
Cloud Governance Center:Supported check items (3.0 model)

Last Updated:Jul 31, 2025

This topic describes the check items supported by the governance maturity assessment 3.0 model.

Security

Each entry below lists five fields: Category, Check item, Description, Quick fix description, and Decision support.

Category: Personnel identity management
Check item: MFA is not enabled for the Alibaba Cloud account.
Description: We recommend that you enable multi-factor authentication (MFA) for your Alibaba Cloud account to achieve a higher level of security. An Alibaba Cloud account without MFA enabled is considered non-compliant.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Personnel identity management
Check item: The Alibaba Cloud account was used to log on to the console in the last 90 days.
Description: The Alibaba Cloud account has high privileges and cannot be restricted by conditions such as source IP address or access time. If this account is compromised, the security risk is high. An Alibaba Cloud account is considered non-compliant if it was used to log on to the console within the last 90 days.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Personnel identity management
Check item: We recommend that you unify identity management for your multiple accounts.
Description: You can use CloudSSO to centrally manage users of Alibaba Cloud in your enterprise, configure single sign-on (SSO) between your enterprise identity provider (IdP) and Alibaba Cloud, and centrally configure access permissions for all users to member accounts in a resource directory. The configuration is considered non-compliant if CloudSSO has not been used for logon in more than 90 days.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Personnel identity management
Check item: RAM is not used to manage identities.
Description: The Alibaba Cloud account has high privileges. If this account is compromised, the security risk is high. We recommend that you use RAM identities for daily operations. The account is considered non-compliant if no RAM identities exist.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Personnel identity management
Check item: RAM user-based SSO is not enabled for console logon.
Description: Centrally managing personnel identities using SSO improves management efficiency and reduces risks. The configuration is considered non-compliant if RAM user-based SSO is not configured for the current account or if a logon without SSO occurs within 30 days.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Personnel identity management
Check item: RAM SCIM is not enabled to synchronize users.
Description: You can use the System for Cross-domain Identity Management (SCIM) protocol to easily synchronize personnel identities from your enterprise to Alibaba Cloud without manually creating users. The configuration is considered non-compliant if SCIM synchronization is not configured for the current account or if a synchronized user has not logged on for two months.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Personnel identity management
Check item: A RAM user for whom MFA is not enabled exists.
Description: MFA provides a higher level of security for RAM users. A RAM user with console logon enabled but without MFA configured is considered non-compliant.
Quick fix description: Quick fixes are not supported.
Decision support: Yes

Category: Personnel identity management
Check item: An idle RAM user exists.
Description: When you enable console logon for a RAM user, a logon password is set. The longer the password exists, the higher the risk of exposure. An idle RAM user who has not logged on for more than 90 days is considered non-compliant.
Quick fix description: This fix disables console logon for the selected RAM user. After the fix is applied, the RAM user cannot log on to the console. Ensure that the selected RAM user no longer needs to log on.
Decision support: Yes

Category: Personnel identity management
Check item: A complete password strength policy is not configured for RAM users.
Description: Increasing password strength can effectively reduce the risk of dictionary attacks and brute-force attacks. The configuration is considered non-compliant if a strong password policy, password expiration policy, password history check policy, and password retry limit are not configured.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Personnel identity management
Check item: A RAM user who has both console logon and an AccessKey enabled exists.
Description: We recommend that you apply the principle of single responsibility in all scenarios. A RAM user in the current account who has both an AccessKey and console logon enabled is considered non-compliant. If user-based SSO is enabled for the current account, the console logon configuration is ignored; instead, a user who has logged on in the last seven days and has an AccessKey is considered non-compliant.
Quick fix description: This fix disables console logon for the selected RAM user. After the fix is applied, the RAM user cannot log on to the console. Ensure that the selected RAM user no longer needs to log on.
Decision support: Yes

Category: Programmatic identity management
Check item: The Alibaba Cloud account has an enabled AccessKey.
Description: An AccessKey of an Alibaba Cloud account has the same permissions as the Alibaba Cloud account and cannot be restricted by conditions such as source IP address or access time. If the AccessKey is leaked, the security risk is high. The account is considered non-compliant if an AccessKey for the Alibaba Cloud account exists.
Quick fix description: Quick fixes are not supported.
Decision support: Yes

Category: Programmatic identity management
Check item: An AccessKey-free solution is not used for programmatic access.
Description: The configuration is considered non-compliant if no instance roles are configured for ECS instances and the RAM Roles for Service Accounts (RRSA) plug-in is not enabled for ACK in the current account.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Programmatic identity management
Check item: The ECS instance does not use the reinforced mode of Metadata Service.
Description: Ensure that the ECS instance uses the reinforced mode (V2) of Metadata Service to prevent potential Security Token Service (STS) token leaks that can occur in V1. An ECS instance that uses V1 of Metadata Service is considered non-compliant. You must upgrade Metadata Service to V2 to be compliant.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Programmatic identity management
Check item: An idle AccessKey exists.
Description: A RAM user AccessKey can be used to access Alibaba Cloud APIs. The longer an AccessKey is exposed externally, the higher the risk of leakage. A RAM user AccessKey that has not been used for more than 365 days is considered non-compliant.
Quick fix description: This fix disables the selected AccessKey. After the AccessKey is disabled, it cannot be used. Ensure that the selected AccessKey is not used in any programs or applications.
Decision support: Yes

Category: Programmatic identity management
Check item: An AccessKey that is not periodically rotated exists.
Description: Periodic rotation reduces the exposure duration of an AccessKey, which in turn reduces the risk of leakage. A RAM user AccessKey that has been in use for more than 365 days is considered non-compliant.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Programmatic identity management
Check item: A RAM user with two enabled AccessKeys exists.
Description: If a RAM user has two enabled AccessKeys, the user loses the ability to rotate them, which poses a greater risk. A single RAM user with two AccessKeys is considered non-compliant.
Quick fix description: This fix disables the selected AccessKey. After the AccessKey is disabled, it cannot be used. Ensure that the selected AccessKey is not used in any programs or applications.
Decision support: Yes

Category: Programmatic identity management
Check item: A leaked and unprocessed AccessKey exists.
Description: After an AccessKey is leaked, an attacker can use it to access your resources or data, causing a security incident. An unprocessed AccessKey leak event is considered non-compliant.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Programmatic identity management
Check item: Password authentication is not enabled for the Redis instance (new in 3.0 model).
Description: If password authentication is not enabled or is improperly configured for a Redis instance in a virtual private cloud (VPC), it may lead to risks such as data breaches, unauthorized malicious operations, network security vulnerabilities, and service interruptions. A Redis instance in a VPC with password authentication disabled is considered non-compliant.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Programmatic identity management
Check item: A KMS key is pending deletion (new in 3.0 model).
Description: Ensure that a master key in use is not scheduled for deletion to prevent it from being deleted due to misoperations, which would affect business operations. A KMS master key that is scheduled for deletion is considered non-compliant.
Quick fix description: Quick fixes are not supported.
Decision support: No
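The personnel and programmatic identity checks above reduce to a handful of date and count thresholds (90 idle days for a console user, 365 days for an idle or unrotated AccessKey, two enabled keys, console logon combined with a key, MFA for console users). The following Python script is an added illustration, not code from Cloud Governance Center or its API: it evaluates a constructed RAM user inventory against those thresholds, and the data model, user names, key IDs and reference date are assumptions made for the example.

```python
"""Evaluate RAM users and their AccessKeys against the identity hygiene
thresholds from the check list. The data model, user names, key IDs and the
reference date are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

IDLE_USER_DAYS = 90       # idle RAM user: no console logon for more than 90 days
IDLE_KEY_DAYS = 365       # idle AccessKey: unused for more than 365 days
ROTATION_DAYS = 365       # unrotated AccessKey: in use for more than 365 days
RECENT_LOGON_DAYS = 7     # logon window applied when user-based SSO is enabled
FIXED_NOW = datetime(2025, 7, 31, tzinfo=timezone.utc)   # reference date for the sample run


@dataclass
class AccessKey:
    key_id: str                       # placeholder, not a real key ID
    created: datetime
    last_used: Optional[datetime]     # None: never used
    enabled: bool = True


@dataclass
class RamUser:
    name: str
    console_logon: bool
    mfa_enabled: bool
    last_logon: Optional[datetime]    # None: never logged on
    keys: List[AccessKey] = field(default_factory=list)


def evaluate_user(user: RamUser, now: datetime, user_sso_enabled: bool = False) -> List[str]:
    """Return the check items the user fails; an empty list means compliant."""
    findings: List[str] = []
    enabled_keys = [k for k in user.keys if k.enabled]
    idle_days = (now - user.last_logon).days if user.last_logon else None

    # MFA is only assessed for users that can log on to the console.
    if user.console_logon and not user.mfa_enabled:
        findings.append("mfa_not_enabled")

    # Idle user: console logon enabled but no logon for more than 90 days
    # (a user who has never logged on is treated as idle).
    if user.console_logon and (idle_days is None or idle_days > IDLE_USER_DAYS):
        findings.append("idle_user")

    # Single responsibility: console logon and an AccessKey on one user.
    # With user-based SSO the console logon flag is ignored and a logon in the
    # last seven days plus an AccessKey is the trigger instead.
    if enabled_keys:
        if user_sso_enabled:
            if idle_days is not None and idle_days <= RECENT_LOGON_DAYS:
                findings.append("console_and_accesskey")
        elif user.console_logon:
            findings.append("console_and_accesskey")

    # Two enabled keys leave no free slot for rotation.
    if len(enabled_keys) >= 2:
        findings.append("two_enabled_accesskeys")

    for key in enabled_keys:
        age_days = (now - key.created).days
        unused_days = (now - key.last_used).days if key.last_used else age_days
        if unused_days > IDLE_KEY_DAYS:
            findings.append(f"idle_accesskey:{key.key_id}")
        if age_days > ROTATION_DAYS:
            findings.append(f"unrotated_accesskey:{key.key_id}")
    return findings


def sample_inventory(now: datetime) -> List[RamUser]:
    """Constructed inventory covering the cases above (not real users or keys)."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)
    return [
        RamUser("ops-alice", console_logon=True, mfa_enabled=True, last_logon=days_ago(3),
                keys=[AccessKey("AK-PLACEHOLDER-1", created=days_ago(400), last_used=days_ago(2))]),
        RamUser("svc-deploy", console_logon=False, mfa_enabled=False, last_logon=None,
                keys=[AccessKey("AK-PLACEHOLDER-2", created=days_ago(30), last_used=days_ago(1)),
                      AccessKey("AK-PLACEHOLDER-3", created=days_ago(700), last_used=days_ago(400))]),
        RamUser("contractor-bob", console_logon=True, mfa_enabled=False, last_logon=days_ago(120)),
    ]


def evaluate_all(now: datetime = FIXED_NOW, user_sso_enabled: bool = False) -> Dict[str, List[str]]:
    """Run every user in the sample inventory through the checks."""
    return {u.name: evaluate_user(u, now, user_sso_enabled) for u in sample_inventory(now)}


if __name__ == "__main__":
    for name, findings in evaluate_all().items():
        print(f"{name}: {findings or 'compliant'}")
```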

Category: Permission management
Check item: Too many non-administrator RAM identities have high-risk permissions on User Center.
Description: We recommend following the principle of least privilege for RAM identity permission management. Grant only necessary permissions. A RAM identity with write permissions on Billing and User Center (BSS) can modify information such as orders, invoices, contracts, and bills, and perform financial operations such as transactions and withdrawals. Poor management can cause asset losses. The configuration is considered compliant if three or fewer RAM identities in the current Alibaba Cloud account have write permissions such as `bss:*`, `bssapi:*`, `bss:PayOrder`, `bss:Modify*`, `bss:Create*`, `bss:*Order*`, and `bss:Delete*`.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: All RAM identities are granted administrator permissions.
Description: We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. Avoid granting administrator permissions to all RAM identities to prevent business impacts if an identity is compromised. The configuration is considered compliant if a RAM identity is granted non-administrator permissions.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: Too many RAM identities are granted administrator permissions.
Description: We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. Administrator permissions allow performing any operation on any resource under the account. Avoid granting administrator permissions to too many RAM identities to prevent business impacts if an identity is compromised. The configuration is considered compliant if three or fewer RAM identities in the current Alibaba Cloud account have administrator permissions.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: Too many non-administrator RAM identities are granted high-risk privileges.
Description: We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. A RAM identity with write permissions on RAM can create new identities or modify the permissions of existing identities, leading to excessive authorization and posing risks to the security and confidentiality of resources in the account. The configuration is considered compliant if three or fewer RAM identities in the current Alibaba Cloud account have write permissions such as `ram:*`, `ram:Create*`, `ram:Update*`, and `ram:Delete*`.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: A non-administrator RAM identity is granted decryption permissions on all KMS keys.
Description: Using KMS, you can control who can use your KMS keys and access your encrypted data. A RAM policy defines which operations an identity (user, group, or role) can perform on which resources. As a security best practice, we recommend that you follow the principle of least privilege. This means you should grant only the required permissions to an identity and authorize the identity to use only the required keys. Otherwise, unauthorized data access may occur. Do not grant a user access permissions on all keys. Instead, determine the minimum set of keys that the user needs to access encrypted data, and then grant the user an access policy only for these keys. For example, do not allow the `kms:Decrypt` permission on all KMS keys. Instead, allow this permission only on specific keys in a specific region of your account. By adopting the principle of least privilege, you can reduce the risk of accidental data breaches.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: A RAM identity has idle product-level permissions.
Description: After an access policy is granted to a RAM identity, if a permission defined in the policy is not used within a specified period, the permission is considered idle. This may occur because the function of the RAM identity has changed, or the previously defined permission scope was too broad. As a best practice, we recommend that you periodically revoke idle permissions to achieve granular authorization. If a RAM identity has a product-level permission that has not been used for 180 days, it is not in compliance with best practices.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: A RAM identity has idle high-risk operation permissions.
Description: After an access policy is granted to a RAM identity, if an operation (Action) defined in the policy is not used within a specified period, the operation permission is considered idle. This may occur because the function of the RAM identity has changed, or the previously defined permission scope was too broad. As a best practice, we recommend that you periodically revoke idle permissions to achieve granular authorization. For some high-risk operations (such as creating a user in RAM), idle permissions should be revoked in a timely manner to prevent security incidents. If a RAM identity has a high-risk operation permission that has not been used for 180 days, it is not in compliance with best practices.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: No RAM user inherits permissions from a user group.
Description: By default, RAM users, groups, and roles cannot access any resources. You can grant permissions to users, groups, or roles using RAM policies. We recommend that you apply RAM policies directly to groups and roles instead of users. Assigning permissions at the group or role level can reduce the management complexity that increases with the number of users, and reduce the risk of unintentionally expanding the permissions of a RAM user. The configuration is considered compliant with best practices if any RAM user inherits permissions from a RAM user group.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: We recommend using control policies for multi-account border protection.
Description: Control policies in a resource directory allow an organization to restrict the Alibaba Cloud services that member accounts can access and the operations that they can perform. This helps centrally manage the permission boundaries of member accounts and ensures that the entire organization complies with unified security and compliance standards. The account is considered non-compliant if the system detects that no custom access control policy is created and attached to a folder or member in the resource directory for the current account.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Permission management
Check item: Access Analyzer is not used for permission management (new in 3.0 model).
Description: Access Analyzer can help you identify resources that are shared with external accounts within the current account or resource directory. This helps you identify unexpected resource sharing and reduce enterprise security risks. It can also help you identify and view over-authorized identities in the resource directory or the current account, and generate corresponding analysis results for these identities.
Quick fix description: Quick fixes are not supported.
Decision support: No
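As an added example (not the product's own analysis code), the following Python script applies the permission-management criteria above to a set of RAM policy documents: it flags identities granted the listed BSS and RAM write patterns or `kms:Decrypt` on all keys, counts administrators separately, and compares each count with the threshold of three. The identity names, policy documents and the wildcard-matching rule are assumptions made for the example; the action lists are quoted from the check items, which describe them with "such as", so a real deployment would extend them.

```python
"""Apply the permission-management criteria to RAM policy documents: flag
identities granted the listed BSS and RAM write patterns or kms:Decrypt on all
keys, keep administrators apart, and compare counts with the threshold of three.
Identity names and policy documents are constructed for this example."""
from fnmatch import fnmatchcase
from typing import Dict, List

# Action patterns quoted in the check items above ("such as": extend as needed).
BSS_WRITE = ["bss:*", "bssapi:*", "bss:PayOrder", "bss:Modify*", "bss:Create*",
             "bss:*Order*", "bss:Delete*"]
RAM_WRITE = ["ram:*", "ram:Create*", "ram:Update*", "ram:Delete*"]
THRESHOLD = 3   # more than three non-administrator identities is non-compliant


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def actions_overlap(granted: str, pattern: str) -> bool:
    """True when a granted action reaches a risky pattern. Both sides may carry
    wildcards. A grant at least as broad as the pattern always counts ('*',
    'bss:*'); a narrower grant counts only when a specific pattern covers it
    ('bss:ModifyAccount' under 'bss:Modify*'), so a service-wide pattern such as
    'ram:*' does not flag a single, possibly read-only, action like ram:ListUsers."""
    g, p = granted.lower(), pattern.lower()
    if fnmatchcase(p, g):
        return True
    if p.endswith(":*"):
        return False
    return fnmatchcase(g, p)


def all_keys(resources: List[str]) -> bool:
    """Resource '*' or a key ARN ending in 'key/*' covers every key in the account."""
    return any(r == "*" or r.endswith(":key/*") for r in resources)


def classify_policy(doc: dict) -> Dict[str, bool]:
    """Flag what one policy document grants; Deny statements never grant."""
    flags = {"admin": False, "bss_write": False, "ram_write": False, "kms_decrypt_all": False}
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource"))
        for act in _as_list(st.get("Action")):
            if act == "*":
                flags["admin"] = True          # any operation on any resource
            if any(actions_overlap(act, p) for p in BSS_WRITE):
                flags["bss_write"] = True
            if any(actions_overlap(act, p) for p in RAM_WRITE):
                flags["ram_write"] = True
            if actions_overlap(act, "kms:Decrypt") and all_keys(resources):
                flags["kms_decrypt_all"] = True
    return flags


def assess(identities: Dict[str, List[dict]]) -> dict:
    """identities maps a RAM identity (user, group or role) to its attached policies."""
    admins, bss, ram, kms = [], [], [], []
    for name, docs in identities.items():
        merged = {k: any(classify_policy(d)[k] for d in docs) for k in
                  ("admin", "bss_write", "ram_write", "kms_decrypt_all")}
        if merged["admin"]:
            admins.append(name)                # administrators are counted separately
            continue
        if merged["bss_write"]:
            bss.append(name)
        if merged["ram_write"]:
            ram.append(name)
        if merged["kms_decrypt_all"]:
            kms.append(name)
    return {"administrators": admins, "too_many_administrators": len(admins) > THRESHOLD,
            "bss_write": bss, "too_many_bss_write": len(bss) > THRESHOLD,
            "ram_write": ram, "too_many_ram_write": len(ram) > THRESHOLD,
            "kms_decrypt_all": kms}            # every identity listed here is a finding


def _allow(action, resource="*") -> dict:
    """Build a one-statement Allow policy document (helper for the sample only)."""
    return {"Version": "1", "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}


SAMPLE_IDENTITIES = {   # constructed; the account and key IDs are placeholders
    "admin-ops": [_allow("*")],
    "finance-1": [_allow("bss:PayOrder")],
    "finance-2": [_allow(["bss:Modify*"])],
    "finance-3": [_allow("bss:*")],
    "finance-4": [_allow("bss:CreateOrder")],
    "iam-ops": [_allow(["ram:CreateUser", "ram:AttachPolicyToUser"])],
    "etl-reader": [_allow("kms:Decrypt")],
    "app-reader": [_allow("kms:Decrypt", "acs:kms:cn-hangzhou:ACCOUNT-ID-PLACEHOLDER:key/KEY-ID-PLACEHOLDER")],
}


def assess_sample() -> dict:
    """Assess the constructed identities; four BSS writers exceed the threshold."""
    return assess(SAMPLE_IDENTITIES)
```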

Category: Log collection and archiving
Check item: ActionTrail logs are not retained long-term.
Description: The configuration is considered non-compliant if no trail is created, or if an existing trail does not archive events from all regions, does not archive all read and write events, or has a storage period shorter than 180 days.
Quick fix description: This fix improves the settings of existing trails in the current account by enabling complete management-related read and write events and events from all regions. Select at least one existing trail from the list to improve its settings. After the fix, newly generated read, write, and all-region events are delivered to the destination storage of the trail. Historical events in the storage are not affected.
Decision support: No

Category: Log collection and archiving
Check item: Operation logs are not centrally collected in a multi-account environment.
Description: ActionTrail records events for each Alibaba Cloud account for the last 90 days by default. Creating a trail can help enterprises persistently store operation records to meet internal and external compliance requirements. A multi-account trail helps enterprise administrators centrally track and audit logs for multiple accounts within the enterprise. The configuration is considered non-compliant if no multi-account trail is detected.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Log collection and archiving
Check item: Cloud Firewall logs are not collected and stored for 180 days or more.
Description: Cloud Firewall automatically records all traffic and provides convenient query functions for attack events, traffic details, and operation logs through a visual log audit page, making it easy and fast to trace the source of attacks and review traffic. Cloud Firewall stores audit logs for 7 days by default to meet basic audit and analysis needs. However, to better meet compliance requirements and improve security, we recommend that you extend the log storage period to 180 days or more. If you have purchased a subscription version of Cloud Firewall but do not collect and store its logs for 180 days or more, your configuration is not in compliance with network security best practices.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Log collection and archiving
Check item: A log delivery task is not configured for an ESA site.
Description: This check item ensures that at least one type of log is configured for the site, so that you can obtain detailed real-time log information about access to ESA resources for monitoring, analysis, and optimization of content delivery performance. If no log delivery task is configured, the site is not in compliance with the best practices for monitoring and auditing.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Log collection and archiving
Check item: Centralized log collection is not enabled in a multi-account environment.
Description: The configuration is considered non-compliant if the system detects that the trusted service for Simple Log Service (SLS) log audit is not enabled.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Log collection and archiving
Check item: Log storage is not enabled for the OSS bucket (new in 3.0 model).
Description: Many access logs are generated when OSS is accessed. The log storage feature writes these logs into log files on an hourly basis, using fixed naming conventions, in a bucket that you specify. You can analyze the stored logs with Alibaba Cloud Simple Log Service or with a Spark cluster that you build. The configuration is considered compliant if log storage is enabled in the log management settings of an OSS bucket.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Log collection and archiving
Check item: Log collection is not configured for EDAS (new in 3.0 model).
Description: Alibaba Cloud Enterprise Distributed Application Service (EDAS), in conjunction with Simple Log Service, provides a log feature that delivers business file logs and container standard output logs of applications deployed in Container Service for Kubernetes (ACK) clusters to Simple Log Service for query and analysis. The configuration is considered non-compliant if log collection is not configured for EDAS.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Log collection and archiving
Check item: Real-time log query is not enabled for OSS (new in 3.0 model).
Description: The real-time log feature for OSS buckets lets you enable real-time logging for specified buckets to record access to the buckets in the form of logs. These logs can be used for auditing, monitoring, and analysis. The configuration is considered non-compliant if real-time log query is not enabled for Object Storage Service.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compliance check
Check item: Delivery of resource changes or snapshots is not configured.
Description: The configuration is considered non-compliant if delivery of resource changes or snapshots is not configured in Cloud Config.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compliance check
Check item: Compliance check data is not obtained periodically.
Description: The configuration is considered non-compliant if delivery of non-compliant events is not configured in Cloud Config or the check results have not been viewed for seven days.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compliance check
Check item: Cloud resources are non-compliant.
Description: Resources are considered non-compliant if the compliance rate of resources checked by enabled rules in Cloud Config is lower than 100%.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compliance check
Check item: Unified resource configuration checks are not enabled in a multi-account environment.
Description: The current account is considered non-compliant if it does not meet both of the following conditions:
  • An account group exists and rules have been created under the account group.
  • Non-compliant events are delivered to SLS.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compliance check
Check item: Cloud Config is not enabled.
Description: The account is considered non-compliant if Cloud Config is not enabled for the current account.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compliance check
Check item: Cloud Config compliance rules are not enabled.
Description: The account is considered non-compliant if no Cloud Config rules are enabled for the current account.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compliance check
Check item: Cloud Config compliance rules do not cover all cloud resources.
Description: The assessment is based on the ratio of resource types covered by the rules. The configuration is considered non-compliant if the resource type coverage is less than 100%.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compute resource protection
Check item: Vulnerabilities require fixing.
Description: Vulnerability management is a continuous and proactive process that protects systems, networks, and enterprise applications from cyberattacks and data breaches. By promptly addressing potential security weaknesses, you can prevent attacks and minimize damage if an attack occurs. The account is considered non-compliant if the number of vulnerabilities that require fixing is greater than 0.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compute resource protection
Check item: Host baseline risks require fixing.
Description: Viruses and hackers exploit security configuration vulnerabilities to compromise servers, steal data, or plant backdoors. The baseline check feature performs security checks on configurations for server operating systems, databases, software, and containers. Fixing baseline risks promptly strengthens system security, reduces the risk of intrusion, and helps meet security compliance requirements. An Alibaba Cloud account is considered non-compliant if it has one or more unfixed baseline risks.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compute resource protection
Check item: The anti-virus feature is not enabled.
Description: You can enable the virus scan feature to effectively remove various malicious threats from servers and provide effective protection against threats such as mainstream ransomware, DDoS Trojans, mining programs, Trojan programs, malicious programs, backdoor programs, and worms. The configuration is considered non-compliant if you have purchased the Anti-virus, Enterprise, or Ultimate Edition of Security Center and have not configured a periodic virus scan policy.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compute resource protection
Check item: An anti-ransomware policy is not enabled.
Description: Ransomware intrusion encrypts customer business data for ransom, leading to business interruptions, data breaches, and data loss, which brings serious business risks. Timely configuration of anti-ransomware policies can effectively reduce such risks. Your configuration is considered non-compliant if you have purchased the anti-ransomware feature but have not created a protection policy.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Compute resource protection
Check item: Container image scanning is not configured.
Description: If an image itself has system or application vulnerabilities, or is replaced with a virus-infected image containing malicious samples, the services created based on the "problematic image" will have vulnerabilities. By performing security scans on images in the image repository, security personnel can push the scan results to developers to fix image issues and ensure business security. Your configuration is considered non-compliant if you have purchased the container image scanning feature but have not configured a scan scope in the scan settings.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Application runtime protection
Check item: A WAF managed rule is not configured for an ESA site.
Description: This check item ensures that the site has managed rules configured for better protection against vulnerabilities in web and API applications. If no managed rule is configured, the site is not in compliance with the best practices for Web Application Protection.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Application runtime protection
Check item: A WAF custom rule is not configured for an ESA site.
Description: This check item ensures that the site has WAF custom rules configured to detect and mitigate malicious requests to the site. If no custom rule is configured, the site is not in compliance with the best practices for Web Application Protection.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Application runtime protection
Check item: Web tamper proofing is not enabled.
Description: The web tamper proofing feature monitors website directories or files in real time and can restore tampered files or directories from backup data when the website is maliciously tampered with. This prevents illegal information from being implanted into the website and ensures its normal operation. Your configuration is considered non-compliant if you have purchased the tamper-proofing feature but the number of bound servers is 0.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Application runtime protection
Check item: An application protection configuration is not created.
Description: By detecting attacks and protecting applications at runtime, you can effectively protect Java applications, prevent zero-day vulnerability attacks, and provide security defense for applications. The configuration is considered non-compliant if a customer who has purchased application protection has not created an application configuration (the number of groups is 0).
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Network attack response
Check item: No protected object is added to Anti-DDoS Origin.
Description: After purchasing an Anti-DDoS Origin, Anti-DDoS Pro, or Anti-DDoS Premium instance, you need to add public IP assets as protected objects so that the instance can provide DDoS mitigation for them. Otherwise, the protection is not effective and the cost is wasted.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Network attack response
Check item: The DDoS AI intelligent protection for websites is set to strict mode.
Description: AI intelligent protection is designed to improve the security of websites. However, when strict mode is enabled in the policy configuration, be aware that it may cause some false positives for legitimate business traffic. Strict mode is therefore better suited to websites with poor performance or unsatisfactory protection results. Note that website domain name services have natural protection against common Layer 4 attacks. For most website services, we therefore recommend that you do not enable strict mode in AI intelligent protection, but use the default normal mode to balance protection and business continuity.
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Network attack response
Check item: DDoS attack on an EIP exceeds the defense threshold (new in 3.0 model).
Description: When an EIP is subjected to a large-traffic DDoS attack and the peak bandwidth (bps) of the attack traffic exceeds its DDoS mitigation capability, the Alibaba Cloud blackhole filtering policy temporarily blocks traffic between Alibaba Cloud products and the Internet. This limits the damage that the DDoS attack can do to Alibaba Cloud products and prevents an attack on a single cloud product from affecting the normal operation of other assets, but it also interrupts normal network communication. An EIP is considered non-compliant if its DDoS protection status is "Black Hole Activated".
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Network attack response
Check item: DDoS attack on an SLB instance exceeds the defense threshold (new in 3.0 model).
Description: When an SLB instance is subjected to a large-traffic DDoS attack and the peak bandwidth (bps) of the attack traffic exceeds its DDoS mitigation capability, the Alibaba Cloud blackhole filtering policy temporarily blocks traffic between Alibaba Cloud products and the Internet. This limits the damage that the DDoS attack can do to Alibaba Cloud products and prevents an attack on a single cloud product from affecting the normal operation of other assets, but it also interrupts normal network communication. An SLB instance is considered non-compliant if its DDoS protection status is "Black Hole Activated".
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Network attack response
Check item: Attack on an Anti-DDoS Pro or Anti-DDoS Premium instance exceeds the defense threshold (new in 3.0 model).
Description: For services that have been connected to Anti-DDoS Pro or Anti-DDoS Premium, when the attack traffic exceeds the protection bandwidth of the Anti-DDoS Pro or Anti-DDoS Premium instance, the instance enters a blackhole and all service traffic forwarded through the instance is blocked, making the service inaccessible. An Anti-DDoS Pro or Anti-DDoS Premium instance is considered non-compliant if the status of its Anti-DDoS IP is "Black Hole Activated".
Quick fix description: Quick fixes are not supported.
Decision support: No

Category: Network attack response
Check item: DDoS attack on an ECS instance exceeds the defense threshold (new in 3.0 model).
Description: When an ECS instance is subjected to a large-traffic DDoS attack and the peak bandwidth (bps) of the attack traffic exceeds its DDoS mitigation capability, the Alibaba Cloud blackhole filtering policy temporarily blocks traffic between Alibaba Cloud products and the Internet. This limits the damage that the DDoS attack can do to Alibaba Cloud products and prevents an attack on a single cloud product from affecting the normal operation of other assets, but it also interrupts normal network communication. An ECS instance with a public IP address is considered non-compliant if its DDoS protection status is "Black Hole Activated".
Quick fix description: Quick fixes are not supported.
Decision support: No

Data access control

The OSS bucket has an access rule for accounts outside the organization.

Ensure that the OSS bucket is accessible only to accounts within the organization to prevent data breach risks. An OSS bucket that allows access from accounts outside the organization is considered non-compliant.

Quick fixes are not supported.

No

Data access control

Public read is enabled for the OSS bucket.

Prevent the content of an OSS bucket from being publicly readable to ensure data confidentiality and security. An OSS bucket set to public-read is considered non-compliant.

Quick fixes are not supported.

No

Data access control

Public write is enabled for the OSS bucket.

OSS supports public access by setting a bucket policy and ACL. Public write means that any OSS resource can be modified or new file objects can be uploaded to the bucket without specific permissions or authentication. Public write means that anyone can upload and modify data in the OSS bucket, which can easily lead to data breaches and the risk of generating large costs due to malicious access. As a best practice, we recommend that you disable public write permissions for OSS buckets and access data in OSS buckets only through URL signing or APIs. When either the OSS bucket policy or ACL contains public write semantics, the OSS bucket may have a security risk of being publicly written to, which does not comply with best practices.

Quick fixes are not supported.

No

Data access control

The OSS bucket has an access rule for anonymous accounts.

Implementing the principle of least privilege is fundamental to reducing security risks and minimizing the impact of errors or malicious behavior. If an OSS bucket policy allows anonymous access, it may lead to data exfiltration by attackers. In addition, if an external account is controlled by a malicious attacker, your data may be tampered with or deleted. This not only threatens the integrity and confidentiality of the data, but may also lead to business interruptions and legal issues. As a best practice, we recommend that you prohibit anonymous access to OSS buckets through policies. A bucket policy is not in compliance with best practices if it contains a policy that allows anonymous access, that is, the authorized user is all accounts (*) and the effect is allow.

Quick fixes are not supported.

No
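The three OSS check items above (public read, public write, and an anonymous-access rule) all reduce to inspecting the bucket ACL and the Allow statements of the bucket policy whose principal is `*`. The following is an added example of that evaluation, written for this page rather than taken from Cloud Governance Center; the set of write actions and the sample policy documents are constructed for the example, and a statement's Condition element is deliberately ignored so that conditional public grants are still surfaced for review.

```python
import json
from typing import List

# Actions that grant write access to objects or to the bucket itself.
# Constructed list for this example; OSS documents the full action set.
WRITE_ACTIONS = {
    "oss:PutObject", "oss:PostObject", "oss:DeleteObject",
    "oss:AbortMultipartUpload", "oss:PutObjectAcl", "oss:RestoreObject",
    "oss:PutBucketAcl", "oss:DeleteBucket",
}


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_write(actions: List[str]) -> bool:
    """True if any action, including wildcard forms, covers a write operation."""
    for action in actions:
        if action in ("*", "oss:*") or action in WRITE_ACTIONS:
            return True
        if action.endswith("*"):  # e.g. "oss:Put*" matches oss:PutObject
            prefix = action[:-1]
            if any(w.startswith(prefix) for w in WRITE_ACTIONS):
                return True
    return False


def check_bucket(acl: str, policy_json: str) -> List[str]:
    """Return findings for one bucket; an empty list means compliant.

    acl:         bucket ACL as OSS reports it (private, public-read, public-read-write)
    policy_json: the bucket policy document, or "" when no policy is attached
    """
    findings = []
    if acl in ("public-read", "public-read-write"):
        findings.append("ACL grants public read")
    if acl == "public-read-write":
        findings.append("ACL grants public write")

    policy = json.loads(policy_json) if policy_json else {}
    for idx, stmt in enumerate(policy.get("Statement", [])):
        # Only Allow statements for the anonymous principal "*" matter here.
        # Conditions are ignored on purpose: a conditional public grant is
        # still reported so that a human reviews it.
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Principal")):
            continue
        findings.append(f"statement {idx}: Allow for anonymous principal (*)")
        actions = _as_list(stmt.get("Action"))
        if _grants_write(actions):
            findings.append(f"statement {idx}: anonymous write via {actions}")
    return findings


# Constructed sample policies; the bucket names and account ID are placeholders.
READ_ONLY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:example-bucket/*"]},
        {"Effect": "Allow", "Action": ["oss:PutObject"], "Principal": ["123456789012"],
         "Resource": ["acs:oss:*:*:example-bucket/*"]},
    ],
})
OPEN_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "oss:*", "Principal": "*",
         "Resource": "acs:oss:*:*:example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for acl, policy in [("private", READ_ONLY_POLICY),
                        ("public-read-write", OPEN_POLICY),
                        ("private", "")]:
        print(acl, check_bucket(acl, policy) or "compliant")
```

The ACL and the policy are evaluated independently because either one alone is enough to make the bucket non-compliant; a private ACL does not neutralise a policy statement that grants `oss:*` to `*`.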

Data protection in transit

HTTPS listener is not enabled for SLB.

Ensure that Server Load Balancer (SLB) has an HTTPS listener enabled to encrypt data in transit using the TLS protocol. An SLB instance without an enabled HTTPS listener is considered non-compliant.

Quick fixes are not supported.

No

Data protection in transit

The SLB server certificate will expire in less than 15 days.

Ensure that the server certificate used by the SLB instance will not expire within 15 days to avoid transmission encryption failure due to certificate expiration. The configuration is considered non-compliant if the remaining validity period of the SLB server certificate is less than or equal to 15 days.

Quick fixes are not supported.

No

Data protection in transit

The certificate in the SSL Certificate service will expire in 15 days.

After an SSL Certificate expires, the client will not be able to verify the identity of the server, which may cause users to be unable to access the service or receive warnings, affecting the user experience. Failure to update the certificate in time may lead to a decrease in service availability, a decrease in customer trust, and even data breaches. In addition, certificate renewal and updates often require a certain period of time. It is recommended to reserve sufficient time to update the certificate to avoid service interruptions. A certificate in the digital certificate management service is not in compliance with best practices if its expiration time is less than or equal to 15 days.

Quick fixes are not supported.

No

Data protection in transit

HTTPS force redirect is not configured for the independent domain name of API Gateway.

Providing external APIs only using the HTTP protocol may bring data security risks. Because the communication content of the HTTP protocol is transmitted in plaintext, attackers can easily obtain and view the communication content, thereby obtaining sensitive information, such as user credentials and private data, which can lead to data breaches. As a best practice, it is recommended to use the HTTPS protocol for externally provided APIs and force redirect requests on HTTP listeners to HTTPS listeners to ensure that data is encrypted during transmission. The configuration is not in compliance with best practices if HTTPS force redirect is not configured for the independent domain name associated with API Gateway.

Quick fixes are not supported.

No

Data protection in transit

HTTPS is not configured for the CDN domain name.

Providing external services only using the HTTP protocol for CDN may bring data security risks. Because the communication content of the HTTP protocol is transmitted in plaintext, attackers can easily obtain and view the communication content, thereby obtaining sensitive information, such as user credentials and private data, which can lead to data breaches. As a best practice, it is recommended to use the HTTPS protocol for externally provided CDN domain names and force redirect requests on HTTP listeners to HTTPS listeners to ensure that data is encrypted during transmission. The configuration is not in compliance with best practices if the HTTPS secure acceleration feature is not enabled for the CDN domain name.

Quick fixes are not supported.

No

Data protection in transit

HTTP to HTTPS force redirect is not configured for the CDN domain name.

Providing external services only using the HTTP protocol for CDN may bring data security risks. Because the communication content of the HTTP protocol is transmitted in plaintext, attackers can easily obtain and view the communication content, thereby obtaining sensitive information, such as user credentials and private data, which can lead to data breaches. As a best practice, it is recommended to use the HTTPS protocol for externally provided CDN domain names and force redirect requests on HTTP listeners to HTTPS listeners to ensure that data is encrypted during transmission. The configuration is not in compliance with best practices if the force redirect type in the HTTPS configuration of the CDN domain name is not set to HTTP -> HTTPS.

Quick fixes are not supported.

No

Data protection in transit

The Elasticsearch instance does not use the HTTPS transmission protocol.

Providing services only using the HTTP protocol for an Elasticsearch instance may bring data security risks. Because the communication content of the HTTP protocol is transmitted in plaintext, attackers can easily obtain and view the communication content, thereby obtaining sensitive information, which can lead to data breaches. As a best practice, it is recommended to use the HTTPS protocol to access Elasticsearch within applications or clients to ensure that data is encrypted during transmission. The configuration is in compliance with best practices if the switch to use the HTTPS protocol is turned on in the cluster network settings of the Elasticsearch instance.

Quick fixes are not supported.

No

Data protection in transit

TLS v1.2 is not enabled for an ESA site.

This check item ensures that the site has TLS v1.2 enabled, using a newer protocol version to improve the security level of the website. If it is not enabled, it is not in compliance with the best practices for data transmission security.

Quick fixes are not supported.

No

Data protection in transit

HSTS is not enabled for an ESA site.

This check item ensures that the site has HTTP Strict Transport Security (HSTS) enabled to reduce the risk of being hijacked during the first visit. If it is not enabled, it is not in compliance with the best practices for data transmission security.

Quick fixes are not supported.

No

Data protection in transit

Force HTTPS is not enabled for an ESA site.

This check item ensures that force HTTPS is enabled for the site, so that HTTP requests from clients to ESA edge nodes are forcibly redirected to HTTPS. If it is not enabled, the site is not in compliance with the best practices for data transmission security.

Quick fixes are not supported.

No
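The API Gateway, CDN and ESA check items above (force redirect to HTTPS, HSTS, and TLS v1.2 or newer) are configuration checks, but each one has an observable effect on the wire that a defender can verify from outside. The following is an added example, not code from Cloud Governance Center, that evaluates one site from a captured plain-HTTP response, the HTTPS response headers, and the negotiated TLS version; the two observations at the bottom are constructed for hypothetical sites.

```python
import re
from typing import Dict, List, Optional

# Relative ordering of protocol versions as Python's ssl module names them.
TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_max_age(value: Optional[str]) -> Optional[int]:
    """max-age from a Strict-Transport-Security header, or None if absent/malformed."""
    if not value:
        return None
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def assess_transport(http_status: int, http_headers: Dict[str, str],
                     https_headers: Dict[str, str], tls_version: str) -> Dict[str, bool]:
    """One boolean per check item; True means the site passes that check."""
    location = _header(http_headers, "Location") or ""
    # Force redirect: the plain-HTTP request must be answered with a redirect
    # whose target is an https:// URL.
    force_https = http_status in (301, 302, 307, 308) and location.lower().startswith("https://")
    # HSTS: header present on the HTTPS response with a positive max-age
    # (max-age=0 is how a site *withdraws* HSTS, so it does not count).
    max_age = hsts_max_age(_header(https_headers, "Strict-Transport-Security"))
    hsts = max_age is not None and max_age > 0
    tls_ok = TLS_RANK.get(tls_version, 0) >= TLS_RANK["TLSv1.2"]
    return {"force_https_redirect": force_https, "hsts_enabled": hsts, "tls12_or_newer": tls_ok}


def failing_checks(result: Dict[str, bool]) -> List[str]:
    return [name for name, ok in result.items() if not ok]


# Constructed observations for two hypothetical sites (not real hosts).
HARDENED = dict(
    http_status=301,
    http_headers={"Location": "https://www.example.com/"},
    https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    tls_version="TLSv1.3",
)
WEAK = dict(
    http_status=200,
    http_headers={"Content-Type": "text/html"},
    https_headers={"Server": "example"},
    tls_version="TLSv1.1",
)

if __name__ == "__main__":
    for label, obs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, failing_checks(assess_transport(**obs)) or "all checks pass")
```

In practice the three inputs come from one plain `http://` request, one `https://` request, and `ssl.SSLSocket.version()` on the TLS connection; the evaluation itself is kept free of network calls so it can run against recorded observations.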

Data protection in transit

The SSL certificate used by CDN is about to expire (new in 3.0 model).

Ensure that the SSL/TLS certificate bound to the domain name is within its validity period to avoid security risks and business interruptions caused by certificate expiration. The configuration is considered non-compliant if the number of days remaining before the CDN certificate expires is less than the number of days specified by the parameter (default is 15 days).

Quick fixes are not supported.

No
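The certificate check items above differ only in the comparison they apply: the SLB and SSL Certificate service items report a certificate when its remaining validity is less than or equal to 15 days, while the CDN item reports it when the remaining days are strictly less than the configured threshold. The following added example, written for this page and not taken from Cloud Governance Center, applies those comparisons to a small constructed inventory; `notAfter` strings use the format Python's `ssl` module returns from `getpeercert()`, and the reference time is fixed so the result is reproducible.

```python
import ssl
from datetime import datetime, timezone
from typing import Dict, List

# Per the check items: SLB and the SSL Certificate service ("cas") use
# "<= threshold", CDN uses "< threshold". Service keys are this example's own.
INCLUSIVE_THRESHOLD = {"slb": True, "cas": True, "cdn": False}


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def evaluate_certificates(inventory: List[Dict[str, str]], now: datetime,
                          threshold_days: int = 15) -> List[Dict[str, object]]:
    """Return one finding per certificate that breaches its service's threshold."""
    findings = []
    for cert in inventory:
        days = days_until_expiry(cert["notAfter"], now)
        inclusive = INCLUSIVE_THRESHOLD.get(cert["service"], True)  # default to the stricter rule
        breached = days <= threshold_days if inclusive else days < threshold_days
        if breached:
            findings.append({
                "service": cert["service"],
                "name": cert["name"],
                "days_remaining": days,
                "expired": days < 0,   # already expired certificates need immediate action
            })
    return findings


# Constructed inventory; names are placeholders, not real resources.
REFERENCE_NOW = datetime(2025, 7, 31, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"service": "slb", "name": "lb-example-a",     "notAfter": "Aug 15 00:00:00 2025 GMT"},
    {"service": "cdn", "name": "cdn.example.com",  "notAfter": "Aug 15 00:00:00 2025 GMT"},
    {"service": "cas", "name": "api-example-cert", "notAfter": "Jul 20 00:00:00 2025 GMT"},
    {"service": "slb", "name": "lb-example-b",     "notAfter": "Dec 01 00:00:00 2025 GMT"},
]

if __name__ == "__main__":
    for finding in evaluate_certificates(SAMPLE_INVENTORY, REFERENCE_NOW):
        print(finding)
```

Note that the same `notAfter` value (15 days out) is reported for the SLB certificate but not for the CDN certificate, which is exactly the boundary difference the two check items describe; an inventory pipeline should therefore carry the service type alongside each certificate rather than applying one comparison to all of them.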

Data-at-rest encryption

TDE is not enabled for PolarDB (new in 3.0 model).

Transparent data encryption (TDE) performs real-time I/O encryption and decryption on data files. Data is encrypted before being written to disk and decrypted when read from disk into memory. Not enabling the TDE feature for PolarDB can lead to risks of data breaches, unauthorized access, or tampering. A PolarDB cluster without TDE enabled is considered non-compliant.

Quick fixes are not supported.

No

Data-at-rest encryption

TDE is not enabled for RDS (new in 3.0 model).

In scenarios such as security compliance or data-at-rest encryption, it is recommended to use the transparent data encryption (TDE) feature to perform real-time I/O encryption and decryption on data files. By performing data-at-rest encryption at the database layer, it can effectively prevent possible attackers from bypassing the database to directly read sensitive information from storage, thereby effectively improving the security of sensitive data in the database. An RDS instance without TDE enabled is considered non-compliant.

Quick fixes are not supported.

No

Data masking

Sensitive data detection is not enabled in Data Security Center (new in 3.0 model).

Sensitive data mainly includes high-value data such as customer information, technical data, and personal information, which exists in various forms in the assets of Alibaba Cloud users. The leakage of sensitive data can cause serious financial and brand damage to enterprises. Data Security Center can scan data sources such as MaxCompute, OSS, Alibaba Cloud database services (RDS, PolarDB-X, PolarDB, OceanBase, Tablestore), and self-managed databases against predefined sensitive data fields, and classifies data as sensitive based on the number of hits on the sensitive data rules. The configuration is considered non-compliant if sensitive data detection is not enabled in Data Security Center.

Quick fixes are not supported.

No

Security event response and recovery

Security Center is not used for security protection (new in 3.0 model).

Cloud assets face many security threats, such as virus propagation, cyberattacks, ransomware encryption, and vulnerability exploits. Security Center provides security capabilities such as asset management, configuration checks, and active defense. You can build a security defense system for your cloud assets by purchasing appropriate security protection services. The configuration is considered non-compliant if the version of Security Center used is not higher than the Basic Edition.

Quick fixes are not supported.

No

Security event response and recovery

Alerts to be processed exist in Security Center.

Security alert events are threats detected by Security Center in your servers or cloud products, covering security alert types such as web tamper proofing, process anomalies, web shells, unusual logons, and malicious processes. Timely processing of alerts can improve the security posture of your assets. The configuration is considered non-compliant if the number of unprocessed alerts is greater than 0.

Quick fixes are not supported.

No

Network access control

The network type of the ECS launch template is set to classic network (new in 3.0 model).

Users in a classic network cannot achieve network-level isolation, and multiple tenants are in the same IP pool. Users also cannot implement custom network topologies and IP addresses. If an application exposed in a classic network has a vulnerability, it may be attacked by other tenants on the cloud. A virtual private cloud (VPC) provides a higher level of security measures at multiple levels. For enterprises and organizations that value data security, using a VPC is undoubtedly a better choice. The configuration is non-compliant if the network type in the ECS launch template configuration is set to classic network.

Quick fixes are not supported.

No

Network access control

The inbound rule of the security group associated with the Auto Scaling scaling group is set to 0.0.0.0/0 and any port (new in 3.0 model).

After a scale-out activity is triggered, Auto Scaling automatically creates ECS instances based on the scaling configuration. If the security group rule associated with the Auto Scaling scaling group configuration allows access from all IP addresses (0.0.0.0/0) on any port, the created ECS instances will have security risks. The configuration is considered non-compliant if the inbound rule of the security group associated with the Auto Scaling scaling group configuration contains 0.0.0.0/0 and does not specify a specific port.

Quick fixes are not supported.

No

Network access control

The API Server of the ACK cluster has a public endpoint enabled (new in 3.0 model).

Setting a public endpoint for an ACK cluster increases the risk of various resource objects (such as Pods, Services, and ReplicationControllers) being attacked from the Internet. It is not recommended to set a public endpoint. An ACK cluster with a public endpoint set is non-compliant.

Quick fixes are not supported.

No

Network access control

The master node of the EMR cluster has a public endpoint enabled (new in 3.0 model).

If a public IP address is assigned to the master node of an EMR cluster, it significantly increases the risk of being attacked in a public network environment. Attackers may scan, intrude, or perform other malicious behaviors on the master node through the exposed public IP, thereby threatening the security of the entire cluster. An EMR cluster with a public connection set is non-compliant.

Quick fixes are not supported.

No

Network access control

Binding a public address to an ECS instance is not prohibited.

To reduce the risk of being attacked, it is recommended to prevent ECS instances from being directly exposed to the Internet and to access the Internet through a NAT Gateway or Server Load Balancer. An ECS instance bound to a public address is considered non-compliant.

Quick fixes are not supported.

No

Network access control

The inbound rule of the security group is set to 0.0.0.0/0 and any port.

Prohibit security group rules from allowing access from all IP addresses (0.0.0.0/0) on any port. Access must be restricted to specific IP ranges and ports. A security group is considered non-compliant if its inbound rule contains 0.0.0.0/0 and does not specify a specific port.

Quick fixes are not supported.

No

Network access control

The security group opens vulnerable ports (22/3389/...) to the Internet.

Prohibit security group rules from allowing public access to vulnerable ports such as SSH (22) and RDP (3389) to prevent network attacks and unauthorized access. A security group is considered non-compliant if it opens vulnerable ports such as SSH (22) and RDP (3389) to the Internet.

Quick fixes are not supported.

No
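The two security group check items above (and the Auto Scaling variant earlier in this table) can be evaluated from the ingress rules of a security group: a rule counts as "any port" when its source covers every address and its port range covers every port, and a rule exposes a vulnerable port when that port falls inside its range. The following added example, written for this page rather than taken from Cloud Governance Center, implements both checks; the rule records are constructed to resemble the Permission objects returned by the ECS DescribeSecurityGroupAttribute API (Direction, Policy, IpProtocol, PortRange, SourceCidrIp), which is an assumption of the example, and the sensitive-port list is limited to the ports the check item names.

```python
import ipaddress
from typing import Dict, List, Tuple

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}   # the ports the check item names; extend as needed
ALL_PORTS = (1, 65535)


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """'22/22' -> (22, 22); ECS uses '-1/-1' to mean every port."""
    lo, hi = (int(part) for part in port_range.split("/"))
    if (lo, hi) == (-1, -1):
        return ALL_PORTS
    return lo, hi


def is_any_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0. Security-group IDs used as sources are not CIDRs."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def evaluate_security_group(sg_id: str, permissions: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (sg_id, kind, detail) findings; kind is 'any_port' or 'sensitive_port'."""
    findings = []
    for rule in permissions:
        # Only ingress Accept rules widen exposure; Drop rules and egress are skipped.
        if rule.get("Direction") != "ingress" or rule.get("Policy", "Accept") != "Accept":
            continue
        source = rule.get("SourceCidrIp") or rule.get("Ipv6SourceCidrIp") or ""
        if not is_any_source(source):
            continue
        proto = rule.get("IpProtocol", "").upper()
        if proto not in ("TCP", "UDP", "ALL"):
            continue   # ICMP / GRE rules carry no port semantics
        lo, hi = parse_port_range(rule.get("PortRange", "-1/-1"))
        if (lo, hi) == ALL_PORTS:
            findings.append((sg_id, "any_port", f"{proto} all ports from {source}"))
        if proto in ("TCP", "ALL"):   # SSH and RDP are TCP services
            for port, service in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg_id, "sensitive_port", f"{service} ({port}) from {source}"))
    return findings


# Constructed rule set for a hypothetical security group (IDs are placeholders).
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",     "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1",     "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443",   "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "10.0.0.0/8"},
    {"Direction": "egress",  "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1",     "DestCidrIp":   "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in evaluate_security_group("sg-example", SAMPLE_RULES):
        print(finding)
```

Because the check is a range test rather than an exact match, a rule such as `1/1024` from `0.0.0.0/0` is reported for SSH even though it never names port 22 explicitly, which is the case a literal string comparison on the port field would miss.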

Network access control

A whitelist is not set for the MaxCompute project (new in 3.0 model).

After the whitelist feature is enabled for a MaxCompute project, only devices in the whitelist are allowed to access the project space. If the whitelist feature is not enabled for a MaxCompute project, all IPs using public endpoints can access the MaxCompute project, posing a risk of Internet exposure. A MaxCompute project is considered non-compliant if it is configured for external network access and the IP whitelist feature is not enabled.

Quick fixes are not supported.

No

Network access control

Public access and classic network access are enabled for the Tablestore instance.

Tablestore creates a public domain name, a VPC domain name, and a classic network domain name for each instance by default. The public domain name is visible to the Internet, and any user can access Tablestore resources through the public domain name on the Internet. The classic network domain name is visible to ECS servers in the same region, and applications can access the instance from classic network ECS servers in the same region through the classic network domain name. As a best practice, it is recommended that the instance only allow access from the console or a VPC. Restricting access to the instance from the Internet or a classic network can provide better network isolation and improve data security. A Tablestore instance is in compliance with best practices if its network type is set to "Console or VPC Access Only" or "Bound VPC Access Only".

Quick fixes are not supported.

No

Network access control

The PolarDB instance has a public endpoint enabled and no whitelist is set.

Opening public access for a database may bring security risks. Once a database is open to the public, it may be exposed to malicious attackers. In addition, if proper access control is not in place on top of public exposure, it can easily lead to data breaches or damage. As a best practice, it is recommended to only allow database instances to be accessed from within a VPC, set an appropriate IP whitelist, and set complex accounts and passwords for the database. A cluster is not in compliance with best practices if it has a public endpoint enabled and the whitelist is set to 0.0.0.0/0.

Quick fixes are not supported.

No

Network access control

The Redis instance has a public endpoint enabled and no whitelist is set.

Opening public access for a database may bring security risks. Once a database is open to the public, it may be exposed to malicious attackers. In addition, if proper access control is not in place on top of public exposure, it can easily lead to data breaches or damage. As a best practice, it is recommended to only allow database instances to be accessed from within a VPC, set an appropriate IP whitelist, and set complex accounts and passwords for the database. An instance is not in compliance with best practices if it has a public endpoint enabled and the whitelist is set to 0.0.0.0/0.

Quick fixes are not supported.

No

Network access control

The MongoDB instance has a public endpoint enabled and no whitelist is set.

Opening public access for a database may bring security risks. Once a database is open to the public, it may be exposed to malicious attackers. In addition, if proper access control is not in place on top of public exposure, it can easily lead to data breaches or damage. As a best practice, it is recommended to only allow database instances to be accessed from within a VPC, set an appropriate IP whitelist, and set complex accounts and passwords for the database. An instance is not in compliance with best practices if it has a public endpoint enabled and the whitelist is set to 0.0.0.0/0.

Quick fixes are not supported.

No

Network access control

The RDS instance has a public endpoint enabled and no whitelist is set.

Opening public access for a database may bring security risks. Once a database is open to the public, it may be exposed to malicious attackers. In addition, if proper access control is not in place on top of public exposure, it can easily lead to data breaches or damage. As a best practice, it is recommended to only allow database instances to be accessed from within a VPC, set an appropriate IP whitelist, and set complex accounts and passwords for the database. An instance is not in compliance with best practices if it has a public endpoint enabled and the whitelist is set to 0.0.0.0/0.

Quick fixes are not supported.

No

Network access control

The Elasticsearch instance has a public endpoint enabled and no whitelist is set.

Opening public access for Elasticsearch may bring security risks. Once an instance is open to the public, it may be exposed to malicious attackers. In addition, if proper access control is not in place on top of public exposure, it can easily lead to data breaches or damage. As a best practice, it is recommended to only allow Elasticsearch instances to be accessed from within a VPC, set an appropriate IP whitelist, and configure proper access control. An instance is not in compliance with best practices if it has a public endpoint enabled and the whitelist is set to 0.0.0.0/0.

Quick fixes are not supported.

No

Network access control

The Kibana service of the Elasticsearch instance has a public endpoint enabled.

Opening public access for Kibana may bring security risks. Once an instance is open to the public, it may be exposed to malicious attackers. In addition, if proper access control is not in place on top of public exposure, it can easily lead to data breaches or damage. As a best practice, it is recommended to only allow Kibana instances to be accessed from within a VPC, set an appropriate IP whitelist, and configure proper access control. The configuration is not in compliance with best practices if the Kibana service of an Elasticsearch instance has public access enabled.

Quick fixes are not supported.

No
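The PolarDB, Redis, MongoDB, RDS and Elasticsearch check items above share one condition: the instance has a public endpoint and its IP whitelist contains 0.0.0.0/0. The following is an added example, not code from Cloud Governance Center, that applies that condition across an engine-agnostic inventory; the instance records are constructed, and the whitelist shape (a group name mapped to a comma-separated entry list, as the RDS console presents whitelists) is an assumption of the example. It also treats ::/0 as open, which goes slightly beyond the 0.0.0.0/0 case the text names.

```python
import ipaddress
from typing import Dict, List, Optional


def open_entries(whitelist: Dict[str, str]) -> List[str]:
    """Whitelist entries that admit every source address (prefix length 0)."""
    hits = []
    for group, entries in whitelist.items():
        for raw in entries.split(","):
            entry = raw.strip()
            if not entry:
                continue
            try:
                if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                    hits.append(f"{group}:{entry}")
            except ValueError:
                pass   # non-CIDR syntax (for example "%" wildcards) is not evaluated here
    return hits


def evaluate_instance(inst: Dict[str, object]) -> Optional[str]:
    """Finding text when the instance is non-compliant, else None."""
    if not inst["public_endpoint"]:
        return None            # no public endpoint: out of scope for this check item
    hits = open_entries(inst["whitelist"])
    if not hits:
        return None            # public endpoint but a restrictive whitelist
    return f"{inst['engine']} {inst['id']}: public endpoint with open whitelist {hits}"


def evaluate_instances(instances: List[Dict[str, object]]) -> List[str]:
    return [finding for finding in (evaluate_instance(i) for i in instances) if finding]


# Constructed inventory; IDs and addresses are placeholders.
SAMPLE_INSTANCES = [
    {"id": "rm-example-1", "engine": "rds",           "public_endpoint": True,
     "whitelist": {"default": "0.0.0.0/0"}},
    {"id": "r-example-2",  "engine": "redis",         "public_endpoint": True,
     "whitelist": {"default": "203.0.113.10,198.51.100.0/24"}},
    {"id": "pc-example-3", "engine": "polardb",       "public_endpoint": False,
     "whitelist": {"default": "0.0.0.0/0"}},
    {"id": "es-example-4", "engine": "elasticsearch", "public_endpoint": True,
     "whitelist": {"default": "127.0.0.1, ::/0"}},
]

if __name__ == "__main__":
    for finding in evaluate_instances(SAMPLE_INSTANCES):
        print(finding)
```

The PolarDB record in the sample is compliant under the check item as written because it has no public endpoint, but an open whitelist on a VPC-only instance still removes the second layer of the defence the description recommends, so an internal review would reasonably report it separately.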

Network protection

Cloud Firewall does not protect all public assets.

This check item ensures that all public assets are protected by Cloud Firewall. The configuration is not in compliance with network security best practices if you use Cloud Firewall, but there are assets that are assigned public IP addresses for which Internet firewall protection is not enabled.

Quick fixes are not supported.

No

Network protection

No ACL policy is created for Cloud Firewall.

After the firewall switch is turned on, if you do not configure an access control (ACL) policy, Cloud Firewall allows all traffic by default in the access control policy matching process. You can configure traffic blocking and allowing policies for different firewalls based on your business needs to better control unauthorized access to your assets. The configuration is not in compliance with network security best practices if you use Cloud Firewall but have not created an access control policy.

Quick fixes are not supported.

No

Network protection

The protection bandwidth specification of Cloud Firewall is insufficient.

This check item ensures that the specification of Cloud Firewall is reasonable in terms of protection bandwidth. The configuration is not in compliance with network security best practices if you use Cloud Firewall, but the actual peak bandwidth in the last 30 days exceeds the purchased protection bandwidth.

Quick fixes are not supported.

No

Network protection

Cloud Firewall is not used to protect network traffic.

Alibaba Cloud Firewall is a SaaS firewall on the cloud platform that can achieve unified security isolation and control for the Internet border, VPC border, and host border of your cloud network assets. It is the first network defense line for your business on the cloud. The configuration is not in compliance with network security best practices if you do not use Cloud Firewall.

Quick fixes are not supported.

No

Network protection

The number of available authorizations for Cloud Firewall is insufficient.

This check item ensures that the specification of Cloud Firewall is reasonable in terms of the number of available authorizations. The configuration is not in compliance with network security best practices if you use Cloud Firewall, but the number of assets that are assigned public IP addresses for which Internet firewall protection is not enabled exceeds the number of available protection authorizations.

Quick fixes are not supported.

No

Network protection

Basic defense is not enabled for Cloud Firewall IPS.

The basic defense feature should be enabled for the intrusion prevention system (IPS) module of Cloud Firewall. Basic defense provides basic intrusion prevention capabilities, including brute-force attack interception, command execution vulnerability interception, and control over post-infection connections to C&C (command and control) servers, providing basic protection for your assets. The configuration is not in compliance with network security best practices if you use Cloud Firewall but have not enabled this feature.

Quick fixes are not supported.

No

Network protection

Virtual patching is not enabled for Cloud Firewall IPS.

The virtual patching feature should be enabled for the intrusion prevention system (IPS) module of Cloud Firewall. Cloud Firewall can provide real-time protection for you against popular high-risk vulnerabilities and emergency vulnerabilities. Virtual patching provides hot patches at the network layer for high-risk and emergency vulnerabilities that can be remotely exploited, and intercepts vulnerability attack behaviors in real time, avoiding business interruptions when fixing host vulnerabilities. The configuration is not in compliance with network security best practices if you use Cloud Firewall but have not enabled this feature.

Quick fixes are not supported.

No

Network protection

Threat intelligence is not enabled for Cloud Firewall IPS.

The threat intelligence feature should be enabled for the intrusion prevention system (IPS) module of Cloud Firewall to scan and detect threat intelligence and provide central control intelligence blocking. The configuration is not in compliance with network security best practices if you use Cloud Firewall but have not enabled this feature.

Quick fixes are not supported.

No

Network protection

VPC access traffic is not fully protected by VPC firewalls.

This check item requires that all VPC access traffic must be protected by the virtual private cloud (VPC) firewalls of Cloud Firewall to reduce the risk of internal private network traffic. The configuration is not in compliance with network security best practices if you use Cloud Firewall, but there is VPC access traffic for which VPC firewall is not enabled.

Quick fixes are not supported.

No

Network protection

A default deny policy is not configured for Cloud Firewall.

To ensure network security, Cloud Firewall should be configured with a default deny policy (that is, an IPv4 address version policy where the source and destination of inbound/outbound access are both 0.0.0.0/0 and the action is deny). Except for explicitly allowed trusted traffic, all other traffic should be blocked by default. The configuration is not in compliance with network security best practices if you use Cloud Firewall but have not configured a default deny policy.

Quick fixes are not supported.

No

Network protection

Block Mode is not enabled for Cloud Firewall IPS.

The intrusion prevention system (IPS) module of Cloud Firewall should be configured in Block Mode to intercept malicious traffic and block intrusion activities. The configuration is not in compliance with network security best practices if you use Cloud Firewall but have not enabled this feature.

Quick fixes are not supported.

No

Network protection

NAT gateways are not fully protected by NAT firewalls.

To reduce the risk of private network access to the Internet, all NAT Gateway instances should be connected to Cloud Firewall NAT firewalls for protection. The configuration is not in compliance with network security best practices if you use Cloud Firewall, but there are NAT gateways for which protection is not enabled.

Quick fixes are not supported.

No

Stability

Category

Check item

Description

Quick fix description

Decision support

Instance types

ECS instance uses a shared or discontinued instance type.

Using a shared or discontinued instance type for an ECS instance cannot guarantee stable computing performance. An ECS instance of a discontinued or shared instance family is considered non-compliant.

Quick fixes are not supported.

No

Instance types

Elasticsearch instance uses a development and testing instance type.

An Elasticsearch instance with a 1-core 2 GB specification is only suitable for testing scenarios and not for production environments. An Elasticsearch instance with a 1-core 2 GB specification is considered non-compliant.

Quick fixes are not supported.

No

Instance types

RDS instance uses a Basic Edition instance type.

An RDS Basic Edition instance has only one database node and no secondary node for hot backup. Therefore, when the node unexpectedly fails or tasks such as restarting the instance, changing the configuration, or upgrading the version are performed, it will be unavailable for an extended period. At the same time, the shared and general-purpose specifications in the RDS instance family share resources with other instances on the same physical machine and are only applicable to application scenarios with low stability requirements. If your business has high availability requirements for the database, it is recommended to use the High-availability/Cluster Edition for the product series and the Dedicated type for the instance family. The configuration is considered non-compliant if the RDS product series does not use the High-availability/Cluster Edition, or the RDS instance family does not use the Dedicated specification.

Quick fixes are not supported.

No

Instance types

ACK uses a Basic Edition of managed cluster.

Compared with the original managed edition, the ACK Pro managed edition further enhances the reliability, security, and scheduling of the cluster, and is suitable for large-scale businesses in a production environment. A managed cluster that is not the Pro edition is considered non-compliant.

Quick fixes are not supported.

No

Instance types

The Redis instance uses an open source edition instance type.

Redis Enterprise Edition provides stronger performance, more data structures, and more flexible storage methods. A Redis instance that is not an Enterprise Edition is considered non-compliant.

Quick fixes are not supported.

No

Instance types

The MongoDB instance uses a standalone instance type.

When a MongoDB instance uses a single-node architecture, fault recovery takes a long time and there is no SLA guarantee. A MongoDB instance that is not multi-zone is considered non-compliant.

Quick fixes are not supported.

No

Instance types

The ApsaraMQ for RocketMQ instance uses a Standard Edition instance type.

The Standard Edition of ApsaraMQ for RocketMQ uses a shared instance and is not recommended for use in a production environment. A shared edition of an ApsaraMQ for RocketMQ instance is considered non-compliant.

Quick fixes are not supported.

No

Stable versions

ECS instance uses an expired OS version.

An ECS instance that uses an unsupported OS version is considered non-compliant.

Quick fixes are not supported.

No

Stable versions

Elasticsearch instance uses a non-recommended version.

An Elasticsearch instance is considered non-compliant if its version is within the non-recommended version range.

Quick fixes are not supported.

No

Stable versions

The PolarDB database does not use a stable minor version.

A PolarDB database is considered non-compliant if the status of its minor version is not stable.

Quick fixes are not supported.

No

Stable versions

The Redis instance is not upgraded to the latest minor version.

A Redis instance is considered non-compliant if it is not upgraded to the latest minor version.

Quick fixes are not supported.

No

Stable versions

The MSE engine version is too low.

Using the latest MSE engine version is key to ensuring the continuity of the MSE service. If the engine version is too low, it may cause problems such as memory that garbage collection cannot reclaim because of code defects, memory leaks that cause usage to keep rising, slow startup, and JSON serialization defects. The configuration is considered non-compliant if the MSE-ZK or MSE-Ans engine version or the MSE-Ans client version is too low.

Quick fixes are not supported.

No

Stable versions

The MSE-Ingress gateway version is too low.

Using the latest version of Ingress is key to ensuring the continuity of the gateway service. If the version is too low, it may cause the following problems: security or stability risks, and it may cause the instance list of the subscribed Nacos service to be inaccurate. The configuration is considered non-compliant if the MSE-Ingress version is too low.

Quick fixes are not supported.

No

Stable versions

A non-maintained ACK version is used.

The Kubernetes community releases a minor version about every 4 months. It is recommended to use a maintained version. Clusters on expired versions carry security and stability risks. After the cluster version expires, you will no longer receive the features and bug fixes supported by newer Kubernetes versions, you will not be able to obtain timely and effective technical support, and you will face the risk of being unable to fix security vulnerabilities. The configuration is considered compliant if the ACK cluster version used is still maintained.

Quick fixes are not supported.

No

Stable versions

Automatic upgrade of the minor engine version is not enabled for the RDS instance (new in 3.0 model).

ApsaraDB RDS supports automatic or manual upgrade of minor engine versions. When the minor engine version is lower than the latest minor engine version, the system will periodically issue active O&M tasks to upgrade the minor engine version. The instance will receive the latest version including performance improvements, new feature support, and security issue resolutions, which can ensure the continuous optimization and security of the database service. An RDS instance is considered non-compliant if automatic upgrade of the minor engine version is not enabled.

Quick fixes are not supported.

No

Stable versions

The major version of the MySQL database of the RDS instance is too low (new in 3.0 model).

Using a MySQL version whose lifecycle has stopped or is about to stop will cause the system to face security risks, performance bottlenecks, compatibility issues, and lack of technical support. Timely upgrading to a supported MySQL version can obtain the latest security patches, performance improvements, and feature enhancements, reduce O&M risks, and improve overall system reliability. The current RDS instance is considered non-compliant if it uses version 5.5 or 5.6.

Quick fixes are not supported.

No

Stable versions

The Function Compute FC 2.0 function uses a deprecated runtime (new in 3.0 model).

With the iteration of runtime versions, Function Compute will stop maintaining some runtimes and will no longer provide technical support and security updates for them. It is recommended to migrate functions to the latest supported runtime to obtain technical support and security updates. An FC 2.0 function is considered non-compliant if the runtime it uses is any of nodejs12, nodejs10, nodejs8, dotnetcore2.1, python2.7, nodejs6, or nodejs4.4.

Quick fixes are not supported.

No

Stable versions

Kubelet component version on an ACK cluster node lags behind the control plane (new in 3.0 model).

If the Kubelet component version of an ACK cluster node is behind the control plane, it can cause compatibility failures. The control plane (such as API Server) may not be able to communicate normally with the old version of Kubelet due to new features or protocol upgrades, resulting in abnormal node status, Pod scheduling failure, or the node being marked as unavailable. In addition, the old version of Kubelet may not have fixed known security vulnerabilities, increasing the risk of the node being attacked, and at the same time hindering the overall upgrade capability of the cluster version. In the long run, it may lead to functional deficiencies or maintenance difficulties. You need to immediately upgrade Kubelet to a compatible version to restore communication stability and eliminate security risks. An ACK cluster node is considered non-compliant if its Kubelet component version is behind the control plane.

Quick fixes are not supported.

No

Expiration risk

Internet Shared Bandwidth instance is at risk of expiration.

An Internet Shared Bandwidth instance is considered non-compliant if its expiration time is less than 7 days from the current time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected CBWP resource.

No

Expiration risk

ECS instance is at risk of expiration.

A subscription ECS instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription ECS instance resource.

No

Expiration risk

RDS instance is at risk of expiration.

A subscription RDS instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription RDS instance resource.

No

Expiration risk

Bastionhost instance is at risk of expiration.

A Bastionhost instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription Bastionhost instance resource.

No

Expiration risk

SLB instance is at risk of expiration.

A subscription SLB instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription SLB instance resource.

No

Expiration risk

EIP instance is at risk of expiration.

A subscription EIP instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription EIP instance resource.

No

Expiration risk

The AnalyticDB for MySQL Data Warehouse Edition instance is at risk of expiration.

An AnalyticDB for MySQL Data Warehouse Edition instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription AnalyticDB for MySQL Data Warehouse Edition instance resource.

No

Expiration risk

PolarDB instance is at risk of expiration.

A subscription PolarDB instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription PolarDB instance resource.

No

Expiration risk

The Cloud Enterprise Network (CEN) bandwidth plan is at risk of expiration.

A CEN bandwidth plan is considered non-compliant if its expiration time is less than 7 days from the current time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription CEN instance resource.

No

Expiration risk

The DRDS instance is at risk of expiration.

A PolarDB-X 1.0 or PolarDB-X 2.0 instance is considered non-compliant if its expiration time is less than 7 days from the current time and auto-renewal is not enabled.

Quick fixes are not supported.

No

Expiration risk

The Anti-DDoS Pro or Anti-DDoS Premium instance is at risk of expiration.

A DDoS instance is considered non-compliant if its expiration time is less than 7 days from the current time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription DDoSCOO instance resource.

No

Expiration risk

Redis instance is at risk of expiration.

A subscription Redis instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription Redis instance resource.

No

Expiration risk

MongoDB instance is at risk of expiration.

A subscription MongoDB instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

This fix will enable auto-renewal for your selected subscription MongoDB instance resource.

No

Expiration risk

The VPN Gateway instance is at risk of expiration (new in 3.0 model).

Make sure that you renew your subscription VPN Gateway instance in time to avoid business interruptions caused by expiration. A subscription VPN Gateway instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

Quick fixes are not supported.

No

Expiration risk

The KMS instance is at risk of expiration (new in 3.0 model).

Make sure that you renew your subscription KMS instance in time to avoid business interruptions caused by expiration. A subscription KMS instance is considered non-compliant if its expiration time is less than 7 days from the check time and auto-renewal is not enabled.

Quick fixes are not supported.

No

Deletion protection

Deletion protection is not enabled for the ALB instance.

An ALB instance is considered non-compliant if deletion protection is not enabled.

This fix enables the deletion protection feature for the selected resource, which prevents it from being released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page.

No

Deletion protection

Deletion protection is not enabled for the RDS instance.

An RDS instance is considered non-compliant if release protection is not enabled.

This fix enables the deletion protection feature for the selected resource, which prevents it from being released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page.

No

Deletion protection

Deletion protection is not enabled for the SLB instance.

An SLB instance is considered non-compliant if deletion protection is not enabled.

This fix enables the deletion protection feature for the selected resource, which prevents it from being released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page.

No

Deletion protection

Deletion protection is not enabled for the EIP instance.

An EIP instance is considered non-compliant if deletion protection is not enabled.

This fix enables the deletion protection feature for the selected resource, which prevents it from being released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page.

No

Deletion protection

Cluster lock is not enabled for the PolarDB cluster.

A PolarDB instance is considered non-compliant if cluster lock is not enabled.

This fix enables the deletion protection feature for the selected resource, which prevents it from being released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page.

No

Deletion protection

Cluster lock is not enabled for the ACK cluster.

An ACK cluster is considered non-compliant if deletion protection is not enabled.

This fix enables the deletion protection feature for the selected resource, which prevents it from being released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page.

No

Deletion protection

Release protection is not enabled for the MongoDB instance.

A MongoDB instance is considered non-compliant if release protection is not enabled.

Quick fixes are not supported.

No

Multi-zone architecture

Elasticsearch instance is deployed in a single zone.

An Elasticsearch instance that is not deployed across multiple zones is considered non-compliant.

Quick fixes are not supported.

No

Multi-zone architecture

RDS instance is deployed in a single zone.

An RDS instance that is not deployed across multiple zones is considered non-compliant.

Quick fixes are not supported.

No

Multi-zone architecture

SLB instance and its server group are deployed in a single zone.

The configuration is considered non-compliant if an SLB instance is in a single zone, or if a server group used by a listener under the SLB instance does not have resources from multiple zones added.

Quick fixes are not supported.

No

Multi-zone architecture

Hot standby storage cluster is not enabled for the PolarDB cluster.

A PolarDB cluster is considered non-compliant if a hot standby storage cluster is not enabled and the data is distributed in a single zone.

Quick fixes are not supported.

No

Multi-zone architecture

Redis instance is deployed in a single zone.

A Redis instance that is not deployed across multiple zones is considered non-compliant.

Quick fixes are not supported.

No

Multi-zone architecture

Zone-redundant storage is not enabled for the OSS bucket.

An OSS bucket is considered non-compliant if zone-redundant storage is not enabled.

Quick fixes are not supported.

No

Multi-zone architecture

MongoDB instance is deployed in a single zone.

A MongoDB instance that is not deployed across multiple zones is considered non-compliant.

Quick fixes are not supported.

No

Multi-zone architecture

Related MSE components are deployed in a single zone.

It is recommended to adopt a multi-zone deployment architecture for related MSE components to improve their stability. Related MSE components are considered non-compliant if they are deployed in a single zone.

Quick fixes are not supported.

No

Multi-zone architecture

The MSE gateway is deployed in a single zone.

All instance replicas of the current gateway are deployed in the same zone (AZ). This deployment form does not provide high availability, and your business may be affected in extreme cases. Upgrade to the new version as soon as possible to distribute the gateway instances across multiple zones. The MSE Ingress gateway component is considered non-compliant if it has a single-zone architecture.

Quick fixes are not supported.

No

Multi-zone architecture

The Bastionhost is deployed in a single zone.

It is recommended to use the Enterprise Dual-Engine or National Secret Edition Bastionhost to obtain multi-zone disaster recovery capabilities. Using the Basic Edition Bastionhost is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The VPN instance is deployed in a single zone.

For existing single-tunnel instances, it is strongly recommended that you enable AZ high availability in the console and configure dual tunnels to establish a connection with the peer. Using a single-tunnel instance for the VPN is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The transit router is deployed in a single zone.

For existing transit routers, it is strongly recommended to configure multiple zones to achieve multi-zone disaster recovery. A transit router whose VPC connection has a vSwitch in only one zone is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The NLB instance is deployed in a single zone.

For Network Load Balancer instances, it is strongly recommended to configure multiple zones to achieve multi-zone disaster recovery. Using a single-zone Network Load Balancer instance is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The AnalyticDB for PostgreSQL instance is deployed in a single zone.

It is recommended to enable cross-zone disaster recovery for AnalyticDB for PostgreSQL instances. When the primary zone fails, the secondary zone node will be automatically switched to the primary node to continue providing services and ensure business continuity. An AnalyticDB for PostgreSQL instance is considered non-compliant if cross-zone disaster recovery is not enabled.

Quick fixes are not supported.

No

Multi-zone architecture

The Lindorm instance is deployed in a single zone.

It is recommended to deploy Lindorm instances in multiple zones. Multi-zone instances have higher disaster recovery capabilities. At the same time, Lindorm instances can achieve strong consistency of data between multiple zones, and can also issue requests and return the fastest results under eventual data consistency, thereby improving the service quality of online businesses. A Lindorm instance is considered non-compliant if it does not adopt a multi-zone deployment.

Quick fixes are not supported.

No

Multi-zone architecture

The HBase instance is deployed in a single zone.

It is recommended to adopt a multi-zone deployment architecture, which has higher disaster recovery capabilities. An HBase instance is considered non-compliant if it does not adopt a multi-zone deployment.

Quick fixes are not supported.

No

Multi-zone architecture

The Tablestore instance is deployed in a single zone.

The OTS instance in the current region does not support multi-zone disaster recovery capabilities. An OTS instance is considered non-compliant if it does not adopt a multi-zone deployment.

Quick fixes are not supported.

No

Multi-zone architecture

The OSS bucket associated with ACR does not have zone-redundant storage enabled.

It is recommended to use an Enterprise Edition ACR instance and use zone-redundant OSS storage. An ACR associated with a locally redundant OSS bucket is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The ApsaraMQ for RocketMQ instance does not use the high-availability cluster edition.

It is recommended to use the high-availability cluster edition, which has multi-zone disaster recovery capabilities. Using an ApsaraMQ for RocketMQ 5.0 instance that is not multi-zone is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The GWLB instance is deployed in a single zone.

It is recommended to enable multiple zones for GWLB instances to have multi-zone disaster recovery capabilities. Using a Gateway Load Balancer instance that is not multi-zone is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

Flink does not use a cross-zone CU type.

It is recommended to enable the cross-zone CU type for Flink to obtain multi-zone disaster recovery capabilities. A Flink instance that does not use a multi-zone CU is considered "non-compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The ACK cluster is deployed in a single zone.

Using a regional cluster can achieve cross-regional disaster recovery capabilities. Using a regional ACK cluster with nodes distributed in 3 or more zones is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The VPN Gateway does not use dual-tunnel mode.

A dual-tunnel IPsec-VPN connection has a primary and a secondary tunnel. If the primary tunnel fails, traffic can be transmitted through the secondary tunnel, which improves the high availability of the IPsec-VPN connection. Using a dual-tunnel VPN gateway with both primary and secondary tunnels connected to the peer is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The SLS project does not use zone-redundant storage.

Simple Log Service provides two storage redundancy types: locally redundant storage and zone-redundant storage, covering data redundancy mechanisms from single-zone to multi-zone to ensure data durability and availability. Using a log project with zone-redundant storage is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The Privatelink endpoint service is deployed in a single zone.

Configuring multiple zones for an endpoint service can greatly reduce the risk of service interruption, distribute traffic more evenly, avoid overloading a single zone, and provide proximity access, thereby reducing network latency and improving access speed. Configuring multiple zones for an endpoint service is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The PolarDB-X2 instance is deployed in a single zone.

It is recommended to use a multi-zone PolarDB-X2 instance, which has multi-zone disaster recovery capabilities. A PolarDB-X 2.0 instance with a multi-zone architecture is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The resources mounted to the NLB server group are all in a single zone.

It is recommended to add resources from multiple zones to the Network Load Balancer server group to have multi-zone disaster recovery capabilities. The configuration is considered "compliant" if the resources in the Network Load Balancer server group are distributed in multiple zones. This rule is "not applicable" if there are no resources in the server group or the resource type is IP.

Quick fixes are not supported.

No

Multi-zone architecture

The ALB instance is deployed in a single zone.

If only one zone is selected, when this zone fails, the ALB instance will be affected, which in turn affects business stability. An ALB instance that is a multi-zone instance is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The Message Queue for Apache Kafka instance is deployed in a single zone.

When you use a Professional Edition instance and only select a single zone for deployment, you can upgrade the cluster to a multi-zone architecture deployment by editing the secondary zone, thereby enhancing the cluster's disaster recovery capabilities. Using a multi-zone Message Queue for Apache Kafka instance is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The ApsaraDB for ClickHouse cluster is deployed in a single zone.

It is recommended to use a multi-zone ApsaraDB for ClickHouse cluster instance, which has multi-zone disaster recovery capabilities. Using a multi-zone ApsaraDB for ClickHouse cluster instance is considered "compliant". Currently, only the community version is checked for whether it is a multi-zone architecture.

Quick fixes are not supported.

No

Multi-zone architecture

The resources mounted to the ALB server group are all in a single zone.

Adding resources from multiple zones to an ALB server group can ensure that even if one zone fails, the application can continue to run in other zones, providing better fault tolerance. The configuration is considered "compliant" if the resources mounted to an ALB server group are distributed in multiple zones. This rule is not applicable if the ALB server group has no mounted resources or if the server group type is IP or Function Compute.

Quick fixes are not supported.

No

Multi-zone architecture

The ACS cluster is deployed in a single zone.

It is recommended to use a regional multi-zone ACS cluster, which has multi-zone disaster recovery capabilities. Using a regional ACS cluster with nodes distributed in 3 or more zones is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The API Gateway instance is deployed in a single zone.

It is recommended to use a multi-zone gateway instance, which has multi-zone disaster recovery capabilities. Using a multi-zone gateway instance is considered "compliant".

Quick fixes are not supported.

No

Multi-zone architecture

The distribution of ECS instances across zones in a region is uneven (new in 3.0 model).

Deploying all ECS instances in the same zone poses a risk of a single point of failure. When the zone fails (such as due to hardware damage or network interruption), all ECS instances in the region will become unavailable at the same time, leading to business interruptions. The configuration is considered non-compliant if all ECS instances in the same region are deployed in the same zone.

Quick fixes are not supported.

No

Multi-zone architecture

The resources mounted to the GWLB server group are all in a single zone (new in 3.0 model).

Mounting resources to a multi-zone server group can improve the disaster recovery capability of the system and reduce the risk of business interruption. The configuration is considered non-compliant if a GWLB instance is in a single zone, or if a server group used by a listener under the GWLB instance does not have resources from multiple zones added. This rule is not applicable if there are no resources in the server group or the resource type is IP.

Quick fixes are not supported.

No

Multi-zone architecture

The ACK cluster inspection CoreDNS has only one replica (new in 3.0 model).

If an ACK cluster CoreDNS has only a single replica configured, it will lose high availability. When a Pod fails, the DNS service will be completely interrupted, causing domain name resolution failure for services within the cluster, which in turn blocks communication between applications. A single-point architecture cannot tolerate node failures or maintenance operations. Service interruptions may occur during upgrades or restarts. The risk increases with long-term operation. You need to immediately scale out the number of replicas to ensure service redundancy and stability. An ACK cluster is considered non-compliant if its CoreDNS has only one replica.

Quick fixes are not supported.

No

Cluster architecture

The Auto Scaling scaling group is associated with only a single vSwitch.

By associating with multiple vSwitches, a scaling group can improve the overall robustness, reliability, and performance of an application, thereby better meeting business requirements. If a vSwitch is inaccessible due to network problems or other conditions, user traffic can still access the application through other vSwitches. A scaling group is considered "compliant" if it is associated with at least two vSwitches.

Quick fixes are not supported.

No

Cluster architecture

The PolarDB instance is deployed as a single point.

The configuration is considered non-compliant if the PolarDB product series used is not the Cluster Edition or Multi-master Cluster Edition.

Quick fixes are not supported.

No

Cluster architecture

Related MSE components are deployed as a single point.

For the MSE ZK component, it is recommended to scale out to 3 or more nodes. For the Nacos-Ans component, it is recommended to scale out to 3 or more nodes. Related MSE components are considered non-compliant if they are deployed on a single node.

Quick fixes are not supported.

No

Cluster architecture

The MSE gateway is deployed as a single point.

A single-node instance has an architectural risk. A single point of failure will cause the service to be unavailable. It is recommended to scale out to 2 or more nodes. The MSE Ingress component is considered non-compliant if it is deployed on a single node.

Quick fixes are not supported.

No

Cluster architecture

Primary and secondary nodes of an RDS cluster have different instance types (new in 3.0 model).

If the primary and secondary nodes of an RDS cluster are not configured with the same instance type, it may cause the secondary node to be unable to take over smoothly when the primary node fails, resulting in performance bottlenecks or service interruptions. In addition, different instance specifications may lead to resource mismatches, affecting data synchronization efficiency and recovery speed, and reducing the high availability and disaster recovery capabilities of the system. Detecting and ensuring that the primary and secondary node instance types are consistent helps to improve system stability, enhance failover capabilities, and ensure business continuity, bringing higher reliability and O&M controllability to customers. An RDS cluster is considered non-compliant if its primary and secondary nodes are configured with different instance types.

Quick fixes are not supported.

No

Cluster architecture

Primary and secondary nodes of an RDS cluster have different instance sizes (new in 3.0 model).

If the primary and secondary nodes of an RDS cluster are not configured with the same instance size, it may cause the secondary node to be unable to take over smoothly when the primary node fails, resulting in performance bottlenecks or service interruptions. In addition, different instance specifications may lead to resource mismatches, affecting data synchronization efficiency and recovery speed, and reducing the high availability and disaster recovery capabilities of the system. Detecting and ensuring that the primary and secondary node instance sizes are consistent helps to improve system stability, enhance failover capabilities, and ensure business continuity, bringing higher reliability and O&M controllability to customers. An RDS cluster is considered non-compliant if its primary and secondary nodes are configured with different instance sizes.

Quick fixes are not supported.

No

Cluster architecture

Automatic primary/secondary failover is not enabled for the RDS instance (new in 3.0 model).

When the primary node of an instance is abnormal and cannot be used, or when there is a potential risk in the instance and an emergency repair has been performed on the secondary node, RDS will automatically trigger a primary/secondary failover, swapping the primary and secondary nodes. After the failover, the instance endpoint remains unchanged, and the application automatically connects to the new primary node (the original secondary node), thereby ensuring the high availability of the instance. An RDS instance is considered non-compliant if the automatic primary/secondary failover feature is not enabled.

Quick fixes are not supported.

No

Cluster architecture

High-reliability mode is not used for Express Connect (new in 3.0 model).

Use the high-reliability mode of Express Connect to create two access points in the same region to achieve network redundancy, ensure the stability and reliability of data transmission, and meet compliance requirements. The configuration is considered non-compliant if fewer than two access points are requested for Express Connect in the same region.

Quick fixes are not supported.

No

Monitoring management

Prometheus monitoring is not configured for the ACK cluster.

Connecting an ACK cluster to monitoring can help development and O&M personnel view the running status of the system, including the infrastructure layer, container performance layer, and so on. The configuration is considered non-compliant for all ACK clusters if "Enable Alibaba Cloud Prometheus Monitoring" is not configured.

Quick fixes are not supported.

No

Monitoring management

No monitoring alert rules are set for cloud resources.

Achieving full coverage of resource monitoring is the basis and key to ensuring business continuity. Setting alert rules for cloud resources is a necessary means to achieve cloud resource monitoring. The configuration is considered non-compliant if there are cloud resources that are not covered by any alert rules.

This fix automatically enables alert rules based on best practices for cloud resource types that do not have CloudMonitor alert rules configured. By default, notifications are sent to message recipients of the "Alibaba Cloud Account Alert Contact" type. Confirm that these settings are correct. After enabling this fix, you can view the status or update the alert parameters in the One-Click Alerting feature of CloudMonitor.

No

Monitoring management

Application monitoring is not configured for the ACK cluster.

For distributed and microservice applications, you can connect to Application Real-Time Monitoring Service (ARMS) to implement Tracing Analysis and real-time code-level performance monitoring. This helps O&M engineers stay informed about the health status of applications. Applications that are deployed in Container Service for Kubernetes or Elastic Compute Service (ECS) are considered non-compliant if they are not connected to Application Real-Time Monitoring Service (ARMS).

Quick fixes are not supported.

No

Monitoring management

Alert rules have unhandled persistent alerts.

An alert rule that remains in the Alerting state for an extended period is an issue that requires attention and administration. Typically, you need to troubleshoot the issue as soon as possible to restore the metric to a normal level. Alternatively, you can adjust the alert rule based on actual conditions to prevent many alert notifications or alert fatigue from interfering with normal monitoring and O&M tasks. An alert rule configured in CloudMonitor is considered non-compliant if it remains in the Alerting state for more than 24 hours.

Quick fixes are not supported.

No

Monitoring management

No high-priority alert rule is configured in ARMS.

If you configure valid alert rules, you can receive timely notifications when your business system does not perform as expected and then make a timely emergency response. The configuration is considered non-compliant if no P1 alert rules for Application Monitoring or Prometheus monitoring, or no corresponding notification policies are configured in ARMS.

Quick fixes are not supported.

No

Monitoring management

High-priority alerts in ARMS are not handled in a timely manner.

The Mean Time To X (MTTx) metric, such as Mean Time To Recovery (MTTR), is an important metric for measuring the efficiency of alert handling. A timely response to high-priority alerts can effectively improve the recovery efficiency for alerts and even faults, thereby improving the service quality of the business system. The configuration is considered non-compliant if P1 alert rules are not configured for Application Monitoring or Prometheus monitoring, or if there are alerts in Alibaba Cloud ARMS that are pending, being processed, or take more than 30 minutes to resolve.

Quick fix is not supported.

No

Monitoring management

ARMS resources are not centrally monitored across Alibaba Cloud accounts.

You can create a global aggregation (GlobalView) instance to monitor ARMS resources across accounts from one place. The configuration is considered non-compliant if the current account does not use ARMS or has not created a GlobalView instance.

Quick fixes are not supported.

No

Risk inspection

An ECS instance is stopped because of an overdue payment or a security-related suspension.

An unexpected shutdown of an ECS instance can interrupt services, cause data loss or data inconsistency, and affect system performance or security. An ECS instance in the current account is considered non-compliant if it has been stopped because of an overdue payment or a security-related suspension.

Quick fixes are not supported.

No

Risk inspection

The ECS instance has pending O&M events.

If scheduled O&M events for an ECS instance are not handled in time, the instance may be restarted during peak hours, which affects business stability. The configuration is considered non-compliant if the current account has pending ECS O&M events in the Inquiring, Scheduled, or Executing state.

Quick fixes are not supported.

No

Risk inspection

A health check is not configured for the VBR of a CEN resource.

The health check feature of Cloud Enterprise Network (CEN) probes the connectivity of the Express Connect circuit associated with a virtual border router (VBR). When redundant routes exist between CEN and a data center and the health check detects a failure on one circuit, traffic is automatically switched to the healthy route so that transmission continues. The configuration is considered non-compliant if no health check is configured for a VBR associated with a CEN instance.

Quick fixes are not supported.

No

Risk inspection

Excessive replication latency between an RDS read-only instance and its primary instance (new in 3.0 model)

An RDS read-only instance is kept in sync with its primary instance by native MySQL log-based replication (asynchronous or semi-synchronous), so some replication latency is unavoidable. Latency makes the read-only instance lag behind the primary, which can return stale data to applications and cause business issues. It also lets relay logs accumulate on the read-only instance, which can quickly exhaust its storage space. The instance is considered non-compliant if the maximum latency between an RDS read-only instance and its primary instance exceeds 60 seconds within the specified period (in hours).

Quick fixes are not supported.

No

Risk inspection

Insufficient available IP addresses in a VPC (new in 3.0 model)

Ensure that every vSwitch keeps enough free IP addresses so that scaling out the business does not fail for lack of addresses. A vSwitch is considered non-compliant if its number of available IPv4 addresses is less than or equal to the specified threshold.

Quick fixes are not supported.

No

Risk inspection

The OSS origin domain name configured for a CDN domain name is abnormal (new in 3.0 model)

If the origin domain name configured for a CDN domain name does not exist, resource requests fail and business features are affected. Origin fetch failures also cause CDN to retry the requests repeatedly, which adds unnecessary network overhead. A CDN domain name is considered non-compliant if its origin is an OSS domain name and the corresponding OSS bucket is no longer active. CDN domain names whose origin is not an OSS domain name are outside the scope of this check.

Quick fixes are not supported.

No

Risk inspection

The Server Load Balancer associated with an Auto Scaling (ESS) scaling group is abnormal (new in 3.0 model)

After a scaling group is associated with a Server Load Balancer (SLB) instance, every instance in the scaling group, whether created automatically by the group or added manually, is registered as a backend server of that SLB instance. If the SLB instance or its server group no longer exists, scaling activities of the group fail. The configuration is considered non-compliant if the Classic Load Balancer (CLB) or Application Load Balancer (ALB) associated with an Auto Scaling group is not an active resource.

Quick fixes are not supported.

No

Risk inspection

The custom image configured for the ECS launch template is abnormal (new in 3.0 model)

A launch template lets you create instances quickly from a saved configuration. If the custom image referenced by a launch template no longer exists, instance creation from that template fails. The configuration is considered non-compliant if a custom image associated with an ECS launch template no longer exists.

Quick fixes are not supported.

No

Risk inspection

The SPF record of a mail-enabled DNS domain name is missing or invalid (new in 3.0 model)

Sender Policy Framework (SPF) is a DNS-based email authentication mechanism: a domain publishes, in a TXT record on the domain name itself (not on the MX host), which mail servers (IP addresses or host names) are authorized to send mail on its behalf. When a mail server receives a message, it looks up the SPF record of the sender domain and checks the connecting IP address against it to decide whether the message is legitimate. A correct and reasonably strict SPF record helps prevent email spoofing, reduces spam abuse of the domain, and improves deliverability. For each DNS domain name that has an MX record, the system checks whether the domain has at least one TXT record whose value is a valid SPF record starting with "v=spf1". A domain name that does not meet this condition is considered non-compliant. Note that the check verifies presence and syntax only: a record such as "v=spf1 +all" passes the check but authorizes every host on the Internet, and publishing more than one "v=spf1" record is a permanent error for receivers, so review the policy itself as well.

Quick fixes are not supported.

No
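The evaluation described above, as an added example that is not part of the original page or of the Cloud Governance Center product: a small SPF evaluator that mirrors how a receiving server checks a connecting IP address against the sender domain's policy (a simplified RFC 7208 check_host for the all, ip4, ip6, a, mx and include mechanisms), plus an audit function that reproduces the page's rule (a domain with an MX record must publish one "v=spf1" TXT record) and additionally flags the two cases the rule does not catch: multiple SPF records and a fully permissive policy. The zone data is constructed for the example (names under .test, addresses from the RFC 5737 documentation ranges); the function and verdict names are this example's own.

```python
import ipaddress

# Constructed zone data for this example; none of these names or addresses are real.
# owner name -> record type -> list of record data strings.
ZONE = {
    "example.test": {
        "MX": ["10 mail.example.test."],
        "A": ["203.0.113.10"],
        "TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:spf.mailer.test -all"],
    },
    "mail.example.test": {"A": ["192.0.2.25"]},
    "spf.mailer.test": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ~all"]},
    "nospf.test": {"MX": ["10 mx.nospf.test."], "TXT": ["site-verification=abc123"]},
    "openrelay.test": {"MX": ["10 mx.openrelay.test."], "TXT": ["v=spf1 +all"]},
    "twospf.test": {"MX": ["10 mx.twospf.test."], "TXT": ["v=spf1 -all", "v=spf1 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10 per check


def lookup(name, rtype):
    return ZONE.get(name.rstrip(".").lower(), {}).get(rtype, [])


def spf_records(domain):
    # RFC 7208 section 4.5: the version tag is compared case-insensitively and must be
    # a whole term, so "v=spf10 ..." or "v=spf1x" is not an SPF record.
    return [txt for txt in lookup(domain, "TXT") if txt.split(" ", 1)[0].lower() == "v=spf1"]


def _a_match(ip, name):
    return any(ip == ipaddress.ip_address(a) for a in lookup(name, "A"))


def check_host(ip, domain, depth=0):
    """Evaluate sender IP `ip` against the SPF policy of `domain` (simplified RFC 7208 check_host).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Modifiers (redirect=, exp=) and CIDR suffixes on a/mx are not handled here.
    """
    ip = ipaddress.ip_address(ip)
    records = spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1 or depth > MAX_DEPTH:
        return "permerror"  # several v=spf1 records, or an include loop, is a permanent error
    for term in records[0].split()[1:]:
        if "=" in term:
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _a_match(ip, arg or domain)
        elif name == "mx":
            hosts = [rr.split()[-1] for rr in lookup(arg or domain, "MX")]
            matched = any(_a_match(ip, h) for h in hosts)
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # an include target without a usable record is fatal
            matched = sub == "pass"  # include matches only on pass; fail/softfail keep evaluating
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def audit(domain):
    """Mirror of the governance check, plus two findings the check itself does not report.

    no-mx:      not a mail domain, out of scope
    missing:    MX exists but no v=spf1 TXT record (non-compliant on the page)
    multiple:   more than one v=spf1 record, which receivers treat as permerror
    permissive: the policy passes an address no legitimate server uses (typically "+all")
    ok:         exactly one record that does not pass everything
    """
    if not lookup(domain, "MX"):
        return "no-mx"
    records = spf_records(domain)
    if not records:
        return "missing"
    if len(records) > 1:
        return "multiple"
    if check_host("192.0.2.1", domain) == "pass":  # TEST-NET-1, never a real sender
        return "permissive"
    return "ok"
```

To run this against real domains, replace `lookup` with a resolver call (for example `dns.resolver.resolve` from dnspython); everything else stays the same, because the evaluator only ever asks for TXT, A and MX data by name.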

Risk inspection

The OSS domain name configured in a DNS CNAME record is abnormal (new in 3.0 model)

If a DNS CNAME record points to an OSS domain name that is no longer valid, resources fail to load when the domain name is accessed, which affects normal business features. A CNAME record that still points at a released bucket is also a dangling DNS record and should be removed or repointed rather than left in place. The configuration is considered non-compliant if a DNS CNAME record is configured with an OSS domain name but the corresponding OSS bucket no longer exists. DNS domain names whose CNAME records do not point to OSS domain names are outside the scope of this check.

Quick fixes are not supported.

No

Risk inspection

Data replication for the RDS PostgreSQL instance is not in synchronous or semi-synchronous mode (new in 3.0 model)

RDS PostgreSQL supports three data replication modes: synchronous, semi-synchronous, and asynchronous. The asynchronous mode responds fastest but is suitable only for workloads that do not require high data durability, because committed transactions that have not yet been replicated to the standby can be lost if the primary crashes. An RDS PostgreSQL instance is considered non-compliant if it uses the asynchronous replication mode (the synchronous_commit parameter is set to off). Note that synchronous_commit=off not only skips waiting for the standby but also lets the primary acknowledge a commit before its own WAL is flushed to disk, so the most recent transactions can be lost even without a failover.

Quick fixes are not supported.

No

Risk inspection

High ALB connection failure rate (new in 3.0 model)

A high connection failure rate on an Application Load Balancer (ALB) instance usually indicates that backend services are abnormal, the network is unstable, or the configuration is wrong. The result is failed user access, business interruption, and a degraded user experience. Inspecting the connection failure rate metric lets you detect and locate the root cause early, which improves availability and stability and keeps traffic routing efficient. An ALB instance is considered non-compliant if its connection failure rate is greater than or equal to 80% for at least 8 hours within the inspection period.

Quick fixes are not supported.

No

Risk inspection

High proportion of ALB 4xx errors (new in 3.0 model)

If the proportion of 4xx responses on an ALB instance stays above the threshold for a sustained period, client requests are failing in large numbers: malformed requests, wrong parameters, failed authentication, or an excessive request rate that is being rejected (for example, during a flood of abusive traffic). This degrades the experience of legitimate users and may also reveal interface design defects or an attack in progress against the service. An ALB instance is considered non-compliant if the proportion of 4xx responses is greater than or equal to 80% for at least 8 hours within the inspection period.

Quick fixes are not supported.

No

Risk inspection

High proportion of ALB 5xx errors (new in 3.0 model)

If the proportion of 5xx responses on an ALB instance stays above the threshold for a sustained period, the backend service is failing internally and frequently. Typical causes are application exceptions, insufficient resources, configuration errors, or failures of dependent services. The direct effect is a degraded user experience, a higher risk of business interruption, and reduced system stability and availability. An ALB instance is considered non-compliant if the proportion of 5xx responses is greater than or equal to 80% for at least 8 hours within the inspection period.

Quick fixes are not supported.

No

Risk inspection

High ALB TLS handshake failure rate (new in 3.0 model)

A high TLS handshake failure rate on an ALB instance points to a problem in the encrypted channel between clients and the listener: a wrong or expired certificate, incompatible protocol versions, no cipher suite in common, or clients that only offer algorithms the listener does not support. Besides failed access and reduced availability, a misconfigured TLS listener can leave connections with weaker protection against man-in-the-middle attacks than intended. An ALB instance is considered non-compliant if its TLS handshake failure rate is greater than or equal to 80% for at least 8 hours within the inspection period.

Quick fixes are not supported.

No

Risk inspection

High connection utilization of Redis instances (new in 3.0 model)

If the connection utilization of a Redis instance stays above the threshold for a sustained period, the instance is approaching or has reached its connection limit. New clients may be unable to connect, requests may be rejected, and response latency may rise, all of which affect business performance and stability. Sustained high utilization may also point to connection leaks, a badly sized connection pool, or bursts of traffic. A Redis instance is considered non-compliant if its average connection utilization is greater than or equal to 50% for at least 8 hours within the inspection period.

Quick fixes are not supported.

No
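The four ALB checks above (connection failures, 4xx and 5xx proportions, TLS handshake failures) and the Redis connection utilization check all share one shape: a rate, computed per hour, that must not stay at or above a threshold for a given number of hours. The following is an added example, not code from the page or from the Cloud Governance Center product, that computes the ALB rates from constructed per-request outcomes and then applies the sustained-threshold rule. The page's wording ("at least 8 hours within a past period") does not say whether the hours must be consecutive, so the rule takes that as a parameter and the sample data is built so that the two readings disagree for one instance. The instance names, the `tls_fail` marker and the 100-requests-per-hour layout are this example's own.

```python
from collections import defaultdict

# Constructed request outcomes per ALB instance and hour (not real telemetry):
# (instance_id, hour_of_day, outcome), where outcome is an HTTP status code or
# "tls_fail" for a connection whose handshake failed before any request was made.
def _constructed_rows():
    rows = []
    for hour in range(24):
        for i in range(100):
            rows.append(("alb-healthy", hour, 503 if i < 2 else 200))          # 2% 5xx all day
            rows.append(("alb-broken-backend", hour,
                         502 if hour >= 10 and i < 90 else 200))               # 90% 5xx for 14 hours
            rows.append(("alb-bad-cert", hour,
                         "tls_fail" if hour < 8 and i < 85 else 200))          # 85% TLS failures for 8 hours
            rows.append(("alb-noisy-client", hour,
                         429 if hour % 2 == 0 and i < 95 else 200))            # 95% 4xx every other hour
    return rows


SAMPLE_ROWS = _constructed_rows()
METRICS = ("4xx", "5xx", "tls_fail")


def hourly_rates(rows):
    """Per instance and hour: share of 4xx responses, 5xx responses and failed TLS handshakes."""
    counts = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(("n",) + METRICS, 0)))
    for instance, hour, outcome in rows:
        bucket = counts[instance][hour]
        bucket["n"] += 1
        if outcome == "tls_fail":
            bucket["tls_fail"] += 1
        elif 400 <= outcome < 500:
            bucket["4xx"] += 1
        elif 500 <= outcome < 600:
            bucket["5xx"] += 1
    return {
        instance: {hour: {m: b[m] / b["n"] for m in METRICS} for hour, b in sorted(hours.items())}
        for instance, hours in counts.items()
    }


def sustained(series, threshold, min_hours, consecutive=True):
    """True if `series` ({hour: value}) is >= threshold for at least `min_hours` samples.

    consecutive=True requires an unbroken run of hot hours; consecutive=False accepts any
    `min_hours` hot samples in the window. Pick the reading that matches your alert semantics.
    """
    hot = [value >= threshold for _, value in sorted(series.items())]
    if not consecutive:
        return sum(hot) >= min_hours
    run = best = 0
    for flag in hot:
        run = run + 1 if flag else 0
        best = max(best, run)
    return best >= min_hours


def non_compliant(rates, metric, threshold=0.8, min_hours=8, consecutive=True):
    """Instances whose `metric` breaches the threshold for the required number of hours."""
    return sorted(
        instance for instance, hours in rates.items()
        if sustained({h: r[metric] for h, r in hours.items()}, threshold, min_hours, consecutive)
    )
```

The Redis rule is the same `sustained` call with threshold 0.5 over a series of hourly connection utilization values. The "alb-noisy-client" instance is the one to watch: it is hot for 12 of 24 hours but never for 8 in a row, so it is flagged under the cumulative reading and passes under the consecutive one.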

Risk inspection

The number of backend servers for the CoreDNS Service in the ACK cluster is 0 (new in 3.0 model)

If the CoreDNS Service in an ACK cluster has no backend endpoints (no ready CoreDNS pods), in-cluster service discovery fails completely: workloads can no longer resolve Service names, so inter-service calls and name-based database access break. This directly affects business availability and cluster stability. An ACK cluster is considered non-compliant if the number of backend endpoints of its CoreDNS Service is 0.

Quick fixes are not supported.

No

Risk inspection

Abnormal backend status of the API Server CLB instance in an ACK cluster (new in 3.0 model)

If the backends of the CLB instance that fronts the API Server of an ACK cluster are unhealthy, control plane communication is interrupted and cluster management fails. Clients such as kubectl cannot reach the API Server, so you can neither deploy applications nor view their status, and in-cluster components such as the kubelet and controllers lose their connection as well: nodes are reported as NotReady, pods cannot be scheduled, and automated recovery stops working. Monitoring systems such as Prometheus lose API-based service discovery and metric collection, so problems are neither alerted on nor diagnosed in time. The longer the API Server stays unreachable, the further the actual state of the cluster drifts from the desired state stored in etcd. Check the CLB configuration, backend node health, and network connectivity immediately so that traffic is distributed correctly and the cluster does not fail entirely. An ACK cluster is considered non-compliant if the backend of its API Server CLB instance is in an abnormal state.

Quick fixes are not supported.

No

Risk inspection

Abnormal listener configuration for the CLB port that is bound to the API Server of an ACK cluster (new in 3.0 model)

If the listener of the CLB port that fronts the API Server of an ACK cluster is misconfigured, API access is interrupted: clients such as kubectl cannot connect, so O&M operations fail, and in-cluster components such as the kubelet and controllers cannot talk to the API Server, which leads to abnormal node status, pod scheduling failures, and service unavailability. If the listener uses the wrong protocol or the security group does not restrict access, the API Server may be exposed to unauthorized access or traffic interception. Fix the listener port, verify the protocol type, and review the security policy immediately to prevent cluster failure and data exposure. The configuration is considered non-compliant if the listener configuration of the CLB port bound to the API Server of an ACK cluster is abnormal.

Quick fixes are not supported.

No

Risk inspection

The SLB instance attached to the API Server of the ACK cluster does not exist (new in 3.0 model)

If the SLB instance that fronts the API Server of an ACK cluster does not exist, the API service has no traffic entry point. External clients such as kubectl cannot reach the API Server through the load balancer, so cluster management is completely interrupted, and in-cluster components such as the kubelet and controllers cannot maintain a stable connection, which can cause abnormal node status, pod scheduling failures, and service unavailability. Without the load balancer the API Server also loses traffic distribution and failover, which leaves a single point of failure and a larger exposure to unauthorized access or DDoS attacks. Create and attach an SLB instance immediately to restore high availability and controlled access. An ACK cluster is considered non-compliant if the SLB instance attached to its API Server does not exist.

Quick fixes are not supported.

No

Risk inspection

The CLB instance attached to the API Server of the ACK cluster is in an abnormal state (new in 3.0 model)

If the CLB instance attached to the API Server of an ACK cluster is in an abnormal state, traffic to the API service is not forwarded. Clients such as kubectl cannot keep a stable connection, and cluster management is blocked. Because in-cluster components such as the kubelet and controllers lose contact with the API Server, node status becomes abnormal, pod scheduling stalls, and services become unavailable. If CLB health checks fail for some backends, the remaining backends receive all traffic, which raises the risk of a single point of failure. If the abnormal state coincides with a security misconfiguration, such as unencrypted listeners or exposed ports, unauthorized access or man-in-the-middle attacks become possible. Restore the CLB instance to a healthy state and verify its security policies immediately to prevent cluster paralysis and data exposure. The configuration is considered non-compliant if the CLB instance attached to the API Server of an ACK cluster is in an abnormal state.

Quick fixes are not supported.

No

Risk inspection

The scaling configuration of an ACK cluster node pool is unavailable (new in 3.0 model)

If the scaling configuration of a node pool in an ACK cluster is unavailable, the cluster cannot adjust its node count automatically. Under high load it cannot scale out, which leads to resource exhaustion, pending pods, and service interruptions; under low load it cannot scale in, which wastes resources and inflates costs. If a node fails, the automatic replacement mechanism no longer works, so the node may stay unavailable for a long time and the high availability (HA) of the cluster drops. Over time, pod-level policies such as HPA also lose their effect, because the replicas they add have no node to run on, the cluster becomes unbalanced, and O&M costs rise. Repair the scaling configuration immediately to restore elasticity. The configuration is considered non-compliant if the scaling configuration of a node pool in an ACK cluster is unavailable.

Quick fixes are not supported.

No

Risk inspection

The scaling group of a node pool in an ACK cluster is unavailable (new in 3.0 model)

If the scaling group of a node pool in an ACK cluster is unavailable, the cluster loses its auto scaling capability entirely. Under high load it cannot scale out dynamically, which leads to node resource exhaustion, pod scheduling failures, or slow service responses; under low load it cannot scale in, which leaves resources idle and wastes cost. When a node fails, the automatic replacement mechanism no longer works, so nodes may stay offline for a long time and the risk of a single point of failure rises. An abnormal scaling group also prevents the cluster from absorbing traffic bursts or maintenance-driven capacity changes, which over time lowers service stability and O&M efficiency. Repair the scaling group immediately to restore the cluster's elasticity. A cluster is considered non-compliant if the scaling group of a node pool in an ACK cluster is unavailable.

Quick fixes are not supported.

No

Risk inspection

The security group of an ACK cluster node pool is unavailable (new in 3.0 model)

If the security group of an ACK cluster node pool is unavailable, the network access rules it defines no longer apply. Communication between cluster components, such as kubelet to API Server traffic or pod-to-pod service discovery, may be blocked by missing rules or closed ports. At the same time, traffic that the rules were meant to filter may pass unfiltered, which raises the risk of node intrusion or DDoS exposure. If outbound rules are affected, nodes cannot reach external storage, image registries, or monitoring services, so dependent calls fail. An invalid security group can also isolate nodes by mistake, which affects pod scheduling and business continuity. Fix the rule configuration immediately to restore network isolation and secure communication. The configuration is considered non-compliant if the security group of an ACK cluster node pool is unavailable.

Quick fixes are not supported.

No

Risk inspection

The vSwitch of a node pool in an ACK cluster is unavailable (new in 3.0 model)

If the vSwitch of a node pool in an ACK cluster is unavailable, network communication involving its nodes is interrupted: pods and Services can no longer interact across nodes, which causes service discovery failures and stalled data transfer. The control plane loses contact with the worker nodes, which are then marked as unavailable and may be evicted or scaled in incorrectly. Nodes also lose access to external resources such as storage and databases, which paralyzes application features. The risk of a network partition, and with it split-brain behaviour or data inconsistency, increases, and the loss of monitoring data makes faults hard to locate in time. Restore the vSwitch immediately to recover network connectivity. A cluster is considered non-compliant if the vSwitch of a node pool in an ACK cluster is unavailable.

Quick fixes are not supported.

No

Risk inspection

ACK cluster inspection finds that an APIService is unavailable (new in 3.0 model)

An APIService object registers an extension API group that is served by an aggregated API server, such as metrics.k8s.io served by metrics-server or a custom metrics adapter. If an APIService in an ACK cluster is unavailable, calls to that API group fail, and components that depend on it, such as the Horizontal Pod Autoscaler reading resource metrics, stop working. Because API discovery also fails for the unavailable group, commands that enumerate all resource types (for example kubectl api-resources) report errors, and operations that must discover every resource type, such as namespace deletion and garbage collection, can stall. Recover the APIService urgently to restore these functions and avoid an inconsistent cluster state. A cluster is considered non-compliant if an APIService of an ACK cluster is unavailable.

Quick fixes are not supported.

No

Risk inspection

An ACK cluster has abnormal CoreDNS pods (new in 3.0 model)

Abnormal CoreDNS pods in an ACK cluster make the DNS service unstable: name resolution between services may time out or fail, which interrupts application calls. A crash-looping CoreDNS pod is restarted continuously by the kubelet, consumes node resources, and serves no queries meanwhile. If the abnormal state is caused by a wrong configuration or a tampered image, resolution results can be hijacked or polluted, which leads to misrouted traffic or data leakage. Investigate the pod status and correct the configuration immediately to restore reliable DNS. The presence of abnormal CoreDNS pods in an ACK cluster is considered non-compliant.

Quick fixes are not supported.

No
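Three of the ACK checks above read plain Kubernetes API objects: the CoreDNS Service backend count comes from the Endpoints object, the APIService check from the Available condition on each APIService, and the CoreDNS pod check from pod phase and container state. The following is an added example, not code from the page or from the ACK product, that evaluates those three conditions over constructed API responses. The JSON is trimmed to the fields the checks read and is not from a real cluster; in a live cluster the same documents come from `kubectl get endpoints kube-dns -n kube-system -o json`, `kubectl get apiservices -o json` and `kubectl get pods -n kube-system -l k8s-app=kube-dns -o json` (the Service and label names follow the upstream CoreDNS deployment and are assumed here).

```python
import json

# Constructed API responses (not from a real cluster), trimmed to the fields the checks read.
KUBE_DNS_ENDPOINTS = json.loads("""{
  "subsets": [{"addresses": [{"ip": "10.0.0.5"}, {"ip": "10.0.1.7"}],
               "notReadyAddresses": [{"ip": "10.0.2.9"}],
               "ports": [{"name": "dns", "port": 53, "protocol": "UDP"}]}]}""")
KUBE_DNS_ENDPOINTS_EMPTY = json.loads('{"subsets": []}')

APISERVICES = json.loads("""{"items": [
  {"metadata": {"name": "v1.apps"}, "spec": {},
   "status": {"conditions": [{"type": "Available", "status": "True", "reason": "Local"}]}},
  {"metadata": {"name": "v1beta1.metrics.k8s.io"},
   "spec": {"service": {"name": "metrics-server", "namespace": "kube-system"}},
   "status": {"conditions": [{"type": "Available", "status": "False",
                              "reason": "FailedDiscoveryCheck",
                              "message": "failing or missing response from the aggregated server"}]}}
]}""")

COREDNS_PODS = json.loads("""{"items": [
  {"metadata": {"name": "coredns-7d8f-abcde"},
   "status": {"phase": "Running",
              "containerStatuses": [{"name": "coredns", "ready": true, "restartCount": 0,
                                     "state": {"running": {"startedAt": "2025-01-01T00:00:00Z"}}}]}},
  {"metadata": {"name": "coredns-7d8f-fghij"},
   "status": {"phase": "Running",
              "containerStatuses": [{"name": "coredns", "ready": false, "restartCount": 17,
                                     "state": {"waiting": {"reason": "CrashLoopBackOff"}}}]}},
  {"metadata": {"name": "coredns-7d8f-klmno"},
   "status": {"phase": "Pending", "containerStatuses": []}}
]}""")


def ready_endpoint_count(endpoints):
    """Ready backend addresses behind a Service. notReadyAddresses are excluded, which is why
    a CoreDNS Service can report 0 backends while its pods still exist (they are just not ready)."""
    return sum(len(subset.get("addresses", [])) for subset in endpoints.get("subsets", []))


def unavailable_apiservices(apiservices):
    """(name, reason) for every APIService whose Available condition is not True."""
    out = []
    for item in apiservices["items"]:
        conds = {c["type"]: c for c in item["status"].get("conditions", [])}
        avail = conds.get("Available", {"status": "Unknown", "reason": "NoCondition"})
        if avail["status"] != "True":
            out.append((item["metadata"]["name"], avail.get("reason", "")))
    return out


def abnormal_pods(pods):
    """(name, reason) for pods that are not Running with every container ready."""
    out = []
    for pod in pods["items"]:
        status = pod["status"]
        if status["phase"] != "Running":
            out.append((pod["metadata"]["name"], status["phase"]))
            continue
        for cs in status.get("containerStatuses", []):
            if not cs["ready"]:
                state = cs.get("state", {})
                reason = state.get("waiting", state.get("terminated", {})).get("reason", "NotReady")
                out.append((pod["metadata"]["name"], reason))
                break
    return out


def assess(endpoints, apiservices, pods):
    """Findings in the spirit of the three checks above; an empty list means compliant."""
    findings = []
    if ready_endpoint_count(endpoints) == 0:
        findings.append("CoreDNS Service has 0 ready backends: in-cluster name resolution is down")
    for name, reason in unavailable_apiservices(apiservices):
        findings.append(f"APIService {name} unavailable ({reason}): discovery and dependent controllers degraded")
    for name, reason in abnormal_pods(pods):
        findings.append(f"CoreDNS pod {name} abnormal ({reason})")
    return findings
```

The endpoint count and the pod check deliberately differ: a CrashLoopBackOff pod is already excluded from the Endpoints addresses, so the backend count can be above zero while pods are still abnormal, and both findings are worth reporting.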

Risk inspection

Abnormal status of elastic components in an ACK cluster (new in 3.0 model)

If the status of an elastic (auto scaling) component in an ACK cluster is abnormal, mechanisms such as auto scaling and auto healing fail. Under high load the cluster cannot scale out dynamically, which creates resource bottlenecks and slow or interrupted service responses; failed nodes or pods are not replaced automatically, which raises availability risk; and the cluster can no longer optimize resource allocation by policy, which wastes cost and lowers O&M efficiency. Over time, key business flows may be blocked. Repair the component urgently to restore the cluster's auto scaling capability. A cluster is considered non-compliant if the status of an elastic component in an ACK cluster is abnormal.

Quick fixes are not supported.

No

Risk inspection

The billing method of the LoadBalancer Service in an ACK cluster is inconsistent with the actual instance (new in 3.0 model)

If the billing method recorded for a LoadBalancer Service in an ACK cluster does not match that of the actual SLB instance, billing becomes unpredictable: you may be charged pay-as-you-go when a subscription was expected, or a subscription resource may be released because it was not renewed on expiration, which interrupts services. Inconsistent resource records also confuse lifecycle management and auto scaling, raising O&M cost and risk. Align the billing method configuration immediately to prevent bill drift and reduced availability. The configuration is considered non-compliant if the billing method of a LoadBalancer Service in an ACK cluster is inconsistent with the actual instance.

Quick fixes are not supported.

No

Risk inspection

The certificate instance ID of a LoadBalancer Service in an ACK cluster is inconsistent with the actual instance (new in 3.0 model)

If the certificate ID configured for a LoadBalancer Service in an ACK cluster does not match the certificate actually attached to the SLB instance, the Transport Layer Security (TLS) configuration is effectively invalid: HTTPS connections may be rejected or trigger browser security warnings, and user access breaks. Users who click through such warnings lose the protection the certificate was meant to provide, which raises the risk of man-in-the-middle attacks, and HTTPS health checks may misjudge backend status and disrupt traffic distribution. Synchronize the certificate configuration immediately to restore secure communication and service availability. The configuration is considered non-compliant if the certificate instance ID of a LoadBalancer Service in an ACK cluster is inconsistent with the actual instance.

Quick fixes are not supported.

No

Data backup and snapshot

No active data backup set is available for AnalyticDB for PostgreSQL (new in 3.0 model)

The data backup check for AnalyticDB for PostgreSQL verifies that the backup policy of an instance is configured correctly, so that data loss or misoperations do not interrupt the business. Periodically reviewing the backup policy and backup status improves data safety and recoverability. A running, non-Serverless AnalyticDB for PostgreSQL instance in elastic storage mode is considered non-compliant if it has no active data backup set within the specified number of hours. The default period is 7 days (168 hours).

Quick fixes are not supported.

No

Data backup and snapshot

No volume is attached to the ECI container group.

An ECI container group is considered non-compliant if no volume is attached to it.

Quick fixes are not supported.

No

Data backup and snapshot

Automatic backup is disabled for the Elasticsearch instance

An Elasticsearch instance is considered non-compliant if automatic backup is disabled.

Quick fixes are not supported.

No

Data backup and snapshot

Log backup is disabled for the RDS instance.

An RDS instance is considered non-compliant if log backup is disabled.

This fix enables log backup for the selected RDS instance. The default retention period is 7 days.

No

Data backup and snapshot

Log backup is not enabled for the AnalyticDB for MySQL cluster

An AnalyticDB for MySQL cluster is considered non-compliant if log backup is not enabled.

This fix enables log backup for the selected AnalyticDB for MySQL cluster. The default retention period is 7 days.

No

Data backup and snapshot

Level-2 backup is not enabled for the PolarDB cluster.

A PolarDB cluster is considered non-compliant if level-2 backup is not enabled and the backup retention period is greater than or equal to 30 days.

This fix sets the level-2 data backup cycle and the level-2 backup retention period for the selected PolarDB cluster. The default retention period is 30 days. If level-2 backup is not enabled, it is enabled automatically.

No

Data backup and snapshot

Incremental backup is not enabled for the Redis instance.

A Tair-type Redis instance is considered non-compliant if incremental backup is not enabled.

Quick fixes are not supported.

No

Data backup and snapshot

Log backup is not enabled for the MongoDB instance

A MongoDB instance is considered non-compliant if log backup is not enabled.

This fix enables log backup for the selected MongoDB instance. The default retention period is 7 days.

No

Data backup and snapshot

An automatic snapshot policy is not configured for the ECS disk.

An ECS disk is considered non-compliant if an automatic snapshot policy is not configured for it.

This fix enables the specified snapshot policy for the selected ECS disk. Because snapshot policies are independent in each region, if a policy with the same name exists in the region where the selected disk is located, the existing policy is used. Otherwise, a new snapshot policy is created.

No

Data backup and snapshot

The data backup protection for the ECS instance is at risk (new in 3.0 model)

Different scenarios, such as daily data protection, protection before high-risk operations, cross-region disaster recovery, and full instance recovery, call for different snapshot and backup solutions. Without the right combination, data may not be recoverable, and the recoverability and recovery speed of core files may fall short of expectations. An ECS instance is considered non-compliant unless it meets all of the following conditions:

  • Two backup solutions are enabled: disk snapshots and file/self-managed database backups.

  • At least one backup solution (cross-region replication of disk snapshots or cross-region replication of file backup vaults) is configured with cross-region replication.

Quick fixes are not supported.

No

Data backup and snapshot

The data backup policy for the OSS bucket is at risk

Protect data at the bucket level. Without versioning, earlier versions of objects that are overwritten or deleted are not kept, so an object cannot be restored to a given point in time after an incident. Without cross-region replication, changes made to the bucket, whether by the same account or by another, are not synchronized to a second region, which severely compromises business continuity in a disaster or failure. An OSS bucket is considered non-compliant unless it meets all of the following conditions:

  • Both versioning and an OSS backup vault are enabled.

  • At least one backup solution (OSS cross-region replication or OSS backup vault cross-region replication) is configured for remote replication.

Quick fixes are not supported.

No

Data backup and snapshot

The data backup policy for the NAS file system is at risk

If the recycle bin and Cloud Backup are not enabled for a NAS file system, files that are deleted by mistake or tampered with cannot be restored in time. If cross-region replication is not enabled for the backup vault, there is no geo-redundant, multi-version copy and data cannot be restored in another region, which critically affects business continuity. A NAS file system is considered non-compliant unless it meets all of the following conditions:

  • Both the NAS recycle bin and Cloud Backup are enabled.

  • Cross-region replication is enabled for the NAS backup vault.

Quick fixes are not supported.

No

Data backup and snapshot

The data backup policy for the Tablestore instance is at risk (new in 3.0 model)

If backup and cross-region backup are not enabled for a Tablestore instance, important data cannot be restored quickly and reliably, and business continuity is severely affected when a failure occurs. A Tablestore instance is considered non-compliant unless it meets all of the following conditions:

  • A backup plan is enabled.

  • Cross-region replication is enabled for the Tablestore backup vault.

Quick fixes are not supported.

No

Quotas & Capacity

ECS API calls are throttled

API calls are throttled, which causes them to fail and may affect business stability. The configuration is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fixing is not supported.

No

Quota & Capacity

RDS API calls are throttled

API calls are throttled, which causes the calls to fail and may affect business stability. The instance is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

SLB API calls are throttled

API calls are throttled, which causes the calls to fail and may affect service stability. An item is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

CDN API calls are throttled

API calls are throttled, which causes the calls to fail. This may affect service stability. The service is considered non-compliant if abnormal throttling issues exist for API calls within the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

Redis API calls are throttled

API calls are throttled. This causes the calls to fail and may affect business stability. The instance is considered non-compliant if API calls have been abnormally throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

PolarDB API calls are throttled

API calls are throttled, which causes the calls to fail and may affect business stability. The instance is considered non-compliant if API calls have experienced throttling issues in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

VPC API calls are throttled

API calls are throttled, which causes the calls to fail and may affect service stability. The item is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

ACK API calls are throttled

API calls are throttled, which causes the calls to fail and may affect business stability. The item is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

RocketMQ API calls are throttled

API calls are throttled, which causes the calls to fail and may affect business stability. The service is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

CEN API calls are throttled

API calls are throttled, which causes the calls to fail and may affect service stability. The item is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

ALB API calls are throttled

API calls are throttled, which causes the calls to fail and may affect service stability. The resource is considered non-compliant if API calls have been throttled within the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

NAS API calls are throttled

API calls are throttled, which causes the calls to fail and may affect business stability. The item is considered non-compliant if API calls have been throttled in the last 7 days.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of ACK clusters is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension operations of product resources. The item is considered non-compliant when a quota item related to the number of ACK clusters reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The vCPU quota usage of ECS pay-as-you-go instances is approaching the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict operations such as creating, modifying, or scaling product resources. An item is considered non-compliant if the quota usage for vCPUs of pay-as-you-go ECS instances reaches 80% of the quota limit.

Quick fix is not supported.

No

Quota & Capacity

The vCPU quota usage for ECS subscription instances is close to the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. A resource is considered non-compliant if the usage of the vCPU quota for ECS subscription instances reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The vCPU quota usage for ECS spot instances is approaching the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The item is considered non-compliant when the usage of the vCPU quota for ECS spot instances reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of security groups is approaching the limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The item is considered non-compliant when the quota for the total number of security groups reaches 80% of its limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of deployment sets is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict operations such as creating, modifying, or extending product resources. The status is considered non-compliant if the quota for the total number of deployment sets reaches 80% of its limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of elastic network interfaces (ENIs) is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The item is considered non-compliant when a quota item related to the total number of elastic network interfaces (ENIs) reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of SLB instances is close to the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The quota is considered non-compliant if the usage of the quota for the total number of SLB instances reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the number of servers that can be attached to the backend of an SLB instance is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The resource is considered non-compliant if the quota for the number of servers that can be attached to the backend of an SLB instance reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the number of listeners in an SLB instance is approaching the limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. An SLB instance is considered non-compliant if its usage of the quota for the number of listeners reaches 80% of the limit.

Quick fix is not supported.

No

Quota & Capacity

The usage of the quota for the number of EIPs that can be attached to a NAT Gateway is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. A resource is considered non-compliant if the usage of the quota for the number of EIPs that can be attached to a NAT Gateway reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the number of SNAT entries in the NAT Gateway is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The resource is considered non-compliant if the usage of the quota for SNAT entries in the NAT Gateway reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The usage of the quota for the number of accelerated domain names supported by CDN is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The item is considered non-compliant when the usage of the quota for the number of accelerated domain names supported by CDN reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for CDN directory refreshes is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. A quota item is considered non-compliant if its usage for CDN directory refreshes reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for CDN URL refreshes is close to the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. A quota item is considered non-compliant if its usage for CDN URL refreshes reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The usage of the CDN prefetch quota is approaching the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. An item is considered non-compliant if its CDN prefetch quota usage reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of ESS scaling groups is approaching the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The quota item for the total number of ESS scaling groups is considered non-compliant if its usage reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of ROS stacks is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The item is considered non-compliant when the usage of the quota for the total number of ROS stacks reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of EBS disks is approaching the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The item is considered non-compliant if the quota usage for the total number of EBS disks reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of EIPs is approaching the limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. The item is considered non-compliant if the usage of the quota for the total number of EIPs reaches 80% of its limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of ALB instances is approaching the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or scaling of product resources. The quota is considered non-compliant if the usage of the quota for the total number of ALB instances reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for the total number of NLB instances is approaching the upper limit (new in 3.0 model)

Insufficient resource quotas may restrict the creation, modification, or scaling of product resources. The item is considered non-compliant if the quota usage for the total number of NLB instances reaches 80% of the upper limit.

Quick fix is not supported.

No

Quota & Capacity

The quota usage for RDS on-demand instances is approaching the upper limit (new in 3.0 model).

Insufficient resource quotas may restrict the creation, modification, or extension of product resources. A quota item is considered non-compliant if the usage of the quota item for RDS on-demand instances reaches 80% of its upper limit.

Quick fix is not supported.

No

Quota & Capacity

The remaining storage space of an RDS instance is insufficient (new in 3.0 model)

Insufficient remaining storage space in an RDS instance can lead to database write failures, performance degradation, and even service interruptions or data loss. Scale out the instance or clear data in a timely manner to prevent business exceptions, ensure stable database operations, and improve system reliability and proactive O&M. An RDS instance is considered non-compliant if its remaining storage space is less than 10%.

Quick fix is not supported.

No

Costs

Category

Check item

Description

Quick fix description

Decision support

Cost policy

Cost management suite is not enabled for the ACK cluster

Traditional methods lack effective cost insight and control in cloud-native scenarios. The cost management suite provides features such as waste detection and cost prediction. The configuration is not a best practice if the cost management suite is not enabled for an ACK cluster.

Quick fix is not supported.

No

Billing method optimization

The subscription billing method is recommended for RDS instances.

We recommend that you use the subscription billing method for resources that are used for a long term. In normal cases, the subscription billing method is more cost-effective than the pay-as-you-go billing method for RDS instances. An RDS instance that uses the pay-as-you-go billing method is not a best practice.

Quick fix is not supported.

No

Billing method optimization

Pay-as-you-go ECS instances are not covered by a savings plan

We recommend that you use the subscription billing method for resources that are used for a long term. In normal cases, the subscription billing method is more cost-effective than the pay-as-you-go billing method for ECS instances. A savings plan is a discount plan that offers lower prices on pay-as-you-go resources in exchange for a commitment to a consistent amount of usage for a specified term. An ECS instance that uses the pay-as-you-go billing method and is not covered by a savings plan is not a best practice.

Quick fix is not supported.

No

Application resource optimization

Low resource utilization for an ECS instance

Maintaining the resource utilization of ECS instances at a reasonable level for a long term is an important task for cloud cost management. The cloud platform provides ECS instances of various specifications. You must select an instance of appropriate specifications based on your business cycle to control the costs of ECS instances. The configuration is not a best practice if the CPU utilization and memory usage of an ECS instance are both lower than 3% for 30 consecutive days.

Quick fix is not supported.

No

Application resource optimization

Low disk usage for an ECS instance

Maintaining the resource utilization of ECS instances at a reasonable level for a long term is an important task for cloud cost management. The cloud platform provides ECS instances of various specifications. You must select an instance of appropriate specifications based on your business cycle to control the costs of ECS instances. The configuration is not a best practice if the disk usage of an ECS disk is lower than 3% for 30 consecutive days.

Quick fix is not supported.

No

Application resource optimization

Low resource utilization for an RDS instance

Maintaining the resource utilization of RDS instances at a reasonable level for a long term is an important task for cloud cost management. The cloud platform provides RDS instances of various specifications. You must select an instance of appropriate specifications based on your business cycle to control the costs of RDS instances. The configuration is not a best practice if the CPU utilization, memory usage, and disk usage of an RDS instance are all lower than 3% for 30 consecutive days.

Quick fix is not supported.

No

Application resource optimization

Low disk usage for an RDS instance

Maintaining the resource utilization of RDS instances at a reasonable level for a long term is an important task for cloud cost management. The cloud platform provides RDS instances of various specifications. You must select an instance of appropriate specifications based on your business cycle to control the costs of RDS instances. The configuration is not a best practice if the disk usage of an RDS disk is lower than 3% for 30 consecutive days.

Quick fix is not supported.

No

Application resource optimization

Idle ALB instance exists

An ALB instance is considered non-compliant if it has a listener to which no backend server is added and the instance was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle Internet Shared Bandwidth instance exists

An Internet Shared Bandwidth instance is considered non-compliant if it is not associated with any resource and was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle container image instance exists

A container image instance is considered non-compliant if no namespace or image repository is created for it and the instance was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle ECS instance exists

An ECS instance is considered non-compliant if it is in the Stopped state and the economical mode is not enabled for it.

Quick fix is not supported.

No

Application resource optimization

Idle ECS disk exists

A disk is considered non-compliant if it is not in the In Use state and was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle EIP instance exists

An EIP is considered non-compliant if it is not associated with any resource and was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle NAT Gateway exists

A NAT Gateway is considered non-compliant if it is not associated with an EIP, or the associated EIP has no SNAT or DNAT entries, and the gateway was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle VPC NAT Gateway exists

A VPC NAT Gateway is considered non-compliant if it is not associated with an EIP, or the associated EIP has no SNAT or DNAT entries, and the gateway was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle NAS file system exists

A NAS file system is considered non-compliant if no mount target is added to it and the file system was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle SLB instance exists

An SLB instance is considered non-compliant if it has no running listener and was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

Idle VPN Gateway exists

A VPN Gateway is considered non-compliant if no destination-based route is configured, automatic BGP route propagation is not enabled, and the gateway was created more than 7 days ago.

Quick fix is not supported.

No

Application resource optimization

An ESA site is in an abnormal state

This check item ensures that the site is enabled so that ESA can provide acceleration and protection for the site. It is not a best practice for application resource optimization if the site is not enabled.

Quick fix is not supported.

No

Cost monitoring

Low balance alert is not enabled for the account (new in 3.0 model)

If you do not enable the low balance alert feature in the Expenses and Costs console, you may not receive notifications when your account balance is about to be exhausted. This may cause service suspension, data loss, or business interruption due to overdue payments. In addition, the lack of an alert mechanism may lead to uncontrolled costs and affect enterprise budget management and financial compliance. Your account is considered non-compliant if the low balance alert feature is not enabled for your account in the Expenses and Costs console.

Quick fix is not supported.

No

Efficiency

Category

Check item

Description

Quick fix description

Decision support

Resource Management

Linked instances are in different resource groups

If linked instances are not in the same resource group, management based on resource groups (such as permission, financial, and O&M management) cannot cover all target resources. The configuration is considered non-compliant if linked instances exist but are not in the same custom resource group.

Quick fix is not supported.

No

Resource Management

Custom resource groups are not used to group resources

You can use custom resource groups to flexibly control the access and use of resources. The configuration is considered non-compliant if the proportion of resources that belong to custom resource groups is less than 75% of the total resources.

Quick fix is not supported.

No

Resource Management

Custom tags are not used to tag resources

You can use custom tags to flexibly identify, sort, and organize various resources. The configuration is considered non-compliant if the proportion of resources with custom tags is less than 75% of the total resources.

Quick fix is not supported.

No

Resource Management

Creator tags are not enabled

As the scale of resources on the cloud expands for an enterprise, multiple users are required to manage these resources. In scenarios such as cost management and security, it is necessary to effectively identify the creator of a resource to facilitate cost allocation or security tracing, thereby improving management efficiency. The configuration is considered non-compliant if creator tags are not enabled.

Quick fix is not supported.

No

Resource Management

Predefined tags are not used

Predefined tags are created in advance and apply to all regions. You can use predefined tags to conveniently attach tags to and manage cloud resources during the resource implementation phase. The configuration is considered non-compliant if the proportion of predefined tags to custom tags is less than 80%.

Quick fix is not supported.

No

Resource Management

The multi-account resource search feature is not enabled

When a resource directory is used to manage multiple Alibaba Cloud accounts, the management account or a delegated administrator account can view and retrieve the cloud resources of all members within the resource directory. The configuration is considered non-compliant if cross-account resource search is not enabled.

Quick fix is not supported.

No

Account system

Account is not managed by a resource directory

Compared with decentralized management of multiple accounts, centralized management of multiple accounts provides benefits in terms of permissions, security, and costs for an enterprise. The configuration is considered non-compliant if the current account does not belong to any resource directory.

Quick fix is not supported.

No

Account system

We recommend that you set a delegated administrator account for the resource directory.

You can use a delegated administrator account to separate organization management tasks from business management tasks. The management account performs the organization management tasks of the resource directory, and the delegated administrator account performs the business management tasks of trusted services. The configuration is considered non-compliant if no delegated administrator account is set for the trusted services enabled by the management account (MA) of the resource directory.

Quick fix is not supported.

No

Account system

You can centrally manage message contacts across multiple accounts.

You can use the message contact management feature of a resource directory to implement centralized management of cross-account message contacts. The configuration is considered non-compliant if no message contacts are detected for the resource directory, or if the message contacts are not attached to the resource directory, a folder, or a member.

Quick fix is not supported.

No

Resource provisioning and orchestration

Resource creation API call success rate is below 100%

The configuration is considered non-compliant if the success rate of creating infrastructure resources using automated methods (such as OpenAPI, Cloud Control API, SDK, and Terraform) in the last 30 days is less than 100%.

Quick fix is not supported.

No

Resource provisioning and orchestration

Resource modification API call success rate is below 100%

The configuration is considered non-compliant if the success rate of modifying infrastructure resources using automated methods (such as OpenAPI, Cloud Control API, SDK, and Terraform) in the last 30 days is less than 100%.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated ECS API is called

Deprecated ECS APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated ECS API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated RDS API is called

Deprecated RDS APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated RDS API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated SLB API is called

Deprecated SLB APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated SLB API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated CDN API is called

Deprecated CDN APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated CDN API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated Redis API is called

Deprecated Redis APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated Redis API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated PolarDB API is called

Deprecated PolarDB APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated PolarDB API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated VPC API is called

Deprecated VPC APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated VPC API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated ACK API is called

Deprecated ACK APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated ACK API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated RocketMQ API is called

Deprecated RocketMQ APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated RocketMQ API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated CEN API is called

Deprecated CEN APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated CEN API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated ALB API is called

Deprecated ALB APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated ALB API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

A deprecated NAS API is called

Deprecated NAS APIs are no longer maintained, pose stability threats, and do not support new features. The behavior is considered non-compliant if a deprecated NAS API has been called in the last 30 days.

Quick fix is not supported.

No

Resource provisioning and orchestration

It is a best practice to automate routine resource provisioning.

The configuration is considered non-compliant if the proportion of resources created by calling OpenAPI outside the console in the last year is less than 100%.

Quick fix is not supported.

No

Resource provisioning and orchestration

We recommend automating the continuous management of resources.

The configuration is considered non-compliant if the proportion of continuous resource management operations performed by calling OpenAPI outside the console in the last 30 days is less than 100%.

Quick fix is not supported.

No

Resource provisioning and orchestration

We recommend automating resource management.

The configuration is considered non-compliant if the proportion of OpenAPI calls made through automated methods such as SDK, Terraform, Cloud Control API, CADT, ROS, and Service Catalog in the last 30 days is less than 100%.

Quick fix is not supported.

No

Performance

Category

Check item

Description

Quick fix description

Decision support

Performance monitoring

MSE components have capacity risks.

Ensure that the resource capacity is within a reasonable range. If the capacity limit is exceeded, stability risks may occur. The configuration is considered non-compliant if any MSE metric exceeds its capacity limit.

Quick fix is not supported.

No

Performance monitoring

RDS instances have high performance loads (new in 3.0 model).

If the CPU utilization, memory usage, or number of connections of an RDS instance remains high for a long time, it may cause system performance degradation, reduced stability, or even service interruptions. We recommend that you monitor and handle this issue in a timely manner. The configuration is considered non-compliant if the average usage of any of the following metrics of an RDS instance is greater than or equal to 80% for at least 8 hours in the last 7 days: CPU utilization, memory usage, connection usage, or IOPS.

Quick fix is not supported.

No

Performance monitoring

Redis instances have high performance loads (new in 3.0 model).

If the CPU utilization or memory usage of a Redis instance remains high for a long time, it may cause system performance degradation, reduced stability, or even service interruptions. We recommend that you monitor and handle this issue in a timely manner. The configuration is considered non-compliant if the average usage of the CPU utilization or memory usage of a Redis instance is greater than or equal to 80% for at least 8 hours in the last 7 days.

Quick fix is not supported.

No

Performance monitoring

SLB instances have high performance loads (new in 3.0 model).

If the usage of the maximum connections, new connections, or outbound bandwidth of an SLB instance remains high for a long time, it may cause system performance degradation, reduced stability, or even service interruptions. We recommend that you monitor and handle this issue in a timely manner. The configuration is considered non-compliant if the average usage of any of the following metrics of an SLB instance is greater than or equal to 80% for at least 8 hours in the last 7 days: maximum connection usage, new connections, or outbound bandwidth usage.

Quick fix is not supported.

No

Performance monitoring

The Internet Shared Bandwidth associated with an ALB instance has high performance loads (new in 3.0 model).

If the outbound bandwidth usage of the Internet Shared Bandwidth associated with an ALB instance remains high for a long time, it may cause system performance degradation, reduced stability, or even service interruptions. We recommend that you monitor and handle this issue in a timely manner. The configuration is considered non-compliant if the maximum outbound bandwidth usage of the Internet Shared Bandwidth associated with an ALB instance is greater than or equal to 80% for at least 8 hours in the last 24 hours.

Quick fix is not supported.

No

Performance monitoring

The EIPs associated with an ALB instance have high performance loads (new in 3.0 model).

If the outbound bandwidth usage of an EIP associated with an ALB instance remains high for a long time, it may cause system performance degradation, reduced stability, or even service interruptions. We recommend that you monitor and handle this issue in a timely manner. The configuration is considered non-compliant if the maximum outbound bandwidth usage of any EIP associated with an ALB instance is greater than or equal to 80% for at least 8 hours in the last 24 hours.

Quick fix is not supported.

No

Performance monitoring

VPN Gateways have high performance loads (new in 3.0 model).

If the inbound or outbound bandwidth usage of a VPN Gateway remains high for a long time, it may cause system performance degradation, reduced stability, or even service interruptions. We recommend that you monitor and handle this issue in a timely manner. The configuration is considered non-compliant if the maximum inbound or outbound bandwidth usage of a VPN Gateway is greater than or equal to 80% for at least 8 hours in the last 24 hours.

Quick fix is not supported.

No

Performance monitoring

ECS resources have performance risks due to high memory usage.

Ensure that the memory usage of core cloud products such as ECS is at a healthy level to avoid performance degradation or service interruption risks caused by insufficient memory. The configuration is considered non-compliant if the memory usage of an ECS instance is higher than 85% for more than 9 hours in total in the last 24 hours.

Quick fix is not supported.

No

Performance monitoring

EBS disks have performance risks due to high throughput.

This check item helps customers prevent performance bottlenecks, evaluate whether storage resources are reasonably allocated, and decide whether to scale out resources to ensure business continuity. The configuration is considered non-compliant if the IOPS or BPS usage of an EBS disk exceeds 90% of the IOPS or BPS limit for its disk type in the last 24 hours.

Quick fix is not supported.

No

Performance monitoring

EBS disks have performance risks due to high disk space usage.

High disk space usage may increase the risk of data loss. This check item helps customers identify potential performance bottlenecks early and take measures before performance degrades. The configuration is considered non-compliant if the disk space usage of an EBS disk exceeds 80%.

Quick fix is not supported.

No

Performance monitoring

ECS resources have performance risks due to high CPU utilization.

Ensuring that the CPU utilization of core cloud products such as ECS is at a healthy level is fundamental to guaranteeing stable and continuous business performance. High loads not only slow down application responses but may also trigger automatic protection mechanisms, such as automatic system restarts or service degradation. The configuration is considered non-compliant if the CPU utilization of an ECS instance is higher than 85% for more than 8 hours in total in the last 24 hours.

Quick fix is not supported.

No
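The performance items above all have the same shape: a usage metric at or above a threshold for a minimum number of hours within a lookback window. The Python below is an added example, not Cloud Governance Center code, that evaluates that shape over sampled metric data. It assumes that "at least 8 hours" is cumulative over hourly averages rather than one contiguous run, and it models the ECS wording "higher than 85%" as a strict comparison while the 80% items are inclusive. The metric series, the NOW timestamp, and the rule names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

Sample = Tuple[datetime, float]  # (UTC timestamp, usage in percent)


@dataclass(frozen=True)
class SustainedLoadRule:
    name: str
    threshold_pct: float
    min_hours: int          # cumulative hours at/above threshold that flag the instance
    lookback: timedelta
    strict: bool = False    # True models "higher than 85%"; False models "greater than or equal to 80%"


# Thresholds taken from the check items above.
RULES = {
    "rds": SustainedLoadRule("RDS CPU/memory/connections/IOPS", 80.0, 8, timedelta(days=7)),
    "redis": SustainedLoadRule("Redis CPU/memory", 80.0, 8, timedelta(days=7)),
    "slb": SustainedLoadRule("SLB connections/new connections/outbound bandwidth", 80.0, 8, timedelta(days=7)),
    "ecs_cpu": SustainedLoadRule("ECS CPU", 85.0, 8, timedelta(hours=24), strict=True),
    "ecs_mem": SustainedLoadRule("ECS memory", 85.0, 9, timedelta(hours=24), strict=True),
}

# Constructed evaluation time; an exact hour so sample buckets line up with spike boundaries.
NOW = datetime(2025, 7, 31, 12, 0, tzinfo=timezone.utc)


def hourly_means(samples: Iterable[Sample], start: datetime, end: datetime) -> Dict[datetime, float]:
    """Average the samples inside [start, end) per whole UTC hour."""
    buckets: Dict[datetime, List[float]] = {}
    for ts, value in samples:
        if start <= ts < end:
            buckets.setdefault(ts.replace(minute=0, second=0, microsecond=0), []).append(value)
    return {hour: sum(vals) / len(vals) for hour, vals in buckets.items()}


def hours_over_threshold(samples: Iterable[Sample], rule: SustainedLoadRule, now: datetime) -> int:
    """Count hourly buckets in the lookback window whose mean meets the rule's threshold.
    Assumption of this example: the check's 'at least N hours' is cumulative, not one contiguous run."""
    means = hourly_means(samples, now - rule.lookback, now)
    if rule.strict:
        return sum(1 for v in means.values() if v > rule.threshold_pct)
    return sum(1 for v in means.values() if v >= rule.threshold_pct)


def evaluate(metrics: Dict[str, List[Sample]], rule: SustainedLoadRule, now: datetime) -> Dict[str, object]:
    """Any single metric reaching min_hours makes the instance non-compliant."""
    hours = {m: hours_over_threshold(s, rule, now) for m, s in metrics.items()}
    breaching = {m: h for m, h in hours.items() if h >= rule.min_hours}
    return {"rule": rule.name, "non_compliant": bool(breaching), "breaching_metrics": breaching}


def constructed_series(now: datetime, baseline: float, spikes: List[Tuple[int, int, float]],
                       days: int = 7, step_minutes: int = 5) -> List[Sample]:
    """Constructed metric series: `baseline` everywhere except (start_hours_ago, end_hours_ago, value) spikes."""
    series: List[Sample] = []
    t = now - timedelta(days=days)
    while t < now:
        value = baseline
        for start_h, end_h, spike in spikes:
            if now - timedelta(hours=start_h) <= t < now - timedelta(hours=end_h):
                value = spike
        series.append((t, value))
        t += timedelta(minutes=step_minutes)
    return series


def demo() -> Dict[str, Dict[str, object]]:
    rds = {
        "cpu": constructed_series(NOW, 40.0, [(30, 20, 92.0)]),                        # 10 h at 92%: flagged
        "connections": constructed_series(NOW, 30.0, [(5, 1, 85.0), (100, 97, 88.0)]),  # 4 h + 3 h = 7 h: not enough
    }
    ecs = {"cpu": constructed_series(NOW, 50.0, [(10, 1, 85.0)], days=1)}               # 9 h at exactly 85%: not "higher than"
    return {"rds": evaluate(rds, RULES["rds"], NOW), "ecs_cpu": evaluate(ecs, RULES["ecs_cpu"], NOW)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two edge cases in `demo()` are the ones that matter in practice: two separate spikes that add up to fewer than 8 hours do not flag the RDS instance, and an ECS instance sitting at exactly 85% for 9 hours is not "higher than 85%" and so does not flag either.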

Network design

CDN is not used to accelerate access to OSS resources (new in 3.0 model).

Using CDN to distribute static resources such as images, videos, and documents in OSS can reduce traffic costs and improve resource loading speed. CDN deploys cache nodes in multiple regions around the world. When a user requests to access static resources in OSS, CDN routes the user's request to the nearest cache node, eliminating the need for long-distance requests to directly access OSS resources. At the same time, the nearest cache node returns the cached resources to the user without fetching them from the origin OSS. This process generates CDN downstream traffic fees. The unit price of CDN downstream traffic is lower than that of OSS outbound traffic over the Internet. The configuration is considered non-compliant if the current OSS Bucket is frequently requested but CDN is not used for OSS data transmission optimization.

Quick fix is not supported.

No

Network design

Smart routing is not enabled for ESA sites in global regions.

This check item ensures that smart routing is enabled for sites to improve the acceleration effect of ESA in global regions. If it is not enabled, the configuration does not comply with the best practices for network optimization.

Quick fix is not supported.

No

Network design

Cache rules are not configured for ESA sites.

This check item ensures that cache rules are configured for sites to reduce origin fetch traffic. If they are not configured, the configuration does not comply with the best practices for network optimization.

Quick fix is not supported.

No

Network design

A custom domain name is not set for the OSS Bucket.

Using a custom domain name can enhance brand image and professionalism, and improve stability. A custom domain name can be bound through a CNAME record to achieve CDN acceleration and improve access performance. It also supports secure HTTPS access to enhance data transmission security. The configuration is considered non-compliant if a custom domain name is not set for the OSS Bucket.

Quick fix is not supported.

No

Use elastic resources

Auto Scaling group cannot automatically scale for performance.

Core cloud resources such as ECS instances should be managed by an Auto Scaling group so that capacity is increased or decreased automatically with the performance load, keeping resources balanced while the business runs.

Quick fix is not supported.

No

Use elastic resources

The automatic scaling feature is not enabled for RDS (new in 3.0 model).

If the automatic scaling feature is not enabled for an RDS instance, the instance may not be able to scale out resources in a timely manner to handle load growth during peak hours, or release idle resources during off-peak hours. This can lead to performance bottlenecks, response latency, or even service interruptions, while also causing resource waste and unnecessary costs. Enabling the automatic scaling feature helps customers achieve elastic resource scheduling and efficient utilization. It ensures database stability and high availability, optimizes the cost structure, and improves the intelligence of cloud resource management. The configuration is considered non-compliant if the automatic scaling feature is not enabled for an RDS instance.

Quick fix is not supported.

No

Removed check items

Some check items from the 2.0 model have been merged into the 3.0 model. Because the 3.0 model covers the detection of related threats, the following check items have been removed.

Pillar

Category

Check Item

Check Item Description

Security

Avoid privilege abuse

Too many RAM identities are granted important permissions on OSS and SLS

We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. A RAM identity that has the oss:Delete* or log:Delete* permissions can delete data stored in OSS or SLS. Improper management may cause data loss. A RAM identity that has permissions such as oss:PutBucketAcl, oss:PutObjectAcl, and oss:PutBucketPolicy can modify the access permissions on files in OSS buckets. This may allow external access to the OSS files and cause unauthorized data access. The requirement is met if three or fewer RAM identities in the current Alibaba Cloud account have the oss:Delete*, oss:PutAcl, oss:PutPolicy, log:Delete*, or log:Update* permissions.

Security

Avoid privilege abuse

Too many RAM identities are granted important permissions on the resource directory

You can use a resource directory to centrally manage accounts in an organization. You can also create new accounts or remove existing accounts from the current organization. As a best practice, only administrators or cloud management team leaders in the organization should have write permissions on the resource directory, such as the permissions to enable or disable the resource directory, create, invite, or delete accounts, and switch account types. In most cases, no more than three employees in an enterprise should have these permissions. We recommend that you do not grant regular users the write permissions on the resource directory. Otherwise, misoperations such as deleting an Alibaba Cloud account may cause business losses.

Security

Use granular access control

The access scope of some RAM identities is converged

We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. The requirement is met if, in the current Alibaba Cloud account, a RAM identity is granted permissions on only some operations of an Alibaba Cloud service rather than on all of them.

Security

Use granular access control

The access to OSS and SLS is not converged for any RAM identity

We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. For access to data products such as OSS and SLS, we recommend that you use fine-grained authorization to reduce the risk of data breaches caused by identity leaks. In the current Alibaba Cloud account, if a RAM identity is granted operation permissions on data products, those permissions must be granted through fine-grained authorization; do not use the wildcard character (*) for batch authorization. The requirement is met if every such RAM identity satisfies these conditions.

Security

Authorization efficiency and control

The effective scope of a custom policy attached to a RAM identity does not specify a resource group

By default, the effective scope of a custom policy attached to a RAM identity is at the account level. In this case, if no specific resources or conditions are specified in the custom policy, the RAM identity has the specified permissions on all resources within the account. As a best practice for cloud resource management, you should group resources by resource group and then grant permissions to RAM identities based on the groups. During authorization, you can limit the effective scope to resource groups to better restrict the permission scope of RAM identities and implement fine-grained authorization. The best practice is considered to be followed if the effective scope of a custom policy attached to a RAM identity is a resource group, or if a resource group is specified in the policy conditions.

Security

Authorization efficiency and control

The authorization of RAM identities that have service-level system policies is not converged to resource groups

We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. You can divide cloud resources into resource groups based on dimensions such as applications and environments. When you grant permissions, you can grant permissions based on resource groups to further narrow the permission scope and avoid risks caused by excessive permissions. The requirement is met in the current Alibaba Cloud account if a RAM identity has a service-level system policy (such as AliyunECSFullAccess) and the authorization scope is a resource group.

Security

Authorization efficiency and control

The authorization of RAM identities that have administrator permissions is not converged to resource groups

We recommend following the principle of least privilege for RAM identity permission management by granting only necessary permissions. You can divide cloud resources into resource groups based on dimensions such as applications and environments. When you grant permissions, you can grant permissions based on resource groups to further narrow the permission scope and avoid risks caused by excessive permissions. The requirement is met in the current account if a RAM identity has the AdministratorAccess permission and the authorization scope is a resource group.
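The removed items on high-impact OSS and SLS permissions, on wildcard grants to data products, and on resource-group scoping can all be evaluated from the RAM policy documents attached to an identity. The Python below is an added example, not Cloud Governance Center or RAM code. It parses RAM policy JSON (Version, Statement, Effect, Action, Resource, Condition), matches granted actions against the risky patterns named above with trailing-wildcard semantics on both sides (so `oss:*` and `*` count as granting `oss:Delete*`), reports wildcard grants on the `oss` and `log` services, and treats a statement as resource-group scoped when its Condition carries the `acs:ResourceGroupId` key. That key name is an assumption of the example, and attachment-level scope (a policy attached to an identity within a resource group) is not visible in the document and is not checked here. The policy documents and identity names are constructed.

```python
import json
from typing import Dict, List, Set

# High-impact actions named by the removed check items above (RAM trailing-wildcard style).
RISKY_ACTIONS = ["oss:Delete*", "oss:PutBucketAcl", "oss:PutObjectAcl", "oss:PutBucketPolicy",
                 "log:Delete*", "log:Update*"]
DATA_SERVICES = {"oss", "log"}                 # OSS and SLS (service prefix "log")
RG_CONDITION_KEY = "acs:ResourceGroupId"      # assumption: condition key that scopes a statement to a resource group
MAX_IDENTITIES_WITH_RISKY_ACTIONS = 3         # the removed check passed at three or fewer identities


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_covers(granted: str, risky: str) -> bool:
    """True if a granted action pattern includes at least one action matched by the risky pattern.
    Both sides may end in '*'; comparison is case-insensitive and prefix-based."""
    g, r = granted.lower(), risky.lower()
    if g == "*":
        return True
    g_prefix = g[:-1] if g.endswith("*") else None
    r_prefix = r[:-1] if r.endswith("*") else None
    if g_prefix is not None and r_prefix is not None:
        return r_prefix.startswith(g_prefix) or g_prefix.startswith(r_prefix)
    if g_prefix is not None:
        return r.startswith(g_prefix)
    if r_prefix is not None:
        return g.startswith(r_prefix)
    return g == r


def analyze_policy(document: str) -> Dict[str, object]:
    """Risk signals from one RAM policy document: which risky actions it grants, which Allow
    actions use a wildcard on a data service, and whether every Allow statement is resource-group scoped."""
    policy = json.loads(document)
    risky: Set[str] = set()
    wildcard_data_grants: List[str] = []
    allow_statements = 0
    rg_scoped_statements = 0
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        allow_statements += 1
        for action in _as_list(stmt.get("Action", [])):
            risky.update(p for p in RISKY_ACTIONS if action_covers(action, p))
            service, _, verb = action.partition(":")
            if action == "*" or (service.lower() in DATA_SERVICES and "*" in verb):
                wildcard_data_grants.append(action)
        condition = stmt.get("Condition", {})
        if any(RG_CONDITION_KEY in keys for keys in condition.values()):
            rg_scoped_statements += 1
    return {
        "risky_actions": sorted(risky),
        "wildcard_data_grants": wildcard_data_grants,
        "resource_group_scoped": allow_statements > 0 and rg_scoped_statements == allow_statements,
    }


def identities_with_risky_data_permissions(identities: Dict[str, List[str]]) -> List[str]:
    """identities: RAM identity name -> attached policy documents (JSON strings)."""
    return sorted(name for name, docs in identities.items()
                  if any(analyze_policy(doc)["risky_actions"] for doc in docs))


def too_many_privileged_identities(identities: Dict[str, List[str]]) -> bool:
    return len(identities_with_risky_data_permissions(identities)) > MAX_IDENTITIES_WITH_RISKY_ACTIONS


# Constructed policy documents and identity names (not from any real account).
ADMIN = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
OSS_READ = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["oss:GetObject", "oss:ListObjects"], "Resource": "acs:oss:*:*:app-logs/*"}]})
OSS_FULL_IN_RG = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*",
    "Condition": {"StringEquals": {"acs:ResourceGroupId": "rg-example"}}}]})   # rg-example is a placeholder
SLS_CLEANUP = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["log:DeleteLogStore"], "Resource": "acs:log:*:*:project/app/*"}]})

CONSTRUCTED_IDENTITIES = {
    "ops-admin": [ADMIN],
    "reporting-reader": [OSS_READ],
    "data-platform": [OSS_FULL_IN_RG],
    "log-janitor": [SLS_CLEANUP],
}

if __name__ == "__main__":
    for name, docs in CONSTRUCTED_IDENTITIES.items():
        print(name, [analyze_policy(d) for d in docs])
    print("identities with risky data permissions:", identities_with_risky_data_permissions(CONSTRUCTED_IDENTITIES))
```

The point of matching wildcards on both sides is that a grant of `oss:*` never literally contains the string `oss:Delete*`, yet it grants every delete action; a check that compares action strings for equality misses exactly the broadest grants the items warn about. The constructed set has three identities holding risky actions, so the removed threshold of three or fewer is just satisfied; adding one more would flip `too_many_privileged_identities` to True.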

Security

Non-compliance alert response

No alert rules are configured for threat-related operations and events

The configuration is considered non-compliant if no account security-related rules or ActionTrail operation compliance-related rules supported by ActionTrail event alerting are enabled.

Security

Enable automatic remediation

Non-compliant issues are not automatically remediated

The configuration is considered non-compliant if you do not enable automatic remediation for any rule.

Security

Data storage instances should not be accessible over the Internet

The IP address whitelist of a PolarDB instance is set to 0.0.0.0/0

An IP address whitelist specifies the IP addresses that are allowed to access a PolarDB cluster. If you set the IP address whitelist to % or 0.0.0.0/0, any IP address can access the database cluster. This setting significantly reduces the security of the database. Do not use this setting unless necessary. As a best practice, we recommend that you follow the principle of least privilege and configure a proper IP address whitelist to ensure a high level of access security for the PolarDB cluster. The configuration does not follow the best practice if the IP address whitelist of a cluster is set to 0.0.0.0/0 or %.

Security

Data storage instances should not be accessible over the Internet

The IP address whitelist of an RDS instance is set to 0.0.0.0/0

An IP address whitelist specifies the IP addresses that are allowed to access an RDS instance. If you set the IP address whitelist to 0.0.0.0/0, any IP address can access the database instance. This setting significantly reduces the security of the database. Do not use this setting unless necessary. As a best practice, we recommend that you follow the principle of least privilege and configure a proper IP address whitelist to ensure a high level of access security for the database instance. The configuration does not follow the best practice if the IP address whitelist of an instance is set to 0.0.0.0/0.

Security

Data storage instances should not be accessible over the Internet

The IP address whitelist of a Redis instance is set to 0.0.0.0/0

An IP address whitelist specifies the IP addresses that are allowed to access a Redis instance. If you set the IP address whitelist to 0.0.0.0/0, any IP address can access the instance. This setting significantly reduces the security of the instance. Do not use this setting unless necessary. As a best practice, we recommend that you follow the principle of least privilege and configure a proper IP address whitelist to ensure a high level of access security for the instance. The configuration does not follow the best practice if the IP address whitelist of an instance is set to 0.0.0.0/0.

Security

Data storage instances should not be accessible over the Internet

The IP address whitelist of a MongoDB instance is set to 0.0.0.0/0

An IP address whitelist specifies the IP addresses that are allowed to access a MongoDB instance. If you set the IP address whitelist to 0.0.0.0/0, any IP address can access the database instance. This setting significantly reduces the security of the database. Do not use this setting unless necessary. As a best practice, we recommend that you follow the principle of least privilege and configure a proper IP address whitelist to ensure a high level of access security for the database instance. The configuration does not follow the best practice if the IP address whitelist of an instance is set to 0.0.0.0/0.

Security

Data storage instances should not be accessible over the Internet

The IP address whitelist of an Elasticsearch instance is set to 0.0.0.0/0

An instance IP address whitelist specifies the IP addresses that are allowed to access an Elasticsearch instance. If you set the IP address whitelist to 0.0.0.0/0 or ::/0, any IP address can access the instance. This setting significantly reduces the security of the instance. Do not use this setting unless necessary. As a best practice, we recommend that you follow the principle of least privilege and configure a proper IP address whitelist to ensure a high level of access security for the instance. The configuration does not follow the best practice if the IP address whitelist of an instance is set to 0.0.0.0/0 or ::/0.
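The five whitelist items above reduce to the same test on each whitelist entry. The Python below is an added example, not Cloud Governance Center code, that parses a comma-separated whitelist, flags the values the items name (0.0.0.0/0, ::/0 and %), normalizes equivalent spellings such as netmask notation through the standard `ipaddress` module so they cannot slip past a string comparison, and, as an extension beyond the page's rule, also reports IPv4 ranges of /8 or wider. The instance IDs and whitelist strings are constructed.

```python
import ipaddress
from typing import Dict, List

OPEN_TO_WORLD = {"0.0.0.0/0", "::/0", "%"}   # the literal values the check items above flag
BROAD_IPV4_PREFIXLEN = 8                     # extension of this example: also report /8 or wider IPv4 ranges


def parse_whitelist(raw: str) -> List[str]:
    """Whitelists are stored as comma-separated entries; split and drop blanks."""
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def classify_entry(entry: str) -> str:
    """'open' = any address may connect; 'broad' = wide IPv4 range; 'ok' = host or narrower range."""
    if entry in OPEN_TO_WORLD:
        return "open"
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "unparseable"
    if network.num_addresses == 2 ** network.max_prefixlen:   # e.g. 0.0.0.0/0.0.0.0 in netmask notation
        return "open"
    if network.version == 4 and network.prefixlen <= BROAD_IPV4_PREFIXLEN:
        return "broad"
    return "ok"


def audit_whitelists(instances: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """instance id -> raw whitelist string; returns the offending entries per instance and kind."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for instance_id, raw in instances.items():
        findings: Dict[str, List[str]] = {"open": [], "broad": [], "unparseable": []}
        for entry in parse_whitelist(raw):
            kind = classify_entry(entry)
            if kind in findings:
                findings[kind].append(entry)
        report[instance_id] = findings
    return report


def non_compliant_instances(instances: Dict[str, str]) -> List[str]:
    """Instances the page's rule would flag: at least one entry that admits any address."""
    return sorted(i for i, f in audit_whitelists(instances).items() if f["open"])


# Constructed instance IDs and whitelist strings (not real data).
CONSTRUCTED_WHITELISTS = {
    "rm-example-01": "127.0.0.1",                    # RDS default value: effectively no remote access
    "rm-example-02": "10.20.0.0/16,203.0.113.7",     # VPC range plus one jump host
    "pc-example-03": "%",                            # PolarDB: any address
    "r-example-04": "0.0.0.0/0, 10.0.0.0/8",         # Redis: open, plus a very wide private range
    "es-example-05": "::/0",                         # Elasticsearch: any IPv6 address
    "dds-example-06": "0.0.0.0/0.0.0.0",             # same as 0.0.0.0/0 written with a netmask
}

if __name__ == "__main__":
    for instance_id, findings in audit_whitelists(CONSTRUCTED_WHITELISTS).items():
        print(instance_id, findings)
    print("non-compliant:", non_compliant_instances(CONSTRUCTED_WHITELISTS))
```

Only the "open" findings correspond to the items on this page; the "broad" list is reported separately so that a wide private range can be reviewed without being counted as Internet exposure.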

Stability

Deletion protection

Release protection is not enabled for Redis resources

The configuration is considered non-compliant if release protection is not enabled for a Redis instance.

Stability

Deletion protection

Release protection is not enabled for ECS resources

The configuration is considered non-compliant if release protection is not enabled for an ECS instance.

Stability

Change management

The maintenance window for Redis resources is unreasonable

The configuration is considered non-compliant if the automatic backup time of a Redis instance is not within the 04:00-05:00, 05:00-06:00, or 12:00-13:00 time range.

Stability

Change management

The maintenance window for PolarDB resources is unreasonable

The configuration is considered non-compliant if the maintenance window of a PolarDB cluster is not within the 02:00-04:00 or 06:00-10:00 time range.

Stability

Change management

The maintenance window for ADB resources is unreasonable

The configuration is considered non-compliant if the maintenance window of an ADB cluster is not within the 02:00-04:00, 06:00-08:00, or 12:00-13:00 time range.

Stability

Change management

The maintenance window for RDS resources is unreasonable

The configuration is considered non-compliant if the maintenance window of an RDS instance is not within the 02:00-06:00 or 06:00-10:00 time range.

Stability

Change management

The maintenance window for ECS resources is unreasonable

Creating snapshots for an ECS instance temporarily reduces the I/O performance of Elastic Block Storage. The configuration is considered non-compliant if the snapshot creation time specified in the automatic snapshot policy is not 01:00 or 02:00.

Cost

Resource cost optimization

The "Best Practices for Idle Resource Detection" compliance package is not enabled

The configuration is considered non-compliant if the compliance package for idle resource detection is not enabled in Cloud Config.

Efficiency

Resource grouping and fencing

Resources in the same organization are not managed using multiple accounts

An Alibaba Cloud account has multiple meanings. Each Alibaba Cloud account is a completely isolated tenant. By default, resource access, network deployment, and identity permissions are completely independent and isolated. An Alibaba Cloud account is also associated with bills. You can deploy different services in different Alibaba Cloud accounts to implement independent accounting and billing. Multi-account management benefits enterprises in terms of environment fencing, security compliance, and business innovation. The condition is met if two or more Alibaba Cloud accounts exist under the same entity.

Efficiency

Automation quality

The ECS quota is at risk of being exhausted

Abnormalities may occur when you create or change product resources or use product features. A threat exists if a resource quota item of a product has a high usage in the last 7 days and a quota_exceed error has occurred.

Efficiency

Automation quality

The VPC quota is at risk of being exhausted

Abnormalities may occur when you create or change product resources or use product features. A threat exists if a resource quota item of a product has a high usage in the last 7 days and a quota_exceed error has occurred.

Efficiency

Automation quality

The SLB quota is at risk of being exhausted

Abnormalities may occur when you create or change product resources or use product features. A threat exists if a resource quota item of a product has a high usage in the last 7 days and a quota_exceed error has occurred.

Efficiency

Automation quality

The CEN quota is at risk of being exhausted

Abnormalities may occur when you create or change product resources or use product features. A threat exists if a resource quota item of a product has a high usage in the last 7 days and a quota_exceed error has occurred.

Efficiency

Automation quality

The ACK quota is at risk of being exhausted

Abnormalities may occur when you create or change product resources or use product features. A threat exists if a resource quota item of a product has a high usage in the last 7 days and a quota_exceed error has occurred.

Efficiency

Automation quality

The CDN quota is at risk of being exhausted

Abnormalities may occur when you create or change product resources or use product features. A threat exists if a resource quota item of a product has a high usage in the last 7 days and a quota_exceed error has occurred.