This topic describes the managed rules that are provided in the BestPracticesForECS compliance package template.

| Rule name | Description |
| --- | --- |
| ecs-instance-status-no-stopped | If each Elastic Compute Service (ECS) instance is not in the Stopped state, the evaluation result is compliant. |
| ecs-instance-expired-check | If the remaining validity period of each subscription ECS instance is longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| ecs-instance-deletion-protection-enabled | If the release protection feature is enabled for each ECS instance, the evaluation result is compliant. |
| ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| ecs-disk-encrypted | If encryption is enabled for each ECS data disk, the evaluation result is compliant. |
| ecs-disk-in-use | If each ECS data disk is attached to an ECS instance, the evaluation result is compliant. |
| sg-risky-ports-check | If 0.0.0.0/0 is added to the IP whitelist of each security group and ports 22 and 3389 are disabled, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you set the port range to -1/-1 or the authorized IP address to 0.0.0.0/0, the evaluation result is compliant. |
| ecs-instance-attached-security-group | If each ECS instance is added to a specified security group, the evaluation result is compliant. |
| ecs-instance-imageId-check | If the ID of the system image of each ECS instance matches the specified setting, the evaluation result is compliant. |
| ecs-all-updated-security-vul | If the vulnerabilities that are identified by Security Center on each ECS instance are fixed, the evaluation result is compliant. |
| ecs-all-enabled-security-protection | If the Security Center agent is installed on each ECS instance, the evaluation result is compliant. |
| ecs-instance-no-lock | If no ECS instances are locked due to issues such as overdue payments and security risks, the evaluation result is compliant. |
| ess-group-health-check | If the health check feature is enabled for the ECS instances of each scaling group, the evaluation result is compliant. |
| ecs-disk-auto-snapshot-policy | If an automatic snapshot policy is specified for each Elastic Compute Service (ECS) data disk, the evaluation result is compliant. |
| ecs-disk-no-lock | If no ECS data disks are locked due to issues such as overdue payments and security risks, the evaluation result is compliant. |
| ecs-disk-retain-auto-snapshot | If auto snapshots are retained when the related ECS data disks are released, the evaluation result is compliant. |
| ecs-snapshot-retention-days | If auto snapshots of ECS instances are retained for a period longer than or equal to that specified by the input parameter, the evaluation result is compliant. |