This topic describes the managed rules that are provided in the BestPracticesForDataBase compliance package template.

| Rule name | Description |
| --- | --- |
| mongodb-cluster-expired-check | If the remaining validity period of each subscription ApsaraDB for MongoDB cluster is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| hbase-cluster-expired-check | If the remaining validity period of each subscription ApsaraDB for HBase cluster is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| rds-instance-enabled-safety-security-ip | If each ApsaraDB RDS instance uses enhanced whitelists, the evaluation result is compliant. |
| polardb-cluster-category-normal | If the cluster architecture is used for each PolarDB instance, the evaluation result is compliant. |
| redis-instance-release-protection | If the release protection feature is enabled for each ApsaraDB for Redis instance, the evaluation result is compliant. |
| redis-instance-disable-risk-commands | If high-risk commands are disabled for each ApsaraDB for Redis instance, the evaluation result is compliant. |
| hbase-cluster-type-check | If the cluster architecture is used for each ApsaraDB for HBase instance, the evaluation result is compliant. |
| hbase-cluster-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for HBase cluster is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for HBase clusters reside matches the specified setting. If yes, the evaluation result is compliant. |
| hbase-cluster-ha-check | If high-availability ApsaraDB for HBase clusters are used, the evaluation result is compliant. |
| hbase-cluster-deletion-protection | If the deletion protection feature is enabled for each ApsaraDB for HBase cluster, the evaluation result is compliant. |
| mongodb-instance-release-protection | If the release protection feature is enabled for each ApsaraDB for MongoDB instance, the evaluation result is compliant. |
| mongodb-instance-lock-mode | If each ApsaraDB for MongoDB instance is not locked, the evaluation result is compliant. |
| mongodb-instance-log-audit | If the audit log feature is enabled for each ApsaraDB for MongoDB cluster, the evaluation result is compliant. |
| rds-instance-expired-check | If the remaining validity period of each subscription ApsaraDB RDS instance is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| polardb-cluster-expired-check | If the remaining validity period of each subscription PolarDB instance is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| redis-instance-expired-check | If the remaining validity period of each subscription ApsaraDB for Redis cluster is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| rds-instance-enabled-auditing | If the SQL audit feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
| redis-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-high-availability-category | If high-availability ApsaraDB RDS instances are used, the evaluation result is compliant. |
| rds-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB RDS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB RDS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| rds-multi-az-support | If ApsaraDB RDS instances are deployed across multiple zones, the evaluation result is compliant. |
| rds-instance-enabled-ssl | If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| redis-instance-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for Redis instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for Redis instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| redis-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for Redis instance, the evaluation result is compliant. |
| redis-architecturetype-cluster-check | If the cluster architecture is used for each ApsaraDB for Redis instance, the evaluation result is compliant. |
| mongodb-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for MongoDB instance, the evaluation result is compliant. |
| mongodb-instance-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for MongoDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB for MongoDB instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| polardb-public-access-check | If 0.0.0.0/0 is not added to the IP whitelist of each PolarDB instance, the evaluation result is compliant. |
| polardb-dbcluster-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each PolarDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which PolarDB instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| rds-instance-sql-collector-retention | If the SQL audit feature is enabled for each ApsaraDB RDS for MySQL instance and SQL audit logs are retained for a period longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| rds-event-log-enabled | If the event history feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |