
Cloud Config: ResourceProtectionOnBestPractices

Last Updated: Oct 11, 2023

The ResourceProtectionOnBestPractices compliance package checks whether protection features such as the deletion protection and update protection features are enabled for cloud services such as Elastic Compute Service (ECS) and ApsaraDB RDS. If the protection features are not enabled, we recommend that you enable them at the earliest opportunity. This topic describes the rules that are provided in the ResourceProtectionOnBestPractices compliance package.

| Rule name | Description |
| --- | --- |
| ack-cluster-deletion-protection-enabled | Checks whether the release protection feature is enabled for each ACK cluster. If so, the evaluation result is Compliant. |
| slb-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each Application Load Balancer (ALB) instance. If so, the evaluation result is Compliant. The deletion protection feature prevents instances from being released by misoperations. |
| ecs-all-enabled-security-protection | Checks whether the Security Center agent is installed on each ECS instance that belongs to the current account. If so, the evaluation result is Compliant. |
| ecs-instance-deletion-protection-enabled | Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant. |
| ecs-instance-enabled-security-protection | Checks whether the Security Center agent is installed on each ECS instance. If so, the evaluation result is Compliant. The Security Center agent helps protect the security of ECS instances. This rule does not apply to ECS instances that are not running. |
| eip-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each elastic IP address (EIP). If so, the evaluation result is Compliant. For EIPs created with service accounts and subscription EIPs, the evaluation result is Not Applicable. These EIPs do not support the deletion protection feature. |
| hbase-cluster-deletion-protection | Checks whether the deletion protection feature is enabled for each ApsaraDB for HBase cluster. If so, the evaluation result is Compliant. |
| kms-key-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each customer master key (CMK) in KMS. If so, the evaluation result is Compliant. |
| mongodb-instance-release-protection | Checks whether the release protection feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant. |
| natgateway-delete-protection-enabled | Checks whether the release protection feature is enabled for each NAT gateway. If so, the evaluation result is Compliant. |
| polardb-cluster-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. |
| rds-instacne-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each RDS instance. If so, the evaluation result is Compliant. For subscription resources, the evaluation result is Not Applicable. |
| redis-instance-release-protection | Checks whether the release protection feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. |
| slb-delete-protection-enabled | Checks whether the release protection feature is enabled for each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant. |
| slb-modify-protection-check | Checks whether the modification protection feature is enabled for each SLB instance. If so, the evaluation result is Compliant. |
| waf-domain-enabled-specified-protection-mode | Checks whether a specified protection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant. |
| waf-domain-enabled-specified-protection-module | Checks whether a specified protection feature is enabled for each domain name that is protected by WAF. If so, the evaluation result is Compliant. |