This topic describes the alert rules for the operation compliance of ECS instances. The alert rules are applicable to monitor the encryption status of ECS disks, the automatic snapshot policies of ECS instances, and the configurations of ECS security groups. You can configure and enable alert rules in the Simple Log Service console to monitor the operation compliance of ECS instances. If an alert is triggered, you can identify the error cause and fix the error at the earliest opportunity.
Alert rules
The following alert rules are supported. For information about how to set alert parameters, configure whitelists, and perform other relevant operations, see Configure alerts.
ECS Disk Encryption Shutdown Alert
ID | sls_app_audit_cis_at_ecs_disk_encry_detection |
Name | ECS Disk Encryption Shutdown Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and ECS Operation Compliance |
Usage | Monitors the encryption status of ECS disks. ECS disks are encrypted on the server side. If the encryption is disabled, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist of accounts that can disable the encryption feature of an ECS disk. If the encryption feature of an ECS disk is disabled by an account on the whitelist, no alert is triggered. |
Solution | Do not disable the encryption feature of an ECS disk by using an account that is not included in the whitelist. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
ECS Automatic Snapshot Strategy Shutdown Alert
ID | sls_app_audit_cis_at_ecs_auto_snapshot_policy |
Name | ECS Automatic Snapshot Strategy Shutdown Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and ECS Operation Compliance |
Usage | Monitors if the automatic snapshot policies of ECS instances are disabled. To back up data for a disk, we recommend that you use automatic snapshot policies. If the automatic snapshot policies of ECS instances are disabled, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist of accounts that can disable the automatic snapshot policy of a disk. If the automatic snapshot policy is disabled by an account on the whitelist, no alert is triggered. |
Solution | Do not disable the automatic snapshot policy of a disk by using an account that is not included in the whitelist. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
Security Group Configuration Change Alert
ID | sls_app_audit_cis_at_securitygroup_change |
Name | Security Group Configuration Change Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and ECS Operation Compliance |
Usage | Monitors if the configurations of ECS security groups are changed. If the configurations of ECS security groups are changed, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist of accounts that can change the configurations of ECS security groups. If the configurations of security groups are changed by an account on the whitelist, no alert is triggered. |
Solution | Do not change the configurations of security groups by using an account that is not included in the whitelist. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
ECS Network Type Check
ID | sls_app_audit_cis_at_ecs_network_type |
Name | ECS Network Type Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, and ECS Operation Compliance |
Usage | Monitors the network type of ECS instances We recommend that you create ECS instances over a virtual private cloud (VPC). If you create an ECS instance over a classic network, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: Medium-6. |
External Configurations | You can specify a whitelist of accounts that can create an ECS instance over a classic network. If an ECS instance is created over a classic network by an account on the whitelist, no alert is triggered. |
Solution | Do not create an ECS instance over a classic network by using an account that is not included in the whitelist. |
Prerequisites | The Operations Log switch of ActionTrail is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |