This topic describes the eight compliance package templates and the managed rules that each template provides. Every rule is listed with the condition under which a resource is evaluated as compliant.

CISComplianceCheck

| Rule name | Description |
| --- | --- |
| ecs-disk-encrypted | If encryption is enabled for each Elastic Compute Service (ECS) data disk, the evaluation result is compliant. |
| ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to Virtual Private Cloud (VPC). If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each Object Storage Service (OSS) bucket, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you do not set the port range to -1/-1 or the authorized IP address to 0.0.0.0/0, the evaluation result is compliant. |
| sg-risky-ports-check | If 0.0.0.0/0 is added to the IP whitelist of each security group while ports 22 and 3389 are disabled, the evaluation result is compliant. |
| ram-user-mfa-check | If multi-factor authentication (MFA) is enabled for each RAM user, the evaluation result is compliant. |
| root-ak-check | If each Alibaba Cloud account has no available AccessKey pairs, the evaluation result is compliant. |
| root-mfa-check | If MFA is enabled for each Alibaba Cloud account, the evaluation result is compliant. |
| ram-password-policy-check | If the settings of a password policy for each RAM user meet the specified values, the evaluation result is compliant. |
| ram-policy-no-statements-with-admin-access-check | If the Action parameter of each RAM user, RAM user group, and RAM role is not set to *, the evaluation result is compliant. In this case, * indicates the super administrator permissions. |
| ram-user-no-policy-check | If no permission policies are attached to each RAM user, the evaluation result is compliant. |
| oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-encryption-byok-check | If specified Customer Master Keys (CMKs) managed by Key Management Service (KMS) are used to encrypt each OSS bucket, the evaluation result is compliant. |
| rds-instance-enabled-auditing | If the SQL audit feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-instance-sql-collector-retention | If the SQL audit feature is enabled for each ApsaraDB RDS instance and SQL audit logs are retained for a period longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| rds-postgresql-parameter-log-connections | If the log_connections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
| rds-postgresql-parameter-log-disconnections | If the log_disconnections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
| rds-postgresql-parameter-log-duration | If the log_duration parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
| oss-bucket-anonymous-prohibited | If the Bucket ACL parameter of each OSS bucket is set to Private and no read and write permissions are granted to an anonymous account in authorization policies, the evaluation result is compliant. |
| oss-bucket-only-https-enabled | If the authorization policy of each OSS bucket includes settings that allow HTTPS requests and deny HTTP requests, the evaluation result is compliant. |
| oss-bucket-authorize-specified-ip | If the authorization policy of each OSS bucket includes the required IP whitelists, the evaluation result is compliant. |
| ecs-all-enabled-security-protection | If the Security Center agent is installed on each ECS instance, the evaluation result is compliant. |
| ecs-all-updated-security-vul | If the vulnerabilities that are identified by Security Center on each ECS instance are fixed, the evaluation result is compliant. |
| vpc-secondary-cidr-route-check | If the related route table includes at least one entry that indicates the routing information of IP addresses for a custom VPC CIDR block, the evaluation result is compliant. |
| rds-event-log-enabled | If the event history feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
| ram-user-last-login-expired-check | If a RAM user logs on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time. If the last update time is not more than 90 days before now, the evaluation result is compliant. |
| vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the evaluation result is compliant. |
| rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-instance-enabled-ssl | If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| actiontrail-trail-intact-enabled | If an active trail exists in ActionTrail and the events of all types that are generated in all regions are tracked, the evaluation result is compliant. |
| waf-instance-logging-enabled | If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF), the evaluation result is compliant. |
| ack-cluster-network-type-check | If the Terway network plug-in is used on each Container Service for Kubernetes (ACK) cluster, the evaluation result is compliant. |
| ack-cluster-public-endpoint-check | If no public IP addresses and ports are configured for the Kubernetes API Server in each ACK cluster, the evaluation result is compliant. |
| ack-cluster-node-monitorenabled | If CloudMonitor agents are installed on all nodes in each ACK cluster and run as expected, the evaluation result is compliant. |
| security-center-notice-config-check | If a notification method is specified for each notification item detected by Security Center, the evaluation result is compliant. |
| security-center-version-check | If Security Center Enterprise Edition or an advanced edition is used, the evaluation result is compliant. |

ClassifiedProtectionPreCheck

| Rule name | Description |
| --- | --- |
| ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| rds-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB RDS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB RDS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| actiontrail-enabled | If at least one active trail exists in ActionTrail, the evaluation result is compliant. |
| rds-high-availability-category | If high-availability ApsaraDB RDS instances are used, the evaluation result is compliant. |
| ecs-disk-encrypted | If encryption is enabled for each ECS data disk, the evaluation result is compliant. |
| rds-multi-az-support | If ApsaraDB RDS instances are deployed across multiple zones, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you do not set the port range to -1/-1 or the authorized IP address to 0.0.0.0/0, the evaluation result is compliant. |
| slb-listener-https-enabled | If ports 80 and 8080 are used by HTTPS listeners of each Server Load Balancer (SLB) instance, the evaluation result is compliant. |
| ecs-instance-no-public-ip | If no public IPv4 addresses are associated with each ECS instance, the evaluation result is compliant. |
| ram-user-mfa-check | If MFA is enabled for each RAM user, the evaluation result is compliant. |
| sg-risky-ports-check | If 0.0.0.0/0 is added to the IP whitelist of each security group while ports 22 and 3389 are disabled, the evaluation result is compliant. |
| oss-bucket-public-read-prohibited | If the ACL policy of each OSS bucket denies read access from the Internet, the evaluation result is compliant. |
| oss-bucket-public-write-prohibited | If the ACL policy of each OSS bucket denies read and write access from the Internet, the evaluation result is compliant. |
| oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant. |
| slb-no-public-ip | If no public IP addresses are associated with each SLB instance, the evaluation result is compliant. |
| rds-instance-enabled-security-ip-list | If the IP whitelist is enabled for each ApsaraDB RDS instance and the whitelist does not contain 0.0.0.0/0, the evaluation result is compliant. |
| cdn-domain-https-enabled | If HTTPS is enabled for each domain name accelerated by Alibaba Cloud Content Delivery Network (CDN), the evaluation result is compliant. |
| redis-instance-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for Redis instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for Redis instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| redis-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for Redis instance, the evaluation result is compliant. |
| mongodb-instance-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for MongoDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for MongoDB instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| mongodb-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for MongoDB instance, the evaluation result is compliant. |
| polardb-dbcluster-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each PolarDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which PolarDB instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| oss-zrs-enabled | If zone-redundant storage (ZRS) is enabled for each OSS bucket, the evaluation result is compliant. |
| rds-connectionmode-safe-enabled | If the access mode of each ApsaraDB RDS for SQL Server database is set to proxy, the evaluation result is compliant. |
| slb-acl-public-access-check | If the access control feature is enabled for each SLB instance and 0.0.0.0/0 is not added to the IP whitelist, the evaluation result is compliant. |
| eip-bandwidth-limit | If the available bandwidth of an elastic IP address is greater than or equal to the value of the specified parameter, the evaluation result is compliant. |
| slb-loadbalancer-bandwidth-limit | If the available bandwidth of each SLB instance is greater than or equal to the value of the specified parameter, the evaluation result is compliant. |
| polardb-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each PolarDB instance, the evaluation result is compliant. |

BestPracticesForOSS

| Rule name | Description |
| --- | --- |
| oss-bucket-public-read-prohibited | If the ACL policy of each OSS bucket denies read access from the Internet, the evaluation result is compliant. |
| oss-bucket-public-write-prohibited | If the ACL policy of each OSS bucket denies read and write access from the Internet, the evaluation result is compliant. |
| oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-bucket-referer-limit | If the hotlink protection feature is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-zrs-enabled | If ZRS is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-bucket-versioning-enabled | If the versioning feature is enabled for each OSS bucket, the evaluation result is compliant. |

BestPracticesForNetwork

| Rule name | Description |
| --- | --- |
| slb-loadbalancer-bandwidth-limit | If the available bandwidth of each SLB instance is greater than or equal to the value of the specified parameter, the evaluation result is compliant. |
| slb-listener-https-enabled | If ports 80 and 8080 are used by HTTPS listeners of each SLB instance, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you do not set the port range to -1/-1 or the authorized IP address to 0.0.0.0/0, the evaluation result is compliant. |
| sg-risky-ports-check | If 0.0.0.0/0 is added to the IP whitelist of each security group while ports 22 and 3389 are disabled, the evaluation result is compliant. |
| eip-bandwidth-limit | If the available bandwidth of an elastic IP address is greater than or equal to the value of the specified parameter, the evaluation result is compliant. |
| cdn-domain-https-enabled | If HTTPS is enabled for each domain name accelerated by CDN, the evaluation result is compliant. |
| slb-aliyun-certificate-required | If each SLB instance uses certificates that are issued by Alibaba Cloud, the evaluation result is compliant. |
| vpn-ipsec-connection-health-check-open | If the health check feature is enabled for each IPsec-VPN connection, the evaluation result is compliant. |
| vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the evaluation result is compliant. |
| slb-delete-protection-enabled | If the release protection feature is enabled for each SLB instance, the evaluation result is compliant. |
| slb-server-certificate-expired | If certificates used by each SLB instance are valid, the evaluation result is compliant. |
| slb-status-active-check | If each SLB instance is in the Running state, the evaluation result is compliant. |
| slb-servercertificate-expired-check | If the remaining validity period before the server certificate of SLB expires is longer than or equal to the period specified by the input parameter, the evaluation result is compliant. |
| slb-instance-expired-check | If the remaining validity period before a subscription SLB instance expires is longer than or equal to the period specified by the input parameter, the evaluation result is compliant. |
| slb-instance-loadbalancerspec-check | If a high-performance SLB instance is used, the evaluation result is compliant. |
| slb-instance-autorenewal-check | If the auto-renewal feature is enabled for each subscription SLB instance, the evaluation result is compliant. |
| slb-backendserver-weight-check | If an SLB instance has a backend server and the weight of the backend server is not set to 0, the evaluation result is compliant. |

BestPracticesForAccountGovernance

| Rule name | Description |
| --- | --- |
| root-mfa-check | If MFA is enabled for each Alibaba Cloud account, the evaluation result is compliant. |
| ram-group-has-member-check | If a RAM user group contains one or more RAM users, the evaluation result is compliant. |
| root-ak-check | If each Alibaba Cloud account has no available AccessKey pairs, the evaluation result is compliant. |
| ram-user-no-policy-check | If no permission policies are attached to each RAM user, the evaluation result is compliant. |
| ram-policy-no-statements-with-admin-access-check | If the Action parameter of each RAM user, RAM user group, and RAM role is not set to *, the evaluation result is compliant. In this case, * indicates the super administrator permissions. |
| ram-password-policy-check | If the settings of a password policy for each RAM user meet the specified values, the evaluation result is compliant. |
| ram-user-group-membership-check | If each RAM user belongs to a RAM user group, the evaluation result is compliant. |
| ram-risky-policy-user-mfa-check | If MFA is enabled for each RAM user to whom you attached the specified high-risk permission policy, the evaluation result is compliant. |
| ram-policy-in-use-check | If a permission policy is attached to one or more RAM user groups, RAM roles, or RAM users, the evaluation result is compliant. |
| ram-user-login-check | If both console logon and AccessKey logon are disabled for a RAM user, the evaluation result is compliant. |
| ram-user-ak-create-date-expired-check | If the period between the time when the AccessKey pair of a RAM user is created and the time when the compliance evaluation starts is shorter than or equal to that specified by the input parameter, the evaluation result is compliant. |
| ram-user-last-login-expired-check | If a RAM user logs on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time. If the last update time is not more than 90 days before now, the evaluation result is compliant. |

BestPracticesForDataBase

| Rule name | Description |
| --- | --- |
| mongodb-cluster-expired-check | If the remaining validity period before a subscription ApsaraDB for MongoDB cluster expires is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| hbase-cluster-expired-check | If the remaining validity period before a subscription HBase cluster expires is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| rds-instance-enabled-safety-security-ip | If each ApsaraDB RDS instance uses enhanced whitelists, the evaluation result is compliant. |
| polardb-cluster-category-normal | If the cluster edition is used for PolarDB, the evaluation result is compliant. |
| redis-instance-release-protection | If the release protection feature is enabled for each ApsaraDB for Redis instance, the evaluation result is compliant. |
| redis-instance-disable-risk-commands | If high-risk commands are disabled for each ApsaraDB for Redis instance, the evaluation result is compliant. |
| hbase-cluster-type-check | If the cluster edition is used for each ApsaraDB for HBase cluster, the evaluation result is compliant. |
| hbase-cluster-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for HBase cluster is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for HBase clusters reside matches the specified setting. If yes, the evaluation result is compliant. |
| hbase-cluster-ha-check | If the configuration of each ApsaraDB for HBase cluster is set to high availability, the evaluation result is compliant. |
| hbase-cluster-deletion-protection | If the deletion protection feature is enabled for each ApsaraDB for HBase cluster, the evaluation result is compliant. |
| mongodb-instance-release-protection | If the release protection feature is enabled for each ApsaraDB for MongoDB instance, the evaluation result is compliant. |
| mongodb-instance-lock-mode | If each ApsaraDB for MongoDB instance is not locked, the evaluation result is compliant. |
| mongodb-instance-log-audit | If the audit log feature is enabled for each ApsaraDB for MongoDB cluster, the evaluation result is compliant. |
| rds-instance-expired-check | If the remaining validity period before a subscription ApsaraDB RDS instance expires is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| polardb-cluster-expired-check | If the remaining validity period before a subscription PolarDB instance expires is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| redis-instance-expired-check | If the remaining validity period before a subscription ApsaraDB for Redis cluster expires is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| rds-instance-enabled-auditing | If the SQL audit feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-high-availability-category | If high-availability ApsaraDB RDS instances are used, the evaluation result is compliant. |
| rds-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB RDS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB RDS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| rds-multi-az-support | If ApsaraDB RDS instances are deployed across multiple zones, the evaluation result is compliant. |
| rds-instance-enabled-ssl | If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-instance-enabled-tde | If the TDE feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| redis-instance-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for Redis instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for Redis instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| redis-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for Redis instance, the evaluation result is compliant. |
| redis-architecturetype-cluster-check | If the cluster architecture is used for each ApsaraDB for Redis instance, the evaluation result is compliant. |
| mongodb-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for MongoDB instance, the evaluation result is compliant. |
| mongodb-instance-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for MongoDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for MongoDB instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| polardb-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each PolarDB instance, the evaluation result is compliant. |
| polardb-dbcluster-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each PolarDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which PolarDB instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| rds-instance-sql-collector-retention | If the SQL audit feature is enabled for each ApsaraDB RDS instance and SQL audit logs are retained for a period longer than that specified by the input parameter, the evaluation result is compliant. |
| rds-event-log-enabled | If the event history feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |

BestPraticesForECS

| Rule name | Description |
| --- | --- |
| ecs-instance-status-no-stopped | If the ECS instance is not in the Stopped state, the evaluation result is compliant. |
| ecs-instance-expired-check | If the remaining validity period before a subscription ECS instance expires is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| ecs-instance-deletion-protection-enabled | If the release protection feature is enabled for each ECS instance, the evaluation result is compliant. |
| ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| ecs-disk-encrypted | If encryption is enabled for each ECS data disk, the evaluation result is compliant. |
| ecs-disk-in-use | If each ECS data disk is attached to an ECS instance, the evaluation result is compliant. |
| sg-risky-ports-check | If 0.0.0.0/0 is added to the IP whitelist of each security group while ports 22 and 3389 are disabled, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you do not set the port range to -1/-1 or the authorized IP address to 0.0.0.0/0, the evaluation result is compliant. |
| ecs-instance-attached-security-group | If each ECS instance is added to a specified security group, the evaluation result is compliant. |
| ecs-instance-imageId-check | If the ID of the system image of each ECS instance matches the specified setting, the evaluation result is compliant. |
| ecs-all-updated-security-vul | If the vulnerabilities that are identified by Security Center on each ECS instance are fixed, the evaluation result is compliant. |
| ecs-all-enabled-security-protection | If the Security Center agent is installed on each ECS instance, the evaluation result is compliant. |
| ecs-instance-no-lock | If no ECS instances are locked due to some issues, the evaluation result is compliant. These issues include overdue payments and security risks. |
| ess-group-health-check | If the health check feature is enabled for ECS instances of each scaling group, the evaluation result is compliant. |
| ecs-disk-auto-snapshot-policy | If an auto snapshot policy is specified for each ECS data disk, the evaluation result is compliant. |
| ecs-disk-no-lock | If no ECS data disks are locked due to some issues, the evaluation result is compliant. These issues include overdue payments and security risks. |
| ecs-disk-retain-auto-snapshot | If auto snapshots are retained when the related ECS data disks are released, the evaluation result is compliant. |
| ecs-snapshot-retention-days | If auto snapshots of ECS instances are retained for a period longer than or equal to that specified by the input parameter, the evaluation result is compliant. |

RMiTComplianceCheck

| Rule name | Description |
| --- | --- |
| actiontrail-trail-intact-enabled | If an active trail exists in ActionTrail and the events of all types that are generated in all regions are tracked, the evaluation result is compliant. |
| actiontrail-enabled | If at least one active trail exists in ActionTrail, the evaluation result is compliant. |
| oss-encryption-byok-check | If specified CMKs managed by KMS are used to encrypt each OSS bucket, the evaluation result is compliant. |
| ecs-disk-auto-snapshot-policy | If an auto snapshot policy is specified for each ECS data disk, the evaluation result is compliant. |
| ecs-disk-encrypted | If encryption is enabled for each ECS data disk, the evaluation result is compliant. |
| ecs-instance-no-public-ip | If no public IPv4 addresses are associated with each ECS instance, the evaluation result is compliant. |
| ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| slb-aliyun-certificate-required | If each SLB instance uses certificates that are issued by Alibaba Cloud, the evaluation result is compliant. |
| slb-server-certificate-expired | If certificates used by each SLB instance are valid, the evaluation result is compliant. |
| slb-delete-protection-enabled | If the release protection feature is enabled for each SLB instance, the evaluation result is compliant. |
| slb-listener-https-enabled | If ports 80 and 8080 are used by HTTPS listeners of each SLB instance, the evaluation result is compliant. |
| ram-group-has-member-check | If a RAM user group contains one or more RAM users, the evaluation result is compliant. |
| ram-password-policy-check | If the settings of a password policy for each RAM user meet the specified values, the evaluation result is compliant. |
| ram-policy-no-statements-with-admin-access-check | If the Action parameter of each RAM user, RAM user group, and RAM role is not set to *, the evaluation result is compliant. In this case, * indicates the super administrator permissions. |
| root-ak-check | If each Alibaba Cloud account has no available AccessKey pairs, the evaluation result is compliant. |
| ram-user-group-membership-check | If each RAM user belongs to a RAM user group, the evaluation result is compliant. |
| ram-user-mfa-check | If MFA is enabled for each RAM user, the evaluation result is compliant. |
| ram-user-no-policy-check | If no permission policies are attached to each RAM user, the evaluation result is compliant. |
| ram-user-last-login-expired-check | If a RAM user logs on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time. If the last update time is not more than 90 days before now, the evaluation result is compliant. |
| rds-event-log-enabled | If the event history feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-multi-az-support | If ApsaraDB RDS instances are deployed across multiple zones, the evaluation result is compliant. |
| rds-instance-enabled-tde | If the TDE feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-bucket-anonymous-prohibited | If the Bucket ACL parameter of each OSS bucket is set to Private and no read and write permissions are granted to anonymous accounts in authorization policies, the evaluation result is compliant. |
| oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-default-encryption-kms | If server-side encryption with KMS managed keys is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-bucket-versioning-enabled | If the versioning feature is enabled for each OSS bucket, the evaluation result is compliant. |
| vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the evaluation result is compliant. |
| vpn-ipsec-connection-status-check | If the IPsec-VPN connection is established, the evaluation result is compliant. |
| waf-instance-logging-enabled | If the log collection feature is enabled for each domain name that is protected by WAF, the evaluation result is compliant. |
| oss-bucket-only-https-enabled | If the authorization policy of each OSS bucket includes settings that allow HTTPS requests and deny HTTP requests, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you do not set the port range to -1/-1 or the authorized IP address to 0.0.0.0/0, the evaluation result is compliant. |
| kms-key-rotaion-enabled | If automatic key rotation is enabled for CMKs managed by KMS, the evaluation result is compliant. |
| elasticsearch-instance-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each Elasticsearch instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which Elasticsearch instances reside matches the specified setting. If yes, the evaluation result is compliant. |