RDS - Resource Compliance Audit| Alibaba Cloud Documentation Center

rds-cpu-min-count-limit

Checks whether the number of CPU cores for an ApsaraDB for RDS instance of your account is smaller than the specified threshold value.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: cpuCount. You can specify the minimum number of CPU cores for an ApsaraDB for RDS instance.

Cause: The number of CPU cores for an ApsaraDB for RDS instance of your account is smaller than the specified threshold value. You can fix this non-compliance issue by using one of the following methods:

RDS console
- Method 1: Change the instance type. You must make sure that the number of CPU cores for the ApsaraDB for RDS instance is greater than or equal to the specified threshold value.
  Log on to the ApsaraDB for RDS console to modify the number of CPU cores for the ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.
- Method 2: Modify the value of the input parameter. You must make sure that the specified threshold value is smaller than the number of CPU cores for the ApsaraDB for RDS instance.
  1. Log on to the ApsaraDB for RDS console and view the number of CPU cores for an ApsaraDB for RDS instance.
    1. In the left-side navigation pane, click Instances. On the Instances page, find the instance and click the instance ID.
    2. In the Configuration Information section of the Basic Information page, view the number of CPU cores for the ApsaraDB for RDS instance.
  2. Log on to the Cloud Config console and modify the value of the cpuCount parameter.
    For more information, see Modify a rule.
API
You can also call the ModifyDBInstanceSpec API operation to modify the value of the DBInstanceClass parameter. For more information, see Modify instance.

rds-desired-instance-type

Checks whether your ApsaraDB for RDS instances are of the specified instance types.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: instanceTypes. You can specify the instance types. Separate multiple instance types with commas (,), for example, rds.mysql.s2.large,mysql.n1.micro.1.

Cause: Your ApsaraDB for RDS instances are not of the specified instance types. You can fix this non-compliance issue by using one of the following methods:

RDS console
- Method 1: Change the instance type. You must make sure that your ApsaraDB for RDS instances are of the specified instance types.
  Log on to the ApsaraDB for RDS console to change the instance type of the non-compliant ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.
- Method 2: Add the type of the ApsaraDB for RDS instance to the value of the input parameter.
  1. Log on to the ApsaraDB for RDS console and view the type of the non-compliant ApsaraDB for RDS instance.
    1. In the left-side navigation pane, click Instances. On the Instances page, find the instance and click the instance ID.
    2. In the Configuration Information section of the Basic Information page, view the type of the ApsaraDB for RDS instance.
  2. Log on to the Cloud Config console and add the type of the ApsaraDB for RDS instance to the value of the input parameter.
    For more information, see Modify a rule.
API
You can also call the ModifyDBInstanceSpec API operation to modify the value of the DBInstanceClass parameter. For more information, see Modify instance.

rds-high-availability-category

Checks whether an ApsaraDB for RDS instance of your account is highly available.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: none

Cause: An ApsaraDB for RDS instance of your account is not highly available. You can fix this non-compliance issue by using one of the following methods:

RDS console
- Method 1: If you cannot upgrade the ApsaraDB for RDS instance, you must create an instance.
  Note You can manually release pay-as-you-go ApsaraDB for RDS instances in the console. You can also unsubscribe from the subscription ApsaraDB for RDS instances.
  - Unsubscribe from a subscription instance
    Log on to the Alibaba Cloud Management Console and go to the Unsubscribe page.
  - Release a pay-as-you-go instance
    For more information about the risks and procedure of releasing a pay-as-you-go instance, see Release or unsubscribe from an ApsaraDB RDS for MySQL instance.
  When you create an ApsaraDB for RDS instance, set Edition to High-availability. For more information, see Create an ApsaraDB RDS for SQL Server instance.
- Method 2: If the ApsaraDB for RDS instance uses SQL Server as the database engine, upgrade the instance from Basic Edition to High-availability Edition.
  For more information, see Upgrade from Basic Edition to High-availability Edition.
API
You can also call the CreateDBInstance API operation. To create an ApsaraDB for RDS instance of High-availability Edition, set Category to HighAvailability. For more information, see Create instance.

rds-instance-enabled-security-ip-list

Checks whether the whitelist feature is enabled for an ApsaraDB for RDS instance of your account.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: none

Cause: The IP address whitelist of an ApsaraDB for RDS instance of your account is set to 0.0.0.0/0. Solution: Modify the IP address whitelist of the ApsaraDB for RDS instance. Cloud Config detects the configuration change and starts to re-evaluate the resource within 10 minutes. You can fix this non-compliance issue by using one of the following methods:

RDS console
Log on to the ApsaraDB for RDS console and replace 0.0.0.0/0 with a new value for the IP address whitelist that is configured for the instance. For more information, see Configure a whitelist for an ApsaraDB RDS for MySQL instance.
API
You can also call the ModifySecurityIps API operation. To modify the IP address whitelist of the ApsaraDB for RDS instance, set the SecurityIps parameter to a value other than 0.0.0.0/0. For more information, see Modify IP address whitelists.

rds-instance-storage-min-size-limit

Checks whether the storage size of an ApsaraDB for RDS instance of your account is smaller than the specified threshold value.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: storageSize. You can specify the minimum storage size of an ApsaraDB for RDS instance.

Cause: The storage size of an ApsaraDB for RDS instance of your account is smaller than the specified threshold value. You can fix this non-compliance issue by using one of the following methods:

RDS console
- Method 1: Change the instance type. You must make sure that the storage size of the ApsaraDB for RDS instance is greater than or equal to the specified threshold value.
  Log on to the ApsaraDB for RDS console and change the instance type of the ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.
- Method 2: Change the value of the input parameter. You must make sure that the specified threshold value is smaller than or equal to the storage size of the instance.
  1. Log on to the ApsaraDB for RDS console and view the storage size of the non-compliant ApsaraDB for RDS instance.
    1. In the left-side navigation pane, click Instances. On the Instances page, find the instance and click the instance ID.
    2. In the Usage Statistics section of the Basic Information page, view the storage size of the ApsaraDB for RDS instance.
  2. Log on to the Cloud Config console and change the value of the storageSize parameter.
    For more information, see Modify a rule.
API
You can also call the ModifyDBInstanceSpec API operation to modify the value of the DBInstanceClass parameter. For more information, see Modify instance.

rds-instances-in-vpc

Checks whether an ApsaraDB for RDS instance of your account is deployed in a virtual private cloud (VPC).

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: vpcIds. You can specify the IDs of the VPCs where the ApsaraDB for RDS instances reside. Separate multiple VPC IDs with commas (,), for example, pc-25vk5****,vpc-6wesmaymqkgiuru5x****,vpc-8vbc16loavvujlzli****.

Cause: An ECS instance of your account does not reside in a specified VPC. You can fix this non-compliance issue by using one of the following methods:

Method 1: Create an ApsaraDB for RDS instance and deploy the instance in a specified VPC.
1. Log on to the ApsaraDB for RDS console and create an ApsaraDB for RDS instance.
  For more information, see Create an ApsaraDB RDS for SQL Server instance.
2. View the ID of the VPC where the instance resides.
  1. In the left-side navigation pane, click Instances. On the Instances page, find the instance and click the instance ID.
  2. In the Basic Information section of the Basic Information page, view the ID of the VPC where the ApsaraDB for RDS instance resides.
3. Log on to the Cloud Config console and add the VPC ID to the value of the input parameter.
  For more information, see Modify a rule.
Method 2: Add the ID of the VPC where the ApsaraDB for RDS instance resides to the value of the input parameter.
1. View the ID of the VPC where the instance resides.
  1. In the left-side navigation pane, click Instances. On the Instances page, find the instance and click the instance ID.
  2. In the Basic Information section of the Basic Information page, view the ID of the VPC where the ApsaraDB for RDS instance resides.
2. Log on to the Cloud Config console and add the VPC ID to the value of the input parameter.
  For more information, see Modify a rule.

rds-memory-min-size-limit

Checks whether the memory size of an ApsaraDB for RDS instance of your account is smaller than the specified threshold value.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: memorySize. You can specify the minimum memory size of an ApsaraDB for RDS instance.

Cause: The memory size of an ApsaraDB for RDS instance of your account is smaller than the specified threshold value. You can fix this non-compliance issue by using one of the following methods:

RDS console
- Method 1: Change the instance type. You must make sure that the memory size of the ApsaraDB for RDS instance is greater than or equal to the specified threshold value.
  Log on to the ApsaraDB for RDS console and change the instance type of the ApsaraDB for RDS instance. For more information, see Change the specifications of an ApsaraDB RDS instance.
- Method 2: Change the value of the input parameter. You must make sure that the specified threshold value is smaller than the memory size of the instance.
  1. Log on to the ApsaraDB for RDS console and view the memory size of the non-compliant ApsaraDB for RDS instance.
    1. In the left-side navigation pane, click Instances. On the Instances page, find the instance and click the instance ID.
    2. In the Configuration Information section of the Basic Information page, view the memory size of the ApsaraDB for RDS instance.
  2. Log on to the Cloud Config console and change the value of the memorySize parameter.
    For more information, see Modify a rule.
API
You can also call the ModifyDBInstanceSpec API operation to modify the value of the DBInstanceClass parameter. For more information, see Modify instance.

rds-multi-az-support

Checks whether an ApsaraDB for RDS instance of your account supports multi-zone deployment.

Applicable resource type: ACS::RDS::DBInstance

Trigger type: configuration change

Input parameter: none

Cause: An ApsaraDB for RDS instance of your account does not support multi-zone deployment. You can fix this non-compliance issue by using one of the following methods:

RDS console
- Method 1: If an ApsaraDB for RDS instance supports multi-zone deployment, migrate the instance across zones in the same region.
  For information about how to migrate an instance that run other database engines, see the following topics:
- Method 2: If an ApsaraDB for RDS instance does not support multi-zone deployment, create an ApsaraDB for RDS instance that supports multi-zone deployment.
  When you create the ApsaraDB for RDS instance, set Deployment Method to Multi-zone Deployment. For more information, see Create an ApsaraDB RDS for SQL Server instance.
API
- You can call the MigrateToOtherZone API operation. To migrate an ApsaraDB for RDS instance to another zone, set ZoneId to multiple zone IDs. For more information, see Migration zone.
- You can also call the CreateDBInstance API operation. To create an ApsaraDB for RDS instance that supports multi-zone deployment, set ZoneId to multiple zone IDs. For more information, see Create an ApsaraDB RDS for SQL Server instance.

rds-public-access-check

Checks whether an ApsaraDB for RDS instance of your account can be accessed by using a public endpoint.

Trigger type: configuration change

Applicable resource type: ACS::RDS::DBInstance

Input parameter: none

Cause: The IP address whitelist of an ApsaraDB for RDS instance of your account is set to 0.0.0.0/0. Solution: Modify the IP address whitelist of the ApsaraDB for RDS instance. Cloud Config detects the configuration change and starts to re-evaluate the resource within 10 minutes. You can fix this non-compliance issue by using one of the following methods:

RDS console
Log on to the ApsaraDB for RDS console and replace 0.0.0.0/0 with a new value for the IP address whitelist that is configured for the instance. For more information, see Configure a whitelist for an ApsaraDB RDS for MySQL instance.
API
You can also call the ModifySecurityIps API operation. To modify the IP address whitelist of the ApsaraDB for RDS instance, set the SecurityIps parameter to a value other than 0.0.0.0/0. For more information, see Modify IP address whitelists.