This topic describes the managed rules that are provided in the CISComplianceCheck compliance package template.

| Rule | Description |
| --- | --- |
| ecs-in-use-disk-encrypted | If encryption is enabled for each Elastic Compute Service (ECS) data disk that is in use, the evaluation result is compliant. |
| ecs-available-disk-encrypted | If encryption is enabled for each ECS data disk that is to be mounted, the evaluation result is compliant. |
| ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
| oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant. |
| sg-risky-ports-check | If 0.0.0.0/0 (any source) is in the inbound IP address whitelist of a security group but ports 22 and 3389 are not opened to it, the evaluation result is compliant. |
| ram-user-mfa-check | If multi-factor authentication (MFA) is enabled for each RAM user, the evaluation result is compliant. |
| root-ak-check | If no AccessKey pairs exist for each Alibaba Cloud account, the evaluation result is compliant. |
| root-mfa-check | If MFA is enabled for each Alibaba Cloud account, the evaluation result is compliant. |
| ram-password-policy-check | If the password policy settings configured for RAM users meet the specified values, the evaluation result is compliant. |
| ram-policy-no-statements-with-admin-access-check | If the Action parameter of the policies attached to each RAM user, RAM user group, and RAM role is not set to *, the evaluation result is compliant. The value * grants super administrator permissions. |
| ram-user-no-policy-check | If no policies are attached directly to each RAM user, the evaluation result is compliant. |
| oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-encryption-byok-check | If the specified customer master key (CMK) managed by Key Management Service (KMS) is used to encrypt each Object Storage Service (OSS) bucket, the evaluation result is compliant. |
| rds-instance-enabled-auditing | If the SQL audit feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-instance-sql-collector-retention | If the SQL audit feature is enabled for each ApsaraDB RDS for MySQL instance and SQL audit logs are retained for a period longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
| rds-postgresql-parameter-log-connections | If the log_connections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
| rds-postgresql-parameter-log-disconnections | If the log_disconnections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
| rds-postgresql-parameter-log-duration | If the log_duration parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
| oss-bucket-anonymous-prohibited | If the access control list (ACL) of each OSS bucket is set to private, the evaluation result is compliant. Alternatively, if an authorization policy is specified for OSS buckets that allow public-read or public-read-write access and the authorization policy grants no read or write permissions to anonymous accounts, the evaluation result is compliant. |
| oss-bucket-only-https-enabled | If the permission policy of each OSS bucket includes settings that allow HTTPS requests and deny HTTP requests, the evaluation result is compliant. |
| oss-bucket-authorize-specified-ip | If the read or write permissions of each OSS bucket are set to private, or the permission policy of each OSS bucket includes the required IP whitelists, the evaluation result is compliant. |
| oss-bucket-public-write-prohibited | If the ACL of each OSS bucket denies read and write access from the Internet, the evaluation result is compliant. |
| oss-bucket-public-read-prohibited | If the ACL of each OSS bucket denies read access from the Internet, the evaluation result is compliant. |
| ecs-all-enabled-security-protection | If the Security Center agent is installed on each ECS instance, the evaluation result is compliant. |
| ecs-all-updated-security-vul | If the vulnerabilities that Security Center identifies on each ECS instance are fixed, the evaluation result is compliant. |
| vpc-secondary-cidr-route-check | If the related route table includes at least one entry that carries routing information for the IP addresses of a custom VPC CIDR block, the evaluation result is compliant. |
| ram-user-last-login-expired-check | If each RAM user has logged on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time instead. If the last update time is not more than 90 days before the current time, the evaluation result is compliant. |
| ram-user-ak-create-date-expired-check | If the period between the time when the AccessKey pair of a RAM user was created and the time when the compliance evaluation starts is shorter than or equal to that specified by the input parameter, the evaluation result is compliant. |
| vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the evaluation result is compliant. |
| rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-instance-enabled-ssl | If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| actiontrail-trail-intact-enabled | If an active trail exists in ActionTrail and events of all types generated in all regions are tracked, the evaluation result is compliant. |
| waf-instance-logging-enabled | If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF), the evaluation result is compliant. |
| ack-cluster-network-type-check | If the Terway network plug-in is used on each Container Service for Kubernetes (ACK) cluster, the evaluation result is compliant. |
| ack-cluster-public-endpoint-check | If no public IP addresses and ports are configured for the Kubernetes API server in each ACK cluster, the evaluation result is compliant. |
| ack-cluster-node-monitorenabled | If the CloudMonitor agent is installed on all nodes in each ACK cluster and runs as expected, the evaluation result is compliant. |
| security-center-notice-config-check | If a notification method is specified for each notification item detected by Security Center, the evaluation result is compliant. |
| security-center-version-check | If Security Center Enterprise Edition or a more advanced edition is used, the evaluation result is compliant. |
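The three OSS bucket-policy rules above (oss-bucket-anonymous-prohibited, oss-bucket-only-https-enabled and oss-bucket-authorize-specified-ip) are easiest to understand by evaluating them against concrete policy documents. The following Python is an added illustration, not code from the compliance package; the sample policies are constructed, and the condition keys acs:SecureTransport and acs:SourceIp are assumed to be the OSS bucket policy keys for transport and source-IP conditions.

```python
import json

# Constructed sample OSS bucket policies (not from the page). acs:SecureTransport
# and acs:SourceIp are assumed to be the OSS bucket-policy condition keys.
HTTPS_ONLY = json.loads("""{"Version":"1","Statement":[
 {"Effect":"Allow","Action":["oss:GetObject"],"Principal":["123456"],"Resource":["acs:oss:*:*:demo/*"]},
 {"Effect":"Deny","Action":["oss:*"],"Principal":["*"],"Resource":["acs:oss:*:*:demo/*"],
  "Condition":{"Bool":{"acs:SecureTransport":["false"]}}}]}""")
ANON_READ = json.loads("""{"Version":"1","Statement":[
 {"Effect":"Allow","Action":["oss:GetObject"],"Principal":["*"],"Resource":["acs:oss:*:*:demo/*"]}]}""")
IP_LIMITED = json.loads("""{"Version":"1","Statement":[
 {"Effect":"Allow","Action":["oss:GetObject","oss:PutObject"],"Principal":["*"],
  "Resource":["acs:oss:*:*:demo/*"],"Condition":{"IpAddress":{"acs:SourceIp":["203.0.113.0/24"]}}}]}""")

READ_WRITE = ("oss:GetObject", "oss:PutObject", "oss:*", "oss:Get*", "oss:Put*")

def _lst(v):
    return v if isinstance(v, list) else [v]

def only_https_enabled(policy):
    # oss-bucket-only-https-enabled: some Deny statement must fire for plain-HTTP
    # requests, i.e. when acs:SecureTransport is false.
    for s in policy.get("Statement", []):
        flags = _lst(s.get("Condition", {}).get("Bool", {}).get("acs:SecureTransport", []))
        if s.get("Effect") == "Deny" and any(str(f).lower() == "false" for f in flags):
            return True
    return False

def anonymous_prohibited(acl, policy):
    # oss-bucket-anonymous-prohibited: a private ACL is compliant outright; a public
    # ACL is compliant only if no Allow statement grants read/write to principal "*".
    if acl == "private":
        return True
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow" and "*" in _lst(s.get("Principal", [])):
            if any(a in READ_WRITE for a in _lst(s.get("Action", []))):
                return False
    return True

def authorize_specified_ip(acl, policy):
    # oss-bucket-authorize-specified-ip: private ACL, or every Allow statement is
    # bound to a source-IP whitelist through an IpAddress condition on acs:SourceIp.
    if acl == "private":
        return True
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    return bool(allows) and all(
        _lst(s.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp", [])) for s in allows)

def evaluate(acl, policy):
    return {"oss-bucket-only-https-enabled": only_https_enabled(policy),
            "oss-bucket-anonymous-prohibited": anonymous_prohibited(acl, policy),
            "oss-bucket-authorize-specified-ip": authorize_specified_ip(acl, policy)}
```

Running `evaluate("public-read", ANON_READ)` marks all three rules non-compliant, while the IP-limited policy passes only the source-IP rule because its grant still names the anonymous principal.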