
Aliyun Rules

Total rules: 317

Rules by Severity

High Severity (100 Rules)

| Rule ID | Name | IaC Types | Description |
|---|---|---|---|
| ack-cluster-node-multi-zone | ACK Cluster Multi-Zone Deployment | ROS, Terraform | The ACK cluster nodes should be distributed across 3 or more availability zones for high availability. |
| ack-cluster-public-endpoint-check | ACK Cluster Public Endpoint Check | ROS, Terraform | ACK clusters should not have a public endpoint set, or the associated SLB listener should have ACL enabled. |
| acs-cluster-node-multi-zone | ACS Cluster Node Multi-Zone Deployment | ROS, Terraform | The ACS cluster nodes should be distributed across 3 or more availability zones for high availability. |
| actiontrail-enabled | ActionTrail Enabled | ROS, Terraform | Ensures ActionTrail is enabled to record account activities. |
| actiontrail-trail-intact-enabled | ActionTrail Trail Intact Enabled | ROS, Terraform | ActionTrail trail should be enabled and track all event types (Read and Write). |
| alb-acl-public-access-check | ALB ACL Does Not Allow Public Access | ROS, Terraform | Ensures that ALB access control lists do not contain 0.0.0.0/0 (allowing all IPs). |
| alb-all-listener-health-check-enabled | ALB All Listeners Health Check Enabled | ROS, Terraform | Ensures all ALB listeners have health checks enabled. |
| alb-delete-protection-enabled | ALB Instance Deletion Protection Enabled | ROS, Terraform | Ensures that ALB instances have deletion protection enabled. |
| alb-instance-multi-zone | ALB Instance Multi-Zone Deployment | ROS, Terraform | ALB instances should be deployed across multiple availability zones for high availability. If only one zone is selected, a zone failure will affect the ALB instance and business stability. |
| alb-instance-waf-enabled | ALB Instance Has WAF Protection | ROS, Terraform | Ensures that ALB instances have WAF3 (Web Application Firewall) protection enabled. |
| alb-server-group-multi-server | ALB Server Group Has Multiple Servers | ROS, Terraform | Ensures that ALB server groups contain at least two backend servers for high availability. |
| alidns-route-53-mx-check | DNS MX Record Has Valid SPF in Associated TXT Record | ROS, Terraform | Ensures that MX records have associated TXT records with valid SPF values for email validation. |
| api-gateway-group-force-https | API Gateway Group Force HTTPS | ROS, Terraform | Ensures API Gateway groups with public custom domains have HTTPS force redirect enabled. |
| bastionhost-instance-expired-check | BastionHost Instance Expiration Check | ROS, Terraform | Prepaid BastionHost instances should have auto-renewal enabled. |
| cdn-domain-multiple-origin-servers | CDN Domain Multiple Origin Servers | ROS, Terraform | CDN domains should be configured with multiple origin servers for high availability and fault tolerance. |
| cr-instance-any-ip-access-check | CR Instance No Any IP Access | ROS, Terraform | Ensures Container Registry instances do not have any IP (0.0.0.0/0) in their whitelist. |
| cr-repository-image-scanning-enabled | CR Instance Image Scanning Enabled | ROS, Terraform | Ensures Container Registry instances have image scanning enabled for security vulnerability detection. |
| cr-repository-type-private | CR Repository Type Private | ROS, Terraform | Ensures that CR repositories are set to PRIVATE. |
| dcdn-domain-multiple-origin-servers | DCDN Domain Multiple Origin Servers | ROS, Terraform | DCDN domains should be configured with multiple origin servers for high availability and fault tolerance. |
| eci-containergroup-environment-no-specified-keys | ECI Container Group Does Not Contain Sensitive Environment Variables | ROS, Terraform | Ensures that ECI container groups do not have sensitive environment variables such as passwords or access keys. |
| ecs-available-disk-encrypted | ECS Disk Encryption Enabled | ROS, Terraform | Ensures that all ECS disks are encrypted. |
| ecs-instance-attached-security-group | ECS Instance Attached Security Group | ROS, Terraform | If the ECS instance is included in the specified security group, the configuration is considered compliant. |
| ecs-instance-deletion-protection-enabled | ECS Instance Deletion Protection Enabled | ROS, Terraform | Ensures that ECS instances have deletion protection enabled. |
| ecs-instance-enabled-security-protection | ECS Instance Enabled Security Protection | ROS, Terraform | Ensures that ECS instances have the security enhancement strategy enabled. |
| ecs-instance-expired-check | ECS Prepaid Instance Expiration Check | ROS, Terraform | Prepaid instances should have auto-renewal enabled to avoid service interruption due to expiration. |
| ecs-instance-no-public-ip | ECS instance should not bind public IP | ROS, Terraform | ECS instances that do not directly bind an IPv4 public IP or Elastic IP are considered compliant. |
| ecs-launch-template-version-attach-security-group | ECS launch template version attaches security groups | ROS, Terraform | ECS launch template versions that have security groups configured for instances are considered compliant. |
| ecs-running-instance-no-public-ip | ECS Instance No Public IP | ROS, Terraform | ECS instances should not have a public IP address, to reduce direct internet exposure. |
| ecs-security-group-egress-not-all-access | Security Group Egress Not Set to All Access | ROS, Terraform | Security group egress rules should not be set to allow all access (all protocols, all ports, all destinations). |
| ecs-security-group-not-internet-cidr-access | Security Group Ingress Source IP Not Include Public IP | ROS, Terraform | Security group ingress rules with an accept policy should not have a source IP range that includes public internet IPs. |
| ecs-security-group-not-open-all-port | Security Group Ingress Not Open All Ports | ROS, Terraform | Security group ingress rules should not allow all ports. When the port range is not set to -1/-1, it is considered compliant. |
| ecs-security-group-not-open-all-protocol | Security Group Ingress Not Open All Protocols | ROS, Terraform | Security group ingress rules should not allow all protocols. When the protocol type is not set to ALL, it is considered compliant. |
| ecs-security-group-risky-ports-check-with-protocol | Security Group Risky Ports Check with Protocol | ROS, Terraform | When the security group ingress source is set to 0.0.0.0/0, the port range should not include risky ports (22, 3389) for the specified protocols (TCP/UDP), to reduce the risk of brute-force attacks. |
| ecs-security-group-white-list-port-check | Security Group Non-Whitelist Port Ingress Check | ROS, Terraform | Except for whitelisted ports (80), no port should have ingress rules allowing access from 0.0.0.0/0. |
| elasticsearch-instance-enabled-kibana-public-check | Elasticsearch Instance Kibana Does Not Enable Public Access | ROS, Terraform | Ensures that the Elasticsearch instance's Kibana is not accessible from public networks. |
| elasticsearch-instance-enabled-public-check | Elasticsearch Instance Does Not Enable Public Access | ROS, Terraform | Ensures that Elasticsearch instances are not accessible from public networks. |
| elasticsearch-instance-node-not-use-specified-spec | Elasticsearch Instance Does Not Use Deprecated Spec | ROS, Terraform | Ensures that Elasticsearch instances do not use deprecated or unsupported node specifications. |
| elasticsearch-instance-version-not-deprecated | Elasticsearch Instance Does Not Use Deprecated Version | ROS, Terraform | Ensures that Elasticsearch instances are not using deprecated or EOL versions. |
| elasticsearch-public-and-any-ip-access-check | Elasticsearch Public and Any IP Access Check | ROS, Terraform | Ensures that Elasticsearch instances do not have public access enabled or an open whitelist. |
| ess-scaling-configuration-data-disk-encrypted | ESS Scaling Configuration Data Disk Encryption | ROS, Terraform | All ESS scaling configuration data disks should be encrypted. |
| ess-scaling-configuration-sg-public-access | ESS Scaling Configuration Security Group Public Access | ROS, Terraform | ESS scaling configuration security groups should not allow unrestricted public access. |
| ess-scaling-configuration-system-disk-encrypted | ESS Scaling Configuration System Disk Encryption | ROS, Terraform | ESS scaling configurations should enable system disk encryption to protect system data at rest. |
| fc-function-runtime-check | FC Function Runtime Check | ROS, Terraform | FC functions should not use deprecated runtimes that may have security vulnerabilities. |
| fc-trigger-http-not-anonymous | FC HTTP Trigger Authentication Check | ROS, Terraform | FC HTTP triggers should require authentication to prevent unauthorized access. |
| gpdb-instance-disk-encryption-enabled | GPDB Disk Encryption Enabled | ROS, Terraform | Ensures GPDB instances have disk encryption enabled. |
| hbase-cluster-expired-check | HBase Prepaid Instance Expiration Check | ROS, Terraform | Prepaid HBase instances should have auto-renewal enabled. |
| hbase-cluster-ha-check | HBase Cluster High Availability Check | ROS, Terraform | HBase clusters should have at least 2 core instances for high availability. |
| kafka-instance-disk-encrypted | Kafka Instance Disk Encrypted | ROS, Terraform | Kafka instances should have disk encryption enabled at deployment time for data protection. |
| kafka-instance-public-access-check | Kafka Instance Public Access Check | ROS, Terraform | Kafka instances should not be deployed with public access (deploy_type 5). Use VPC-only deployment (deploy_type 4) to restrict access to internal networks. |
| maxcompute-project-encryption-enabled | MaxCompute Project Encryption Enabled | ROS, Terraform | Ensures MaxCompute projects have encryption enabled to protect stored data. |
| maxcompute-project-ip-whitelist-enabled | MaxCompute Project IP Whitelist Enabled | ROS, Terraform | Ensures MaxCompute projects have an IP whitelist configured to restrict access. |
| mongodb-cluster-expired-check | MongoDB Instance Expiration Check | ROS, Terraform | Prepaid MongoDB instances should have auto-renewal enabled. |
| mongodb-instance-class-not-shared | MongoDB Instance Uses Dedicated Class | ROS, Terraform | Ensures MongoDB instances use dedicated or exclusive instance classes, not shared instances. |
| mongodb-min-maxconnections-limit | MongoDB Instance Minimum Connections Spec | ROS, Terraform | The MongoDB instance class should meet minimum connection requirements (not use the smallest spec). |
| mongodb-min-maxiops-limit | MongoDB Instance Minimum IOPS Storage | ROS, Terraform | MongoDB instance storage should be at least 20 GB to meet IOPS requirements. |
| mongodb-public-access-check | MongoDB Whitelist Internet Restriction | ROS, Terraform | Ensures MongoDB security IP whitelists do not contain 0.0.0.0/0. |
| mongodb-public-and-any-ip-access-check | MongoDB Public and Any IP Access Check | ROS, Terraform | Ensures that MongoDB instances do not have an open whitelist (0.0.0.0/0). |
| mse-cluster-architecture-check | MSE Cluster Has Multiple Nodes | ROS, Terraform | The MSE cluster instance_count should be greater than 3 for high availability. |
| mse-cluster-internet-check | MSE Cluster Has No Public Internet Access | ROS, Terraform | Ensures that MSE clusters do not have public internet access enabled. |
| mse-gateway-architecture-check | MSE Gateway Has Multiple Nodes | ROS, Terraform | The MSE gateway should have replica > 1 for high availability. |
| nas-access-group-public-access-check | NAS Access Group IP Restriction | ROS, Terraform | Ensures NAS access rules do not allow 0.0.0.0/0. |
| nat-risk-ports-check | NAT Gateway DNAT Risk Ports Check | ROS, Terraform | Ensures NAT gateway DNAT entries do not expose high-risk ports. |
| oss-bucket-anonymous-prohibited | OSS Bucket Anonymous Access Prohibited | ROS, Terraform | Ensures that anonymous access is prohibited for the OSS bucket. |
| oss-bucket-only-https-enabled | OSS Bucket Only HTTPS Enabled | ROS, Terraform | Ensures the OSS bucket policy enforces HTTPS-only access. |
| oss-bucket-policy-no-any-anonymous | OSS Bucket Policy No Anonymous Access | ROS, Terraform | Ensures the OSS bucket policy does not grant any permissions to anonymous users. |
| oss-bucket-policy-outside-organization-check | OSS Bucket Policy No Outside Organization Access | ROS, Terraform | Ensures the OSS bucket policy does not grant access to principals outside the organization. |
| oss-bucket-public-read-prohibited | OSS Bucket Public Read Prohibited | ROS, Terraform | Ensures the OSS bucket ACL does not allow public read access. |
| oss-bucket-public-write-prohibited | OSS Bucket Public Write Prohibited | ROS, Terraform | OSS buckets should not allow public write access. Public write access allows anyone to upload, modify, or delete objects in the bucket, which poses significant security risks. |
| oss-bucket-server-side-encryption-enabled | OSS Bucket Server-Side Encryption Enabled | ROS, Terraform | Ensures the OSS bucket has server-side encryption enabled. |
| parameter-sensitive-noecho-check | Sensitive Parameters Must Have NoEcho | ROS | Template parameters that contain sensitive information (passwords, API keys, secrets) must be protected by either setting NoEcho to true or using valid AssociationProperty values, to prevent them from being displayed in plain text. |
| polardb-cluster-enabled-tde | PolarDB Cluster TDE Enabled | ROS, Terraform | Ensures PolarDB clusters have Transparent Data Encryption (TDE) enabled. |
| polardb-cluster-expired-check | PolarDB Cluster Expiration Check | ROS, Terraform | Prepaid PolarDB clusters should have auto-renewal enabled. |
| polardb-public-access-check | PolarDB Public Access Check | ROS, Terraform | Ensures PolarDB security_ips is not set to allow all source IPs (0.0.0.0/0). |
| polardb-public-and-any-ip-access-check | PolarDB Public and Any IP Access Check | ROS, Terraform | Ensures that PolarDB clusters do not have public endpoints and are not open to any IP address (0.0.0.0/0). |
| ram-policy-no-statements-with-admin-access-check | RAM Policy No Admin Access | ROS, Terraform | Ensures custom RAM policies do not grant full AdministratorAccess. |
| ram-user-mfa-check | RAM User MFA Enabled | ROS, Terraform | RAM users with console access should have multi-factor authentication (MFA) enabled. |
| ram-user-role-no-product-admin-access | RAM User Role No Product Admin Access | ROS, Terraform | Ensures RAM role policy attachments do not grant product administrative permissions. |
| ram-user-specified-permission-bound | RAM User Specified Permission Bound | ROS, Terraform | Ensures RAM users do not have the specified high-risk permissions bound. |
| rds-instance-enabled-disk-encryption | RDS Instance Disk Encryption Enabled | ROS, Terraform | Ensures RDS instances have disk encryption enabled. |
| rds-instance-expired-check | RDS Prepaid Instance Expiration Check | ROS, Terraform | Prepaid RDS instances should have auto-renewal enabled. |
| rds-public-access-check | RDS Instance Public Access Check | ROS, Terraform | RDS instances should not be configured with public network addresses. Public access exposes databases to potential security threats from the internet. |
| rds-public-connection-and-any-ip-access-check | RDS Public Connection and Any IP Access Check | ROS, Terraform | Ensures that RDS instances do not have a completely unrestricted security IP whitelist. |
| rds-white-list-internet-ip-access-check | RDS Whitelist Internet Restriction | ROS, Terraform | Ensures RDS security IP whitelists do not contain 0.0.0.0/0 or 0.0.0.0. |
| redis-instance-expired-check | Redis Prepaid Instance Expiration Check | ROS, Terraform | Prepaid Redis instances should have auto-renewal enabled. |
| redis-instance-no-public-ip | Redis Instance No Public IP | ROS, Terraform | Ensures Redis instances do not have a public IP assigned. |
| redis-instance-open-auth-mode | Redis Authentication Mode Enabled | ROS, Terraform | Ensures Redis instances require authentication and are not in 'no-password' mode. |
| redis-public-and-any-ip-access-check | Redis Public and Any IP Access Check | ROS, Terraform | Ensures that Redis instances do not have public access enabled or an open whitelist. |
| root-ak-check | Root User AccessKey Check | ROS | Ensures that the root account does not have active AccessKeys. |
| root-mfa-check | Root User MFA Check | ROS | Ensures that Multi-Factor Authentication (MFA) is enabled for the root account. |
| sg-public-access-check | Security Group Ingress Valid | ROS, Terraform | Security group ingress rules should not allow all ports (-1/-1) from all sources (0.0.0.0/0) simultaneously. |
| sg-risky-ports-check | Security group does not open risky ports to 0.0.0.0/0 | ROS, Terraform | When a security group ingress rule's source is set to 0.0.0.0/0, the port range must not include the specified risky ports to be considered compliant. If the source is not 0.0.0.0/0, the rule is compliant even if risky ports are included. |
| slb-acl-public-access-check | SLB ACL Public Access Check | ROS, Terraform | Ensures that SLB ACLs do not contain 0.0.0.0/0, to prevent unrestricted public access. |
| slb-all-listener-health-check-enabled | SLB All Listeners Health Check Enabled | ROS, Terraform | Ensures all SLB listeners have health checks enabled. |
| slb-all-listener-servers-multi-zone | SLB Multi-Zone with Multi-Zone Backend Servers | ROS, Terraform | SLB instances should be multi-zone, with master_zone_id and slave_zone_id configured to different zones. |
| slb-delete-protection-enabled | SLB Instance Deletion Protection Enabled | ROS, Terraform | Ensures that SLB instances have deletion protection enabled. |
| slb-listener-risk-ports-check | SLB Listener Risk Ports Check | ROS, Terraform | Ensures SLB listeners do not expose high-risk ports such as 22 or 3389. |
| transit-router-vpc-attachment-multi-zone | Transit Router VPC Attachment Multi-Zone Configuration | ROS, Terraform | Transit Router VPC attachments should be configured with vSwitches in at least two different availability zones for cross-zone high availability. |
| tsdb-instance-security-ip-check | TSDB Instance Does Not Allow Any IP Access | ROS, Terraform | Ensures that TSDB instances do not have security whitelists that allow all IPs. |
| use-waf-instance-for-security-protection | Use WAF for Security Protection | ROS, Terraform | A Web Application Firewall (WAF) should be used to protect websites and apps from web-based attacks. |
| vpc-network-acl-risky-ports-check | VPC Network ACL Risky Ports Check | ROS, Terraform | Ensures VPC Network ACLs do not allow unrestricted access to risky ports (22, 3389). |

Medium Severity (176 Rules)

| Rule ID | Name | IaC Types | Description |
|---|---|---|---|
| ack-cluster-encryption-enabled | ACK Cluster Secret Encryption Enabled | ROS, Terraform | ACK Pro clusters should have Secret encryption at rest enabled using KMS. |
| ack-cluster-inspect-kubelet-version-outdate-check | ACK Kubelet Version Check | ROS, Terraform | Ensures the Kubelet version in the ACK cluster is up to date. |
| ack-cluster-log-plugin-installed | ACK Cluster Log Plugin Installed | ROS, Terraform | Ensures the log-service addon is installed in the ACK cluster. |
| ack-cluster-rrsa-enabled | ACK Cluster RRSA Enabled | ROS, Terraform | Ensures that the RAM Roles for Service Accounts (RRSA) feature is enabled for the ACK cluster. |
| ack-cluster-supported-version | ACK Cluster Supported Version | ROS, Terraform | Ensures that the ACK cluster is running a supported version. |
| ack-cluster-upgrade-latest-version | ACK Cluster Upgraded to Latest Version | ROS, Terraform | Ensures that the ACK cluster is running the latest available version. |
| adb-cluster-multi-zone | ADB Cluster Multi-Zone Deployment | ROS, Terraform | The ADB cluster should be deployed in multi-zone mode. |
| alb-all-listenter-has-server | ALB Listener Has Backend Server | ROS, Terraform | Ensures all ALB listeners are associated with a non-empty server group. |
| alb-instance-bind-security-group-or-enabled-acl | ALB Instance Bind Security Group or Enable ACL | ROS, Terraform | ALB instances should have security groups associated or an ACL configured for all running listeners. |
| alb-server-group-multi-zone | ALB Server Group Multi-Zone Distribution | ROS, Terraform | ALB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP/Function Compute type server groups. |
| alidns-domain-regex-match | Alibaba Cloud DNS Domain Names Match Naming Convention | ROS, Terraform | Ensures that Alibaba Cloud DNS domain names match the specified naming convention regex. |
| api-gateway-api-auth-jwt | API Gateway API Auth JWT | ROS, Terraform | Ensures API Gateway APIs use JWT authentication. |
| api-gateway-api-auth-required | API Gateway API Auth Required | ROS, Terraform | Ensures API Gateway APIs have authentication configured. |
| api-gateway-api-internet-request-https | API Gateway Internet Request HTTPS Enabled | ROS, Terraform | Ensures that API Gateway APIs exposed to the internet use the HTTPS protocol. |
| api-gateway-api-visibility-private | API Gateway API Visibility Private | ROS, Terraform | Ensures API Gateway APIs are set to PRIVATE visibility. |
| api-gateway-group-bind-domain | API Gateway Group Bind Domain | ROS, Terraform | Ensures API Gateway groups have custom domains bound. |
| api-gateway-group-enabled-ssl | API Gateway Group SSL Enabled | ROS, Terraform | Ensures that SSL is enabled for API Gateway groups. |
| api-gateway-group-https-policy-check | API Gateway Group HTTPS Policy Check | ROS, Terraform | Ensures API Gateway groups have the HTTPS security policy set correctly. |
| api-gateway-group-log-enabled | API Gateway Group Log Enabled | ROS, Terraform | Ensures API Gateway groups have logging configured. |
| apigateway-instance-multi-zone | API Gateway Instance Multi-Zone Deployment | ROS, Terraform | API Gateway instances should be deployed in a multi-zone configuration for high availability. |
| bastionhost-instance-spec-check | BastionHost Instance Multi-Zone Spec Check | ROS, Terraform | The BastionHost instance should use the Enterprise version, which supports multi-zone deployment. |
| cen-cross-region-bandwidth-check | CEN Cross-Region Bandwidth Check | ROS, Terraform | CEN instance cross-region connections should have sufficient bandwidth allocated to meet performance requirements. |
| clickhouse-dbcluster-multi-zone | ClickHouse DBCluster Multi-Zone Deployment | ROS, Terraform | ClickHouse clusters should use the HighAvailability (Double-replica) edition for multi-zone deployment. Note: this applies only to the community edition. |
| cr-instance-multi-zone | CR Instance with Zone-Redundant OSS Bucket | ROS, Terraform | Container Registry instances should be associated with zone-redundant OSS buckets for high availability. |
| ecs-disk-all-encrypted-by-kms | ECS disk with KMS encryption enabled | ROS, Terraform | ECS disks that are encrypted with KMS are considered compliant. |
| ecs-disk-encrypted | ECS data disk encryption enabled | ROS, Terraform | ECS data disks that have encryption enabled are considered compliant. |
| ecs-disk-in-use | ECS disk is in use | ROS, Terraform | ECS disks that are attached to an instance or in the in-use state are considered compliant. Disks that are available or unattached may be idle resources. |
| ecs-disk-retain-auto-snapshot | Retain auto snapshot when ECS disk is released | ROS, Terraform | ECS disks configured to retain auto snapshots when released are considered compliant. This helps protect data from accidental deletion. |
| ecs-in-use-disk-encrypted | ECS In-Use Disk Encryption | ROS, Terraform | ECS data disks should have encryption enabled to protect data at rest. Encrypted disks use KMS keys to encrypt data, ensuring data security and compliance with regulatory requirements. |
| ecs-instance-auto-renewal-enabled | ECS subscription instance has auto-renewal enabled | ROS, Terraform | ECS subscription (prepaid) instances that have auto-renewal enabled are considered compliant. Pay-as-you-go instances are not applicable. |
| ecs-instance-image-expired-check | ECS Instance Image Expired Check | ROS, Terraform | Ensures that the image used by the ECS instance has not expired. |
| ecs-instance-image-type-check | ECS Instance Image Type Check | ROS, Terraform | Ensures ECS instances use images from authorized sources. |
| ecs-instance-login-use-keypair | ECS Instance Login Using Key Pair | ROS, Terraform | Ensures that ECS instances use key pairs for login instead of passwords. |
| ecs-instance-meta-data-mode-check | ECS instance metadata access uses security-enhanced mode (IMDSv2) | ROS, Terraform | ECS instances that enforce security-enhanced mode (IMDSv2) for metadata access are considered compliant. Instances associated with ACK clusters are not applicable. |
| ecs-instance-no-public-and-anyip | ECS Instance Should Not Bind Public IP or Allow Any IP Access | ROS, Terraform | ECS instances should not directly bind IPv4 public IPs or Elastic IPs, and associated security groups should not expose 0.0.0.0/0. Compliant when no public IP is bound. |
| ecs-instance-not-bind-key-pair | ECS Instance Not Bound to Key Pair | ROS, Terraform | Ensures that ECS instances use key pairs for authentication instead of passwords. |
| ecs-instance-type-family-not-deprecated | ECS Instance Type Not Deprecated | ROS, Terraform | Ensures ECS instances do not use deprecated or legacy instance types. |
| ecs-instances-in-vpc | ECS Instances in VPC | ROS, Terraform | ECS instances should be deployed in VPC (Virtual Private Cloud) networks rather than classic networks. VPC provides better network isolation, security, and flexibility. |
| ecs-internetmaxbandwidth-check | ECS Internet Max Bandwidth Check | ROS, Terraform | Ensures ECS internet outbound bandwidth does not exceed the specified limits. |
| ecs-launch-template-network-type-check | ECS launch template uses VPC network type | ROS, Terraform | ECS launch template versions with the network type set to VPC are considered compliant. The classic network type is not recommended for production environments. |
| ecs-launch-template-version-data-disk-encrypted | ECS launch template version enables data disk encryption | ROS, Terraform | ECS launch template versions in which all configured data disks are encrypted are considered compliant. |
| ecs-launch-template-version-image-type-check | Launch Template Image Type Check | ROS, Terraform | Ensures ECS launch templates use authorized image types. |
| ecs-running-instances-in-vpc | Running ECS instances are in VPC | ROS, Terraform | Running ECS instances deployed in a Virtual Private Cloud (VPC) are considered compliant. This provides network isolation and enhanced security. |
| ecs-snapshot-policy-timepoints-check | ECS auto snapshot policy timepoints configured reasonably | ROS, Terraform | Auto snapshot policies whose snapshot creation timepoints fall within the specified time range are considered compliant. Creating snapshots temporarily reduces block storage I/O performance, with the performance difference generally within 10%, causing brief slowdowns, so it is recommended to select timepoints that avoid business peak hours. |
| eip-delete-protection-enabled | EIP Deletion Protection Enabled | ROS, Terraform | Ensures that EIP instances have deletion protection enabled. |
| elasticsearch-instance-enabled-data-node-encryption | Elasticsearch Data Node Encryption Enabled | ROS, Terraform | Ensures that data nodes in the Elasticsearch instance have disk encryption enabled. |
| elasticsearch-instance-enabled-node-config-disk-encryption | ES Node Config Disk Encryption | ROS, Terraform | Ensures Elasticsearch elastic node configurations have disk encryption enabled. |
| elasticsearch-instance-multi-zone | Elasticsearch Instance Multi-Zone Deployment | ROS, Terraform | Elasticsearch instances should be deployed across multiple availability zones. |
| emr-cluster-master-public-access-check | EMR Cluster Master Node Public Access Check | ROS, Terraform | EMR on ECS cluster master nodes should not have a public IP enabled. |
| ess-group-health-check | ESS Scaling Group Health Check | ROS, Terraform | ESS scaling groups should enable ECS instance health checks. |
| ess-scaling-configuration-attach-security-group | ESS Scaling Configuration Security Group | ROS, Terraform | ESS scaling configurations should attach security groups to instances for proper network isolation and access control. |
| ess-scaling-configuration-enabled-internet-check | ESS Scaling Configuration Internet Access Check | ROS, Terraform | ESS scaling configurations should not enable public bandwidth for instances unless necessary. |
| ess-scaling-configuration-image-check | ESS Scaling Configuration Image Check | ROS, Terraform | ESS scaling configurations should use maintained images to ensure security and stability. |
| ess-scaling-configuration-image-type-check | ESS Scaling Configuration Image Type Check | ROS, Terraform | ESS scaling configurations should use images from the specified sources. |
| ess-scaling-group-attach-multi-switch | ESS Scaling Group Multi-VSwitch | ROS, Terraform | ESS scaling groups should be associated with at least two VSwitches for high availability across multiple zones. |
| ess-scaling-group-attach-slb | ESS Scaling Group Attach SLB | ROS, Terraform | ESS scaling groups should be attached to a Classic Load Balancer. |
| ess-scaling-group-loadbalancer-check | ESS Scaling Group Load Balancer Existence Check | ROS, Terraform | ESS scaling groups should be attached to load balancers for traffic distribution. |
| fc-function-custom-domain-and-cert-enable | FC Function Custom Domain Certificate Check | ROS, Terraform | FC custom domains should have SSL certificates configured for secure communication. |
| fc-function-custom-domain-and-https-enable | FC Function Custom Domain HTTPS Check | ROS, Terraform | FC custom domains should have HTTPS enabled for secure communication. |
| fc-function-custom-domain-and-tls-enable | FC Function Custom Domain and TLS Enabled | ROS, Terraform | Ensures that custom domains for Function Compute functions have TLS enabled. |
| fc-function-internet-and-custom-domain-enable | FC Service Internet Access with Custom Domain | ROS, Terraform | FC services with internet access should be bound to custom domains for proper access control. |
| fc-function-settings-check | FC Function Settings Check | ROS, Terraform | FC function settings should meet the specified requirements for optimal performance and security. |
| fc-service-bind-role | FC Service Bound to RAM Role | ROS, Terraform | Ensures that the Function Compute service has a RAM role bound to it. |
| fc-service-internet-access-disable | FC Service Internet Access Disabled | ROS, Terraform | Ensures that the Function Compute service has internet access disabled when it should only access internal resources. |
| fc-service-log-enable | FC Service Log Enable | ROS, Terraform | FC services should have logging enabled for monitoring and troubleshooting. |
| fc-service-tracing-enable | FC Service Tracing Enable | ROS, Terraform | FC services should have tracing enabled for performance monitoring and debugging. |
| fc-service-vpc-binding | FC Service VPC Binding Enabled | ROS, Terraform | Ensures that the Function Compute service is configured to access resources within a VPC. |
| firewall-asset-open-protect | Cloud Firewall Asset Protection Enabled | ROS, Terraform | Ensures assets are protected by Cloud Firewall. |
| gpdb-instance-multi-zone | GPDB Instance Multi-Zone Deployment | ROS, Terraform | GPDB instances should be deployed with a standby zone for high availability. |
| gwlb-loadbalancer-multi-zone | GWLB LoadBalancer Multi-Zone Deployment | ROS, Terraform | GWLB LoadBalancer instances should be deployed across at least two availability zones. |
| hbase-cluster-deletion-protection | HBase Cluster Deletion Protection Enabled | ROS, Terraform | Ensures that HBase instances have deletion protection enabled. |
| hbase-cluster-in-vpc | HBase Cluster Deployed in VPC | ROS, Terraform | Ensures that HBase instances are deployed within a VPC. |
| hbase-cluster-multi-zone | HBase Cluster Multi-Zone Deployment | ROS, Terraform | HBase clusters should be deployed in cluster mode with at least 2 nodes for high availability. |
| internet-nat-gateway-in-specified-vpc | Internet NAT Gateway in Specified VPC | ROS, Terraform | Internet-facing NAT gateways should be created in the specified VPCs according to network security requirements. |
| intranet-nat-gateway-in-specified-vpc | Intranet NAT Gateway in Specified VPC | ROS, Terraform | Intranet-facing NAT gateways should be created in the specified VPCs according to network security requirements. |
| kafka-instance-multi-zone | Kafka Instance Multi-Zone Deployment | ROS, Terraform | Kafka instances should be deployed across multiple availability zones for high availability. |
| kms-instance-multi-zone | KMS Instance Multi-Zone Deployment | ROS, Terraform | KMS instances should be deployed across at least two availability zones for high availability and disaster recovery. |
| kms-key-delete-protection-enabled | KMS Key Deletion Protection Enabled | ROS, Terraform | Ensures that KMS keys have deletion protection enabled to prevent accidental deletion. |
| kms-key-rotation-enabled | KMS Key Automatic Rotation Enabled | ROS, Terraform | Ensures that KMS keys have automatic rotation enabled, enhancing security by periodically rotating key material. |
| kms-secret-rotation-enabled | KMS Secret Automatic Rotation Enabled | ROS, Terraform | Ensures that KMS secrets have automatic rotation enabled, enhancing security by periodically rotating secret values. |
| lindorm-instance-in-vpc | Lindorm in VPC Check | ROS, Terraform | Ensures Lindorm instances are deployed within a VPC. |
| lindorm-instance-multi-zone | Lindorm Instance Multi-Zone Deployment | ROS, Terraform | Lindorm instances should have at least 4 table engine nodes for multi-zone deployment capability. |
| mongodb-instance-enabled-ssl | MongoDB Instance SSL Enabled | ROS, Terraform | MongoDB instances should have SSL enabled to encrypt data in transit. |
| mongodb-instance-encryption-byok-check | MongoDB Instance TDE with Custom KMS Key | ROS, Terraform | MongoDB instances should have TDE enabled with a customer-managed KMS encryption key (BYOK). |
| mongodb-instance-in-vpc | MongoDB Instance Uses VPC Network | ROS, Terraform | Ensures MongoDB instances are deployed in a Virtual Private Cloud (VPC) network. |
| mongodb-instance-log-audit | MongoDB Instance Audit Logging Enabled | ROS, Terraform | MongoDB instances should have audit logging enabled for security monitoring. |
| mongodb-instance-multi-node | MongoDB Instance Multi-Node for High Availability | ROS, Terraform | MongoDB instances should have a replication_factor of at least 3 for high availability. |
| mongodb-instance-multi-zone | MongoDB Instance Multi-Zone Deployment | ROS, Terraform | MongoDB instances should be deployed across multiple availability zones for disaster recovery. |
| mongodb-instance-release-protection | MongoDB Instance Release Protection Enabled | ROS, Terraform | MongoDB instances should have release protection enabled to prevent accidental deletion. |
| mse-cluster-config-auth-enabled | MSE Cluster Config Auth Enabled | ROS, Terraform | The MSE cluster should have an ACL entry list configured for authentication and access control. |
| mse-cluster-multi-availability-area-architecture-check | MSE Cluster High-Availability Configuration | ROS, Terraform | MSE clusters should use the Professional Edition with at least 3 instances (an odd number) for high availability. |
| mse-cluster-stable-version-check | MSE Cluster Uses Stable Version | ROS, Terraform | Ensures that the MSE cluster engine version is greater than the minimum stable version. |
| mse-gateway-multi-availability-area-architecture-check | MSE Gateway Multi-Availability Zone Deployment | ROS, Terraform | MSE gateways should be deployed across multiple availability zones by configuring a backup VSwitch. |
| nas-filesystem-mount-target-access-group-check | NAS Mount Target Access Group Check | ROS, Terraform | Ensures NAS mount targets do not use the 'DEFAULT_VPC_GROUP_NAME' access group. |
| natgateway-delete-protection-enabled | NAT Gateway Deletion Protection Enabled | ROS, Terraform | Ensures that NAT gateway instances have deletion protection enabled. |
| natgateway-eip-used-check | NAT Gateway EIP Usage Check | ROS, Terraform | SNAT and DNAT should not use the same EIP, to avoid potential conflicts and improve network segmentation. |
natgateway-snat-eip-bandwidth-checkNAT Gateway SNAT EIP Bandwidth ConsistencyROS, TerraformNAT gateway specification should not be Small to ensure adequate SNAT EIP bandwidth capacity.
nlb-loadbalancer-multi-zoneNLB LoadBalancer Multi-Zone DeploymentROS, TerraformNLB LoadBalancer instances should be deployed across at least two availability zones for high availability.
nlb-server-group-multi-zoneNLB Server Group Multi-Zone DistributionROS, TerraformNLB server groups should have backend servers distributed across multiple availability zones for high availability. This rule does not apply to server groups with no attached servers, or to IP type server groups.
oss-bucket-authorize-specified-ipOSS Bucket Authorize Specified IPROS, TerraformEnsures OSS bucket policies restrict access to specified IP ranges.
oss-bucket-backup-enableOSS Backup EnabledROS, TerraformEnsures OSS bucket has versioning enabled for backup purposes.
oss-bucket-logging-enabledOSS Bucket Logging EnabledROS, TerraformEnsures OSS bucket has access logging enabled.
oss-bucket-remote-replicationOSS Bucket Remote Replication EnabledROS, TerraformEnsures that cross-region replication is enabled for the OSS bucket for disaster recovery.
oss-bucket-tls-version-checkOSS Bucket TLS Version CheckROS, TerraformEnsures OSS bucket has a policy set to enforce TLS requirements.
oss-bucket-versioning-enabledOSS Bucket Versioning EnabledROS, TerraformEnsures OSS bucket has versioning enabled.
oss-default-encryption-kmsOSS bucket server-side KMS encryption enabledROS, TerraformOSS bucket has server-side KMS encryption enabled, considered compliant.
oss-encryption-byok-checkOSS Bucket BYOK Encryption CheckROS, TerraformEnsures OSS bucket uses KMS encryption with a customer-managed key (BYOK).
oss-zrs-enabledOSS Bucket Zone-Redundant Storage EnabledROS, TerraformEnsures OSS bucket uses Zone-Redundant Storage (ZRS) for high availability.
ots-instance-multi-zoneOTS Instance Zone-Redundant StorageROS, TerraformOTS instances should use zone-redundant access mode (ConsoleOrVpc) for high availability.
ots-instance-network-not-normalOTS Restricted Network TypeROS, TerraformOTS instances should not use unrestricted network access (Any). Use Vpc or ConsoleOrVpc instead.
pai-eas-instances-multi-zonePAI EAS Instance Multi-Zone DeploymentROS, TerraformEnsures that PAI EAS instances are deployed across multiple zones for high availability.
polardb-cluster-delete-protection-enabledPolarDB Cluster Deletion Protection EnabledROS, TerraformEnsures that PolarDB clusters have deletion protection enabled.
polardb-cluster-enabled-sslPolarDB Cluster SSL EnabledROS, TerraformEnsures PolarDB clusters have SSL encryption enabled.
polardb-cluster-multi-zonePolarDB Cluster Multi-Zone DeploymentROS, TerraformPolarDB clusters should be deployed across multiple availability zones for high availability.
polardb-dbcluster-in-vpcPolarDB Cluster in VPCROS, TerraformEnsures PolarDB cluster is deployed in a VPC by setting vswitch_id.
polardb-revision-version-used-checkPolarDB Revision Version Used CheckROS, TerraformEnsures PolarDB cluster is using a stable kernel revision version.
polardb-x2-instance-multi-zonePolarDB-X 2.0 Instance Multi-Zone DeploymentROS, TerraformPolarDB-X 2.0 instances should be deployed across 3 availability zones.
privatelink-server-endpoint-multi-zonePrivateLink VPC Endpoint Service Multi-Zone DeploymentROS, TerraformPrivateLink VPC endpoint services should have resources deployed across multiple availability zones for high availability.
privatelink-servier-endpoint-multi-zonePrivateLink Service Endpoint Multi-Zone DeploymentROS, TerraformEnsures that PrivateLink service endpoints are deployed across multiple zones for high availability.
ram-password-policy-checkRAM Password Policy CheckROS, TerraformEnsures that the RAM password policy meets the specified security requirements.
ram-policy-no-has-specified-documentRAM Policy No Specified DocumentROS, TerraformEnsures custom RAM policies do not contain the specified permission configuration.
ram-role-has-specified-policyRAM Role Has Specified PolicyROS, TerraformEnsures RAM roles have the specified policies attached.
ram-role-no-product-admin-accessRAM Role No Product Admin AccessROS, TerraformEnsures RAM roles do not have full administrative access or product administrator permissions.
ram-user-activated-ak-quantity-checkRAM User Active AK Quantity CheckROS, TerraformEnsures RAM users do not have more than one active AccessKey.
ram-user-ak-create-date-expired-checkRAM User AccessKey Creation Date Expired CheckROS, TerraformEnsures that RAM user AccessKeys are properly managed with secure storage.
ram-user-ak-used-expired-checkRAM User AccessKey Last Used Date CheckROS, TerraformEnsures that RAM user AccessKeys are in Active status.
ram-user-has-specified-policyRAM User Has Specified PolicyROS, TerraformEnsures RAM users have the required policies attached, including those inherited from groups.
ram-user-login-checkRAM User Login Enabled CheckROS, TerraformEnsures that RAM users who do not need console access have login disabled.
ram-user-no-has-specified-policyRAM User No Specified PolicyROS, TerraformEnsures RAM users do not have specified risky policies attached.
ram-user-no-product-admin-accessRAM User No Product Administrative AccessROS, TerraformEnsures that RAM users do not have full administrative access to cloud products unless necessary.
rds-instacne-delete-protection-enabledRDS Instance Deletion Protection EnabledROS, TerraformEnsures that RDS instances have deletion protection enabled.
rds-instance-enabled-auditingRDS Instance Auditing EnabledROS, TerraformEnsures RDS instances have SQL auditing enabled.
rds-instance-enabled-log-backupRDS Instance Log Backup EnabledROS, TerraformEnsures RDS instances have log backup enabled.
rds-instance-enabled-sslRDS Instance SSL EnabledROS, TerraformEnsures RDS instances have SSL encryption enabled.
rds-instance-enabled-tde-disk-encryptionRDS Instance Enabled TDE or Disk EncryptionROS, TerraformRDS instance should have TDE (Transparent Data Encryption) or disk encryption enabled.
rds-instance-has-guard-instanceRDS Instance Has Guard InstanceROS, TerraformEnsures production RDS instances have a corresponding guard (disaster recovery) instance.
rds-instances-in-vpcRDS Instance in VPCROS, TerraformEnsures that the RDS instance is deployed within a VPC.
rds-multi-az-supportRDS Instance Multi-AZ DeploymentROS, TerraformRDS instances should be deployed in multi-AZ configuration for high availability and automatic failover.
redis-architecturetype-cluster-checkRedis Architecture Type Cluster CheckROS, TerraformEnsures Redis instance uses cluster architecture type.
redis-instance-backup-log-enabledRedis Instance Backup Log EnabledROS, TerraformEnsures that backup is configured for the Redis instance.
redis-instance-double-node-typeRedis Instance Double Node TypeROS, TerraformEnsures Redis instance uses double node type for high availability.
redis-instance-enabled-byok-tdeRedis Instance BYOK TDE EnabledROS, TerraformEnsures that Redis instances have Transparent Data Encryption (TDE) enabled using Bring Your Own Key (BYOK).
redis-instance-enabled-sslRedis Instance SSL EnabledROS, TerraformEnsures Redis instances have SSL encryption enabled.
redis-instance-in-vpcRedis Instance in VPCROS, TerraformEnsures Redis instance is deployed in a VPC.
redis-instance-multi-zoneRedis Instance Multi-Zone DeploymentROS, TerraformRedis instances should be deployed across multiple availability zones for high availability.
redis-instance-release-protectionRedis Instance Release Protection EnabledROS, TerraformEnsures that Redis instances have release protection enabled.
redis-instance-tls-version-checkRedis Instance TLS Version CheckROS, TerraformEnsures Redis instance has SSL enabled with acceptable TLS version.
redis-min-capacity-limitRedis Min Capacity LimitROS, TerraformEnsures Redis instance has memory capacity meeting the minimum requirement.
rocketmq-v5-instance-multi-zoneRocketMQ 5.0 Instance Multi-Zone DeploymentROS, TerraformRocketMQ 5.0 instances should be deployed in Cluster HA mode which supports multi-zone availability.
security-center-version-checkSecurity Center Version CheckROSSecurity Center should be at a version that provides sufficient protection features.
slb-all-listener-enabled-aclSLB All Listeners Have Access ControlROS, TerraformAll running listeners of SLB instances should have access control lists (ACL) configured for security.
slb-all-listener-http-disabledSLB All Listeners HTTP DisabledROS, TerraformEnsures no SLB listeners use the insecure HTTP protocol.
slb-all-listener-http-redirect-httpsSLB HTTP Redirect to HTTPS EnabledROS, TerraformEnsures SLB HTTP listeners are configured to redirect traffic to HTTPS.
slb-all-listenter-has-serverSLB All Listeners Have Backend ServersROS, TerraformAll listeners of SLB instances should have at least the specified number of backend servers attached.
slb-all-listenter-tls-policy-checkSLB Listener TLS Policy CheckROS, TerraformEnsures SLB HTTPS listeners use secure TLS cipher policies.
slb-default-server-group-multi-serverSLB Default Server Group Has Multiple ServersROS, TerraformThe default server group of SLB instances should have at least two servers to avoid single point of failure.
slb-instance-autorenewal-checkSLB Instance Auto-Renewal CheckROS, TerraformPrepaid SLB instances should have auto-renewal enabled to avoid service interruption.
slb-instance-default-server-group-multi-zoneSLB Default Server Group Multi-ZoneROS, TerraformThe default server group of SLB instances should have resources distributed across multiple availability zones.
slb-instance-log-enabledSLB Instance Logging EnabledROS, TerraformEnsures that access logging is enabled for the SLB instance.
slb-instance-multi-zoneSLB Instance Multi-Zone DeploymentROS, TerraformSLB instances should be deployed across multiple zones by configuring both master and slave zones for high availability.
slb-instance-spec-checkSLB Instance Specification CheckROS, TerraformSLB instance specifications should meet the required performance criteria based on the specified list.
slb-listener-https-enabledSLB Listener HTTPS EnabledROS, TerraformEnsures SLB listeners use HTTPS protocol for secure communication.
slb-loadbalancer-in-vpcSLB in VPC CheckROS, TerraformEnsures SLB instances are deployed within a Virtual Private Cloud (VPC).
slb-master-slave-server-group-multi-zoneSLB Master-Slave Server Group Multi-ZoneROS, TerraformThe master-slave server group of SLB instances should have resources distributed across multiple availability zones.
slb-no-public-ipSLB Instance No Public IPROS, TerraformSLB instances should not have public IP addresses to reduce attack surface.
slb-vserver-group-multi-zoneSLB VServer Group Multi-Zone DeploymentROS, TerraformEnsures that SLB virtual server groups contain instances from multiple availability zones.
sls-logstore-enabled-encryptSLS Logstore Encryption EnabledROS, TerraformEnsures SLS Logstores have server-side encryption enabled.
sls-logstore-encrypt-key-origin-checkSLS Logstore Encryption Key Origin CheckROS, TerraformEnsures SLS Logstores use externally imported key material (BYOK) for encryption, which provides better control over encryption keys.
sls-project-multi-zoneSLS Project Zone-Redundant StorageROS, TerraformSLS projects should use zone-redundant storage (ZRS) for high availability and data durability.
vpc-flow-logs-enabledVPC Flow Logs EnabledROS, TerraformEnsures VPC flow logs are enabled for monitoring network traffic.
vpc-network-acl-not-emptyVPC Network ACL Not EmptyROS, TerraformEnsures VPC Network ACLs have at least one rule configured.
vpn-connection-master-slave-establishedVPN Connection Dual Tunnel EstablishedROS, TerraformUse dual-tunnel VPN gateway and both master and slave tunnels are established with the peer.
vpn-gateway-multi-zoneVPN Gateway Multi-Zone DeploymentROS, TerraformVPN Gateways should be configured with a disaster recovery VSwitch to support multi-zone availability.
vswitch-available-ip-countVSwitch Available IP Count CheckROS, TerraformEnsures that the VSwitch has a sufficient number of available IP addresses.
waf-instance-logging-enabledWAF Instance Logging EnabledROS, TerraformEnsures that logging is enabled for the WAF instance for auditing and security analysis.
waf3-defense-resource-logging-enabledWAF 3.0 Logging EnabledROS, TerraformEnsures that logging is enabled for resources protected by WAF 3.0.

Low Severity (41 Rules)

| Rule ID | Name | IaC Types | Description |
| --- | --- | --- | --- |
| ack-cluster-spec-check | ACK Cluster Spec Check | ROS, Terraform | Ensures ACK clusters use approved specifications (e.g., ACK Pro). |
| alb-address-type-check | ALB Address Type Check | ROS, Terraform | Ensures ALB instances use the preferred address type (e.g., Intranet). |
| apig-group-custom-trace-enabled | API Gateway Group Custom Trace Enabled | ROS, Terraform | Ensures API Gateway groups have custom tracing enabled. |
| cr-repository-immutablity-enable | Container Registry repository image version is immutable | ROS, Terraform | A Container Registry repository whose image versions are immutable is considered compliant. |
| eci-container-group-volumn-mounts | ECI Volume Mounting Check | ROS, Terraform | Ensures ECI container groups have volumes mounted for persistent data storage. |
| ecs-disk-auto-snapshot-policy | ECS disk has auto snapshot policy configured | ROS, Terraform | An ECS disk with an auto snapshot policy configured is considered compliant. Disks not in use, disks that do not support auto snapshot policies, and non-persistent disks mounted by ACK clusters are not applicable. Once an auto snapshot policy is enabled, Alibaba Cloud automatically creates snapshots of the cloud disk at the preset times and intervals, enabling quick recovery after a virus intrusion or ransomware attack. |
| ecs-disk-idle-check | ECS Disk Idle Check | ROS, Terraform | Ensures that ECS disks are attached to an instance and not in an idle state. |
| ecs-disk-regional-auto-check | ECS Disk Zone-Redundant ESSD Storage | ROS, Terraform | ECS data disks should use zone-redundant ESSD storage for high availability. System disks are not applicable to this rule. |
| ecs-instance-chargetype-check | ECS Instance Charge Type Check | ROS, Terraform | Ensures ECS instances use the authorized charge type. |
| ecs-instance-multiple-eni-check | ECS instance is bound to only one elastic network interface | ROS, Terraform | An ECS instance bound to only one elastic network interface is considered compliant. This simplifies network configuration and reduces complexity. |
| ecs-instance-ram-role-attached | ECS Instance RAM Role Attached | ROS, Terraform | Ensures that ECS instances have a RAM role attached for secure access to other cloud services. |
| ecs-internet-charge-type-check | ECS Internet Charge Type Check | ROS, Terraform | Ensures ECS instances use the preferred internet charge type. |
| ecs-security-group-description-check | Security Group Description Not Empty | ROS, Terraform | The security group description should not be empty. Having a description helps with management and auditing. |
| ecs-security-group-type-not-normal | Use Enterprise Security Group Type | ROS, Terraform | The ECS security group type should not be the normal type. Using an enterprise security group is considered compliant. |
| ecs-snapshot-retention-days | ECS auto snapshot retention days meets requirements | ROS, Terraform | An ECS auto snapshot policy whose retention period is greater than the specified number of days is considered compliant. Default value: 7 days. |
| ecs-system-disk-size-check | ECS System Disk Size Check | ROS, Terraform | Ensures ECS system disks meet the minimum required size. |
| eip-attached | EIP Attached | ROS, Terraform | Ensures that EIP instances are associated with a resource. |
| eip-bandwidth-limit | EIP Bandwidth Limit | ROS, Terraform | Ensures EIP bandwidth does not exceed a specified maximum value. |
| hbase-cluster-type-check | HBase Cluster Engine Type Check | ROS, Terraform | HBase clusters should not use a deprecated engine type. |
| metadata-ros-composer-check | Template Metadata ALIYUN::ROS::Composer Check | ROS | The template must have Metadata.ALIYUN::ROS::Composer configured. The value must be a dictionary (object). |
| nas-filesystem-encrypt-type-check | NAS file system encryption configured | ROS, Terraform | Ensures that NAS file systems have encryption enabled (encrypt_type set to 1 or 2). |
| oss-bucket-referer-limit | OSS Bucket Referer Hotlink Protection | ROS, Terraform | Ensures the OSS bucket has referer-based hotlink protection configured. |
| polardb-cluster-default-time-zone-not-system | PolarDB Cluster Default Time Zone Not System | ROS, Terraform | Ensures the PolarDB cluster has its parameters configured with explicit time zone settings. |
| polardb-cluster-maintain-time-check | PolarDB Cluster Maintenance Window Check | ROS, Terraform | Ensures that the PolarDB cluster has a maintenance window configured. |
| ram-group-has-member-check | RAM Group Has Member | ROS, Terraform | Ensures RAM groups have at least one member. |
| ram-group-in-use-check | RAM Group In Use Check | ROS, Terraform | Ensures RAM groups are not idle: each must have at least one member and at least one attached policy. |
| ram-policy-in-use-check | RAM Policy In Use Check | ROS, Terraform | Ensures RAM policies are attached to at least one RAM user, group, or role. |
| ram-user-group-membership-check | RAM User Group Membership Check | ROS, Terraform | Ensures that RAM users belong to at least one group for easier permission management. |
| ram-user-last-login-expired-check | RAM User Last Login Check | ROS, Terraform | Checks whether RAM users have not logged in for a long time. |
| ram-user-no-policy-check | RAM User Has Policy | ROS, Terraform | Ensures RAM users have at least one policy attached. |
| rds-instance-maintain-time-check | RDS Instance Maintenance Window Check | ROS, Terraform | Ensures that the RDS instance has a maintenance window configured. |
| rds-instance-storage-autoscale-enable | RDS Storage Autoscale Enabled | ROS, Terraform | Ensures RDS instances have storage autoscaling enabled to prevent downtime caused by full disks. |
| redis-instance-backup-time-check | Redis Instance Backup Window Check | ROS, Terraform | Ensures that the Redis instance has a backup window configured. |
| root-has-specified-role | Root Account Has Specified Role | ROS | Ensures that the root account has a specified RAM role for governance and management. |
| slb-backendserver-weight-check | SLB Backend Server Weight Check | ROS, Terraform | Ensures SLB backend servers have reasonable weight configurations. |
| slb-instance-loadbalancerspec-check | SLB Instance Spec Check | ROS, Terraform | Ensures SLB instances use approved performance specifications. |
| slb-loadbalancer-bandwidth-limit | SLB Bandwidth Limit | ROS, Terraform | Ensures SLB instance bandwidth does not exceed a specified maximum value. |
| slb-modify-protection-check | SLB Modification Protection Enabled | ROS, Terraform | Ensures that SLB instances have modification protection enabled. |
| sls-logstore-hot-ttl-check | SLS Logstore Smart Tier Storage Enabled | ROS, Terraform | Ensures SLS Logstores have intelligent hot/cold tier storage enabled for cost optimization. |
| vpn-gateway-enabled-ssl-vpn | VPN Gateway SSL-VPN Enabled | ROS, Terraform | Ensures the VPN gateway has SSL-VPN enabled for secure client access. |
| vpn-ipsec-connection-health-check-open | VPN IPsec Health Check Enabled | ROS, Terraform | Ensures VPN IPsec connections have health checks enabled to detect tunnel failures. |