
Cloud Config: Rule template list

Last Updated: Dec 19, 2025

When you create a rule in the Cloud Config console, you can use a rule template.

Template description

  • Rule templates are predefined functions in Function Compute that you can use to quickly create rules and audit your resources.

  • The following tables list the rule templates supported by Cloud Config. The templates are grouped by service category and then by Alibaba Cloud service to help you find and use them quickly. Each row gives the rule template name, the OOS template ID that can be used for remediation (if any), and whether the rule supports a dry run.

  • If you need a rule template that is not listed, you can submit a ticket. Alibaba Cloud evaluates all requests and adds new templates for rules that have broad applicability.

Compute

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| ECS | ECS instances use the subscription billing method | None | Yes |
| ECS | Subscription ECS instances are checked for expiration | None | No |
| ECS | Auto-renewal is enabled for subscription ECS instances | None | No |
| ECS | ECS instances are not in the Stopped state | None | No |
| ECS | Stopped pay-as-you-go ECS instances use economical mode | None | No |
| ECS | Pay-as-you-go ECS instances are checked for long-running status | None | No |
| ECS | ECS instances with static public IP addresses use the pay-by-bandwidth billing method | None | No |
| ECS | No idle ECS data disks exist | None | No |
| ECS | Idle disks are detected | None | No |
| ECS | ECS instances are not locked | None | No |
| ECS | Deletion protection is enabled for ECS instances | ACS-ECS-BulkyEnableDeletionProtection | Yes |
| ECS | The number of CPU cores for ECS instances meets the minimum requirement | None | No |
| ECS | The number of GPU cores for ECS instances meets the minimum requirement | None | No |
| ECS | The system disk capacity for a specified operating system type is greater than or equal to a specified value | None | No |
| ECS | Deprecated ECS instance families are not used | None | No |
| ECS | ECS instances use a specified operating system version | None | Yes |
| ECS | ECS instance types meet standard requirements | None | No |
| ECS | ECS instances are deployed in a VPC | None | No |
| ECS | Running ECS instances are in a VPC | ACS-ECS-BulkyStopClassicInstances | No |
| ECS | ECS instances are not associated with public IP addresses | None | Yes |
| ECS | Running ECS instances are not associated with public IP addresses | ACS-ECS-BulkyStopInstancesWithPublicIp | No |
| ECS | The maximum outbound public bandwidth of an ECS instance with a public IP address is less than a specified value | None | No |
| ECS | Security Center protection is enabled for running ECS instances | None | No |
| ECS | ECS instances are in a specified security group | None | Yes |
| ECS | Inbound rules of security groups are valid | None | Yes |
| ECS | Security groups do not open high-risk ports to all CIDR blocks | None | Yes |
| ECS | Security groups do not open high-risk ports to all CIDR blocks for a specified protocol | None | No |
| ECS | Inbound rules of security groups do not allow access from all ports | None | Yes |
| ECS | Inbound rules of security groups do not allow access for all protocols | None | Yes |
| ECS | Outbound rules of security groups are not set to allow all traffic | None | Yes |
| ECS | Inbound rules for ports not on the whitelist are valid | None | Yes |
| ECS | The source IP addresses allowed by inbound security group rules do not include public IP addresses | None | Yes |
| ECS | A security group description is required | None | Yes |
| ECS | Idle security groups are checked | None | No |
| ECS | Enterprise security groups are used | None | No |
| ECS | Public network access is not configured in ECS launch templates | None | No |
| ECS | ECS instances use specified images | None | Yes |
| ECS | The source of ECS instance images meets specified requirements | None | No |
| ECS | ECS instances use images shared by a specified account | None | No |
| ECS | ECS instances use images that are within their validity period | None | No |
| ECS | Images from a specified source are used in ECS launch template versions | None | No |
| ECS | Security groups are specified in ECS launch template versions | None | No |
| ECS | Data disk encryption is configured in ECS launch template versions | None | No |
| ECS | System disk encryption is configured in ECS launch template versions | None | No |
| ECS | An instance RAM role is granted to ECS instances | None | No |
| ECS | ECS instances are not associated with an SSH key pair | None | No |
| ECS | Key pairs are used to log on to Linux hosts | None | Yes |
| ECS | System disk encryption is enabled for ECS instances | None | No |
| ECS | Data disk encryption is enabled for ECS instances | None | Yes |
| ECS | The memory size of ECS instances meets the minimum requirement | None | Yes |
| ECS | Encryption is enabled for ECS data disks that are to be attached | None | No |
| ECS | Encryption is enabled for in-use ECS data disks | None | No |
| ECS | KMS encryption is enabled for ECS disks | None | No |
| ECS | An automatic snapshot policy is configured for ECS disks | None | Yes |
| ECS | A reasonable creation time is set for the automatic snapshot policy | None | No |
| ECS | The retention period of automatic snapshots for ECS instances meets specified requirements | None | No |
| ECS | Automatic snapshots are retained when ECS data disks are released | None | Yes |
| ECS | ECS disks are not locked | None | No |
| ECS | The automatic snapshot policy for ECS disks or the entire-machine backup feature of Cloud Backup is used | None | No |
| ECS | Cross-region replication for automatic snapshots of ECS disks or remote replication for entire-machine backups in Cloud Backup is enabled | None | No |
| ECS | Cross-region replication is enabled for the File Backup repository of an ECS instance | None | No |
| ECS | The data protection score for ECS instance backups is checked | None | No |
| ECS | A process with a specified name runs on an ECS instance | None | No |
| ECS | A process with a specified name is disabled on an ECS instance | None | No |
| ECS | Software with a specified name is installed on an ECS instance | None | No |
| ECS | Running ECS instances have no unpatched vulnerabilities | None | No |
| ECS | The CloudMonitor agent is installed on running ECS instances | None | No |
| ECS | The reinforced mode is enforced for accessing ECS instance metadata | None | No |
| ECS | The content of Cloud Assistant commands is checked | None | No |
| ECS | Brute-force attack protection rules are created for ECS instances | None | No |
| ECS | Simple Log Service is used for centralized business log collection and monitoring | None | No |
| ECS | Application Load Balancer is used to build a high-availability application architecture | None | No |
| ECS | An ECS instance is attached to only one elastic network interface (ENI) | None | No |
| ECS | The number of ECS instances is unbalanced across zones | None | No |
| ECS | Zone-redundant ESSD data disks are used | None | No |
| ECS | The Anti-DDoS protection status for ECS instances is checked | None | No |
| ECS | Idle ECS instances are detected based on CPU utilization | None | No |
| ECS | Idle ECS instances are detected based on memory usage | None | No |
| ECS | Idle ECS instances are detected based on disk usage | None | No |
| ECS | The application checklist for ECS instances is checked | None | No |
| ECS | Health check is enabled for ECS instances in an Auto Scaling group | None | No |
| ECS | Idle ECS instances are detected based on GPU utilization | None | No |
| ECS | Idle ECS instances are detected based on GPU memory usage | None | No |
| ECS | File Backup or self-managed database backup is enabled for ECS instances | None | No |
| ECS | ECS instances are not associated with public IP addresses and do not allow inbound traffic from all IP addresses | None | No |
| Dedicated Host (DDH) | The number of CPU cores for a Dedicated Host meets the minimum requirement | None | No |
| Dedicated Host (DDH) | The memory size of a Dedicated Host meets the minimum requirement | None | No |
| Dedicated Host (DDH) | The number of sockets for a Dedicated Host meets the minimum requirement | None | No |
| Auto Scaling | A security group is associated with instances in an Auto Scaling configuration | None | No |
| Auto Scaling | The security group configured for an ESS scaling group is not set to 0.0.0.0/0 | None | No |
| Auto Scaling | Data disk encryption is configured in an Auto Scaling configuration | None | No |
| Auto Scaling | System disk encryption is configured in an Auto Scaling configuration | None | No |
| Auto Scaling | Images from a specified source are used in an Auto Scaling configuration | None | No |
| Auto Scaling | Images in an Auto Scaling configuration are checked | None | No |
| Auto Scaling | The existence of the Server Load Balancer instance associated with an Auto Scaling group is checked | None | No |
| Function Compute | A Function Compute service is configured to be invoked only from a specified VPC | None | No |
| Function Compute | Public network access is disabled for a Function Compute service | None | No |
| Function Compute | A Function Compute service can be accessed from the Internet and is mapped to a custom domain name | None | No |
| Function Compute | An HTTP trigger for a function is configured to require identity verification | None | No |
| Function Compute | A Function Compute function is mapped to a custom domain name and a specified TLS version is enabled | None | No |
| Function Compute | A Function Compute function is mapped to a custom domain name and a certificate is uploaded | None | No |
| Function Compute | A Function Compute function is mapped to a custom domain name and HTTPS is enabled | None | No |
| Function Compute | Tracing Analysis is enabled for a Function Compute service | None | No |
| Function Compute | The logging feature is enabled for a Function Compute service | None | No |
| Function Compute | A server role is configured for a Function Compute service | None | No |
| Function Compute | Deprecated runtimes are not used in Function Compute | None | No |
| Function Compute | The settings of a function in Function Compute meet specified parameter requirements | None | No |

Containers

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Container Service for Kubernetes | Enable release protection for ACK clusters | None | No |
| Container Service for Kubernetes | Use managed ACK clusters of the Professional Edition | None | No |
| Container Service for Kubernetes | The ACK cluster is running the latest version | None | No |
| Container Service for Kubernetes | Use a supported ACK version | None | No |
| Container Service for Kubernetes | Enable the managed node pool feature for ACK clusters | None | No |
| Container Service for Kubernetes | Enable node autoscaling for ACK node pools | None | No |
| Container Service for Kubernetes | Check the availability of scaling configurations for ACK node pools | None | No |
| Container Service for Kubernetes | Check the availability of security groups for ACK node pools | None | No |
| Container Service for Kubernetes | Check the availability of vSwitches for ACK node pools | None | No |
| Container Service for Kubernetes | Check the availability of scaling groups for ACK node pools | None | No |
| Container Service for Kubernetes | An ACK cluster without an Internet endpoint | None | No |
| Container Service for Kubernetes | Use the Terway network plugin for ACK clusters | None | No |
| Container Service for Kubernetes | Use multi-zone ACS clusters at the region level | None | No |
| Container Service for Kubernetes | Use multi-zone ACK clusters at the region level | None | No |
| Container Service for Kubernetes | Enable the RRSA feature for ACK clusters | None | No |
| Container Service for Kubernetes | Install the ack-ram-authenticator component in ACK clusters for RAM-based request authentication | None | No |
| Container Service for Kubernetes | Enable and configure container security policies for ACK clusters | None | No |
| Container Service for Kubernetes | Configure at-rest encryption for Secrets in ACK clusters | None | No |
| Container Service for Kubernetes | Install the CloudMonitor agent on ACK cluster nodes | None | No |
| Container Service for Kubernetes | Install the CloudMonitor agent on running nodes in ACK clusters | None | No |
| Container Service for Kubernetes | Enable logging for control plane components in ACK clusters | None | No |
| Container Service for Kubernetes | Install the audit log plugin in ACK clusters | None | No |
| Container Service for Kubernetes | Enable the API Server audit feature for ACK clusters | None | No |
| Container Service for Kubernetes | Install the intra-container audit component in ACK clusters to audit executed commands | None | No |
| Container Service for Kubernetes | Check that the number of backend servers for the CoreDNS service is not zero in ACK clusters | None | No |
| Container Service for Kubernetes | Check the number of replicas for CoreDNS in ACK clusters | None | No |
| Container Service for Kubernetes | Check the pod status of CoreDNS in ACK clusters | None | No |
| Container Service for Kubernetes | Check the backend status of the CLB instance for the API Server in ACK clusters | None | No |
| Container Service for Kubernetes | Check that the CLB instance attached to the API Server exists in ACK clusters | None | No |
| Container Service for Kubernetes | Check that the CLB instance attached to the API Server is in the Normal status in ACK clusters | None | No |
| Container Service for Kubernetes | Check that the port listener configuration of the CLB instance attached to the API Server is normal in ACK clusters | None | No |
| Container Service for Kubernetes | Check the availability of APIService in ACK clusters | None | No |
| Container Service for Kubernetes | Check the status of elasticity components in ACK clusters | None | No |
| Container Service for Kubernetes | Install and configure the inspection component in ACK clusters to check for workload security threats | None | No |
| Container Service for Kubernetes | Check for medium-risk threats during ACK cluster inspections | None | No |
| Container Service for Kubernetes | Enable the AIOps-based inspection feature for ACK clusters | None | No |
| Container Service for Kubernetes | Install the cost analysis component in ACK clusters | None | No |
| Container Service for Kubernetes | Check for Kubelet version consistency across ACK cluster nodes | None | No |
| Container Service for Kubernetes | Check for certificate ID consistency for LoadBalancer services in ACK clusters | None | No |
| Container Service for Kubernetes | Check for billing method consistency for LoadBalancer services in ACK clusters | None | No |
| Container Registry (ACR) | Set the image repository type to private in Container Registry | None | Yes |
| Container Registry (ACR) | Image versions in Container Registry are immutable | None | No |
| Container Registry (ACR) | Check the whitelist for Container Registry instances | None | No |
| Container Registry (ACR) | Public network access is disabled for the Container Registry instance | None | No |
| Container Registry (ACR) | Check for idle Container Registry instances | None | No |
| Container Registry (ACR) | Update image versions in image repositories within the specified time | None | No |
| Container Registry (ACR) | Enable security scanning for Container Registry instances | None | No |
| Container Registry (ACR) | Associate Container Registry instances with zone-redundant OSS buckets | None | No |
| Elastic Container Instance | Mount volumes to container groups in ECI instances | None | No |
| Elastic Container Instance | Ensure environment variables for ECI container groups do not contain sensitive information | None | No |
| Elastic Container Instance | Ensure that running ECI instances have no vulnerabilities to be fixed | None | No |
| Elastic Container Instance | Enable Security Center protection for running ECI container groups | None | No |

Storage

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Object Storage Service (OSS) | OSS bucket ACL prohibits public-read access | ACS-OSS-PutBucketAcl | No |
| Object Storage Service (OSS) | OSS bucket ACL prohibits public-read-write access | ACS-OSS-PutBucketAcl | Yes |
| Object Storage Service (OSS) | OSS bucket access policy is configured for secure access | None | No |
| Object Storage Service (OSS) | OSS bucket does not grant permissions to anonymous accounts | None | Yes |
| Object Storage Service (OSS) | Public OSS bucket has an access policy and does not grant permissions to anonymous accounts | None | No |
| Object Storage Service (OSS) | OSS bucket authorization policy is configured with IP address restrictions | None | No |
| Object Storage Service (OSS) | Bucket policy is checked for authorization outside the organization | None | No |
| Object Storage Service (OSS) | Bucket policy does not grant authorization outside the organization | None | No |
| Object Storage Service (OSS) | OSS bucket policy does not contain the authorization specified by parameters | None | No |
| Object Storage Service (OSS) | Server-side encryption with KMS is enabled for the OSS bucket | None | No |
| Object Storage Service (OSS) | Default server-side encryption is enabled for the OSS bucket | ACS-OSS-PutBucketEncryption | Yes |
| Object Storage Service (OSS) | OSS bucket is encrypted using a custom KMS key | None | No |
| Object Storage Service (OSS) | Versioning is enabled for the OSS bucket | ACS-OSS-PutBucketVersioning | No |
| Object Storage Service (OSS) | Zone-redundant storage is enabled for the OSS bucket | ACS-OSS-EnableBucketZRS | No |
| Object Storage Service (OSS) | Cloud Backup is enabled for the OSS bucket | None | No |
| Object Storage Service (OSS) | Cross-region replication is enabled for the OSS bucket | None | No |
| Object Storage Service (OSS) | Cross-region replication is enabled for the OSS bucket backup vault | None | No |
| Object Storage Service (OSS) | Data protection score is checked for OSS bucket backups | None | No |
| Object Storage Service (OSS) | Log storage is enabled for the OSS bucket | ACS-OSS-BulkyPutBucketLogging | Yes |
| Object Storage Service (OSS) | Prefix matching for log storage is enabled for the OSS bucket | None | Yes |
| Object Storage Service (OSS) | Real-time logging is enabled for Object Storage Service | None | No |
| Object Storage Service (OSS) | Delivery of OOS execution records is configured for the specified region | None | No |
| Object Storage Service (OSS) | Hotlink protection is enabled for the OSS bucket | None | No |
| Object Storage Service (OSS) | Referer for the OSS bucket is in the specified hotlink protection whitelist | ACS-OSS-PutBucketReferer | No |
| Object Storage Service (OSS) | Check for custom domain names is enabled for the OSS bucket | None | No |
| Object Storage Service (OSS) | TLS version is checked for the OSS bucket | None | No |
| Object Storage Service (OSS) | OSS bucket name matches the regular expression | None | No |
| File Storage NAS | Encryption is configured for the NAS file system | None | Yes |
| File Storage NAS | NAS file system is in the specified status | None | No |
| File Storage NAS | NAS file system is checked for inactivity | None | No |
| File Storage NAS | Authorization object for the NAS permission group rule is not set to all network segments | None | No |
| File Storage NAS | Permission group used by the NAS file system is not open to all sources | None | No |
| File Storage NAS | RAM policies are enabled for the NAS access point | None | No |
| File Storage NAS | Root directory of the NAS access point is not set to the default directory | None | No |
| File Storage NAS | Recycle bin is enabled for the NAS file system | ACS-NAS-BulkyEnableRecycleBin | No |
| File Storage NAS | A backup plan is created for the NAS file system | None | No |
| File Storage NAS | Cross-region replication is enabled for the NAS backup vault | None | No |
| File Storage NAS | Data protection score is checked for the NAS backup vault | ACS-NAS-BulkyEnableRecycleBin | No |
| Tablestore | Network type for the Tablestore instance is set to VPC-only or console-only access | ACS-Config-OTS-RemovePublicAccess | Yes |
| Tablestore | All data tables in the Tablestore instance are encrypted | None | No |
| Tablestore | Tablestore instance uses zone-redundant storage | None | No |
| Tablestore | Cloud Backup is enabled for the Tablestore instance | None | No |
| Tablestore | Cross-region backup is enabled for the Tablestore backup vault | None | No |
| Tablestore | Data protection score is checked for the Tablestore instance | None | No |
| Simple Log Service | Data encryption is configured for the Simple Log Service Logstore | None | No |
| Simple Log Service | Key material for Simple Log Service Logstore encryption is imported by the user | None | No |
| Simple Log Service | Automatic storage tiering is enabled for the SLS Logstore | None | No |
| Simple Log Service | Log project uses zone-redundant storage | None | No |
| Cloud Storage Gateway | A cross-zone high-availability Cloud Storage Gateway is used | None | No |
| Cloud Storage Gateway | Cloud Storage Gateway uses an OSS bucket with an SSL connection | None | No |
| Cloud Storage Gateway | Server-side encryption is used for shares of the Cloud Storage Gateway | None | No |

Network and CDN

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Classic Load Balancer (CLB) | Enable release protection for an SLB instance | ACS-SLB-BulkySetLoadBalancerDeleteProtection | Yes |
| Classic Load Balancer (CLB) | Enable configuration read-only mode for an SLB instance | ACS-SLB-BulkySetLoadBalancerModificationProtection | Yes |
| Classic Load Balancer (CLB) | Check for SLB subscription instance expiration | ACS-BssOpenApi-SetRenewal, ACS-BssOpenApi-EnableAutoRenewal | No |
| Classic Load Balancer (CLB) | Enable auto-renewal for a subscription SLB instance | None | Yes |
| Classic Load Balancer (CLB) | Idle detection for subscription Server Load Balancer instances | None | No |
| Classic Load Balancer (CLB) | SLB idle detection | None | No |
| Classic Load Balancer (CLB) | The SLB instance status is Running | None | No |
| Classic Load Balancer (CLB) | Use an SLB instance in a VPC | None | Yes |
| Classic Load Balancer (CLB) | The SLB instance is not bound to a public IP address | None | Yes |
| Classic Load Balancer (CLB) | SLB access control lists do not allow entries for all address segments | None | Yes |
| Classic Load Balancer (CLB) | Set Resource Access Management for all running listeners on an SLB instance | None | No |
| Classic Load Balancer (CLB) | The access control whitelist for the SLB instance contains specified IP addresses or CIDR blocks | None | No |
| Classic Load Balancer (CLB) | The access control whitelist of the SLB instance does not include the specified IP address or network segment | None | No |
| Classic Load Balancer (CLB) | The SLB instance listener does not include the specified port | None | Yes |
| Classic Load Balancer (CLB) | Check the Anti-DDoS status of SLB | None | No |
| Classic Load Balancer (CLB) | SLB instance has an unconfigured HTTP listener | None | No |
| Classic Load Balancer (CLB) | Enable an HTTPS listener for SLB | None | Yes |
| Classic Load Balancer (CLB) | The HTTPS listener of an SLB instance uses a specified security policy suite | None | No |
| Classic Load Balancer (CLB) | Use an Alibaba Cloud-issued certificate for SLB | None | No |
| Classic Load Balancer (CLB) | The SLB server certificate is valid | None | No |
| Classic Load Balancer (CLB) | SLB certificate expiration check | None | No |
| Classic Load Balancer (CLB) | Use a multi-zone SLB instance | None | Yes |
| Classic Load Balancer (CLB) | Use a multi-zone SLB instance and add resources from multiple zones to the server group | None | No |
| Classic Load Balancer (CLB) | All listeners of the Server Load Balancer have at least the specified number of backend servers | None | No |
| Classic Load Balancer (CLB) | The default server group of an SLB instance contains at least two servers | None | No |
| Classic Load Balancer (CLB) | Add resources from multiple zones to a default server group of Server Load Balancer | None | No |
| Classic Load Balancer (CLB) | Add resources from multiple zones to an SLB primary/secondary server group | None | No |
| Classic Load Balancer (CLB) | Add resources from multiple zones to an SLB vServer group | None | No |
| Classic Load Balancer (CLB) | The SLB instance is a guaranteed-performance instance | None | Yes |
| Classic Load Balancer (CLB) | The SLB instance meets the specified bandwidth requirements | None | Yes |
| Classic Load Balancer (CLB) | The SLB instance type meets the requirements | None | Yes |
| Classic Load Balancer (CLB) | Check for average utilization rate of maximum connections on an SLB instance | None | No |
| Classic Load Balancer (CLB) | Checking the average new connection usage rate for an SLB instance | None | No |
| Classic Load Balancer (CLB) | SLB instance outbound bandwidth average utilization check | None | No |
| Classic Load Balancer (CLB) | All SLB listeners have health checks set up | None | No |
| Classic Load Balancer (CLB) | The server weight for an SLB instance is not 0 | None | No |
| Classic Load Balancer (CLB) | Enable access logs for an SLB instance | None | No |
| Classic Load Balancer (CLB) | Troubleshoot a non-existent threshold abnormality for a CLB instance | None | No |
| Application Load Balancer (ALB) | Enabling release protection for an ALB instance | None | No |
| Application Load Balancer (ALB) | ALB idle connection detection | None | No |
| Application Load Balancer (ALB) | Monitoring the outbound bandwidth utilization of an Internet Shared Bandwidth associated with an ALB instance | None | No |
| Application Load Balancer (ALB) | Monitoring outbound bandwidth usage for EIPs associated with an ALB | None | No |
| Application Load Balancer (ALB) | The network type of the ALB instance is private | None | No |
| Application Load Balancer (ALB) | Set access control for all running listeners of the ALB instance | None | No |
| Application Load Balancer (ALB) | ALB access control lists do not allow configuring all address segments | None | No |
| Application Load Balancer (ALB) | The access control whitelist for the ALB instance does not contain the specified IP address or network segment | None | No |
| Application Load Balancer (ALB) | The access control whitelist for an ALB instance contains specified IP addresses or network segments | None | No |
| Application Load Balancer (ALB) | Remove Header forwarding feature for an ALB HTTP listener | None | No |
| Application Load Balancer (ALB) | Using multi-zone ALB instances | None | No |
| Application Load Balancer (ALB) | The ALB server group contains at least two servers | None | No |
| Application Load Balancer (ALB) | Add resources from multiple zones to an ALB server group | None | No |
| Application Load Balancer (ALB) | All ALB listeners and forwarding rules have health checks configured | None | No |
| Application Load Balancer (ALB) | The default forwarding rule for each listener on an Application Load Balancer (ALB) contains at least a specified number of servers | None | No |
| Application Load Balancer (ALB) | Expiration check for SSL certificates on listeners of running ALB instances | None | No |
| Application Load Balancer (ALB) | Enable Web Application Firewall for an ALB instance | None | No |
| Application Load Balancer (ALB) | ALB instance connection failure rate check | None | No |
| Application Load Balancer (ALB) | ALB instance 4xx error rate detection | None | No |
| Application Load Balancer (ALB) | ALB instance 5xx error rate detection | None | No |
| Application Load Balancer (ALB) | ALB instance TLS handshake failure rate check | None | No |
| Application Load Balancer (ALB) | The virtual IP of an ALB instance is unavailable for processing due to an abnormal high-water mark | None | No |
| Network Load Balancer (NLB) | Using a multi-zone Network Load Balancer instance | None | No |
| Network Load Balancer (NLB) | Add resources from multiple zones to a Network Load Balancer server group | None | No |
| Network Load Balancer (NLB) | Missing threshold abnormality in virtual IP processing for an NLB instance | None | No |
| Network Load Balancer (NLB) | Specified security policy for an NLB instance listener | None | No |
| Gateway Load Balancer (GWLB) | Use a multi-zone Gateway Load Balancer instance | None | No |
| Gateway Load Balancer (GWLB) | GWLB server group servers are deployed across multiple zones | None | No |
| Elastic IP Address | Subscription Elastic IP Address expiration check | None | No |
| Elastic IP Address | Detect idle Elastic IP Addresses | None | No |
| Elastic IP Address | Idle EIP detection | None | No |
| Elastic IP Address | Enable deletion protection for an Elastic IP Address | None | No |
| Elastic IP Address | The service status of the Elastic IP Address instance is Normal | None | No |
| Elastic IP Address | The bandwidth of the Elastic IP address (EIP) instance meets the minimum requirements | None | No |
| Elastic IP Address | No abnormal bandwidth level for the Elastic IP Address instance | None | No |
| Elastic IP Address | Enable Cloud Firewall protection for an EIP | None | No |
| Elastic IP Address | Check the Anti-DDoS status of an EIP | None | No |
| Elastic IP Address | A public IPv4 address is not assigned in the scaling configuration | None | No |
| Elastic IP Address | Associate an Auto Scaling group with a Server Load Balancer | None | No |
| Elastic IP Address | Associate an Auto Scaling group with at least two vSwitches | None | No |
| Elastic IP Address | Detecting EIP tag inheritance from an associated resource | ACS-TAG-TagResourcesIgnoreCaseSensitive | No |
| Internet Shared Bandwidth (CBWP) | Internet Shared Bandwidth instance expiration check | None | Yes |
| Internet Shared Bandwidth (CBWP) | Idle shared bandwidth detection | None | No |
| Virtual Private Cloud (VPC) | Routing is set for the custom VPC network segment | None | No |
| Virtual Private Cloud (VPC) | The destination CIDR block of the VPC custom route is not set to all CIDR blocks | None | No |
| Virtual Private Cloud (VPC) | The IP address ranges of vSwitches in the same region cannot overlap | None | No |
| Virtual Private Cloud (VPC) | The available IP address count for a VPC vSwitch is greater than a specified value | None | No |
| Virtual Private Cloud (VPC) | VPC network ACL has no open risky ports | None | No |
| Virtual Private Cloud (VPC) | The VPC network ACL is not empty | None | No |
| Virtual Private Cloud (VPC) | Attach a network ACL to at least one resource | None | No |
| Virtual Private Cloud (VPC) | Enable flow logs for a VPC | None | No |
| Virtual Private Cloud (VPC) | IPsec VPN connection is normal | None | No |
| Virtual Private Cloud (VPC) | Enable a health check for an IPsec VPN connection | None | No |
| Virtual Private Cloud (VPC) | Configure multiple zones for an endpoint service | None | No |
| Virtual Private Cloud (VPC) | Peer account ID check for an Express Connect router interface | None | No |
| NAT Gateway | NAT Gateway does not allow mapping for specified threat ports | ACS-VPC-BulkyDeleteForwardEntry | No |
| NAT Gateway | An Internet NAT gateway is created in a specific virtual private cloud (VPC) | None | No |
| NAT Gateway | A private NAT gateway is created in a specified virtual private cloud (VPC) | None | No |
| NAT Gateway | NAT Gateway not using the specified network type | None | No |
| NAT Gateway | SNAT and DNAT do not use the same EIP in a NAT Gateway | None | No |
| NAT Gateway | Consistent peak bandwidth settings when attaching multiple EIPs to an SNAT entry | None | No |
| NAT Gateway | Enable release protection for a NAT Gateway | None | No |
| NAT Gateway | NAT Gateway idle detection | None | No |
| NAT Gateway | VPC private gateway idle detection | None | No |
| NAT Gateway | Abnormal threshold handling when a NAT Gateway is missing | None | No |
| NAT Gateway | NAT Gateway zone independence | None | No |
| NAT Gateway | NAT Gateway status check | None | No |
| CEN | Expiration check for Cloud Enterprise Network bandwidth plans | ACS-BssOpenApi-SetRenewal, ACS-BssOpenApi-EnableAutoRenewal | No |
| CEN | The bandwidth allocation for the inter-region connection in the CEN instance meets the specified requirements | None | No |
| CEN | Health checks are configured for all VBR connections in the CEN instance | None | No |
| CEN | Configure multiple zones for a TransitRouter VPC connection | None | No |
| CEN | No abnormal cross-region bandwidth levels | None | No |
| CEN | No threat of exceeding the TR route entry limit | None | No |
| VPN Gateway | VPN Gateway not activated | None | No |
| VPN Gateway | VPN Gateway idle detection | None | No |
| VPN Gateway | VPN instance expiration check | ACS-BssOpenApi-EnableAutoRenewal | No |
| VPN Gateway | The encryption algorithm for the VPN connection is not None | None | No |
| VPN Gateway | Use a multi-zone VPN Gateway | None | No |
| VPN Gateway | The VPN Gateway status is Normal | None | No |
| VPN Gateway | Both the active and standby tunnels of a dual-tunnel VPN Gateway are connected | None | No |
| VPN Gateway | VPN Gateway inbound bandwidth utilization check | None | No |
| VPN Gateway | VPN Gateway outbound bandwidth usage check | None | No |
| VPN Gateway | The VPN Gateway service has no abnormal thresholds | None | No |
| Express Connect | Using Express Connect in high-reliability mode | None | No |
| Express Connect | Configure a health check for a VBR instance | None | No |
| Express Connect | The VBR instance has no missing redundancy | None | No |
| Express Connect | The BGP connection status of the VBR instance is normal | None | No |
| Express Connect | No abnormal ports on the Express Connect circuit | None | No |
| Express Connect | Multiple valid routes on an Express Connect circuit gateway | None | No |
| CDN | Enable HTTPS encryption for an accelerated domain name | None | No |
| CDN | The CDN SSL certificate has not expired | None | No |
| CDN | Enable force redirect from HTTP to HTTPS for an accelerated domain name | None | No |
| CDN | Enable Referer hotlink protection for an accelerated domain name | None | No |
| CDN | Enable URL signing for an accelerated domain name | None | No |
| CDN | Enable OCSP stapling for an accelerated domain name | None | No |
| CDN | Enable TLS 1.3 detection for an accelerated domain name | None | No |
| CDN | Set CDN cache for a domain name | None | No |
| CDN | Enable Gzip compression for an accelerated domain name | None | No |
| CDN | Enable Brotli compression for an accelerated domain name | None | No |
| CDN | Enable range origin fetch for an accelerated domain name | None | No |
| CDN | Enable parameter filtering for an accelerated domain name | None | No |
| CDN | Optimize OSS data transmission using CDN | None | No |
| CDN | The source of a CDN configuration should not point to a non-existent OSS bucket | None | No |
| CDN | The OSS origin configuration for the accelerated domain name is consistent | None | No |
| CDN | Configure multiple origins for an accelerated domain name | None | No |
| CDN | Enable IPv6 access for an accelerated domain name | None | No |
| Edge Security Acceleration | Configure multiple sources for a DCDN accelerated domain name | None | No |
| Alibaba Cloud DNS | The CNAME record in DNS points to an existing OSS bucket Endpoint | None | No |
| Alibaba Cloud DNS | The domain name format in Cloud DNS matches a specified regular expression | None | No |
| Alibaba Cloud DNS | DNS MX record compliance check | None | No |

Security

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Anti-DDoS | DDoS instance expiration check | None | No |
| Anti-DDoS | Prevent DDoS attacks with Anti-DDoS | None | No |
| Anti-DDoS | Status check for the protected IP of an Anti-DDoS Pro or Anti-DDoS Premium instance | None | No |
| Web Application Firewall | Use a web firewall to protect a website or app | None | No |
| Web Application Firewall | Add an API group domain from API Gateway to WAF | None | No |
| Web Application Firewall | Enable a specific protection feature for a WAF-protected domain name | None | No |
| Web Application Firewall | Enable a specific prevention mode for a specific protection feature of a WAF domain name | None | No |
| Web Application Firewall | Enable a specific protection rule for a WAF instance | None | No |
| Web Application Firewall | Enable log collection for a WAF instance | ACS-WAF-BulkyModifyLogServiceStatus | No |
| Web Application Firewall | Enable log detection for a WAF 3.0 protected object | None | No |
| Cloud Firewall | All assets in Cloud Firewall are protected | None | No |
| Cloud Firewall | No control policy in Cloud Firewall matches the specified conditions | None | No |
| Cloud Firewall | A control policy in Cloud Firewall matches the specified conditions | None | No |
| Cloud Firewall | Enable protection for assets in Cloud Firewall | None | No |
| Cloud Firewall | Cloud Firewall IPS has basic protection enabled | ACS-Cloudfw-ModifyIPSConfig | No |
| Cloud Firewall | Cloud Firewall IPS has threat intelligence enabled | ACS-Cloudfw-ModifyIPSConfig | No |
| Cloud Firewall | Cloud Firewall IPS has enabled Virtual Patches | ACS-Cloudfw-ModifyIPSConfig | No |
| Cloud Firewall | The Cloud Firewall intrusion prevention system (IPS) is in Block Mode | ACS-Cloudfw-ModifyIPSConfig | No |
| Cloud Firewall | Use Cloud Firewall to secure network borders | None | No |
| Security Center | Use Security Center Enterprise Edition | None | No |
| Security Center | All ECS instances in the account have the Security Center proxy installed | None | No |
| Security Center | A notification method is set for the Security Center notification item | None | No |
| Security Center | All ECS instance vulnerabilities are fixed | None | No |
| Security Center | No pending image vulnerabilities in Security Center | None | No |
| Security Center | Configure a vulnerability scan for a specified priority in Security Center | None | No |
| Security Center | Security Center detects no leaked AccessKeys | None | No |
| Security Center | Security Center found no assets with high-risk weak passwords | None | No |
| Security Center | Enable specific types of proactive protection in Security Center | None | No |
| Security Center | Enable asset fingerprint collection for specific types in Security Center | None | No |
| Digital Certificate Management Service (SSL Certificate) | SSL certificate expiration check | None | No |
| Key Management Service | Enable delete protection for a KMS master key | ACS-KMS-BulkySetDeletionProtection | No |
| Key Management Service | The KMS master key is not scheduled for deletion | None | No |
| Key Management Service | Set automatic master key rotation in Key Management Service | ACS-KMS-BulkyUpdateRotationPolicy | No |
| Key Management Service | Set automatic credential rotation in Key Management Service (KMS) | None | No |
| Key Management Service | KMS credential successfully rotated | None | No |
| Key Management Service | Not using a KMS master key from an external source | None | No |
| Key Management Service | Using multi-zone KMS instances | None | No |
| Key Management Service | KMS instance expiration check | ACS-BssOpenApi-EnableAutoRenewal | No |
| Data Security Center | Sensitive data detection is not enabled in Data Security Center | None | No |
| Bastionhost | Bastionhost instance expiration check | None | No |
| Bastionhost | Bastionhost versions that support multi-zone deployment | None | No |
| Bastionhost | Available storage for the Bastionhost meets minimum requirements | None | No |

Middleware

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Microservices Engine (MSE) | MSE cluster allows public network access and enables authentication | None | No |
| Microservices Engine (MSE) | MSE cluster public network access check | None | No |
| Microservices Engine (MSE) | Use a High-availability Edition MSE registry | None | No |
| Microservices Engine (MSE) | MSE registry multi-node deployment check | None | No |
| Microservices Engine (MSE) | MSE registry DPI engine version check | None | No |
| Microservices Engine (MSE) | MSE registry capacity check | None | No |
| Microservices Engine (MSE) | MSE cloud-native gateway multi-node deployment check | None | No |
| Microservices Engine (MSE) | Deploy an MSE cloud-native gateway in multiple zones | None | No |
| Microservices Engine (MSE) | MSE cloud-native gateway version check | None | No |
| Enterprise Distributed Application Service (EDAS) | Log collection is not configured for EDAS | None | No |
| ApsaraMQ for RocketMQ | Use a multi-zone ApsaraMQ for RocketMQ 5.0 instance | None | No |
| ApsaraMQ for RocketMQ | Use a Platinum Edition ApsaraMQ for RocketMQ instance | None | No |
| Message Queue for Apache Kafka | The public IP address whitelist of a Kafka instance is not open to all IP addresses | None | No |
| Message Queue for Apache Kafka | Use a multi-zone Message Queue for Apache Kafka instance | None | No |
| Lightweight message queue | Disable public network access for MNS queues | None | No |
| API Gateway | Set APIs in API Gateway to private | None | No |
| API Gateway | Enable IPv4 access control for an API Gateway instance and configure a valid list | None | No |
| API Gateway | Enable IPv6 access control for an API Gateway instance and configure a valid list | None | No |
| API Gateway | Set the request method to HTTPS for APIs in API Gateway that allow public network access | ACS-ApiGateway-BulkyModifyApiGroupNetworkPolicy | No |
| API Gateway | The HTTPS security policy of an API group in API Gateway meets requirements | None | No |
| API Gateway | Attach a custom domain name to an API group in API Gateway | None | No |
| API Gateway | Configure an SSL certificate for the custom domain name of an API group in API Gateway | None | No |
| API Gateway | Attach an independent domain name to an API group and enable force redirect to HTTPS | None | No |
| API Gateway | Set the API security authentication method to JWT in API Gateway | None | No |
| API Gateway | Configure API security authentication in API Gateway | None | No |
| API Gateway | Configure log storage for API calls in an API group | None | No |
| API Gateway | Connect the domain name attached to an API group in API Gateway to WAF or WAF 3.0 | None | No |
| API Gateway | Configure the Tracing Analysis feature for an API group | None | No |
| API Gateway | Use a multi-zone API Gateway instance | None | No |

Database

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Cloud-native database PolarDB | PolarDB subscription cluster expiration check | None | No |
| Cloud-native database PolarDB | PolarDB-X1 instance expiration check | None | No |
| Cloud-native database PolarDB | PolarDB-X2 instance expiration check | None | No |
| Cloud-native database PolarDB | Enable delete protection for a PolarDB cluster | None | No |
| Cloud-native database PolarDB | Set a maintenance window for a PolarDB cluster | None | No |
| Cloud-native database PolarDB | The log backup retention period for PolarDB clusters meets specified requirements | None | No |
| Cloud-native database PolarDB | The level-2 backup retention period for the PolarDB cluster meets the specified requirements | None | No |
| Cloud-native database PolarDB | The level-1 backup retention period for the PolarDB cluster meets the specified requirements | None | No |
| Cloud-native database PolarDB | Use a PolarDB instance in a virtual private cloud (VPC) | None | No |
| Cloud-native database PolarDB | Use a dedicated PolarDB instance | None | No |
| Cloud-native database PolarDB | The PolarDB product series is the Cluster Edition | None | No |
| Cloud-native database PolarDB | Use a multi-zone PolarDB-X2 instance | None | No |
| Cloud-native database PolarDB | PolarDB cluster with a stable kernel version | None | No |
| Cloud-native database PolarDB | The PolarDB database minor version is stable | None | No |
| Cloud-native database PolarDB | The IP whitelist for a PolarDB instance cannot be set to all network segments | None | Yes |
| Cloud-native database PolarDB | No PolarDB cluster endpoints are enabled for public access | None | No |
| Cloud-native database PolarDB | The PolarDB instance has no Internet endpoint, or its IP whitelist is not set to all network segments | None | No |
| Cloud-native database PolarDB | Set the connection type of PolarDB cluster endpoints to a specified value | None | No |
| Cloud-native database PolarDB | Set the read/write pattern of the PolarDB cluster endpoint to Read/Write | None | No |
| Cloud-native database PolarDB | Set the session consistency level for the PolarDB cluster endpoint to a specified value | None | No |
| Cloud-native database PolarDB | The connection format of the PolarDB cluster endpoint is valid | None | No |
| Cloud-native database PolarDB | The connection format for the primary endpoint of the PolarDB cluster is valid | None | No |
| Cloud-native database PolarDB | The format of the read-only connection string for the PolarDB cluster is correct | None | No |
| Cloud-native database PolarDB | Enable a hot standby cluster for a PolarDB cluster | None | No |
| Cloud-native database PolarDB | Disable automatic addition of new nodes to a read-only endpoint of a PolarDB cluster | None | No |
| Cloud-native database PolarDB | Enable automatic addition of new nodes to PolarDB cluster endpoints | None | No |
| Cloud-native database PolarDB | Set the PolarDB cluster endpoints to accept reads on the primary database | None | No |
| Cloud-native database PolarDB | The transaction splitting status for the PolarDB cluster endpoints is set to Shutdown | None | No |
| Cloud-native database PolarDB | Enable TDE for a PolarDB cluster | None | No |
| Cloud-native database PolarDB | Configure SSL encryption for a PolarDB cluster | None | No |
| Cloud-native database PolarDB | Enable SQL Audit for a PolarDB cluster | None | No |
| Cloud-native database PolarDB | The default time zone parameter of the PolarDB cluster is not System | None | No |
| Cloud-native database PolarDB | The description for each account in a PolarDB cluster is not empty | None | No |
| ApsaraDB RDS | RDS subscription instance expiration check | None | Yes |
| ApsaraDB RDS | Long-running pay-as-you-go RDS instance check | None | No |
| ApsaraDB RDS | Enable delete protection for an RDS instance | None | No |
| ApsaraDB RDS | The RDS instance is not accessible over the Internet, or the IP whitelist is not set to all network segments | None | No |
| ApsaraDB RDS | The RDS instance is not connected to the Internet, and the IP whitelist is not set to all network segments | None | No |
| ApsaraDB RDS | No outdated RDS instances are used | None | No |
| ApsaraDB RDS | The RDS instance type meets the specified requirements | None | No |
| ApsaraDB RDS | The RDS instance meets the minimum CPU core requirements | None | No |
| ApsaraDB RDS | The RDS instance meets the minimum memory requirements | None | Yes |
| ApsaraDB RDS | The RDS instance meets minimum storage requirements | None | No |
| ApsaraDB RDS | The RDS instance meets the minimum read/write frequency | None | No |
| ApsaraDB RDS | Average connection utilization check for an RDS instance | None | No |
| ApsaraDB RDS | Average CPU utilization check for an RDS instance | None | Yes |
| ApsaraDB RDS | RDS instance average IOPS utilization check | None | No |
| ApsaraDB RDS | Average memory usage check for an RDS instance | None | No |
| ApsaraDB RDS | Idle CPU utilization check for an RDS instance | None | No |
| ApsaraDB RDS | RDS instance idle disk usage check | None | Yes |
| ApsaraDB RDS | Idle memory usage check for an RDS instance | None | No |
| ApsaraDB RDS | Check the remaining storage space of an RDS instance | None | No |
| ApsaraDB RDS | Use a dedicated RDS instance | None | No |
| ApsaraDB RDS | Use an RDS instance that runs in Cluster Edition | None | No |
| ApsaraDB RDS | Use an RDS instance in a virtual private cloud (VPC) | None | No |
| ApsaraDB RDS | The network type of the RDS instance is a virtual private cloud (VPC) | None | No |
| ApsaraDB RDS | The RDS instance has no public IP address | ACS-RDS-ReleaseInstancePublicConnection | No |
| ApsaraDB RDS | Configure the whitelist for an RDS instance | ACS-RDS-BulkyModifySecurityIpsByInstanceIPArray | Yes |
| ApsaraDB RDS | The IP whitelist of an RDS instance does not include the Internet | None | No |
| ApsaraDB RDS | Enable enhanced whitelist mode for an RDS instance | ACS-RDS-BulkyMigrateSecurityIPMode | No |
| ApsaraDB RDS | Use an SSL certificate for an RDS instance | None | No |
| ApsaraDB RDS | Enable SSL and specify a TLS version for an RDS instance | None | No |
| ApsaraDB RDS | Access SQL Server using the database proxy pattern | None | No |
| ApsaraDB RDS | Use a high-availability RDS instance | None | No |
| ApsaraDB RDS | Use a multi-zone RDS instance | None | No |
| ApsaraDB RDS | Automatic switchover configuration check for a primary/standby RDS instance | ACS-RDS-BulkyModifyHASwitchConfig | No |
| ApsaraDB RDS | RDS instance data replication is not asynchronous | None | No |
| ApsaraDB RDS | Create a disaster recovery instance for RDS | None | No |
| ApsaraDB RDS | RDS read/write instance latency check | None | No |
| ApsaraDB RDS | The primary and secondary nodes of an RDS cluster have inconsistent CPU and memory configurations | None | No |
| ApsaraDB RDS | The primary and secondary nodes of the RDS cluster are not configured with the same instance class | None | No |
| ApsaraDB RDS | Enable TDE for an RDS instance | None | No |
| ApsaraDB RDS | Enable TDE for an RDS instance using a custom key | None | No |
| ApsaraDB RDS | Enable disk encryption for an RDS instance | None | No |
| ApsaraDB RDS | RDS PostgreSQL data durability check | ACS-RDS-BulkyModifyParameter | No |
| ApsaraDB RDS | Enable log backup for an RDS instance | None | No |
| ApsaraDB RDS | Enable cross-region backup for an RDS instance | None | No |
| ApsaraDB RDS | RDS instance storage auto-scaling check | ACS-RDS-BulkyModifyDasInstanceConfig | No |
| ApsaraDB RDS | Check if auto scaling is enabled for RDS instances | None | No |
| ApsaraDB RDS | Enable SQL Audit for an RDS instance | ACS-RDS-BulkyModifySQLCollectorPolicy | No |
| ApsaraDB RDS | The SQL audit log for an RDS instance has the required retention period | ACS-RDS-BulkyModifySQLCollectorRetention | No |
| ApsaraDB RDS | Enable historical events for an RDS instance | ACS-RDS-BulkyModifyActionEventPolicy | No |
| ApsaraDB RDS | Slow SQL statement detection for RDS instances | None | No |
| ApsaraDB RDS | Enable automatic minor version updates for an RDS instance | ACS-RDS-BulkyModifyDBInstanceAutoUpgradeMinorVersion | No |
| ApsaraDB RDS | Set a reasonable maintenance window for an RDS instance | None | No |
| ApsaraDB RDS | The RDS monitoring granularity settings meet the requirements | None | No |
| ApsaraDB RDS | Create a dynamic ApsaraDB RDS secret for an RDS instance | None | No |
| ApsaraDB RDS | Set the PostgreSQL database parameter log_connections to on | None | No |
| ApsaraDB RDS | Set the PostgreSQL database parameter log_disconnections to on | None | No |
| ApsaraDB RDS | Set the PostgreSQL database parameter log_duration to on | None | No |
| ApsaraDB RDS | Enable security audit for a database instance | None | No |
| ApsaraDB RDS | Enable SQL Audit for a database instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Expiration check for Redis subscription instances | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable release protection for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Set a reasonable backup time window for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable incremental backup for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Upgrade a Redis instance to the latest minor version | None | No |
| ApsaraDB Tair (Redis-compatible) | Meet the required queries per second (QPS) for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | The Redis instance meets the specified bandwidth requirements | None | No |
| ApsaraDB Tair (Redis-compatible) | The Redis instance meets the memory capacity requirement | None | No |
| ApsaraDB Tair (Redis-compatible) | Average connection usage check for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Average CPU usage of a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Average memory usage check for Redis instances | None | No |
| ApsaraDB Tair (Redis-compatible) | Use a Redis instance in a VPC | None | No |
| ApsaraDB Tair (Redis-compatible) | The Redis instance does not have a public IP address | ACS-Redis-ReleaseInstancePublicConnection | No |
| ApsaraDB Tair (Redis-compatible) | Do not set the IP whitelist for a Redis instance to all network segments | ACS-Redis-BulkyDeleteSecurityIpFromInstanceIPArray | Yes |
| ApsaraDB Tair (Redis-compatible) | Internet access is not enabled for the Redis instance, or the whitelist is not set to allow access from any source | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable password authentication for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable SSL encryption for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable SSL and specify a TLS version for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Use a cluster Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | The Redis instance is a multi-zone instance | None | No |
| ApsaraDB Tair (Redis-compatible) | The Redis instance has a dual-replica node type | None | No |
| ApsaraDB Tair (Redis-compatible) | Use an Enterprise Edition Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable TDE encryption for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable transparent data encryption (TDE) for a Redis instance with a custom key | None | No |
| ApsaraDB Tair (Redis-compatible) | Disable AOF persistence for a Tair instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Enable the audit log for a Redis instance | ACS-REDIS-BulkyModifyAuditLogConfig | No |
| ApsaraDB Tair (Redis-compatible) | The audit logs for a Redis instance are kept for the required number of days | ACS-REDIS-BulkyModifyAuditLogConfig | No |
| ApsaraDB Tair (Redis-compatible) | Disable high-risk commands for a Redis instance | ACS-Redis-BulkyModifyInstanceConfig | No |
| ApsaraDB Tair (Redis-compatible) | Specified high-risk commands are disabled for the Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Using DTS data synchronization to build real-time cache consistency | None | No |
| ApsaraDB Tair (Redis-compatible) | Idle CPU utilization check for a Redis instance | None | No |
| ApsaraDB Tair (Redis-compatible) | Idle detection for Redis instance memory usage | None | No |
| Lindorm | Use a multi-zone Lindorm instance | None | No |
| Lindorm | Public network access is not enabled for the Lindorm instance | None | No |
| ApsaraDB MongoDB | MongoDB subscription cluster expiration check | None | No |
| ApsaraDB MongoDB | Enable release protection for a MongoDB instance | None | No |
| ApsaraDB MongoDB | The MongoDB instance is not locked | None | No |
| ApsaraDB MongoDB | Enable the audit log on a MongoDB cluster | None | No |
| ApsaraDB MongoDB | Enable log backup for a MongoDB instance | None | No |
| ApsaraDB MongoDB | The MongoDB instance meets the specified read/write count requirement | None | No |
| ApsaraDB MongoDB | MongoDB meets the specified connection requirements | None | No |
| ApsaraDB MongoDB | MongoDB: Using dedicated or exclusive instances | None | No |
| ApsaraDB MongoDB | Use a MongoDB instance in a VPC | None | No |
| ApsaraDB MongoDB | Do not set the IP whitelist for a MongoDB instance to all network segments | None | No |
| ApsaraDB MongoDB | The MongoDB instance has no Internet access, or its security whitelist is not set to allow access from any source | None | No |
| ApsaraDB MongoDB | Enable Secure Sockets Layer (SSL) encryption for a MongoDB instance | None | No |
| ApsaraDB MongoDB | Use a multi-node MongoDB instance | None | No |
| ApsaraDB MongoDB | Using a multi-zone MongoDB instance | None | No |
| ApsaraDB MongoDB | Use a custom key to set TDE for MongoDB | None | No |
| ApsaraDB MongoDB | Idle CPU detection for a MongoDB instance | None | No |
| ApsaraDB MongoDB | MongoDB instance idle check by memory usage | None | No |
| ApsaraDB MongoDB | Free disk space check for MongoDB instances | None | No |
| AnalyticDB for MySQL | The AnalyticDB for MySQL cluster has no Internet endpoint | None | No |
| AnalyticDB for MySQL | The ADB cluster is in multi-zone deployment mode | None | No |
| AnalyticDB for MySQL | Enable SQL audit logs for an ADB cluster | None | No |
| AnalyticDB for MySQL | Enable log backup for an ADB cluster | None | No |
| AnalyticDB for MySQL | Set a reasonable maintenance window for an ADB cluster | None | No |
| AnalyticDB for MySQL | Check instance expiration for AnalyticDB for Data Warehouse | None | No |
| Cloud-native data warehouse AnalyticDB for PostgreSQL | Use a multi-zone cloud-native data warehouse AnalyticDB instance | None | No |
| Cloud-native data warehouse AnalyticDB for PostgreSQL | Enable disk encryption for a PostgreSQL instance | None | No |
| Cloud-native data warehouse AnalyticDB for PostgreSQL | Enable SSL encryption for a PostgreSQL instance | None | No |
| Cloud-native data warehouse AnalyticDB for PostgreSQL | AnalyticDB for PostgreSQL: Check active data backups | None | No |
| ApsaraDB for ClickHouse | Using a multi-zone ApsaraDB for ClickHouse cluster instance | None | No |
| Time Series Database (TSDB) | The TSDB instance has no Internet access | None | No |
| Time Series Database (TSDB) | TSDB instance security whitelist check | None | No |
| ApsaraDB for HBase | The HBase cluster type is Cluster Edition | None | No |
| ApsaraDB for HBase | HBase cluster in a VPC | None | No |
| ApsaraDB for HBase | The HBase cluster does not have an Internet address | None | No |
| ApsaraDB for HBase | Configure an HBase cluster for high availability | None | No |
| ApsaraDB for HBase | Use a multi-zone HBase cluster | None | No |
| ApsaraDB for HBase | Enable deletion protection for an HBase cluster | None | No |
| ApsaraDB for HBase | HBase subscription cluster expiration check | None | No |
| ApsaraDB OceanBase | Enable Secure Sockets Layer (SSL) encryption for an OceanBase cluster | None | No |
| ApsaraDB OceanBase | The IP whitelist group settings for an OceanBase tenant are effective | None | No |
| ApsaraDB OceanBase | Internet access is not enabled for the OceanBase tenant, or the security whitelist is not set to allow access from any source | None | No |
| ApsaraDB OceanBase | Enable transparent data encryption (TDE) for an OceanBase tenant | None | No |
| ApsaraDB OceanBase | Enable database backup for an OceanBase cluster | None | No |
| ApsaraDB OceanBase | Enable SQL diagnostics in an OceanBase cluster | None | No |
| Data Management (DMS) | Enable Stable Change checks in a DMS instance | None | No |
| Data Management (DMS) | Enable sensitive data protection for a database instance | None | No |
| Data Transmission Service (DTS) | Use a secure SSL connection for the source and destination databases of a DTS migration task | None | No |
| Data Transmission Service (DTS) | Use SSL for the source database of a DTS tracking task | None | No |
| Data Transmission Service (DTS) | Use SSL connections for the source and destination databases of a DTS sync task | None | No |
| Data Transmission Service (DTS) | Enable geo-disaster recovery for a database instance using DTS | None | No |

Big Data Computing

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Cloud-native big data computing service | Enable encryption for a MaxCompute project | None | No |
| Cloud-native big data computing service | Enable an IP whitelist for a MaxCompute project | None | No |
| Cloud-native big data computing service | A MaxCompute project uses a zone-disaster recovery architecture | None | No |
| Hologres | The Hologres instance has remote backup data | None | No |
| Realtime Compute for Apache Flink | Use multi-zone Flink instances | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Elasticsearch instance in a virtual private cloud (VPC) | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Kibana public network access is disabled for the Elasticsearch instance | None | Yes |
| Retrieval and Analysis Service (Elasticsearch Edition) | The Elasticsearch instance does not have public network access | None | Yes |
| Retrieval and Analysis Service (Elasticsearch Edition) | Internet access is not enabled for the Elasticsearch instance or access from any IP address is not allowed | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Enable disk encryption for data nodes of an Elasticsearch instance | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Enable disk encryption on elastic data nodes in an Elasticsearch instance | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Enable disk encryption for cold data nodes of an Elasticsearch instance | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Use the HTTPS transport protocol for an Elasticsearch instance | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Use a multi-zone Elasticsearch instance | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Enable automatic backups for an Elasticsearch instance | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | Deprecated Elasticsearch instances are not used | None | No |
| Retrieval and Analysis Service (Elasticsearch Edition) | All Elasticsearch instances use supported versions | None | No |
| Open source big data platform E-MapReduce | Internet access check for the master node of an EMR cluster | None | No |
| Open source big data platform E-MapReduce | Unrestricted whitelist in EMR cluster security group | None | No |

Migration and operations management

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Resource Access Management (RAM) | No AccessKey for the Alibaba Cloud account | None | No |
| Resource Access Management (RAM) | No RAM users are created for the Alibaba Cloud account | None | No |
| Resource Access Management (RAM) | MFA is enabled for the Alibaba Cloud account | None | No |
| Resource Access Management (RAM) | Available credit alert is enabled | ACS-Config-BSS-ModifyAlarm | No |
| Resource Access Management (RAM) | Check your account password policy | None | No |
| Resource Access Management (RAM) | Resources with a specified name exist under the Alibaba Cloud account | None | No |
| Resource Access Management (RAM) | Simple Log Service data transformation tasks that meet specified requirements exist under the Alibaba Cloud account | None | No |
| Resource Access Management (RAM) | RAM user logon is checked | None | No |
| Resource Access Management (RAM) | RAM users have logged on within a specified period | None | No |
| Resource Access Management (RAM) | AccessKeys for RAM users are rotated within a specified period | None | No |
| Resource Access Management (RAM) | No active keys exist for RAM users | None | No |
| Resource Access Management (RAM) | No idle AccessKeys exist for RAM users | None | No |
| Resource Access Management (RAM) | No disabled AccessKeys exist for RAM users | None | No |
| Resource Access Management (RAM) | No access policies that meet specified conditions are attached to RAM users or their user groups | None | No |
| Resource Access Management (RAM) | No specified high-risk permissions are granted to RAM users | None | No |
| Resource Access Management (RAM) | A RAM user has no more than one active AccessKey | None | No |
| Resource Access Management (RAM) | Console access and API call access are not enabled for a RAM user at the same time | None | No |
| Resource Access Management (RAM) | The password policy for RAM users meets requirements | ACS-RAM-SetPasswordPolicy | No |
| Resource Access Management (RAM) | Password complexity in the password policy for RAM users meets requirements | None | No |
| Resource Access Management (RAM) | Maximum logon retries in the password policy for RAM users meets requirements | None | No |
| Resource Access Management (RAM) | Password expiration period in the password policy for RAM users meets requirements | None | No |
| Resource Access Management (RAM) | MFA is enabled for high-privilege RAM users | None | No |
| Resource Access Management (RAM) | MFA is enabled for RAM users | ACS-ECS-BulkyUpdateLoginProfile | No |
| Resource Access Management (RAM) | Check if a RAM user has enabled MFA for logon | None | No |
| Resource Access Management (RAM) | Permissions are not granted directly to RAM users | None | No |
| Resource Access Management (RAM) | RAM users belong to a user group | None | No |
| Resource Access Management (RAM) | RAM user groups are not empty | None | No |
| Resource Access Management (RAM) | No super administrator exists | None | No |
| Resource Access Management (RAM) | RAM users and their user groups do not have super administrator permissions or administrator permissions for any Alibaba Cloud service | None | No |
| Resource Access Management (RAM) | An access policy that meets specified parameter conditions is attached to RAM users | None | No |
| Resource Access Management (RAM) | Custom RAM policies do not contain the permission configuration specified by parameters | None | No |
| Resource Access Management (RAM) | No idle RAM access policies exist | None | No |
| Resource Access Management (RAM) | No idle RAM user groups exist | None | No |
| Resource Access Management (RAM) | The Alibaba Cloud account has a role with the specified name | None | No |
| Resource Access Management (RAM) | Roles defined by RAM users do not include product management permissions | None | No |
| Resource Access Management (RAM) | RAM roles do not have super administrator permissions or administrator permissions for any Alibaba Cloud service | None | No |
| Resource Access Management (RAM) | An access policy that meets specified parameter conditions is attached to RAM roles | None | No |
| Resource Access Management (RAM) | Role-based SSO is enabled | None | No |
| Resource Access Management (RAM) | SSO is enabled for RAM users | None | No |
| Resource Access Management (RAM) | CloudSSO SAML signing certificate expiration is checked | None | No |
| Resource Access Management (RAM) | CloudSSO SCIM key expiration is checked | None | No |
| Resource Management | Resources are located in specified regions | None | No |
| Resource Management | Resource names match the specified regular expression | None | No |
| Resource Management | Resource groups for linked instances are inherited from the parent ECS instance | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Resource Management | Linked resources inherit the resource group of the ECS disk | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Resource Management | Linked resources inherit the resource group of the ECS network interface card | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Resource Management | Linked resources inherit the resource group of the NAT Gateway | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Resource Management | Linked resources inherit the resource group of the SLB instance | ACS-Config-ResourceManager-BulkyMoveResources | No |
| Resource Management | The resource group associated with a resource is not the default resource group | None | No |
| Resource Management | Resources inherit specified tags from the resource group | ACS-TAG-TagResourcesIgnoreCaseSensitive | No |
| Resource Management | Resources inherit tags from disks | ACS-TAG-TagResourcesIgnoreCaseSensitive | No |
| Resource Management | Resources inherit tags from the parent ECS instance | None | No |
| Resource Management | The account type for Resource Management is checked | None | No |
| Resource Management | Resources inherit tags from Kafka instances | ACS-TAG-TagResourcesIgnoreCaseSensitive | No |
| Tags (Note: for information about Alibaba Cloud services that support tags, see Alibaba Cloud services that support tags.) | All specified tags exist | ACS-TAG-TagResources | No |
| Tags | At least one specified tag exists | None | No |
| Tags | Matching multiple tag values with an enumeration | None | No |
| Tags | All specified tags are matched | None | No |
| Tags | Resources have tags | None | No |
| Tags | Resource tags match the specified regular expression | ACS-TAG-TagResources | No |
| Tags | Resource tags have consistent case and no leading or trailing whitespace | ACS-Config-Tag-TagResources | No |
| ActionTrail | A trail is enabled for ActionTrail | None | No |
| ActionTrail | Full log tracking is enabled for ActionTrail | None | No |
| CloudMonitor | A CloudMonitor alert rule is set for the specified Alibaba Cloud service | None | No |
| CloudMonitor | An event-triggered alert rule with the specified name is set in CloudMonitor | None | No |

Artificial intelligence

| Alibaba Cloud service | Rule template | OOS template ID for remediation | Supports dry run |
|---|---|---|---|
| Platform for AI (PAI) | Set alerts for the PAI-DLC distributed training service | None | No |
| Platform for AI (PAI) | Set alerts for the PAI-EAS online model service | None | No |
| Platform for AI (PAI) | Enable AIMaster-based fault tolerance monitoring for PAI distributed training | None | No |
| Platform for AI (PAI) | Enable computing power health checks for PAI distributed training | None | No |
| Platform for AI (PAI) | PAI online model service instances are distributed across multiple zones | None | No |
| Alibaba Cloud Model Studio | Enable the input content safety guardrail for Model Studio | None | No |
| Alibaba Cloud Model Studio | Enable the output content safety guardrail for Model Studio | None | No |
| Alibaba Cloud Model Studio | Enable the input content prompt attack safety guardrail for Model Studio | None | No |
| Alibaba Cloud Model Studio | Enable the output content prompt attack safety guardrail for Model Studio | None | No |
| Alibaba Cloud Model Studio | Enable the output content malicious URL safety guardrail for Model Studio | None | No |