This topic describes the check items supported by governance maturity detection to help you query and use them.
Security
Category | Check item | Description | Quick fix description | Auxiliary decision support |
--- | --- | --- | --- | --- |
Primary account management | Multi-factor authentication (MFA) is not enabled for the primary account | For primary account identities, we recommend that you enable MFA to provide enhanced security protection. If MFA is not enabled for the primary account, the account is considered non-compliant. | Quick fix is not supported. | No |
Primary account management | The primary account has enabled AccessKey pairs | The AccessKey pair of the primary account has the same permissions as the primary account. The AccessKey pair cannot be restricted by conditions such as source IP addresses or access time. If the AccessKey pair is leaked, the risk is extremely high. If the primary account has an AccessKey pair, the account is considered non-compliant. | Quick fix is not supported. | No |
Primary account management | The primary account has logged on to the console in the last 90 days | The primary account has extensive permissions and cannot be restricted by conditions such as source IP addresses or access time. If the primary account is leaked, the risk is extremely high. If the primary account has logged on to the console more than three times in the last month, the account is considered non-compliant. | Quick fix is not supported. | No |
User management | RAM SCIM is not enabled to synchronize users | The System for Cross-domain Identity Management (SCIM) protocol allows you to synchronize identities from your enterprise to Alibaba Cloud without manually creating users. If SCIM synchronization is not configured for the current account, or if the synchronized users have not logged on in the last two months, the account is considered non-compliant. | Quick fix is not supported. | No |
User management | RAM single sign-on (SSO) is not enabled for console logon | You can centrally manage users in your enterprise who use Alibaba Cloud by using SSO. This improves the management efficiency of user identities and reduces risks. If RAM SSO is not configured for the current account, or if no logon through SSO has occurred in the last 30 days, the account is considered non-compliant. | Quick fix is not supported. | No |
User management | RAM users have both console logon and AccessKey pairs enabled | In any scenario, we recommend the single-responsibility principle. If a RAM user in the current account has an AccessKey pair and has console logon enabled, the account is considered non-compliant. | Quick fix is not supported. | Yes |
User management | RAM is not used to manage identities | The primary account has extensive permissions. If the primary account is leaked, the risk is extremely high. We recommend that you use RAM identities for daily operations. If no RAM identity exists in the current account, the account is considered non-compliant. | Quick fix is not supported. | No |
Identity management | Complete password strength rules are not configured | You can effectively reduce the risk of password cracking and brute-force attacks by enhancing password strength. If strong password strength, password validity period, historical password check policies, and password retry constraints are not configured, the account is considered non-compliant. | This fix will modify the key settings of password strength in Resource Access Management (RAM). These settings include a password length greater than or equal to 8 characters, at least three types of elements, a validity period of less than 90 days, and a maximum of 5 logon retries within one hour. These are the recommended best practices. You can modify the parameters to implement stricter password strength requirements based on your enterprise needs. After the settings are configured, they apply to all RAM users. | No |
Identity management | MFA is not enabled for RAM users | MFA provides enhanced security protection for RAM users. If a RAM user has console logon enabled but does not have MFA configured, the account is considered non-compliant. | Quick fix is not supported. | Yes |
Identity management | Inactive RAM users exist | When a RAM user has console logon enabled, a logon password is set. The longer that password remains in use, the higher the risk of its exposure. If inactive RAM users who have not logged on for more than 90 days exist, the account is considered non-compliant. | Quick fix is not supported. | Yes |
Program identity management | ECS instances do not use the enhanced mode of Metadata Service (added in 2.0 model) | Ensure that ECS instances use the enhanced mode of Metadata Service (V2) to prevent the STS token leakage that V1 can allow. If an ECS instance uses V1 of Metadata Service, the instance is considered non-compliant. To remediate, upgrade Metadata Service on the instance to V2. | Quick fix is not supported. | No |
Program identity management | AccessKey pairs are not rotated regularly | Regular rotation reduces the exposure time of AccessKey pairs, which in turn reduces the risk of AccessKey pair leakage. If an AccessKey pair of a RAM user has been used for more than 90 days, the account is considered non-compliant. | Quick fix is not supported. | No |
Program identity management | AccessKey-free solutions are not used for program access | If no instance role is configured for Elastic Compute Service (ECS) in the current account, or if the Resource Access Management for Kubernetes Service Accounts (RRSA) plug-in is not enabled for Container Service for Kubernetes (ACK), or if no service role is configured for Function Compute, the account is considered non-compliant. | Quick fix is not supported. | No |
Program identity management | Leaked AccessKey pairs are not handled | After an AccessKey pair is leaked, attackers can use the AccessKey pair to access your resources or data, causing security incidents. If unhandled AccessKey pair leakage events exist, the account is considered non-compliant. | Quick fix is not supported. | No |
Program identity management | RAM users have two enabled AccessKey pairs | If a RAM user has two enabled AccessKey pairs, the RAM user loses the ability to rotate AccessKey pairs, which poses a greater risk. If a single RAM user has two AccessKey pairs, the account is considered non-compliant. | Quick fix is not supported. | No |
Program identity management | RAM users have inactive AccessKey pairs | The AccessKey pair of a RAM user can be used to access Alibaba Cloud APIs. The longer the AccessKey pair is exposed externally, the higher the risk of leakage. If an AccessKey pair of a RAM user has not been used for more than 90 days, the account is considered non-compliant. | Quick fix is not supported. | Yes |
Granular access control | No RAM identity has restricted access operation scope | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. In the current Alibaba Cloud account, if a RAM identity is bound to some operation permissions of a cloud service, the requirement is considered met. | Quick fix is not supported. | No |
Granular access control | No RAM identity has restricted access to OSS or SLS | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. For access to data products such as Object Storage Service (OSS) and Simple Log Service (SLS), we recommend that you use granular authorization to reduce the risk of data leakage caused by identity leakage. In the current Alibaba Cloud account, if a RAM identity is bound to operation permissions related to data products, granular authorization must be used. Do not use the wildcard character * for batch authorization. If this requirement is met, the account is considered compliant. | Quick fix is not supported. | No |
Granular access control | No RAM identity has granular authorization (deleted in 2.0 model) | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. You can use custom policies to implement granular authorization for RAM identities. If no RAM identity is bound to a custom policy, the account is considered non-compliant. | Quick fix is not supported. | No |
Use of logon credential reports | Identity permission detection reports are not obtained regularly (deleted in 2.0 model) | In the current account, if you have not viewed an identity permission governance report, a user credential report, or a cloud governance maturity report in the last 90 days, the account is considered non-compliant. | Quick fix is not supported. | No |
Use of logon credential reports | The "AccessKey and Permission Governance Best Practices" compliance package is not enabled (deleted in 2.0 model) | If the "AccessKey and Permission Governance Best Practices" compliance package is not enabled in CloudConfig, the account is considered non-compliant. | This fix will create a compliance package in CloudConfig based on the "AccessKey and Permission Governance Best Practices" template. You can then view the detection results in CloudConfig. | No |
Control log archiving | ActionTrail logs are not set for long-term retention | If no trail is created, or if the created trail does not archive all regions, does not archive all read and write operations, or has an archive storage period of less than 180 days, the account is considered non-compliant. | This fix will improve the existing trail settings for the current account, including enabling complete management read and write events and events in all regions. Please select at least one existing trail from the list to improve the settings. After the fix, newly generated read and write events and events in all regions will be delivered to the target storage of the trail. Historical events in the storage are not affected. | No |
Configuration change detection | CloudConfig is not enabled | If CloudConfig is not enabled for the current account, the account is considered non-compliant. | Quick fix is not supported. | No |
Configuration change detection | Resource changes or snapshots are not delivered | If resource changes or snapshots are not delivered in CloudConfig, the account is considered non-compliant. | Quick fix is not supported. | No |
Compliance detection coverage | CloudConfig compliance rules do not cover all cloud resources | The evaluation is based on the ratio of resources covered by rules. If the coverage is less than 100%, the account is considered non-compliant. | Quick fix is not supported. | No |
Compliance detection coverage | CloudConfig compliance rules are not enabled | If CloudConfig rules are not enabled for the current account, the account is considered non-compliant. | Quick fix is not supported. | No |
Non-compliance alert response | Compliance detection data is not obtained regularly | If non-compliance events are not delivered or detection results are not viewed in CloudConfig, the account is considered non-compliant. | Quick fix is not supported. | No |
Non-compliance alert response | No alert rules are set for risky operations | If none of the account security-related rules or ActionTrail operation compliance-related rules supported by ActionTrail event alerts are enabled, the account is considered non-compliant. | Quick fix is not supported. | No |
Alert event handling | Cloud resources have non-compliance issues | If the compliance resource rate detected by enabled rules in CloudConfig is less than 100%, the account is considered non-compliant. | Quick fix is not supported. | No |
Enable automatic remediation | Automated remediation is not used for non-compliance issues | If the user has not enabled automatic remediation for any rule, the account is considered non-compliant. | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted high-risk permissions for OSS and SLS | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. RAM identities with | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted Admin permissions | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. Admin permissions allow any operation on any resource in the account. Avoid granting Admin permissions to too many RAM identities to prevent business impact in case of identity leakage. In the current Alibaba Cloud account, if the number of RAM identities with Admin permissions is less than or equal to 3, the requirement is considered met. | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted high-risk permissions for the Fee Hub | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. RAM identities with write permissions for the Billing and Subscription Service (BSS) product can modify orders, invoices, contracts, and bills, and perform transactions, withdrawals, and other fund operations. Poor management may result in asset loss. In the current Alibaba Cloud account, the requirement is considered met if the number of RAM identities with write permissions such as | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted high-risk permissions for RAM | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. RAM identities with write permissions for the RAM product can create new identities or modify the permissions of existing identities, resulting in excessive authorization. This poses risks to the security and confidentiality of resources in the account. In the current Alibaba Cloud account, if the number of RAM identities with write permissions such as | Quick fix is not supported. | No |
Prevent privilege abuse | All RAM identities are granted Admin permissions | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. Avoid granting Admin permissions to all RAM identities to prevent business impact in case of identity leakage. If RAM identities are granted non-Admin permissions, the requirement is considered met. | Quick fix is not supported. | No |
Authorization efficiency and control | No RAM user inherits authorization from RAM user groups (added in 2.0 model) | By default, RAM users, groups, and roles cannot access any resources. You grant permissions to users, groups, or roles through RAM policies. We recommend that you apply RAM policies directly to groups and roles, rather than users. By assigning permissions at the group or role level, you can reduce the management complexity as the number of users grows, while reducing the risk of inadvertently expanding the permissions of a RAM user. If any RAM user inherits authorization from a RAM user group, the best practice is considered met. | Quick fix is not supported. | No |
Authorization efficiency and control | The effective scope of custom policies granted to RAM identities does not specify resource groups (added in 2.0 model) | By default, when you grant a custom policy to a RAM identity, the effective scope is at the account level. In this case, if the custom policy does not explicitly limit specific resources and does not explicitly specify permission effect conditions, the RAM identity will have the specified permissions for all resources in the account. According to the best practices for cloud resource management, resources should be grouped by resource groups, and RAM identities should be authorized based on the grouping. During the authorization process, by limiting the effective scope to resource groups, you can better restrict the permission scope of RAM identities and achieve granular authorization. If a custom policy granted to a RAM identity has an effective scope of a resource group, or if a resource group is specified in the policy condition, the best practice is considered met. | Quick fix is not supported. | No |
Authorization efficiency and control | No RAM identity with Admin permissions has authorization restricted to resource groups | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. By dividing cloud resources into resource groups based on applications, environments, and other dimensions, you can authorize by resource group, further narrowing the permission scope and avoiding risks caused by excessive permissions. In the current account, if a RAM identity with AdministratorAccess permissions has an authorization scope of a resource group, the requirement is considered met. | Quick fix is not supported. | No |
Authorization efficiency and control | No RAM identity with service-level system policies has authorization restricted to resource groups | For permission management of RAM identities, we recommend that you follow the principle of least privilege and grant only the necessary permissions. By dividing cloud resources into resource groups based on applications, environments, and other dimensions, you can authorize by resource group, further narrowing the permission scope and avoiding risks caused by excessive permissions. In the current Alibaba Cloud account, if a RAM identity with service-level system policies (such as AliyunECSFullAccess) has an authorization scope of a resource group, the requirement is considered met. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | OSS buckets do not prohibit public read access (added in 2.0 model) | Prevent OSS bucket contents from being publicly readable to ensure data confidentiality and security. If an OSS bucket is set to public read access, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | OSS buckets have access permissions granted to anonymous accounts (added in 2.0 model) | Implementing the principle of least privilege is fundamental to reducing security risks and minimizing the impact of errors or malicious actions. If an OSS bucket policy allows anonymous account access, attackers may leak data. Additionally, if an external account is controlled by a malicious attacker, your data may be tampered with or deleted. This not only threatens the integrity and confidentiality of the data but may also lead to business interruption and legal issues. Best practice recommends prohibiting anonymous account access to OSS buckets through policies. If a bucket policy exists that allows anonymous account access, meaning the authorized user is all accounts * and the effect is allow, it is considered not meeting the best practice. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | OSS buckets are set to public write (added in 2.0 model) | You can allow public access to OSS resources by configuring bucket policies and access control lists (ACLs). Public write means that anyone can modify existing OSS resources or upload new objects to a bucket without specific permissions or authentication, which can easily lead to data leakage and to malicious access that generates significant costs. Best practice recommends disabling public write permissions for OSS buckets and accessing OSS bucket data only through URL signatures or APIs. When either an OSS bucket policy or ACL includes public write semantics, the OSS bucket may be at risk of public write, which does not comply with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | SLB does not have HTTPS listeners enabled (added in 2.0 model) | Ensure that Server Load Balancer (SLB) has HTTPS listeners enabled to ensure that data is encrypted using the TLS protocol during transmission. If SLB does not have HTTPS listeners enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | PolarDB instances have public endpoints configured (added in 2.0 model) | Exposing databases to the public network may pose security risks. Once a database is exposed to the public network, it may be visible to malicious attackers. Additionally, if proper access controls are not implemented on top of public exposure, data leakage or damage can easily occur. Best practice recommends allowing database instances to be accessed only from within VPC internal networks, setting appropriate IP address whitelists, and configuring complex accounts and passwords for databases. If a cluster has public access enabled, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | Elasticsearch instances do not use HTTPS transmission protocol (added in 2.0 model) | Elasticsearch instances that use only the HTTP protocol to provide services may pose data security risks. Since HTTP protocol communications are transmitted in plaintext, attackers can easily obtain and view communication content, thereby acquiring sensitive information and leading to data leakage. Best practice recommends accessing Elasticsearch using the HTTPS protocol in applications or clients to ensure that data transmission is encrypted. If an Elasticsearch instance's cluster network settings have the HTTPS protocol switch enabled, it is considered compliant with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | PolarDB instances have IP whitelist set to 0.0.0.0/0 (added in 2.0 model) | An IP address whitelist consists of IP addresses that are allowed to access PolarDB clusters. If the IP whitelist is set to % or 0.0.0.0/0, any IP address is allowed to access the database cluster, which greatly reduces the security of the database. Do not use this setting unless necessary. Best practice recommends following the principle of least privilege, setting appropriate IP whitelists, and providing high-level access security protection for PolarDB clusters. If a cluster's IP whitelist is set to 0.0.0.0/0 or %, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | Elasticsearch instances have IP whitelist set to 0.0.0.0/0 (added in 2.0 model) | An instance IP whitelist consists of IP addresses that are allowed to access Elasticsearch instances. If the IP whitelist is set to | Quick fix is not supported. | No |
Data storage instances should avoid public network access | Redis instances have IP whitelist set to 0.0.0.0/0 (added in 2.0 model) | An IP address whitelist consists of IP addresses that are allowed to access Redis instances. If the IP whitelist is set to 0.0.0.0/0, any IP address is allowed to access the database cluster, which greatly reduces the security of the database. Do not use this setting unless necessary. Best practice recommends following the principle of least privilege, setting appropriate IP whitelists, and providing high-level access security protection for database instances. If an instance's IP whitelist is set to 0.0.0.0/0, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | Certificates in SSL Certificate Service will expire within 30 days (added in 2.0 model) | After an SSL certificate expires, clients will not be able to verify the server's identity, which may result in users being unable to access services or receiving warnings, affecting user experience. Failure to update certificates in a timely manner may lead to reduced service availability, decreased customer trust, and even data leakage. Additionally, certificate renewal and updates often require a certain period of time, so it is recommended to reserve sufficient time to update certificates to avoid service interruption. If a digital certificate in the certificate management service has an expiration time <= 30 days, it is considered not complying with best practices. | Quick fix is not supported. | No |
Network boundary protection | Security groups have inbound rules set to 0.0.0.0/0 and any port (added in 2.0 model) | Prohibit security group rules that allow all IP addresses (0.0.0.0/0) to access from any port. Access must be restricted to specific IP ranges and ports. If a security group's inbound rules include 0.0.0.0/0 and do not specify specific ports, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | RDS instances have IP whitelist set to 0.0.0.0/0 (added in 2.0 model) | An IP address whitelist consists of IP addresses that are allowed to access RDS instances. If the IP whitelist is set to 0.0.0.0/0, any IP address is allowed to access the database cluster, which greatly reduces the security of the database. Do not use this setting unless necessary. Best practice recommends following the principle of least privilege, setting appropriate IP whitelists, and providing high-level access security protection for database instances. If an instance's IP whitelist is set to 0.0.0.0/0, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | Elasticsearch instances have public access enabled (added in 2.0 model) | Exposing Elasticsearch to the public network may pose security risks. Once an instance is exposed to the public network, it may be visible to malicious attackers. Additionally, if proper access controls are not implemented on top of public exposure, data leakage or damage can easily occur. Best practice recommends allowing Elasticsearch instances to be accessed only from within VPC internal networks, setting appropriate IP whitelists, and configuring appropriate access controls. If an instance has public access enabled, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | CDN domains are not configured to force HTTP to HTTPS redirection (added in 2.0 model) | CDN using only the HTTP protocol to provide external services may pose data security risks. Since HTTP protocol communications are transmitted in plaintext, attackers can easily obtain and view communication content, thereby acquiring sensitive information such as user credentials and private data, leading to data leakage. Best practice recommends that CDN domains providing external services use the HTTPS protocol and force requests on HTTP listeners to redirect to HTTPS protocol listeners, ensuring that data transmission is encrypted. If a CDN domain's HTTPS configuration does not have the force redirect type set to HTTPS -> HTTP, it is considered not complying with best practices. | Quick fix is not supported. | No |
Network boundary protection | ECS instances are not prohibited from binding public IP addresses (added in 2.0 model) | Prevent ECS instances from being directly exposed to the public network to reduce the risk of being attacked. It is recommended to access the public network through NAT Gateway or Server Load Balancer. If ECS instances are bound to public IP addresses, they are considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | Redis instances have public endpoints configured (added in 2.0 model) | Exposing databases to the public network may pose security risks. Once a database is exposed to the public network, it may be visible to malicious attackers. Additionally, if proper access controls are not implemented on top of public exposure, data leakage or damage can easily occur. Best practice recommends allowing database instances to be accessed only from within VPC internal networks, setting appropriate IP whitelists, and configuring complex accounts and passwords for databases. If an instance has public access enabled, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | CDN domains are not configured with HTTPS (added in 2.0 model) | CDN using only the HTTP protocol to provide external services may pose data security risks. Since HTTP protocol communications are transmitted in plaintext, attackers can easily obtain and view communication content, thereby acquiring sensitive information such as user credentials and private data, leading to data leakage. Best practice recommends that CDN domains providing external services use the HTTPS protocol and force requests on HTTP listeners to redirect to HTTPS protocol listeners, ensuring that data transmission is encrypted. If a CDN domain does not have HTTPS secure acceleration enabled, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | RDS instances have public endpoints configured (added in 2.0 model) | Exposing databases to the public network may pose security risks. Once a database is exposed to the public network, it may be visible to malicious attackers. Additionally, if proper access controls are not implemented on top of public exposure, data leakage or damage can easily occur. Best practice recommends allowing database instances to be accessed only from within VPC internal networks, setting appropriate IP whitelists, and configuring complex accounts and passwords for databases. If an instance has public access enabled, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | Elasticsearch instances have Kibana service with public access enabled (added in 2.0 model) | Exposing Kibana to the public network may pose security risks. Once an instance is exposed to the public network, it may be visible to malicious attackers. Additionally, if proper access controls are not implemented on top of public exposure, data leakage or damage can easily occur. Best practice recommends allowing Kibana instances to be accessed only from within VPC internal networks, setting appropriate IP whitelists, and configuring appropriate access controls. If the Kibana service of an Elasticsearch instance has public access enabled, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | Tablestore instances have public access configured (added in 2.0 model) | Tablestore provides a public endpoint, a VPC endpoint, and a classic network endpoint for each instance. The public endpoint is accessible from the Internet, and any user can access Tablestore resources through the public endpoint on the Internet. The classic network endpoint is accessible from ECS servers in the same region on the classic network. Applications can access the instance through the classic network endpoint from ECS servers on the classic network in the same region. Best practice recommends allowing instances to be accessed only from the console or VPC. Restricting instances from being accessed through the public network or classic network can provide better network isolation capabilities and enhance data security. If a Tablestore instance's network type is set to "Limited to console or VPC access" or "Limited to bound VPC access," it is considered compliant with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | APIs with public access in API Gateway are not configured with HTTPS (added in 2.0 model) | APIs that use only the HTTP protocol to provide external services may pose data security risks. Since HTTP protocol communications are transmitted in plaintext, attackers can easily obtain and view communication content, thereby acquiring sensitive information such as user credentials and private data, leading to data leakage. Best practice recommends that APIs providing external services use the HTTPS protocol and force requests on HTTP listeners to redirect to HTTPS protocol listeners, ensuring that data transmission is encrypted. If a domain associated with API Gateway is not configured with the HTTPS protocol, it is considered not complying with best practices. | Quick fix is not supported. | No |
Network boundary protection | Security groups expose high-risk ports (22/3389/...) to the public network (added in 2.0 model) | Prohibit security group rules that allow public network access to high-risk ports such as SSH (22) and RDP (3389) to prevent network attacks and unauthorized access. If security groups expose high-risk ports such as SSH (22) and RDP (3389) to the public network, they are considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | MongoDB instances have public endpoints configured (added in 2.0 model) | Exposing databases to the public network may pose security risks. Once a database is exposed to the public network, it may be visible to malicious attackers. Additionally, if proper access controls are not implemented on top of public exposure, data leakage or damage can easily occur. Best practice recommends allowing database instances to be accessed only from within VPC internal networks, setting appropriate IP whitelists, and configuring complex accounts and passwords for databases. If an instance has public access enabled, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | MongoDB instances have IP whitelist set to 0.0.0.0/0 (added in 2.0 model) | An IP address whitelist consists of IP addresses that are allowed to access MongoDB instances. If the IP whitelist is set to 0.0.0.0/0, any IP address is allowed to access the database cluster, which greatly reduces the security of the database. Do not use this setting unless necessary. Best practice recommends following the principle of least privilege, setting appropriate IP whitelists, and providing high-level access security protection for database instances. If an instance's IP whitelist is set to 0.0.0.0/0, it is considered not complying with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | SLB server certificates will expire in less than 30 days (added in 2.0 model) | Ensure that server certificates used by SLB will not expire within 30 days to avoid transmission encryption failure due to certificate expiration. If the remaining validity period of an SLB server certificate is less than or equal to 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public network access | OSS buckets allow access from accounts outside the organization (added in 2.0 model) | Ensure that OSS buckets are accessible only to accounts within the organization to prevent data leakage risks. If OSS buckets allow access from accounts outside the organization, they are considered non-compliant. | Quick fix is not supported. | No |
Network boundary protection | VPC interconnection traffic is not fully protected by VPC firewall (added in 2.0 model) | This check item requires that all VPC interconnection traffic be protected by the VPC firewall of Cloud Firewall, to reduce the risk carried by internal traffic between private networks. If Cloud Firewall is used but there is VPC interconnection traffic for which the VPC firewall is not enabled, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Host vulnerabilities | Anti-virus feature is not enabled (added in 2.0 model) | Enabling virus scanning can effectively clean various malicious threats on servers and provide effective protection against mainstream ransomware, DDoS trojans, mining and trojan programs, malicious programs, backdoor programs, and worms. If you have purchased Security Center Anti-virus, Enterprise Edition, or Ultimate Edition but have not configured periodic virus scanning policies, it is considered non-compliant. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall IPS has not enabled virtual patching (added in 2.0 model) | The Intrusion Prevention System (IPS) module of Cloud Firewall should have virtual patching enabled. Cloud Firewall can protect you against popular high-risk vulnerabilities and emergency vulnerabilities in real time. Virtual patching provides hot patches at the network layer for high-risk vulnerabilities and emergency vulnerabilities that can be remotely exploited. It intercepts vulnerability attack behaviors in real time and prevents business interruption when host vulnerabilities are being fixed. If Cloud Firewall is used but this feature is not enabled, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall has insufficient available authorizations (added in 2.0 model) | This check item ensures that the specifications of Cloud Firewall are reasonable in terms of available authorizations. If Cloud Firewall is used, but the number of public IP assets with Internet firewall protection not enabled exceeds the number of available protection authorizations, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Alert handling | Pending Security Center alerts exist (added in 2.0 model) | Security alert events refer to threats detected by Security Center in your servers or cloud products, covering security alert types such as web tamper-proofing, process anomalies, website backdoors, abnormal logins, and malicious processes. Timely handling of alerts can improve asset security posture. If the number of unhandled alerts is greater than 0, it is considered non-compliant. | Quick fix is not supported. | No |
Network attack response | Website DDoS intelligent protection is set to strict mode (added in 2.0 model) | Intelligent protection aims to enhance website security. However, enabling strict mode in the policy configuration may cause some false blocking of your business, so strict mode is better suited to website scenarios where protection is performing poorly or the protection effect is unsatisfactory. Note that website (domain name) services already have built-in protection against common layer 4 attacks. For most website services, we recommend not enabling strict mode in intelligent protection and instead using the default normal mode to balance protection effectiveness and business continuity. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall has not created ACL policies (added in 2.0 model) | After enabling the firewall switch, if you have not configured access control (ACL) policies, Cloud Firewall allows all traffic by default in the access control policy matching stage. You can configure traffic interception and allow policies for different firewalls based on your business requirements to better control unauthorized access to assets. If Cloud Firewall is used but no access control policies have been created, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | NAT gateways are not fully protected by NAT boundary firewall (added in 2.0 model) | To reduce the risk of private networks accessing the public network, all NAT gateway instances should be protected by the Cloud Firewall NAT boundary firewall. If Cloud Firewall is used but there are NAT gateways for which protection is not enabled, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall IPS has not enabled interception mode (added in 2.0 model) | The Intrusion Prevention System (IPS) module of Cloud Firewall should be configured in interception mode to intercept malicious traffic and block intrusion activities. If Cloud Firewall is used but this feature is not enabled, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall IPS has not enabled threat intelligence (added in 2.0 model) | The Intrusion Prevention System (IPS) module of Cloud Firewall should enable threat intelligence to scan for reconnaissance threats and provide command and control intelligence blocking. If Cloud Firewall is used but this feature is not enabled, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Monitoring and auditing | Cloud Firewall logs are not collected and stored for 180 days or more (added in 2.0 model) | Cloud Firewall automatically records all traffic in logs and provides the Log Audit page to display event logs, traffic logs, and operation logs. This allows you to trace the sources of attacks and audit traffic in a convenient manner. Cloud Firewall stores audit logs for 7 days by default to meet basic audit and analysis requirements. However, to better meet compliance requirements and improve security performance, we recommend extending the log storage period to 180 days or more. If you have purchased a subscription version of Cloud Firewall but have not collected Cloud Firewall logs and stored them for 180 days or more, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Host vulnerabilities | Vulnerabilities pending remediation exist (added in 2.0 model) | Vulnerability management is a continuous, proactive process that protects systems, networks, and enterprise applications from network attacks and data leakage. Timely addressing potential security weaknesses can prevent attacks and minimize damage when attacks occur. If the number of vulnerabilities pending remediation in the Alibaba Cloud account is greater than 0, it is considered non-compliant. | Quick fix is not supported. | No |
Business risk control | Web tamper-proofing is not enabled (added in 2.0 model) | The web tamper-proofing feature monitors website directories and files in real time. It can also restore tampered files or directories from backups when a website is being tampered with. This prevents illegal content from being inserted into the website and ensures that the website runs as expected. If you have purchased the tamper-proofing feature but the number of bound servers is 0, it is considered non-compliant. | Quick fix is not supported. | No |
Host vulnerabilities | Host baselines pending remediation exist (added in 2.0 model) | Viruses and attackers can exploit the defects in the security configurations of a server to intrude into the server to steal data or insert webshells. The baseline check feature detects security configurations of server operating systems, databases, software, and containers. Timely remediation of baseline risks can harden system security, reduce intrusion risks, and meet security compliance requirements. If the number of unremediated baselines in the Alibaba Cloud account is greater than 0, it is considered non-compliant. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall IPS has not enabled basic protection (added in 2.0 model) | The Intrusion Prevention System (IPS) module of Cloud Firewall should enable basic protection. Basic protection provides basic intrusion prevention capabilities, including brute-force attack interception, command execution vulnerability interception, and control of connections to command and control (C&C) servers after infection, providing basic protection for your assets. If Cloud Firewall is used but this feature is not enabled, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall protection bandwidth specification is insufficient (added in 2.0 model) | This check item ensures that the specifications of Cloud Firewall are reasonable in terms of protection bandwidth. If Cloud Firewall is used, but the actual bandwidth peak in the last 30 days exceeds the purchased protection bandwidth, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall has not configured default deny policy (added in 2.0 model) | To ensure network security, Cloud Firewall should configure a default deny policy (i.e., an IPv4 address version policy with source and destination both set to 0.0.0.0/0 and action set to deny for inbound/outbound). All traffic other than explicitly allowed trusted traffic should be blocked by default. If Cloud Firewall is used but no default deny policy is configured, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall does not protect all public network assets (added in 2.0 model) | This check item ensures that all public network assets are protected by Cloud Firewall. If Cloud Firewall is used, but there are public IP assets with Internet firewall protection not enabled, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Network attack response | Anti-DDoS Origin has not added corresponding protected objects (added in 2.0 model) | After purchasing Anti-DDoS Origin or Anti-DDoS Pro instances, you need to add public IP assets as protected objects so that the instances can provide DDoS protection. Otherwise, the instances provide no protection and their cost is wasted. | Quick fix is not supported. | No |
Container vulnerabilities | Container image scanning is not configured (added in 2.0 model) | When an image contains system or application vulnerabilities, or has been replaced with an image that contains malicious samples, the services created from such a "problematic image" inherit its vulnerabilities. Scanning the images in the image repository lets security personnel push scan results to developers so that image issues are fixed and business security is ensured. If you have purchased container image scanning but have not configured the scan scope in the scan settings, it is considered non-compliant. | Quick fix is not supported. | No |
Application runtime security | Application protection configuration is not created (added in 2.0 model) | Application protection detects attacks during application runtime, which effectively protects Java applications, prevents 0-day vulnerability attacks, and provides security defense for applications. If a customer who has purchased application protection has not created application configurations and the number of groups is 0, it is considered non-compliant. | Quick fix is not supported. | No |
Host vulnerabilities | Anti-ransomware policy is not enabled (added in 2.0 model) | Ransomware intrusion can encrypt customer business data for ransom, leading to business interruption, data leakage, data loss, and other serious business risks. Timely configuration of anti-ransomware policies can effectively reduce such risks. If you have purchased the anti-ransomware feature but have not created protection policies, it is considered non-compliant. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall is not used to protect network traffic (added in 2.0 model) | Alibaba Cloud Cloud Firewall is a cloud platform Software as a Service (SaaS) firewall that can implement unified security isolation and traffic control for your cloud network assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall is the first line of defense to protect your workloads in Alibaba Cloud. If Cloud Firewall is not used, it is considered not complying with network security best practices. | Quick fix is not supported. | No |
Multi-account centralized management | It is recommended to centrally manage multi-account identities | By using cloud single sign-on (SSO), you can centrally manage users in your enterprise who use Alibaba Cloud, configure single sign-on between your enterprise identity management system and Alibaba Cloud at one time, and centrally configure access permissions for all users to Resource Directory (RD) member accounts. If there is no login using cloud SSO for more than 90 days, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | It is recommended to centrally collect operation logs from multiple accounts | ActionTrail only records events for the last 90 days for each Alibaba Cloud account by default. Creating trails can help enterprises persistently store operation records and meet internal and external compliance requirements. Multi-account trails help enterprise administrators centrally track and audit logs from multiple accounts within the enterprise. If no multi-account trail is detected, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | It is recommended to use control policies for multi-account boundary protection | Resource Directory control policies allow organizations to limit the cloud services that member accounts can access and the operations they can perform, centrally manage permission boundaries for member accounts, and ensure that the entire organization follows unified security and compliance standards. If the current account has not created custom control policies and bound them to resource folders or members in the resource directory, it is considered non-compliant. | Quick fix is not supported. | No |
Stability
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Instance specifications | ECS resources do not use high-availability instance specifications | Shared or discontinued ECS instance specifications cannot guarantee stable computing performance. If instances use discontinued or shared ECS instance families, they are considered non-compliant. | Quick fix is not supported. | No |
Instance specifications | Elasticsearch resources do not use high-availability instance specifications | Elasticsearch instances with 1 core and 2 GB specifications are only suitable for testing scenarios, not for production environments. If Elasticsearch instances use 1 core and 2 GB specifications, they are considered non-compliant. | Quick fix is not supported. | No |
Instance specifications | RDS resources do not use high-availability instance specifications | RDS Basic Edition does not provide a secondary instance that serves as a hot standby. If your RDS instance that runs RDS Basic Edition unexpectedly fails or you restart the RDS instance, change the specifications, or upgrade the database engine of the RDS instance, your database service may become unavailable for an extended period of time. Additionally, shared specifications and general-purpose specifications in RDS instance families share resources with other instances on the same physical machine, which is only suitable for application scenarios with low stability requirements. If your business has high availability requirements for databases, we recommend using High-availability/Cluster Edition for product series and dedicated specifications for instance families. If the RDS product series does not use High-availability/Cluster Edition, or if the RDS instance family does not use dedicated specifications, it is considered non-compliant. | Quick fix is not supported. | No |
Instance specifications | ACK resources do not use high-availability instance specifications | ACK Pro managed clusters provide enhanced reliability, security, and scheduling capabilities compared to the original managed clusters, making them suitable for large-scale business in production environments. If managed clusters do not use the Professional Edition, they are considered non-compliant. | Quick fix is not supported. | No |
Instance specifications | Redis resources do not use high-availability instance specifications | Redis Enterprise Edition provides stronger performance, more data structures, and more flexible storage methods. If Redis Enterprise Edition is not used, it is considered non-compliant. | Quick fix is not supported. | No |
Instance specifications | MongoDB resources do not use high-availability instance specifications | When MongoDB uses a standalone architecture, the recovery time after a failure is longer and there is no Service-Level Agreement (SLA) guarantee. If MongoDB instances do not use multi-zone deployment, they are considered non-compliant. | Quick fix is not supported. | No |
Instance specifications | ONS resources do not use high-availability instance specifications | Standard Edition RocketMQ uses shared instances, which is not recommended for production environments. If shared RocketMQ instances are used, they are considered non-compliant. | Quick fix is not supported. | No |
Stable versions | PolarDB resources do not use stable versions | If the minor version status of a PolarDB database is not stable, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | Redis resources do not use stable versions | If Redis instances are not upgraded to the latest minor version, they are considered non-compliant. | Quick fix is not supported. | No |
Stable versions | ACK resources do not use stable versions | If ACK clusters are not upgraded to the latest version, they are considered non-compliant. | Quick fix is not supported. | No |
Stable versions | MSE engine version has risks (added in 2.0 model) | Using the latest MSE engine version is essential for ensuring MSE service continuity. If the engine version is too low, it may lead to issues such as code defects that prevent memory from being reclaimed during garbage collection, memory overflow that causes memory usage to grow continuously, slow startup, and JSON serialization defects. If the MSE-ZK or MSE-Ans engine version or the MSE-Ans client version is too low, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | Elasticsearch resources do not use stable versions | If Elasticsearch instances use versions that are in the not recommended version range, they are considered non-compliant. | Quick fix is not supported. | No |
Stable versions | ECS resources do not use stable versions | If ECS instances use operating system versions that are no longer supported, they are considered non-compliant. | Quick fix is not supported. | No |
Stable versions | MSE-Ingress gateway version has security or stability risks (added in 2.0 model) | Using the latest version of Ingress is essential to ensure gateway service continuity. If the version is too low, it may lead to security or stability risks. It may also cause inaccurate instance lists when subscribing to Nacos services. If the MSE-Ingress version is too low, it is considered non-compliant. | Quick fix is not supported. | No |
Expiration risk | DDoSCOO resources have expiration risk | If the expiration time of a DDoS instance is less than 30 days from the current time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the DDoSCOO subscription instance resources you select. | No |
Expiration risk | EIP resources have expiration risk | If the expiration time of an EIP subscription instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the EIP subscription instance resources that you select. | No |
Expiration risk | CEN resources have expiration risk | If the expiration time of a Cloud Enterprise Network (CEN) bandwidth package is less than 30 days from the current time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the CEN subscription instance resources that you select. | No |
Expiration risk | RDS resources have expiration risk | If the expiration time of an RDS subscription instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the RDS subscription instance resources that you select. | No |
Expiration risk | ADB resources have expiration risk | If the expiration time of an AnalyticDB for MySQL data warehouse instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the ADB subscription instance resources that you select. | No |
Expiration risk | PolarDB resources have expiration risk | If the expiration time of a PolarDB subscription instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the PolarDB subscription instance resources that you select. | No |
Expiration risk | Bastionhost resources have expiration risk | If the expiration time of a Bastionhost instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the Bastionhost subscription instance resources that you select. | No |
Expiration risk | SLB resources have expiration risk | If the expiration time of an SLB subscription instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the SLB subscription instance resources you select. | No |
Expiration risk | Redis resources have expiration risk | If the expiration time of a Redis subscription instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the Redis subscription instance resources that you select. | No |
Expiration risk | MongoDB resources have expiration risk | If the expiration time of a MongoDB subscription instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the MongoDB subscription instance resources that you select. | No |
Expiration risk | DRDS resources have expiration risk | If the expiration time of a PolarDB-X1.0 or PolarDB-X2.0 instance is less than 30 days from the current time and auto-renewal is not enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Expiration risk | CBWP resources have expiration risk | If the expiration time of a shared bandwidth instance is less than 30 days from the current time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the CBWP resources you select. | No |
Expiration risk | ECS resources have expiration risk | If the expiration time of an ECS subscription instance is less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix will enable auto-renewal for the ECS subscription instance resources you select. | No |
Deletion protection | EIP resources do not have deletion protection enabled | If EIP instances do not have deletion protection enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Deletion protection | PolarDB resources do not have cluster protection lock enabled | If PolarDB instances do not have cluster protection lock enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Deletion protection | MongoDB resources do not have deletion protection enabled | If MongoDB instances do not have deletion protection enabled, they are considered non-compliant. | Quick fix is not supported. | No |
Deletion protection | ALB resources do not have deletion protection enabled | If Application Load Balancer (ALB) instances do not have deletion protection enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Deletion protection | ACK resources do not have deletion protection enabled | If ACK clusters do not have deletion protection enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Deletion protection | RDS resources do not have deletion protection enabled | If RDS instances do not have deletion protection enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Deletion protection | SLB resources do not have deletion protection enabled | If SLB instances do not have deletion protection enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Deletion protection | ECS resources do not have deletion protection enabled | If ECS instances do not have deletion protection enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Deletion protection | Redis resources do not have deletion protection enabled | If Redis instances do not have deletion protection enabled, they are considered non-compliant. | This fix will enable deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. If you need to release the instance, you must first disable the deletion protection switch on the instance details page. | No |
Change management | RDS resources have unreasonable maintenance window | If the maintenance window of an RDS instance is not within the range of 02:00-06:00 or 06:00-10:00, it is considered non-compliant. | This fix will uniformly modify the maintenance window for the selected instances. Based on best practices, a recommended maintenance window has been suggested for you. You can modify this parameter according to your enterprise's actual needs. | No |
Change management | PolarDB resources have inappropriate maintenance window | If the maintenance window of a PolarDB cluster is not within the range of 02:00-04:00 or 06:00-10:00, it is considered non-compliant. | This fix will uniformly modify the maintenance window for the selected instances. Based on best practices, a recommended maintenance window has been suggested for you. You can modify this parameter according to your organization's actual needs. | No |
Change management | ECS resources have unreasonable maintenance window | Creating snapshots for ECS instances temporarily reduces the I/O performance of block storage. If the snapshot creation time points set in the automatic snapshot policy are not within the range of 1 and 2, they are considered non-compliant. | This fix will uniformly modify the automatic creation time in the selected snapshot policy to ensure that the snapshot time is within a reasonable range, avoiding impact on your business. Based on best practices, a creation time has been recommended for you. You can modify this parameter according to your enterprise's actual needs. | No |
Change management | Redis resources have inappropriate maintenance windows | If the automatic backup time period of a Redis instance is not within the range of 04:00-05:00, 05:00-06:00, or 12:00-13:00, it is considered non-compliant. | Quick fix is not supported. | No |
Change management | ADB resources have unreasonable maintenance window | If the maintenance window of an ADB cluster is not within the range of 02:00-04:00, 06:00-08:00, or 12:00-13:00, it is considered non-compliant. | This fix will uniformly modify the maintenance window for the selected instances. Based on best practices, a recommended maintenance window has been suggested for you. You can modify this parameter according to your enterprise's actual needs. | No |
Data backup | ECI resources do not have data backup configured | If Elastic Container Instance (ECI) container groups do not have volumes mounted, they are considered non-compliant. | Quick fix is not supported. | No |
Data backup | Redis resources do not have data backup configured | If Tair-type Redis instances do not have incremental backup enabled, they are considered non-compliant. | Quick fix is not supported. | No |
Data backup | Elasticsearch resources do not have data backup configured | If Elasticsearch instances do not have automatic backup enabled, they are considered non-compliant. | Quick fix is not supported. | No |
Data backup | MongoDB resources do not have log backup enabled | MongoDB instances are considered non-compliant if they do not have log backup enabled. | This fix will enable log backup for the selected MongoDB clusters with a default storage period of 7 days. | No |
Data backup | AnalyticDB MySQL Edition does not have log backup enabled | If ADB clusters do not have log backup enabled, they are considered non-compliant. | This fix will enable log backup for the selected AnalyticDB MySQL Edition clusters with a default storage period of 7 days. | No |
Data backup | RDS resources do not have log backup enabled | If RDS instances do not have log backup enabled, they are considered non-compliant. | This fix will enable log backup for the selected RDS instances with a default storage period of 7 days. | No |
Data backup | OSS buckets do not have versioning enabled | If OSS buckets do not have versioning enabled, data cannot be recovered after it is overwritten or deleted. Buckets without versioning enabled are considered non-compliant. | This fix will enable versioning for the selected OSS buckets. After versioning is enabled, an object that is overwritten or deleted is retained as a previous version. If you accidentally overwrite or delete an object, you can restore it to any previous version. | No |
Data backup | PolarDB resources do not have data backup configured | PolarDB clusters are considered non-compliant if level-2 backup is not enabled or the level-2 backup retention period is shorter than 30 days. | This fix will set the level-2 backup cycle and level-2 backup retention period (default is 30 days) for the selected PolarDB clusters. If level-2 backup is not currently enabled, it will be enabled automatically. | No |
Host snapshots | ECS resources do not have host snapshots enabled | If ECS disks do not have automatic snapshot policies set, they are considered non-compliant. | This fix will enable the specified snapshot policy for the selected ECS disk instances. Because snapshot policies in each region are independent, if a policy with the same name exists in the region where the selected disk is located, the existing policy will be used. Otherwise, a new snapshot policy will be created. | No |
Multi-zone architecture | Elasticsearch resources do not use multi-zone architecture | If Elasticsearch instances do not use multi-zone deployment, they are considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | Redis resources do not use multi-zone architecture | If Redis instances do not use multi-zone deployment, they are considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | RDS resources do not use multi-zone architecture | If RDS instances do not use multi-zone deployment, they are considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | MSE-related components have single zone deployment risk (added in 2.0 model) | We recommend that MSE-related components adopt a multi-zone deployment architecture to improve stability. If MSE-related components are deployed in a single zone, they are considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | OSS resources do not use multi-zone architecture | If OSS buckets do not have zone-redundant storage enabled, they are considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | MongoDB resources do not use multi-zone architecture | MongoDB instances that do not use multi-zone deployment are considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | MSE gateway has single-zone architecture risk (added in 2.0 model) | Currently, all instance replicas of the gateway are deployed in the same availability zone (AZ). This deployment approach lacks high availability capabilities, and in extreme cases, your business may be affected. You should upgrade to a new version as soon as possible to distribute gateway instances across multiple availability zones. If the MSE Ingress gateway component has a single-zone architecture, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | SLB resources do not use multi-zone architecture | If an SLB instance is in a single zone, or if resources from multiple zones are not added to the server group used by listeners under the SLB instance, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | PolarDB resources do not use multi-zone architecture | If PolarDB clusters do not have hot standby storage cluster enabled and data is distributed in a single zone, they are considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | CEN resources do not use cluster architecture | If Virtual Border Routers (VBRs) associated with a Cloud Enterprise Network (CEN) instance do not have health checks configured, they are considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | ACK clusters have single-point deployment risk (added in 2.0 model) | A regional cluster is distributed across zones and therefore provides cross-zone disaster recovery within a region. If ACK clusters are not regional clusters, they are considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | PolarDB resources do not use cluster architecture | If the PolarDB product series used are not Cluster Edition or Multi-master Cluster Edition, they are considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | MSE gateway has single-point deployment risk (added in 2.0 model) | Standalone instances present architectural risks. Single-point failures can cause service unavailability. We recommend scaling out to 2 or more nodes. If the MSE Ingress component is deployed as a single node, it is considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | MSE-related resources have single-point deployment risk (added in 2.0 model) | For MSE ZK components, you should scale out to 3 or more nodes. For Nacos-Ans components, you should scale out to more than 3 nodes. MSE-related components deployed as a single node are considered non-compliant. | Quick fix is not supported. | No |
Monitoring discovery | Core cloud product resources without configured monitoring alert rules | Full monitoring coverage of resources is the foundation of business continuity, and alert rules are the means by which that monitoring is implemented. Resources without any alert rules are considered non-compliant. | This fix will automatically enable best-practice alert rules for the cloud resource types that do not have CloudMonitor alert rules configured. By default, notifications are sent to recipients of the "Alibaba Cloud account alert contact" type; confirm that this is the intended recipient. After the rules are enabled, you can view their status or adjust the alert parameters in the one-click alert feature of CloudMonitor. | No |
Monitoring discovery | ACK clusters without Prometheus monitoring configuration | Connecting ACK clusters to monitoring helps developers and operations personnel view the system's running status, including the infrastructure layer, container performance layer, and more. All ACK clusters that do not have "Enable Alibaba Cloud Prometheus Monitoring" configured are considered non-compliant. | Quick fix is not supported. | No |
Monitoring discovery | ACK clusters do not have application monitoring configured | For distributed and microservice applications, you can connect to Application Real-Time Monitoring Service (ARMS) for full-link tracing and code-level real-time performance monitoring. This helps operations personnel track application health status at all times. Applications deployed in Container Service for Kubernetes or Elastic Compute Service that are not connected to ARMS are considered non-compliant. | Quick fix is not supported. | No |
Monitoring alerts | Continuous alerts are not handled in a timely manner | Alert rules that remain in an alerting state for a long time require attention and governance. Problems should be resolved quickly to restore monitoring metrics to normal levels. Alternatively, alert rules should be adjusted based on actual conditions to prevent interference with normal monitoring and operations work caused by excessive alert messages or alert fatigue. For all alert rules set in CloudMonitor, any rule that has been in an alerting state for more than 24 hours is considered non-compliant. | Quick fix is not supported. | No |
Monitoring alerts | High-priority alert rules are not configured | Configuring effective alert rules can provide timely notifications when business systems do not meet operational expectations, allowing for prompt emergency response. If no P1-level alert rules for application monitoring or Prometheus monitoring are configured in the Alibaba Cloud ARMS service, or if no corresponding notification policies are configured, the system is considered non-compliant. | Quick fix is not supported. | No |
Monitoring alerts | High-priority alerts are not handled within the specified time (30 minutes) | MTTx metrics (Mean time to xx, such as MTTR: Mean time to recovery) serve as important measures of alert handling efficiency. Timely response to high-priority alerts can effectively improve the recovery efficiency of alerts or failures, thereby enhancing the service quality of business systems. If no P1-level alert rules for application monitoring or Prometheus monitoring are configured, or if there are alerts in Alibaba Cloud ARMS service that are not resolved within 30 minutes (pending claim, in process, or resolved after more than 30 minutes), it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | We recommend centrally monitoring ARMS resources across multiple Alibaba Cloud accounts | By creating a global aggregation instance, you can monitor ARMS data across accounts from one place. If the current account uses ARMS but has not created a global aggregation (globalview) instance, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | We recommend enabling unified resource configuration detection for multiple accounts | The current account is considered non-compliant unless both of the following conditions are met: 1. An account group exists and rules have been created under it; 2. Non-compliance events are delivered to Simple Log Service (SLS). | Quick fix is not supported. | No |
Instance capacity | MSE-related components have capacity risks (added in 2.0 model) | Keep resource capacity within a reasonable range; exceeding the capacity limit creates stability risks. If the capacity metrics of MSE-related components exceed their limits, the components are considered non-compliant. | Quick fix is not supported. | No |
Abnormal event monitoring | ECS instances are shut down due to overdue payment or security blocking (added in 2.0 model) | Passive shutdown of ECS instances can cause service interruption, data loss, data inconsistency, impact system performance, or create security vulnerabilities. If ECS instances in the current account are shut down due to overdue payment or security blocking, they are considered at risk. | Quick fix is not supported. | No |
Abnormal event monitoring | ECS instances have pending maintenance events (added in 2.0 model) | Failure to respond to ECS planned maintenance events promptly may result in ECS instances restarting during business peak periods, affecting the stability of the business running on them. If there are unhandled ECS maintenance events (with event status Inquiring, Scheduled, or Executing) in the current account, they are considered at risk. | Quick fix is not supported. | No |
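The change management rows above (RDS, PolarDB, ADB maintenance windows and the Redis backup period) all reduce to one question: does a window string such as "02:00Z-06:00Z" fit inside one of the allowed ranges? The following Python is an added example, not the product's own detection code. It copies the allowed ranges from the descriptions above, treats a window as compliant only when it lies inside a single allowed range (a window straddling two adjacent ranges, or crossing midnight, is flagged), and accepts the "Z"-suffixed UTC form that RDS and PolarDB return for MaintainTime. The page states its ranges without a time zone, so the example assumes both sides are in the same zone; the instance IDs are constructed.

```python
"""Check maintenance and backup windows against the allowed ranges on this page."""
import re

# Allowed ranges copied from the check descriptions above
ALLOWED_WINDOWS = {
    "RDS": ["02:00-06:00", "06:00-10:00"],                   # maintenance window
    "PolarDB": ["02:00-04:00", "06:00-10:00"],               # maintenance window
    "ADB": ["02:00-04:00", "06:00-08:00", "12:00-13:00"],    # maintenance window
    "Redis": ["04:00-05:00", "05:00-06:00", "12:00-13:00"],  # automatic backup period
}

# "HH:MM-HH:MM" with an optional "Z" after each time (RDS/PolarDB return UTC this way)
_WINDOW = re.compile(r"^(\d{2}):(\d{2})Z?-(\d{2}):(\d{2})Z?$")


def parse_window(window: str) -> tuple[int, int]:
    """Parse 'HH:MM[Z]-HH:MM[Z]' into (start, end) minutes after midnight; reject junk."""
    m = _WINDOW.match(window.strip())
    if not m:
        raise ValueError(f"unrecognised window: {window!r}")
    h1, m1, h2, m2 = (int(x) for x in m.groups())
    for h, mi in ((h1, m1), (h2, m2)):
        if h > 24 or mi > 59 or (h == 24 and mi != 0):
            raise ValueError(f"invalid time in window: {window!r}")
    return h1 * 60 + m1, h2 * 60 + m2


def is_window_compliant(product: str, window: str) -> bool:
    """True when the window lies entirely inside one allowed range for the product."""
    start, end = parse_window(window)
    if end <= start:  # zero-length or crossing midnight: cannot sit inside any allowed range
        return False
    for allowed in ALLOWED_WINDOWS[product]:
        a, b = parse_window(allowed)
        if a <= start and end <= b:
            return True
    return False


# Constructed sample inventory; the IDs are made up
INVENTORY = [
    {"product": "RDS", "id": "rm-sample-01", "window": "02:00Z-06:00Z"},
    {"product": "RDS", "id": "rm-sample-02", "window": "22:00Z-02:00Z"},   # crosses midnight
    {"product": "PolarDB", "id": "pc-sample-01", "window": "04:00Z-06:00Z"},  # between two allowed ranges
    {"product": "ADB", "id": "am-sample-01", "window": "12:00-13:00"},
    {"product": "Redis", "id": "r-sample-01", "window": "05:00-06:00"},
]


def non_compliant(inventory) -> list[str]:
    """IDs whose window fails the check, in inventory order."""
    return [i["id"] for i in inventory if not is_window_compliant(i["product"], i["window"])]


if __name__ == "__main__":
    print(non_compliant(INVENTORY))
```

Feed it the MaintainTime or backup-period strings from the corresponding Describe* API responses; the only per-product knowledge is the ALLOWED_WINDOWS table, so extending it to another product is a one-line change.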
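The monitoring alert rows above define two time-based conditions: a CloudMonitor rule that has stayed in the alerting state for more than 24 hours, and an ARMS P1 alert that is not resolved within 30 minutes (still pending or in process past the budget, or resolved late). The following Python is an added example, not CloudMonitor or ARMS code; it evaluates both conditions over constructed rule states and alert events and also computes the MTTR figure the page mentions. The record shapes, names and timestamps are assumptions, and a fixed clock is used so the run is reproducible.

```python
"""Flag alert rules stuck in the alerting state and P1 alerts handled late."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run

# Constructed CloudMonitor-like rule states: current state and when it last changed
ALERT_RULES = [
    {"rule": "ecs-cpu-high", "state": "ALARM", "since": NOW - timedelta(hours=30)},
    {"rule": "rds-connections-high", "state": "ALARM", "since": NOW - timedelta(hours=2)},
    {"rule": "slb-5xx-rate", "state": "OK", "since": NOW - timedelta(days=3)},
]

# Constructed ARMS-like alert events; "resolved" is None while an alert is pending or in process
ALERTS = [
    {"id": "alert-01", "level": "P1", "created": NOW - timedelta(minutes=50), "resolved": NOW - timedelta(minutes=40)},
    {"id": "alert-02", "level": "P1", "created": NOW - timedelta(hours=3), "resolved": NOW - timedelta(hours=2)},
    {"id": "alert-03", "level": "P1", "created": NOW - timedelta(minutes=45), "resolved": None},  # pending claim
    {"id": "alert-04", "level": "P1", "created": NOW - timedelta(minutes=10), "resolved": None},  # still inside budget
    {"id": "alert-05", "level": "P3", "created": NOW - timedelta(hours=5), "resolved": None},     # not high priority
]


def stale_alert_rules(rules, now=NOW, max_age_hours=24):
    """Rules in the alerting state for longer than max_age_hours (24 h on this page)."""
    limit = timedelta(hours=max_age_hours)
    return [r["rule"] for r in rules if r["state"] == "ALARM" and now - r["since"] > limit]


def late_p1_alerts(alerts, now=NOW, budget_minutes=30):
    """P1 alerts not resolved within the budget: open past it, or resolved after it."""
    budget = timedelta(minutes=budget_minutes)
    late = []
    for a in alerts:
        if a["level"] != "P1":
            continue
        end = a["resolved"] or now  # an open alert is measured up to the current time
        if end - a["created"] > budget:
            late.append(a["id"])
    return late


def mttr_minutes(alerts, level="P1"):
    """Mean time to recovery over resolved alerts of the level; None if nothing resolved."""
    durations = [
        (a["resolved"] - a["created"]).total_seconds() / 60
        for a in alerts
        if a["level"] == level and a["resolved"] is not None
    ]
    return sum(durations) / len(durations) if durations else None


if __name__ == "__main__":
    print("stale rules:", stale_alert_rules(ALERT_RULES))
    print("late P1 alerts:", late_p1_alerts(ALERTS))
    print("P1 MTTR (min):", mttr_minutes(ALERTS))
```

Note that an open alert is scored against the current time, so an alert that is ten minutes old is not yet late; running this on a schedule rather than once is what turns the 30-minute budget into a real SLO check.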
Cost
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Resource cost optimization | RDS instances have low resource utilization for an extended period (added in 2.0 model) | Maintaining RDS instance resource utilization at a reasonable level for a long time is an important task in cloud cost management. The cloud platform provides RDS instances of various specifications for enterprises. Enterprises need to choose instances of appropriate specifications according to the actual business cycle to achieve cost control of RDS instances. If an RDS instance has CPU utilization, memory utilization, and disk utilization continuously below 3% for 30 days, it is considered not complying with best practices. | Quick fix is not supported. | No |
Resource cost optimization | ECS instances have low resource utilization for an extended period (added in 2.0 model) | Maintaining ECS instance resource utilization at a reasonable level for a long time is an important task in cloud cost management. The cloud platform provides ECS instances of various specifications for enterprises. Enterprises need to choose instances of appropriate specifications according to the actual business cycle to achieve cost control of ECS instances. If an ECS instance has CPU utilization and memory utilization continuously below 3% for 30 days, it is considered not complying with best practices. | Quick fix is not supported. | No |
Resource cost optimization | ECS disks have low resource utilization for an extended period (added in 2.0 model) | Maintaining ECS instance resource utilization at a reasonable level for a long time is an important task in cloud cost management. The cloud platform provides ECS instances of various specifications for enterprises. Enterprises need to choose instances of appropriate specifications according to the actual business cycle to achieve cost control of ECS instances. If an ECS disk has utilization continuously below 3% for 30 days, it is considered not complying with best practices. | Quick fix is not supported. | No |
Resource cost optimization | RDS instance disks have low resource utilization for an extended period (added in 2.0 model) | Maintaining RDS instance resource utilization at a reasonable level for a long time is an important task in cloud cost management. The cloud platform provides RDS instances of various specifications for enterprises. Enterprises need to choose instances of appropriate specifications according to the actual business cycle to achieve cost control of RDS instances. If an RDS disk has utilization continuously below 3% for 30 days, it is considered not complying with best practices. | Quick fix is not supported. | No |
Resource cost optimization | EIP resources are idle | If an EIP is not bound to a resource instance and has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | VPC NAT resources are idle | If a VPC NAT gateway is not bound to an EIP, or if the bound EIP does not have SNAT/DNAT entries set, and the gateway has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | SLB resources are idle | If an SLB load balancer does not have any running listeners and has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | ECS instances are recommended to use subscription payment plan or include pay-as-you-go resources in savings plans (added in 2.0 model) | For resources that are used stably over a long period, a subscription payment plan is recommended; the cost of a subscription ECS instance is normally lower than that of a pay-as-you-go instance. A savings plan is a discount plan that offers lower pay-as-you-go prices in exchange for a commitment to a stable amount of usage over a fixed period. If an ECS instance is billed pay-as-you-go and no savings plan has been purchased, it is considered not complying with best practices. | Quick fix is not supported. | No |
Resource cost optimization | ECS resources are idle | If an ECS instance is in a stopped state and has not set the economical mode for stopped instances, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | CR resources are idle | If a Container Registry (CR) instance has no namespace or image repository and has existed for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | VPN resources are idle | If a VPN gateway has not configured destination-based route policies or has not enabled automatic BGP route propagation, and has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | NAS resources are idle | If a NAS file system has not added mount targets and has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | RDS instances are recommended to use subscription payment plan (added in 2.0 model) | For resources that are used stably for a long time, it is recommended to adopt a subscription payment plan. Normally, the cost of RDS instances with subscription billing is lower than that of pay-as-you-go. If an RDS instance has a pay-as-you-go billing method, it is considered not complying with best practices. | Quick fix is not supported. | No |
Resource cost optimization | ALB resources are idle | If an ALB load balancer has listeners that have not added backend servers and has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | NAT resources are idle | If a NAT gateway is not bound to an EIP or if the bound EIP does not have SNAT/DNAT entries set, and the gateway has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | CBWP resources are idle | If a shared bandwidth instance is not bound to any resource instances and has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | ECS disks are idle | If a cloud disk is not in use and has been created for more than 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | "Resource Idle Detection Best Practices" compliance package is not enabled | If the resource idle detection compliance package is not enabled in CloudConfig, it is considered non-compliant. | Quick fix is not supported. | No |
Cost allocation and analysis | ACK clusters do not have cost management suite enabled (added in 2.0 model) | Traditional methods lack effective cost insights and cost control means for cloud-native scenarios. The cost management suite provides functions such as resource waste checking and resource cost prediction. If ACK clusters do not have the cost management suite function enabled, they are considered not complying with best practices. | Quick fix is not supported. | No |
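The idle-resource rows above share one pattern: a per-type "is anything using this?" predicate, gated by a creation age of more than 7 days (the stopped-ECS rule is the exception and has no age gate). The following Python is an added example, not the rule code of the compliance package the page mentions; it encodes the EIP, NAT, SLB, NAS, CBWP, disk and ECS conditions as stated above and runs them over a constructed inventory. The record shapes, field names, IDs and timestamps are assumptions; the disk status value "In_use" is the one ECS reports for attached disks.

```python
"""Idle-resource detection with the 7-day age gate used by the cost checks."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run
IDLE_AFTER = timedelta(days=7)


def _age(created: str, now: datetime) -> timedelta:
    """Age of a resource from its 'YYYY-MM-DDTHH:MM:SSZ' creation time."""
    return now - datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _nat_idle(r) -> bool:
    """Idle if no EIP is bound, or no bound EIP carries an SNAT/DNAT entry."""
    return not any(e.get("snat_entries") or e.get("dnat_entries") for e in r.get("eips", []))


# type -> (idle predicate, whether the 7-day age gate applies)
RULES = {
    "EIP": (lambda r: not r.get("instance_id"), True),
    "NAT": (_nat_idle, True),
    "SLB": (lambda r: not any(l.get("status") == "running" for l in r.get("listeners", [])), True),
    "NAS": (lambda r: not r.get("mount_targets"), True),
    "CBWP": (lambda r: not r.get("bound_instances"), True),
    "DISK": (lambda r: r.get("status") != "In_use", True),
    # a stopped ECS instance without economical mode is idle regardless of age
    "ECS": (lambda r: r.get("status") == "Stopped" and not r.get("economical_mode"), False),
}

# Constructed inventory; IDs, addresses and timestamps are made up
RESOURCES = [
    {"type": "EIP", "id": "eip-sample-a", "created": "2024-05-01T00:00:00Z", "instance_id": None},
    {"type": "EIP", "id": "eip-sample-b", "created": "2024-05-30T00:00:00Z", "instance_id": None},  # too new
    {"type": "NAT", "id": "ngw-sample", "created": "2024-05-10T00:00:00Z",
     "eips": [{"ip": "203.0.113.10", "snat_entries": 2, "dnat_entries": 0}]},
    {"type": "SLB", "id": "lb-sample", "created": "2024-05-20T00:00:00Z",
     "listeners": [{"port": 80, "status": "stopped"}]},
    {"type": "ECS", "id": "i-sample-stopped", "created": "2024-05-31T00:00:00Z",
     "status": "Stopped", "economical_mode": False},
    {"type": "DISK", "id": "d-sample", "created": "2024-04-01T00:00:00Z", "status": "In_use"},
    {"type": "NAS", "id": "nas-sample", "created": "2024-05-20T00:00:00Z", "mount_targets": []},
    {"type": "CBWP", "id": "cbwp-sample", "created": "2024-05-01T00:00:00Z", "bound_instances": ["eip-sample-a"]},
]


def find_idle(resources, now=NOW) -> list[str]:
    """IDs of resources that match their type's idle predicate (and age gate), in input order."""
    idle = []
    for r in resources:
        predicate, age_gated = RULES[r["type"]]
        if age_gated and _age(r["created"], now) <= IDLE_AFTER:
            continue  # younger than 7 days: may simply not be wired up yet
        if predicate(r):
            idle.append(r["id"])
    return idle


if __name__ == "__main__":
    print(find_idle(RESOURCES))
```

The age gate is what keeps freshly provisioned resources out of the report; when you drive this from real Describe* responses, keep the gate and tune the predicates rather than the threshold.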
Efficiency
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Automation level | Users call deprecated Redis APIs (added in 2.0 model) | Deprecated Redis APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated Redis APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated ECS APIs (added in 2.0 model) | Deprecated ECS APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated ECS APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated CEN APIs (added in 2.0 model) | Deprecated CEN APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated CEN APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated PolarDB APIs (added in 2.0 model) | Deprecated PolarDB APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated PolarDB APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated VPC APIs (added in 2.0 model) | Deprecated VPC APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated VPC APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated RocketMQ APIs (added in 2.0 model) | Deprecated RocketMQ APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated RocketMQ APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated NAS APIs (added in 2.0 model) | Deprecated NAS APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated NAS APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated CDN APIs (added in 2.0 model) | Deprecated CDN APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated CDN APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated RDS APIs (added in 2.0 model) | Deprecated RDS APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated RDS APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated ACK APIs (added in 2.0 model) | Deprecated ACK APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated ACK APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated SLB APIs (added in 2.0 model) | Deprecated SLB APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated SLB APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Users call deprecated ALB APIs (added in 2.0 model) | Deprecated ALB APIs are no longer maintained, posing stability risks and preventing the use of new features. If there have been calls to deprecated ALB APIs in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | It is recommended to use automated methods to control resources | If the ratio of using automated means such as SDK, Terraform, Cloud Control API, CADT, ROS, Service Catalog, etc., to call OpenAPI in the last 30 days has not reached 100%, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | It is recommended to use automated methods for daily resource provisioning | If the ratio of using non-console calls to OpenAPI to create resources in the last year has not reached 100%, it is considered non-compliant. | Quick fix is not supported. | No |
Automation level | It is recommended to use automated methods for continuous resource management | If the ratio of using non-console calls to OpenAPI for continuous resource management in the last 30 days has not reached 100%, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | RDS OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | NAS OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | ECS OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | VPC OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Redis OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | ALB OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | SLB OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | CEN OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | RocketMQ OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | ACK OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | PolarDB OpenAPI calls are at risk of being throttled (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | CDN API traffic is within normal range (added in 2.0 model) | API calls being throttled can lead to call failures, which may affect business stability. If there have been throttling exception issues in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | ACK quota has saturation risk (added in 2.0 model) | Resource creation, modification, or use of product features may fail. If in the last 7 days the product has had quota items with high usage levels and has returned quota_exceed errors, it is considered at risk. | Quick fix is not supported. | No |
Automation quality | CDN quota has saturation risk (added in 2.0 model) | Resource creation, modification, or use of product features may fail. If in the last 7 days the product has had quota items with high usage levels and has returned quota_exceed errors, it is considered at risk. | Quick fix is not supported. | No |
Automation quality | ECS quota has saturation risk (added in 2.0 model) | Resource creation, modification, or use of product features may fail. If in the last 7 days the product has had quota items with high usage levels and has returned quota_exceed errors, it is considered at risk. | Quick fix is not supported. | No |
Automation quality | VPC quota has saturation risk (added in 2.0 model) | Resource creation, modification, or use of product features may fail. If in the last 7 days the product has had quota items with high usage levels and has returned quota_exceed errors, it is considered at risk. | Quick fix is not supported. | No |
Automation quality | SLB quota has saturation risk (added in 2.0 model) | Resource creation, modification, or use of product features may fail. If in the last 7 days the product has had quota items with high usage levels and has returned quota_exceed errors, it is considered at risk. | Quick fix is not supported. | No |
Automation quality | CEN quota has saturation risk (added in 2.0 model) | Resource creation, modification, or use of product features may fail. If in the last 7 days the product has had quota items with high usage levels and has returned quota_exceed errors, it is considered at risk. | Quick fix is not supported. | No |
Automation quality | Resource modification interface call success rate has not reached 100% | If the success rate of using automated means (OpenAPI, Cloud Control API, SDK, Terraform, etc.) to modify infrastructure resources in the last 30 days has not reached 100%, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Resource creation interface call success rate has not reached 100% | If the success rate of using automated means (OpenAPI, Cloud Control API, SDK, Terraform, etc.) to create infrastructure resources in the last 30 days has not reached 100%, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Diagnostic tools are not used to observe and diagnose errors (deleted in 2.0 model) | If Request IDs have never been used in the OpenAPI portal to self-diagnose errors related to core products in the past year, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | The quota platform is not used to view or adjust quotas (deleted in 2.0 model) | If core products have not been viewed in the quota platform or the self-service application function has not been used in the past year, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | API calls have throttling exception risk (deleted in 2.0 model) | If throttling exceptions have occurred in API calls in the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Cloud product resource quota has saturation risk (deleted in 2.0 model) | If the product has had resource quota items at a high usage level in the last 7 days and quota_exceed errors have occurred, it is considered at risk. | Quick fix is not supported. | No |
Unified control | Account is not managed by Resource Directory | Compared to scattered management of multiple accounts, unified management of multiple accounts can bring value to enterprises in terms of permissions, security, and cost. If the current account does not belong to any resource directory, it is considered non-compliant. | Quick fix is not supported. | No |
Unified control | Resource groups or tags are not used for financial unit allocation (deleted in 2.0 model) | Cost allocation is the foundation for cost visibility, budgeting, and cost optimization in enterprise finance. If there are financial units that are not associated with resource groups or tags, it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Associated resources are divided into different resource groups (added in 2.0 model) | If associated resources are not placed in the same resource group, permission, financial, and operational management based on resource groups may not cover all target resources. If there are associated resources that are not in the same custom resource group, it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Multiple accounts are not used to manage resources within the same organization | An Alibaba Cloud account serves several roles. Each cloud account is a completely isolated tenant: its resource access, network deployment, and identity permissions are independent and isolated by default. A cloud account is also a billing unit, so different businesses can be deployed in different cloud accounts for independent cost accounting and billing. Managing resources across multiple accounts benefits enterprises in terms of environment isolation, security compliance, and business innovation. If there are two or more Alibaba Cloud accounts under the same entity, the condition is met. | Quick fix is not supported. | No |
Resource grouping and isolation | Custom resource groups are not used to group resources | Through custom resource groups, you can more flexibly control resource access and use. If the proportion of resources belonging to custom resource groups is less than 75% of total resources, it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Creator tags are not enabled | As the scale of enterprise resources in the cloud continues to expand, multiple people need to manage cloud resources. In cost, security, and other scenarios, it is necessary to effectively identify resource creators to facilitate cost allocation or security tracing and improve management efficiency. If creator tags are not enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Custom tags are not used to tag resources | Through custom tags, users can more flexibly identify, sort, and organize various resources. If the proportion of resources with custom tags is less than 75% of total resources, it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Preset tags are not used | Preset tags are tags that are created in advance and applied to all regions. Using preset tags allows for easy binding and management of cloud resources during the resource implementation phase. If the proportion of preset tags to custom tags is less than 80%, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | It is recommended to enable centralized log collection for multiple accounts | If the SLS log audit trusted service status is not detected as enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | It is recommended to set delegated administrator accounts for the resource directory where the account is located | Using delegated administrator accounts can separate organization management tasks from business management tasks. The management account performs organization management tasks for the resource directory, and delegated administrator accounts perform business management tasks for trusted services. If no delegated administrator account is set in the trusted services enabled by the resource directory management account (MA), it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | It is recommended to enable multi-account resource search function | By using Resource Directory to manage multiple Alibaba Cloud accounts, management accounts or delegated administrator accounts can view and search for cloud resources of all members in the resource directory. If cross-account resource search is not enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-account centralized management | It is recommended to use centralized management of multi-account message contacts | Through the Resource Directory message contact management function, you can achieve centralized management of cross-account message contacts. If no Resource Directory message contacts are detected, or if message contacts are not bound to the resource directory, resource folders, or members, it is considered non-compliant. | Quick fix is not supported. | No |
Performance
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Performance anomaly detection | EBS disks have performance risks due to high space utilization (added in 2.0 model) | Excessively high disk space utilization may increase the risk of data loss. This check helps customers detect potential performance bottlenecks early and take measures to avoid performance degradation. If an EBS disk's space utilization exceeds 80%, it is considered non-compliant. | Quick fix is not supported. | No |
Performance anomaly detection | ECS resources have performance risks due to high memory utilization (added in 2.0 model) | Ensuring that the memory utilization of core cloud product ECS is at a healthy level helps avoid performance degradation or service interruption risks due to insufficient memory. If an ECS instance has high memory utilization, meaning that in the past 24 hours, the ECS memory utilization has been greater than 85% for a cumulative time exceeding 9 hours, it is considered non-compliant. | Quick fix is not supported. | No |
Performance anomaly detection | EBS disks have performance risks due to high throughput (added in 2.0 model) | This check helps customers prevent performance bottlenecks, assess whether storage resource allocation is reasonable, and determine whether expansion is needed to ensure business continuity. If an EBS disk's IOPS or BPS utilization in the past 24 hours exceeds 90% of the corresponding IOPS or BPS limit for that disk type, it is considered non-compliant. | Quick fix is not supported. | No |
Performance anomaly detection | ECS resources have performance risks due to high CPU utilization (added in 2.0 model) | Ensuring that the CPU utilization of core cloud product ECS is at a healthy level is the foundation for ensuring stable and continuous business operation. High load not only causes applications to respond slowly but may also trigger automatic protection mechanisms such as system automatic restart or service degradation. If an ECS instance has high CPU utilization, meaning that in the past 24 hours, the CPU utilization has been greater than 85% for a cumulative time exceeding 8 hours, it is considered non-compliant. | Quick fix is not supported. | No |
Performance anomaly detection | ECS resources cannot automatically scale performance (added in 2.0 model) | Core cloud products such as ECS resources should be able to automatically increase or decrease resources based on performance load to ensure dynamic balance during business operation. If ECS has not enabled elastic scaling, or if elastic scaling is enabled but the success rate of the elastic scaling group in the last 24 hours is less than 90%, it is considered non-compliant. | Quick fix is not supported. | No |