This topic describes the check items supported by governance maturity detection model 2.0.
Security
Category | Check item | Description | Quick fix description | Auxiliary decision support |
--- | --- | --- | --- | --- |
Account Management | MFA is disabled for the Alibaba Cloud account | Multi-factor authentication (MFA) provides advanced security protection for your Alibaba Cloud account. If MFA is disabled for an Alibaba Cloud account, the account is considered non-compliant. | Quick fix is not supported. | No |
Account Management | An AccessKey pair is enabled for the Alibaba Cloud account | An AccessKey pair for an Alibaba Cloud account grants full permissions on all resources within the account. Limits, such as source IP addresses or access times, cannot be applied. If the AccessKey pair is leaked, the account's resources are exposed to high security risks. An Alibaba Cloud account with an enabled AccessKey pair is considered non-compliant. | Quick fix is not supported. | No |
Account Management | The Alibaba Cloud account was used to log on to the console in the last 90 days | An Alibaba Cloud account has full permissions and cannot be restricted by conditions such as source IP addresses or access times. If the credentials are leaked, the account's resources are exposed to high security risks. If the Alibaba Cloud account is used to log on to the console more than three times within 90 days, the account is considered non-compliant. | Quick fix is not supported. | No |
User management | RAM SCIM is not used to synchronize users | You can use the System for Cross-domain Identity Management (SCIM) protocol to synchronize user identities from your enterprise to Alibaba Cloud without manually creating users. If SCIM synchronization is not configured for the current account, or if a synchronized user has not logged on in the last 60 days, the account is considered non-compliant. | Quick fix is not supported. | No |
User management | RAM SSO is not used for console logon | Single sign-on (SSO) helps you centrally manage identities, which improves management efficiency and reduces risks. If RAM SSO is not configured for the current account, or if there are no SSO-based logons within the last 30 days, the account is considered non-compliant. | Quick fix is not supported. | No |
User management | A RAM user has both console logon and an AccessKey pair enabled | A RAM user should serve a single purpose: either a person who logs on to the console, or a program that calls API operations with an AccessKey pair. If a RAM user has both an AccessKey pair and console logon enabled, the account is considered non-compliant. | Quick fix is not supported. | Yes |
User management | RAM is not used for identity management | An Alibaba Cloud account has full permissions. If the credentials are leaked, the account's resources are exposed to high security risks. You should perform daily operations as a RAM identity. If no RAM identity exists in the current account, the account is considered non-compliant. | Quick fix is not supported. | No |
Personnel identity management | A complete password strength policy is not configured | A strong password reduces the risk of dictionary attacks and brute-force attacks. If you do not configure a strong password policy that includes password strength, a validity period, historical password checks, and retry limits, the account is considered non-compliant. | This fix modifies key password strength settings in Resource Access Management (RAM). The settings include a minimum password length of 8 characters, at least three character types, a validity period of less than 90 days, and a maximum of 5 logon retries per hour. These settings are based on recommended best practices. You can modify the parameters for stricter password requirements as needed. After the settings are applied, they affect all RAM users. | No |
Personnel identity management | MFA is disabled for a RAM user | MFA provides advanced security protection for RAM users. If a RAM user has console logon enabled but MFA is not, the account is considered non-compliant. | Quick fix is not supported. | Yes |
Personnel identity management | An idle RAM user exists | When you enable console logon for a RAM user, a logon password is set. The longer a password is used, the higher the risk of exposure. If a RAM user has been idle for more than 90 days, the account is considered non-compliant. | Quick fix is not supported. | Yes |
Programmatic identity management | ECS instances do not use the security-hardened metadata service (New in Model 2.0) | Ensure that ECS instances use the security-hardened mode of the metadata service (Version 2) to prevent potential Security Token Service (STS) token leaks from Version 1. An ECS instance that uses Version 1 of the metadata service is considered non-compliant. To resolve this, you can upgrade the metadata service to Version 2. | Quick fix is not supported. | No |
Programmatic identity management | An AccessKey pair is not rotated regularly | Rotate AccessKey pairs regularly to reduce their exposure time and lower the risk of leaks. If a RAM user's AccessKey pair has been in use for more than 90 days, the account is considered non-compliant. | Quick fix is not supported. | No |
Programmatic identity management | An AccessKey-free solution is not used for programmatic access | Workloads that run on Alibaba Cloud should obtain temporary credentials from a role instead of embedding a long-lived AccessKey pair. The account is considered non-compliant if an instance RAM role is not configured for ECS, the RRSA (RAM Roles for Service Accounts) plug-in is not enabled for ACK, or a service role is not configured in Function Compute. | Quick fix is not supported. | No |
Programmatic identity management | A leaked AccessKey pair is not handled | After an AccessKey pair is leaked, an attacker can use it to access your resources or data, which can cause a security incident. If there is an unhandled AccessKey pair leak event, the account is considered non-compliant. | Quick fix is not supported. | No |
Programmatic identity management | A RAM user has two enabled AccessKey pairs | A RAM user can have at most two AccessKey pairs. If both are enabled, no free slot remains for creating a replacement pair, so the existing pairs cannot be rotated without first disabling one of them, which poses a security risk. If a RAM user has two enabled AccessKey pairs, the account is considered non-compliant. | Quick fix is not supported. | No |
Programmatic identity management | A RAM user has an idle AccessKey pair | A RAM user's AccessKey pair can be used to call Alibaba Cloud API operations. The longer an AccessKey pair is exposed, the higher the risk of a leak. If a RAM user's AccessKey pair has not been used for more than 90 days, the account is considered non-compliant. | Quick fix is not supported. | Yes |
Use granular authorization | No RAM identity has a restricted scope of operations | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. The requirement is met if a RAM identity in the current Alibaba Cloud account is granted only a subset of the operation permissions for a cloud service. | Quick fix is not supported. | No |
Use granular authorization | No RAM identity has restricted access to OSS or SLS | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. For access to data products such as OSS and SLS, use granular authorization to reduce the risk of data breaches caused by identity leaks. If a RAM identity in the current Alibaba Cloud account is granted permissions for data-related products, you must use granular authorization. Do not grant batch authorization using the wildcard character (*). | Quick fix is not supported. | No |
Use granular authorization | No RAM identity has granular authorization (Deleted in Model 2.0) | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. You can use custom policies to grant granular permissions to RAM identities. If no RAM identity is attached to a custom policy, the account is considered non-compliant. | Quick fix is not supported. | No |
Use logon credential reports | Identity and permission check reports are not obtained regularly (Deleted in Model 2.0) | If you have not viewed the identity and permission governance report, user credential report, or cloud governance maturity report for the current account in the last 90 days, the account is considered non-compliant. | Quick fix is not supported. | No |
Use logon credential reports | The "AccessKey and Permission Governance Best Practices" compliance package is not enabled (Deleted in Model 2.0) | If the "AccessKey and Permission Governance Best Practices" compliance package in Cloud Config is not enabled, the account is considered non-compliant. | This fix creates a compliance package in Cloud Config based on the "AccessKey and Permission Governance Best Practices" template. You can then view the check results in Cloud Config. | No |
Control log archiving | ActionTrail logs are not retained for a long period | If no trail is created, or if the created trail does not archive events from all regions, does not archive all read and write events, or has an archive storage period of less than 180 days, the account is considered non-compliant. | This fix improves the existing trail settings for the current account. This includes enabling complete management read and write events and events in all regions. You can select at least one existing trail from the list to improve its settings. After the fix is applied, new read, write, and all-region events are delivered to the trail's destination. Historical events in storage are not affected. | No |
Configuration change detection | Cloud Config is not enabled | If Cloud Config is not enabled for the current account, the account is considered non-compliant. | Quick fix is not supported. | No |
Configuration change detection | Delivery of resource changes or snapshots is not configured | If the delivery of resource changes or snapshots is not configured in Cloud Config, the account is considered non-compliant. | Quick fix is not supported. | No |
Compliance check coverage | Cloud Config compliance rules do not cover all cloud resources | The evaluation is based on the percentage of resources covered by rules. If the coverage is less than 100%, the account is considered non-compliant. | Quick fix is not supported. | No |
Compliance check coverage | Cloud Config compliance rules are not enabled | If Cloud Config rules are not enabled for the current account, the account is considered non-compliant. | Quick fix is not supported. | No |
Non-compliance alert response | Compliance check data is not obtained regularly | If the delivery of non-compliance events is not configured or check results are not viewed in Cloud Config, the account is considered non-compliant. | Quick fix is not supported. | No |
Non-compliance alert response | Alert rules are not configured for risky operation events | If none of the account security-related rules or ActionTrail operation compliance-related rules supported in ActionTrail event alerts are enabled, the account is considered non-compliant. | Quick fix is not supported. | No |
Alert event handling | A cloud resource is non-compliant | If the compliance rate of resources that are checked by enabled Cloud Config rules is less than 100%, the account is considered non-compliant. | Quick fix is not supported. | No |
Enable automatic remediation | Automatic remediation is not used for non-compliant items | If automatic remediation is not enabled for any rule, the account is considered non-compliant. | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted high-risk permissions for OSS and SLS | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. A RAM identity with | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted administrator permissions | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. Administrator permissions allow any operation on any resource in the account. Avoid granting administrator permissions to too many RAM identities to prevent business impact in the event of an identity leak. In the current Alibaba Cloud account, the requirement is met if three or fewer RAM identities have administrator permissions. | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted high-risk permissions for the User Center | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. A RAM identity with write permissions for the billing and User Center product (BSS) can modify information such as orders, invoices, contracts, and bills, and perform financial operations such as transactions and withdrawals. Poor management can result in asset loss. In the current Alibaba Cloud account, the requirement is met if three or fewer RAM identities have write permissions such as | Quick fix is not supported. | No |
Prevent privilege abuse | Too many RAM identities are granted high-risk permissions for RAM | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. A RAM identity with write permissions for the RAM product can create new identities or modify the permissions of existing identities. This can result in excessive authorization and pose risks to the security and confidentiality of resources in the account. In the current Alibaba Cloud account, the requirement is met if three or fewer RAM identities have write permissions such as | Quick fix is not supported. | No |
Prevent privilege abuse | All RAM identities are granted administrator permissions | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. Avoid granting administrator permissions to all RAM identities to prevent business impact in the event of an identity leak. If at least one RAM identity is granted only non-administrator permissions, the requirement is met. | Quick fix is not supported. | No |
Authorization efficiency and control | No RAM user inherits authorization from a RAM user group (New in Model 2.0) | By default, RAM users, groups, and roles cannot access any resources. You can grant permissions to users, groups, or roles using RAM policies. You should apply RAM policies directly to groups and roles, not to users. Assigning permissions at the group or role level reduces management complexity as the number of users grows. It also reduces the risk of unintentionally expanding a RAM user's permissions. If any RAM user inherits authorization from a RAM user group, this is considered a best practice. | Quick fix is not supported. | No |
Authorization efficiency and control | The scope of a custom policy granted to a RAM identity does not specify a resource group (New in Model 2.0) | By default, when you grant a custom policy to a RAM identity, the policy takes effect at the account level. In this case, if the custom policy does not explicitly limit the specified resources or specify the conditions for the permissions to take effect, the RAM identity has the specified permissions on all resources in the account. As a best practice for cloud resource management, you can group resources by resource group and grant permissions to RAM identities based on these groups. During authorization, restricting the scope to a resource group can better limit the permissions of the RAM identity and achieve granular authorization. If a custom policy granted to a RAM identity has its scope set to a resource group, or if a resource group is specified in the policy conditions, this is considered a best practice. | Quick fix is not supported. | No |
Authorization efficiency and control | No RAM identity with administrator permissions has its authorization restricted to a resource group | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. By dividing cloud resources into resource groups based on dimensions such as applications and environments, you can grant permissions by resource group. This further narrows the permission scope and avoids risks from excessive permissions. In the current account, if a RAM identity with the AdministratorAccess permission has its authorization scope set to a resource group, the requirement is met. | Quick fix is not supported. | No |
Authorization efficiency and control | No RAM identity with a service-level system policy has its authorization restricted to a resource group | For permission management of RAM identities, follow the principle of least privilege and grant only the necessary permissions. By dividing cloud resources into resource groups based on dimensions such as applications and environments, you can grant permissions by resource group. This further narrows the permission scope and avoids risks from excessive permissions. In the current Alibaba Cloud account, if a RAM identity with a service-level system policy, such as AliyunECSFullAccess, has its authorization scope set to a resource group, the requirement is met. | Quick fix is not supported. | No |
Data storage instances should avoid public access | Public read is not disabled for an OSS bucket (New in Model 2.0) | Prevent OSS bucket content from being publicly readable to ensure data confidentiality and security. If an OSS bucket is set to public-read, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public access | An OSS bucket grants access permissions to an anonymous account (New in Model 2.0) | Implementing the principle of least privilege is fundamental to reducing security risks and minimizing the impact of errors or malicious actions. If an OSS bucket policy allows anonymous access, attackers can exfiltrate data. In addition, if an external account is controlled by a malicious attacker, your data can be tampered with or deleted. This not only threatens data integrity and confidentiality but can also lead to business interruptions and legal issues. As a best practice, you should prohibit anonymous access to OSS buckets using policies. If a bucket policy allows anonymous access, which means the authorized user is all accounts (*) and the effect is Allow, it does not meet the best practice. | Quick fix is not supported. | No |
Data storage instances should avoid public access | An OSS bucket is configured for public write (New in Model 2.0) | OSS supports public access through bucket policies and access control lists (ACLs). Public write means that any OSS resource can be modified or new file objects can be uploaded to a bucket without specific permissions or authentication. Public write allows anyone to upload and modify data in an OSS bucket, which can easily lead to data breaches and high costs from malicious access. As a best practice, you should disable public write permissions for OSS buckets and access data in OSS buckets only through signed URLs or API calls. If an OSS bucket policy or ACL includes public write semantics, the OSS bucket may be at risk of public write, which does not comply with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | HTTPS listeners are not enabled for SLB (New in Model 2.0) | Ensure that Server Load Balancer (SLB) has HTTPS listeners enabled to encrypt data during transmission using the TLS protocol. If SLB does not have HTTPS listeners enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public access | A PolarDB instance has a public endpoint configured (New in Model 2.0) | Exposing a database to the Internet may pose security risks. Once a database is exposed, it may be visible to malicious attackers. In addition, if proper access controls are not implemented, data breaches or damage can easily occur. As a best practice, you should allow database instances to be accessed only from within a VPC, set an appropriate IP address whitelist, and configure complex accounts and passwords for the database. If a cluster has a public endpoint enabled, it does not comply with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | An Elasticsearch instance does not use the HTTPS protocol for transmission (New in Model 2.0) | An Elasticsearch instance that provides services only over HTTP may pose data security risks. Because HTTP communications are transmitted in plaintext, attackers can easily obtain and view the content, acquiring sensitive information and leading to data breaches. As a best practice, you should access Elasticsearch using HTTPS within your application or client to ensure data is encrypted during transmission. If the HTTPS protocol switch is enabled in the cluster network settings of an Elasticsearch instance, it is considered compliant with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public access | The IP address whitelist of a PolarDB instance is set to 0.0.0.0/0 (New in Model 2.0) | An IP address whitelist is a list of IP addresses that are allowed to access a PolarDB cluster. If the IP address whitelist is set to % or 0.0.0.0/0, any IP address can access the database cluster. This setting greatly reduces database security. Do not use this setting unless necessary. As a best practice, you should follow the principle of least privilege and set an appropriate IP address whitelist to provide high-level access security for your PolarDB cluster. If a cluster's IP address whitelist is set to 0.0.0.0/0 or %, it does not comply with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public access | The IP address whitelist of an Elasticsearch instance is set to 0.0.0.0/0 (New in Model 2.0) | An instance IP address whitelist is a list of IP addresses that are allowed to access an Elasticsearch instance. If the IP address whitelist is set to | Quick fix is not supported. | No |
Data storage instances should avoid public access | The IP address whitelist of a Redis instance is set to 0.0.0.0/0 (New in Model 2.0) | An IP address whitelist is a list of IP addresses that are allowed to access a Redis instance. If the IP address whitelist is set to 0.0.0.0/0, any IP address can access the database cluster. This setting greatly reduces database security. Do not use this setting unless necessary. As a best practice, you should follow the principle of least privilege and set an appropriate IP address whitelist to provide high-level access security for your database instance. If an instance's IP address whitelist is set to 0.0.0.0/0, it does not comply with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | A certificate in SSL Certificate Service will expire within 30 days (New in Model 2.0) | After an SSL Certificate expires, a client cannot verify the server's identity. This may cause users to be unable to access the service or see warnings, which affects user experience. Failure to update the certificate promptly can lead to decreased service availability, reduced customer trust, and even data breaches. In addition, certificate renewal and updates often require a certain period. You should reserve sufficient time to update certificates to avoid service interruptions. If a digital certificate in the certificate management service has an expiration time of 30 days or less, it does not comply with best practices. | Quick fix is not supported. | No |
Network boundary protection | A security group inbound rule is set to 0.0.0.0/0 and allows access from any port (New in Model 2.0) | Prohibit security group rules that allow all IP addresses (0.0.0.0/0) to access from any port. Access must be restricted to specific IP address ranges and ports. If a security group's inbound rule contains 0.0.0.0/0 and does not specify a port, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public access | The IP address whitelist of an RDS instance is set to 0.0.0.0/0 (New in Model 2.0) | An IP address whitelist is a list of IP addresses that are allowed to access an RDS instance. If the IP address whitelist is set to 0.0.0.0/0, any IP address can access the database cluster. This setting greatly reduces database security. Do not use this setting unless necessary. As a best practice, you should follow the principle of least privilege and set an appropriate IP address whitelist to provide high-level access security for your database instance. If an instance's IP address whitelist is set to 0.0.0.0/0, it does not comply with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public access | Public access is enabled for an Elasticsearch instance (New in Model 2.0) | Exposing Elasticsearch to the Internet may pose security risks. Once an instance is exposed, it may be visible to malicious attackers. In addition, if proper access controls are not implemented, data breaches or damage can easily occur. As a best practice, you should allow Elasticsearch instances to be accessed only from within a VPC, set an appropriate IP address whitelist, and configure appropriate access controls. If an instance has a public endpoint enabled, it does not comply with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | A CDN domain name is not configured to force HTTP to HTTPS redirection (New in Model 2.0) | Providing external services over HTTP only with CDN may pose data security risks. Because HTTP communications are transmitted in plaintext, attackers can easily obtain and view the content, acquiring sensitive information such as user credentials and private data, which can lead to data breaches. As a best practice, you should use HTTPS for CDN domain names that provide external services, and force requests on HTTP listeners to redirect to HTTPS listeners. This ensures that data is encrypted during transmission. If the force redirect type for a CDN domain name's HTTPS configuration is not set to HTTPS, it does not comply with best practices. | Quick fix is not supported. | No |
Network boundary protection | ECS instances are not prohibited from being assigned public IP addresses (New in Model 2.0) | To reduce the attack surface, you should prevent ECS instances from being directly exposed to the Internet. Route outbound traffic through a NAT Gateway and expose inbound services through a Server Load Balancer instead of binding a public IP address to the instance. If an ECS instance is assigned a public IP address, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public access | A Redis instance has a public endpoint configured (New in Model 2.0) | Exposing a database to the Internet may pose security risks. Once a database is exposed, it may be visible to malicious attackers. In addition, if proper access controls are not implemented, data breaches or damage can easily occur. As a best practice, you should allow database instances to be accessed only from within a VPC, set an appropriate IP address whitelist, and configure complex accounts and passwords for the database. If an instance has a public endpoint enabled, it does not comply with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | A CDN domain name is not configured with HTTPS (New in Model 2.0) | Providing external services over HTTP only with CDN may pose data security risks. Because HTTP communications are transmitted in plaintext, attackers can easily obtain and view the content, acquiring sensitive information such as user credentials and private data, which can lead to data breaches. As a best practice, you should use HTTPS for CDN domain names that provide external services, and force requests on HTTP listeners to redirect to HTTPS listeners. This ensures that data is encrypted during transmission. If HTTPS secure acceleration is not enabled for a CDN domain name, it does not comply with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public access | An RDS instance has a public endpoint configured (New in Model 2.0) | Exposing a database to the Internet may pose security risks. Once a database is exposed, it may be visible to malicious attackers. In addition, if proper access controls are not implemented, data breaches or damage can easily occur. As a best practice, you should allow database instances to be accessed only from within a VPC, set an appropriate IP address whitelist, and configure complex accounts and passwords for the database. If an instance has a public endpoint enabled, it does not comply with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public access | The Kibana service of an Elasticsearch instance has public access enabled (New in Model 2.0) | Exposing Kibana to the Internet may pose security risks. Once an instance is exposed, it may be visible to malicious attackers. In addition, if proper access controls are not implemented, data breaches or damage can easily occur. As a best practice, you should allow Kibana instances to be accessed only from within a VPC, set an appropriate IP address whitelist, and configure appropriate access controls. If the Kibana service of an Elasticsearch instance has public access enabled, it does not comply with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public access | A Tablestore instance has public access configured (New in Model 2.0) | By default, Tablestore creates a public domain name, a VPC domain name, and a classic network domain name for each instance. The public domain name is reachable from any client on the Internet, so requests to Tablestore resources can be sent through it from anywhere. The classic network domain name is reachable from ECS servers in the same region, and applications on classic network ECS servers in the same region can access the instance through it. As a best practice, you should allow instances to be accessed only from the console or a VPC. Restricting access from the Internet or classic network provides better network isolation and enhances data security. If a Tablestore instance's network type is set to "Console or VPC Access Only" or "Bound VPC Access Only", it is considered compliant with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | An API with public access in API Gateway is not configured with HTTPS (New in Model 2.0) | Providing external APIs only over HTTP may pose data security risks. Because HTTP communications are transmitted in plaintext, attackers can easily obtain and view the content, acquiring sensitive information such as user credentials and private data, which can lead to data breaches. As a best practice, you should use HTTPS for APIs that provide external services, and force requests on HTTP listeners to redirect to HTTPS listeners. This ensures that data is encrypted during transmission. If a domain name associated with API Gateway is not configured with the HTTPS protocol, it does not comply with best practices. | Quick fix is not supported. | No |
Network boundary protection | A security group exposes high-risk ports (22, 3389, etc.) to the Internet (New in Model 2.0) | Prohibit security group rules that allow Internet access to high-risk ports such as SSH (22) and RDP (3389) to prevent network attacks and unauthorized access. If a security group exposes high-risk ports such as SSH (22) and RDP (3389) to the Internet, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public access | A MongoDB instance has a public endpoint configured (New in Model 2.0) | Exposing a database to the Internet may pose security risks. Once a database is exposed, it may be visible to malicious attackers. In addition, if proper access controls are not implemented, data breaches or damage can easily occur. As a best practice, you should allow database instances to be accessed only from within a VPC, set an appropriate IP address whitelist, and configure complex accounts and passwords for the database. If an instance has a public endpoint enabled, it does not comply with best practices. | Quick fix is not supported. | No |
Data storage instances should avoid public access | The IP address whitelist of a MongoDB instance is set to 0.0.0.0/0 (New in Model 2.0) | An IP address whitelist is a list of IP addresses that are allowed to access a MongoDB instance. If the IP address whitelist is set to 0.0.0.0/0, any IP address can access the database cluster. This setting greatly reduces database security. Do not use this setting unless necessary. As a best practice, you should follow the principle of least privilege and set an appropriate IP address whitelist to provide high-level access security for your database instance. If an instance's IP address whitelist is set to 0.0.0.0/0, it does not comply with best practices. | Quick fix is not supported. | No |
Data transmission should use TLS | An SLB server certificate will expire in less than 30 days (New in Model 2.0) | Ensure that the server certificate used by SLB will not expire within 30 days to avoid transmission encryption failure due to certificate expiration. If the remaining validity of an SLB server certificate is 30 days or less, it is considered non-compliant. | Quick fix is not supported. | No |
Data storage instances should avoid public access | An OSS bucket allows access from accounts outside the organization (New in Model 2.0) | Ensure that OSS buckets are accessible only to accounts within your organization to prevent data breach risks. If an OSS bucket allows access from accounts outside the organization, it is considered non-compliant. | Quick fix is not supported. | No |
Network boundary protection | VPC access traffic is not fully protected by the VPC firewall (New in Model 2.0) | All VPC access traffic must be protected by the VPC firewall of Cloud Firewall to reduce risks from internal network traffic. If you use Cloud Firewall but some VPC access traffic is not protected by the VPC firewall, the check item is considered non-compliant with network security best practices. | Quick fix is not supported. | No |
Host vulnerabilities | The anti-virus feature is not enabled (New in Model 2.0) | Enabling virus scanning can effectively clean various malicious threats from servers. It provides effective protection against major ransomware, DDoS Trojans, mining programs, trojans, malicious programs, back doors, and worms. If you have purchased Security Center Anti-virus (Enterprise or Ultimate Edition) but have not configured a periodic virus scan policy, it is considered non-compliant. | Quick fix is not supported. | No |
Network boundary protection | Virtual Patches are not enabled for Cloud Firewall IPS (New in Model 2.0) | The intrusion prevention system (IPS) module of Cloud Firewall should have Virtual Patches enabled. Cloud Firewall can provide real-time protection against popular high-risk and emergency vulnerabilities. Virtual Patches provide hotfixes at the network layer for remotely exploitable high-risk and emergency vulnerabilities. They intercept vulnerability attacks in real time and avoid business interruptions while you fix host vulnerabilities. If you use Cloud Firewall but have not enabled this feature, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall has an insufficient number of available authorizations (New in Model 2.0) | This check item ensures that the Cloud Firewall specifications are reasonable in terms of available authorizations. If you use Cloud Firewall, but the number of public assets without Internet firewall protection exceeds the number of available protection authorizations, it does not comply with network security best practices. | Quick fix is not supported. | No |
Alert handling | There are pending Security Center alerts (New in Model 2.0) | Security alert events are threats detected by Security Center on your servers or cloud products. They cover alert types such as web tamper proofing, process anomalies, web shells, anomalous logons, and malicious processes. Handling alerts promptly can improve your asset security posture. If the number of unhandled alerts is greater than 0, it is considered non-compliant. | Quick fix is not supported. | No |
Network attack response | DDoS intelligent protection for websites is set to strict mode (New in Model 2.0) | Intelligent protection aims to enhance website security. However, enabling strict mode in the policy configuration can cause some false positives for your business. Therefore, strict mode is more suitable for websites whose protection effect is poor or unsatisfactory. Website domain name services already have inherent protection against common Layer 4 attacks. For most website services, you should not enable strict mode in intelligent protection. Use the default normal mode to balance protection effectiveness and business continuity. | Quick fix is not supported. | No |
Network boundary protection | No ACL policy is created for Cloud Firewall (New in Model 2.0) | After you enable the firewall, if you do not configure an access control policy, Cloud Firewall allows all traffic by default during the policy matching stage. You can configure traffic blocking and allowing policies for different firewalls as needed to better control unauthorized access to your assets. If you use Cloud Firewall but have not created an access control policy, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | NAT gateways are not fully protected by NAT firewalls (New in Model 2.0) | To reduce the risk of private networks accessing the Internet, all NAT Gateway instances should be protected by Cloud Firewall NAT firewalls. If you use Cloud Firewall but there are NAT gateways without protection enabled, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Block Mode is not enabled for Cloud Firewall IPS (New in Model 2.0) | The intrusion prevention system (IPS) module of Cloud Firewall should be configured in Block Mode to intercept malicious traffic and block intrusion activities. If you use Cloud Firewall but have not enabled this feature, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Threat intelligence is not enabled for Cloud Firewall IPS (New in Model 2.0) | The intrusion prevention system (IPS) module of Cloud Firewall should have the threat intelligence feature enabled to scan for reconnaissance threats and provide command-and-control intelligence blocking. If you use Cloud Firewall but have not enabled this feature, it does not comply with network security best practices. | Quick fix is not supported. | No |
Monitoring and auditing | Logs of Cloud Firewall are not collected and stored for 180 days or more (New in Model 2.0) | Cloud Firewall automatically records all traffic and provides a visual log audit page for convenient querying of attack events, traffic details, and operation logs. This makes it easy to trace the source of attacks and review traffic. By default, Cloud Firewall stores audit logs for 7 days to meet basic audit and analysis needs. However, to better meet compliance requirements and improve security, we recommend that you extend the log storage period to 180 days or more. If you have purchased a subscription version of Cloud Firewall but do not collect and store its logs for 180 days or more, it does not comply with network security best practices. | Quick fix is not supported. | No |
Host vulnerabilities | There are vulnerabilities to be fixed (New in Model 2.0) | Vulnerability management is a continuous, proactive process that protects systems, networks, and enterprise applications from network attacks and data breaches. Promptly addressing potential security weaknesses can prevent attacks and minimize damage if an attack occurs. If the number of vulnerabilities to be fixed in your Alibaba Cloud account is greater than 0, it is considered non-compliant. | Quick fix is not supported. | No |
Business risk control | Web tamper proofing is not enabled (New in Model 2.0) | The web tamper proofing feature monitors website directories or files in real time. If a website is maliciously tampered with, this feature can restore the tampered files or directories from backups. This prevents illegal information from being injected into the website and ensures its normal operation. If you have purchased the tamper-proofing feature but have not bound any servers to it, it is considered non-compliant. | Quick fix is not supported. | No |
Host vulnerabilities | There are host baselines to be fixed (New in Model 2.0) | Viruses and hackers exploit security vulnerabilities in server configurations to steal data or plant back doors. The baseline check feature inspects the security of server configurations, including operating systems, databases, software, and containers. Timely remediation of identified baseline risks strengthens system security, reduces intrusion risks, and helps you meet security compliance requirements. An Alibaba Cloud account is considered non-compliant if it has one or more unfixed baseline risks. | Quick fix is not supported. | No |
Network boundary protection | Basic protection is not enabled for Cloud Firewall IPS (New in Model 2.0) | The intrusion prevention system (IPS) module of Cloud Firewall should have basic protection enabled. Basic protection provides fundamental intrusion prevention capabilities, including brute-force attack interception, command execution vulnerability interception, and control over connections to command-and-control (C&C) servers after infection. This provides basic protection for your assets. If you use Cloud Firewall but have not enabled this feature, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | The protection bandwidth of Cloud Firewall is insufficient (New in Model 2.0) | This check item ensures that the Cloud Firewall specifications are reasonable in terms of protection bandwidth. If you use Cloud Firewall, but the actual peak bandwidth in the last 30 days exceeds the purchased protection bandwidth, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | A default deny policy is not configured for Cloud Firewall (New in Model 2.0) | To ensure network security, Cloud Firewall should have a default deny policy configured (an IPv4 address policy where both the source and destination for inbound/outbound access are 0.0.0.0/0, and the action is Deny). All traffic other than explicitly allowed trusted traffic should be blocked by default. If you use Cloud Firewall but have not configured a default deny policy, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall does not protect all public assets (New in Model 2.0) | This check item ensures that all public assets are protected by Cloud Firewall. If you use Cloud Firewall but there are public assets without Internet firewall protection enabled, it does not comply with network security best practices. | Quick fix is not supported. | No |
Network attack response | Anti-DDoS Origin does not have a corresponding protected object added (New in Model 2.0) | After you purchase Anti-DDoS Origin or an Anti-DDoS instance, you must add public assets as protected objects so that Anti-DDoS can provide mitigation for them. Otherwise, the protection is not effective and the cost is wasted. | Quick fix is not supported. | No |
Container vulnerabilities | Container image scanning is not configured (New in Model 2.0) | If an image has system or application vulnerabilities, or is replaced with a malicious image, services created from the problematic image will have vulnerabilities. By scanning images in the image repository, security personnel can push the scan results to developers to fix the image issues and ensure business security. If you have purchased container image scanning but have not configured a scan scope in the settings, it is considered non-compliant. | Quick fix is not supported. | No |
Application runtime security | An application protection configuration is not created (New in Model 2.0) | By detecting attacks and protecting applications at runtime, you can effectively protect Java applications, prevent 0-day vulnerability attacks, and provide security defense for your applications. If you have purchased application protection but have not created an application configuration (the group count is 0), it is considered non-compliant. | Quick fix is not supported. | No |
Host vulnerabilities | An anti-ransomware policy is not enabled (New in Model 2.0) | Ransomware intrusions can encrypt customer business data, which leads to business interruptions, data breaches, and data loss, and poses serious business risks. Configuring an anti-ransomware policy promptly can effectively reduce these risks. If you have purchased the anti-ransomware feature but have not created a protection policy, it is considered non-compliant. | Quick fix is not supported. | No |
Network boundary protection | Cloud Firewall is not used to protect network traffic (New in Model 2.0) | Alibaba Cloud Firewall is a SaaS firewall on the cloud platform. It provides unified security isolation and control for your cloud network assets at the Internet border, VPC border, and internal border. It is the first line of network defense for your business on the cloud. If you do not use Cloud Firewall, it does not comply with network security best practices. | Quick fix is not supported. | No |
Centralized multi-account management | Centrally manage multi-account identities | Using CloudSSO, you can centrally manage enterprise users who use Alibaba Cloud, configure single sign-on between your enterprise identity management system and Alibaba Cloud, and centrally configure access permissions for all users to member accounts in the resource directory. If you have not used CloudSSO to log on for more than 90 days, it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Centrally collect multi-account operation logs | By default, ActionTrail records events for each Alibaba Cloud account for only the last 90 days. Creating a trail helps enterprises persistently store operation records to meet internal and external compliance requirements. A multi-account trail helps enterprise administrators centrally track and audit logs from multiple accounts within the enterprise. If no multi-account trail is detected, it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Use control policies for multi-account border protection | A control policy for a resource directory allows an organization to restrict the Alibaba Cloud services and operations that member accounts can access. This centrally manages the permission boundaries of member accounts and ensures that the entire organization complies with unified security and compliance standards. If the account has not created a custom access control policy and attached it to a folder or member of the resource directory, it is considered non-compliant. | Quick fix is not supported. | No |
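The Security check items above state their pass/fail conditions in prose; the following added example (written for this page, not the governance model's or Alibaba Cloud's own code) turns five of them into an offline evaluator that can be run against exported configuration: Internet exposure of ports 22/3389 in a security group, a 0.0.0.0/0 MongoDB whitelist, SLB certificate validity of 30 days or less, the Cloud Firewall default deny policy, and Cloud Firewall log retention below 180 days. The record field names (`Direction`, `Policy`, `SourceCidrIp`, `PortRange`, `IpVersion`, `Action`, `Source`, `Destination`) and the sample records are assumptions constructed for the example, not the real API schema.

```python
"""Offline evaluator for several Security check items from the governance
maturity model table. Hypothetical code for illustration; the input field
names are assumptions and the sample records below are constructed."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

HIGH_RISK_PORTS = {22, 3389}  # SSH and RDP, as named in the check item
ANY_NETWORKS = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def _is_any_source(cidr: str) -> bool:
    """True when a CIDR admits every address (Internet-wide exposure)."""
    return ipaddress.ip_network(cidr, strict=False) in ANY_NETWORKS


def _port_range(spec: str) -> tuple[int, int]:
    """Parse an assumed "from/to" range; "-1/-1" is taken to mean all ports."""
    lo, hi = (int(p) for p in spec.split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def exposed_high_risk_ports(rules: list[dict]) -> set[int]:
    """Check 'security group exposes high-risk ports': returns the subset of
    HIGH_RISK_PORTS reachable from any source via an ingress accept rule.
    A non-empty result means the security group is non-compliant."""
    exposed: set[int] = set()
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"] != "accept":
            continue
        if not _is_any_source(rule["SourceCidrIp"]):
            continue
        lo, hi = _port_range(rule["PortRange"])
        exposed.update(p for p in HIGH_RISK_PORTS if lo <= p <= hi)
    return exposed


def whitelist_is_open(whitelist: list[str]) -> bool:
    """Check 'MongoDB IP whitelist is 0.0.0.0/0': any all-address entry fails."""
    return any(_is_any_source(entry) for entry in whitelist)


def cert_is_compliant(not_after: datetime, now: datetime) -> bool:
    """Check 'SLB certificate expiry': remaining validity must exceed 30 days;
    exactly 30 days remaining is non-compliant per the check description."""
    return (not_after - now).days > 30


def has_default_deny(policies: list[dict]) -> bool:
    """Check 'default deny policy': an IPv4 deny policy with source and
    destination 0.0.0.0/0 must exist for both the inbound and outbound direction."""
    covered = {
        p["Direction"]
        for p in policies
        if p["IpVersion"] == 4 and p["Action"] == "deny"
        and p["Source"] == "0.0.0.0/0" and p["Destination"] == "0.0.0.0/0"
    }
    return {"in", "out"} <= covered


def log_retention_is_compliant(retention_days: int) -> bool:
    """Check 'Cloud Firewall logs stored 180 days or more'."""
    return retention_days >= 180


def evaluate_account(account: dict, now: datetime) -> dict[str, bool]:
    """Map each check item to True (compliant) or False (non-compliant)."""
    return {
        "security_group_high_risk_ports": not exposed_high_risk_ports(account["sg_rules"]),
        "mongodb_whitelist": not whitelist_is_open(account["mongodb_whitelist"]),
        "slb_certificate": cert_is_compliant(account["slb_cert_not_after"], now),
        "cloud_firewall_default_deny": has_default_deny(account["cfw_policies"]),
        "cloud_firewall_log_retention": log_retention_is_compliant(account["cfw_log_days"]),
    }


# Constructed sample account: RDP open to the Internet, a 30-day certificate,
# a default deny policy for inbound only, and the 7-day default log retention.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNT = {
    "sg_rules": [
        {"Direction": "ingress", "Policy": "accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "443/443"},
        {"Direction": "ingress", "Policy": "accept", "SourceCidrIp": "10.0.0.0/8", "PortRange": "22/22"},
        {"Direction": "ingress", "Policy": "accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "3389/3389"},
        {"Direction": "egress", "Policy": "accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "-1/-1"},
    ],
    "mongodb_whitelist": ["10.0.0.0/8", "0.0.0.0/0"],
    "slb_cert_not_after": NOW + timedelta(days=30),
    "cfw_policies": [
        {"IpVersion": 4, "Action": "deny", "Source": "0.0.0.0/0", "Destination": "0.0.0.0/0", "Direction": "in"},
    ],
    "cfw_log_days": 7,
}

if __name__ == "__main__":
    for check, ok in evaluate_account(SAMPLE_ACCOUNT, NOW).items():
        print(f"{check}: {'compliant' if ok else 'NON-COMPLIANT'}")
```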
Stability
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Instance types | ECS resources do not use high-availability instance types | Shared or retired ECS instance types cannot guarantee stable computing performance. If you use a retired or shared ECS instance family, it is considered non-compliant. | Quick fix is not supported. | No |
Instance types | Elasticsearch resources do not use high-availability instance types | An Elasticsearch instance with 1 vCPU and 2 GB of memory is suitable only for testing, not for production environments. If you use an Elasticsearch instance with 1 vCPU and 2 GB of memory, it is considered non-compliant. | Quick fix is not supported. | No |
Instance types | RDS resources do not use high-availability instance types | An RDS Basic Edition instance has only one database node and no secondary node for hot backup. Therefore, if the node unexpectedly fails or tasks such as restarting the instance, changing configurations, or upgrading versions are performed, the service is unavailable for a long time. In addition, the shared and general-purpose instance families of RDS share resources with other instances on the same physical server, which makes them suitable only for application scenarios with low stability requirements. If your business has high availability requirements for databases, use the High-availability or Cluster series for the product series, and the Dedicated type for the instance family. If the RDS product series is not High-availability or Cluster, or the RDS instance family is not Dedicated, it is considered non-compliant. | Quick fix is not supported. | No |
Instance types | ACK resources are not deployed on high-availability instance types | Compared to the original managed edition, ACK Pro managed clusters have enhanced reliability, security, and scheduling capabilities, which makes them suitable for large-scale businesses in production environments. If you do not use the Professional Edition for managed clusters, it is considered non-compliant. | Quick fix is not supported. | No |
Instance types | Redis resources do not use high-availability instance types | Redis Enterprise Edition provides stronger performance, more data structures, and more flexible storage methods. If you do not use Redis Enterprise Edition, it is considered non-compliant. | Quick fix is not supported. | No |
Instance types | MongoDB resources do not use high-availability instance types | When MongoDB uses a single-node architecture, the fault recovery time is long and there is no SLA guarantee. If you do not use a multi-zone MongoDB instance, it is considered non-compliant. | Quick fix is not supported. | No |
Instance types | ONS resources do not use high-availability instance types | The Standard Edition of RocketMQ uses shared instances, which is not recommended for production environments. If you use a shared RocketMQ instance, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | PolarDB resources do not use stable versions | If the minor version of a PolarDB database is not stable, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | Redis resources do not use stable versions | If a Redis instance is not upgraded to the latest minor version, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | ACK resources do not use stable versions | If an ACK cluster is not upgraded to the latest version, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | The MSE engine version has risks (New in Model 2.0) | Using the latest MSE engine version is key to ensuring MSE service continuity. An outdated engine version can lead to issues such as code defects that cause garbage collection failures, memory overflows that lead to continuous memory growth, slow startup speeds, and JSON serialization defects. If the MSE-ZK or MSE-Ans engine version, or the MSE-Ans client version is too low, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | Elasticsearch resources do not use stable versions | If an Elasticsearch instance is using a version that is not recommended, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | ECS resources do not use stable versions | If an ECS instance uses an operating system version that is no longer supported, it is considered non-compliant. | Quick fix is not supported. | No |
Stable versions | The MSE-Ingress gateway version has security or stability risks (New in Model 2.0) | Using the latest version of Ingress is key to ensuring gateway service continuity. An outdated version can pose security or stability risks, and can cause inaccurate instance lists when you subscribe to Nacos services. If the MSE-Ingress version is too low, it is considered non-compliant. | Quick fix is not supported. | No |
Expiration risk | DDoS resources are at risk of expiration | If a DDoS instance will expire in less than 30 days and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription DDoS instance resources. | No |
Expiration risk | EIP resources are at risk of expiration | If a subscription EIP instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription EIP instance resources. | No |
Expiration risk | CEN resources are at risk of expiration | If a Cloud Enterprise Network bandwidth plan will expire in less than 30 days and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription CEN instance resources. | No |
Expiration risk | RDS resources are at risk of expiration | If a subscription RDS instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription RDS instance resources. | No |
Expiration risk | ADB resources are at risk of expiration | If an AnalyticDB for MySQL Data Warehouse Edition instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription ADB instance resources. | No |
Expiration risk | PolarDB resources are at risk of expiration | If a subscription PolarDB instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription PolarDB instance resources. | No |
Expiration risk | Bastionhost resources are at risk of expiration | If a Bastionhost instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription Bastionhost instance resources. | No |
Expiration risk | SLB resources are at risk of expiration | If a subscription SLB instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription SLB instance resources. | No |
Expiration risk | Redis resources are at risk of expiration | If a subscription Redis instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription Redis instance resources. | No |
Expiration risk | MongoDB resources are at risk of expiration | If a subscription MongoDB instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription MongoDB instance resources. | No |
Expiration risk | DRDS resources are at risk of expiration | If a PolarDB-X 1.0 or PolarDB-X 2.0 instance will expire in less than 30 days and auto-renewal is not enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Expiration risk | CBWP resources are at risk of expiration | If a shared bandwidth instance will expire in less than 30 days and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected CBWP resources. | No |
Expiration risk | ECS resources are at risk of expiration | If a subscription ECS instance will expire in less than 30 days from the check time and auto-renewal is not enabled, it is considered non-compliant. | This fix enables auto-renewal for your selected subscription ECS instance resources. | No |
Deletion protection | Deletion protection is not enabled for EIP resources | If an EIP instance does not have deletion protection enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Deletion protection | Cluster lock is not enabled for PolarDB resources | If a PolarDB instance does not have cluster lock enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Deletion protection | Deletion protection is not enabled for MongoDB resources | If a MongoDB instance does not have deletion protection enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Deletion protection | Deletion protection is not enabled for ALB resources | If an ALB instance does not have deletion protection enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Deletion protection | Deletion protection is not enabled for ACK resources | If an ACK cluster does not have deletion protection enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Deletion protection | Deletion protection is not enabled for RDS resources | If an RDS instance does not have deletion protection enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Deletion protection | Deletion protection is not enabled for SLB resources | If an SLB instance does not have deletion protection enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Deletion protection | Deletion protection is not enabled for ECS resources | If an ECS instance does not have deletion protection enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Deletion protection | Deletion protection is not enabled for Redis resources | If a Redis instance does not have deletion protection enabled, it is considered non-compliant. | This fix enables deletion protection for the selected resources. The resources cannot be released through the console, API, or command line. To release the instance, you must first disable deletion protection on the instance details page. | No |
Change management | RDS resources have an unreasonable maintenance window | If the maintenance window of an RDS instance is not within the 02:00-06:00 or 06:00-10:00 range, it is considered non-compliant. | This fix uniformly modifies the maintenance window for the selected instances. A recommended maintenance window is suggested based on best practices. You can modify this parameter based on your business needs. | No |
Change management | PolarDB resources have an unreasonable maintenance window | If the maintenance window of a PolarDB cluster is not within the 02:00-04:00 or 06:00-10:00 range, it is considered non-compliant. | This fix uniformly modifies the maintenance window for the selected instances. A recommended maintenance window is suggested based on best practices. You can modify this parameter based on your business needs. | No |
Change management | ECS resources have an unreasonable maintenance window | Creating snapshots for an ECS instance temporarily reduces the I/O performance of its block storage. If the snapshot creation time in the automatic snapshot policy is not set to 01:00 or 02:00, the instance is considered non-compliant. | This fix uniformly modifies the automatic creation time in the selected snapshot policy to ensure that the snapshot time is within a reasonable range and avoids impacting your business. A creation time is recommended based on best practices. You can modify this parameter based on your business needs. | No |
Change management | Redis resources have an unreasonable maintenance window | If the automatic backup time period of a Redis instance is not within the 04:00-05:00, 05:00-06:00, or 12:00-13:00 range, it is considered non-compliant. | Quick fix is not supported. | No |
Change management | ADB resources have an unreasonable maintenance window | If the maintenance window of an ADB cluster is not within the 02:00-04:00, 06:00-08:00, or 12:00-13:00 range, it is considered non-compliant. | This fix uniformly modifies the maintenance window for the selected instances. A recommended maintenance window is suggested based on best practices. You can modify this parameter based on your business needs. | No |
Data backup | Data backup is not configured for ECI resources | If an ECI container group does not have a data volume mounted, it is considered non-compliant. | Quick fix is not supported. | No |
Data backup | Data backup is not configured for Redis resources | If a Tair-type Redis instance does not have incremental backup enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Data backup | Data backup is not configured for Elasticsearch resources | If an Elasticsearch instance does not have automatic backup enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Data backup | Log backup is not enabled for MongoDB resources | If a MongoDB instance does not have log backup enabled, it is considered non-compliant. | This fix enables log backup for the selected MongoDB clusters with a default storage period of 7 days. | No |
Data backup | Log backup is not enabled for AnalyticDB for MySQL | If an ADB cluster does not have log backup enabled, it is considered non-compliant. | This fix enables log backup for the selected AnalyticDB for MySQL clusters with a default storage period of 7 days. | No |
Data backup | Log backup is not enabled for RDS resources | If an RDS instance does not have log backup enabled, it is considered non-compliant. | This fix enables log backup for the selected RDS instances with a default storage period of 7 days. | No |
Data backup | Versioning is not enabled for an OSS bucket | If an OSS instance does not have versioning enabled, data cannot be recovered when it is overwritten or deleted. An OSS instance without versioning enabled is considered non-compliant. | This fix enables versioning for the selected OSS instances. After versioning is enabled, objects in the bucket are stored as previous versions when they are overwritten or deleted. If you accidentally overwrite or delete an object, you can restore the object in the bucket to any of its previous versions. | No |
Data backup | Data backup is not configured for PolarDB resources | If a PolarDB cluster does not have level-2 backup enabled with a retention period of 30 days or more, it is considered non-compliant. | This fix sets the level-2 backup cycle and retention period (default is 30 days) for the selected PolarDB clusters. If level-2 backup is not currently enabled, it will be automatically enabled. | No |
Host snapshots | Host snapshots are not enabled for ECS resources | If an automatic snapshot policy is not configured for an ECS disk, it is considered non-compliant. | This fix enables the specified snapshot policy for the selected ECS disk instances. Because snapshot policies in each region are independent, if a policy with the same name exists in the region where the selected disk is located, the existing policy is used. Otherwise, a new snapshot policy is created. | No |
Multi-zone architecture | Elasticsearch resources do not use a multi-zone architecture | If an Elasticsearch instance does not use multi-zone deployment, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | Redis resources do not use a multi-zone architecture | If a Redis instance does not use multi-zone deployment, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | RDS resources do not use a multi-zone architecture | If an RDS instance does not use multi-zone deployment, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | MSE-related components are at risk of single-zone deployment (New in Model 2.0) | Deploy MSE-related components in a multi-zone architecture to improve stability. If MSE-related components are deployed in a single zone, they are considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | OSS resources do not use a multi-zone architecture | If an OSS bucket does not have zone-redundant storage enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | MongoDB resources do not use a multi-zone architecture | A MongoDB instance that does not use multi-zone deployment is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | An MSE gateway is at risk due to a single-zone architecture (New in Model 2.0) | Currently, all instance replicas of the gateway are deployed in the same zone. This deployment lacks high availability, and in extreme cases, your business may be affected. Upgrade to a new version as soon as possible to distribute gateway instances across multiple zones. If the MSE Ingress gateway component has a single-zone architecture, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | SLB resources do not use a multi-zone architecture | If an SLB instance is in a single zone, or if resources from multiple zones are not added to the server group that is used by a listener under the SLB instance, it is considered non-compliant. | Quick fix is not supported. | No |
Multi-zone architecture | PolarDB resources do not use a multi-zone architecture | If a PolarDB cluster does not have a hot standby storage cluster enabled and data is distributed in a single zone, it is considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | CEN resources do not use a cluster architecture | If a Virtual Border Router (VBR) associated with a CEN instance does not have a health check configured, it is considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | An ACK cluster is at risk of single-point deployment (New in Model 2.0) | A regional cluster is spread across multiple zones within a region, so the failure of a single zone does not take down the cluster. If an ACK cluster is not a regional cluster, it is considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | PolarDB resources do not use a cluster architecture | If the PolarDB product series used is not Cluster Edition or Multi-master Cluster Edition, it is considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | An MSE gateway is at risk of single-point deployment (New in Model 2.0) | A standalone instance has architectural risks. A single point of failure can cause service unavailability. You should scale out to 2 or more nodes. If the MSE Ingress component is deployed as a single node, it is considered non-compliant. | Quick fix is not supported. | No |
Cluster architecture | MSE-related resources are at risk of single-point deployment (New in Model 2.0) | For the MSE ZK component, you should scale out to 3 or more nodes. For the Nacos-Ans component, you should scale out to more than 3 nodes. If an MSE-related component is deployed as a single node, it is considered non-compliant. | Quick fix is not supported. | No |
Monitoring discovery | Monitoring alert rules are not configured for core cloud product resources | Achieving full resource monitoring coverage is fundamental to ensuring business continuity. Configuring alert rules for cloud product resources is a necessary step for monitoring them. If a cloud product resource is not covered by any alert rule, it is considered non-compliant. | This fix automatically enables alert rules based on best practices for cloud resource types that do not have CloudMonitor configured. By default, notifications are sent to recipients of the "Alibaba Cloud account alert contact" type. You can confirm that the settings are correct. After you enable the rules, you can view the status or update alert parameters in the one-click alerting feature of CloudMonitor. | No |
Monitoring discovery | Prometheus monitoring is not configured for an ACK cluster | Connecting an ACK cluster to monitoring helps developers and O&M engineers view the system's running status, including the infrastructure layer and container performance layer. For all ACK clusters, if "Enable Alibaba Cloud Prometheus Monitoring" is not configured, the cluster is considered non-compliant. | Quick fix is not supported. | No |
Monitoring discovery | Application monitoring is not configured for an ACK cluster | For distributed and microservice applications, you can connect to Application Real-Time Monitoring Service (ARMS) for full-link tracing and code-level real-time performance monitoring. This helps O&M engineers stay informed about application health. For applications deployed in Container Service for Kubernetes or Elastic Compute Service, if they are not connected to ARMS, they are considered non-compliant. | Quick fix is not supported. | No |
Monitoring and alerts | Continuous alerts from an alert rule are not handled promptly | An alert rule that is continuously in an alert state requires attention and governance. Typically, you should resolve the issue quickly to restore monitoring metrics to normal levels, or adjust the alert rule based on the actual situation. This avoids interference with normal monitoring and O&M work that is caused by many alerts or alert fatigue. For all alert rules set in CloudMonitor, if a rule remains in an alert state for more than 24 hours, it is considered non-compliant. | Quick fix is not supported. | No |
Monitoring and alerts | High-priority alert rules are not configured | Configuring effective alert rules provides timely notifications when a business system does not meet operational expectations, which allows for a prompt emergency response. If no P1-level alert rules for application monitoring or Prometheus monitoring are configured in ARMS, or if no corresponding notification policies are configured, it is considered non-compliant. | Quick fix is not supported. | No |
Monitoring and alerts | A high-priority alert is not handled within the specified time (30 minutes) | MTTx metrics (Mean Time To X, such as MTTR, Mean Time To Recovery) measure alert handling efficiency. A timely response to high-priority alerts shortens the recovery time of alerts and faults, which improves the service quality of business systems. If no P1-level alert rules for application monitoring or Prometheus monitoring are configured in ARMS, or if any P1 alert in ARMS was not resolved within 30 minutes (still pending or in progress, or resolved only after more than 30 minutes), it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Centrally monitor ARMS resources across Alibaba Cloud accounts | Create a global aggregation instance to achieve unified monitoring across accounts. If the current account is using ARMS but has not created a globalview instance, it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Enable unified resource configuration checks for multiple accounts | The current account is considered non-compliant unless both of the following conditions are met: 1. An account group exists and rules have been created under it. 2. Non-compliant events are delivered to SLS. | Quick fix is not supported. | No |
Instance capacity | MSE-related components have capacity risks (New in Model 2.0) | Ensure that resource capacity remains within a reasonable range. Exceeding the capacity limit may lead to stability risks. If MSE has related metrics that exceed their capacity limits, it is considered non-compliant. | Quick fix is not supported. | No |
Anomalous event monitoring | There are ECS instances shut down due to overdue payments or security blocks (New in Model 2.0) | A passive shutdown of an ECS instance can cause service interruptions, data loss, and data inconsistency, which affects system performance or creates security vulnerabilities. If there are ECS instances in the current account that have been shut down due to overdue payments or security blocks, it is considered a risk. | Quick fix is not supported. | No |
Anomalous event monitoring | There are ECS instances with pending O&M events (New in Model 2.0) | Failure to respond to and handle scheduled O&M events for ECS instances in a timely manner can cause the instances to restart during peak business hours, which affects the stability of the services on them. If there are pending ECS O&M events (in inquiring, scheduled, or executing status) in the current account, it is considered a risk. | Quick fix is not supported. | No |
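The three "Monitoring and alerts" checks above (an alert rule in alert state for more than 24 hours, P1 rules without a notification policy, and P1 alerts not handled within 30 minutes) can be evaluated offline against an alert export. The Python below is an added example, not Alibaba Cloud code or the detection model's own implementation: the `AlertRule` and `AlertEvent` fields, the sample rules and events are constructed for illustration, and an alert that is still open is judged on how long it has been open so far rather than flagged the moment it fires.

```python
"""Evaluate the CloudMonitor/ARMS alert-handling checks over a constructed alert export.
Added example; the data model below is invented for illustration, not an Alibaba Cloud API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

CONTINUOUS_ALERT_LIMIT = timedelta(hours=24)  # rule "remains in an alert state for more than 24 hours"
P1_RESPONSE_LIMIT = timedelta(minutes=30)     # P1 alert "not resolved within 30 minutes"


@dataclass(frozen=True)
class AlertRule:
    name: str
    priority: str           # "P1".."P4"; only P1 matters for these checks
    has_notification: bool  # a notification policy is attached to the rule


@dataclass(frozen=True)
class AlertEvent:
    rule: str
    fired_at: datetime
    resolved_at: Optional[datetime]  # None while the alert is pending or in progress


def open_duration(event: AlertEvent, now: datetime) -> timedelta:
    """How long the alert has been (or was) in the alert state, measured to `now` if still open."""
    return (event.resolved_at or now) - event.fired_at


def stale_alert_rules(events: List[AlertEvent], now: datetime) -> List[str]:
    """'Continuous alerts from an alert rule are not handled promptly':
    names of rules with an alert that stayed in the alert state for more than 24 hours."""
    return sorted({e.rule for e in events if open_duration(e, now) > CONTINUOUS_ALERT_LIMIT})


def p1_rule_findings(rules: List[AlertRule]) -> List[str]:
    """'High-priority alert rules are not configured': an empty list means compliant."""
    p1 = [r for r in rules if r.priority == "P1"]
    if not p1:
        return ["no P1 alert rule configured"]
    return [f"P1 rule {r.name!r} has no notification policy" for r in p1 if not r.has_notification]


def p1_response_findings(rules: List[AlertRule], events: List[AlertEvent],
                         now: datetime) -> Tuple[List[str], Optional[float]]:
    """'A high-priority alert is not handled within the specified time (30 minutes)'.
    Returns (findings, MTTR in minutes over resolved P1 alerts, or None if none resolved).
    Assumption: an alert that is still open is judged on how long it has been open so far."""
    p1_names = {r.name for r in rules if r.priority == "P1"}
    if not p1_names:
        return ["no P1 alert rule configured"], None
    findings, resolved = [], []
    for e in events:
        if e.rule not in p1_names:
            continue
        d = open_duration(e, now)
        if e.resolved_at is not None:
            resolved.append(d)
        if d > P1_RESPONSE_LIMIT:
            state = "resolved" if e.resolved_at is not None else "still open"
            findings.append(f"{e.rule}: {state} after {d}")
    mttr = sum(resolved, timedelta()) / len(resolved) if resolved else None
    return findings, (mttr.total_seconds() / 60 if mttr is not None else None)


def run_example() -> Dict[str, object]:
    """Constructed sample data: three rules and four alert events around a fixed 'now'."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

    def ago(minutes: int) -> datetime:
        return now - timedelta(minutes=minutes)

    rules = [
        AlertRule("api-5xx-rate", "P1", has_notification=True),
        AlertRule("db-cpu", "P1", has_notification=False),  # finding: no notification policy
        AlertRule("disk-usage", "P3", has_notification=True),
    ]
    events = [
        AlertEvent("api-5xx-rate", fired_at=ago(45), resolved_at=ago(10)),  # resolved after 35 min: finding
        AlertEvent("api-5xx-rate", fired_at=ago(20), resolved_at=ago(5)),   # resolved after 15 min: ok
        AlertEvent("db-cpu", fired_at=ago(120), resolved_at=None),          # open for 2 h: finding
        AlertEvent("disk-usage", fired_at=ago(30 * 60), resolved_at=None),  # open for 30 h: stale rule
    ]
    response, mttr = p1_response_findings(rules, events, now)
    return {
        "stale_rules": stale_alert_rules(events, now),
        "p1_rule_findings": p1_rule_findings(rules),
        "p1_response_findings": response,
        "mttr_minutes": mttr,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Note that the 24-hour check and the 30-minute check look at different things: the first is per rule and catches noisy or abandoned rules, the second is per P1 alert and feeds the MTTR figure. Both are computed from the same `open_duration`, so an alert that is still open is measured against the evaluation time and will cross each threshold on its own as time passes.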
Cost
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Resource cost optimization | An RDS instance has low resource utilization for an extended period (New in Model 2.0) | Keeping RDS instance utilization at a reasonable level is a core cloud cost management task. Choose an instance specification that fits your business cycle from the available RDS specifications to control costs. If an RDS instance has CPU utilization, memory usage, and disk usage all continuously below 3% for 30 days, it does not comply with best practices. | Quick fix is not supported. | No |
Resource cost optimization | An ECS instance has low resource utilization for an extended period (New in Model 2.0) | Keeping ECS instance utilization at a reasonable level is a core cloud cost management task. Choose an instance specification that fits your business cycle from the available ECS specifications to control costs. If an ECS instance has both CPU and memory utilization continuously below 3% for 30 days, it does not comply with best practices. | Quick fix is not supported. | No |
Resource cost optimization | An ECS disk has low resource utilization for an extended period (New in Model 2.0) | Disk capacity that is allocated but not used still incurs cost. Choose a disk size that fits the workload to control ECS storage costs. If an ECS disk has utilization continuously below 3% for 30 days, it does not comply with best practices. | Quick fix is not supported. | No |
Resource cost optimization | An RDS instance disk has low resource utilization for an extended period (New in Model 2.0) | Storage that is allocated to an RDS instance but not used still incurs cost. Choose a storage size that fits the workload to control RDS costs. If an RDS instance disk has utilization continuously below 3% for 30 days, it does not comply with best practices. | Quick fix is not supported. | No |
Resource cost optimization | EIP resources are idle | If an EIP is not bound to a resource instance and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | VPC NAT resources are idle | If a VPC NAT Gateway is not bound to an EIP, or the bound EIP does not have an SNAT or DNAT entry, and the gateway was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | SLB resources are idle | If an SLB instance has no running listeners and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | Use subscription or savings plans for ECS instances (New in Model 2.0) | For resources used stably over a long term, use a subscription plan. Normally, the cost of a subscription ECS instance is lower than that of a pay-as-you-go instance. A savings plan is a discount plan that offers lower pay-as-you-go rates in exchange for a commitment to a stable amount of resource usage over a period. If an ECS instance uses a pay-as-you-go billing method and is not included in a savings plan, it does not comply with best practices. | Quick fix is not supported. | No |
Resource cost optimization | ECS resources are idle | If an ECS instance is in the Stopped state and the economical mode for stopped instances is not enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | CR resources are idle | If a Container Registry instance has no namespace or image repository and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | VPN resources are idle | If a VPN Gateway has not configured a destination-based route or enabled automatic BGP route propagation, and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | NAS resources are idle | If a NAS file system has no mount targets and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | Use a subscription plan for RDS instances (New in Model 2.0) | For resources used stably over a long term, use a subscription plan. Normally, the cost of a subscription RDS instance is lower than that of a pay-as-you-go instance. If an RDS instance uses a pay-as-you-go billing method, it does not comply with best practices. | Quick fix is not supported. | No |
Resource cost optimization | ALB resources are idle | If an ALB instance has a listener with no backend servers added and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | NAT resources are idle | If a NAT Gateway is not bound to an EIP, or the bound EIP does not have an SNAT or DNAT entry, and the gateway was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | CBWP resources are idle | If a shared bandwidth instance is not bound to a resource and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | ECS disks are idle | If a disk is not in use and was created more than 7 days ago, it is considered non-compliant. | Quick fix is not supported. | No |
Resource cost optimization | The "Resource Idle Detection Best Practices" compliance package is not enabled | If the resource idle detection compliance package is not enabled in Cloud Config, it is considered non-compliant. | Quick fix is not supported. | No |
Cost allocation and analysis | The cost management suite is not enabled for an ACK cluster (New in Model 2.0) | Traditional methods lack effective cost insight and control in cloud-native scenarios. The cost management suite provides features such as resource waste checks and resource cost prediction. If an ACK cluster does not have the cost management suite enabled, it is not following best practices. | Quick fix is not supported. | No |
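The idle-resource rows above share one shape (an age gate of more than 7 days plus a per-type "nothing attached" condition, with NAT gateways needing the compound EIP-bound-but-no-SNAT/DNAT-entry test), and the low-utilization rows share another (every required metric continuously below 3% for 30 days). The Python below is an added example of evaluating both families over a constructed inventory; it is not Alibaba Cloud code or the detection model's own implementation, and the `attrs` field names, the `ECS_DISK` status value and the daily metric samples are invented stand-ins for the real API fields.

```python
"""Evaluate the idle-resource and long-term low-utilization checks from the Cost table
over a constructed resource inventory. Added example, not Alibaba Cloud code; the
`attrs` field names are invented stand-ins for the real API fields."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Sequence

IDLE_AGE = timedelta(days=7)  # "created more than 7 days ago"
LOW_UTIL_PCT = 3.0            # "continuously below 3%"
LOW_UTIL_DAYS = 30            # "for 30 days" (one daily sample per day assumed)


@dataclass
class Resource:
    id: str
    type: str
    created_at: datetime
    attrs: dict = field(default_factory=dict)


def _nat_idle(a: dict) -> bool:
    """NAT gateway: no EIP bound, or no bound EIP carries an SNAT or DNAT entry."""
    eips = a.get("eips", [])
    return not eips or not any(e.get("snat_entries") or e.get("dnat_entries") for e in eips)


# Per-type idle condition, evaluated only once the 7-day age gate has passed.
IDLE_CONDITIONS: Dict[str, Callable[[dict], bool]] = {
    "EIP": lambda a: a.get("bound_instance") is None,
    "NAT": _nat_idle,
    "SLB": lambda a: a.get("running_listeners", 0) == 0,
    "ALB": lambda a: any(not l.get("backend_servers") for l in a.get("listeners", [])),
    "NAS": lambda a: not a.get("mount_targets"),
    "CR": lambda a: not a.get("namespaces") and not a.get("repositories"),
    "ECS_DISK": lambda a: a.get("status") != "In_use",   # status value is an assumption
}


def is_idle(r: Resource, now: datetime) -> bool:
    cond = IDLE_CONDITIONS.get(r.type)
    if cond is None:
        return False  # no idle rule defined for this resource type
    return now - r.created_at > IDLE_AGE and cond(r.attrs)


def idle_resources(inventory: Sequence[Resource], now: datetime) -> List[str]:
    return sorted(r.id for r in inventory if is_idle(r, now))


def continuously_below(series: Sequence[float], threshold: float = LOW_UTIL_PCT,
                       days: int = LOW_UTIL_DAYS) -> bool:
    """True only when at least `days` samples exist and the most recent `days` are all below
    `threshold`. A series shorter than the window (instance younger than 30 days) is never
    flagged, and a single sample at or above the threshold clears the verdict."""
    if len(series) < days:
        return False
    return max(series[-days:]) < threshold


def low_utilization(metrics: Dict[str, Sequence[float]], required: Sequence[str]) -> bool:
    """All `required` metrics must be continuously low; a missing metric counts as not low."""
    return all(continuously_below(metrics.get(m, [])) for m in required)


ECS_LOW_UTIL = ("cpu", "memory")          # ECS rule: CPU and memory
RDS_LOW_UTIL = ("cpu", "memory", "disk")  # RDS rule: CPU, memory and disk


def run_example() -> Dict[str, List[str]]:
    """Constructed inventory and metric series exercising the age gate, the NAT compound
    condition, the short-history case and the single-spike case."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    old, new = now - timedelta(days=10), now - timedelta(days=2)
    inventory = [
        Resource("eip-1", "EIP", old, {"bound_instance": None}),                                # idle
        Resource("eip-2", "EIP", new, {"bound_instance": None}),                                # too young
        Resource("eip-3", "EIP", old, {"bound_instance": "i-web01"}),                           # in use
        Resource("ngw-1", "NAT", old, {"eips": [{"snat_entries": 0, "dnat_entries": 0}]}),      # bound, no entries: idle
        Resource("ngw-2", "NAT", old, {"eips": [{"snat_entries": 2, "dnat_entries": 0}]}),      # in use
        Resource("slb-1", "SLB", old, {"running_listeners": 0}),                                # idle
        Resource("d-1", "ECS_DISK", old, {"status": "Available"}),                              # idle
        Resource("rds-1", "RDS", old, {}),                                                      # no idle rule
    ]
    ecs_metrics = {
        "i-quiet": {"cpu": [1.0] * 30, "memory": [2.5] * 30},           # flagged
        "i-spike": {"cpu": [1.0] * 29 + [40.0], "memory": [2.0] * 30},  # one busy day: not flagged
        "i-new": {"cpu": [0.5] * 10, "memory": [0.5] * 10},             # too little history
    }
    rds_metrics = {
        "rm-quiet": {"cpu": [1.0] * 30, "memory": [1.0] * 30, "disk": [2.9] * 30},  # flagged
        "rm-disk": {"cpu": [1.0] * 30, "memory": [1.0] * 30, "disk": [60.0] * 30},  # disk busy
    }
    return {
        "idle": idle_resources(inventory, now),
        "ecs_low": sorted(i for i, m in ecs_metrics.items() if low_utilization(m, ECS_LOW_UTIL)),
        "rds_low": sorted(i for i, m in rds_metrics.items() if low_utilization(m, RDS_LOW_UTIL)),
    }


if __name__ == "__main__":
    print(run_example())
```

The age gate matters more than it looks: without it, every freshly provisioned EIP or load balancer would be reported during the window between creation and first use, and the list would be too noisy to act on. Likewise the 30-sample requirement in `continuously_below` keeps instances younger than the window out of the low-utilization list instead of flagging them on a few days of idle data.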
Efficiency
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Automation level | Calls to deprecated Redis APIs (New in Model 2.0) | Deprecated Redis APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated Redis API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated ECS APIs (New in Model 2.0) | Deprecated ECS APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated ECS API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated CEN APIs (New in Model 2.0) | Deprecated CEN APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated CEN API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated PolarDB APIs (New in Model 2.0) | Deprecated PolarDB APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated PolarDB API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated VPC APIs (New in Model 2.0) | Deprecated VPC APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated VPC API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated RocketMQ APIs (New in Model 2.0) | Deprecated RocketMQ APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated RocketMQ API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated NAS APIs (New in Model 2.0) | Deprecated NAS APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated NAS API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated CDN APIs (New in Model 2.0) | Deprecated CDN APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated CDN API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated RDS APIs (New in Model 2.0) | Deprecated RDS APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated RDS API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated ACK APIs (New in Model 2.0) | Deprecated ACK APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated ACK API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated SLB APIs (New in Model 2.0) | Deprecated SLB APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated SLB API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Calls to deprecated ALB APIs (New in Model 2.0) | Deprecated ALB APIs are no longer maintained. They pose stability risks and do not support new features. Any call to a deprecated ALB API within the last 30 days is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Use automated methods to control resources | If less than 100% of the OpenAPI calls made in the last 30 days come from automated tools, such as SDKs, Terraform, Cloud Control API, CADT, ROS, and Service Catalog, the account is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Use automated methods for daily resource provisioning | If less than 100% of the resources created in the last year were created by calling OpenAPI outside the console, the account is considered non-compliant. | Quick fix is not supported. | No |
Automation level | Use automated methods for continuous resource management | If less than 100% of the OpenAPI calls for continuous resource management in the last 30 days were made outside the console, the account is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | RDS OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If RDS API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | NAS OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If NAS API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | ECS OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If ECS API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | VPC OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If VPC API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Redis OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If Redis API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | ALB OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If ALB API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | SLB OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If SLB API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | CEN OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If CEN API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | RocketMQ OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If RocketMQ API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | ACK OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If ACK API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | PolarDB OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If PolarDB API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | CDN OpenAPI calls are at risk of being throttled (New in Model 2.0) | Throttled API calls fail, which can affect business stability. If CDN API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Risk of ACK quota saturation (New in Model 2.0) | When a resource quota is close to its limit, creating or modifying resources, or using product features, can fail. A risk is flagged if an ACK resource quota item shows high usage and quota_exceed errors were triggered within the last 7 days. | Quick fix is not supported. | No |
Automation quality | Risk of CDN quota saturation (New in Model 2.0) | When a resource quota is close to its limit, creating or modifying resources, or using product features, can fail. A risk is flagged if a CDN resource quota item shows high usage and quota_exceed errors were triggered within the last 7 days. | Quick fix is not supported. | No |
Automation quality | Risk of ECS quota saturation (New in Model 2.0) | When a resource quota is close to its limit, creating or modifying resources, or using product features, can fail. A risk is flagged if an ECS resource quota item shows high usage and quota_exceed errors were triggered within the last 7 days. | Quick fix is not supported. | No |
Automation quality | Risk of VPC quota saturation (New in Model 2.0) | When a resource quota is close to its limit, creating or modifying resources, or using product features, can fail. A risk is flagged if a VPC resource quota item shows high usage and quota_exceed errors were triggered within the last 7 days. | Quick fix is not supported. | No |
Automation quality | Risk of SLB quota saturation (New in Model 2.0) | When a resource quota is close to its limit, creating or modifying resources, or using product features, can fail. A risk is flagged if an SLB resource quota item shows high usage and quota_exceed errors were triggered within the last 7 days. | Quick fix is not supported. | No |
Automation quality | Risk of CEN quota saturation (New in Model 2.0) | When a resource quota is close to its limit, creating or modifying resources, or using product features, can fail. A risk is flagged if a CEN resource quota item shows high usage and quota_exceed errors were triggered within the last 7 days. | Quick fix is not supported. | No |
Automation quality | The success rate of resource modification API calls is less than 100% | If the success rate of infrastructure changes made with automation tools (OpenAPI, Cloud Control API, SDKs, Terraform, and so on) is below 100% in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | The success rate of resource creation API calls is less than 100% | If the success rate of infrastructure resource creation made with automation tools (OpenAPI, Cloud Control API, SDKs, Terraform, and so on) is below 100% in the last 30 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Diagnostic tools are not used to observe and diagnose faults (Removed in Model 2.0) | If you have not used a Request ID in the OpenAPI Portal to self-diagnose errors of core products in the past year, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | Quotas were not viewed or adjusted on the quota platform (Removed in Model 2.0) | If you have not viewed the quotas of core products on the quota platform or used the self-service quota request feature within the last year, the account is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | API calls are at risk of throttling exceptions (Removed in Model 2.0) | If API calls were throttled within the last 7 days, it is considered non-compliant. | Quick fix is not supported. | No |
Automation quality | A cloud product resource quota is at risk of saturation (Removed in Model 2.0) | A risk is flagged if a product has a resource quota with high usage and a quota_exceed error occurred within the last 7 days. | Quick fix is not supported. | No |
Unified control | The account is not managed by a resource directory | Centralized management of multiple accounts improves permission control, security, and cost management. If the current account does not belong to a resource directory, it is considered non-compliant. | Quick fix is not supported. | No |
Unified control | Resource groups or tags are not used for cost center allocation (Removed in Model 2.0) | Cost allocation is the foundation of cost visibility, budgeting, and cost optimization in enterprise finance. A cost center that is not linked to a resource group or tag is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Associated instances are split across different resource groups (New in Model 2.0) | If associated resources are not placed in the same resource group, permission, financial, and O&M management based on that group cannot cover all of the target resources. Associated resources that are not in the same custom resource group are considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | The organization does not use multiple accounts to manage resources | An Alibaba Cloud account is a fully isolated tenant: by default, its resource access, network deployments, and identity permissions are completely separate from those of other accounts, and each account has its own bill. This lets you deploy different business workloads into separate accounts for independent accounting and billing. Multi-account management gives enterprises environment isolation, security compliance, and room for business innovation. If the enterprise has two or more Alibaba Cloud accounts, the check passes; otherwise it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Resources are not grouped into custom resource groups | Custom resource groups provide more flexible control over resource access and use. If resources in custom resource groups account for less than 75% of all resources, it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Creator tags are not enabled | As an enterprise's cloud resources grow, multiple people manage them. In scenarios such as cost management and security, identifying the creator of each resource is essential: it enables cost allocation, provides security traceability, and improves management efficiency. The account is considered non-compliant if creator tags are not enabled. | Quick fix is not supported. | No |
Resource grouping and isolation | Custom tags are not applied to resources | Custom tags let you flexibly identify, sort, and organize resources. If less than 75% of all resources carry custom tags, it is considered non-compliant. | Quick fix is not supported. | No |
Resource grouping and isolation | Predefined tags are not used | Predefined tags are created in advance and apply to all regions. They simplify attaching tags to cloud resources and managing them during implementation. If the ratio of predefined tags to custom tags is less than 80%, it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Enable centralized log collection for multiple accounts | If the SLS log audit trusted service is not enabled, it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Set a delegated administrator account for the resource directory | Delegated administrator accounts separate organization management tasks from business management tasks: the management account performs organization management tasks for the resource directory, and delegated administrator accounts perform business management tasks for trusted services. If no delegated administrator account is set for the trusted services enabled by the resource directory management account, it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Enable multi-account resource search | When you use Resource Directory to manage multiple Alibaba Cloud accounts, the management account and delegated administrator accounts can view and search the cloud resources of all members in the resource directory. If cross-account resource search is disabled, it is considered non-compliant. | Quick fix is not supported. | No |
Centralized multi-account management | Use centralized management of multi-account message contacts | The contact management feature of Resource Directory centrally manages contacts across accounts. If no contacts are detected in the resource directory, or if contacts are not attached to the resource directory, folders, or members, it is considered non-compliant. | Quick fix is not supported. | No |
Performance
Category | Check item | Description | Quick fix description | Auxiliary decision support |
Performance anomaly detection | Performance risk on EBS disks due to high disk space usage (New in model 2.0) | When an EBS disk is nearly full, writes can fail and the risk of data loss increases. This check helps you identify potential performance bottlenecks early and prevent performance degradation. An EBS disk is considered non-compliant if its disk space usage exceeds 80%. | Quick fix is not supported. | No |
Performance anomaly detection | Performance risk for ECS resources due to high memory usage (New in model 2.0) | This check ensures that the memory usage of your core ECS instances remains at a healthy level to prevent performance degradation or service interruptions from out of memory issues. An ECS instance is considered non-compliant if its memory usage exceeded 85% for a total of more than 9 hours in the past 24 hours. | Quick fix is not supported. | No |
Performance anomaly detection | Performance risk on EBS disks due to high throughput (New in model 2.0) | This check helps you prevent performance bottlenecks, assess whether your storage resources are sized appropriately, and decide whether to scale out to ensure business continuity. An EBS disk is considered non-compliant if its input/output operations per second (IOPS) or bytes per second (BPS) usage in the past 24 hours exceeded 90% of the maximum IOPS or BPS for its disk type. | Quick fix is not supported. | No |
Performance anomaly detection | Performance risk for ECS resources due to high CPU usage (New in model 2.0) | Keeping the CPU usage of your core ECS instances at a healthy level is fundamental to stable business operations. A high load can slow down application responses and may trigger automatic protection mechanisms, such as system restarts or service degradation. An ECS instance is considered non-compliant if its CPU usage exceeded 85% for a total of more than 8 hours in the past 24 hours. | Quick fix is not supported. | No |
Performance anomaly detection | Risk that ECS resources cannot be automatically scaled (New in model 2.0) | Core cloud products such as ECS should automatically add or remove resources based on performance load to ensure business stability. An ECS instance is considered non-compliant if Auto Scaling is not enabled, or if Auto Scaling is enabled but the success rate of the Auto Scaling group was below 90% in the past 24 hours. | Quick fix is not supported. | No |
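The performance rows above are stated as thresholds over a trailing 24-hour window, and the part that is easy to get wrong when reproducing them is the "exceeded X% for a total of more than N hours" duration calculation, which must weight each sample by how long it was in effect rather than count samples. The following is an added example, not Alibaba Cloud's detection code: it implements the five performance checks exactly as the table phrases them (strict "exceeds", inclusive boundaries otherwise) against constructed metric samples. The helper names, the 10-minute sampling layout, the step-function interpretation of samples, and the choice to treat an Auto Scaling group with no scaling activity as having no failing success rate are all assumptions made for illustration; in practice the samples would come from the monitoring metrics of the instance or disk being assessed.

```python
"""Worked example of the model 2.0 performance anomaly checks.

Added example, not Alibaba Cloud's implementation. It evaluates the check
rules as the table states them against constructed metric samples. Helper
names and the sampling layout are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds exactly as stated by the check items.
DISK_USAGE_MAX_PCT = 80.0                  # EBS disk space usage
MEM_USAGE_PCT, MEM_HOURS_MAX = 85.0, 9.0   # ECS memory: >85% for >9h of last 24h
CPU_USAGE_PCT, CPU_HOURS_MAX = 85.0, 8.0   # ECS CPU:    >85% for >8h of last 24h
IO_UTIL_MAX_PCT = 90.0                     # EBS IOPS or BPS vs. disk-type maximum
SCALING_SUCCESS_MIN_PCT = 90.0             # Auto Scaling group success rate
WINDOW_HOURS = 24.0


@dataclass(frozen=True)
class Sample:
    ts: datetime
    value: float   # utilisation in percent


def hours_above(samples: List[Sample], threshold: float,
                window_hours: float = WINDOW_HOURS) -> float:
    """Total hours inside the trailing window during which the metric was
    strictly above `threshold`.

    Assumption: each sample holds until the next one (step function), so
    uneven sampling intervals are weighted by their real duration. The
    window ends at the newest sample; that sample has no successor and
    therefore contributes no duration.
    """
    if len(samples) < 2:
        return 0.0
    ordered = sorted(samples, key=lambda s: s.ts)
    window_start = ordered[-1].ts - timedelta(hours=window_hours)
    above = timedelta()
    for cur, nxt in zip(ordered, ordered[1:]):
        start = max(cur.ts, window_start)     # clip intervals to the window
        if nxt.ts > start and cur.value > threshold:
            above += nxt.ts - start
    return above.total_seconds() / 3600.0


def disk_space_compliant(usage_pct: float) -> bool:
    """Non-compliant if disk space usage exceeds 80%."""
    return usage_pct <= DISK_USAGE_MAX_PCT


def memory_compliant(samples: List[Sample]) -> bool:
    """Non-compliant if memory usage exceeded 85% for more than 9 of the last 24 hours."""
    return hours_above(samples, MEM_USAGE_PCT) <= MEM_HOURS_MAX


def cpu_compliant(samples: List[Sample]) -> bool:
    """Non-compliant if CPU usage exceeded 85% for more than 8 of the last 24 hours."""
    return hours_above(samples, CPU_USAGE_PCT) <= CPU_HOURS_MAX


def disk_io_compliant(peak_iops: float, max_iops: float,
                      peak_bps: float, max_bps: float) -> bool:
    """Non-compliant if either the 24h peak IOPS or peak BPS exceeded 90% of
    the disk type's maximum."""
    return (peak_iops <= max_iops * IO_UTIL_MAX_PCT / 100
            and peak_bps <= max_bps * IO_UTIL_MAX_PCT / 100)


def auto_scaling_compliant(enabled: bool, successes: int, attempts: int) -> bool:
    """Non-compliant if Auto Scaling is off, or on with a 24h success rate
    below 90%. Assumption: with no scaling activity there is no rate to fail on."""
    if not enabled:
        return False
    if attempts == 0:
        return True
    return successes / attempts * 100 >= SCALING_SUCCESS_MIN_PCT


def constructed_series(high_hours: float, start: datetime = datetime(2024, 1, 1),
                       high: float = 95.0, low: float = 40.0,
                       step_minutes: int = 10) -> List[Sample]:
    """Constructed 24h metric series (not real telemetry): one sample every
    `step_minutes`, at `high` percent for the first `high_hours` hours and
    `low` percent afterwards."""
    series, t = [], start
    while t <= start + timedelta(hours=WINDOW_HOURS):
        v = high if t - start < timedelta(hours=high_hours) else low
        series.append(Sample(t, v))
        t += timedelta(minutes=step_minutes)
    return series


def evaluate() -> Dict[str, bool]:
    """Run every performance check against constructed input; returns check name -> compliant."""
    return {
        "ebs_disk_space": disk_space_compliant(usage_pct=83.2),           # over 80%
        "ecs_memory": memory_compliant(constructed_series(high_hours=10)),  # 10h > 9h
        "ecs_cpu": cpu_compliant(constructed_series(high_hours=8)),        # exactly 8h, not more
        "ebs_disk_io": disk_io_compliant(peak_iops=4_400, max_iops=5_000,
                                         peak_bps=100e6, max_bps=140e6),
        "ecs_auto_scaling": auto_scaling_compliant(True, successes=19, attempts=20),
    }


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:18s} {'compliant' if ok else 'NON-COMPLIANT'}")
```

Note the boundary behaviour: a CPU series that is high for exactly 8 hours is still compliant because the rule says "more than 8 hours", while an Auto Scaling group at exactly 90% success is compliant because the rule says "below 90%". Clipping each interval to the window start rather than dropping whole samples is what keeps the hour count correct when the series is longer than 24 hours.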