This topic describes the managed rules that are provided in the BestPracticesForECS compliance package template.
| Rule name | Description |
|---|---|
| ecs-instance-status-no-stopped | If each Elastic Compute Service (ECS) instance is not in the Stopped state, the evaluation result is compliant. |
| ecs-instance-expired-check | If the remaining validity period of each subscription ECS instance is longer than or equal to the period specified by the input parameter, the evaluation result is compliant. |
| ecs-instance-deletion-protection-enabled | If the release protection feature is enabled for each ECS instance, the evaluation result is compliant. |
| ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to VPC; if yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which each ECS instance resides matches the specified setting; if yes, the evaluation result is compliant. |
| ecs-disk-encrypted | If encryption is enabled for each ECS data disk, the evaluation result is compliant. |
| ecs-disk-in-use | If each ECS data disk is attached to an ECS instance, the evaluation result is compliant. |
| sg-risky-ports-check | If the IP whitelist of a security group contains 0.0.0.0/0 but ports 22 and 3389 are not open in that security group, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you set the port range to -1/-1 or the authorized IP address to 0.0.0.0/0, the evaluation result is compliant. |
| ecs-instance-attached-security-group | If each ECS instance is added to a specified security group, the evaluation result is compliant. |
| ecs-instance-imageId-check | If the ID of the system image of each ECS instance matches the specified setting, the evaluation result is compliant. |
| ecs-all-updated-security-vul | If the vulnerabilities that Security Center identifies on each ECS instance are fixed, the evaluation result is compliant. |
| ecs-all-enabled-security-protection | If the Security Center agent is installed on each ECS instance, the evaluation result is compliant. |
| ecs-instance-no-lock | If no ECS instance is locked due to issues such as overdue payments or security risks, the evaluation result is compliant. |
| ess-group-health-check | If the health check feature is enabled for the ECS instances of each scaling group, the evaluation result is compliant. |
| ecs-disk-auto-snapshot-policy | If an automatic snapshot policy is specified for each ECS data disk, the evaluation result is compliant. |
| ecs-disk-no-lock | If no ECS data disk is locked due to issues such as overdue payments or security risks, the evaluation result is compliant. |
| ecs-disk-retain-auto-snapshot | If automatic snapshots are retained when the related ECS data disk is released, the evaluation result is compliant. |
| ecs-snapshot-retention-days | If automatic snapshots of ECS instances are retained for a period longer than or equal to the period specified by the input parameter, the evaluation result is compliant. |