ZoneROS, TerraformThe default server group of SLB instances should have resources distributed across multiple availability zones.
slb-instance-log-enabledSLB Instance Logging EnabledROS, TerraformEnsures that access logging is enabled for the SLB instance.
slb-instance-master-zone-requiredSLB Instance Master Zone RequiredROSSLB instances should configure a master zone as part of primary and secondary zone deployment.
slb-instance-multi-zoneSLB Instance Multi-Zone DeploymentROS, TerraformSLB instances should be deployed across multiple zones by configuring both master and slave zones for high availability.
slb-instance-spec-checkSLB Instance Specification CheckROS, TerraformSLB instance specifications should meet the required performance criteria based on the specified list.
slb-internet-charge-type-requiredSLB must set internet charge typeROSChecks SLB must set internet charge type
slb-listener-https-enabledSLB Listener HTTPS EnabledROS, TerraformEnsures SLB listeners use HTTPS protocol for secure communication.
slb-loadbalancer-in-vpcSLB in VPC CheckROS, TerraformEnsures SLB instances are deployed within a Virtual Private Cloud (VPC).
slb-loadbalancer-name-requiredSLB must configure nameROSChecks SLB must configure name
slb-master-slave-server-group-multi-zoneSLB Master-Slave Server Group Multi-ZoneROS, TerraformThe master-slave server group of SLB instances should have resources distributed across multiple availability zones.
slb-no-public-ipSLB Instance No Public IPROS, TerraformSLB instances should not have public IP addresses to reduce attack surface.
slb-vserver-group-multi-zoneSLB VServer Group Multi-Zone DeploymentROS, TerraformEnsures that SLB virtual server groups contain instances from multiple availability zones.
sls-logstore-enabled-encryptSLS Logstore Encryption EnabledROS, TerraformEnsures SLS Logstores have server-side encryption enabled.
sls-logstore-encrypt-key-origin-checkSLS Logstore Encryption Key Origin CheckROS, TerraformEnsures SLS Logstores use externally imported key material (BYOK) for encryption, which provides better control over encryption keys.
sls-logstore-shard-count-configuredSLS Logstore must configure shard countROSChecks SLS Logstore must configure shard count
sls-logstore-ttl-configuredSLS Logstore must configure TTLROSChecks SLS Logstore must configure TTL
sls-project-description-requiredSLS project must configure descriptionROSChecks SLS project must configure description
sls-project-multi-zoneSLS Project Zone-Redundant StorageROS, TerraformSLS projects should use zone-redundant storage (ZRS) for high availability and data durability.
vpc-flow-logs-enabledVPC Flow Logs EnabledROS, TerraformEnsures VPC flow logs are enabled for monitoring network traffic.
vpc-name-requiredVPC must configure nameROSChecks VPC must configure name
vpc-network-acl-not-emptyVPC Network ACL Not EmptyROS, TerraformEnsures VPC Network ACLs have at least one rule configured.
vpn-connection-master-slave-establishedVPN Connection Dual Tunnel EstablishedROS, TerraformUse dual-tunnel VPN gateway and both master and slave tunnels are established with the peer.
vpn-gateway-multi-zoneVPN Gateway Multi-Zone DeploymentROS, TerraformVPN Gateways should be configured with a disaster recovery VSwitch to support multi-zone availability.
vswitch-available-ip-countVSwitch Available IP Count CheckROS, TerraformEnsures that the VSwitch has a sufficient number of available IP addresses.
vswitch-name-requiredVSwitch must configure nameROSChecks VSwitch must configure name
vswitch-zone-requiredVSwitch must configure zoneROSChecks VSwitch must configure zone
waf-instance-logging-enabledWAF Instance Logging EnabledROS, TerraformEnsures that logging is enabled for the WAF instance for auditing and security analysis.
waf3-defense-resource-logging-enabledWAF 3.0 Logging EnabledROS, TerraformEnsures that logging is enabled for resources protected by WAF 3.0.

Low Severity (41 Rules)

| Rule ID | Name | IaC Types | Description |
| --- | --- | --- | --- |
| ack-cluster-spec-check | ACK Cluster Spec Check | ROS, Terraform | Ensures ACK clusters use approved specifications (e.g., ACK Pro). |
| alb-address-type-check | ALB Address Type Check | ROS, Terraform | Ensures ALB instances use the preferred address type (e.g., Intranet). |
| apig-group-custom-trace-enabled | API Gateway Group Custom Trace Enabled | ROS, Terraform | Ensures API Gateway groups have custom tracing enabled. |
| cr-repository-immutablity-enable | Container Registry repository image version is immutable | ROS, Terraform | A Container Registry repository whose image versions are immutable is considered compliant. |
| eci-container-group-volumn-mounts | ECI Volume Mounting Check | ROS, Terraform | Ensures ECI container groups have volumes mounted for persistent data storage. |
| ecs-disk-auto-snapshot-policy | ECS disk has auto snapshot policy configured | ROS, Terraform | An ECS disk with an auto snapshot policy configured is considered compliant. Disks not in use, disks that do not support auto snapshot policies, and non-persistent disks mounted by ACK clusters are not applicable. Once an auto snapshot policy is enabled, Alibaba Cloud automatically creates snapshots of the cloud disk at the preset times and intervals, enabling quick recovery from virus intrusion or ransomware attacks. |
| ecs-disk-idle-check | ECS Disk Idle Check | ROS, Terraform | Ensures that ECS disks are attached to an instance and not in an idle state. |
| ecs-disk-regional-auto-check | ECS Disk Zone-Redundant ESSD Storage | ROS, Terraform | ECS data disks should use zone-redundant ESSD storage for high availability. System disks are not applicable to this rule. |
| ecs-instance-chargetype-check | ECS Instance Charge Type Check | ROS, Terraform | Ensures ECS instances use the authorized charge type. |
| ecs-instance-multiple-eni-check | ECS instance is bound to only one elastic network interface | ROS, Terraform | An ECS instance bound to only one elastic network interface is considered compliant. This simplifies network configuration and reduces complexity. |
| ecs-instance-ram-role-attached | ECS Instance RAM Role Attached | ROS, Terraform | Ensures that ECS instances have a RAM role attached for secure access to other cloud services. |
| ecs-internet-charge-type-check | ECS Internet Charge Type Check | ROS, Terraform | Ensures ECS instances use the preferred internet charge type. |
| ecs-security-group-description-check | Security Group Description Not Empty | ROS, Terraform | The security group description should not be empty; a description helps with management and auditing. |
| ecs-security-group-type-not-normal | Use Enterprise Security Group Type | ROS, Terraform | ECS security groups should not use the normal type; using the enterprise security group type is considered compliant. |
| ecs-snapshot-retention-days | ECS auto snapshot retention days meets requirements | ROS, Terraform | An ECS auto snapshot policy whose retention period is greater than the specified number of days is considered compliant. Default value: 7 days. |
| ecs-system-disk-size-check | ECS System Disk Size Check | ROS, Terraform | Ensures ECS system disks meet the minimum required size. |
| eip-attached | EIP Attached | ROS, Terraform | Ensures that EIP instances are associated with a resource. |
| eip-bandwidth-limit | EIP Bandwidth Limit | ROS, Terraform | Ensures EIP bandwidth does not exceed a specified maximum value. |
| hbase-cluster-type-check | HBase Cluster Engine Type Check | ROS, Terraform | HBase clusters should not use a deprecated engine type. |
| metadata-ros-composer-check | Template Metadata ALIYUN::ROS::Composer Check | ROS | The template must have Metadata.ALIYUN::ROS::Composer configured, and its value must be a dictionary (object). |
| nas-filesystem-encrypt-type-check | NAS file system encryption configured | ROS, Terraform | Ensures that NAS file systems have encryption enabled (encrypt_type set to 1 or 2). |
| oss-bucket-referer-limit | OSS bucket referer hotlink protection configured | ROS, Terraform | Ensures the OSS bucket has referer hotlink protection enabled with a configured whitelist. |
| polardb-cluster-default-time-zone-not-system | PolarDB Cluster Default Time Zone Not System | ROS, Terraform | Ensures the PolarDB cluster has parameters configured with explicit timezone settings. |
| polardb-cluster-maintain-time-check | PolarDB Cluster Maintenance Window Check | ROS, Terraform | Ensures that the PolarDB cluster has a maintenance window configured. |
| ram-group-has-member-check | RAM Group Has Member | ROS, Terraform | Ensures RAM groups have at least one member. |
| ram-group-in-use-check | RAM Group In Use Check | ROS, Terraform | Ensures RAM groups are not idle: each must have at least one member and at least one attached policy. |
| ram-policy-in-use-check | RAM Policy In Use Check | ROS, Terraform | Ensures RAM policies are attached to at least one RAM user, group, or role. |
| ram-user-group-membership-check | RAM User Group Membership Check | ROS, Terraform | Ensures that RAM users belong to at least one group for easier permission management. |
| ram-user-last-login-expired-check | RAM User Last Login Check | ROS, Terraform | Checks whether RAM users have not logged in for a long time. |
| ram-user-no-policy-check | RAM User Has Policy | ROS, Terraform | Ensures RAM users have at least one policy attached. |
| rds-instance-maintain-time-check | RDS Instance Maintenance Window Check | ROS, Terraform | Ensures that the RDS instance has a maintenance window configured. |
| rds-instance-storage-autoscale-enable | RDS Storage Autoscale Enabled | ROS, Terraform | Ensures RDS instances have storage autoscaling enabled to prevent downtime due to full disks. |
| redis-instance-backup-time-check | Redis Instance Backup Window Check | ROS, Terraform | Ensures that the Redis instance has a backup window configured. |
| root-has-specified-role | Root Account Has Specified Role | ROS | Ensures that the root account has the specified RAM role for governance and management. |
| slb-backendserver-weight-check | SLB Backend Server Weight Check | ROS, Terraform | Ensures SLB backend server groups have at least one server with a weight greater than 0. |
| slb-instance-loadbalancerspec-check | SLB Instance Spec Check | ROS, Terraform | Ensures SLB instances use approved performance specifications. |
| slb-loadbalancer-bandwidth-limit | SLB Bandwidth Limit | ROS, Terraform | Ensures SLB instance bandwidth does not exceed a specified maximum value. |
| slb-modify-protection-check | SLB Modification Protection Enabled | ROS, Terraform | Ensures that SLB instances have modification protection enabled. |
| sls-logstore-hot-ttl-check | SLS Logstore Smart Tier Storage Enabled | ROS, Terraform | Ensures SLS Logstores have intelligent hot/cold tier storage enabled for cost optimization. |
| vpn-gateway-enabled-ssl-vpn | VPN Gateway SSL-VPN Enabled | ROS, Terraform | Ensures the VPN gateway has SSL-VPN enabled for secure client access. |
| vpn-ipsec-connection-health-check-open | VPN IPsec Health Check Enabled | ROS, Terraform | Ensures VPN IPsec connections have health checks enabled to detect tunnel failures. |