This topic describes the managed rules that are related to Elastic Compute Service (ECS) and the rectification methods for non-compliant ECS resources.

Rule name: ecs-cpu-min-count-limit

Checks whether the number of vCPUs of an ECS instance under your account is smaller than the threshold that you set.

Trigger type: configuration change

Applicable resource type: ACS::ECS::Instance

Input parameter: cpuCount. It specifies the minimum number of vCPUs of an ECS instance.

Non-compliance description: The number of vCPUs of an ECS instance under your account is smaller than the threshold that you set. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: If the ECS instance is running, stop the instance. Then, change the specifications of the ECS instance so that the number of vCPUs of the instance after the change is greater than or equal to the threshold that you set. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 2: Change the value of the input parameter and click Re-evaluate on the details page of the rule.
    • To change the specifications of the ECS instance in the console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, find the target instance and click Change Instance Type in the Actions column. On the page that appears, change the specifications of the ECS instance.
    • You can also call the ModifyInstanceSpec operation and change the value of the InstanceType parameter to change the specifications of the ECS instance.

Rule name: ecs-desired-instance-type

Checks whether an ECS instance under your account adopts an instance type specified in the input parameter.

Applicable resource type: ACS::ECS::Instance

Trigger type: configuration change

Input parameter: instanceTypes

It specifies the allowed types of ECS instances. Separate multiple instance types with commas (,), for example, t2.small, m4.large, i2.xlarge.

Non-compliance description: The type of an ECS instance under your account is not included in the value of the input parameter. The rule considers the ECS instance as compliant if the type of the ECS instance is included in the value of the input parameter. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: If the ECS instance is running, stop the instance. Then, change the type of the ECS instance to one listed in the value of the input parameter. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 2: Add the type of the ECS instance to the value of the input parameter. Submit the edits and click Re-evaluate on the details page of the rule.
    • To change the type of the ECS instance in the console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, find the target instance and click Change Instance Type in the Actions column. On the page that appears, change the type of the ECS instance.
    • You can also call the ModifyInstanceSpec operation and change the value of the InstanceType parameter to change the type of the ECS instance.

Rule name: ecs-disk-encrypted

Checks whether disks attached to corresponding ECS instances are encrypted. If you specify the IDs of Key Management Service (KMS) keys for disk encryption, the rule checks whether disks attached to corresponding ECS instances are encrypted with these keys.

Applicable resource type: ACS::ECS::Disk

Trigger type: configuration change

Input parameter: kmsKeyIds

It specifies the IDs of the KMS keys that are used to encrypt disks.

Non-compliance description:
  1. None of the disks attached to corresponding ECS instances are encrypted.
  2. A disk attached to the corresponding ECS instance is encrypted with a KMS key whose ID is not listed in the value of the input parameter.
The rule considers the disk compliant if it is encrypted with a KMS key whose ID is listed in the value of the input parameter. The disk encryption feature applies only to data disks, and so do the rectification methods. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: Create a disk, attach the disk to an ECS instance, and then use a KMS key whose ID is listed in the value of the input parameter to encrypt the disk. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

    For a disk that is evaluated as non-compliant, you can manually release the disk.

    Risks: After a disk is released, the data stored on the disk is cleared.

    For more information about the risks and procedure of releasing a disk, see Release a disk.

  • Rectification method 2: Add the ID of the KMS key that is used to encrypt the disk to the value of the input parameter and click Re-evaluate on the details page of the rule.

Rule name: ecs-disk-in-use

Checks whether a disk under your account is attached to an ECS instance.

Applicable resource type: ACS::ECS::Disk

Trigger type: configuration change

Input parameter: none

Non-compliance description: A disk under your account is not attached to an ECS instance. Rectification method: Attach the disk to an ECS instance under your account and wait until the disk enters the In Use state. You can rectify resource non-compliance in the ECS console or by calling the AttachDisk operation.
  • To attach the disk to an ECS instance in the ECS console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Storage & Snapshots > Disks. On the Disks page, find the target disk and choose More > Attach in the Actions column. In the dialog box that appears, select an ECS instance and click Attach.

  • You can also call the AttachDisk operation to attach the disk to an ECS instance.

    Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

Rule name: ecs-gpu-min-count-limit

Checks whether the number of GPU cores of an ECS instance under your account is smaller than the threshold that you set.

Trigger type: configuration change

Applicable resource type: ACS::ECS::Instance

Input parameter: gpuCount. It specifies the minimum number of GPU cores of an ECS instance.

Non-compliance description: The number of GPU cores of an ECS instance is smaller than the threshold that you set. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: If the ECS instance is running, stop the instance. Then, change the specifications of the ECS instance so that the number of GPU cores of the ECS instance after the change is greater than or equal to the threshold that you set. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

    You cannot change the specifications of an ECS instance that has local disks attached. In this case, you must purchase an ECS instance that meets the requirements of the rule.

    For an ECS instance that is evaluated as non-compliant, you can manually release the instance if it adopts the pay-as-you-go billing method. To release an ECS instance that adopts the subscription billing method, you can wait until the billing cycle of the ECS instance ends and then manually release it. If you do not renew the subscription after an ECS instance expires, it is automatically released. In addition, you can submit a ticket to apply for a refund and release a subscription ECS instance before the instance expires. You can also change the billing method of an ECS instance from subscription to pay-as-you-go and then release the instance.

    Risks: After an ECS instance is released, the instance data is cleared. We recommend that you back up your data in advance.

    For more information about the risks and procedure of releasing an ECS instance, see Release an instance.

  • Rectification method 2: Change the value of the input parameter and click Re-evaluate on the details page of the rule.
    • To change the specifications of the ECS instance in the console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, find the target instance and click Change Instance Type in the Actions column. On the page that appears, change the specifications of the ECS instance.
    • You can also call the ModifyInstanceSpec operation and change the value of the InstanceType parameter to change the specifications of the ECS instance.

Rule name: ecs-instance-attached-security-group

Checks whether an ECS instance under your account is added to a security group that you specify.

Trigger type: configuration change

Applicable resource type: ACS::ECS::Instance

Input parameter: securityGroupIds

It specifies the IDs of the security groups to which the ECS instances under your account are added. Separate multiple security group IDs with commas (,), for example, sg-hp3ebbv7ir****,sg-hp3ebbv****.

Non-compliance description: None of the IDs of the security groups to which an ECS instance is added is listed in the value of the input parameter. The rule considers the ECS instance as compliant if the value of the input parameter contains one of the IDs of the security groups to which the ECS instance is added. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: Add the ECS instance to a security group whose ID is listed in the value of the input parameter. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 2: Add one of the IDs of the security groups to which the ECS instance is added to the value of the input parameter and click Re-evaluate on the details page of the rule. You can follow one of the following procedures in the ECS console or call the JoinSecurityGroup operation to add the ECS instance to a security group:
    • Procedure 1: Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, click the name or ID of the target instance. On the instance details page that appears, click Security Groups in the left-side navigation pane. On the page that appears, click the Security Groups tab and click Add to Security Group in the upper-right corner of the tab. In the dialog box that appears, select a security group and click OK.
    • Procedure 2: Log on to the ECS console. In the left-side navigation pane, choose Network & Security > Security Groups. On the Security Groups page, find the target security group and click Manage Instances in the Actions column. On the Instances in Security Group page, click Add Instance in the upper-right corner. In the dialog box that appears, enter the ID of the ECS instance and click OK.
    • You can also call the JoinSecurityGroup operation to add the ECS instance to a specified security group.

Rule name: ecs-instance-deletion-protection-enabled

Checks whether release protection is enabled for a pay-as-you-go ECS instance under your account.

Trigger type: configuration change

Applicable resource type: ACS::ECS::Instance

Input parameter: none

Non-compliance description: Release protection is not enabled for a pay-as-you-go ECS instance under your account. You can rectify resource non-compliance in the ECS console or by calling the ModifyInstanceAttribute operation.
  • To enable release protection for the ECS instance in the ECS console, perform the following steps:
    Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, find the target ECS instance and choose More > Instance Settings > Change Release Protection Setting. In the dialog box that appears, turn on the Release Protection switch. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • You can also call the ModifyInstanceAttribute operation and set DeletionProtection to true to enable release protection for the ECS instance.

    Verification: After you change the configuration, wait 10 minutes. Go to the details page of the rule, click Re-evaluate in the upper-right corner, and view the result. You can also wait until the rule is automatically triggered to view the evaluation result.

Rule name: ecs-instances-in-vpc

Checks whether an ECS instance under your account is deployed in a virtual private cloud (VPC). You can specify the IDs of the VPCs to associate with the ECS instances under your account, and Cloud Config evaluates your resources against the specified VPC IDs. If an ECS instance under your account is not deployed in a VPC, the rule reports Not Applicable. If the ECS instance is deployed in one of the specified VPCs, it is considered compliant. Otherwise, it is considered non-compliant.

Trigger type: configuration change

Applicable resource type: ACS::ECS::Instance

Input parameter: vpcIds

It specifies the IDs of the VPCs where the ECS instances under your account are deployed. Separate multiple VPC IDs with commas (,), for example, vpc-25vk5****,vpc-6wesmaymqkgiuru5x****,vpc-8vbc16loavvujlzli****.

Non-compliance description: An ECS instance under your account is not deployed in a VPC specified in the input parameter. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: Purchase an ECS instance and deploy the instance in a VPC specified in the input parameter. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

    For an ECS instance that is evaluated as non-compliant, you can manually release the instance if it adopts the pay-as-you-go billing method. To release an ECS instance that adopts the subscription billing method, you can wait until the billing cycle of the ECS instance ends and then manually release it. If you do not renew the subscription after an ECS instance expires, it is automatically released. In addition, you can submit a ticket to apply for a refund and release a subscription ECS instance before the instance expires. You can also change the billing method of an ECS instance from subscription to pay-as-you-go and then release the instance.

    Risks: After an ECS instance is released, the instance data is cleared. We recommend that you back up your data in advance.

    For more information about the risks and procedure of releasing an ECS instance, see Release an instance.

    When you purchase an ECS instance, set Network Type to VPC.

  • Rectification method 2: Add the ID of the VPC where the ECS instance is deployed to the value of the input parameter. Submit the edits and click Re-evaluate on the details page of the rule.
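The evaluation logic stated above for ecs-disk-encrypted, ecs-instance-attached-security-group and ecs-instances-in-vpc, written out as a small offline evaluator. This is an added example, not Cloud Config's own code: the snapshot field names (Encrypted, KMSKeyId, SecurityGroupIds, VpcId), the rule verdict strings and every ID are assumed or constructed for the example, so it can be used to check the parameter semantics (comma-separated ID lists, the Not Applicable result, the optional KMS key list) before a rule is deployed.

```python
"""Offline evaluator for three ID-list rules on this page: ecs-disk-encrypted,
ecs-instance-attached-security-group and ecs-instances-in-vpc.  Added example,
not Cloud Config's code; the snapshot fields Encrypted, KMSKeyId,
SecurityGroupIds and VpcId and every ID below are assumed or constructed."""

from typing import Dict, List, Optional

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def parse_id_list(value: Optional[str]) -> List[str]:
    """Split a comma-separated input parameter into IDs, tolerating spaces
    and empty items (the page separates IDs with commas)."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def evaluate_disk_encrypted(disk: Dict, kms_key_ids: Optional[str] = None) -> str:
    """Non-compliant if the disk is not encrypted, or if it is encrypted with
    a KMS key that is not listed in kmsKeyIds.  With no kmsKeyIds specified,
    any encrypted disk is compliant (the key check only applies when IDs are
    given, as the rule description states)."""
    if not disk.get("Encrypted", False):
        return NON_COMPLIANT
    allowed = parse_id_list(kms_key_ids)
    if allowed and disk.get("KMSKeyId") not in allowed:
        return NON_COMPLIANT
    return COMPLIANT


def evaluate_attached_security_group(instance: Dict, security_group_ids: str) -> str:
    """Compliant if at least one security group the instance belongs to is
    listed in securityGroupIds (an any-match, not an all-match)."""
    attached = set(instance.get("SecurityGroupIds", []))
    listed = set(parse_id_list(security_group_ids))
    return COMPLIANT if attached & listed else NON_COMPLIANT


def evaluate_instance_in_vpc(instance: Dict, vpc_ids: str) -> str:
    """Not Applicable for an instance outside any VPC; compliant if its VPC is
    one of vpcIds; otherwise non-compliant."""
    vpc_id = instance.get("VpcId")
    if not vpc_id:
        return NOT_APPLICABLE
    return COMPLIANT if vpc_id in parse_id_list(vpc_ids) else NON_COMPLIANT


# Constructed resource snapshots; the IDs are placeholders, not real resources.
SAMPLE_DISKS = {
    "d-plain": {"Encrypted": False},
    "d-other-key": {"Encrypted": True, "KMSKeyId": "key-other"},
    "d-ok": {"Encrypted": True, "KMSKeyId": "key-allowed"},
}
SAMPLE_INSTANCES = {
    "i-classic": {"VpcId": "", "SecurityGroupIds": ["sg-old"]},
    "i-vpc-a": {"VpcId": "vpc-a", "SecurityGroupIds": ["sg-web", "sg-old"]},
    "i-vpc-z": {"VpcId": "vpc-z", "SecurityGroupIds": ["sg-db"]},
}


def evaluate_samples(kms_key_ids="key-allowed", security_group_ids="sg-web,sg-app",
                     vpc_ids="vpc-a,vpc-b") -> Dict[tuple, str]:
    """Run every rule over the sample snapshots; keys are (rule, resource)."""
    results = {}
    for did, disk in SAMPLE_DISKS.items():
        results[("ecs-disk-encrypted", did)] = evaluate_disk_encrypted(disk, kms_key_ids)
    for iid, inst in SAMPLE_INSTANCES.items():
        results[("ecs-instance-attached-security-group", iid)] = \
            evaluate_attached_security_group(inst, security_group_ids)
        results[("ecs-instances-in-vpc", iid)] = evaluate_instance_in_vpc(inst, vpc_ids)
    return results


if __name__ == "__main__":
    for (rule, resource), verdict in evaluate_samples().items():
        print(f"{rule:40} {resource:12} {verdict}")
```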

Rule name: ecs-instance-no-public-ip

Checks whether an ECS instance under your account is associated with a public IP address. This rule is only applicable to IPv4 addresses.

Trigger type: configuration change

Applicable resource type: ACS::ECS::Instance

Input parameter: none

Non-compliance description: An ECS instance under your account is associated with a public IP address. The rule considers the ECS instance as compliant if it is associated with a private IP address. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: If the ECS instance is associated with an elastic IP address (EIP), disassociate the EIP from the ECS instance. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

    To disassociate the EIP from the ECS instance, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, find the target ECS instance and choose More > Network and Security Group > Unbind EIP in the Actions column. In the message that appears, click OK.

  • Rectification method 2: If the ECS instance is associated with a public IP address, convert the public IP address to an EIP and disassociate the EIP from the ECS instance. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

    To modify the network settings of the ECS instance, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, find the target ECS instance and choose More > Network and Security Group > Convert to EIP in the Actions column to convert the public IP address to an EIP. Then, disassociate the EIP from the ECS instance, as described in rectification method 1.

  • Rectification method 3: Purchase an ECS instance and do not select Assign Public IP Address in the Networking step of the configuration. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.

    For an ECS instance that is evaluated as non-compliant, you can manually release the instance if it adopts the pay-as-you-go billing method. To release an ECS instance that adopts the subscription billing method, you can wait until the billing cycle of the ECS instance ends and then manually release it. If you do not renew the subscription after an ECS instance expires, it is automatically released. In addition, you can submit a ticket to apply for a refund and release a subscription ECS instance before the instance expires. You can also change the billing method of an ECS instance from subscription to pay-as-you-go and then release the instance.

    Risks: After an ECS instance is released, the instance data is cleared. We recommend that you back up your data in advance.

    For more information about the risks and procedure of releasing an ECS instance, see Release an instance.

Rule name: ecs-memory-min-size-limit

Checks whether the memory size of an ECS instance under your account is smaller than the threshold that you set.

Trigger type: configuration change

Applicable resource type: ACS::ECS::Instance

Input parameter: memorySize. It specifies the minimum memory size of an ECS instance.

Non-compliance description: The memory size of an ECS instance under your account is smaller than the threshold that you set. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: If the ECS instance is running, stop the instance. Then, change the specifications of the ECS instance so that the memory size of the instance after the change is greater than or equal to the threshold that you set. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 2: Change the value of the input parameter and click Re-evaluate on the details page of the rule.
    • To change the specifications of the ECS instance in the console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, find the target instance and click Change Instance Type in the Actions column. On the page that appears, change the specifications of the ECS instance.
    • You can also call the ModifyInstanceSpec operation and change the value of the InstanceType parameter to change the specifications of the ECS instance.

Rule name: sg-public-access-check

Checks whether an ECS security group under your account allows access from all IP addresses.

Trigger type: configuration change

Applicable resource type: ACS::ECS::SecurityGroup

Input parameter: none

Non-compliance description: An inbound rule of an ECS security group under your account allows access from all IP addresses. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: Change the access permission of the inbound rule so that it denies access, or change the authorization object of the inbound rule. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 2: Delete the inbound rule that allows access from all IP addresses. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
    • You can change the configuration of or delete the inbound rule for the ECS security group in the ECS console.

      To change the configuration of the inbound rule in the ECS console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Network & Security > Security Groups. On the Security Groups page, click the ID of the target security group. On the Security Group Rules page, find the target inbound rule and click Modify in the Actions column. In the dialog box that appears, set Action to Forbid or change the value of Authorization Object. Then, click OK.

      To delete the inbound rule in the ECS console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Network & Security > Security Groups. On the Security Groups page, click the ID of the target security group. On the Inbound tab of the Security Group Rules page, find the target inbound rule and click Delete in the Actions column.

    • You can also change the configuration of or delete the inbound rule by calling the following API operations:

      ModifySecurityGroupRule: You can call this operation and change the value of the Policy or SourceCidrIp parameter to change the access permission or authorization object of the inbound rule respectively for the ECS security group.

      RevokeSecurityGroup: You can call this operation to delete the inbound rule from the ECS security group.

Rule name: sg-risky-ports-check

Checks whether an ECS security group under your account allows inbound or outbound traffic on risky ports.

Trigger type: configuration change

Applicable resource type: ACS::ECS::SecurityGroup

Input parameter: ports. It specifies the range of port numbers that are considered risky.

Non-compliance description: Risky ports are included in the port range specified for an inbound or outbound rule of an ECS security group under your account, or the port range is set to -1/-1, which indicates all ports. You can rectify resource non-compliance in the ECS console or by calling the ECS API operations listed under the rectification methods.
  • Rectification method 1: Find the inbound or outbound rule whose port range contains ports listed in the value of the input parameter and change the access permission of the rule so that it denies access on those ports. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 2: Delete the inbound or outbound rule whose port range contains the ports listed in the value of the input parameter. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 3: Find the target inbound or outbound rule whose port range contains the ports listed in the value of the input parameter and change the port range of the rule. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes.
  • Rectification method 4: Change the value of the input parameter so that it does not include the port range of the inbound or outbound rule. Submit the edits and click Re-evaluate on the details page of the rule.
    • You can change the configuration of or delete the inbound or outbound rule for the ECS security group in the ECS console.

      To change the configuration of the inbound or outbound rule in the ECS console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Network & Security > Security Groups. On the Security Groups page, click the ID of the target security group. On the Security Group Rules page, find the target inbound rule or outbound rule and click Modify in the Actions column. In the dialog box that appears, set Action to Forbid or change the value of Port Range. Then, click OK.

      To delete the inbound or outbound rule in the ECS console, perform the following steps: Log on to the ECS console. In the left-side navigation pane, choose Network & Security > Security Groups. On the Security Groups page, click the ID of the target security group. On the Security Group Rules page, find the target inbound rule or outbound rule and click Delete in the Actions column.

    • You can also change the configuration of or delete the inbound or outbound rule by calling the following API operations:
      • ModifySecurityGroupRule or ModifySecurityGroupEgressRule: You can call the corresponding operation and change the value of the Policy or PortRange parameter to change the access permission or port range of an inbound or outbound rule respectively for the ECS security group.
      • RevokeSecurityGroup or RevokeSecurityGroupEgress: You can call the corresponding operation to delete an inbound or outbound rule from the ECS security group.
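The two security group checks above (sg-public-access-check and sg-risky-ports-check), reimplemented as an offline evaluator so that a rule's `ports` parameter can be tried against a rule set before it is deployed. This is an added example, not Cloud Config's code: the rule records, their field names (Direction, Policy, SourceCidrIp, PortRange in the ECS "start/end" form with -1/-1 meaning all ports) and the assumed `ports` syntax (comma-separated single ports or dash ranges) are constructed for the example; following rectification method 1, rules whose action is Drop are treated as compliant.

```python
"""Offline evaluator for sg-public-access-check and sg-risky-ports-check.
Added example, not Cloud Config's code; rule records and the `ports` syntax
("22,3389,137-139") are assumptions made for this example."""

import ipaddress
from typing import Dict, List, Set, Tuple

ALL_PORTS = (1, 65535)


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """Parse an ECS PortRange such as "22/22", "1/65535" or "-1/-1" (all ports)."""
    start, end = (int(p) for p in port_range.split("/"))
    if (start, end) == (-1, -1):
        return ALL_PORTS
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {port_range}")
    return start, end


def parse_ports_parameter(ports: str) -> Set[int]:
    """Expand the assumed `ports` syntax (single ports or lo-hi ranges,
    comma-separated) into the set of risky port numbers."""
    result: Set[int] = set()
    for item in (p.strip() for p in ports.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            result.update(range(lo, hi + 1))
        else:
            result.add(int(item))
    return result


def allows_all_sources(cidr: str) -> bool:
    """True when the authorization object is 0.0.0.0/0 (or ::/0), i.e. all IPs.
    A security group ID or other non-CIDR object is not treated as 'all'."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def public_access_check(rules: List[Dict]) -> List[str]:
    """sg-public-access-check: IDs of inbound Accept rules open to all IPs."""
    return [r["Id"] for r in rules
            if r["Direction"] == "ingress" and r["Policy"] == "Accept"
            and allows_all_sources(r.get("SourceCidrIp", ""))]


def risky_ports_check(rules: List[Dict], ports: str) -> Dict[str, List[int]]:
    """sg-risky-ports-check: map each Accept rule (inbound or outbound) whose
    port range covers a risky port to the risky ports it exposes.  A -1/-1
    range expands to all ports, so it exposes every risky port."""
    risky = parse_ports_parameter(ports)
    findings: Dict[str, List[int]] = {}
    for r in rules:
        if r["Policy"] != "Accept":
            continue  # a Drop rule is what rectification method 1 produces
        lo, hi = parse_port_range(r["PortRange"])
        hit = sorted(p for p in risky if lo <= p <= hi)
        if hit:
            findings[r["Id"]] = hit
    return findings


# Constructed rule records (IDs and CIDRs are placeholders, not real resources).
SAMPLE_RULES = [
    {"Id": "r-ssh-any", "Direction": "ingress", "Policy": "Accept",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Id": "r-https-any", "Direction": "ingress", "Policy": "Accept",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Id": "r-rdp-office", "Direction": "ingress", "Policy": "Accept",
     "PortRange": "3389/3389", "SourceCidrIp": "203.0.113.0/24"},
    {"Id": "r-all-deny", "Direction": "ingress", "Policy": "Drop",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Id": "r-egress-all", "Direction": "egress", "Policy": "Accept",
     "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("public access:", public_access_check(SAMPLE_RULES))
    print("risky ports:", risky_ports_check(SAMPLE_RULES, "22,3389,137-139"))
```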