ecs-cpu-min-count-limit

Check the minimum number of CPUs for ECS instances.

Trigger type: configuration change

Resource: ACS::ECS::Instance

Request parameters:

  • cpuCount: Minimum number of CPUs for an ECS instance

Troubleshooting Guide:

When the number of CPUs of the ECS instances under your account is smaller than the threshold that you set, the rule is not compliant.

Method 1: Change the ECS instance type. You can change the instance type only for stopped instances. Make sure that the number of CPUs of the new ECS instance is greater than or equal to the threshold you set. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: Modify the threshold in the rule parameters and click Re-audit. Then, refresh the page to verify the result.

Change the instance type in the console:


API operation: Call ModifyInstanceSpec to modify the value of InstanceType.

ecs-desired-instance-type

Check whether the ECS instance has the specified instance type.

Resource: ACS::ECS::Instance

Trigger type: configuration change

Parameter: instanceTypes

The list of ECS instance types separated by commas (,), such as t2.small, m4.large, and i2.xlarge.

Troubleshooting Guide:

If the instance type of an ECS instance under your account is not listed in the rule parameter threshold, the rule is non-compliant. ECS instances whose instance type is in the rule parameter threshold list are compliant.

Method 1: Change the ECS instance type to one of the instance types listed in the rule parameter threshold. Only stopped instances can be changed. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: Edit the rule parameter threshold and add the instance type of the ECS instance to the rule parameter threshold. Edit the content and click re-audit. Then, refresh the page for verification.

Change the instance type in the console:


API to change the instance type:

You can call this operation to modify the value of InstanceType.

ecs-disk-encrypted

Check whether attached disks are encrypted. If you specify KMS key IDs by using the kmsIds parameter, this rule also checks whether the attached disks are encrypted with one of those KMS keys.

Resource: ACS::ECS::Disk

Trigger type: configuration change

Request parameters:

kmsIds

The IDs of the KMS keys used to encrypt the disks.

Troubleshooting Guide:

1. If an attached cloud disk under your account is not encrypted, this rule is non-compliant.

2. If the KMSKeyId of an encrypted cloud disk is not in the rule parameter threshold that you listed, this rule is non-compliant.

If the KMSKeyId of an encrypted cloud disk is included in the rule parameter threshold, the cloud disk is compliant. Currently, disk encryption supports only data disks, so the following solutions apply only to data disks.

Method 1: Re-create the cloud disk as an encrypted disk and encrypt it with a KMSKeyId listed in the rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

Solution to non-compliant cloud disks: Release the cloud disks.

Risk: releasing a cloud disk may cause data loss.

For more information about how to release a cloud disk, see Release a disk.

Method 2: Add the KMSKeyId of the encrypted cloud disk to the rule parameter threshold, click Re-audit, and refresh the page to verify the result.
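The evaluation logic described above, as an added example that is not part of the original page or of the Config service. It models one ACS::ECS::Disk configuration item with the Status, Encrypted and KMSKeyId fields of the ECS disk API; the disk records and key IDs are constructed, and treating detached disks as not applicable is an assumption.

```python
# Added example (not from the page): models how the ecs-disk-encrypted rule
# evaluates an attached disk against the kmsIds rule parameter.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def parse_kms_ids(kms_ids: str) -> set:
    """kmsIds is a comma-separated list; an empty value means 'any KMS key'."""
    return {k.strip() for k in (kms_ids or "").split(",") if k.strip()}


def evaluate_disk(disk: dict, kms_ids: str = "") -> str:
    """Return the evaluation result for one disk configuration item.

    Only attached disks (Status == "In_use") are evaluated. A disk is compliant
    when it is encrypted and, if kmsIds is set, its KMSKeyId is in that list.
    """
    if disk.get("Status") != "In_use":
        return NOT_APPLICABLE          # assumption: detached disks are not evaluated
    if not disk.get("Encrypted", False):
        return NON_COMPLIANT           # item 1 of the troubleshooting guide
    allowed = parse_kms_ids(kms_ids)
    if allowed and disk.get("KMSKeyId") not in allowed:
        return NON_COMPLIANT           # item 2: encrypted, but not with a listed key
    return COMPLIANT


def evaluate_all(disks, kms_ids: str = "") -> dict:
    """Evaluate every disk and map DiskId to its result."""
    return {d["DiskId"]: evaluate_disk(d, kms_ids) for d in disks}


# Constructed sample inventory (IDs are placeholders, not real resources).
SAMPLE_DISKS = [
    {"DiskId": "d-example-1", "Status": "In_use", "Encrypted": True, "KMSKeyId": "kms-key-A"},
    {"DiskId": "d-example-2", "Status": "In_use", "Encrypted": True, "KMSKeyId": "kms-key-B"},
    {"DiskId": "d-example-3", "Status": "In_use", "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-example-4", "Status": "Available", "Encrypted": False, "KMSKeyId": ""},
]

if __name__ == "__main__":
    for disk_id, result in evaluate_all(SAMPLE_DISKS, "kms-key-A").items():
        print(disk_id, result)
```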

ecs-disk-in-use

Check whether the disk is in use.

Resource: ACS::ECS::Disk

Trigger type: configuration change

Request parameters: none

Troubleshooting Guide: If an ECS cloud disk under your account is in the Unattached state, this rule is not compliant. Attach the cloud disk to an instance so that its status changes to In Use, which is compliant.

Console operation: Go to the cloud disk list in the ECS console and click More > Attach to attach the cloud disk to an instance.


API operation: Call AttachDisk to attach a pay-as-you-go data disk to an ECS instance.

Compliance verification method: Config detects your changes within 10 minutes and automatically starts the audit.

ecs-gpu-min-count-limit

Check the minimum number of GPUs for ECS instances.

Trigger type: configuration change

Resource: ACS::ECS::Instance

Request parameters:

gpuCount

The minimum number of GPUs for an ECS instance.

Troubleshooting Guide:

When the number of GPUs in your ECS instance is smaller than the threshold you set, this rule is not compliant.

Method 1: Change the ECS instance type. You can change the instance type only for stopped instances. Make sure that the number of GPUs of the new ECS instance is greater than or equal to the threshold you set. Config detects your changes within 10 minutes and automatically starts the audit.

You cannot change the instance type of an instance that contains local storage.

If the non-compliant instance has local storage, you must purchase a new ECS instance that meets the requirements of the rule.

Handling of old non-compliant ECS instances: Release the ECS instances (only pay-as-you-go ECS instances are supported). A subscription instance can be released manually after its billing cycle expires; if it is not renewed, the instance is released automatically. Before an instance expires, you can apply for a refund to release the instance in advance, or change its billing method to pay-as-you-go and then release it.

Risk: All data will be lost after an ECS instance is released. Back up the data before release.

For more information about instance release risks and procedures, see Release an instance.

Method 2: Modify the threshold in the rule parameters and click Re-audit. Then, refresh the page to verify the result.

Change the instance type in the console:


API operation: Call ModifyInstanceSpec to modify the value of InstanceType.

ecs-instance-attached-security-group

Check whether an ECS instance is attached to one of the specified security groups. ECS instances that belong to a specified security group are considered compliant.

Trigger type: configuration change

Resource: ACS::ECS::Instance

Request parameters:

securityGroupIds

The IDs of the security groups, separated by commas (,), such as sg-hp3ebbv7irjeg1 and sg-hp3ebbv7irj.

Troubleshooting Guide:

If none of the security groups to which an ECS instance belongs is listed in the rule parameter threshold, the rule is non-compliant. If the rule parameter threshold contains the ID of any security group to which the instance belongs, the instance is compliant.

Method 1: Add the ECS instances to the security group listed in the rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: Add the ID of a security group to which the ECS instance belongs to the rule parameter threshold, click Re-audit, and then refresh the page to verify the result.

Console operation: Add instances to security groups.

Method 1: Go to the Security Group Management page, and on the Security Groups tab, click Join a security group.

Method 2: Go to the Security Group Management page, and on the Instances in Security Group tab, click Add an instance.

API operation:

Add an instance to a security group: Call JoinSecurityGroup to add an ECS instance to the specified security group.

ecs-instance-deletion-protection-enabled

Check whether release protection is enabled for your ECS instances (only pay-as-you-go instances are supported). Instances with release protection enabled are considered compliant.

Trigger type: configuration change

Resource: ACS::ECS::Instance

Request parameters: none

Troubleshooting Guide:

If release protection is not enabled for your ECS instances, this rule is non-compliant. Only pay-as-you-go instances are supported; for other instances, this rule is not applicable.

Console operation:

Log on to the ECS console, choose More > Instance Settings > Modify Instance Attributes, and select Enable Instance Release Protection. Config detects your changes within 10 minutes and automatically starts the audit.


API operation:

You can call the ModifyInstanceAttribute operation to set DeletionProtection to true.

Compliance verification method:

After the detection window, return to the rule details page in Config and click Re-audit to verify the result, or view the audit results after the rule is triggered automatically.

ecs-instances-in-vpc

Check whether your ECS instance belongs to a Virtual Private Cloud (VPC). You can also specify the ID of the VPC to be associated with your instance. If an ECS instance belongs to a VPC with a specified ID, the return value is compliant. If an ECS instance does not belong to a VPC with a specified ID, the return value is not compliant. If an ECS instance does not have VPC information, the return value is not applicable.

Trigger type: configuration change

Resource: ACS::ECS::Instance

Parameter: vpcIds

The IDs of the VPCs that contain the instances. Separate multiple VPC IDs with commas (,), for example, vpc-25vk5xwn8,vpc-6wesmaymqkgiuru5xmkvx,vpc-8vbc16loavvujlzli1yc8.

Troubleshooting Guide:

If the VpcId of an ECS instance under your account is not listed in the rule parameter threshold, the rule is non-compliant.

Method 1: Create a new ECS instance in one of the VPCs whose VpcId is listed in the rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

Handling of old non-compliant ECS instances: Release the ECS instances (only pay-as-you-go ECS instances are supported). A subscription instance can be released manually after its billing cycle expires; if it is not renewed, the instance is released automatically. Before an instance expires, you can apply for a refund to release the instance in advance, or change its billing method to pay-as-you-go and then release it.

Risk: All data will be lost after an ECS instance is released. Back up the data before release.

For more information about instance release risks and procedures, see Release an instance.

When you purchase an ECS instance, select VPC under Network and Security Group > Network.

Method 2: Edit the rule parameter threshold and add the VpcId of the ECS instance to it. Save the change, click Re-audit, and then refresh the page to verify the result.

ecs-instance-no-public-ip

An ECS instance is considered compliant if no public IP address is directly bound to it. This rule applies only to IPv4.

Trigger type: configuration change

Resource: ACS::ECS::Instance

Request parameters: none

If an ECS instance under your account is bound to a public IP address, this rule is not compliant. If the ECS instance has only a private IP address, the evaluation result is compliant.

Method 1: If the ECS instance is bound to an elastic IP address (EIP), unbind the EIP from the instance. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: If the ECS instance is bound to a public IP address, convert the public IP address to an EIP and then unbind the EIP. Config detects your changes within 10 minutes and automatically starts the audit.

Method 3: Purchase a new ECS instance and do not select Assign Public IPv4 Address under Network and Security Group. Config detects your changes within 10 minutes and automatically starts the audit.

Handling of old non-compliant ECS instances: Release the ECS instances (only pay-as-you-go ECS instances are supported). A subscription instance can be released manually after its billing cycle expires; if it is not renewed, the instance is released automatically. Before an instance expires, you can apply for a refund to release the instance in advance, or change its billing method to pay-as-you-go and then release it.

Risk: All data will be lost after an ECS instance is released. Back up the data before release.

For more information about instance release risks and procedures, see Release an instance.

ecs-memory-min-size-limit

Check the minimum memory size of ECS instances.

Trigger type: configuration change

Resource: ACS::ECS::Instance

Request parameters:

MemorySize (minimum memory size of an ECS instance)

Troubleshooting Guide:

When the memory size of an ECS instance under your account is smaller than the threshold specified by the rule, the rule is not compliant.

Method 1: Change the ECS instance type. You can change the instance type only for stopped instances. Make sure that the memory size of the new ECS instance is greater than or equal to the threshold you set. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: Modify the threshold in the rule parameters and click Re-audit. Then, refresh the page to verify the result.

Change the instance type in the console:


API operation: Call ModifyInstanceSpec to modify the value of InstanceType.

sg-public-access-check

Check whether a security group allows inbound access from 0.0.0.0/0.

Trigger type: configuration change

Resource: ACS::ECS::SecurityGroup

Request parameters: none

Troubleshooting Guide: If an inbound ECS security group rule has the authorization policy Allow and the authorization object 0.0.0.0/0, this rule is not compliant.

Method 1: For inbound security group rules whose authorization object is 0.0.0.0/0, change the authorization policy to Deny or change the authorization object. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: Delete the inbound security group rules whose authorization policy is Allow and whose authorization object is 0.0.0.0/0. Config detects your changes within 10 minutes and automatically starts the audit.

Console operation:

Modify the authorization policy or authorization object: Log on to the security group console, edit the security group rules, and set the authorization policy to Deny or change the authorization object.

Delete a security group rule: Log on to the security group console and choose Security Group Rules > Inbound. Delete the rules whose authorization policy is Allow and whose authorization object is 0.0.0.0/0.

API operation:

  • Modify an inbound security group rule: change the value of Policy (access permission) or SourceCidrIp (authorization object).
  • Delete an inbound security group rule.

sg-risky-ports-check

Check whether a security group opens risky ports.

Trigger type: configuration change

Resource: ACS::ECS::SecurityGroup

Request parameters:

Ports (the list of risky ports)

Troubleshooting Guide:

When a port opened by an ECS security group rule (inbound or outbound) is in the rule parameter threshold, the rule is non-compliant. "-1/-1" indicates that no port limit is applied. If "-1/-1" is set in a security group rule, this rule is not applicable.

Method 1: Disable the ports listed in the rule parameter threshold in the ECS security group rules, that is, set the authorization policy of the corresponding rules to Deny. Config detects your changes within 10 minutes and automatically starts the audit.

Method 2: Delete the security group rules that open the ports listed in the rule parameter threshold. Config detects your changes within 10 minutes and automatically starts the audit.

Method 3: Modify the port range of the security group rules so that it no longer includes the listed ports. Config detects your changes within 10 minutes and automatically starts the audit.

Method 4: Edit the rule parameter threshold and remove the corresponding port numbers from it. Click Re-audit and refresh the page to verify the result.

Console operation:

Modify a security group rule: Log on to the security group console, edit the security group rules, and set the authorization policy to Deny or modify the port range.

Delete security group rules: Log on to the security group console and choose Security Group Rules in the left-side navigation pane. Delete the security group rules that open the ports specified in the rule parameter threshold.

API operation:

  • Modify a security group rule: change the value of Policy (access permission) or PortRange (port range).
  • Call RevokeSecurityGroup (inbound) or RevokeSecurityGroupEgress (outbound) to delete a security group rule.
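The evaluation logic of sg-public-access-check and sg-risky-ports-check described above, as an added example that is not part of the original page or of the Config service. The permission records use the Direction, Policy, PortRange and SourceCidrIp fields of the ECS security group API (Policy values Accept and Drop correspond to Allow and Deny in the console); the sample rules are constructed, and the way results are aggregated per security group is an assumption.

```python
# Added example (not from the page): models how the two security group rules
# evaluate the permissions of one security group.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def parse_port_range(port_range: str):
    """'22/22' -> (22, 22); '-1/-1' (no port limit) -> None."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return None if (lo, hi) == (-1, -1) else (lo, hi)


def public_access_check(permissions) -> str:
    """Non-compliant if any inbound rule allows traffic from 0.0.0.0/0."""
    for p in permissions:
        if (p["Direction"] == "ingress" and p["Policy"] == "Accept"
                and p.get("SourceCidrIp") == "0.0.0.0/0"):
            return NON_COMPLIANT
    return COMPLIANT


def risky_ports_check(permissions, ports: str) -> str:
    """Non-compliant if an Accept rule in either direction opens a listed port.

    Rules with PortRange "-1/-1" are not applicable and skipped; Deny rules do
    not open anything. A group with no applicable rule is NOT_APPLICABLE
    (assumption about aggregation).
    """
    risky = {int(x) for x in ports.split(",") if x.strip()}
    evaluated = 0
    for p in permissions:
        rng = parse_port_range(p["PortRange"])
        if rng is None:
            continue                      # "-1/-1": not applicable per the guide
        evaluated += 1
        if p["Policy"] != "Accept":
            continue                      # Deny rules are the fix, not a finding
        lo, hi = rng
        if any(lo <= port <= hi for port in risky):
            return NON_COMPLIANT
    return COMPLIANT if evaluated else NOT_APPLICABLE


# Constructed sample: SSH open to the world, RDP limited to a /24, a catch-all Deny.
SAMPLE_PERMISSIONS = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "10.0.0.0/24"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("sg-public-access-check:", public_access_check(SAMPLE_PERMISSIONS))
    print("sg-risky-ports-check:", risky_ports_check(SAMPLE_PERMISSIONS, "22,3389"))
```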