You can configure and enable protection rules provided by Cloud Config for all member accounts of your resource directory in a centralized manner in the Cloud Governance Center console. This prevents the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center from being modified. This also ensures the security of the multi-account environment.
Run the protection rule initialization task
Log on to the Cloud Governance Center console.
In the left-side navigation pane, click LandingZone Setup.
In the Standard Blueprint or Standard Blueprint (CEN) section, click Build.
In this example, a standard blueprint is used.
In the Added Items section of the Configure Blueprint page, click Guardrails.
Select the protection rules that you want to enable.
By default, the required rules are selected. You can select one or more recommended rules or optional rules.
Manage protection rules
After protection rules are initialized, you can manage the protection rules. You can view the details of a rule, view the compliance evaluation results of resources, or enable or disable a recommended rule or an optional rule.
Log on to the Cloud Governance Center console.
In the left-side navigation pane, choose .
In the Overview section, view the risk identification rules, enabled rules, disabled rules, and last modification time of the rules.
In the Guardrails section, click the name of the rule that you want to manage.
Click the Guardrail details tab and view the details of the rule. You can also enable or disable a recommended rule or an optional rule.
On the Result tab, view the compliance evaluation results of resources.
Protection rules
You can enable the following types of protection rules based on your business requirements:
Required rules: the basic protection rules. The required rules are automatically enabled and cannot be disabled.
Recommended rules: the security compliance rules. We recommend that you enable the recommended rules. You can enable or disable the recommended rules based on your business requirements.
Optional rules: You can enable or disable the optional rules based on your business requirements. After an optional rule is enabled, you can disable the optional rule.
Rule name | Rule description | Rule scope | Type |
The OSS bucket that is specified for Cloud Governance Center to store audit logs denies the public read/write access. | If the access control list (ACL) is not public-read-write for the Object Storage Service (OSS) buckets that are specified for Cloud Governance Center to store audit logs, the configuration is considered compliant. | Log archive account | Required rule |
The server-side OSS-managed encryption feature is enabled for the OSS bucket that is specified for Cloud Governance Center to store audit logs. | If server-side encryption is enabled for the OSS buckets that are specified for Cloud Governance Center to store audit logs, the configuration is considered compliant. | Log archive account | Required rule |
A role that is specified to provide services exists in Cloud Governance Center. | If a service-linked role of Cloud Governance Center is created and can be searched by name, the configuration is considered compliant. | Log archive account | Optional rule |
oss-bucket-audit-log-delete-prohibited | If the OSS buckets that are created by Cloud Governance Center to store audit logs within a log archive account are not deleted, the configuration is considered compliant. | Core folder | Required rule |
oss-bucket-encryption-modify-prohibited | If the encryption settings of the OSS buckets that are created by Cloud Governance Center to store audit logs within a log archive account are not modified, the configuration is considered compliant. | Core folder | Required rule |
oss-bucket-audit-logs-lifecycle-modify-prohibited | If the lifecycle settings of the OSS buckets that are created by Cloud Governance Center to store audit logs within a log archive account are not modified, the configuration is considered compliant. | Core folder | Required rule |
cloud-governance-center-role-modify-prohibited | If the service-linked role that is used by Cloud Governance Center to provide services is not changed, the configuration is considered compliant. | Core folder | Required rule |
cloud-config-feature-disable-prohibited | If Cloud Config that is used to perform compliance auditing on resources is activated, the configuration is considered compliant. | Core folder | Required rule |
None of Alibaba Cloud accounts in the resource directory have AccessKey pairs. | If no AccessKey pairs are created for the Alibaba Cloud accounts in a resource directory, the configuration is considered compliant. | Global resource directory | Recommended rule |
The MFA feature is enabled for all Alibaba Cloud accounts in the resource directory. | If multi-factor authentication (MFA) is enabled for all Alibaba Cloud accounts in a resource directory, the configuration is considered compliant. | Global resource directory | Recommended rule |
Encryption is enabled for all data disks of the ECS instance. | If encryption is enabled for all the data disks of each Elastic Compute Service (ECS) instance, the configuration is considered compliant. | Global resource directory | Recommended rule |
Not all networks are allowed access to high-risk ports of the security group. | If port 22 and port 3389 are disabled when 0.0.0.0/0 is added to the inbound IP address whitelist of a security group, the configuration is considered compliant. | Global resource directory | Recommended rule |
The network access settings of the security group are valid. | If the port range -1/-1 and the authorized CIDR block 0.0.0.0/0 are not specified when the inbound authorization policy of a security group is set to Allow, the configuration is considered compliant. | Global resource directory | Recommended rule |
The public read/write permissions are not granted on all OSS buckets. | If the ACL of each OSS bucket is not public-read-write, the configuration is considered compliant. | Global resource directory | Recommended rule |
TDE encryption is enabled for the RDS instance. | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Recommended rule |
Use ApsaraDB RDS Instances in VPCs. | If no virtual private cloud (VPC) IDs are specified and the network type of each ApsaraDB RDS instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ApsaraDB RDS instance resides in one of the specified VPCs, the configuration is considered compliant. Separate multiple VPC IDs with commas (,). | Global resource directory | Recommended rule |
The whitelist of an ApsaraDB RDS instance does not include all CIDR blocks. | If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Recommended rule |
oss-bucket-logging-enabled | If logging is enabled on the Logging page of each OSS bucket, the configuration is considered compliant. | Global resource directory | Optional rule |
The password policy of the RAM user meets the requirements. | If the password policy for each Resource Access Management (RAM) user meets the requirements, the configuration is considered compliant. | Global resource directory | Recommended rule |
The RAM user does not have idle AccessKey pairs. | If the period between the most recent time when a RAM user used an AccessKey pair and the current time is less than the specified number of days, the configuration is considered compliant. The default period is 90 days. | Global resource directory | Recommended rule |
The release protection feature is enabled for the ECS instance. | If the release protection feature is enabled for each ECS instance, the configuration is considered compliant. | Global resource directory | Recommended rule |
The release protection feature is enabled for the SLB instance. | If the release protection feature is enabled for each Server Load Balancer (SLB) instance, the configuration is considered compliant. | Global resource directory | Recommended rule |
The server-side OSS-managed encryption feature is enabled for OSS buckets. | If server-side encryption is enabled for each OSS bucket, the configuration is considered compliant. | Global resource directory | Optional rule |
The MFA feature is enabled for all RAM users. | If MFA is enabled for each RAM user, the configuration is considered compliant. | Global resource directory | Optional rule |
A resource must have at least one of the specified tags. | The value parameter can be set to multiple tag values. If the tag of a resource contains one of the tag values, the configuration is considered compliant. | Global resource directory | Optional rule |
A resource must have all specified tags. | If a resource has all specified tags, the configuration is considered compliant. You can specify up to six tags. | Global resource directory | Optional rule |
The RAM user has logged on within the specified time. | If each RAM user logs on to the system at least once in the previous 90 days, the configuration is considered compliant. If no logon record exists for a RAM user, the system checks the update time. If the RAM user is updated in the previous 90 days, the configuration is considered compliant. The rule does not take effect for the RAM users for which console access is disabled. | Global resource directory | Optional rule |
The HTTPS listening feature is enabled for the SLB instance. | If port 80 and port 8080 are specified for the HTTPS listeners of each SLB instance, the configuration is considered compliant. | Global resource directory | Optional rule |
The resource belongs to the specified region. | If each resource resides in the specified region, the configuration is considered compliant. | Global resource directory | Optional rule |
waf-instance-logging-enabled | If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF), the configuration is considered compliant. | Global resource directory | Optional rule |
vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the configuration is considered compliant. | Global resource directory | Optional rule |
api-group-integrated-waf | If an API group of API Gateway is bound to each custom domain name and the domain name is protected by WAF, the configuration is considered compliant. | Global resource directory | Optional rule |
waf-domain-enabled-specified-protection-module | If a protection feature is enabled for each domain name that is protected by WAF, the configuration is considered compliant. | Global resource directory | Optional rule |
security-group-high-risk-port-all-disabled | If 0.0.0.0/0 is added to the inbound IP address whitelist of each security group and high-risk ports are disabled, the configuration is considered compliant. If 0.0.0.0/0 is not added to the inbound IP address whitelist of a security group, the configuration is considered compliant regardless of whether high-risk ports are disabled. If a high-risk port is denied by an authorization policy with a higher priority, the configuration is considered compliant. The rule does not take effect for the security groups that are used by cloud services or virtual network operators (VNOs). | Global resource directory | Optional rule |
security-group-non-whitelist-port-setting-valid | If each inbound rule in a security group allows access only from the ports within a range when the Authorization Object parameter of the inbound rule is set to 0.0.0.0/0, the configuration is considered compliant. The rule does not take effect for the security groups that are used by cloud services or VNOs. | Global resource directory | Optional rule |
oss-bucket-anonymous-prohibited | If a bucket policy is configured for each OSS bucket whose ACL is public-read-write and the read and write permissions are not granted to anonymous accounts in the bucket policy, the configuration is considered compliant. The rule does not take effect for the OSS buckets whose ACL is private. | Global resource directory | Optional rule |
ecs-public-access-check | If no public IPv4 address or elastic IP address (EIP) is specified for each ECS instance, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-public-and-any-ip-access-check | If Internet access is enabled for an ApsaraDB RDS instance and 0.0.0.0/0 is added to the IP address whitelist, the configuration is considered non-compliant. | Global resource directory | Optional rule |
polardb-dbcluster-in-vpc | If Internet access is enabled for a PolarDB instance and 0.0.0.0/0 is added to the IP address whitelist, the configuration is considered non-compliant. | Global resource directory | Optional rule |
cfw-all-asset-protection-enabled | If the protection feature is enabled for all assets in Cloud Firewall, the configuration is considered compliant. The rule takes effect only for Cloud Firewall of a paid edition. If you do not activate Cloud Firewall or use Cloud Firewall of a free edition, the configuration is considered compliant even if protection is disabled for an asset in Cloud Firewall. | Global resource directory | Optional rule |
ecs-instance-enabled-security-protection | If the Security Center agent is installed on all running ECS instances to provide the protection feature, the configuration is considered compliant. The rule does not take effect for the ECS instances that are not running. | Global resource directory | Optional rule |
security-center-version-check | If Security Center Enterprise Edition or a more advanced edition is used, the configuration is considered compliant. | Global resource directory | Optional rule |
ecs-instance-updated-security-vul | If no unfixed vulnerabilities of a specific type or a specific level are detected by Security Center on each running ECS instance, the configuration is considered compliant. The rule does not take effect for the ECS instances that are not running. | Global resource directory | Optional rule |
rds-high-availability-category | If the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Optional rule |
actiontrail-trail-intact-enabled | If an active trail exists in ActionTrail and all types of events that are generated in all regions are tracked, the configuration is considered compliant. If the administrator of a resource directory has created a trail that applies to all members, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-instance-sql-collector-retention | If the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS for MySQL instance and the number of days for which SQL audit logs can be retained is no less than the specified period, the configuration is considered compliant. The default period is 180 days. | Global resource directory | Optional rule |
ecs-snapshot-retention-days | If the auto snapshots of ECS instances are retained for a period no less than the specified number of days, the configuration is considered compliant. The default period is seven days. | Global resource directory | Optional rule |
polardb-cluster-level-one-backup-retention | If the retention period for the level-1 backups of each PolarDB cluster is no less than the specified number of days, the configuration is considered compliant. The default period is seven days. | Global resource directory | Optional rule |
polardb-cluster-enabled-tde | If the TDE feature is enabled in the data security settings of each PolarDB cluster, the configuration is considered compliant. | Global resource directory | Optional rule |
kms-credential-automatic-rotation-enabled | If the automatic rotation feature is enabled for Key Management Service (KMS) secrets, the configuration is considered compliant. | Global resource directory | Optional rule |
cmk-automatic-rotation-enabled | If the automatic rotation feature is enabled for the customer master keys (CMKs) in KMS, the configuration is considered compliant. | Global resource directory | Optional rule |
cmk-delete-protection-enabled | If the deletion protection feature is enabled for KMS CMKs, the configuration is considered compliant. | Global resource directory | Optional rule |
oss-encryption-byok-check | If the Encryption Method parameter of each OSS bucket is set to KMS, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-instance-enabled-byok-tde | If a custom key is used to enable TDE for each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Optional rule |
redis-instance-enabled-byok-tde | If a custom key is used to enable TDE for each ApsaraDB for Redis instance, the configuration is considered compliant. | Global resource directory | Optional rule |
cdn-domain-https-enabled | If HTTPS is enabled for each domain name that is accelerated by Alibaba Cloud CDN, the configuration is considered compliant. | Global resource directory | Optional rule |
api-gateway-api-internet-request-https | If the request method of each API that allows Internet access in API Gateway is set to HTTPS, the configuration is considered compliant. The rule does not take effect for the APIs that allow only internal access. | Global resource directory | Optional rule |
elasticsearch-instance-used-https-protocol | If HTTPS is enabled for each Elasticsearch instance, the configuration is considered compliant. | Global resource directory | Optional rule |
oss-security-access-enabled | If the bucket policy of each OSS bucket allows read and write operations over HTTPS and denies access over HTTP, the configuration is considered compliant. The rule does not take effect for OSS buckets without a bucket policy. | Global resource directory | Optional rule |
slb-http-listener-security-policy-suite | If the HTTPS listeners of each SLB instance use a specific security policy suite version, the configuration is considered compliant. The rule does not take effect for SLB instances without HTTPS listeners. | Global resource directory | Optional rule |
fc-function-custom-domain-and-tls-enable | If each function in Function Compute is bound to a custom domain name and Transport Layer Security (TLS) of a specific version is enabled for the function, the configuration is considered compliant. | Global resource directory | Optional rule |
ecs-all-enabled-account-security-protection | If the Security Center agent is installed on each ECS instance that belongs to the current account, the configuration is considered compliant. | Global resource directory | Optional rule |
security-center-concern-necessity-check | If a vulnerability scan for risks of a specific level is configured in Security Center, the configuration is considered compliant. | Global resource directory | Optional rule |
security-center-notice-config-check | If a notification method is specified for each notification item of Security Center, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-instance-maintain-time-check | If the maintenance period of each ApsaraDB RDS instance matches one of the specified time ranges, the configuration is considered compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected. | Global resource directory | Optional rule |
polardb-cluster-maintain-time-check | If the maintenance period of each PolarDB cluster matches one of the specified time ranges, the configuration is considered compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected. | Global resource directory | Optional rule |
ram-user-no-has-specified-policy | If a policy that meets the specified conditions and includes the permissions that are inherited from a RAM user group is not attached to each RAM user, the configuration is considered compliant. A policy that uses the default settings includes the administrator permissions. If this policy is attached to a RAM user, the configuration is considered non-compliant. | Global resource directory | Optional rule |
ram-policy-no-statements-with-admin-access-check | If the Resource and Action parameters of RAM users, RAM user groups, and RAM roles are not set to | Global resource directory | Optional rule |
ram-user-ak-create-date-expired-check | If the period between the time when the AccessKey pair of each RAM user was created and the current time is no more than the specified number of days, the configuration is considered compliant. The default period is 90 days. | Global resource directory | Optional rule |
ram-user-group-membership-check | If each RAM user belongs to a RAM user group, the configuration is considered compliant. | Global resource directory | Optional rule |
ram-user-login-check | If console access and API access are not enabled for each RAM user at the same time, the configuration is considered compliant. | Global resource directory | Optional rule |
ram-user-sso-enabled | If the single sign-on (SSO) feature is enabled for each RAM user, the configuration is considered compliant. | Global resource directory | Optional rule |
No RAM policies are idle. | If a policy is attached to one or more RAM user groups, RAM roles, or RAM users, the configuration is considered compliant. | Global resource directory | Optional rule |
ram-group-has-member-check | If each RAM user group contains one or more RAM users, the configuration is considered compliant. | Global resource directory | Optional rule |
security-center-leak-ak-check | If no leaked AccessKey pairs are detected in Security Center, the configuration is considered compliant. | Global resource directory | Optional rule |
polardb-cluster-enabled-auditing | If the SQL audit feature is enabled for each PolarDB cluster, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-instance-enabled-log-backup | If you do not enable the log backup feature, you cannot restore the lost data in local logs. If the log backup feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Optional rule |
nas-filesystem-enable-backup-plan | If a backup plan is created for each Apsara File Storage NAS file system, the configuration is considered compliant. | Global resource directory | Optional rule |
polardb-cluster-log-backup-retention | If the retention period for the log backups of each PolarDB cluster is no less than the specified number of days, the configuration is considered compliant. The default period is 30 days. If log backup is not enabled or the backup retention period is less than the specified number of days, the configuration is considered non-compliant. | Global resource directory | Optional rule |
oss-zrs-enabled | If the zone-redundant storage feature is disabled, OSS cannot provide consistent services or ensure data recovery when a data center becomes unavailable. If the zone-redundant storage feature is enabled for each OSS bucket, the configuration is considered compliant. | Global resource directory | Optional rule |
sls-logstore-enabled-encrypt | If data encryption is enabled for each Logstore in Simple Log Service, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-event-log-enabled | If the event history feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Optional rule |
polardb-cluster-default-time-zone-not-system | If the | Global resource directory | Optional rule |
ecs-instance-os-name-check | You can use this rule to make sure that all ECS instances in the production environment use the same operating system version, or update the operating systems whose support is officially stopped to prevent security vulnerabilities. If the name of the operating system of each ECS instance is included in a whitelist or is not included in a blacklist, the configuration is considered compliant. | Global resource directory | Optional rule |
ecs-instance-monitor-enabled | If the CloudMonitor agent is installed on each running ECS instance and the agent is running as expected, the configuration is considered compliant. The rule does not take effect for the ECS instances that are not running. | Global resource directory | Optional rule |
cms-created-rule-for-specified-product | If at least one alert rule is configured in CloudMonitor for each Alibaba Cloud service of a namespace, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-instance-enabled-disk-encryption | If the disk encryption feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Optional rule |
ecs-in-use-disk-encrypted | If the encryption feature is enabled for each ECS data disk that is in use, the configuration is considered compliant. | Global resource directory | Optional rule |
ecs-disk-mount-encrypted | If the encryption feature is enabled for each ECS data disk that you want to mount, the configuration is considered compliant. | Global resource directory | Optional rule |
ecs-vpc-enabled | If no VPC IDs are specified and the network type of each ECS instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ECS instance resides in one of the specified VPCs, the configuration is considered compliant. Separate multiple VPC IDs with commas (,). | Global resource directory | Optional rule |
ram-user-no-policy-check | If no policy is attached to each RAM user, the configuration is considered compliant. We recommend that you configure each RAM user to inherit permissions from a RAM user group or a RAM role. | Global resource directory | Optional rule |
rds-postgresql-parameter-log-connections | If the | Global resource directory | Optional rule |
rds-postgresql-parameter-log-disconnections | If the | Global resource directory | Optional rule |
rds-postgresql-parameter-log-duration | If the | Global resource directory | Optional rule |
oss-authorization-policy-ip-limit-enabled | If the ACL of each OSS bucket is set to private or the bucket policy of each OSS bucket allows access only from specific IP addresses, the configuration is considered compliant. | Global resource directory | Optional rule |
oss-acl-public-read-disabled | If the ACL of each OSS bucket is not public-read, the configuration is considered compliant. | Global resource directory | Optional rule |
ecs-all-enabled-account-security-protection | If the Security Center agent is installed on each ECS instance that belongs to the current account, the configuration is considered compliant. | Global resource directory | Optional rule |
vpc-secondary-cidr-route-check | If the related route table includes at least one entry that indicates the routing information of IP addresses for a custom VPC CIDR block, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-instance-enabled-ssl | If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the configuration is considered compliant. | Global resource directory | Optional rule |
ack-cluster-terway-plugin-enabled | If the Terway network plug-in is used in each Container Service for Kubernetes (ACK) cluster, the configuration is considered compliant. | Global resource directory | Optional rule |
ack-cluster-public-endpoint-disabled | If no public endpoint is configured for the API server in each ACK cluster, the configuration is considered compliant. | Global resource directory | Optional rule |
ack-cluster-cloudmonitor-agent-installed | If the CloudMonitor agent is installed on all nodes in each ACK cluster and the agent is running as expected, the configuration is considered compliant. | Global resource directory | Optional rule |
actiontrail-trail-enabled | If a trail is enabled in ActionTrail, the configuration is considered compliant. | Global resource directory | Optional rule |
A high-availability RDS instance is purchased | If the edition of each ApsaraDB RDS instance is High-availability, the configuration is considered compliant. We recommend that you use ApsaraDB RDS instances of High-availability Edition. If you use ApsaraDB RDS instances of Basic Edition, the stability of your system may not be ensured. Proceed with caution. | Global resource directory | Optional rule |
rds-multi-az-support | If ApsaraDB RDS instances are deployed across multiple zones, the configuration is considered compliant. | Global resource directory | Optional rule |
rds-instance-enabled-security-ip-list | If an IP address whitelist is configured for each ApsaraDB RDS instance and 0.0.0.0/0 is not added to the IP address whitelist, the configuration is considered compliant. | Global resource directory | Optional rule |
redis-instance-in-vpc | If no VPC IDs are specified and the network type of each ApsaraDB for Redis instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ApsaraDB for Redis instance resides in one of the specified VPCs, the configuration is considered compliant. | Global resource directory | Optional rule |
redis-public-access-check | If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB for Redis instance, the configuration is considered compliant. | Global resource directory | Optional rule |
mongodb-instance-in-vpc | If no VPC IDs are specified and the network type of each ApsaraDB for MongoDB instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ApsaraDB for MongoDB instance resides in one of the specified VPCs, the configuration is considered compliant. | Global resource directory | Optional rule |
mongodb-public-access-check | If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB for MongoDB instance, the configuration is considered compliant. | Global resource directory | Optional rule |
The network type of the PolarDB instance is VPC | If no VPC IDs are specified and the network type of each PolarDB instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each PolarDB instance resides in one of the specified VPCs, the configuration is considered compliant. | Global resource directory | Optional rule |
sql-server-database-proxy-enabled | If the access mode of each ApsaraDB RDS for SQL Server database is set to proxy, the configuration is considered compliant. | Global resource directory | Optional rule |
slb-acl-public-access-check | If the ACL of each SLB instance does not include 0.0.0.0/0, the configuration is considered compliant. | Global resource directory | Optional rule |
eip-bandwidth-limit | If the available bandwidth of each EIP is no less than the specified bandwidth, the configuration is considered compliant. The default bandwidth is 10 MB. | Global resource directory | Optional rule |
slb-loadbalancer-bandwidth-limit | If the available bandwidth of each SLB instance is no less than the specified bandwidth, the configuration is considered compliant. The default bandwidth is 10 MB. | Global resource directory | Optional rule |
polardb-public-access-check | If 0.0.0.0/0 is not added to the IP address whitelist of each PolarDB instance, the configuration is considered compliant. | Global resource directory | Optional rule |