
Cloud Config: Managed rules

Last Updated: Mar 15, 2024

When you create a rule in the Cloud Config console, you can select a managed rule.

If you need a managed rule that is not yet available in the Cloud Config console, submit a ticket. Alibaba Cloud evaluates each request and converts rules that are universally applicable into managed rules.

The following table describes the managed rules supported by Cloud Config.

| Alibaba Cloud service | Managed rule | OOS template ID for automatic remediation | Precheck supported |
| --- | --- | --- | --- |
| Alibaba Cloud CDN (CDN) | cdn-domain-https-enabled | None | No |
| Alibaba Cloud CDN (CDN) | cdn-domain-enabled-cache | None | No |
| Alibaba Cloud CDN (CDN) | cdn-domain-oss-source-check | None | No |
| Alibaba Cloud CDN (CDN) | cdn-domain-tls13-enabled | None | No |
| ActionTrail | actiontrail-enabled | None | No |
| ActionTrail | actiontrail-trail-intact-enabled | None | No |
| Elastic Compute Service (ECS) | ecs-disk-encrypted | None | Yes |
| Elastic Compute Service (ECS) | ecs-instance-expired-check | None | No |
| Elastic Compute Service (ECS) | ecs-instances-in-vpc | None | No |
| Elastic Compute Service (ECS) | ecs-cpu-min-count-limit | None | No |
| Elastic Compute Service (ECS) | ecs-desired-instance-type | None | No |
| Elastic Compute Service (ECS) | ecs-gpu-min-count-limit | None | No |
| Elastic Compute Service (ECS) | ecs-memory-min-size-limit | None | Yes |
| Elastic Compute Service (ECS) | ecs-disk-in-use | None | No |
| Elastic Compute Service (ECS) | ecs-instance-no-public-ip | None | Yes |
| Elastic Compute Service (ECS) | eip-attached | None | No |
| Elastic Compute Service (ECS) | ecs-instance-imageId-check | None | Yes |
| Elastic Compute Service (ECS) | ecs-instance-attached-security-group | None | Yes |
| Elastic Compute Service (ECS) | ecs-instance-deletion-protection-enabled | ACS-ECS-BulkyEnableDeletionProtection | Yes |
| Elastic Compute Service (ECS) | ecs-command-exclude-sensitive-content | None | No |
| Elastic Compute Service (ECS) | ecs-instance-status-no-stopped | None | No |
| Elastic Compute Service (ECS) | sg-public-access-check | None | Yes |
| Elastic Compute Service (ECS) | sg-risky-ports-check | None | Yes |
| Elastic Compute Service (ECS) | ecs-instance-no-lock | None | No |
| Elastic Compute Service (ECS) | ess-group-health-check | None | No |
| Elastic Compute Service (ECS) | ecs-disk-auto-snapshot-policy | None | Yes |
| Elastic Compute Service (ECS) | ecs-disk-no-lock | None | No |
| Elastic Compute Service (ECS) | ecs-disk-retain-auto-snapshot | None | Yes |
| Elastic Compute Service (ECS) | ecs-snapshot-retention-days | None | No |
| Elastic Compute Service (ECS) | ecs-instance-chargetype-check | None | Yes |
| Elastic Compute Service (ECS) | ecs-security-group-not-used | None | No |
| Elastic Compute Service (ECS) | ecs-instance-login-use-keypair | None | Yes |
| Elastic Compute Service (ECS) | ecs-internet-charge-type-check | None | No |
| Elastic Compute Service (ECS) | ecs-internetmaxbandwidth-check | None | No |
| Elastic Compute Service (ECS) | ecs-instance-running-process-check | None | No |
| Elastic Compute Service (ECS) | ecs-instance-installed-software-check | None | No |
| Elastic Compute Service (ECS) | ecs-available-disk-encrypted | None | No |
| Elastic Compute Service (ECS) | ecs-in-use-disk-encrypted | None | No |
| Elastic Compute Service (ECS) | ecs-instance-image-type-check | None | No |
| Elastic Compute Service (ECS) | ecs-system-disk-encrypted | None | No |
| Elastic Compute Service (ECS) | ecs-instance-auto-renewal-enabled | None | No |
| Elastic Compute Service (ECS) | ecs-system-disk-size-check | None | No |
| Elastic Compute Service (ECS) | ecs-instance-enabled-security-protection | None | No |
| Elastic Compute Service (ECS) | ecs-security-group-description-check | None | Yes |
| Elastic Compute Service (ECS) | ecs-instance-updated-security-vul | None | No |
| Elastic Compute Service (ECS) | ecs-instance-monitor-enabled | None | No |
| Elastic Compute Service (ECS) | ecs-instance-meta-data-mode-check | None | No |
| Elastic Compute Service (ECS) | ecs-security-group-not-open-all-port | None | Yes |
| Elastic Compute Service (ECS) | ecs-security-group-not-open-all-protocol | None | Yes |
| Elastic Compute Service (ECS) | ecs-security-group-not-internet-cidr-access | None | Yes |
| Elastic Compute Service (ECS) | ecs-security-group-egress-not-all-access | None | Yes |
| Elastic Compute Service (ECS) | ecs-security-group-white-list-port-check | None | Yes |
| Elastic Compute Service (ECS) | sg-risky-ports-check | None | No |
| Elastic Compute Service (ECS) | ecs-running-instances-in-vpc | ACS-ECS-BulkyStopClassicInstances | No |
| Elastic Compute Service (ECS) | ecs-running-instance-no-public-ip | ACS-ECS-BulkyStopInstancesWithPublicIp | No |
| Elastic Compute Service (ECS) | resources-inherit-tags-from-ecs-instance | None | No |
| Elastic Compute Service (ECS) | ecs-instance-running-process-disabled | None | No |
| Elastic Compute Service (ECS) | ecs-instance-post-paid-stopped-mode-check | None | No |
| Elastic Compute Service (ECS) | ecs-instance-enable-security-center-anti-rule | None | No |
| Elastic Compute Service (ECS) | ecs-instance-os-name-check | None | Yes |
| Elastic Compute Service (ECS) | ecs-snapshot-policy-timepoints-check | None | No |
| Elastic Compute Service (ECS) | ecs-launch-template-version-attach-security-group | None | No |
| Elastic Compute Service (ECS) | ecs-launch-template-version-data-disk-encrypted | None | No |
| Elastic Compute Service (ECS) | ecs-launch-template-version-system-disk-encrypted | None | No |
| Elastic Compute Service (ECS) | ecs-disk-all-encrypted-by-kms | None | No |
| Elastic Compute Service (ECS) | ecs-disk-idle-check | None | No |
| Elastic Compute Service (ECS) | ecs-instance-image-expired-check | None | No |
| Elastic Compute Service (ECS) | ecs-instance-not-bind-key-pair | None | No |
| Elastic Compute Service (ECS) | ecs-instance-ram-role-attached | None | No |
| Elastic Compute Service (ECS) | ecs-instance-type-family-not-deprecated | None | No |
| Elastic Compute Service (ECS) | ecs-instance-use-specified-owner-image | None | No |
| Elastic Compute Service (ECS) | ecs-security-group-type-not-normal | None | No |
| Elastic Compute Service (ECS) | privatelink-service-endpoint-multi-zone | None | No |
| Elastic Compute Service (ECS) | ecs-launch-template-version-image-type-check | None | No |
| Elastic Compute Service (ECS) | ecs-cpu-max-utilization-check | None | No |
| Elastic Compute Service (ECS) | resources-inherit-resourcegroup-from-ecs-disk | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Elastic Compute Service (ECS) | resources-inherit-tags-from-ecs-disk | ACS-TAG-TagResourcesIgnoreCaseSensitive | No |
| Elastic Compute Service (ECS) | resources-inherit-resourcegroup-from-ecs-networkinterface | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Dedicated Host (DDH) | ddh-cpu-min-count-limit | None | No |
| Dedicated Host (DDH) | ddh-memory-min-size-limit | None | No |
| Dedicated Host (DDH) | ddh-socket-min-count-limit | None | No |
| Elastic IP Address (EIP) | eip-bandwidth-limit | None | No |
| Elastic IP Address (EIP) | eip-address-expired-check | None | No |
| Elastic IP Address (EIP) | ess-scaling-configuration-enabled-internet-check | None | No |
| Elastic IP Address (EIP) | ess-scaling-group-attach-slb | None | No |
| Elastic IP Address (EIP) | ess-scaling-group-attach-multi-switch | None | No |
| Elastic IP Address (EIP) | eip-idle-check | None | No |
| Elastic IP Address (EIP) | eip-delete-protection-enabled | None | No |
| ApsaraDB RDS | rds-min-maxiops-limit | None | No |
| ApsaraDB RDS | rds-desired-instance-type | None | No |
| ApsaraDB RDS | rds-instances-in-vpc | None | No |
| ApsaraDB RDS | rds-memory-min-size-limit | None | Yes |
| ApsaraDB RDS | rds-cpu-min-count-limit | None | No |
| ApsaraDB RDS | rds-instance-storage-min-size-limit | None | No |
| ApsaraDB RDS | rds-high-availability-category | None | No |
| ApsaraDB RDS | rds-multi-az-support | None | No |
| ApsaraDB RDS | rds-public-access-check | ACS-RDS-ReleaseInstancePublicConnection | No |
| ApsaraDB RDS | rds-instance-enabled-ssl | None | No |
| ApsaraDB RDS | rds-instance-enabled-tde | None | No |
| ApsaraDB RDS | rds-instance-enabled-security-ip-list | ACS-RDS-BulkyModifySecurityIpsByInstanceIPArray | Yes |
| ApsaraDB RDS | rds-dbinstance-nettype-intranet-limit | None | No |
| ApsaraDB RDS | rds-connectionmode-safe-enabled | None | No |
| ApsaraDB RDS | rds-instance-enabled-auditing | ACS-RDS-BulkyModifySQLCollectorPolicy | No |
| ApsaraDB RDS | rds-instance-sql-collector-retention | ACS-RDS-BulkyModifySQLCollectorRetention | No |
| ApsaraDB RDS | rds-postgresql-parameter-log-connections | None | No |
| ApsaraDB RDS | rds-postgresql-parameter-log-disconnections | None | No |
| ApsaraDB RDS | rds-postgresql-parameter-log-duration | None | No |
| ApsaraDB RDS | rds-event-log-enabled | ACS-RDS-BulkyModifyActionEventPolicy | No |
| ApsaraDB RDS | rds-instance-expired-check | None | Yes |
| ApsaraDB RDS | rds-instance-enabled-log-backup | None | No |
| ApsaraDB RDS | rds-instance-enabled-disk-encryption | None | No |
| ApsaraDB RDS | rds-instance-enabled-byok-tde | None | No |
| ApsaraDB RDS | rds-instance-delete-protection-enabled | None | No |
| ApsaraDB RDS | rds-account-managed-by-kms | None | No |
| ApsaraDB RDS | rds-instance-maintain-time-check | None | No |
| ApsaraDB RDS | rds-public-and-any-ip-access-check | None | No |
| ApsaraDB RDS | rds-instance-class-type-check | None | No |
| ApsaraDB RDS | rds-instance-monitored-second-level | None | No |
| ApsaraDB RDS | rds-instance-category-check | None | No |
| ApsaraDB RDS | rds-instance-enabled-safety-security-ip | ACS-RDS-BulkyMigrateSecurityIPMode | No |
| ApsaraDB RDS | rds-instance-has-guard-instance | None | No |
| ApsaraDB RDS | rds-instance-sync-mode-check | None | No |
| ApsaraDB RDS | rds-instance-tls-version-check | None | No |
| ApsaraDB RDS | rds-public-connection-and-any-ip-access-check | None | No |
| ApsaraDB for Redis | redis-min-qps-limit | None | No |
| ApsaraDB for Redis | redis-min-bandwidth-limit | None | No |
| ApsaraDB for Redis | redis-min-capacity-limit | None | No |
| ApsaraDB for Redis | redis-instance-in-vpc | None | No |
| ApsaraDB for Redis | redis-public-access-check | ACS-Redis-BulkyDeleteSecurityIpFromInstanceIPArray | Yes |
| ApsaraDB for Redis | redis-architecturetype-cluster-check | None | No |
| ApsaraDB for Redis | redis-instance-release-protection | None | No |
| ApsaraDB for Redis | redis-instance-disable-risk-commands | ACS-Redis-BulkyModifyInstanceConfig | No |
| ApsaraDB for Redis | redis-instance-expired-check | None | No |
| ApsaraDB for Redis | redis-instance-enabled-audit-log | ACS-REDIS-BulkyModifyAuditLogConfig | No |
| ApsaraDB for Redis | redis-instance-audit-log-retention | ACS-REDIS-BulkyModifyAuditLogConfig | No |
| ApsaraDB for Redis | redis-instance-enabled-tde | None | No |
| ApsaraDB for Redis | redis-instance-open-auth-mode | None | No |
| ApsaraDB for Redis | redis-instance-multi-zone | None | No |
| ApsaraDB for Redis | redis-instance-no-public-ip | ACS-Redis-ReleaseInstancePublicConnection | No |
| ApsaraDB for Redis | redis-instance-enabled-tls | None | No |
| ApsaraDB for Redis | redis-instance-enabled-byok-tde | None | No |
| ApsaraDB for Redis | redis-instance-double-node-type | None | No |
| ApsaraDB for Redis | redis-public-and-any-ip-access-check | None | No |
| ApsaraDB for Redis | redis-instance-backup-time-check | None | No |
| ApsaraDB for Redis | redis-instance-backup-log-enabled | None | No |
| ApsaraDB for Redis | redis-instance-edition-type-check | None | No |
| ApsaraDB for Redis | redis-instance-tair-type-close-aof | None | No |
| ApsaraDB for Redis | redis-instance-upgrade-latest-version | None | No |
| ApsaraDB for MongoDB | mongodb-instance-in-vpc | None | No |
| ApsaraDB for MongoDB | mongodb-public-access-check | None | No |
| ApsaraDB for MongoDB | mongodb-min-maxiops-limit | None | No |
| ApsaraDB for MongoDB | mongodb-min-maxconnections-limit | None | No |
| ApsaraDB for MongoDB | mongodb-instance-release-protection | None | No |
| ApsaraDB for MongoDB | mongodb-instance-lock-mode | None | No |
| ApsaraDB for MongoDB | mongodb-instance-log-audit | None | No |
| ApsaraDB for MongoDB | mongodb-cluster-expired-check | None | No |
| ApsaraDB for MongoDB | mongodb-public-and-any-ip-access-check | None | No |
| ApsaraDB for MongoDB | mongodb-instance-class-not-shared | None | No |
| ApsaraDB for MongoDB | mongodb-instance-backup-log-enabled | None | No |
| ApsaraDB for MongoDB | mongodb-instance-multi-node | None | No |
| ApsaraDB for MongoDB | mongodb-instance-multi-zone | None | No |
| PolarDB | polardb-dbcluster-in-vpc | None | No |
| PolarDB | polardb-public-access-check | None | Yes |
| PolarDB | polardb-cluster-category-normal | None | No |
| PolarDB | polardb-cluster-expired-check | None | No |
| PolarDB | polardb-dbversion-status-check | None | No |
| PolarDB | polardb-cluster-enabled-tde | None | No |
| PolarDB | polardb-cluster-enabled-ssl | None | No |
| PolarDB | polardb-cluster-enabled-auditing | None | No |
| PolarDB | polardb-cluster-default-time-zone-not-system | None | No |
| PolarDB | polardb-readonly-address-auto-add-new-node-disabled | None | No |
| PolarDB | polardb-cluster-log-backup-retention | None | No |
| PolarDB | polardb-cluster-level-two-backup-retention | None | No |
| PolarDB | polardb-cluster-level-one-backup-retention | None | No |
| PolarDB | polardb-cluster-accpunts-description-not-empty | None | No |
| PolarDB | polardb-cluster-address-connection-persist-check | None | No |
| PolarDB | polardb-cluster-address-consist-level-check | None | No |
| PolarDB | polardb-cluster-address-read-write-enabled | None | No |
| PolarDB | polardb-cluster-address-auto-add-new-node-enabled | None | No |
| PolarDB | polardb-cluster-address-no-public | None | No |
| PolarDB | polardb-cluster-delete-protection-enabled | None | No |
| PolarDB | polardb-cluster-maintain-time-check | None | No |
| PolarDB | polardb-public-and-any-ip-access-check | None | No |
| PolarDB | polardb-instance-sub-category-exclusive | None | No |
| PolarDB | polardb-cluster-address-check | None | No |
| PolarDB | polardb-cluster-address-distributed-transaction-disabled | None | No |
| PolarDB | polardb-cluster-address-master-accept-reads | None | No |
| PolarDB | polardb-cluster-multi-zone | None | No |
| PolarDB | polardb-primary-address-check | None | No |
| PolarDB | polardb-readonly-address-check | None | No |
| PolarDB | polardb-x1-instance-expired-check | None | No |
| PolarDB | polardb-x2-instance-expired-check | None | No |
| Object Storage Service (OSS) | oss-bucket-public-read-prohibited | ACS-OSS-PutBucketAcl | No |
| Object Storage Service (OSS) | oss-bucket-public-write-prohibited | ACS-OSS-PutBucketAcl | Yes |
| Object Storage Service (OSS) | oss-zrs-enabled | None | No |
| Object Storage Service (OSS) | oss-bucket-versioning-enabled | None | No |
| Object Storage Service (OSS) | oss-bucket-logging-enabled | None | Yes |
| Object Storage Service (OSS) | oss-default-encryption-kms | None | No |
| Object Storage Service (OSS) | oss-bucket-server-side-encryption-enabled | ACS-OSS-PutBucketEncryption | No |
| Object Storage Service (OSS) | oss-bucket-name-regex-match | None | No |
| Object Storage Service (OSS) | oss-bucket-referer-enabled | None | No |
| Object Storage Service (OSS) | oss-bucket-referer-limit | ACS-OSS-PutBucketReferer | No |
| Object Storage Service (OSS) | oss-bucket-anonymous-prohibited | None | No |
| Object Storage Service (OSS) | oss-bucket-only-https-enabled | None | No |
| Object Storage Service (OSS) | oss-bucket-authorize-specified-ip | None | No |
| Object Storage Service (OSS) | oss-bucket-policy-no-any-anonymous | None | Yes |
| Object Storage Service (OSS) | oss-encryption-byok-check | None | No |
| Object Storage Service (OSS) | oss-bucket-logging-prefix-match | None | Yes |
| Resource Access Management (RAM) | ram-user-login-check | None | No |
| Resource Access Management (RAM) | ram-password-policy-check | ACS-RAM-SetPasswordPolicy | No |
| Resource Access Management (RAM) | ram-policy-in-use-check | None | No |
| Resource Access Management (RAM) | ram-risky-policy-user-mfa-check | None | No |
| Resource Access Management (RAM) | ram-group-has-member-check | None | No |
| Resource Access Management (RAM) | ram-policy-no-statements-with-admin-access-check | None | No |
| Resource Access Management (RAM) | ram-user-no-policy-check | None | No |
| Resource Access Management (RAM) | ram-user-group-membership-check | None | No |
| Resource Access Management (RAM) | ram-user-last-login-expired-check | None | No |
| Resource Access Management (RAM) | ram-user-mfa-check | ACS-ECS-BulkyUpdateLoginProfile | No |
| Resource Access Management (RAM) | ram-user-ak-create-date-expired-check | None | No |
| Resource Access Management (RAM) | ram-user-ak-used-expired-check | None | No |
| Resource Access Management (RAM) | ram-user-invalid-ak-check | None | No |
| Resource Access Management (RAM) | root-ak-check | None | No |
| Resource Access Management (RAM) | root-mfa-check | None | No |
| Resource Access Management (RAM) | ram-user-specified-permission-bound | None | No |
| Resource Access Management (RAM) | ram-user-active-ak-check | None | No |
| Resource Access Management (RAM) | ram-user-no-product-admin-access | None | No |
| Resource Access Management (RAM) | ram-role-no-product-admin-access | None | No |
| Resource Access Management (RAM) | ram-group-in-use-check | None | No |
| Resource Access Management (RAM) | root-has-specified-role | None | No |
| Resource Access Management (RAM) | ram-user-has-specified-policy | None | No |
| Resource Access Management (RAM) | ram-role-has-specified-policy | None | No |
| Resource Access Management (RAM) | ram-user-sso-enabled | None | No |
| Resource Access Management (RAM) | ram-user-no-has-specified-policy | None | No |
| Resource Access Management (RAM) | cloudsso-directory-saml-expired-check | None | No |
| Resource Access Management (RAM) | cloudsso-scim-credential-expired-check | None | No |
| Resource Access Management (RAM) | ram-policy-no-has-specified-document | None | No |
| Resource Access Management (RAM) | ram-role-sso-saml-enabled | None | No |
| Resource Access Management (RAM) | ram-user-activated-ak-quantity-check | None | No |
| Resource Access Management (RAM) | ram-user-role-no-product-admin-access | None | No |
| Resource Access Management (RAM) | account-no-has-ram-user | None | No |
| Tag | required-tags | ACS-TAG-TagResources | No |
| Tag | required-any-tags | None | No |
| Tag | contains-tag | None | No |
| Tag | contains-all-tag | None | No |
| Tag | resources-tags-not-empty | None | No |
| Tag | matched-tag | ACS-TAG-TagResources | No |
| Virtual Private Cloud (VPC) | vpn-ipsec-connection-status-check | None | No |
| Virtual Private Cloud (VPC) | vpn-ipsec-connection-health-check-open | None | No |
| Virtual Private Cloud (VPC) | vpc-flow-logs-enabled | None | No |
| Virtual Private Cloud (VPC) | vpc-secondary-cidr-route-check | None | No |
| Virtual Private Cloud (VPC) | vswitch-available-ip-count | None | No |
| Virtual Private Cloud (VPC) | region-vswitch-no-crossed-cidr | None | No |
| Virtual Private Cloud (VPC) | express-connect-opposite-interface-owner-check | None | No |
| Server Load Balancer (SLB) | slb-loadbalancer-bandwidth-limit | None | Yes |
| Server Load Balancer (SLB) | slb-acl-public-access-check | None | No |
| Server Load Balancer (SLB) | slb-aliyun-certificate-required | None | No |
| Server Load Balancer (SLB) | slb-listener-https-enabled | None | Yes |
| Server Load Balancer (SLB) | slb-no-public-ip | None | Yes |
| Server Load Balancer (SLB) | slb-delete-protection-enabled | ACS-SLB-BulkySetLoadBalancerDeleteProtection | Yes |
| Server Load Balancer (SLB) | slb-loadbalancer-in-vpc | None | Yes |
| Server Load Balancer (SLB) | slb-status-active-check | None | No |
| Server Load Balancer (SLB) | slb-modify-protection-check | ACS-SLB-BulkySetLoadBalancerModificationProtection | Yes |
| Server Load Balancer (SLB) | slb-server-certificate-expired | None | No |
| Server Load Balancer (SLB) | slb-instance-expired-check | None | No |
| Server Load Balancer (SLB) | slb-instance-autorenewal-check | None | Yes |
| Server Load Balancer (SLB) | slb-instance-loadbalancerspec-check | None | Yes |
| Server Load Balancer (SLB) | slb-backendserver-weight-check | None | No |
| Server Load Balancer (SLB) | slb-acl-has-specified-ip | None | No |
| Server Load Balancer (SLB) | slb-listener-risk-ports-check | None | Yes |
| Server Load Balancer (SLB) | slb-acl-no-has-specified-ip | None | No |
| Server Load Balancer (SLB) | slb-instance-spec-check | None | Yes |
| Server Load Balancer (SLB) | slb-all-listener-enabled-acl | None | No |
| Server Load Balancer (SLB) | slb-all-listener-health-check-enabled | None | No |
| Server Load Balancer (SLB) | slb-instance-multi-zone | None | Yes |
| Server Load Balancer (SLB) | clb-prepaid-instance-idle-check | None | No |
| Server Load Balancer (SLB) | slb-all-listener-servers-multi-zone | None | No |
| Server Load Balancer (SLB) | slb-all-listener-has-server | None | No |
| Server Load Balancer (SLB) | slb-all-listener-tls-policy-check | None | No |
| Server Load Balancer (SLB) | slb-default-server-group-multi-server | None | No |
| Server Load Balancer (SLB) | slb-instance-default-server-group-multi-zone | None | No |
| Server Load Balancer (SLB) | slb-instance-idle-check | None | No |
| Server Load Balancer (SLB) | slb-instance-log-enabled | None | No |
| Server Load Balancer (SLB) | slb-master-slave-server-group-multi-zone | None | No |
| Server Load Balancer (SLB) | slb-server-certificate-expired | None | No |
| Server Load Balancer (SLB) | slb-vserver-group-multi-zone | None | No |
| Server Load Balancer (SLB) | resources-inherit-resourcegroup-from-slb-loadbalancer | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Container Service for Kubernetes (ACK) | ack-cluster-public-endpoint-check | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-deletion-protection-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-network-type-check | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-node-monitorenabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-rrsa-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-spec-check | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-upgrade-latest-version | None | No |
| Container Service for Kubernetes (ACK) | ack-running-cluster-node-monitorenabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-control-plane-log-enable | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-security-inspector-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-ram-authenticator-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-pro-spec-used | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-node-pools-management-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-node-pools-auto-scaling-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-node-multi-zone | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-has-policy-check | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-encryption-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-cost-exporter-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-configuation-inspect-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-api-server-audit-log-enabled | None | No |
| Container Service for Kubernetes (ACK) | ack-cluster-advanced-audit-enabled | None | No |
| Resource Management | resource-region-limit | None | No |
| Resource Management | resources-inherit-tags-from-resource-group | ACS-TAG-TagResourcesIgnoreCaseSensitive | No |
| Resource Management | resource-name-regex-match | None | No |
| Resource Management | resourcemanager-account-type-check | None | No |
| Resource Management | resources-inherit-resourcegroup-from-ecs-instance | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Resource Management | resource-group-default-used-check | None | No |
| Security Center | security-center-version-check | None | No |
| Security Center | security-center-notice-config-check | None | No |
| Security Center | ecs-all-enabled-security-protection | None | No |
| Security Center | ecs-all-updated-security-vul | None | No |
| Security Center | security-center-leak-ak-check | None | No |
| Security Center | security-center-image-vul-check | None | No |
| Security Center | security-center-weak-password-check | None | No |
| Security Center | security-center-concern-necessity-check | None | No |
| Security Center | security-center-defense-config-check | None | No |
| Security Center | security-center-fingerprint-collect-enabled | None | No |
| ApsaraDB for HBase | hbase-cluster-type-check | None | No |
| ApsaraDB for HBase | hbase-cluster-in-vpc | None | No |
| ApsaraDB for HBase | hbase-cluster-ha-check | None | No |
| ApsaraDB for HBase | hbase-cluster-deletion-protection | None | No |
| ApsaraDB for HBase | hbase-cluster-expired-check | None | No |
| ApsaraDB for HBase | hbase-public-access-check | None | No |
| Web Application Firewall (WAF) | waf-instance-logging-enabled | ACS-WAF-BulkyModifyLogServiceStatus | No |
| Web Application Firewall (WAF) | waf-domain-enabled-specified-protection-module | None | No |
| Web Application Firewall (WAF) | waf-domain-enabled-specified-protection-mode | None | No |
| Web Application Firewall (WAF) | api-gateway-group-domain-access-waf | None | No |
| Web Application Firewall (WAF) | waf3-instance-enabled-specified-defense-rules | None | No |
| Key Management Service (KMS) | kms-key-delete-protection-enabled | ACS-KMS-BulkySetDeletionProtection | No |
| Key Management Service (KMS) | kms-key-rotation-enabled | ACS-KMS-BulkyUpdateRotationPolicy | No |
| Key Management Service (KMS) | kms-secret-rotation-enabled | None | No |
| Key Management Service (KMS) | kms-key-state-not-pending-deletion | None | No |
| Key Management Service (KMS) | kms-key-origin-not-external | None | No |
| NAT Gateway | nat-risk-ports-check | ACS-VPC-BulkyDeleteForwardEntry | No |
| NAT Gateway | natgateway-delete-protection-enabled | None | No |
| NAT Gateway | internet-nat-gateway-in-specified-vpc | None | No |
| NAT Gateway | intranet-nat-gateway-in-specified-vpc | None | No |
| NAT Gateway | not-use-specified-type-nat-gateway | None | No |
| NAT Gateway | natgateway-eip-used-check | None | No |
| NAT Gateway | natgateway-snat-eip-bandwidth-check | None | No |
| NAT Gateway | internet-natgateway-idle-check | None | No |
| NAT Gateway | intranet-natgateway-idle-check | None | No |
| NAT Gateway | resources-inherit-resourcegroup-from-nat-natgateway | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Apsara File Storage NAS (NAS) | nas-filesystem-status-check | None | No |
| Apsara File Storage NAS (NAS) | nas-filesystem-encrypt-type-check | None | Yes |
| Apsara File Storage NAS (NAS) | nas-access-group-public-access-check | None | No |
| Apsara File Storage NAS (NAS) | nas-filesystem-recycle-bin-check | None | No |
| Apsara File Storage NAS (NAS) | nas-filesystem-enable-backup-plan | None | No |
| Apsara File Storage NAS (NAS) | nas-filesystem-mount-target-access-group-check | None | No |
| Apsara File Storage NAS (NAS) | nas-filesystem-idle-check | None | No |
| Cloud Enterprise Network (CEN) | cen-bandwidth-package-expired-check | None | No |
| Cloud Enterprise Network (CEN) | cen-cross-region-bandwidth-check | None | No |
| Cloud Enterprise Network (CEN) | cen-all-vbr-health-check-enabled | None | No |
| Internet Shared Bandwidth | cbwp-bandwidth-package-expired-check | None | Yes |
| Internet Shared Bandwidth | cbwp-bandwidth-package-idle-check | None | No |
| Bastionhost | bastionhost-instance-expired-check | None | No |
| API Gateway | api-gateway-api-visibility-private | None | No |
| API Gateway | api-gateway-api-internet-request-https | ACS-ApiGateway-BulkyModifyApiGroupNetworkPolicy | No |
| API Gateway | api-gateway-group-https-policy-check | None | No |
| API Gateway | api-gateway-group-bind-domain | None | No |
| API Gateway | api-gateway-group-enabled-ssl | None | No |
| API Gateway | api-gateway-api-auth-jwt | None | No |
| API Gateway | api-gateway-api-auth-required | None | No |
| API Gateway | api-gateway-group-domain-access-waf-or-waf3 | None | No |
| Function Compute | fc-service-vpc-binding | None | No |
| Function Compute | fc-trigger-http-not-anonymous | None | No |
| Function Compute | fc-service-tracing-enable | None | No |
| Function Compute | fc-function-custom-domain-and-tls-enable | None | No |
| Function Compute | fc-function-custom-domain-and-cert-enable | None | No |
| Function Compute | fc-function-custom-domain-and-https-enable | None | No |
| Function Compute | fc-function-internet-and-custom-domain-enable | None | No |
| Function Compute | fc-service-internet-access-disable | None | No |
| Function Compute | fc-service-bind-role | None | No |
| Function Compute | fc-service-log-enable | None | No |
| Elasticsearch | elasticsearch-instance-in-vpc | None | No |
| Elasticsearch | elasticsearch-instance-enabled-kibana-public-check | None | Yes |
| Elasticsearch | elasticsearch-instance-enabled-data-node-encryption | None | No |
| Elasticsearch | elasticsearch-instance-enabled-public-check | None | Yes |
| Elasticsearch | elasticsearch-public-and-any-ip-access-check | None | No |
| Elasticsearch | elasticsearch-instance-multi-zone | None | No |
| Elasticsearch | elasticsearch-instance-node-not-use-specified-spec | None | No |
| Elasticsearch | elasticsearch-instance-snapshot-enabled | None | No |
| Elasticsearch | elasticsearch-instance-used-https-protocol | None | No |
| Elasticsearch | elasticsearch-instance-version-not-deprecated | None | No |
| Cloud Firewall (CFW) | cloud-fire-wall-all-asset-open | None | No |
| Cloud Firewall (CFW) | cloud-fire-wall-no-matched-control-policy | None | No |
| Cloud Firewall (CFW) | cloud-fire-wall-has-matched-control-policy | None | No |
| Simple Log Service | sls-logstore-enabled-encrypt | None | No |
| Simple Log Service | sls-logstore-hot-ttl-check | None | No |
| ApsaraDB for OceanBase | oceanbase-instance-enabled-ssl | None | No |
| ApsaraDB for OceanBase | oceanbase-tenant-security-ip-check | None | No |
| ApsaraDB for OceanBase | oceanbase-tenant-enabled-encryption | None | No |
| ApsaraDB for OceanBase | oceanbase-instance-enabled-backup | None | No |
| ApsaraDB for OceanBase | oceanbase-instance-enabled-sql-diagnosis | None | No |
| ApsaraDB for OceanBase | oceanbase-public-and-any-ip-access-check | None | No |
| Container Registry | cr-repository-type-private | None | Yes |
| Container Registry | cr-repository-immutablity-enable | None | No |
| Container Registry | cr-instance-any-ip-access-check | None | No |
| Container Registry | cr-instance-public-access-check | None | No |
| Container Registry | cr-instance-idle-check | None | No |
| Container Registry | cr-repository-tag-expired-check | None | No |
| Tablestore | ots-instance-network-not-normal | None | Yes |
| Tablestore | ots-instance-all-table-encrypted | None | No |
| Application Load Balancer (ALB) | alb-delete-protection-enabled | None | No |
| Application Load Balancer (ALB) | alb-address-type-check | None | No |
| Application Load Balancer (ALB) | alb-all-listener-enabled-acl | None | No |
| Application Load Balancer (ALB) | alb-acl-public-access-check | None | No |
| Application Load Balancer (ALB) | alb-acl-no-has-specified-ip | None | No |
| Application Load Balancer (ALB) | alb-acl-has-specified-ip | None | No |
| Application Load Balancer (ALB) | alb-instance-multi-zone | None | No |
| Application Load Balancer (ALB) | alb-server-group-multi-server | None | No |
| Application Load Balancer (ALB) | alb-all-listener-health-check-enabled | None | No |
| Application Load Balancer (ALB) | alb-all-listener-has-server | None | No |
| Application Load Balancer (ALB) | alb-instance-idle-check | None | No |
| Application Load Balancer (ALB) | alb-server-group-multi-zone | None | No |
| Alibaba Cloud DNS | alidns-domain-regex-match | None | No |
| Microservices Engine (MSE) | mse-cluster-config-auth-enabled | None | No |
| Microservices Engine (MSE) | mse-cluster-internet-check | None | No |
| AnalyticDB for MySQL | adb-public-access-check | None | No |
| AnalyticDB for MySQL | adb-cluster-maintain-time-check | None | No |
| AnalyticDB for MySQL | adb-cluster-audit-log-enabled | None | No |
| AnalyticDB for MySQL | adb-cluster-log-backup-enabled | None | No |
| AnalyticDB for MySQL | adb-cluster-expired-check | None | No |
| Lindorm | tsdb-instance-public-access-check | None | No |
| Lindorm | tsdb-instance-security-ip-check | None | No |
| CloudMonitor | cms-created-rule-for-specified-product | None | No |
| ApsaraMQ for Kafka | kafka-instance-public-access-check | None | No |
| ApsaraMQ for Kafka | ons-instance-type-check | None | No |
| Auto Scaling | ess-scaling-configuration-attach-security-group | None | No |
| Auto Scaling | ess-scaling-configuration-data-disk-encrypted | None | No |
| Auto Scaling | ess-scaling-configuration-system-disk-encrypted | None | No |
| Auto Scaling | ess-scaling-configuration-image-type-check | None | No |
| VPN Gateway | vpn-gateway-disable | None | No |
| VPN Gateway | vpn-ipsec-connection-encrypt-enable | None | No |
| VPN Gateway | vpn-gateway-idle-check | None | No |
| VPN Gateway | vpn-gateway-status-check | None | No |
| Anti-DDoS | ddoscoo-instance-expired-check | None | No |
| Data Transmission Service (DTS) | dts-instance-migration-job-ssl-enabled | None | No |
| Data Transmission Service (DTS) | dts-instance-subscribe-job-ssl-enabled | None | No |
| Data Transmission Service (DTS) | dts-instance-sync-job-ssl-enabled | None | No |
| Elastic Container Instance | eci-container-group-volumn-mounts | None | No |
| MaxCompute | maxcompute-project-encryption-enabled | None | No |

Note: For the Tag rules, for information about the Alibaba Cloud services that support tags, see Services that work with Tag.