This topic describes the managed rules that are provided in the GovernanceCenterCompliancePractices compliance package template.

| Rule name | Description |
| --- | --- |
| oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each Object Storage Service (OSS) bucket, the evaluation result is compliant. |
| oss-bucket-public-read-prohibited | If the access control list (ACL) of each OSS bucket denies read access from the Internet, the evaluation result is compliant. |
| oss-bucket-public-write-prohibited | If the ACL of each OSS bucket denies read and write access from the Internet, the evaluation result is compliant. |
| root-ak-check | If no AccessKey pairs exist in each Alibaba Cloud account, the evaluation result is compliant. |
| root-mfa-check | If multi-factor authentication (MFA) is enabled for each Alibaba Cloud account, the evaluation result is compliant. |
| ecs-disk-encrypted | If encryption is enabled for each Elastic Compute Service (ECS) data disk, the evaluation result is compliant. |
| sg-risky-ports-check | If 0.0.0.0/0 is added to the IP address whitelist of each security group and ports 22 and 3389 are disabled, the evaluation result is compliant. |
| sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, the evaluation result is compliant. |
| rds-instances-in-vpc | If the vpcIds parameter is not specified, the system checks whether the network type of each ApsaraDB RDS instance is set to Virtual Private Cloud (VPC). If yes, the evaluation result is compliant. If the vpcIds parameter is specified, the system checks whether the VPC in which each ApsaraDB RDS instance resides matches the specified setting. If yes, the evaluation result is compliant. |
| rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-public-access-check | If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB RDS instance, the evaluation result is compliant. |
| ram-password-policy-check | If the password policy configured for each RAM user meets the specified values, the evaluation result is compliant. |
| ram-user-ak-used-expired-check | If the time elapsed since each RAM user last used an AccessKey pair is shorter than the specified period, the evaluation result is compliant. |
| ecs-instance-deletion-protection-enabled | If the release protection feature is enabled for each ECS instance, the evaluation result is compliant. |
| slb-delete-protection-enabled | If the release protection feature is enabled for each Server Load Balancer (SLB) instance, the evaluation result is compliant. |
| root-has-specified-role | If each Alibaba Cloud account assumes a specified role, the evaluation result is compliant. |
| ram-user-mfa-check | If MFA is enabled for each RAM user, the evaluation result is compliant. |
| slb-listener-https-enabled | If ports 80 and 8080 are used by HTTPS listeners of each SLB instance, the evaluation result is compliant. |
| resource-region-limit | If each resource resides in the specified region, the evaluation result is compliant. |
| ram-user-last-login-expired-check | If each RAM user has logged on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time instead; if the last update time is not more than 90 days before the current time, the evaluation result is compliant. |
| contains-tag | If each resource has one of the tag values specified for a tag key, the evaluation result is compliant. |
| required-tags | If each resource has all the specified tags, the evaluation result is compliant. You can add a maximum of six tags to each resource. |
| oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |