This topic describes the existing managed rules that Cloud Config provides. You can reference these managed rules to create rules in the Cloud Config console. The list of managed rules will be updated from time to time.

If you need other rules, submit a ticket and provide the rules to Alibaba Cloud staff. Alibaba Cloud staff will evaluate the rules and add universally applicable rules to the list of managed rules as required.

In the following managed rules, the applicable resource type of each rule is displayed in the format of a namespace. For more information about the resource types, see Cloud services supported by Cloud Config.

Check whether your account has activated ActionTrail

  • Rule name: actiontrail-enabled
  • Applicable resource type: ACS::ActionTrail::Trail
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if your account has activated ActionTrail.
  • Scenario: To meet the internal compliance requirements of your enterprise, you must activate ActionTrail for your account so that ActionTrail can monitor operations performed with your account on resources and record operations logs in real time. You can use this rule to check whether your account has activated ActionTrail.

Check whether the number of vCPUs of each Elastic Compute Service (ECS) instance under your account is greater than or equal to the threshold that you set

  • Rule name: ecs-cpu-min-count-limit
  • Applicable resource type: ACS::ECS::Instance
  • Rule parameter: cpuCount. The cpuCount parameter specifies the minimum number of vCPUs of each ECS instance under your account. Specify a value for this parameter in the Cloud Config console.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the number of vCPUs of each ECS instance under your account is greater than or equal to the threshold that you set.
  • Scenario: You can use the rule to monitor the specifications of ECS instances under your account. The instances are compliant only when the number of vCPUs is greater than or equal to the threshold that you set.

Check whether the ECS instances under your account are of the specified types

  • Rule name: ecs-desired-instance-type
  • Applicable resource type: ACS::ECS::Instance
  • Rule parameter: instanceTypes. Specify a value for this parameter in the Cloud Config console. The value is a list of ECS instance types separated with commas (,), for example, t2.small,m4.large,i2.xlarge.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the types of ECS instances under your account are all listed in the value.
  • Scenario: You can use this rule to limit the types of ECS instances under your account.

Check whether disks attached to ECS instances under your account are encrypted

  • Rule name: ecs-disk-encrypted
  • Applicable resource type: ACS::ECS::Disk
  • Rule parameter: kmsIds. If you do not specify a value for this parameter, the rule only checks whether disks are encrypted. If you have specified a value, the rule also checks whether the key IDs used to encrypt the disks are all listed in the specified value. You can enter multiple key IDs. Separate the key IDs with commas (,).
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the following conditions are met: All disks attached to ECS instances under your account are encrypted. In addition, if you have specified a value for the rule parameter, the key IDs used to encrypt the disks are all listed in the specified value.
  • Scenario: You can use this rule to check whether disks are encrypted and whether the encryption is compliant.

Check whether disks under your account are attached to corresponding ECS instances

  • Rule name: ecs-disk-in-use
  • Applicable resource type: ACS::ECS::Disk
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if all the disks under your account are attached to corresponding ECS instances.
  • Scenario: You can use this rule to check whether disks under your account are attached to corresponding ECS instances.

Check whether ECS instances under your account are bound to corresponding Virtual Private Cloud (VPC) instances

  • Rule name: ecs-instances-in-vpc
  • Applicable resource type: ACS::ECS::Instance
  • Rule parameter: vpcIds. If you do not specify a value for this parameter, the rule only checks whether ECS instances under your account are bound to VPC instances. If you have specified a value, the rule also checks whether the IDs of the VPC instances bound to the ECS instances are all listed in the specified value. You can enter multiple VPC IDs. Separate the VPC IDs with commas (,).
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the following conditions are met: All ECS instances under your account are bound to corresponding VPC instances. In addition, if you have specified a value for the rule parameter, the IDs of VPC instances bound to the ECS instances are all listed in the specified value.
  • Scenario: You can use this rule to check whether all ECS instances under your account are bound to VPC instances and, if you specify a value, whether they are bound to the specified VPC instances.
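As an added example (not Cloud Config's own evaluator), the following Python applies the ecs-disk-encrypted and ecs-instances-in-vpc semantics described above, including the optional comma-separated kmsIds and vpcIds allow lists, to constructed resource records. The record field names (Encrypted, KMSKeyId, VpcId) and the placeholder IDs are assumptions, not Cloud Config's actual configuration-item schema.

```python
# Added example: evaluates the ecs-disk-encrypted and ecs-instances-in-vpc
# managed-rule semantics over constructed records. Field names (Encrypted,
# KMSKeyId, VpcId) are assumptions, not Cloud Config's real schema.

def parse_id_list(param):
    """Parse an optional comma-separated rule parameter; None means 'not specified'."""
    if not param or not param.strip():
        return None
    return {p.strip() for p in param.split(",") if p.strip()}

def evaluate_disk_encrypted(disk, kms_ids=None):
    """ecs-disk-encrypted: encrypted, and (if kmsIds is set) with a listed key ID."""
    allowed = parse_id_list(kms_ids)
    if not disk.get("Encrypted", False):
        return "NON_COMPLIANT"
    if allowed is not None and disk.get("KMSKeyId") not in allowed:
        return "NON_COMPLIANT"
    return "COMPLIANT"

def evaluate_instance_in_vpc(instance, vpc_ids=None):
    """ecs-instances-in-vpc: bound to a VPC, and (if vpcIds is set) to a listed VPC."""
    allowed = parse_id_list(vpc_ids)
    vpc = instance.get("VpcId")
    if not vpc:
        return "NON_COMPLIANT"
    if allowed is not None and vpc not in allowed:
        return "NON_COMPLIANT"
    return "COMPLIANT"

# Constructed sample records (placeholder IDs, not real resources).
DISKS = [
    {"DiskId": "d-example-1", "Encrypted": True, "KMSKeyId": "key-example-a"},
    {"DiskId": "d-example-2", "Encrypted": True, "KMSKeyId": "key-example-z"},
    {"DiskId": "d-example-3", "Encrypted": False},
]
INSTANCES = [
    {"InstanceId": "i-example-1", "VpcId": "vpc-example-a"},
    {"InstanceId": "i-example-2", "VpcId": ""},  # not bound to any VPC
]

def evaluate_account(kms_ids="key-example-a", vpc_ids=None):
    """Return {resource id: result} for every constructed record."""
    results = {d["DiskId"]: evaluate_disk_encrypted(d, kms_ids) for d in DISKS}
    results.update({i["InstanceId"]: evaluate_instance_in_vpc(i, vpc_ids) for i in INSTANCES})
    return results

if __name__ == "__main__":
    for rid, res in evaluate_account().items():
        print(rid, res)
```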

Check whether the number of GPU cores of each ECS instance under your account is greater than or equal to the threshold that you set

  • Rule name: ecs-gpu-min-count-limit
  • Applicable resource type: ACS::ECS::Instance
  • Rule parameter: gpuCount. The gpuCount parameter specifies the minimum number of GPU cores of an ECS instance under your account. Specify a value for this parameter in the Cloud Config console.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the number of GPU cores of each ECS instance under your account is greater than or equal to the threshold that you set.
  • Scenario: You can use this rule to check whether the number of GPU cores of each ECS instance under your account meets the requirements.

Check whether the memory size of each ECS instance under your account is greater than or equal to the threshold that you set

  • Rule name: ecs-memory-min-size-limit
  • Applicable resource type: ACS::ECS::Instance
  • Rule parameter: memorySize. The memorySize parameter specifies the minimum memory size of each ECS instance under your account. Specify a value for this parameter in the Cloud Config console.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the memory size of each ECS instance under your account is greater than or equal to the threshold that you set.
  • Scenario: You can use this rule to check whether the memory size of each ECS instance under your account meets the requirements.

Check whether the number of CPU cores of each ApsaraDB for RDS instance under your account is greater than or equal to the threshold that you set

  • Rule name: rds-cpu-min-count-limit
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: cpuCount. The cpuCount parameter specifies the minimum number of CPU cores of each ApsaraDB for RDS instance under your account. Specify a value for this parameter in the Cloud Config console.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the number of CPU cores of each ApsaraDB for RDS instance under your account is greater than or equal to the threshold that you set.
  • Scenario: You can use this rule to check whether the number of CPU cores of each ApsaraDB for RDS instance under your account meets the requirements.

Check whether the ApsaraDB for RDS instances under your account are of the specified types

  • Rule name: rds-desired-instance-type
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: instanceTypes. Specify a value for this parameter in the Cloud Config console. The value is a list of ApsaraDB for RDS instance types separated with commas (,), for example, rds.mysql.s2.large,mysql.n1.micro.1.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the types of ApsaraDB for RDS instances under your account are all listed in the value.
  • Scenario: You can use this rule to limit the types of ApsaraDB for RDS instances under your account.

Check whether ApsaraDB for RDS instances under your account are high-availability instances

  • Rule name: rds-high-availability-category
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the ApsaraDB for RDS instances under your account are high-availability instances.
  • Scenario: You can use this rule to check the high-availability configuration of ApsaraDB for RDS instances under your account.

Check whether ApsaraDB for RDS instances under your account are bound to corresponding VPC instances

  • Rule name: rds-instances-in-vpc
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: vpcIds. If you do not specify a value for this parameter, the rule only checks whether ApsaraDB for RDS instances under your account are bound to VPC instances. If you have specified a value, the rule also checks whether the IDs of the VPC instances bound to the ApsaraDB for RDS instances are all listed in the specified value. You can enter multiple VPC IDs. Separate the VPC IDs with commas (,).
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the following conditions are met: All ApsaraDB for RDS instances under your account are bound to corresponding VPC instances. In addition, if you have specified a value for the rule parameter, the IDs of VPC instances bound to the ApsaraDB for RDS instances are all listed in the specified value.
  • Scenario: You can use this rule to check whether all ApsaraDB for RDS instances under your account are bound to VPC instances and, if you specify a value, whether they are bound to the specified VPC instances.

Check whether the storage size of each ApsaraDB for RDS instance under your account is greater than or equal to the threshold that you set

  • Rule name: rds-instance-storage-min-size-limit
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: storageSize. The storageSize parameter specifies the minimum storage size of each ApsaraDB for RDS instance under your account. Specify a value for this parameter in the Cloud Config console.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the storage size of each ApsaraDB for RDS instance under your account is greater than or equal to the threshold that you set.
  • Scenario: You can use this rule to check whether the storage size of each ApsaraDB for RDS instance under your account meets the requirements.

Check whether the memory size of each ApsaraDB for RDS instance under your account is greater than or equal to the threshold that you set

  • Rule name: rds-memory-min-size-limit
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: memorySize. The memorySize parameter specifies the minimum memory size of each ApsaraDB for RDS instance under your account. Specify a value for this parameter in the Cloud Config console.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the memory size of each ApsaraDB for RDS instance under your account is greater than or equal to the threshold that you set.
  • Scenario: You can use this rule to check whether the memory size of each ApsaraDB for RDS instance under your account meets the requirements.

Check whether ApsaraDB for RDS instances under your account support deployment across multiple zones

  • Rule name: rds-multi-az-support
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the ApsaraDB for RDS instances under your account support deployment across multiple zones.
  • Scenario: You can use this rule to check whether ApsaraDB for RDS instances under your account support deployment across multiple zones.

Check whether ApsaraDB for RDS instances under your account can be accessed through a public endpoint

  • Rule name: rds-public-access-check
  • Applicable resource type: ACS::RDS::DBInstance
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if the ApsaraDB for RDS instances under your account cannot be accessed through a public endpoint.
  • Scenario: You can use this rule to check whether ApsaraDB for RDS instances under your account can be accessed through a public endpoint.

Check whether specified resources under your account have specified tags

  • Rule name: required-tags
  • Applicable resource types: ACS::RDS::DBInstance, ACS::SLB::LoadBalancer, ACS::ECS::Disk, ACS::ECS::SecurityGroup, ACS::ECS::Instance, and ACS::ECS::NetworkInterface
  • Rule parameters: tag1Key and tag1Value. The tag1Key parameter specifies the key of the tag, and the tag1Value parameter specifies the value of the tag.
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if all resources of the specified types under your account have specified tags.
  • Scenario: You can use this rule to check whether all specified resources under your account have complete tags.

Check whether 0.0.0.0/0 is added as the authorization object of security group rules for ECS instances under your account

  • Rule name: sg-public-access-check
  • Applicable resource type: ACS::ECS::SecurityGroup
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if 0.0.0.0/0 is not added as the authorization object of security group rules for ECS instances under your account.
  • Scenario: You can use this rule to check whether the security groups of ECS instances under your account are correctly configured.
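As an added example (not Cloud Config's own evaluator), the following Python applies the sg-public-access-check semantics above to constructed security group records and reports which rule grants 0.0.0.0/0, which is the detail a reviewer needs to remediate a finding. It assumes, beyond what the page states, that each rule record carries Direction, Policy, IpProtocol, PortRange and SourceCidrIp, and that the authorization object checked is the source CIDR of ingress rules.

```python
# Added example: evaluates sg-public-access-check over constructed security
# group records. Assumed record fields (not from the page): Direction, Policy,
# IpProtocol, PortRange, SourceCidrIp; the authorization object checked is the
# source CIDR of ingress rules.

OPEN_WORLD = "0.0.0.0/0"

def public_ingress_rules(security_group):
    """Return the ingress rules whose authorization object is 0.0.0.0/0."""
    hits = []
    for rule in security_group.get("Permissions", []):
        if rule.get("Direction") != "ingress":
            continue
        if rule.get("SourceCidrIp", "").strip() == OPEN_WORLD:
            hits.append(rule)
    return hits

def evaluate_sg_public_access(security_group):
    """sg-public-access-check: compliant only if no ingress rule lists 0.0.0.0/0.
    Returns (result, [human-readable detail per offending rule])."""
    hits = public_ingress_rules(security_group)
    if not hits:
        return "COMPLIANT", []
    detail = [f"{r.get('Policy')} {r.get('IpProtocol')} {r.get('PortRange')} from {OPEN_WORLD}"
              for r in hits]
    return "NON_COMPLIANT", detail

# Constructed sample security groups (placeholder IDs, not real resources).
SECURITY_GROUPS = [
    {"SecurityGroupId": "sg-example-1", "Permissions": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8"},
        {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
    ]},
    {"SecurityGroupId": "sg-example-2", "Permissions": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
    ]},
]

def evaluate_all(groups=SECURITY_GROUPS):
    """Return {security group id: (result, detail)} for every group."""
    return {g["SecurityGroupId"]: evaluate_sg_public_access(g) for g in groups}

if __name__ == "__main__":
    for sg_id, (result, detail) in evaluate_all().items():
        print(sg_id, result, "; ".join(detail))
```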

Check whether HTTPS listeners are enabled for Server Load Balancer (SLB) instances under your account

  • Rule name: slb-listener-https-enabled
  • Applicable resource type: ACS::SLB::LoadBalancer
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if HTTPS listeners are enabled for SLB instances under your account.
  • Scenario: You can use this rule to check whether listeners of the SLB instances under your account are compliant.

Check whether elastic IP addresses (EIPs) under your account are bound to corresponding ECS or SLB instances

  • Rule name: eip-attached
  • Applicable resource type: ACS::VPC::EipAddress
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if all EIPs under your account are bound to corresponding ECS or SLB instances.
  • Scenario: You can use this rule to check whether EIPs under your account are bound to corresponding ECS or SLB instances.

Check whether ECS instances under your account are bound to public IPv4 addresses

  • Rule name: ecs-instance-no-public-ip
  • Applicable resource type: ACS::ECS::Instance
  • Rule parameter: none
  • Trigger type: configuration change
  • Compliance description: The evaluation result is considered compliant if ECS instances under your account are not bound to public IPv4 addresses.
  • Scenario: You can use this rule to check whether the public access configuration of ECS instances under your account is compliant.