Compute Nest:Review standards for publishing services

Your service is created. For more information, see Create a private service, Create a fully managed service, or Create a hosted O&M service.

The service that you want to publish is tested. A service instance can be deployed, and the deployment duration meets your requirements. For more information, see Test a service.

The service is independently developed by you, or you are authorized by the service developer to publish the service in Compute Nest.

The service follows the guidelines described in this topic, such as Compute Nest Terms of Service.

Review standards for service information

• The name, icon, and description of a service cannot contain prohibited or sensitive content such as suspected violence, blood, politics, religion, discrimination, pornography, or infringement of personal privacy.

• You understand and agree that the state secrets of the People's Republic of China are protected by law and you are obliged to keep such information secret. Your service information must comply with the requirements of relevant confidentiality laws and regulations, and cannot endanger the security of the state secrets of the People's Republic of China.

Review standards for the input parameters of templates

• The input parameters of templates cannot contain the Alibaba Cloud credentials of your customers, such as passwords, public keys, private keys, or certificates.

• Do not set default values for the parameters of remote services, such as CIDR blocks, IP addresses, or database passwords. These parameters must be provided by your customers as input parameters. Such sensitive content must be entered in no echo mode and by using stricter regular expressions. Other content can be entered in regular ways with the help of relevant documents.

Review standards for the network and security parameters of templates

• The default SSH port 22 or Remote Desktop Protocol (RDP) port 3389 cannot be enabled for 0.0.0.0/0. For more information, see ECS instance security.

• Private services cannot use Alibaba Cloud resources in the classic network.

• The principle of least privilege must be applied to the permissions of Resource Access Management (RAM) roles and policies. In principle, trust relationships can be established only with Alibaba Cloud services. For more information about how to use a RAM role attached to an instance, see Instance RAM roles.

Review standards for images and deliverables

• Images cannot contain system software with vulnerabilities. Use the scan feature of Security Center to scan images for vulnerabilities.

• We recommend that you use AccessKey pairs instead of passwords to authenticate user identities for access to Elastic Compute Service (ECS) instances.

• Images cannot contain credentials such as passwords, authentication keys, AccessKey pairs, or security keys for any reason.

• Images cannot request for permissions to access Alibaba Cloud resources from your customers or use keys to access Alibaba Cloud resources.

• Linux-based images cannot allow SSH password authentication. Set the PasswordAuthentication parameter to no in the sshd_config file to disable password authentication.

Review standards for data security

You must take appropriate security measures to make sure that the collected user data is properly handled in compliance with Compute Nest Terms of Service and the legal requirements described in this topic. This prevents such data from being used, disclosed, or accessed by third parties without authorization.

Service completion

A service submitted to Alibaba Cloud for review must be the final version of the service. This ensures that your customers can purchase and obtain complete and available services. Before you submit a service for review, make sure that the service deployment process has been tested for stability. Incomplete services and services that may cause obvious errors are rejected.

Accurate metadata

The information about a service must accurately reflect the core content of the service. This helps your customers accurately understand the services that they purchase and obtain. When you update the version of a service, update the service information at the same time to ensure that the service information matches the latest version. Do not include hidden, hibernated, or unrecorded features in your services. The features included in your services must be visible.

Deployment time configurations

When you create a service, you can specify the estimated deployment duration and the deployment timeout period. The estimated deployment duration informs your customers of the estimated amount of time required to deploy a service instance. The deployment timeout period specifies the timeout period that is allowed to deploy a service instance. If the deployment duration on the customer side exceeds the specified timeout period, the service instance fails to be deployed.

Service stability

Your services must remain stable, even during the update process. The normal use of your services cannot be affected during the update process.

Service information specifications

• Your service information must be complete and provided in both Chinese and English.

• The service description must contain the limits and applicable and inapplicable scenarios of a service.

Parameter set specifications

When you create a service, you can specify parameters in different parameter sets to simplify parameter settings for your customers. After you define the parameters that customers need to set in a template, select the parameters to be included in parameter sets from the defined template parameters and set the default values of the parameters in each parameter set.

Template content specifications

• Before you specify a template for a service, you must create the template. For more information, see Create and verify a ROS template.

• The description of template parameters must be provided in both Chinese and English.

Data collection and storage regulations

• Authorization: Before you collect user data, you must obtain permissions from your customers. Paid features cannot rely on access permissions on user data or request for such permissions from your customers. You must take appropriate security measures to properly handle the collected user data and prevent such data from being used, disclosed, or accessed by third parties without authorization.

• Access permissions: You must request access permissions on user data in compliance with the purchase agreement reached with your customers. Such data includes user contact information and user data to be obtained for hosted O&M.

Data use and sharing regulations

• Unless otherwise permitted by law, you are allowed to use, transmit, or share user personal data only with the consent of your customers. You must provide relevant information on how and where to use such data. If your services share user data without the consent of your customers or in violation of data privacy protection laws, your services may be unpublished and you may be removed from Compute Nest Service Provider Program.

• Unless otherwise expressly permitted by law, the data collected for one purpose cannot be used for other purposes without the additional consent of your customers.

Intellectual property regulations

• You own the intellectual property rights of your brand, logo, services published in Compute Nest, various information published in Compute Nest, and derivative works. You agree to grant a license to Compute Nest free of charge, so that Compute Nest has all or part of the rights to use, copy, reprint, execute, and display your brand, logo, and various information published in Compute Nest.

• You must guarantee that you own the legal intellectual property rights of your services published in Compute Nest, including copyright, patent rights, and trademark rights, or you have obtained legal and sufficient authorization. You must bear all legal responsibilities and risks regarding the legality of these intellectual property rights. Compute Nest has the right to request you to provide relevant evidentiary materials for verification at any time. You must make sure that your services do not infringe on the legal rights or interests of any third party.

Duration: Alibaba Cloud will check your service at the earliest opportunity and complete the review within three business days. If your service is complex or involves new issues, Alibaba Cloud may need more time to further review and consider your service.

Status update: You can check the review status of your service on the Review Requests tab of the service details page in the Compute Nest console.

Publish date: After your service passes the review, you need to publish the service in the Compute Nest console. Then, you need to create a product in Alibaba Cloud Marketplace, associate your service with the product, and then publish the associated product. Therefore, you can control the publish date by yourself.

Rejection: If your service review application is rejected but you have questions or want to provide other information, directly communicate with your Alibaba Cloud account manager or contact Alibaba Cloud after-sales engineers.