This topic describes the managed rules that are related to ApsaraDB for RDS and the methods that you can use to rectify non-compliant ApsaraDB for RDS instances.

Rule name: rds-cpu-min-count-limit

Checks whether the number of CPU cores of an ApsaraDB for RDS instance under your account is smaller than the threshold that you set.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: cpuCount. It specifies the minimum number of CPU cores of an ApsaraDB for RDS instance.

Non-compliance description: The number of CPU cores of an ApsaraDB for RDS instance under your account is smaller than the threshold that you set.
  • You can use one of the following methods to rectify resource non-compliance in the ApsaraDB for RDS console or Cloud Config console:
    • Rectification method 1: Change the specifications of the ApsaraDB for RDS instance so that the number of CPU cores of the instance after the change is greater than or equal to the threshold that you set.

      Log on to the ApsaraDB for RDS console and change the specifications of the target ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.

    • Rectification method 2: Change the value of the input parameter and click Re-evaluate on the details page of the rule.
      1. Log on to the ApsaraDB for RDS console and view the number of CPU cores of the target ApsaraDB for RDS instance.
        1. In the left-side navigation pane, click Instances. On the Instances page, find the target instance and click the instance ID.
        2. In the Configuration Information section of the Basic Information page, view the number of CPU cores of the ApsaraDB for RDS instance.
      2. Log on to the Cloud Config console and change the value of the input parameter cpuCount.

        For more information, see Modify a rule.

  • You can also call the ModifyDBInstanceSpec operation and change the value of the DBInstanceClass parameter to change the specifications of the ApsaraDB for RDS instance. For more information, see Modify instance.

Rule name: rds-desired-instance-type

Checks whether an ApsaraDB for RDS instance under your account adopts an instance type specified in the input parameter.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: instanceTypes. It specifies the list of allowed types of ApsaraDB for RDS instances. Separate multiple instance types with commas (,), for example, rds.mysql.s2.large,mysql.n1.micro.1.

Non-compliance description: The type of an ApsaraDB for RDS instance under your account is not included in the value of the input parameter. The rule considers the ApsaraDB for RDS instance as compliant if the type of the ApsaraDB for RDS instance is included in the value of the input parameter.
  • You can use one of the following methods to rectify resource non-compliance in the ApsaraDB for RDS console or Cloud Config console:
    • Rectification method 1: Change the type of the ApsaraDB for RDS instance to one listed in the value of the input parameter.

      Log on to the ApsaraDB for RDS console and change the type of the target ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.

    • Rectification method 2: Add the type of the ApsaraDB for RDS instance to the value of the input parameter. Submit the edits and click Re-evaluate on the details page of the rule.
      1. Log on to the ApsaraDB for RDS console and view the type of the target ApsaraDB for RDS instance.
        1. In the left-side navigation pane, click Instances. On the Instances page, find the target instance and click the instance ID.
        2. In the Configuration Information section of the Basic Information page, view the type of the ApsaraDB for RDS instance.
      2. Log on to the Cloud Config console and add the type of the ApsaraDB for RDS instance to the value of the input parameter.

        For more information, see Modify a rule.

  • You can also call the ModifyDBInstanceSpec operation and change the value of the DBInstanceClass parameter to change the type of the ApsaraDB for RDS instance. For more information, see Modify instance.

Rule name: rds-high-availability-category

Checks whether an ApsaraDB for RDS instance under your account is highly available.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: none

Non-compliance description: An ApsaraDB for RDS instance under your account is not highly available.
  • You can use one of the following methods to rectify resource non-compliance in the ApsaraDB for RDS console:
    • Rectification method 1: If the ApsaraDB for RDS instance does not adopt SQL Server as the database engine, purchase an ApsaraDB for RDS instance of High-availability Edition. This is because the edition can be upgraded only for ApsaraDB RDS for SQL Server instances.
      Note
      For an ApsaraDB for RDS instance that is evaluated as non-compliant, you can manually release the instance if it adopts the pay-as-you-go billing method or unsubscribe from the instance if it adopts the subscription billing method.

      When you purchase an ApsaraDB for RDS instance, set Edition to High-availability. For more information, see Create an instance in an RDS ApsaraDB for MyBase.

    • Rectification method 2: If the ApsaraDB for RDS instance adopts SQL Server as the database engine, upgrade the instance from Basic Edition to High-availability Edition.

      For more information, see Upgrade from Basic Edition to High-availability Edition.

  • You can also call the CreateDBInstance operation and set Category to HighAvailability to create an ApsaraDB for RDS instance of High-availability Edition. For more information, see Create instance.

Rule name: rds-instance-enabled-security-ip-list

Checks whether the whitelist feature is enabled for an ApsaraDB for RDS instance under your account.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: none

Non-compliance description: The IP address whitelist of an ApsaraDB for RDS instance under your account is set to 0.0.0.0/0. Rectification method: Modify the IP address whitelist of the ApsaraDB for RDS instance. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes. You can rectify resource non-compliance in the ApsaraDB for RDS console or by calling the ModifySecurityIps operation.
  • You can log on to the ApsaraDB for RDS console, find the target ApsaraDB for RDS instance, and then replace 0.0.0.0/0 with a new value for the IP address whitelist configured for the instance. For more information, see Configure a whitelist for an ApsaraDB RDS for MySQL instance.

  • You can also call the ModifySecurityIps operation and change the value of the SecurityIps parameter to modify the IP address whitelist of the ApsaraDB for RDS instance. For more information, see Modify IP address whitelists.

Rule name: rds-instance-storage-min-size-limit

Checks whether the storage size of an ApsaraDB for RDS instance under your account is smaller than the threshold that you set.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: storageSize. It specifies the minimum storage size of an ApsaraDB for RDS instance.

Non-compliance description: The storage size of an ApsaraDB for RDS instance under your account is smaller than the threshold that you set.
  • You can use one of the following methods to rectify resource non-compliance in the ApsaraDB for RDS console or Cloud Config console:
    • Rectification method 1: Change the specifications of the ApsaraDB for RDS instance so that the storage size of the instance after the change is greater than or equal to the threshold that you set.

      Log on to the ApsaraDB for RDS console and change the specifications of the target ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.

    • Rectification method 2: Change the value of the input parameter and click Re-evaluate on the details page of the rule.
      1. Log on to the ApsaraDB for RDS console and view the storage size of the target ApsaraDB for RDS instance.
        1. In the left-side navigation pane, click Instances. On the Instances page, find the target instance and click the instance ID.
        2. In the Usage Statistics section of the Basic Information page, view the storage size of the ApsaraDB for RDS instance.
      2. Log on to the Cloud Config console and change the value of the input parameter storageSize.

        For more information, see Modify a rule.

  • You can also call the ModifyDBInstanceSpec operation and change the value of the DBInstanceClass parameter to change the specifications of the ApsaraDB for RDS instance. For more information, see Modify instance.

Rule name: rds-instances-in-vpc

Checks whether an ApsaraDB for RDS instance under your account is deployed in a virtual private cloud (VPC).

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: vpcIds. It specifies the IDs of the VPCs where the ApsaraDB for RDS instances under your account are deployed. Separate multiple VPC IDs with commas (,), for example, vpc-25vk5****,vpc-6wesmaymqkgiuru5x****,vpc-8vbc16loavvujlzli****.

Non-compliance description: An ApsaraDB for RDS instance under your account is not deployed in a VPC specified in the input parameter. You can use one of the following methods to rectify resource non-compliance:
  • Rectification method 1: Purchase an ApsaraDB for RDS instance and deploy the instance in a VPC specified in the input parameter.
    Note
    For an ApsaraDB for RDS instance that is evaluated as non-compliant, you can manually release the instance if it adopts the pay-as-you-go billing method or unsubscribe from the instance if it adopts the subscription billing method.
    1. Log on to the ApsaraDB for RDS console and purchase an ApsaraDB for RDS instance.

      For more information, see Create an instance in an RDS ApsaraDB for MyBase.

    2. View the ID of the VPC where the instance is deployed.
      1. In the left-side navigation pane, click Instances. On the Instances page, find the target instance and click the instance ID.
      2. In the Basic Information section of the Basic Information page, view the ID of the VPC where the ApsaraDB for RDS instance is deployed.
    3. Log on to the Cloud Config console and add the VPC ID to the value of the input parameter.

      For more information, see Modify a rule.

  • Rectification method 2: Add the ID of the VPC where the ApsaraDB for RDS instance is deployed to the value of the input parameter. Submit the edits and click Re-evaluate on the details page of the rule.
    1. In the Basic Information section of the Basic Information page, view the ID of the VPC where the ApsaraDB for RDS instance is deployed.
    2. Log on to the Cloud Config console and add the VPC ID to the value of the input parameter.

      For more information, see Modify a rule.

Rule name: rds-memory-min-size-limit

Checks whether the memory size of an ApsaraDB for RDS instance under your account is smaller than the threshold that you set.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: memorySize. It specifies the minimum memory size of an ApsaraDB for RDS instance.

Non-compliance description: The memory size of an ApsaraDB for RDS instance under your account is smaller than the threshold that you set.
  • You can use one of the following methods to rectify resource non-compliance in the ApsaraDB for RDS console or Cloud Config console:
    • Rectification method 1: Change the specifications of the ApsaraDB for RDS instance so that the memory size of the instance after the change is greater than or equal to the threshold that you set.

      Log on to the ApsaraDB for RDS console and change the specifications of the target ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.

    • Rectification method 2: Change the value of the input parameter and click Re-evaluate on the details page of the rule.
      1. Log on to the ApsaraDB for RDS console and view the memory size of the target ApsaraDB for RDS instance.
        1. In the left-side navigation pane, click Instances. On the Instances page, find the target instance and click the instance ID.
        2. In the Configuration Information section of the Basic Information page, view the memory size of the ApsaraDB for RDS instance.
      2. Log on to the Cloud Config console and change the value of the input parameter memorySize.

        For more information, see Modify a rule.

  • You can also call the ModifyDBInstanceSpec operation and change the value of the DBInstanceClass parameter to change the specifications of the ApsaraDB for RDS instance. For more information, see Modify instance.

Rule name: rds-multi-az-support

Checks whether an ApsaraDB for RDS instance under your account supports multi-zone deployment.

Applicable resource type: ACS::RDS::DBInstance

Trigger type: configuration change

Input parameter: none

Non-compliance description: An ApsaraDB for RDS instance under your account does not support multi-zone deployment.
  • You can use one of the following methods to rectify resource non-compliance in the ApsaraDB for RDS console:
    • Rectification method for an ApsaraDB for RDS instance that supports cross-zone restore: Take a snapshot of the instance and restore the snapshot in another zone. Such instances include ApsaraDB RDS for MySQL, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PPAS instances.
      For more information about the risks and procedure of restoring an ApsaraDB for RDS instance adopting a specific database engine in another zone, see the following documentation:
      1. ApsaraDB RDS for MySQL: Migrate an ApsaraDB RDS MySQL instance across zones
      2. ApsaraDB RDS for SQL Server: Migrate an ApsaraDB RDS for SQL Server instance across zones in the same region
      3. ApsaraDB RDS for PPAS: Migrate an ApsaraDB RDS for PPAS instance across zones
    • Rectification method for an ApsaraDB for RDS instance that does not support cross-zone restore: Purchase an ApsaraDB for RDS instance that supports multi-zone deployment.
      Note
      For an ApsaraDB for RDS instance that is evaluated as non-compliant, you can manually release the instance if it adopts the pay-as-you-go billing method or unsubscribe from the instance if it adopts the subscription billing method.

      When you purchase an ApsaraDB for RDS instance, set Deployment Method to Multi-zone Deployment. For more information, see Create an instance in an RDS ApsaraDB for MyBase.

  • You can also enable multi-zone deployment for an ApsaraDB for RDS instance by calling the following operations:
    • MigrateToOtherZone: You can call this operation to restore an ApsaraDB for RDS instance in another zone. For more information, see Migration zone.
    • CreateDBInstance: You can call this operation and set ZoneId to multiple zone IDs to create an ApsaraDB for RDS instance that supports multi-zone deployment. For more information, see Create instance.

Rule name: rds-public-access-check

Checks whether an ApsaraDB for RDS instance under your account can be accessed by using a public endpoint.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: none

Non-compliance description: The IP address whitelist of an ApsaraDB for RDS instance under your account is set to 0.0.0.0/0. Rectification method: Modify the IP address whitelist of the ApsaraDB for RDS instance. Cloud Config detects your modification and automatically starts to evaluate the resource within 10 minutes. You can rectify resource non-compliance in the ApsaraDB for RDS console or by calling the ModifySecurityIps operation.
  • You can log on to the ApsaraDB for RDS console, find the target ApsaraDB for RDS instance, and then replace 0.0.0.0/0 with a new value for the IP address whitelist configured for the instance. For more information, see Configure a whitelist for an ApsaraDB RDS for MySQL instance.

  • You can also call the ModifySecurityIps operation and change the value of the SecurityIps parameter to modify the IP address whitelist of the ApsaraDB for RDS instance. For more information, see Modify IP address whitelists.
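
The following added example (not Cloud Config's own code) applies the checks described in this topic for rds-cpu-min-count-limit, rds-desired-instance-type, rds-instances-in-vpc, and rds-instance-enabled-security-ip-list to constructed instance snapshots, which lets you preview the effect of a parameter change before you click Re-evaluate. The snapshot field names, instance IDs, and VPC ID are assumptions made for the example.

```python
import ipaddress

# Constructed snapshots. The field names are assumptions for this example,
# not the Cloud Config resource schema.
SAMPLE_INSTANCES = [
    {"id": "rm-example-a", "cpu": 2, "class": "rds.mysql.s2.large",
     "vpc_id": "vpc-example-1", "security_ips": "10.0.0.0/8,192.168.1.15"},
    {"id": "rm-example-b", "cpu": 1, "class": "mysql.n1.micro.1",
     "vpc_id": "", "security_ips": "127.0.0.1, 0.0.0.0/0"},
]

def split_csv(value):
    """Split a comma-separated rule parameter, dropping blanks and spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]

def whitelist_is_open(security_ips):
    """Return True if any whitelist entry covers 0.0.0.0/0."""
    for entry in split_csv(security_ips):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not an IP address or CIDR block; the rule only looks for 0.0.0.0/0
        if str(net) == "0.0.0.0/0":  # strict=False also normalizes forms such as 1.2.3.4/0
            return True
    return False

def evaluate(instance, cpu_count, instance_types, vpc_ids):
    """Return the names of the rules that the instance fails."""
    failed = []
    if instance["cpu"] < cpu_count:
        failed.append("rds-cpu-min-count-limit")
    if instance["class"] not in split_csv(instance_types):
        failed.append("rds-desired-instance-type")
    if instance["vpc_id"] not in split_csv(vpc_ids):
        failed.append("rds-instances-in-vpc")
    if whitelist_is_open(instance["security_ips"]):
        failed.append("rds-instance-enabled-security-ip-list")
    return failed

def report(instances, **params):
    """Map each instance ID to the list of rules it fails."""
    return {inst["id"]: evaluate(inst, **params) for inst in instances}

if __name__ == "__main__":
    params = dict(cpu_count=2, vpc_ids="vpc-example-1",
                  instance_types="rds.mysql.s2.large,mysql.n1.micro.1")
    for inst_id, failed in report(SAMPLE_INSTANCES, **params).items():
        print(inst_id, "NON_COMPLIANT: " + ", ".join(failed) if failed else "COMPLIANT")
```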