Cloud Config provides various managed rules. You can create a rule based on a managed rule.

If you need a managed rule that is not listed here, submit a ticket. If the requested rule is appropriate, Alibaba Cloud will support it, and rules with universal applicability are implemented as managed rules.

The following table describes the managed rules provided by Cloud Config.
| Alibaba Cloud service | Managed rule | Name of the supported OOS template for automatic remediation |
| --- | --- | --- |
| CDN | cdn-domain-https-enabled | ACS-CDN-SetDomainServerCertificate |
| | cdn-domain-enabled-cache | N/A |
| | cdn-domain-oss-source-check | N/A |
| ActionTrail | actiontrail-enabled | N/A |
| | actiontrail-trail-intact-enabled | N/A |
| Elastic Compute Service (ECS) | ecs-disk-encrypted | N/A |
| | ecs-instance-expired-check | N/A |
| | ecs-instances-in-vpc | N/A |
| | ecs-cpu-min-count-limit | N/A |
| | ecs-desired-instance-type | N/A |
| | ecs-gpu-min-count-limit | N/A |
| | ecs-memory-min-size-limit | N/A |
| | ecs-disk-in-use | N/A |
| | ecs-instance-no-public-ip | N/A |
| | eip-attached | N/A |
| | ecs-instance-imageId-check | N/A |
| | ecs-instance-attached-security-group | N/A |
| | ecs-instance-deletion-protection-enabled | ACS-ECS-BulkyEnableDeletionProtection |
| | ecs-command-exclude-sensitive-content | N/A |
| | ecs-instance-status-no-stopped | N/A |
| | sg-public-access-check | N/A |
| | sg-risky-ports-check | N/A |
| | ecs-instance-no-lock | N/A |
| | ess-group-health-check | N/A |
| | ecs-disk-auto-snapshot-policy | N/A |
| | ecs-disk-no-lock | N/A |
| | ecs-disk-retain-auto-snapshot | N/A |
| | ecs-snapshot-retention-days | N/A |
| | ecs-instance-chargetype-check | N/A |
| | ecs-security-group-not-used | N/A |
| | ecs-instance-login-use-keypair | N/A |
| | ecs-internet-charge-type-check | N/A |
| | ecs-internetmaxbandwidth-check | N/A |
| | ecs-instance-running-process-check | N/A |
| | ecs-instance-installed-software-check | N/A |
| | ecs-available-disk-encrypted | N/A |
| | ecs-in-use-disk-encrypted | N/A |
| | ecs-instance-image-type-check | N/A |
| | ecs-system-disk-encrypted | N/A |
| | ecs-instance-auto-renewal-enabled | N/A |
| | ecs-system-disk-size-check | N/A |
| | ecs-instance-enabled-security-protection | N/A |
| | ecs-security-group-description-check | N/A |
| | ecs-instance-updated-security-vul | N/A |
| | ecs-instance-monitor-enabled | N/A |
| | ecs-instance-meta-data-mode-check | N/A |
| | ecs-security-group-not-open-all-port | N/A |
| | ecs-security-group-not-open-all-protocol | N/A |
| | ecs-security-group-not-internet-cidr-access | N/A |
| | ecs-security-group-egress-not-all-access | N/A |
| | ecs-security-group-white-list-port-check | N/A |
| Dedicated Host | ddh-cpu-min-count-limit | N/A |
| | ddh-memory-min-size-limit | N/A |
| | ddh-socket-min-count-limit | N/A |
| Elastic IP Address (EIP) | eip-bandwidth-limit | N/A |
| | eip-address-expired-check | N/A |
| ApsaraDB RDS | rds-min-maxiops-limit | N/A |
| | rds-desired-instance-type | N/A |
| | rds-instances-in-vpc | N/A |
| | rds-memory-min-size-limit | N/A |
| | rds-cpu-min-count-limit | N/A |
| | rds-instance-storage-min-size-limit | N/A |
| | rds-high-availability-category | N/A |
| | rds-multi-az-support | N/A |
| | rds-public-access-check | ACS-RDS-ReleaseInstancePublicConnection |
| | rds-instance-enabled-ssl | N/A |
| | rds-instance-enabled-tde | N/A |
| | rds-instance-enabled-security-ip-list | ACS-RDS-BulkyModifySecurityIpsByInstanceIPArray |
| | rds-dbinstance-nettype-intranet-limit | N/A |
| | rds-connectionmode-safe-enabled | N/A |
| | rds-instance-enabled-auditing | ACS-RDS-BulkyModifySQLCollectorPolicy |
| | rds-instance-sql-collector-retention | ACS-RDS-BulkyModifySQLCollectorRetention |
| | rds-postgresql-parameter-log-connections | N/A |
| | rds-postgresql-parameter-log-disconnections | N/A |
| | rds-postgresql-parameter-log-duration | N/A |
| | rds-event-log-enabled | ACS-RDS-BulkyModifyActionEventPolicy |
| | rds-instance-expired-check | N/A |
| | rds-instance-enabled-log-backup | N/A |
| | rds-instance-enabled-disk-encryption | N/A |
| | rds-instance-enabled-byok-tde | N/A |
| | rds-instacne-delete-protection-enabled | N/A |
| | rds-account-managed-by-kms | None |
| ApsaraDB for Redis | redis-min-qps-limit | N/A |
| | redis-min-bandwidth-limit | N/A |
| | redis-min-capacity-limit | N/A |
| | redis-instance-in-vpc | N/A |
| | redis-public-access-check | ACS-Redis-BulkyDeleteSecurityIpFromInstanceIPArray |
| | redis-architecturetype-cluster-check | N/A |
| | redis-instance-release-protection | N/A |
| | redis-instance-disable-risk-commands | ACS-Redis-BulkyModifyInstanceConfig |
| | redis-instance-expired-check | N/A |
| | redis-instance-enabled-audit-log | ACS-REDIS-BulkyModifyAuditLogConfig |
| | redis-instance-audit-log-retention | ACS-REDIS-BulkyModifyAuditLogConfig |
| | redis-instance-enabled-tde | N/A |
| | redis-instance-open-auth-mode | N/A |
| | redis-instance-multi-zone | N/A |
| | redis-instance-no-public-ip | ACS-Redis-ReleaseInstancePublicConnection |
| | redis-instance-enabled-ssl | N/A |
| | redis-instance-enabled-byok-tde | N/A |
| | redis-instance-double-node-type | N/A |
| ApsaraDB for MongoDB | mongodb-instance-in-vpc | N/A |
| | mongodb-public-access-check | N/A |
| | mongodb-min-maxiops-limit | N/A |
| | mongodb-min-maxconnections-limit | N/A |
| | mongodb-instance-release-protection | N/A |
| | mongodb-instance-lock-mode | N/A |
| | mongodb-instance-log-audit | N/A |
| PolarDB | polardb-dbcluster-in-vpc | N/A |
| | polardb-public-access-check | N/A |
| | polardb-cluster-enabled-tde | N/A |
| | polardb-cluster-enabled-ssl | N/A |
| Object Storage Service (OSS) | oss-bucket-public-read-prohibited | ACS-OSS-PutBucketAcl |
| | oss-bucket-public-write-prohibited | ACS-OSS-PutBucketAcl |
| | oss-zrs-enabled | N/A |
| | oss-bucket-versioning-enabled | N/A |
| | oss-bucket-logging-enabled | N/A |
| | oss-default-encryption-kms | N/A |
| | oss-bucket-server-side-encryption-enabled | ACS-OSS-PutBucketEncryption |
| | oss-bucket-name-regex-match | N/A |
| | oss-bucket-referer-enabled | N/A |
| | oss-bucket-referer-limit | ACS-OSS-PutBucketReferer |
| | oss-bucket-anonymous-prohibited | N/A |
| | oss-bucket-only-https-enabled | N/A |
| | oss-bucket-authorize-specified-ip | N/A |
| | oss-bucket-policy-no-any-anonymous | N/A |
| Resource Access Management (RAM) | ram-user-login-check | N/A |
| | ram-password-policy-check | ACS-RAM-SetPasswordPolicy |
| | ram-policy-in-use-check | N/A |
| | ram-risky-policy-user-mfa-check | N/A |
| | ram-group-has-member-check | N/A |
| | ram-policy-no-statements-with-admin-access-check | N/A |
| | ram-user-no-policy-check | N/A |
| | ram-user-group-membership-check | N/A |
| | ram-user-last-login-expired-check | N/A |
| | ram-user-mfa-check | ACS-ECS-BulkyUpdateLoginProfile |
| | ram-user-ak-create-date-expired-check | N/A |
| | ram-user-ak-used-expired-check | N/A |
| | ram-user-invalid-ak-check | N/A |
| | root-ak-check | N/A |
| | root-mfa-check | N/A |
| | root-has-specified-role | N/A |
| Tag management (Note: For more information about the Alibaba Cloud services that support tags, see Services that work with Tag.) | required-tags | ACS-TAG-TagResources |
| | required-any-tags | N/A |
| | contains-tag | N/A |
| Virtual Private Cloud (VPC) | vpn-ipsec-connection-status-check | N/A |
| | vpn-ipsec-connection-health-check-open | N/A |
| | vpc-flow-logs-enabled | N/A |
| | vpc-secondary-cidr-route-check | N/A |
| | vswitch-available-ip-count | N/A |
| Server Load Balancer (SLB) | slb-loadbalancer-bandwidth-limit | N/A |
| | slb-acl-public-access-check | N/A |
| | slb-aliyun-certificate-required | N/A |
| | slb-listener-https-enabled | N/A |
| | slb-no-public-ip | N/A |
| | slb-delete-protection-enabled | ACS-SLB-BulkySetLoadBalancerDeleteProtection |
| | slb-loadbalancer-in-vpc | N/A |
| | slb-status-active-check | N/A |
| | slb-modify-protection-check | ACS-SLB-BulkySetLoadBalancerModificationProtection |
| | slb-server-certificate-expired | N/A |
| | slb-instance-expired-check | N/A |
| | slb-instance-autorenewal-check | N/A |
| | slb-instance-loadbalancerspec-check | N/A |
| | slb-backendserver-weight-check | N/A |
| | slb-acl-has-specified-ip | N/A |
| | slb-listener-risk-ports-check | N/A |
| | slb-acl-no-has-specified-ip | N/A |
| | slb-instance-spec-check | N/A |
| | slb-all-listener-enabled-acl | N/A |
| Resource Management | resource-region-limit | N/A |
| | resources-inherit-tags-from-resource-group | ACS-TAG-TagResourcesIgnoreCaseSensitive |
| Container Service for Kubernetes (ACK) | ack-cluster-public-endpoint-check | N/A |
| | ack-cluster-deletion-protection-enabled | N/A |
| | ack-cluster-network-type-check | N/A |
| | ack-cluster-node-monitorenabled | N/A |
| Security Center (SAS) | security-center-version-check | N/A |
| | security-center-notice-config-check | N/A |
| ApsaraDB for HBase | hbase-cluster-type-check | N/A |
| | hbase-cluster-in-vpc | N/A |
| | hbase-cluster-ha-check | N/A |
| | hbase-cluster-deletion-protection | N/A |
| | hbase-cluster-expired-check | N/A |
| Web Application Firewall (WAF) | waf-instance-logging-enabled | ACS-WAF-BulkyModifyLogServiceStatus |
| | waf-domain-enabled-specified-protection-module | N/A |
| | waf-domain-enabled-specified-protection-mode | N/A |
| | api-gateway-group-domain-access-waf | N/A |
| Key Management Service (KMS) | kms-key-delete-protection-enabled | ACS-KMS-BulkySetDeletionProtection |
| | kms-key-rotation-enabled | ACS-KMS-BulkyUpdateRotationPolicy |
| | kms-secret-rotation-enabled | N/A |
| | kms-key-state-not-pending-deletion | N/A |
| NAT Gateway | nat-risk-ports-check | ACS-VPC-BulkyDeleteForwardEntry |
| | natgateway-delete-protection-enabled | N/A |
| | internet-nat-gateway-in-specified-vpc | N/A |
| | intranet-nat-gateway-in-specified-vpc | N/A |
| | not-use-specified-type-nat-gateway | N/A |
| Apsara File Storage NAS | nas-filesystem-status-check | N/A |
| | nas-filesystem-encrypt-type-check | N/A |
| | nas-access-group-public-access-check | N/A |
| Cloud Enterprise Network (CEN) | cen-bandwidth-package-expired-check | N/A |
| | cen-cross-region-bandwidth-check | N/A |
| | cen-all-vbr-health-check-enabled | N/A |
| EIP Bandwidth Plan | cbwp-bandwidth-package-expired-check | N/A |
| Bastionhost (BH) | bastionhost-instance-expired-check | N/A |
| API Gateway | api-gateway-api-visibility-private | N/A |
| | api-gateway-api-internet-request-https | ACS-ApiGateway-BulkyModifyApiGroupNetworkPolicy |
| | api-gateway-group-https-policy-check | N/A |
| | api-gateway-group-bind-domain | N/A |
| | api-gateway-group-enabled-ssl | N/A |
| | api-gateway-api-auth-jwt | N/A |
| | api-gateway-api-auth-required | N/A |
| Function Compute | fc-service-vpc-binding | N/A |
| | fc-trigger-http-not-anonymous | N/A |
| Elasticsearch | elasticsearch-instance-in-vpc | N/A |
| Cloud Firewall (CFW) | cloud-fire-wall-all-asset-open | N/A |
| | cloud-fire-wall-no-matched-control-policy | N/A |
| | cloud-fire-wall-has-matched-control-policy | N/A |
| Log Service | sls-logstore-enabled-encrypt | N/A |
| ApsaraDB for OceanBase | oceanbase-instance-enabled-ssl | N/A |
| | oceanbase-tenant-security-ip-check | N/A |
| | oceanbase-tenant-enabled-encryption | N/A |
| | oceanbase-instance-enabled-backup | N/A |
| | oceanbase-instance-enabled-sql-diagnosis | N/A |
| Container Registry | cr-repository-type-private | N/A |
| Tablestore (OTS) | ots-instance-network-not-normal | N/A |
| Application Load Balancer (ALB) | alb-delete-protection-enabled | N/A |
| | alb-address-type-check | N/A |