| ack-cluster-encryption-enabled | ACK Cluster Secret Encryption Enabled | ROS, Terraform | ACK Pro clusters should have Secret encryption at rest enabled using KMS. |
| ack-cluster-inspect-kubelet-version-outdate-check | ACK Kubelet Version Check | ROS, Terraform | Ensures the Kubelet version in the ACK cluster is up to date. |
| ack-cluster-log-plugin-installed | ACK Cluster Log Plugin Installed | ROS, Terraform | Ensures the log-service addon is installed in the ACK cluster. |
| ack-cluster-node-pool-scaling-limits-required | ESS scaling group must configure MinSize | ROS | Checks that the ESS scaling group configures MinSize. |
| ack-cluster-rrsa-enabled | ACK Cluster RRSA Enabled | ROS, Terraform | Ensures that the RAM Roles for Service Accounts (RRSA) feature is enabled for the ACK cluster. |
| ack-cluster-supported-version | ACK Cluster Supported Version | ROS, Terraform | Ensures that the ACK cluster is running a supported version. |
| ack-cluster-upgrade-latest-version | ACK Cluster Upgraded to Latest Version | ROS, Terraform | Ensures that the ACK cluster is running the latest available version. |
| actiontrail-trail-name-required | ActionTrail trail must configure name | ROS | Checks that the ActionTrail trail has a name configured. |
| adb-cluster-multi-zone | ADB Cluster Multi-Zone Deployment | ROS, Terraform | The ADB cluster should be deployed in multi-zone mode. |
| alb-address-type-intranet | ALB should use intranet address type | ROS | Checks that the ALB instance uses the intranet address type. |
| alb-all-listenter-has-server | ALB Listener Has Backend Server | ROS, Terraform | Ensures all ALB listeners are associated with a non-empty server group. |
| alb-instance-bind-security-group-or-enabled-acl | ALB Instance Bind Security Group or Enable ACL | ROS, Terraform | ALB instance should have security groups associated or ACL configured for all running listeners. |
| alb-loadbalancer-name-required | ALB must configure name | ROS | Checks that the ALB instance has a name configured. |
| alb-server-group-multi-zone | ALB Server Group Multi-Zone Distribution | ROS, Terraform | ALB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP/Function Compute type server groups. |
| alidns-domain-regex-match | Alibaba Cloud DNS Domain Names Match Naming Convention | ROS, Terraform | Ensures that Alibaba Cloud DNS domain names match the specified naming convention regex. |
| api-gateway-api-auth-jwt | API Gateway API Auth JWT | ROS, Terraform | Ensures API Gateway APIs use JWT authentication. |
| api-gateway-api-auth-required | API Gateway API Auth Required | ROS, Terraform | Ensures API Gateway APIs have authentication configured. |
| api-gateway-api-internet-request-https | API Gateway Internet Request HTTPS Enabled | ROS, Terraform | Ensures that API Gateway APIs exposed to the internet use HTTPS protocol. |
| api-gateway-api-visibility-private | API Gateway API Visibility Private | ROS, Terraform | Ensures API Gateway APIs are set to PRIVATE visibility. |
| api-gateway-group-bind-domain | API Gateway Group Bind Domain | ROS, Terraform | Ensures API Gateway groups have custom domains bound. |
| api-gateway-group-enabled-ssl | API Gateway Group SSL Enabled | ROS, Terraform | Ensures that SSL is enabled for API Gateway groups. |
| api-gateway-group-https-policy-check | API Gateway Group HTTPS Policy Check | ROS, Terraform | Ensures API Gateway groups have HTTPS security policy set correctly. |
| api-gateway-group-log-enabled | API Gateway Group Log Enabled | ROS, Terraform | Ensures API Gateway groups have logging configured. |
| apigateway-instance-multi-zone | API Gateway Instance Multi-Zone Deployment | ROS, Terraform | API Gateway instances should be deployed in multi-zone configuration for high availability. |
| bastionhost-instance-spec-check | BastionHost Instance Multi-Zone Spec Check | ROS, Terraform | The BastionHost instance should use the Enterprise version which supports multi-zone deployment. |
| cen-cross-region-bandwidth-check | CEN Cross-Region Bandwidth Check | ROS, Terraform | CEN instance cross-region connections should have sufficient bandwidth allocation to meet performance requirements. |
| cen-instance-name-required | CEN instance must configure name | ROS | Checks that the CEN instance has a name configured. |
| clickhouse-dbcluster-multi-zone | ClickHouse DBCluster Multi-Zone Deployment | ROS, Terraform | ClickHouse clusters should use the HighAvailability (Double-replica) edition for multi-zone deployment. This rule applies only to the community edition. |
| cms-alarm-name-required | CMS alarm must configure name | ROS | Checks that the CMS alarm has a name configured. |
| cr-instance-multi-zone | CR Instance with Zone-Redundant OSS Bucket | ROS, Terraform | Container Registry instances should be associated with zone-redundant OSS buckets for high availability. |
| ecs-disk-all-encrypted-by-kms | ECS disk with KMS encryption enabled | ROS, Terraform | Compliant when all ECS disks (system disk and data disks) are encrypted with KMS. |
| ecs-disk-category-required | ECS disk must set disk category | ROS | Checks that the ECS disk sets a disk category. |
| ecs-disk-encrypted | ECS data disk encryption enabled | ROS, Terraform | Compliant when the ECS data disk has encryption enabled. |
| ecs-disk-in-use | ECS disk is in use | ROS, Terraform | Compliant when the ECS disk is attached to an instance or otherwise in use. |
| ecs-disk-retain-auto-snapshot | Retain auto snapshot when ECS disk is released | ROS, Terraform | Compliant when the ECS disk is configured to retain its automatic snapshots after release, which protects against accidental data loss. |
| ecs-disk-size-required | ECS disk must set disk size | ROS | Checks that the ECS disk sets a disk size. |
| ecs-in-use-disk-encrypted | ECS In-Use Disk Encryption | ROS, Terraform | ECS data disks that are in use should have encryption enabled to protect data at rest. |
| ecs-instance-auto-renewal-enabled | ECS subscription instance has auto-renewal enabled | ROS, Terraform | Compliant when the ECS subscription (prepaid) instance has auto-renewal enabled. Pay-as-you-go instances are not applicable. |
| ecs-instance-bandwidth-configured | ECS instance must configure outbound bandwidth | ROS | Checks that the ECS instance configures outbound bandwidth. |
| ecs-instance-charge-type-required | ECS instance must set charge type | ROS | Checks that the ECS instance sets a charge type. |
| ecs-instance-group-max-amount-required | ECS Instance Group Maximum Amount Required | ROS | ECS instance groups should declare MaxAmount so the intended replica ceiling is explicit. |
| ecs-instance-group-min-amount-required | ECS Instance Group Minimum Amount Required | ROS | ECS instance groups should declare MinAmount so the baseline replica count is explicit. |
| ecs-instance-image-expired-check | ECS Instance Image Expired Check | ROS, Terraform | Ensures that the image used by the ECS instance has not expired. |
| ecs-instance-image-type-check | ECS Instance Image Type Check | ROS, Terraform | Ensures ECS instances use images from authorized sources. |
| ecs-instance-login-use-keypair | ECS Instance Login Using Key Pair | ROS, Terraform | Ensures that ECS instances use key pairs for login instead of passwords. |
| ecs-instance-meta-data-mode-check | ECS instance metadata access uses security-enhanced mode (IMDSv2) | ROS, Terraform | Compliant when the ECS instance enforces security-enhanced mode (IMDSv2) for metadata access. Instances that belong to ACK clusters are not applicable. |
| ecs-instance-name-required | ECS instance must configure name | ROS | Checks that the ECS instance has a name configured. |
| ecs-instance-no-public-and-anyip | ECS Instance Should Not Bind Public IP or Allow Any IP Access | ROS, Terraform | ECS instances should not directly bind IPv4 public IPs or Elastic IPs, and their associated security groups should not allow access from 0.0.0.0/0. Compliant when no public IP is bound to the instance. |
| ecs-instance-not-bind-key-pair | ECS Instance Not Bound to Key Pair | ROS, Terraform | Ensures that ECS instances use key pairs for authentication instead of passwords. |
| ecs-instance-operational-deletion-protection | ECS instance must enable deletion protection for operations | ROS | Checks that the ECS instance has deletion protection enabled for operations. |
| ecs-instance-tags-required | ECS instance must configure tags | ROS | Checks that the ECS instance has tags configured. |
| ecs-instance-type-family-not-deprecated | ECS Instance Type Not Deprecated | ROS, Terraform | Ensures ECS instances do not use deprecated or legacy instance types. |
| ecs-instance-type-required | ECS instance must set instance type | ROS | Checks that the ECS instance sets an instance type. |
| ecs-instances-in-vpc | ECS Instances in VPC | ROS, Terraform | ECS instances should be deployed in VPC (Virtual Private Cloud) networks rather than classic networks. VPC provides better network isolation, security, and flexibility. |
| ecs-internetmaxbandwidth-check | ECS Internet Max Bandwidth Check | ROS, Terraform | Ensures ECS internet outbound bandwidth does not exceed specified limits. |
| ecs-launch-template-network-type-check | ECS launch template uses VPC network type | ROS, Terraform | Compliant when the ECS launch template version sets the network type to VPC. The classic network type is not recommended for production environments. |
| ecs-launch-template-version-data-disk-encrypted | ECS launch template version enables data disk encryption | ROS, Terraform | Compliant when all data disks configured in the ECS launch template version are encrypted. |
| ecs-launch-template-version-image-type-check | Launch Template Image Type Check | ROS, Terraform | Ensures ECS launch templates use authorized image types. |
| ecs-running-instances-in-vpc | Running ECS instances are in VPC | ROS, Terraform | Compliant when the running ECS instance is deployed in a Virtual Private Cloud (VPC), which provides network isolation. |
| ecs-security-group-description-required | Security group must configure description | ROS | Checks that the security group has a description configured. |
| ecs-snapshot-policy-timepoints-check | ECS auto snapshot policy timepoints configured reasonably | ROS, Terraform | Compliant when the creation time points of the automatic snapshot policy fall within the specified time range. Creating a snapshot temporarily reduces block storage I/O performance (typically by less than 10%), so choose time points outside business peak hours. |
| eip-bandwidth-required | EIP must set bandwidth | ROS | Checks that the EIP sets a bandwidth. |
| eip-delete-protection-enabled | EIP Deletion Protection Enabled | ROS, Terraform | Ensures that EIP instances have deletion protection enabled. |
| eip-explicit-bandwidth-required | EIP must configure bandwidth | ROS | Checks that the EIP explicitly configures a bandwidth. |
| elasticsearch-instance-enabled-data-node-encryption | Elasticsearch Data Node Encryption Enabled | ROS, Terraform | Ensures that data nodes in the Elasticsearch instance have disk encryption enabled. |
| elasticsearch-instance-enabled-node-config-disk-encryption | ES Node Config Disk Encryption | ROS, Terraform | Ensures that the node configurations of the Elasticsearch instance have disk encryption enabled. |
| elasticsearch-instance-multi-zone | Elasticsearch Instance Multi-Zone Deployment | ROS, Terraform | Elasticsearch instances should be deployed across multiple availability zones. |
| emr-cluster-master-public-access-check | EMR Cluster Master Node Public Access Check | ROS, Terraform | EMR on ECS cluster master nodes should not have public IP enabled. |
| ess-group-health-check | ESS Scaling Group Health Check | ROS, Terraform | ESS scaling groups should enable ECS instance health checks. |
| ess-scaling-configuration-attach-security-group | ESS Scaling Configuration Security Group | ROS, Terraform | ESS scaling configurations should attach security groups to instances for proper network isolation and access control. |
| ess-scaling-configuration-enabled-internet-check | ESS Scaling Configuration Internet Access Check | ROS, Terraform | Ensures that ESS scaling configurations do not enable public IP addresses for instances unless necessary. |
| ess-scaling-configuration-image-check | ESS Scaling Configuration Image Check | ROS, Terraform | ESS scaling configurations should specify a maintained image. |
| ess-scaling-configuration-image-type-check | ESS Scaling Configuration Image Type Check | ROS, Terraform | ESS scaling configurations should use images from specified sources. |
| ess-scaling-configuration-instance-type-candidates-required | ESS scaling configuration must set instance type | ROS | Checks that the ESS scaling configuration sets an instance type. |
| ess-scaling-group-attach-multi-switch | ESS Scaling Group Multi-VSwitch | ROS, Terraform | ESS scaling groups should be associated with at least two VSwitches for high availability across multiple zones. |
| ess-scaling-group-attach-slb | ESS Scaling Group Attach SLB | ROS, Terraform | ESS scaling groups should be attached to a Classic Load Balancer (SLB) instance. |
| ess-scaling-group-capacity-bounds-required | ESS scaling group must configure MaxSize | ROS | Checks that the ESS scaling group configures MaxSize. |
| ess-scaling-group-cooldown-configured | ESS scaling group must configure cooldown | ROS | Checks that the ESS scaling group configures a cooldown period. |
| ess-scaling-group-loadbalancer-check | ESS Scaling Group Load Balancer Existence Check | ROS, Terraform | ESS scaling groups should be attached to load balancers for traffic distribution. |
| ess-scaling-rule-action-configured | ESS scaling rule must configure adjustment | ROS | Checks that the ESS scaling rule configures an adjustment. |
| fc-function-custom-domain-and-cert-enable | FC Function Custom Domain Certificate Check | ROS, Terraform | FC custom domains should have SSL certificates configured for secure communication. |
| fc-function-custom-domain-and-https-enable | FC Function Custom Domain HTTPS Check | ROS, Terraform | FC custom domains should have HTTPS enabled for secure communication. |
| fc-function-custom-domain-and-tls-enable | FC Function Custom Domain and TLS Enabled | ROS, Terraform | Ensures that custom domains for Function Compute functions have TLS enabled. |
| fc-function-instance-concurrency-configured | FC function must configure instance concurrency | ROS | Checks that the FC function configures instance concurrency. |
| fc-function-internet-and-custom-domain-enable | FC Service Internet Access with Custom Domain | ROS, Terraform | FC services with internet access should be bound to custom domains for proper access control. |
| fc-function-settings-check | FC Function Settings Check | ROS, Terraform | FC function settings should meet specified requirements for optimal performance and security. |
| fc-function-timeout-configured | FC function must configure timeout | ROS | Checks that the FC function configures a timeout. |
| fc-service-bind-role | FC Service Bound to RAM Role | ROS, Terraform | Ensures that the Function Compute service has a RAM role bound to it. |
| fc-service-internet-access-disable | FC Service Internet Access Disabled | ROS, Terraform | Ensures that the Function Compute service has internet access disabled when it should only access internal resources. |
| fc-service-log-enable | FC Service Log Enable | ROS, Terraform | FC services should have logging enabled for monitoring and troubleshooting. |
| fc-service-tracing-enable | FC Service Tracing Enable | ROS, Terraform | FC services should have tracing enabled for performance monitoring and debugging. |
| fc-service-vpc-binding | FC Service VPC Binding Enabled | ROS, Terraform | Ensures that the Function Compute service is configured to access resources within a VPC. |
| firewall-asset-open-protect | Cloud Firewall Asset Protection Enabled | ROS, Terraform | Ensures assets are protected by Cloud Firewall. |
| gpdb-instance-multi-zone | GPDB Instance Multi-Zone Deployment | ROS, Terraform | GPDB instances should be deployed with a standby zone for high availability. |
| gwlb-loadbalancer-multi-zone | GWLB LoadBalancer Multi-Zone Deployment | ROS, Terraform | GWLB LoadBalancer instances should be deployed across at least two availability zones. |
| hbase-cluster-deletion-protection | HBase Cluster Deletion Protection Enabled | ROS, Terraform | Ensures that HBase instances have deletion protection enabled. |
| hbase-cluster-in-vpc | HBase Cluster in VPC | ROS, Terraform | Ensures that the HBase cluster is deployed within a VPC. |
| hbase-cluster-multi-zone | HBase Cluster Multi-Zone Deployment | ROS, Terraform | HBase clusters should be deployed in cluster mode with at least 2 nodes for high availability. |
| internet-nat-gateway-in-specified-vpc | Internet NAT Gateway in Specified VPC | ROS, Terraform | Internet-facing NAT gateways should be created in specified VPCs according to network security requirements. |
| intranet-nat-gateway-in-specified-vpc | Intranet NAT Gateway in Specified VPC | ROS, Terraform | Intranet-facing NAT gateways should be created in specified VPCs according to network security requirements. |
| kafka-instance-multi-zone | Kafka Instance Multi-Zone Deployment | ROS, Terraform | Kafka instances should be deployed across multiple availability zones for high availability. |
| kms-instance-multi-zone | KMS Instance Multi-Zone Deployment | ROS, Terraform | KMS instances should be deployed across at least two availability zones for high availability and disaster recovery. |
| kms-key-delete-protection-enabled | KMS key deletion protection enabled | ROS, Terraform | Compliant when the KMS key has deletion protection enabled. Keys that are not in the Enabled state, and service keys (which cannot be deleted), are not applicable. |
| kms-key-description-required | KMS key must configure description | ROS | Checks that the KMS key has a description configured. |
| kms-key-rotation-enabled | KMS key automatic rotation enabled | ROS, Terraform | Compliant when the KMS user master key has automatic rotation enabled. Service keys and keys with externally imported key material are not applicable. |
| kms-secret-rotation-enabled | KMS Secret Automatic Rotation Enabled | ROS, Terraform | Ensures that KMS secrets have automatic rotation enabled to enhance security by periodically rotating secret values. |
| lindorm-instance-in-vpc | Lindorm Instance in VPC | ROS, Terraform | Ensures Lindorm instance is deployed in a VPC. |
| lindorm-instance-multi-zone | Lindorm Instance Multi-Zone Deployment | ROS, Terraform | Lindorm instances should be configured for multi-zone deployment with at least 4 LindormTable nodes for high availability. |
| logstore-ttl-required | SLS Logstore must set TTL | ROS | Checks that the SLS Logstore sets a TTL. |
| mongodb-instance-enabled-ssl | MongoDB Instance SSL Enabled | ROS, Terraform | Ensures MongoDB instances have SSL encryption enabled. |
| mongodb-instance-encryption-byok-check | MongoDB Instance TDE with Custom KMS Key | ROS, Terraform | MongoDB instances should have TDE enabled with a customer-managed KMS encryption key (BYOK). |
| mongodb-instance-in-vpc | MongoDB Instance Deployed in VPC | ROS, Terraform | MongoDB instances should be deployed in a VPC for network isolation. |
| mongodb-instance-log-audit | MongoDB Instance Audit Logging Enabled | ROS, Terraform | MongoDB instances should have audit logging enabled for security monitoring. |
| mongodb-instance-multi-node | MongoDB Instance Multi-Node for High Availability | ROS, Terraform | MongoDB instances should have a replication_factor of at least 3 for high availability. |
| mongodb-instance-multi-zone | MongoDB Instance Multi-Zone Deployment | ROS, Terraform | MongoDB instances should be deployed across multiple availability zones for high availability. |
| mongodb-instance-release-protection | MongoDB Instance Release Protection Enabled | ROS, Terraform | MongoDB instances should have release protection enabled to prevent accidental deletion. |
| mse-cluster-config-auth-enabled | MSE Cluster Config Auth Enabled | ROS, Terraform | Ensures that the Microservices Engine (MSE) cluster configuration center has authentication enabled. |
| mse-cluster-high-availability-configured | MSE cluster must configure replicas | ROS | Checks that the MSE cluster configures the number of replicas. |
| mse-cluster-multi-availability-area-architecture-check | MSE Cluster High-Availability Configuration | ROS, Terraform | MSE clusters should use the Professional Edition with an odd number of nodes, at least 3, for high availability. |
| mse-cluster-stable-version-check | MSE Cluster Uses Stable Version | ROS, Terraform | Ensures that MSE cluster engine version is greater than the minimum stable version. |
| mse-gateway-multi-availability-area-architecture-check | MSE Gateway Multi-Availability Zone Deployment | ROS, Terraform | MSE gateway should have backup_vswitch_id configured for multi-availability zone deployment. |
| nas-filesystem-mount-target-access-group-check | NAS Mount Target Access Group Check | ROS, Terraform | Ensures that NAS mount targets do not use the default VPC access group (DEFAULT_VPC_GROUP_NAME). |
| nat-gateway-spec-required | NAT Gateway must set specification | ROS | Checks that the NAT Gateway sets a specification. |
| natgateway-delete-protection-enabled | NAT Gateway Deletion Protection Enabled | ROS, Terraform | Ensures that NAT Gateways have deletion protection enabled. |
| natgateway-eip-used-check | NAT Gateway EIP Usage Check | ROS, Terraform | SNAT and DNAT should not use the same EIP to avoid potential conflicts and improve network segmentation. |
| natgateway-snat-eip-bandwidth-check | NAT Gateway SNAT EIP Bandwidth Consistency | ROS, Terraform | When SNAT entries are bound to multiple EIPs, those EIPs should have the same peak bandwidth or be added to a shared bandwidth package. |
| nlb-address-type-intranet | NLB should use intranet address type | ROS | Checks that the NLB instance uses the intranet address type. |
| nlb-loadbalancer-multi-zone | NLB LoadBalancer Multi-Zone Deployment | ROS, Terraform | NLB LoadBalancer instances should be deployed across at least two availability zones for high availability. |
| nlb-server-group-multi-zone | NLB Server Group Multi-Zone Distribution | ROS, Terraform | NLB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP type server groups. |
| oss-bucket-authorize-specified-ip | OSS Bucket Authorize Specified IP | ROS, Terraform | Ensures OSS bucket policy contains IP address conditions to restrict access. |
| oss-bucket-backup-enable | OSS Backup Enabled | ROS, Terraform | Ensures OSS buckets have backup or versioning enabled. |
| oss-bucket-logging-enabled | OSS Bucket Logging Enabled | ROS, Terraform | Ensures OSS bucket has access logging enabled. |
| oss-bucket-operational-access-logging | OSS bucket must enable logging | ROS | Checks that the OSS bucket has logging enabled. |
| oss-bucket-remote-replication | OSS Bucket Remote Replication Enabled | ROS, Terraform | Ensures that cross-region replication is enabled for the OSS bucket for disaster recovery. |
| oss-bucket-tags-required | OSS bucket must configure tags | ROS | Checks that the OSS bucket has tags configured. |
| oss-bucket-tls-version-check | OSS Bucket TLS Version Check | ROS, Terraform | Ensures that the OSS bucket is configured to use a secure version of TLS (TLS 1.2 or higher). |
| oss-bucket-versioning-enabled | OSS Bucket Versioning Enabled | ROS, Terraform | Ensures OSS bucket has versioning enabled. |
| oss-default-encryption-kms | OSS Bucket KMS Encryption Enabled | ROS, Terraform | Ensures OSS bucket uses KMS for server-side encryption. |
| oss-encryption-byok-check | OSS Bucket BYOK Encryption Check | ROS, Terraform | Ensures OSS bucket uses KMS encryption with a customer-managed key (BYOK). |
| oss-storage-class-required | OSS bucket must set storage class | ROS | Checks that the OSS bucket sets a storage class. |
| oss-zrs-enabled | OSS Bucket Zone-Redundant Storage Enabled | ROS, Terraform | Ensures OSS bucket uses Zone-Redundant Storage (ZRS) for high availability. |
| ots-instance-multi-zone | OTS Instance Zone-Redundant Storage | ROS, Terraform | OTS instances should use zone-redundant access mode (ConsoleOrVpc) for high availability. |
| ots-instance-network-not-normal | OTS Restricted Network Type | ROS, Terraform | OTS instances should not use unrestricted network access (Any). Use Vpc or ConsoleOrVpc instead. |
| pai-eas-instances-multi-zone | PAI EAS Instance Multi-Zone Deployment | ROS, Terraform | Ensures that PAI EAS instances are deployed across multiple zones for high availability. |
| polardb-cluster-delete-protection-enabled | PolarDB Cluster Deletion Protection Enabled | ROS, Terraform | Ensures that PolarDB clusters have deletion protection enabled. |
| polardb-cluster-enabled-ssl | PolarDB Cluster SSL Enabled | ROS, Terraform | Ensures PolarDB clusters have SSL encryption enabled. |
| polardb-cluster-multi-zone | PolarDB Cluster Multi-Zone Deployment | ROS, Terraform | PolarDB clusters should be deployed across multiple availability zones for high availability. |
| polardb-cluster-tags-required | PolarDB cluster must configure tags | ROS | Checks that the PolarDB cluster has tags configured. |
| polardb-dbcluster-in-vpc | PolarDB Cluster in VPC | ROS, Terraform | Ensures PolarDB cluster is deployed in a VPC. |
| polardb-revision-version-used-check | PolarDB Revision Version Used Check | ROS, Terraform | Ensures PolarDB cluster is using a stable kernel revision version. |
| polardb-x2-instance-multi-zone | PolarDB-X 2.0 Instance Multi-Zone Deployment | ROS, Terraform | PolarDB-X 2.0 instances should be deployed across 3 availability zones. |
| privatelink-server-endpoint-multi-zone | PrivateLink VPC Endpoint Service Multi-Zone Deployment | ROS, Terraform | PrivateLink VPC endpoint services should have resources deployed across multiple availability zones for high availability. |
| privatelink-servier-endpoint-multi-zone | PrivateLink Service Endpoint Multi-Zone Deployment | ROS, Terraform | Ensures that PrivateLink service endpoints are deployed across multiple zones for high availability. |
| ram-password-policy-check | RAM Password Policy Check | ROS, Terraform | Ensures that the RAM password policy meets the specified security requirements. |
| ram-policy-no-has-specified-document | RAM Policy No Specified Document | ROS, Terraform | Ensures custom RAM policies do not contain the specified permission configuration. |
| ram-role-has-specified-policy | RAM Role Has Specified Policy | ROS, Terraform | Ensures RAM roles have the specified policies attached. |
| ram-role-no-product-admin-access | RAM Role No Product Admin Access | ROS, Terraform | Ensures RAM roles do not have full administrative access or product administrator permissions. |
| ram-user-activated-ak-quantity-check | RAM User Active AK Quantity Check | ROS, Terraform | Ensures RAM users do not have more than one active AccessKey. |
| ram-user-ak-create-date-expired-check | RAM User AccessKey Creation Date Expired Check | ROS, Terraform | Ensures that RAM user AccessKeys are not older than the specified number of days. |
| ram-user-ak-used-expired-check | RAM User AccessKey Last Used Date Check | ROS, Terraform | Ensures that RAM user AccessKeys have been used within the specified number of days. |
| ram-user-has-specified-policy | RAM User Has Specified Policy | ROS, Terraform | Ensures RAM users have the required policies attached, including those inherited from groups. |
| ram-user-login-check | RAM User Login Enabled Check | ROS, Terraform | Ensures that RAM users who do not need console access have login disabled. |
| ram-user-no-has-specified-policy | RAM User No Specified Policy | ROS, Terraform | Ensures RAM users do not have specified risky policies attached. |
| ram-user-no-product-admin-access | RAM User No Product Administrative Access | ROS, Terraform | Ensures that RAM users do not have full administrative access to cloud products unless necessary. |
| ram-user-role-no-product-admin-access | RAM User Role No Product Admin Access | ROS, Terraform | Ensures RAM user-defined roles do not have product administrative permissions. |
| rds-backup-policy-required | RDS backup policy must be configured | ROS | Checks that a backup policy is configured for the RDS instance. |
| rds-instacne-delete-protection-enabled | RDS Instance Deletion Protection Enabled | ROS, Terraform | Ensures that RDS instances have deletion protection enabled. |
| rds-instance-deletion-protection-enabled | RDS instance must enable deletion protection | ROS | Checks that the RDS instance has deletion protection enabled. |
| rds-instance-enabled-auditing | RDS Instance Auditing Enabled | ROS, Terraform | Ensures RDS instances have SQL auditing enabled. |
| rds-instance-enabled-log-backup | RDS Instance Log Backup Enabled | ROS, Terraform | Ensures RDS instances have log backup enabled. |
| rds-instance-enabled-ssl | RDS Instance SSL Enabled | ROS, Terraform | Ensures RDS instances have SSL encryption enabled. |
| rds-instance-enabled-tde-disk-encryption | RDS Instance Enabled TDE or Disk Encryption | ROS, Terraform | RDS instance should have TDE (Transparent Data Encryption) or disk encryption enabled. |
| rds-instance-has-guard-instance | RDS Instance Has Guard Instance | ROS, Terraform | Ensures production RDS instances have a corresponding guard (disaster recovery) instance. |
| rds-instance-tags-required | RDS instance must configure tags | ROS | Checks that the RDS instance has tags configured. |
| rds-instance-zone-required | RDS Instance Primary Zone Required | ROS | RDS instances should explicitly configure the primary zone used for placement and failover planning. |
| rds-instances-in-vpc | RDS Instance in VPC | ROS, Terraform | Ensures that the RDS instance is deployed within a VPC. |
| rds-multi-az-support | RDS Instance Multi-AZ Deployment | ROS, Terraform | RDS instances should be deployed in multi-AZ configuration for high availability and automatic failover. |
| rds-pay-type-required | RDS instance must set pay type | ROS | Checks that the RDS instance sets a pay type. |
| rds-storage-type-required | RDS instance must set storage type | ROS | Checks that the RDS instance sets a storage type. |
| redis-architecturetype-cluster-check | Redis Architecture Type Cluster Check | ROS, Terraform | Ensures Redis instance uses cluster architecture type. |
| redis-backup-policy-required | Redis backup policy must be configured | ROS | Checks that a backup policy is configured for the Redis instance. |
| redis-instance-backup-log-enabled | Redis Instance Backup Log Enabled | ROS, Terraform | Ensures that backup is configured for the Redis instance. |
| redis-instance-class-required | Redis instance must set instance class | ROS | Checks that the Redis instance sets an instance class. |
| redis-instance-double-node-type | Redis Instance Double Node Type | ROS, Terraform | Ensures Redis instance uses double node type for high availability. |
| redis-instance-enabled-byok-tde | Redis Instance BYOK TDE Enabled | ROS, Terraform | Ensures that Redis instances have Transparent Data Encryption (TDE) enabled using Bring Your Own Key (BYOK). |
| redis-instance-enabled-ssl | Redis Instance SSL Enabled | ROS, Terraform | Ensures Redis instances have SSL encryption enabled. |
| redis-instance-in-vpc | Redis Instance in VPC | ROS, Terraform | Ensures Redis instance is deployed in a VPC. |
| redis-instance-multi-zone | Redis Instance Multi-Zone Deployment | ROS, Terraform | Redis instances should be deployed across multiple availability zones for high availability. |
| redis-instance-name-required | Redis instance must configure name | ROS | Checks that the Redis instance has a name configured. |
| redis-instance-release-protection | Redis Instance Release Protection Enabled | ROS, Terraform | Ensures that Redis instances have release protection enabled. |
| redis-instance-tls-version-check | Redis Instance TLS Version Check | ROS, Terraform | Ensures the Redis instance has SSL enabled and uses an acceptable TLS version. |
| redis-min-capacity-limit | Redis Min Capacity Limit | ROS, Terraform | Ensures the Redis instance's memory capacity meets the minimum requirement. |
| rocketmq-v5-instance-multi-zone | RocketMQ 5.0 Instance Multi-Zone Deployment | ROS, Terraform | RocketMQ 5.0 instances should be deployed in Cluster HA mode, which supports multi-zone availability. |
| security-center-version-check | Security Center Version Check | ROS | Security Center should be at a version that provides sufficient protection features. |
| security-group-enterprise-type | Security group must set type | ROS | Checks that the security group sets its type. |
| security-oss-bucket-logging-configured | OSS bucket must configure access logging | ROS | Checks that the OSS bucket has access logging configured. |
| slb-address-type-intranet | SLB should use intranet address type | ROS | Checks that the SLB uses the intranet address type. |
| slb-all-listener-enabled-acl | SLB All Listeners Have Access Control | ROS, Terraform | All running listeners of SLB instances should have access control lists (ACL) configured for security. |
| slb-all-listener-http-disabled | SLB All Listeners HTTP Disabled | ROS, Terraform | Ensures no SLB listeners use the insecure HTTP protocol. |
| slb-all-listener-http-redirect-https | SLB HTTP Redirect to HTTPS Enabled | ROS, Terraform | Ensures SLB HTTP listeners are configured to redirect traffic to HTTPS. |
| slb-all-listenter-has-server | SLB All Listeners Have Backend Servers | ROS, Terraform | When SLB load balancers exist, there should be at least one backend server resource configured. |
| slb-all-listenter-tls-policy-check | SLB Listener TLS Policy Check | ROS, Terraform | Ensures SLB HTTPS listeners use secure TLS cipher policies. |
| slb-default-server-group-multi-server | SLB Default Server Group Has Multiple Servers | ROS, Terraform | The default server group of SLB instances should have at least two servers to avoid single point of failure. |
| slb-instance-autorenewal-check | SLB Instance Auto-Renewal Check | ROS, Terraform | Prepaid SLB instances should have auto-renewal enabled to avoid service interruption. |
| slb-instance-default-server-group-multi-zone | SLB Default Server Group Multi-Zone | ROS, Terraform | The default server group of SLB instances should have resources distributed across multiple availability zones. |
| slb-instance-log-enabled | SLB Instance Logging Enabled | ROS, Terraform | Ensures that access logging is enabled for the SLB instance. |
| slb-instance-master-zone-required | SLB Instance Master Zone Required | ROS | SLB instances should configure a master zone as part of a primary/secondary zone deployment. |
| slb-instance-multi-zone | SLB Instance Multi-Zone Deployment | ROS, Terraform | SLB instances should be deployed across multiple zones by configuring both master and slave zones for high availability. |
| slb-instance-spec-check | SLB Instance Specification Check | ROS, Terraform | The SLB instance specification should be one of the specifications in the configured list, so that it meets the required performance criteria. |
| slb-internet-charge-type-required | SLB must set internet charge type | ROS | Checks that the SLB sets an internet charge type. |
| slb-listener-https-enabled | SLB Listener HTTPS Enabled | ROS, Terraform | Ensures SLB listeners use HTTPS protocol for secure communication. |
| slb-loadbalancer-in-vpc | SLB in VPC Check | ROS, Terraform | Ensures SLB instances are deployed within a Virtual Private Cloud (VPC). |
| slb-loadbalancer-name-required | SLB must configure name | ROS | Checks that the SLB configures a name. |
| slb-master-slave-server-group-multi-zone | SLB Master-Slave Server Group Multi-Zone | ROS, Terraform | The master-slave server group of SLB instances should have resources distributed across multiple availability zones. |
| slb-no-public-ip | SLB Instance No Public IP | ROS, Terraform | SLB instances should not have public IP addresses to reduce attack surface. |
| slb-vserver-group-multi-zone | SLB VServer Group Multi-Zone Deployment | ROS, Terraform | Ensures that SLB virtual server groups contain instances from multiple availability zones. |
| sls-logstore-enabled-encrypt | SLS Logstore Encryption Enabled | ROS, Terraform | Ensures SLS Logstores have server-side encryption enabled. |
| sls-logstore-encrypt-key-origin-check | SLS Logstore Encryption Key Origin Check | ROS, Terraform | Ensures SLS Logstores use externally imported key material (BYOK) for encryption, which provides better control over encryption keys. |
| sls-logstore-shard-count-configured | SLS Logstore must configure shard count | ROS | Checks that the SLS Logstore configures a shard count. |
| sls-logstore-ttl-configured | SLS Logstore must configure TTL | ROS | Checks that the SLS Logstore configures a TTL (retention period). |
| sls-project-description-required | SLS project must configure description | ROS | Checks that the SLS project configures a description. |
| sls-project-multi-zone | SLS Project Zone-Redundant Storage | ROS, Terraform | SLS projects should use zone-redundant storage (ZRS) for high availability and data durability. |
| vpc-flow-logs-enabled | VPC Flow Logs Enabled | ROS, Terraform | Ensures VPC flow logs are enabled for monitoring network traffic. |
| vpc-name-required | VPC must configure name | ROS | Checks that the VPC configures a name. |
| vpc-network-acl-not-empty | VPC Network ACL Not Empty | ROS, Terraform | Ensures VPC Network ACLs have at least one rule configured. |
| vpn-connection-master-slave-established | VPN Connection Dual Tunnel Established | ROS, Terraform | Ensures the VPN gateway uses dual tunnels and that both the master and slave tunnels are established with the peer. |
| vpn-gateway-multi-zone | VPN Gateway Multi-Zone Deployment | ROS, Terraform | VPN Gateways should be configured with a disaster recovery VSwitch to support multi-zone availability. |
| vswitch-available-ip-count | VSwitch Available IP Count Check | ROS, Terraform | Ensures that the VSwitch has a sufficient number of available IP addresses. |
| vswitch-name-required | VSwitch must configure name | ROS | Checks that the VSwitch configures a name. |
| vswitch-zone-required | VSwitch must configure zone | ROS | Checks that the VSwitch configures a zone. |
| waf-instance-logging-enabled | WAF Instance Logging Enabled | ROS, Terraform | Ensures that logging is enabled for the WAF instance for auditing and security analysis. |
| waf3-defense-resource-logging-enabled | WAF 3.0 Logging Enabled | ROS, Terraform | Ensures that logging is enabled for resources protected by WAF 3.0. |
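The following Terraform layout is an added example, not code from the rule catalog or its project: it shows how a single alicloud SLB deployment satisfies the `slb-*`, `vpc-name-required` and `vswitch-*` rules listed above, with each argument annotated with the rule it addresses. The resource names, zone IDs, the ACL CIDR, the certificate ID, the backend instance IDs and the provider version bound are assumptions chosen for illustration.

```hcl
# Added example (not from the rule catalog): resource names, zone IDs, the ACL
# CIDR, the certificate ID and the backend instance IDs are all assumptions.
terraform {
  required_providers {
    alicloud = { source = "aliyun/alicloud", version = ">= 1.124.0" }
  }
}

variable "server_certificate_id" { type = string }       # an uploaded alicloud_slb_server_certificate (assumed)
variable "backend_instance_ids"  { type = list(string) } # ECS instances, one per zone used below (assumed)

resource "alicloud_vpc" "main" {
  vpc_name   = "example-vpc"   # vpc-name-required
  cidr_block = "10.0.0.0/16"
}

resource "alicloud_vswitch" "a" {
  vpc_id       = alicloud_vpc.main.id
  vswitch_name = "example-vsw-a"  # vswitch-name-required
  zone_id      = "cn-hangzhou-h"  # vswitch-zone-required (zone IDs are assumptions)
  cidr_block   = "10.0.1.0/24"
}

resource "alicloud_slb_load_balancer" "internal" {
  load_balancer_name   = "example-internal-slb" # slb-loadbalancer-name-required
  address_type         = "intranet"             # slb-address-type-intranet, slb-no-public-ip
  vswitch_id           = alicloud_vswitch.a.id  # slb-loadbalancer-in-vpc
  load_balancer_spec   = "slb.s2.small"         # slb-instance-spec-check; tls_cipher_policy below needs a guaranteed-performance spec
  master_zone_id       = "cn-hangzhou-h"        # slb-instance-master-zone-required
  slave_zone_id        = "cn-hangzhou-i"        # slb-instance-multi-zone
  internet_charge_type = "PayByTraffic"         # slb-internet-charge-type-required
  payment_type         = "PayAsYouGo"           # slb-instance-autorenewal-check only applies to Subscription
}

# slb-all-listener-enabled-acl: every running listener references this whitelist.
resource "alicloud_slb_acl" "office" {
  name       = "example-office-acl"
  ip_version = "ipv4"
  entry_list {
    entry   = "10.10.0.0/24" # constructed office range
    comment = "office"
  }
}

# slb-listener-https-enabled + slb-all-listenter-tls-policy-check
resource "alicloud_slb_listener" "https" {
  load_balancer_id          = alicloud_slb_load_balancer.internal.id
  frontend_port             = 443
  backend_port              = 8443
  protocol                  = "https"
  bandwidth                 = -1
  server_certificate_id     = var.server_certificate_id
  tls_cipher_policy         = "tls_cipher_policy_1_2_strict" # no TLS 1.0/1.1, no weak suites
  acl_status                = "on"
  acl_type                  = "white"
  acl_id                    = alicloud_slb_acl.office.id
  health_check              = "on"
  health_check_uri          = "/healthz"
  health_check_connect_port = 8443
}

# slb-all-listener-http-redirect-https: port 80 only forwards to the HTTPS listener.
# This listener still fails slb-all-listener-http-disabled; remove it to pass that rule instead.
resource "alicloud_slb_listener" "http_redirect" {
  load_balancer_id = alicloud_slb_load_balancer.internal.id
  frontend_port    = 80
  backend_port     = 80
  protocol         = "http"
  bandwidth        = -1
  listener_forward = "on"
  forward_port     = alicloud_slb_listener.https.frontend_port
  acl_status       = "on"
  acl_type         = "white"
  acl_id           = alicloud_slb_acl.office.id
}

# slb-default-server-group-multi-server + slb-instance-default-server-group-multi-zone:
# at least two backends, spread across the master and slave zones.
resource "alicloud_slb_backend_server" "default" {
  load_balancer_id = alicloud_slb_load_balancer.internal.id
  dynamic "backend_servers" {
    for_each = var.backend_instance_ids
    content {
      server_id = backend_servers.value
      weight    = 100
    }
  }
}
```

Two caveats for practitioners: `tls_cipher_policy` is rejected by the API on shared-performance instances, so `slb-all-listenter-tls-policy-check` can only be satisfied together with a guaranteed-performance `load_balancer_spec`; and `slb-all-listener-http-disabled` and `slb-all-listener-http-redirect-https` cannot both pass while an HTTP listener exists, so decide per environment whether a port-80 redirect is wanted at all before enabling both rules.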