This topic describes the managed rules that are provided in the RMiTComplianceCheck compliance package template.

| Rule name | Description |
| --- | --- |
| actiontrail-trail-intact-enabled | If an active trail exists in ActionTrail and the events of all types that are generated in all regions are tracked, the evaluation result is compliant. |
| actiontrail-enabled | If at least one active trail exists in ActionTrail, the evaluation result is compliant. |
| oss-encryption-byok-check | If each Object Storage Service (OSS) bucket is encrypted by using the specified customer master key (CMK) that is managed by Key Management Service (KMS), the evaluation result is compliant. |
| ecs-disk-auto-snapshot-policy | If an automatic snapshot policy is specified for each Elastic Compute Service (ECS) data disk, the evaluation result is compliant. |
| ecs-disk-encrypted | If encryption is enabled for each ECS data disk, the evaluation result is compliant. |
| ecs-instance-no-public-ip | If no public IPv4 address is associated with each ECS instance, the evaluation result is compliant. |
| ecs-instances-in-vpc | If the vpcIds parameter is not specified, the rule checks whether the network type of each ECS instance is VPC. If the vpcIds parameter is specified, the rule checks whether each ECS instance resides in one of the specified VPCs. If the check passes, the evaluation result is compliant. |
| slb-aliyun-certificate-required | If each Server Load Balancer (SLB) instance uses certificates that are issued by Alibaba Cloud, the evaluation result is compliant. |
| slb-server-certificate-expired | If the certificates used by each SLB instance have not expired, the evaluation result is compliant. |
| slb-delete-protection-enabled | If the release protection feature is enabled for each SLB instance, the evaluation result is compliant. |
| slb-listener-https-enabled | If the listeners of each SLB instance on ports 80 and 8080 use HTTPS, the evaluation result is compliant. |
| ram-group-has-member-check | If each RAM user group contains one or more RAM users, the evaluation result is compliant. |
| ram-password-policy-check | If the password policy that applies to RAM users meets the specified values, the evaluation result is compliant. |
| ram-policy-no-statements-with-admin-access-check | If no policy attached to a RAM user, RAM user group, or RAM role has the Action parameter set to * (which grants super administrator permissions), the evaluation result is compliant. |
| root-ak-check | If no AccessKey pair exists for the Alibaba Cloud account (the root account), the evaluation result is compliant. |
| ram-user-group-membership-check | If each RAM user belongs to a RAM user group, the evaluation result is compliant. |
| ram-user-mfa-check | If multi-factor authentication (MFA) is enabled for each RAM user, the evaluation result is compliant. |
| ram-user-no-policy-check | If no policies are directly attached to each RAM user, the evaluation result is compliant. |
| ram-user-last-login-expired-check | If each RAM user has logged on at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the rule checks the update time of the user instead: if the last update time is not more than 90 days before the current time, the evaluation result is compliant. |
| rds-public-access-check | If 0.0.0.0/0 is not in the IP address whitelist of each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-event-log-enabled | If the event history feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
| rds-multi-az-support | If each ApsaraDB RDS instance is deployed across multiple zones, the evaluation result is compliant. |
| rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
| oss-bucket-logging-enabled | If logging is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-bucket-anonymous-prohibited | If the access control list (ACL) of each OSS bucket is private and the bucket policy grants no read or write permissions to anonymous users, the evaluation result is compliant. |
| oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant. |
| oss-default-encryption-kms | If server-side encryption with KMS-managed keys is enabled as the default encryption of each OSS bucket, the evaluation result is compliant. |
| oss-bucket-versioning-enabled | If the versioning feature is enabled for each OSS bucket, the evaluation result is compliant. |
| vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the evaluation result is compliant. |
| vpn-ipsec-connection-status-check | If each IPsec-VPN connection is in the established state, the evaluation result is compliant. |
| waf-instance-logging-enabled | If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF), the evaluation result is compliant. |
| oss-bucket-only-https-enabled | If the bucket policy of each OSS bucket allows HTTPS requests and denies HTTP requests, the evaluation result is compliant. |
| sg-public-access-check | If no inbound rule of each security group has the authorization policy set to Allow, the port range set to -1/-1, and the authorized IP address set to 0.0.0.0/0 at the same time, the evaluation result is compliant. A rule that combines all three settings opens every port to the Internet and makes the security group non-compliant. |
| kms-key-rotation-enabled | If automatic rotation is enabled for each CMK managed by KMS, the evaluation result is compliant. |
| elasticsearch-instance-in-vpc | If the vpcIds parameter is not specified, the rule checks whether the network type of each Elasticsearch instance is VPC. If the vpcIds parameter is specified, the rule checks whether each Elasticsearch instance resides in one of the specified VPCs. If the check passes, the evaluation result is compliant. |
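The descriptions above state what each rule evaluates but not the edge cases that decide a verdict: a security group that exposes a single port to 0.0.0.0/0 is not what sg-public-access-check flags, a service-scoped wildcard such as ecs:* is not the bare * that ram-policy-no-statements-with-admin-access-check looks for, and ram-user-last-login-expired-check consults the update time only when no logon record exists at all. The following added example re-implements the evaluation logic of those three rules locally over constructed resource descriptions. It is not Cloud Config code and not Alibaba Cloud's implementation; the field names (Permissions, Policy, PortRange, SourceCidrIp, LastLoginDate, UpdateDate) mirror the ECS and RAM API responses but are assumptions here, and the sample resources are constructed for the example.

```python
# Added example: local re-implementation of three managed-rule checks.
# Not Alibaba Cloud Config code; field names are assumed to follow the
# ECS DescribeSecurityGroupAttribute and RAM GetUser response shapes.
import json
from datetime import datetime, timedelta, timezone

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def _as_list(value):
    """RAM policy fields such as Action and Statement may be a string/dict or a list."""
    return value if isinstance(value, list) else [value]


def check_sg_public_access(security_group):
    """sg-public-access-check: NON_COMPLIANT only when a single inbound rule
    combines Allow (Policy=Accept), PortRange -1/-1 and SourceCidrIp 0.0.0.0/0.
    A rule that opens one port to 0.0.0.0/0 is not flagged by this rule."""
    for rule in security_group["Permissions"]:
        if (rule.get("Direction") == "ingress"
                and rule.get("Policy") == "Accept"
                and rule.get("PortRange") == "-1/-1"
                and rule.get("SourceCidrIp") == "0.0.0.0/0"):
            return NON_COMPLIANT
    return COMPLIANT


def check_policy_no_admin_access(policy_document):
    """ram-policy-no-statements-with-admin-access-check: NON_COMPLIANT when an
    Allow statement lists the bare wildcard "*" as an Action. "ecs:*" is not "*".
    Assumption: Deny statements are ignored, since they grant nothing."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", [])):
            return NON_COMPLIANT
    return COMPLIANT


def _parse_ts(value):
    """RAM timestamps are assumed to look like 2024-05-20T09:15:00Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_user_last_login(user, now, max_days=90):
    """ram-user-last-login-expired-check: use LastLoginDate when present; only a
    user with no logon record at all falls back to UpdateDate. COMPLIANT when the
    chosen timestamp is within max_days of now."""
    stamp = user.get("LastLoginDate") or user.get("UpdateDate")
    if not stamp:
        return NON_COMPLIANT
    return COMPLIANT if now - _parse_ts(stamp) <= timedelta(days=max_days) else NON_COMPLIANT


# Constructed sample resources (not real account data).
SG_OPEN = {"SecurityGroupId": "sg-example-open", "Permissions": [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"}]}
SG_WEB = {"SecurityGroupId": "sg-example-web", "Permissions": [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},      # one port, not all
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8"}]}      # all ports, private source

ADMIN_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
ECS_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]})

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACTIVE_USER = {"UserName": "alice", "LastLoginDate": "2024-05-20T09:15:00Z",
               "UpdateDate": "2023-01-01T00:00:00Z"}
# Stale logon: a recent UpdateDate does not rescue a user who has a logon record.
STALE_USER = {"UserName": "bob", "LastLoginDate": "2024-01-15T09:15:00Z",
              "UpdateDate": "2024-05-30T00:00:00Z"}
# Never logged on: UpdateDate is used instead.
NEW_USER = {"UserName": "carol", "UpdateDate": "2024-05-30T00:00:00Z"}


if __name__ == "__main__":
    for sg in (SG_OPEN, SG_WEB):
        print("sg-public-access-check", sg["SecurityGroupId"], check_sg_public_access(sg))
    for name, pol in (("admin", ADMIN_POLICY), ("ecs-only", ECS_POLICY)):
        print("ram-policy-no-statements-with-admin-access-check", name, check_policy_no_admin_access(pol))
    for user in (ACTIVE_USER, STALE_USER, NEW_USER):
        print("ram-user-last-login-expired-check", user["UserName"], check_user_last_login(user, NOW))
```

Running the script prints NON_COMPLIANT for sg-example-open and the admin policy, COMPLIANT for sg-example-web and the ECS-scoped policy, COMPLIANT for alice and carol, and NON_COMPLIANT for bob. The last case is the one worth remembering when tuning the rule: an account that has been touched recently but not logged on in 90 days is still reported, because the update time is only a fallback for users with no logon history.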