This topic describes the check items in governance maturity checks. You can gain an understanding of each check item.
Check items about security
Category | Check item | Description | Quick fix | Auxiliary decision-making |
Manage Program Identities | Do not Leak AccessKey Pairs | Checks whether an AccessKey pair is leaked. If your AccessKey pair is leaked, attackers can access your resources or data by using the AccessKey pair. In this case, data security incidents occur. If an AccessKey pair leak is not processed, risks exist. | Not supported | Not supported |
Manage Program Identities | Use the no AccessKey Pair Solution | Checks whether you configure an instance role in Elastic Compute Service (ECS), enable the Resource Access Management (RAM) Roles for Service Accounts (RRSA) plug-in for Container Service for Kubernetes (ACK), or configure service roles for Function Compute within the current account. If yes, the check result is compliant. | Not supported | Not supported |
Use Logon Credential Reports | Enable the Basic Compliance Package for Identities and Permissions | Checks whether the BestPracticesForIdentityAndPermissions compliance package is enabled in Cloud Config. If yes, the check result is compliant. | Supported This fix creates a compliance package for you in Cloud Config based on the BestPracticesForIdentityAndPermissions template. To view the compliance check results, go to the Compliance Package page of the Cloud Config console. | Not supported |
Manage Log Archiving | Configure a Long-term Archiving Duration for ActionTrail Logs | Checks whether you create a trail, archive events in all regions, archive all read and write operations, and set the storage duration to a period greater than or equal to 180 days. If no, risks exist. | Supported This fix configures the trails within your account, including the delivery of user-initiated read and write events and events in all regions. Select at least one trail to be configured. After the fix, the generated read and write events and events in all regions are delivered to the destination storage service specified for the trail. The historical events that are delivered to the specified storage service are not affected. | Not supported |
Enable Configuration Change Test | Configure Cloud Config | Checks whether Cloud Config is enabled for the current account. If no, risks exist. | Not supported | Not supported |
Enable Configuration Change Test | Enable the Resource Delivery Feature or Obtain the Resource Data | Checks whether you configure the delivery of resource changes or resource snapshots in Cloud Config. If no, risks exist. | Not supported | Not supported |
Enable Compliance Check | Enable Cloud Config Rules | Checks whether you enable Cloud Config rules for the current account. If no, risks exist. | Not supported | Not supported |
Enable Incompliance Event Alerting | Configure Alert Rules for Risky Operation Events | Checks whether an account security rule that is supported by the event alerting feature of ActionTrail or an operation rule of ActionTrail is enabled. If no, risks exist. | Not supported | Not supported |
Enable Incompliance Event Alerting | Obtain Compliant Test Data on a Regular Basis | Checks whether you configure non-compliant event delivery in Cloud Config or view the test result. If no, risks exist. | Not supported | Not supported |
Enable Automatic Remediation | Troubleshoot Incompliant Errors Automatically | Checks whether you enable the automatic troubleshooting feature of a rule. If no, risks exist. | Not supported | Not supported |
Check items about efficiency
Category | Check item | Description | Quick fix | Auxiliary decision-making |
Control Resources in a Centralized Manner | Use a Cost Unit that is Associated with a Resource Group or a Tag | Checks whether a cost center is associated with a resource group or a tag. Cost allocation is the basis of cost visibility, budget making, and cost optimization for an enterprise. If a cost center is not associated with a resource group or a tag, risks exist. | Not supported | Not supported |
Control Resources in a Centralized Manner | Manage the Alibaba Cloud Account under a Resource Directory | Checks whether your Alibaba Cloud account is managed by a resource directory. Compared with decentralized management, centralized management of multiple accounts can bring benefits to enterprises in terms of permission management, security compliance, and cost optimization. If the current account belongs to a resource directory, the check result is compliant. | Not supported | Not supported |
Check items about stability
Category | Check item | Description | Quick fix | Auxiliary decision-making |
Use an Appropriate Instance Type | Use ECS Instances with High-availability Specifications | Checks whether you use ECS instances with high-availability specifications. If you use ECS instances of the shared type or retired instance types, the computing performance of the instances cannot be ensured. If your ECS instances are not of the shared type or a retired instance type, the check result is compliant. | Not supported | Not supported |
Use an Appropriate Instance Type | Use Elasticsearch Clusters with High-Availability Specifications | Checks whether you use Elasticsearch clusters with high-availability specifications. An Elasticsearch cluster with 1 CPU core and 2 GB of memory is suitable only for test scenarios rather than production environments. If the specifications of your Elasticsearch clusters are not 1 CPU core and 2 GB of memory, the check result is compliant. | Not supported | Not supported |
Use an Appropriate Instance Type | Use ApsaraDB RDS Instances with High-Availability Specifications | Checks whether you use ApsaraDB RDS instances with high-availability specifications. If your ApsaraDB RDS instances are of Exclusive Edition, Cluster Edition, or High-availability Edition, the check result is compliant. | Not supported | Not supported |
Use an Appropriate Instance Type | Use ACK Clusters with High-availability Specifications | Checks whether you use ACK clusters with high-availability specifications. Compared with ACK standard clusters, ACK Pro clusters provide higher reliability, security, and schedulability. ACK Pro clusters are suitable for enterprises that have large-scale workloads in production environments. If your ACK clusters are ACK Pro clusters, the check result is compliant. | Not supported | Not supported |
Use an Appropriate Instance Type | Use ApsaraDB for Redis Instances with High-availability Specifications | Checks whether you use ApsaraDB for Redis instances with high-availability specifications. ApsaraDB for Redis Enhanced Edition (Tair) instances provide better performance, more data structures, and more flexible storage methods. If your ApsaraDB for Redis instances are of Enhanced Edition (Tair), the check result is compliant. | Not supported | Not supported |
Use an Appropriate Instance Type | Use ApsaraDB for MongoDB Instances with High-availability Specifications | Checks whether you use ApsaraDB for MongoDB instances with high-availability specifications. If an ApsaraDB for MongoDB instance is of the standalone architecture, an extended period of time is required for failure recovery and no service level agreement (SLA) guarantee is provided. If your ApsaraDB for MongoDB instances are of the multi-zone architecture, the check result is compliant. | Not supported | Not supported |
Use an Appropriate Instance Type | Use ApsaraMQ for RocketMQ Instances with High-availability Specifications | Checks whether you use ApsaraMQ for RocketMQ instances with high-availability specifications. We recommend that you do not use shared ApsaraMQ for RocketMQ instances in production environments. If your ApsaraMQ for RocketMQ instances are of Enterprise Platinum Edition, the check result is compliant. | Not supported | Not supported |
Use a Stable Version | Use ECS Instances Whose Version is in Stable State | Checks whether an ECS instance uses an operating system of a retired version. If no, the check result is compliant. | Not supported | Not supported |
Use a Stable Version | Use Elasticsearch Clusters Whose Version is in Stable State | Checks whether an Elasticsearch cluster is of a recommended version. If yes, the check result is compliant. | Not supported | Not supported |
Use a Stable Version | Use PolarDB Databases Whose Minor Version is in Stable State | Checks whether the minor version of a PolarDB database is in the stable state. If yes, the check result is compliant. | Not supported | Not supported |
Use a Stable Version | Use ACK Clusters of the Latest Version | Checks whether an ACK cluster is updated to the latest version. If yes, the check result is compliant. | Not supported | Not supported |
Use a Stable Version | Use ApsaraDB for Redis Instances of the Latest Minor Version | Checks whether an ApsaraDB for Redis instance is updated to the latest minor version. If yes, the check result is compliant. | Not supported | Not supported |
Prevent Expiration Risks | Use Internet Shared Bandwidth that Does not Have Expiration Risks | Checks whether the remaining validity period of an Internet Shared Bandwidth instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected Internet Shared Bandwidth instances. | Not supported |
Prevent Expiration Risks | Use ECS Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a subscription ECS instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected ECS instances. | Not supported |
Prevent Expiration Risks | Use ApsaraDB RDS Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a subscription ApsaraDB RDS instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected ApsaraDB RDS instances. | Not supported |
Prevent Expiration Risks | Use Bastion Hosts Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a bastion host is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected bastion hosts. | Not supported |
Prevent Expiration Risks | Use SLB Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a subscription Server Load Balancer (SLB) instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected SLB instances. | Not supported |
Prevent Expiration Risks | Use EIPs Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a subscription elastic IP address (EIP) is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected EIPs. | Not supported |
Prevent Expiration Risks | Use AnalyticDB Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of an AnalyticDB instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected AnalyticDB instances. | Not supported |
Prevent Expiration Risks | Use PolarDB Clusters Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a subscription PolarDB cluster is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected PolarDB clusters. | Not supported |
Prevent Expiration Risks | Use CEN Bandwidth Plans Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a Cloud Enterprise Network (CEN) bandwidth plan is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected CEN bandwidth plans. | Not supported |
Prevent Expiration Risks | Use PolarDB-X Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a PolarDB-X 1.0 or PolarDB-X 2.0 instance is more than 30 days. If yes, the check result is compliant. | Not supported | Not supported |
Prevent Expiration Risks | Use Anti-DDoS Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of an Anti-DDoS instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected Anti-DDoS instances. | Not supported |
Prevent Expiration Risks | Use ApsaraDB for Redis Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a subscription ApsaraDB for Redis instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected ApsaraDB for Redis instances. | Not supported |
Prevent Expiration Risks | Use ApsaraDB for MongoDB Instances Whose Resources Do not Have Expiration Risks | Checks whether the remaining validity period of a subscription ApsaraDB for MongoDB instance is more than 30 days. If yes, the check result is compliant. | Supported This fix enables auto-renewal for the selected ApsaraDB for MongoDB instances. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for ALB Instances | Checks whether the deletion protection feature is enabled for an Application Load Balancer (ALB) instance. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for ECS Instances | Checks whether the deletion protection feature is enabled for an ECS instance. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for ApsaraDB RDS Instances | Checks whether the deletion protection feature is enabled for an ApsaraDB RDS instance. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for SLB Instances | Checks whether the deletion protection feature is enabled for an SLB instance. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for EIPs | Checks whether the deletion protection feature is enabled for an EIP. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for PolarDB Clusters | Checks whether the deletion protection feature is enabled for a PolarDB cluster. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for ACK Clusters | Checks whether the deletion protection feature is enabled for an ACK cluster. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for ApsaraDB for Redis Instances | Checks whether the deletion protection feature is enabled for an ApsaraDB for Redis instance. If yes, the check result is compliant. | Supported This fix enables the deletion protection feature for the resources that you select. After the deletion protection feature is enabled for the resources, you cannot release the resources in the console, by calling API operations, or by using CLIs. Before you release an instance for which the deletion protection feature is enabled, go to the details page of the instance and disable the deletion protection feature for the instance. | Not supported |
Enable Deletion Protection | Enable the Deletion Protection Feature for ApsaraDB for MongoDB Instances | Checks whether the deletion protection feature is enabled for an ApsaraDB for MongoDB instance. If yes, the check result is compliant. | Not supported | Not supported |
Enable Configuration Change Management | Configure an Appropriate Maintenance Window for ECS Instances | Checks whether the creation time of snapshots is within the 01:00 to 02:00 time range. If you create snapshots for an ECS instance, the I/O performance of block storage is temporarily degraded. If the creation time that you specified for the automatic snapshot policy is within the 01:00 to 02:00 time range, the check result is compliant. | Supported This fix modifies the snapshot creation time of the automatic snapshot policies that you select. This ensures that the snapshot creation time falls within an appropriate time range and prevents your business from being affected. A snapshot creation time is recommended based on the best practices. You can modify the snapshot creation time based on your business requirements. | Not supported |
Enable Configuration Change Management | Configure an Appropriate Maintenance Window for ApsaraDB RDS Instances | Checks whether the maintenance window of an ApsaraDB RDS instance is within the 02:00 to 06:00 and 06:00 to 10:00 time ranges. If yes, the check result is compliant. | Supported This fix modifies the maintenance window of the instances that you select. A maintenance window is recommended based on the best practices. You can modify the maintenance window based on your business requirements. | Not supported |
Enable Configuration Change Management | Configure an Appropriate Maintenance Window for AnalyticDB for MySQL Clusters | Checks whether the maintenance window of an AnalyticDB for MySQL cluster is within the 02:00 to 04:00 and 06:00 to 10:00 time ranges. If yes, the check result is compliant. | Supported This fix modifies the maintenance window of the instances that you select. A maintenance window is recommended based on the best practices. You can modify the maintenance window based on your business requirements. | Not supported |
Enable Configuration Change Management | Configure an Appropriate Maintenance Window for PolarDB Clusters | Checks whether the maintenance window of a PolarDB cluster is within the 02:00 to 04:00 and 06:00 to 10:00 time ranges. If yes, the check result is compliant. | Supported This fix modifies the maintenance window of the instances that you select. A maintenance window is recommended based on the best practices. You can modify the maintenance window based on your business requirements. | Not supported |
Enable Configuration Change Management | Configure an Appropriate Maintenance Windows for ApsaraDB for Redis Instances | Checks whether the automatic backup period of an ApsaraDB for Redis instance is within the 04:00 to 05:00 and 05:00 to 06:00 time ranges. If yes, the check result is compliant. | Not supported | Not supported |
Enable Data Backup | Enable Data Backup for ECI | Checks whether a data volume is attached to the container group of an elastic container instance (ECI). If yes, the check result is compliant. | Not supported | Not supported |
Enable Data Backup | Enable Data Backup for Elasticsearch Clusters | Checks whether automatic backup is enabled for an Elasticsearch cluster. If yes, the check result is compliant. | Not supported | Not supported |
Enable Data Backup | Enable Log Backup for ApsaraDB RDS Instances | Checks whether log backup is enabled for an ApsaraDB RDS instance. If yes, the check result is compliant. | Supported This fix enables log backup for the ApsaraDB RDS instances that you select. By default, the backup data is stored for seven days. | Not supported |
Enable Data Backup | Enable Log Backup for AnalyticDB for MySQL Clusters | Checks whether log backup is enabled for an AnalyticDB for MySQL cluster. If yes, the check result is compliant. | Supported This fix enables log backup for the AnalyticDB for MySQL clusters that you select. By default, the backup data is stored for seven days. | Not supported |
Enable Data Backup | Enable Data Backup for PolarDB Clusters | Checks whether the level-2 backup feature is enabled for a PolarDB cluster and the retention period of level-2 backups is greater than or equal to 30 days. If yes, the check result is compliant. | Supported This fix configures the backup cycle and retention period of the level-2 backup feature for the PolarDB clusters that you select. By default, the retention period is 30 days. If the level-2 backup feature is disabled, this fix automatically enables the feature for the PolarDB clusters. | Not supported |
Enable Data Backup | Enable Data Backup for ApsaraDB for Redis Instances | Checks whether incremental backup is enabled for an ApsaraDB for Redis Enhanced Edition (Tair) instance. If yes, the check result is compliant. | Not supported | Not supported |
Enable Data Backup | Enable Versioning for OSS Buckets | Checks whether the versioning feature is enabled for an Object Storage Service (OSS) bucket. If the versioning feature is disabled for an OSS bucket, data cannot be restored when the data is overwritten or deleted. If the versioning feature is enabled for an OSS bucket, the check result is compliant. | Supported This fix enables the versioning feature for the OSS buckets that you select. After you enable versioning for an OSS bucket, data that is overwritten or deleted in the bucket is saved as a previous version. This way, you can restore objects in the bucket to a previous version to prevent your data from being accidentally overwritten or deleted. | Not supported |
Enable Data Backup | Enable Log Backup for ApsaraDB for MongoDB Instances | Checks whether log backup is enabled for an ApsaraDB for MongoDB instance. If yes, the check result is compliant. | Supported This fix enables log backup for the ApsaraDB for MongoDB instances that you select. By default, the backup data is stored for seven days. | Not supported |
Enable Snapshot | Enable the Snapshot Feature for Disks Attached to ECS Instances | Checks whether an automatic snapshot policy is configured for an ECS disk. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Multi-zone Architecture | Use the Multi-zone Architecture for Elasticsearch Clusters | Checks whether an Elasticsearch cluster is of the multi-zone architecture. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Multi-zone Architecture | Use the Multi-zone Architecture for ApsaraDB RDS Instances | Checks whether an ApsaraDB RDS instance is of the multi-zone architecture. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Multi-zone Architecture | Use the Multi-zone Architecture for SLB Instances | Checks whether an SLB instance is of the multi-zone architecture and the resources of multiple zones are added to the server groups used by the listeners of the SLB instance. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Multi-zone Architecture | Use the Multi-zone Architecture for PolarDB Clusters | Checks whether hot standby storage is enabled for a PolarDB cluster and whether data is distributed in multiple zones. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Multi-zone Architecture | Use the Multi-zone Architecture for ApsaraDB for Redis Instances | Checks whether an ApsaraDB for Redis instance is of the multi-zone architecture. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Multi-zone Architecture | Use the Multi-zone Architecture for OSS Buckets | Checks whether zone-redundant storage is enabled for an OSS bucket. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Multi-zone Architecture | Use the Multi-zone Architecture for ApsaraDB for MongoDB Instances | Checks whether an ApsaraDB for MongoDB instance is of the multi-zone architecture. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Cluster Architecture | Use the Cluster Architecture for PolarDB Clusters | Checks whether a PolarDB cluster is of Cluster Edition or Multi-master Cluster Edition. If yes, the check result is compliant. | Not supported | Not supported |
Use Instances of the Cluster Architecture | Use the Cluster Architecture for CEN Instances | Checks whether the health check feature is enabled for a virtual border router (VBR) that is attached to a CEN instance. If yes, the check result is compliant. | Not supported | Not supported |
Check items about cost-effectiveness
Category | Check item | Description | Quick fix | Auxiliary decision-making |
Optimize Resource Costs | Enable the Compliance Package for Idle Resources | Checks whether the BestPracticeForIdleResourceDetection compliance package is enabled in Cloud Config. If yes, the check result is compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle ALB Instances | Checks whether an idle ALB instance exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle Internet Shared Bandwidth Instances | Checks whether an idle Internet Shared Bandwidth instance exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle Container Registry Instances | Checks whether an idle Container Registry instance exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle ECS Instances | Checks whether an idle ECS instance exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle ECS Instances that Use Cloud Disks | Checks whether an idle ECS instance that uses cloud disks exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle EIPs | Checks whether an idle EIP exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle NAT Gateways | Checks whether an idle Internet NAT gateway exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle VPC-connected NAT Gateways | Checks whether an idle virtual private cloud (VPC) NAT gateway exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle NAS File Systems | Checks whether an idle Apsara File Storage NAS (NAS) file system exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle SLB Instances | Checks whether an idle SLB instance exists. If yes, the check result is non-compliant. | Not supported | Not supported |
Optimize Resource Costs | Check Idle VPN Gateways | Checks whether an idle VPN gateway exists. If yes, the check result is non-compliant. | Not supported | Not supported |