Agentic Cloud Governance Center lets you centrally configure and enable Cloud Config protection rules to prevent unintended changes to resource structure and basic configuration in your multi-account environment.
Initialize protection rules
- Log in to the Agentic Cloud Governance Center console.
- In the left navigation pane, choose .
- Select a blueprint and click Set up. This example uses a standard blueprint.
- On the Configure blueprint page, in the Added setup items area, click protection rules.
- Select the protection rules to enable. Required rules are selected by default. You can also select recommended or optional rules.
Manage guardrails
After initialization, you can view rule details, check compliance findings, enable or disable guardrails, and set guardrail scope.
- Sign in to the Agentic Cloud Governance Center console.
- In the left navigation pane, choose .
- In the Overview section, view At-risk Rules, Enabled Rules, Disabled Rules, and Last Modified.
- On the All tab, click the name of a guardrail to manage it.
- On the Rule Details tab, view guardrail details and scope (the resource folder to which the guardrail applies). You can enable or disable recommended and optional guardrails. The Basic Information section includes Rule Name, Description, Guidance, Type, Status, and Suggested Action. The Findings and Scope tabs appear at the bottom.
- On the Findings tab, view compliance findings for your resources.
- When you click Batch enable, you can select a scope for the guardrails.
  - If you select the Root resource folder, the guardrails apply to the entire Resource Directory and affect all member accounts.
  - If you select specific resource folders, the guardrails apply only to member accounts within those folders and will not affect other member accounts in the Resource Directory.
  In the Bind Scope dialog box, select a resource folder (for example, dev) and click OK.
Available protection rules
Three types of rules are available:
- Required: Basic protection rules that cannot be disabled.
- Recommended: Security and compliance rules that you can enable or disable.
- Optional: Rules that you can enable or disable as needed.
| Rule name | Description | Scope | Guidance |
|---|---|---|---|
| Ensure the OSS bucket for audit logs disallows public read/write access | An OSS bucket designated by Agentic Cloud Governance Center for storing audit logs is compliant if its access control list (ACL) prohibits public read/write access. | Log Account | Required |
| Ensure server-side encryption is enabled for the OSS bucket storing audit logs | An OSS bucket designated by Agentic Cloud Governance Center for storing audit logs is compliant if server-side encryption with OSS-managed keys (SSE-OSS) is enabled. | Log Account | Required |
| Ensure the designated service role for Agentic Cloud Governance Center exists | The configuration is compliant if the service role designated for Agentic Cloud Governance Center exists. | Log Account | Optional |
| Prohibit the deletion of the OSS bucket for audit logs | This rule prohibits deleting the OSS bucket that Agentic Cloud Governance Center creates in the Log Account to store audit logs. | Core Folder | Required |
| Prohibit modifying the encryption configuration of the OSS bucket for audit logs | This rule prohibits modifying the encryption configuration of the OSS bucket that Agentic Cloud Governance Center creates in the Log Account to store audit logs. | Core Folder | Required |
| Prohibit modifying the lifecycle configuration of the OSS bucket for audit logs | This rule prohibits modifying the lifecycle configuration of the OSS bucket that Agentic Cloud Governance Center creates in the Log Account to store audit logs. | Core Folder | Required |
| Prohibit modifying the designated service role for Agentic Cloud Governance Center | This rule prohibits modifying the service role that Agentic Cloud Governance Center uses. | Core Folder | Required |
| Prohibit disabling Cloud Config | This rule ensures that Cloud Config is enabled for resource and compliance auditing. | Core Folder | Required |
| Ensure no AccessKey exists for any Alibaba Cloud account in the Resource Directory | An Alibaba Cloud account is compliant if it has no AccessKey in any state. | Global for Resource Directory | Recommended |
| Ensure MFA is enabled for all Alibaba Cloud accounts in the Resource Directory | An Alibaba Cloud account is compliant if MFA is enabled. | Global for Resource Directory | Recommended |
| Ensure encryption is enabled for all ECS data disks | An ECS data disk is compliant if encryption is enabled. | Global for Resource Directory | Recommended |
| Ensure security groups do not expose high-risk ports to all networks | A security group is compliant if it has no inbound rule that allows traffic from the | Global for Resource Directory | Recommended |
| Ensure security group inbound rules are valid | A security group is compliant if no inbound rule with an | Global for Resource Directory | Recommended |
| Ensure public read/write access is disabled for all OSS buckets | An OSS bucket is compliant if its ACL policy prohibits public read/write access. | Global for Resource Directory | Recommended |
| Ensure TDE is enabled for RDS instances | An RDS instance is compliant if Transparent Data Encryption (TDE) is enabled in its data security settings. | Global for Resource Directory | Recommended |
| Ensure RDS instances use Virtual Private Cloud (VPC) | An RDS instance is compliant if its network type is Virtual Private Cloud (VPC). If a parameter is specified, the instance is compliant only if its VPC ID is in the provided comma-separated list. | Global for Resource Directory | Recommended |
| Ensure the RDS IP allowlist is not open to all networks | An RDS instance is compliant if its IP allowlist is not set to | Global for Resource Directory | Recommended |
| Ensure access logging is enabled for OSS buckets | An OSS bucket is compliant if logging is enabled in its log management settings. | Global for Resource Directory | Optional |
| Ensure the password policy for RAM users meets requirements | A password policy is compliant if its settings meet the requirements defined in Access Control (RAM). | Global for Resource Directory | Recommended |
| Ensure RAM users do not have inactive AccessKeys | An AccessKey of a RAM user is compliant if its last use time is within the specified period. Default: 90 days. | Global for Resource Directory | Recommended |
| Ensure release protection is enabled for ECS instances | An ECS instance is compliant if release protection is enabled. | Global for Resource Directory | Recommended |
| Ensure release protection is enabled for SLB instances | An SLB instance is compliant if release protection is enabled. | Global for Resource Directory | Recommended |
| Ensure server-side encryption is enabled for all OSS buckets | An OSS bucket is compliant if server-side encryption with OSS-managed keys (SSE-OSS) is enabled. | Global for Resource Directory | Optional |
| Ensure MFA is enabled for RAM users | A RAM user is compliant if MFA is enabled. | Global for Resource Directory | Optional |
| Ensure resources have at least one of the specified tags | You can specify multiple values for a tag. A resource is compliant if it has a tag with at least one of the specified values. | Global for Resource Directory | Optional |
| Ensure resources have all specified tags | You can define up to six tags. A resource is compliant if it has all the specified tags. | Global for Resource Directory | Optional |
| Ensure RAM users have logged in within a specified time | A RAM user is compliant if they have logged in within the last 90 days. If the last login time is unknown, the user is compliant if their account's last update time is within the last 90 days. This rule does not apply to users without console access. | Global for Resource Directory | Optional |
| Ensure HTTPS listeners are enabled for SLB instances | An SLB instance is compliant if an HTTPS listener is configured for port 80 or 8080. | Global for Resource Directory | Optional |
| Ensure resources are located in specified regions | A resource is compliant if it is located in one of the regions specified in the rule parameters. | Global for Resource Directory | Optional |
| Ensure log collection is enabled for WAF instances | The configuration is compliant if log collection is enabled for all domains protected by WAF. | Global for Resource Directory | Optional |
| Ensure Flow Log is enabled for VPCs | A VPC is compliant if the Flow Log feature is enabled. | Global for Resource Directory | Optional |
| Ensure domains bound to API Gateway groups are protected by WAF | An API group in API Gateway is compliant if it is bound to a custom domain that is protected by WAF. | Global for Resource Directory | Optional |
| Ensure specified protection features are enabled for WAF-protected domains | A WAF-protected domain is compliant if the specified protection modules are enabled. | Global for Resource Directory | Optional |
| Ensure security groups do not expose high-risk ports of a specified protocol to all networks | A security group is compliant if its inbound rules for the | Global for Resource Directory | Optional |
| Ensure valid inbound rules for non-allowlisted ports in security groups | A security group is compliant if, for all ports not on the specified allowlist, there are no inbound rules that have both the action set to | Global for Resource Directory | Optional |
| Ensure public OSS buckets have a permission policy that denies anonymous access | An OSS bucket with public read/write permissions is compliant if it has a bucket policy that does not grant any read or write permissions to anonymous users. This rule is not applicable to private buckets. | Global for Resource Directory | Optional |
| Prohibit associating public IP addresses with ECS instances | An ECS instance is compliant if it is not directly associated with a public IPv4 address or an Elastic IP Address (EIP). | Global for Resource Directory | Optional |
| Ensure publicly accessible RDS instances do not have an IP allowlist open to all networks | A publicly accessible RDS instance is compliant only if its IP allowlist is not set to | Global for Resource Directory | Optional |
| Ensure publicly accessible PolarDB clusters do not have an IP allowlist open to all networks | A publicly accessible PolarDB cluster is compliant only if its IP allowlist is not set to | Global for Resource Directory | Optional |
| Ensure all assets are protected by Cloud Firewall | Compliance requires that all assets are protected by Cloud Firewall. This rule applies only to paid editions; accounts using the free edition or without a subscription are compliant by default. | Global for Resource Directory | Optional |
| Ensure running ECS instances are protected by Security Center | An ECS instance is compliant if the Security Center agent is installed. This rule does not apply to instances that are not running. | Global for Resource Directory | Optional |
| Ensure Security Center Enterprise Edition or higher is used | An account is compliant if it is using the Enterprise Edition or a higher edition of Security Center. | Global for Resource Directory | Optional |
| Ensure running ECS instances have no pending vulnerabilities | An ECS instance is compliant if it has no pending vulnerabilities of the specified type and severity level in Security Center. This rule is not applicable to instances that are not in a running state. | Global for Resource Directory | Optional |
| Ensure SQL audit is enabled for RDS instances | An RDS instance is compliant if SQL audit is enabled. | Global for Resource Directory | Optional |
| Ensure global event logging is enabled in ActionTrail | The configuration is compliant if an enabled trail exists in ActionTrail that logs all event types across all regions. A member account in a Resource Directory is also compliant if the management account has created a trail that applies to all member accounts. | Global for Resource Directory | Optional |
| Ensure the SQL audit log retention period for RDS instances meets requirements | An RDS for MySQL instance is compliant if SQL audit is enabled and the log retention period is greater than or equal to the specified value. Default: 180 days. | Global for Resource Directory | Optional |
| Ensure the retention period for automatic ECS snapshots meets requirements | An automatic snapshot policy for ECS is compliant if its snapshot retention period is greater than the specified number of days. Default: 7 days. | Global for Resource Directory | Optional |
| Ensure the Level-1 backup retention period for PolarDB clusters meets requirements | A PolarDB cluster is compliant if its Level-1 backup retention period is greater than or equal to the specified number of days. Default: 7 days. | Global for Resource Directory | Optional |
| Ensure TDE is enabled for PolarDB clusters | A PolarDB cluster is compliant if TDE is enabled. | Global for Resource Directory | Optional |
| Ensure automatic rotation is configured for credentials in KMS | A credential in Key Management Service (KMS) is compliant if automatic rotation is configured. | Global for Resource Directory | Optional |
| Ensure automatic rotation is configured for customer master keys (CMKs) in KMS | A customer master key (CMK) in KMS is compliant if automatic rotation is configured. | Global for Resource Directory | Optional |
| Ensure deletion protection is enabled for KMS CMKs | A KMS customer master key (CMK) is compliant if deletion protection is enabled. | Global for Resource Directory | Optional |
| Ensure OSS buckets are encrypted with customer-managed KMS keys | An OSS bucket is compliant if it is encrypted with a customer-managed key from KMS. | Global for Resource Directory | Optional |
| Ensure RDS instances use customer-managed keys for TDE | An RDS instance is compliant if it uses a customer-managed key to enable TDE. | Global for Resource Directory | Optional |
| Ensure ApsaraDB for Redis instances use customer-managed keys for TDE | An ApsaraDB for Redis instance is compliant if it uses a customer-managed key to enable TDE. | Global for Resource Directory | Optional |
| Ensure HTTPS is enabled for CDN domains | A CDN domain is compliant if the HTTPS protocol is enabled. | Global for Resource Directory | Optional |
| Ensure public-facing APIs in API Gateway use HTTPS | A public-facing API in API Gateway is compliant if its request protocol is set to HTTPS. This rule is not applicable to APIs that are restricted to internal access only. | Global for Resource Directory | Optional |
| Ensure Alibaba Cloud Elasticsearch instances use the HTTPS protocol | An Alibaba Cloud Elasticsearch instance is compliant if it uses the HTTPS transport protocol. | Global for Resource Directory | Optional |
| Ensure OSS bucket policies enforce secure transport | An OSS bucket is compliant if its bucket policy either enforces HTTPS for read/write operations or explicitly denies access over HTTP. This rule is not applicable to buckets without a bucket policy. | Global for Resource Directory | Optional |
| Ensure HTTPS listeners on SLB instances use a specified TLS policy | An SLB instance is compliant if all its HTTPS listeners use the TLS policy version specified in the parameters. This rule is not applicable to instances without HTTPS listeners. | Global for Resource Directory | Optional |
| Ensure Function Compute functions are bound to a custom domain with a specified TLS version | A Function Compute function is compliant if it is bound to a custom domain and the specified version of TLS is enabled. | Global for Resource Directory | Optional |
| Ensure the Security Center agent is installed on all ECS instances in an account | An Alibaba Cloud account is compliant if the Security Center agent is installed on all of its ECS instances. | Global for Resource Directory | Optional |
| Ensure vulnerability scanning for a specified risk level is configured in Security Center | The configuration is compliant if vulnerability scanning for the specified risk level is configured in Security Center. | Global for Resource Directory | Optional |
| Ensure notification methods are set for all alert items in Security Center | The configuration is compliant if notification methods are configured for all alert items in Security Center. | Global for Resource Directory | Optional |
| Ensure a suitable maintenance window is set for RDS instances | An RDS instance is compliant if its maintenance window falls within one of the time slots specified in the parameters. Overlapping the maintenance window with business peak hours may impact your services. | Global for Resource Directory | Optional |
| Ensure a suitable maintenance window is set for PolarDB clusters | A PolarDB cluster is compliant if its maintenance window falls within one of the time slots specified in the parameters. Overlapping the maintenance window with business peak hours may impact your services. | Global for Resource Directory | Optional |
| Ensure RAM users and their groups are not attached to permission policies with specified conditions | A RAM user is compliant if neither the user nor its user groups are attached to a permission policy that meets the specified conditions. By default, this rule flags administrator privileges as non-compliant. | Global for Resource Directory | Optional |
| Ensure no super administrator exists | The configuration is compliant if no RAM user, RAM user group, or RAM role has a policy that grants super administrator privileges (Resource: | Global for Resource Directory | Optional |
| Ensure AccessKeys for RAM users are rotated within a specified time | An AccessKey for a RAM user is compliant if it was created within the specified number of days. Default: 90 days. | Global for Resource Directory | Optional |
| Ensure all RAM users belong to a user group | The configuration is compliant if all RAM users belong to at least one RAM user group. | Global for Resource Directory | Optional |
| Ensure RAM user access separates human and programmatic use | A RAM user is compliant if they do not have both console password login and programmatic access (AccessKey) enabled simultaneously. | Global for Resource Directory | Optional |
| Ensure SSO is enabled for RAM users | A RAM user is compliant if SSO is enabled. | Global for Resource Directory | Optional |
| Ensure no unattached RAM permission policies exist | A RAM permission policy is compliant if it is attached to at least one RAM user, RAM user group, or RAM role. | Global for Resource Directory | Optional |
| Ensure RAM user groups are not empty | A RAM user group is compliant if it contains at least one RAM user. | Global for Resource Directory | Optional |
| Ensure no leaked AccessKeys are detected by Security Center | The configuration is compliant if Security Center has not detected any leaked AccessKey information. | Global for Resource Directory | Optional |
| Ensure SQL audit is enabled for PolarDB clusters | A PolarDB cluster is compliant if SQL audit is enabled. | Global for Resource Directory | Optional |
| Ensure log backup is enabled for RDS instances | An RDS instance is compliant if log backup is enabled. Disabling log backup creates a risk of data loss if local logs are unrecoverable. | Global for Resource Directory | Optional |
| Ensure a backup plan is created for NAS file systems | A NAS file system is compliant if it has a backup plan. | Global for Resource Directory | Optional |
| Ensure the log backup retention period for PolarDB clusters meets requirements | A PolarDB cluster is compliant if its log backup retention period is greater than or equal to the specified number of days. The default value is 30 days. Clusters are non-compliant if log backup is disabled or the retention period is less than the specified value. | Global for Resource Directory | Optional |
| Ensure Zone-Redundant Storage (ZRS) is enabled for OSS buckets | An OSS bucket is compliant if Zone-Redundant Storage (ZRS) is enabled. ZRS helps ensure service continuity and data recovery in the event of an availability zone failure. | Global for Resource Directory | Optional |
| Ensure data encryption is configured for Log Service Logstores | A Logstore in Log Service is compliant if data encryption is configured. | Global for Resource Directory | Optional |
| Ensure historical event logging is enabled for RDS instances | An RDS instance is compliant if historical event logging is enabled. | Global for Resource Directory | Optional |
| Ensure the default time zone for PolarDB clusters is not set to SYSTEM | A PolarDB cluster is compliant if its | Global for Resource Directory | Optional |
| Ensure ECS instances use a specified operating system version | An ECS instance is compliant if its OS name is on the specified allowlist or not on the specified blocklist. This helps standardize OS versions and encourages timely upgrades from unsupported versions to prevent security vulnerabilities. | Global for Resource Directory | Optional |
| Ensure the CloudMonitor agent is installed on running ECS instances | A running ECS instance is compliant if the CloudMonitor agent is installed and running. This rule is not applicable to instances that are not in a running state. | Global for Resource Directory | Optional |
| Ensure CloudMonitor alert rules are configured for specified cloud products | A cloud product is compliant if at least one alert rule is configured for its namespace in CloudMonitor. | Global for Resource Directory | Optional |
| Ensure cloud disk encryption is enabled for RDS instances | An RDS instance is compliant if cloud disk encryption is enabled. | Global for Resource Directory | Optional |
| Ensure encryption is enabled for in-use ECS data disks | An ECS data disk that is in use is compliant if encryption is enabled. | Global for Resource Directory | Optional |
| Ensure encryption is enabled for unattached ECS data disks | An ECS data disk that is unattached is compliant if encryption is enabled. | Global for Resource Directory | Optional |
| Ensure ECS instances use Virtual Private Cloud (VPC) | An ECS instance is compliant if its network type is Virtual Private Cloud (VPC). If a parameter is specified, the instance is compliant if its VPC ID is in the provided comma-separated list. | Global for Resource Directory | Optional |
| Prohibit attaching policies directly to RAM users | A RAM user is compliant if they inherit permissions from RAM user groups or RAM roles instead of having policies attached directly. | Global for Resource Directory | Optional |
| Ensure the PostgreSQL parameter | An RDS for PostgreSQL instance is compliant if the | Global for Resource Directory | Optional |
| Ensure the PostgreSQL parameter | An RDS for PostgreSQL instance is compliant if the | Global for Resource Directory | Optional |
| Ensure the PostgreSQL parameter | An RDS for PostgreSQL instance is compliant if the | Global for Resource Directory | Optional |
| Ensure OSS bucket policies have IP restrictions | An OSS bucket is compliant if its read/write permissions are set to private, or if its bucket policy contains rules that only allow access from specific IP addresses. | Global for Resource Directory | Optional |
| Ensure the ACLs of OSS buckets prohibit public read access | An OSS bucket is compliant if its ACL policy prohibits public read access. | Global for Resource Directory | Optional |
| Ensure routes are configured for custom CIDR blocks in VPCs | A VPC is compliant if its associated route table contains at least one route for an IP address within the custom CIDR block. | Global for Resource Directory | Optional |
| Ensure SSL certificates are used for RDS instances | An RDS instance is compliant if SSL is enabled in its data security settings. | Global for Resource Directory | Optional |
| Ensure ACK clusters use the Terway network plug-in | An ACK cluster is compliant if it uses the Terway network plug-in. | Global for Resource Directory | Optional |
| Ensure public API server endpoints are disabled for ACK clusters | An ACK cluster is compliant if a public API server endpoint is not configured. | Global for Resource Directory | Optional |
| Ensure the CloudMonitor agent is installed on ACK cluster nodes | An ACK cluster is compliant if the CloudMonitor agent is installed and running on all its nodes. | Global for Resource Directory | Optional |
| Ensure ActionTrail trails are enabled | An ActionTrail trail is compliant if its status is enabled. | Global for Resource Directory | Optional |
| Ensure RDS instances use the High-availability Edition | An RDS instance is compliant if it uses the High-availability Edition. We recommend using this edition instead of the less stable Basic Edition. | Global for Resource Directory | Optional |
| Ensure RDS instances use multiple availability zones | An RDS instance is compliant if it is deployed across multiple availability zones. | Global for Resource Directory | Optional |
| Ensure the IP allowlist for RDS instances is configured correctly | An RDS instance is compliant if an IP allowlist is enabled and does not contain | Global for Resource Directory | Optional |
| Ensure ApsaraDB for Redis instances use Virtual Private Cloud (VPC) | An ApsaraDB for Redis instance is compliant if its network type is Virtual Private Cloud (VPC). If a parameter is specified, the instance is compliant if its VPC ID is in the provided comma-separated list. | Global for Resource Directory | Optional |
| Ensure the IP allowlist for ApsaraDB for Redis instances is not open to all networks | An ApsaraDB for Redis instance is compliant if its IP allowlist is not set to | Global for Resource Directory | Optional |
| Ensure ApsaraDB for MongoDB instances use Virtual Private Cloud (VPC) | An ApsaraDB for MongoDB instance is compliant if its network type is Virtual Private Cloud (VPC). If a parameter is specified, the instance is compliant if its VPC ID is in the provided comma-separated list. | Global for Resource Directory | Optional |
| Prohibit the IP allowlist for ApsaraDB for MongoDB instances from being open to all networks | An ApsaraDB for MongoDB instance is compliant if its IP allowlist is not set to | Global for Resource Directory | Optional |
| Ensure PolarDB instances use Virtual Private Cloud (VPC) | A PolarDB instance is compliant if its network type is Virtual Private Cloud (VPC). If a parameter is specified, the instance is compliant if its VPC ID is in the provided comma-separated list. | Global for Resource Directory | Optional |
| Ensure SQL Server is accessed in database proxy mode | An RDS for SQL Server instance is compliant if its access mode is set to database proxy mode. | Global for Resource Directory | Optional |
| Ensure SLB access control lists do not allow traffic from all IP addresses | An SLB access control list (ACL) is compliant if it does not contain the | Global for Resource Directory | Optional |
| Ensure the bandwidth of EIP instances meets minimum requirements | An Elastic IP Address (EIP) instance is compliant if its available bandwidth is greater than or equal to the specified value. Default: 10 Mbps. | Global for Resource Directory | Optional |
| Ensure SLB instances meet specified bandwidth requirements | An SLB instance is compliant if its available bandwidth is greater than or equal to the specified value (Default: 10 Mbps). | Global for Resource Directory | Optional |
| Prohibit the IP allowlist for PolarDB instances from being open to all networks | A PolarDB instance is compliant if its IP allowlist is not set to | Global for Resource Directory | Optional |
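The following added example (not code from Agentic Cloud Governance Center or Cloud Config) models how guardrail scope binding and a few of the rules in the table above combine: a constructed Resource Directory tree decides which member accounts a binding covers (Root covers every account, a folder covers only its subtree), and four rule evaluators apply the page's stated criteria (inactive AccessKeys and AccessKey rotation with the 90-day defaults, separation of console and programmatic access, ECS data disk encryption) to a constructed inventory. The folder names, account names, resource records and the treatment of a never-used key as inactive are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed Resource Directory tree (assumption, not a real tenant): folder -> members and children.
FOLDERS = {
    "Root": {"accounts": [], "children": ["Core", "dev", "prod"]},
    "Core": {"accounts": ["log-account"], "children": []},
    "dev": {"accounts": ["dev-a", "dev-b"], "children": []},
    "prod": {"accounts": ["prod-a"], "children": []},
}

def accounts_in_scope(folder):
    """Binding to Root covers every member account; binding to a folder covers only its subtree."""
    covered = list(FOLDERS[folder]["accounts"])
    for child in FOLDERS[folder]["children"]:
        covered.extend(accounts_in_scope(child))
    return covered

# Fixed evaluation time so the constructed sample is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

@dataclass
class AccessKey:
    created: datetime
    last_used: Optional[datetime]  # None means the key has never been used

@dataclass
class RamUser:
    account: str
    name: str
    console_login: bool
    keys: list

@dataclass
class DataDisk:
    account: str
    disk_id: str
    encrypted: bool

def days_ago(n):
    return NOW - timedelta(days=n)

def rule_inactive_access_keys(users, max_days=90):
    """'Ensure RAM users do not have inactive AccessKeys' (default 90 days).
    Assumption: a key that has never been used is treated as inactive."""
    findings = []
    for u in users:
        for k in u.keys:
            if k.last_used is None or (NOW - k.last_used).days > max_days:
                findings.append((u.account, "inactive-access-key", u.name))
    return findings

def rule_access_key_rotation(users, max_days=90):
    """'Ensure AccessKeys for RAM users are rotated within a specified time' (default 90 days)."""
    return [(u.account, "access-key-rotation", u.name)
            for u in users for k in u.keys if (NOW - k.created).days > max_days]

def rule_separate_human_programmatic(users):
    """'Ensure RAM user access separates human and programmatic use'."""
    return [(u.account, "human-programmatic-separation", u.name)
            for u in users if u.console_login and u.keys]

def rule_disk_encryption(disks):
    """'Ensure encryption is enabled for all ECS data disks'."""
    return [(d.account, "ecs-data-disk-encryption", d.disk_id)
            for d in disks if not d.encrypted]

def evaluate(bound_folder, users, disks):
    """Run every rule, then keep only findings for member accounts inside the bound scope."""
    in_scope = set(accounts_in_scope(bound_folder))
    findings = (rule_inactive_access_keys(users) + rule_access_key_rotation(users)
                + rule_separate_human_programmatic(users) + rule_disk_encryption(disks))
    return sorted(f for f in findings if f[0] in in_scope)

# Constructed inventory (sample data for the illustration).
USERS = [
    RamUser("dev-a", "ci-bot", False, [AccessKey(days_ago(200), days_ago(10))]),
    RamUser("dev-b", "alice", True, [AccessKey(days_ago(30), days_ago(120))]),
    RamUser("prod-a", "bob", True, []),
    RamUser("log-account", "svc", False, [AccessKey(days_ago(400), None)]),
]
DISKS = [DataDisk("dev-a", "d-1", True), DataDisk("dev-a", "d-2", False),
         DataDisk("prod-a", "d-3", False)]

if __name__ == "__main__":
    for folder in ("Root", "dev", "prod"):
        print(folder, evaluate(folder, USERS, DISKS))
```

Binding to Root reports every finding, while binding to dev leaves the log-account and prod-a findings untouched, which is the difference the Bind Scope dialog makes.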