The ResourceProtectionOnBestPractices compliance package checks whether protection features, such as deletion protection and update protection, are enabled for cloud services such as Elastic Compute Service (ECS) and ApsaraDB RDS. If a protection feature is not enabled, we recommend that you enable it at the earliest opportunity. This topic describes the rules that are provided in the ResourceProtectionOnBestPractices compliance package.
| Rule name | Description |
| --- | --- |
| | Checks whether the release protection feature is enabled for each ACK cluster. If so, the evaluation result is Compliant. |
| | Checks whether the deletion protection feature is enabled for each Application Load Balancer (ALB) instance. If so, the evaluation result is Compliant. The deletion protection feature prevents instances from being accidentally released. |
| | Checks whether the Security Center agent is installed on each ECS instance that belongs to the current account. If so, the evaluation result is Compliant. |
| | Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant. |
| | Checks whether the Security Center agent is installed on each ECS instance. If so, the evaluation result is Compliant. The Security Center agent helps protect the security of ECS instances. This rule does not apply to ECS instances that are not running. |
| | Checks whether the deletion protection feature is enabled for each elastic IP address (EIP). If so, the evaluation result is Compliant. For EIPs created with service accounts and subscription EIPs, the evaluation result is Not Applicable. These EIPs do not support the deletion protection feature. |
| | Checks whether the deletion protection feature is enabled for each ApsaraDB for HBase cluster. If so, the evaluation result is Compliant. |
| | Checks whether the deletion protection feature is enabled for each customer master key (CMK) in KMS. If so, the evaluation result is Compliant. |
| | Checks whether the release protection feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant. |
| | Checks whether the release protection feature is enabled for each NAT gateway. If so, the evaluation result is Compliant. |
| | Checks whether the deletion protection feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. |
| | Checks whether the deletion protection feature is enabled for each RDS instance. If so, the evaluation result is Compliant. For subscription resources, the evaluation result is Not Applicable. |
| | Checks whether the release protection feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. |
| | Checks whether the release protection feature is enabled for each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant. |
| | Checks whether the modification protection feature is enabled for each SLB instance. If so, the evaluation result is Compliant. |
| | Checks whether a specified protection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant. |
| | Checks whether a specified protection feature is enabled for each domain name that is protected by WAF. If so, the evaluation result is Compliant. |