Managed rules - Cloud Config - Alibaba Cloud Documentation Center

Cloud Config provides various managed rules. You can create a rule based on a managed rule.

If you want to use other managed rules, submit a ticket. If the requested rules are appropriate, Alibaba Cloud will support them and implement the rules with universal applicability as managed rules.

The following table describes the managed rules provided by Cloud Config.


Alibaba Cloud service	Managed rule	Name of the supported OOS template for automatic remediation
CDN	cdn-domain-https-enabled	ACS-CDN-SetDomainServerCertificate
	cdn-domain-enabled-cache	N/A
	cdn-domain-oss-source-check	N/A
ActionTrail	actiontrail-enabled	N/A
ActionTrail	actiontrail-trail-intact-enabled	N/A
Elastic Compute Service (ECS)	ecs-disk-encrypted	N/A
	ecs-instance-expired-check	N/A
	ecs-instances-in-vpc	N/A
	ecs-cpu-min-count-limit	N/A
	ecs-desired-instance-type	N/A
	ecs-gpu-min-count-limit	N/A
	ecs-memory-min-size-limit	N/A
	ecs-disk-in-use	N/A
	ecs-instance-no-public-ip	N/A
	eip-attached	N/A
	ecs-instance-imageId-check	N/A
	ecs-instance-attached-security-group	N/A
	ecs-instance-deletion-protection-enabled	ACS-ECS-BulkyEnableDeletionProtection
	ecs-command-exclude-sensitive-content	N/A
	ecs-instance-status-no-stopped	N/A
	sg-public-access-check	N/A
	sg-risky-ports-check	N/A
	ecs-instance-no-lock	N/A
	ess-group-health-check	N/A
	ecs-disk-auto-snapshot-policy	N/A
	ecs-disk-no-lock	N/A
	ecs-disk-retain-auto-snapshot	N/A
	ecs-snapshot-retention-days	N/A
	ecs-instance-chargetype-check	N/A
	ecs-security-group-not-used	N/A
	ecs-instance-login-use-keypair	N/A
	ecs-internet-charge-type-check	N/A
	ecs-internetmaxbandwidth-check	N/A
	ecs-instance-running-process-check	N/A
	ecs-instance-installed-software-check	N/A
	ecs-available-disk-encrypted	N/A
	ecs-in-use-disk-encrypted	N/A
	ecs-instance-image-type-check	N/A
	ecs-system-disk-encrypted	N/A
	ecs-instance-auto-renewal-enabled	N/A
	ecs-system-disk-size-check	N/A
	ecs-instance-enabled-security-protection	N/A
	ecs-security-group-description-check	N/A
	ecs-instance-updated-security-vul	N/A
	ecs-instance-monitor-enabled	N/A
	ecs-instance-meta-data-mode-check	N/A
	ecs-security-group-not-open-all-port	N/A
	ecs-security-group-not-open-all-protocol	N/A
	ecs-security-group-not-internet-cidr-access	N/A
	ecs-security-group-egress-not-all-access	N/A
	ecs-security-group-white-list-port-check	N/A
Dedicated Host	ddh-cpu-min-count-limit	N/A
	ddh-memory-min-size-limit	N/A
	ddh-socket-min-count-limit	N/A
Elastic IP Address (EIP)	eip-bandwidth-limit	N/A
Elastic IP Address (EIP)	eip-address-expired-check	N/A
ApsaraDB RDS	rds-min-maxiops-limit	N/A
	rds-desired-instance-type	N/A
	rds-instances-in-vpc	N/A
	rds-memory-min-size-limit	N/A
	rds-cpu-min-count-limit	N/A
	rds-instance-storage-min-size-limit	N/A
	rds-high-availability-category	N/A
	rds-multi-az-support	N/A
	rds-public-access-check	ACS-RDS-ReleaseInstancePublicConnection
	rds-instance-enabled-ssl	N/A
	rds-instance-enabled-tde	N/A
	rds-instance-enabled-security-ip-list	ACS-RDS-BulkyModifySecurityIpsByInstanceIPArray
	rds-dbinstance-nettype-intranet-limit	N/A
	rds-connectionmode-safe-enabled	N/A
	rds-instance-enabled-auditing	ACS-RDS-BulkyModifySQLCollectorPolicy
	rds-instance-sql-collector-retention	ACS-RDS-BulkyModifySQLCollectorRetention
	rds-postgresql-parameter-log-connections	N/A
	rds-postgresql-parameter-log-disconnections	N/A
	rds-postgresql-parameter-log-duration	N/A
	rds-event-log-enabled	ACS-RDS-BulkyModifyActionEventPolicy
	rds-instance-expired-check	N/A
	rds-instance-enabled-log-backup	N/A
	rds-instance-enabled-disk-encryption	N/A
	rds-instance-enabled-byok-tde	N/A
	rds-instacne-delete-protection-enabled	N/A
	rds-account-managed-by-kms	None
ApsaraDB for Redis	redis-min-qps-limit	N/A
	redis-min-bandwidth-limit	N/A
	redis-min-capacity-limit	N/A
	redis-instance-in-vpc	N/A
	redis-public-access-check	ACS-Redis-BulkyDeleteSecurityIpFromInstanceIPArray
	redis-architecturetype-cluster-check	N/A
	redis-instance-release-protection	N/A
	redis-instance-disable-risk-commands	ACS-Redis-BulkyModifyInstanceConfig
	redis-instance-expired-check	N/A
	redis-instance-enabled-audit-log	ACS-REDIS-BulkyModifyAuditLogConfig
	redis-instance-audit-log-retention	ACS-REDIS-BulkyModifyAuditLogConfig
	redis-instance-enabled-tde	N/A
	redis-instance-open-auth-mode	N/A
	redis-instance-multi-zone	N/A
	redis-instance-no-public-ip	ACS-Redis-ReleaseInstancePublicConnection
	redis-instance-enabled-ssl	N/A
	redis-instance-enabled-byok-tde	N/A
	redis-instance-double-node-type	N/A
ApsaraDB for MongoDB	mongodb-instance-in-vpc	N/A
	mongodb-public-access-check	N/A
	mongodb-min-maxiops-limit	N/A
	mongodb-min-maxconnections-limit	N/A
	mongodb-instance-release-protection	N/A
	mongodb-instance-lock-mode	N/A
	mongodb-instance-log-audit	N/A
PolarDB	polardb-dbcluster-in-vpc	N/A
	polardb-public-access-check	N/A
	polardb-cluster-enabled-tde	N/A
	polardb-cluster-enabled-ssl	N/A
Object Storage Service (OSS)	oss-bucket-public-read-prohibited	ACS-OSS-PutBucketAcl
	oss-bucket-public-write-prohibited	ACS-OSS-PutBucketAcl
	oss-zrs-enabled	N/A
	oss-bucket-versioning-enabled	N/A
	oss-bucket-logging-enabled	N/A
	oss-default-encryption-kms	N/A
	oss-bucket-server-side-encryption-enabled	ACS-OSS-PutBucketEncryption
	oss-bucket-name-regex-match	N/A
	oss-bucket-referer-enabled	N/A
	oss-bucket-referer-limit	ACS-OSS-PutBucketReferer
	oss-bucket-anonymous-prohibited	N/A
	oss-bucket-only-https-enabled	N/A
	oss-bucket-authorize-specified-ip	N/A
	oss-bucket-policy-no-any-anonymous	N/A
Resource Access Management (RAM)	ram-user-login-check	N/A
	ram-password-policy-check	ACS-RAM-SetPasswordPolicy
	ram-policy-in-use-check	N/A
	ram-risky-policy-user-mfa-check	N/A
	ram-group-has-member-check	N/A
	ram-policy-no-statements-with-admin-access-check	N/A
	ram-user-no-policy-check	N/A
	ram-user-group-membership-check	N/A
	ram-user-last-login-expired-check	N/A
	ram-user-mfa-check	ACS-ECS-BulkyUpdateLoginProfile
	ram-user-ak-create-date-expired-check	N/A
	ram-user-ak-used-expired-check	N/A
	ram-user-invalid-ak-check	N/A
	root-ak-check	N/A
	root-mfa-check	N/A
	root-has-specified-role	N/A
Tag management Note For more information about the Alibaba Cloud services that support tags, see Services that work with Tag.	required-tags	ACS-TAG-TagResources
	required-any-tags	N/A
	contains-tag	N/A
Virtual Private Cloud (VPC)	vpn-ipsec-connection-status-check	N/A
	vpn-ipsec-connection-health-check-open	N/A
	vpc-flow-logs-enabled	N/A.
	vpc-secondary-cidr-route-check	N/A
	vswitch-available-ip-count	N/A
Server Load Balancer (SLB)	slb-loadbalancer-bandwidth-limit	N/A
	slb-acl-public-access-check	N/A
	slb-aliyun-certificate-required	N/A
	slb-listener-https-enabled	N/A
	slb-no-public-ip	N/A
	slb-delete-protection-enabled	ACS-SLB-BulkySetLoadBalancerDeleteProtection
	slb-loadbalancer-in-vpc	N/A
	slb-status-active-check	N/A
	slb-modify-protection-check	ACS-SLB-BulkySetLoadBalancerModificationProtection
	slb-server-certificate-expired	N/A
	slb-instance-expired-check	N/A
	slb-instance-autorenewal-check	N/A
	slb-instance-loadbalancerspec-check	N/A
	slb-backendserver-weight-check	N/A
	slb-acl-has-specified-ip	N/A
	slb-listener-risk-ports-check	N/A
	slb-acl-no-has-specified-ip	N/A
	slb-instance-spec-check	N/A
	slb-all-listener-enabled-acl	N/A
Resource Management	resource-region-limit	N/A
Resource Management	resources-inherit-tags-from-resource-group	ACS-TAG-TagResourcesIgnoreCaseSensitive
Container Service for Kubernetes (ACK)	ack-cluster-public-endpoint-check	N/A
	ack-cluster-deletion-protection-enabled	N/A
	ack-cluster-network-type-check	N/A
	ack-cluster-node-monitorenabled	N/A
Security Center (SAS)	security-center-version-check	N/A
Security Center (SAS)	security-center-notice-config-check	N/A
ApsaraDB for HBase	hbase-cluster-type-check	N/A
	hbase-cluster-in-vpc	N/A
	hbase-cluster-ha-check	N/A
	hbase-cluster-deletion-protection	N/A
	hbase-cluster-expired-check	N/A
Web Application Firewall (WAF)	waf-instance-logging-enabled	ACS-WAF-BulkyModifyLogServiceStatus
	waf-domain-enabled-specified-protection-module	N/A
	waf-domain-enabled-specified-protection-mode	N/A
	api-gateway-group-domain-access-waf	N/A
Key Management Service (KMS)	kms-key-delete-protection-enabled	ACS-KMS-BulkySetDeletionProtection
	kms-key-rotation-enabled	ACS-KMS-BulkyUpdateRotationPolicy
	kms-secret-rotation-enabled	N/A
	kms-key-state-not-pending-deletion	N/A
NAT Gateway	nat-risk-ports-check	ACS-VPC-BulkyDeleteForwardEntry
	natgateway-delete-protection-enabled	N/A
	internet-nat-gateway-in-specified-vpc	N/A
	intranet-nat-gateway-in-specified-vpc	N/A
	not-use-specified-type-nat-gateway	N/A
Apsara File Storage NAS	nas-filesystem-status-check	N/A
	nas-filesystem-encrypt-type-check	N/A
	nas-access-group-public-access-check	N/A
Cloud Enterprise Network (CEN)	cen-bandwidth-package-expired-check	N/A
	cen-cross-region-bandwidth-check	N/A
	cen-all-vbr-health-check-enabled	N/A
EIP Bandwidth Plan	cbwp-bandwidth-package-expired-check	N/A
Bastionhost (BH)	bastionhost-instance-expired-check	N/A
API Gateway	api-gateway-api-visibility-private	N/A
	api-gateway-api-internet-request-https	ACS-ApiGateway-BulkyModifyApiGroupNetworkPolicy
	api-gateway-group-https-policy-check	N/A
	api-gateway-group-bind-domain	N/A
	api-gateway-group-enabled-ssl	N/A
	api-gateway-api-auth-jwt	N/A
	api-gateway-api-auth-required	N/A
Function Compute	fc-service-vpc-binding	N/A
Function Compute	fc-trigger-http-not-anonymous	N/A
Elasticsearch	elasticsearch-instance-in-vpc	N/A
Cloud Firewall (CFW)	cloud-fire-wall-all-asset-open	N/A
	cloud-fire-wall-no-matched-control-policy	N/A
	cloud-fire-wall-has-matched-control-policy	N/A
Log Service	sls-logstore-enabled-encrypt	N/A
ApsaraDB for OceanBase	oceanbase-instance-enabled-ssl	N/A
	oceanbase-tenant-security-ip-check	N/A
	oceanbase-tenant-enabled-encryption	N/A
	oceanbase-instance-enabled-backup	N/A
	oceanbase-instance-enabled-sql-diagnosis	N/A
Container Registry	cr-repository-type-private	N/A
Tablestore (OTS)	ots-instance-network-not-normal	N/A
Application Load Balancer (ALB)	alb-delete-protection-enabled	N/A
Application Load Balancer (ALB)	alb-address-type-check	N/A