All Products
Search
Document Center

Cloud Governance Center:Configure protection rules in a centralized manner

Last Updated:Nov 06, 2024

You can configure and enable protection rules provided by Cloud Config for all member accounts of your resource directory in a centralized manner in the Cloud Governance Center console. This prevents the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center from being modified. This also ensures the security of the multi-account environment.

Run the protection rule initialization task

  1. Log on to the Cloud Governance Center console.

  2. In the left-side navigation pane, choose Landing Zone > LandingZone Setup.

  3. In the Standard Blueprint or Standard Blueprint (CEN) section, click Build.

    In this example, a standard blueprint is used.

  4. In the Added Items section of the Configure Blueprint page, click Guardrails.

  5. Select the protection rules that you want to enable.

    By default, the required rules are selected. You can select one or more recommended rules or optional rules.

Manage protection rules

After protection rules are initialized, you can manage the protection rules. You can view the details of a rule, view the compliance evaluation results of resources, or enable or disable a recommended rule or an optional rule.

  1. Log on to the Cloud Governance Center console.

  2. In the left-side navigation pane, choose Multi-account Management > Guardrails.

  3. In the Overview section, view the risk identification rules, enabled rules, disabled rules, and last modification time of the rules.

  4. On the All tab, click the name of the rule that you want to manage.

    • Click the Guardrail details tab and view the details of the rule. You can also enable or disable a recommended rule or an optional rule.

    • On the Result tab, view the compliance evaluation results of resources.

Protection rules

You can enable the following types of protection rules based on your business requirements:

  • Required rules: the basic protection rules. The required rules are automatically enabled and cannot be disabled.

  • Recommended rules: the security compliance rules. We recommend that you enable the recommended rules. You can enable or disable the recommended rules based on your business requirements.

  • Optional rules: You can enable or disable the optional rules based on your business requirements. After an optional rule is enabled, you can disable the optional rule.

Rule name

Rule description

Rule scope

Type

The OSS bucket that is specified for Cloud Governance Center to store audit logs denies the public read/write access.

If the access control list (ACL) is not public-read-write for the Object Storage Service (OSS) buckets that are specified for Cloud Governance Center to store audit logs, the configuration is considered compliant.

Log archive account

Required rule

The server-side OSS-managed encryption feature is enabled for the OSS bucket that is specified for Cloud Governance Center to store audit logs.

If server-side encryption is enabled for the OSS buckets that are specified for Cloud Governance Center to store audit logs, the configuration is considered compliant.

Log archive account

Required rule

A role that is specified to provide services exists in Cloud Governance Center.

If a service-linked role of Cloud Governance Center is created and can be searched by name, the configuration is considered compliant.

Log archive account

Optional rule

oss-bucket-audit-log-delete-prohibited

If the OSS buckets that are created by Cloud Governance Center to store audit logs within a log archive account are not deleted, the configuration is considered compliant.

Core folder

Required rule

oss-bucket-encryption-modify-prohibited

If the encryption settings of the OSS buckets that are created by Cloud Governance Center to store audit logs within a log archive account are not modified, the configuration is considered compliant.

Core folder

Required rule

oss-bucket-audit-logs-lifecycle-modify-prohibited

If the lifecycle settings of the OSS buckets that are created by Cloud Governance Center to store audit logs within a log archive account are not modified, the configuration is considered compliant.

Core folder

Required rule

cloud-governance-center-role-modify-prohibited

If the service-linked role that is used by Cloud Governance Center to provide services is not changed, the configuration is considered compliant.

Core folder

Required rule

cloud-config-feature-disable-prohibited

If Cloud Config that is used to perform compliance auditing on resources is activated, the configuration is considered compliant.

Core folder

Required rule

None of Alibaba Cloud accounts in the resource directory have AccessKey pairs.

If no AccessKey pairs are created for the Alibaba Cloud accounts in a resource directory, the configuration is considered compliant.

Global resource directory

Recommended rule

The MFA feature is enabled for all Alibaba Cloud accounts in the resource directory.

If multi-factor authentication (MFA) is enabled for all Alibaba Cloud accounts in a resource directory, the configuration is considered compliant.

Global resource directory

Recommended rule

Encryption is enabled for all data disks of the ECS instance.

If encryption is enabled for all the data disks of each Elastic Compute Service (ECS) instance, the configuration is considered compliant.

Global resource directory

Recommended rule

Not all networks are allowed access to high-risk ports of the security group.

If port 22 and port 3389 are disabled when 0.0.0.0/0 is added to the inbound IP address whitelist of a security group, the configuration is considered compliant.

Global resource directory

Recommended rule

The network access settings of the security group are valid.

If the port range -1/-1 and the authorized CIDR block 0.0.0.0/0 are not specified when the inbound authorization policy of a security group is set to Allow, the configuration is considered compliant.

Global resource directory

Recommended rule

The public read/write permissions are not granted on all OSS buckets.

If the ACL of each OSS bucket is not public-read-write, the configuration is considered compliant.

Global resource directory

Recommended rule

TDE encryption is enabled for the RDS instance.

If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Recommended rule

Use ApsaraDB RDS Instances in VPCs.

If no virtual private cloud (VPC) IDs are specified and the network type of each ApsaraDB RDS instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ApsaraDB RDS instance resides in one of the specified VPCs, the configuration is considered compliant. Separate multiple VPC IDs with commas (,).

Global resource directory

Recommended rule

The whitelist of an ApsaraDB RDS instance does not include all CIDR blocks.

If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Recommended rule

oss-bucket-logging-enabled

If logging is enabled on the Logging page of each OSS bucket, the configuration is considered compliant.

Global resource directory

Optional rule

The password policy of the RAM user meets the requirements.

If the password policy for each Resource Access Management (RAM) user meets the requirements, the configuration is considered compliant.

Global resource directory

Recommended rule

The RAM user does not have idle AccessKey pairs.

If the period between the most recent time when a RAM user used an AccessKey pair and the current time is less than the specified number of days, the configuration is considered compliant. The default period is 90 days.

Global resource directory

Recommended rule

The release protection feature is enabled for the ECS instance.

If the release protection feature is enabled for each ECS instance, the configuration is considered compliant.

Global resource directory

Recommended rule

The release protection feature is enabled for the SLB instance.

If the release protection feature is enabled for each Server Load Balancer (SLB) instance, the configuration is considered compliant.

Global resource directory

Recommended rule

The server-side OSS-managed encryption feature is enabled for OSS buckets.

If server-side encryption is enabled for each OSS bucket, the configuration is considered compliant.

Global resource directory

Optional rule

The MFA feature is enabled for all RAM users.

If MFA is enabled for each RAM user, the configuration is considered compliant.

Global resource directory

Optional rule

A resource must have at least one of the specified tags.

The value parameter can be set to multiple tag values. If the tag of a resource contains one of the tag values, the configuration is considered compliant.

Global resource directory

Optional rule

A resource must have all specified tags.

If a resource has all specified tags, the configuration is considered compliant. You can specify up to six tags.

Global resource directory

Optional rule

The RAM user has logged on within the specified time.

If each RAM user logs on to the system at least once in the previous 90 days, the configuration is considered compliant. If no logon record exists for a RAM user, the system checks the update time. If the RAM user is updated in the previous 90 days, the configuration is considered compliant. The rule does not take effect for the RAM users for which console access is disabled.

Global resource directory

Optional rule

The HTTPS listening feature is enabled for the SLB instance.

If port 80 and port 8080 are specified for the HTTPS listeners of each SLB instance, the configuration is considered compliant.

Global resource directory

Optional rule

The resource belongs to the specified region.

If each resource resides in the specified region, the configuration is considered compliant.

Global resource directory

Optional rule

waf-instance-logging-enabled

If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF), the configuration is considered compliant.

Global resource directory

Optional rule

vpc-flow-logs-enabled

If the flow log feature is enabled for each VPC, the configuration is considered compliant.

Global resource directory

Optional rule

api-group-integrated-waf

If an API group of API Gateway is bound to each custom domain name and the domain name is protected by WAF, the configuration is considered compliant.

Global resource directory

Optional rule

waf-domain-enabled-specified-protection-module

If a protection feature is enabled for each domain name that is protected by WAF, the configuration is considered compliant.

Global resource directory

Optional rule

security-group-high-risk-port-all-disabled

If 0.0.0.0/0 is added to the inbound IP address whitelist of each security group and high-risk ports are disabled, the configuration is considered compliant. If 0.0.0.0/0 is not added to the inbound IP address whitelist of a security group, the configuration is considered compliant regardless of whether high-risk ports are disabled. If a high-risk port is denied by an authorization policy with a higher priority, the configuration is considered compliant. The rule does not take effect for the security groups that are used by cloud services or virtual network operators (VNOs).

Global resource directory

Optional rule

security-group-non-whitelist-port-setting-valid

If each inbound rule in a security group allows access only from the ports within a range when the Authorization Object parameter of the inbound rule is set to 0.0.0.0/0, the configuration is considered compliant. The rule does not take effect for the security groups that are used by cloud services or VNOs.

Global resource directory

Optional rule

oss-bucket-anonymous-prohibited

If a bucket policy is configured for each OSS bucket whose ACL is public-read-write and the read and write permissions are not granted to anonymous accounts in the bucket policy, the configuration is considered compliant. The rule does not take effect for the OSS buckets whose ACL is private.

Global resource directory

Optional rule

ecs-public-access-check

If no public IPv4 address or elastic IP address (EIP) is specified for each ECS instance, the configuration is considered compliant.

Global resource directory

Optional rule

rds-public-and-any-ip-access-check

If Internet access is enabled for an ApsaraDB RDS instance and 0.0.0.0/0 is added to the IP address whitelist, the configuration is considered non-compliant.

Global resource directory

Optional rule

polardb-dbcluster-in-vpc

If Internet access is enabled for a PolarDB instance and 0.0.0.0/0 is added to the IP address whitelist, the configuration is considered non-compliant.

Global resource directory

Optional rule

cfw-all-asset-protection-enabled

If the protection feature is enabled for all assets in Cloud Firewall, the configuration is considered compliant. The rule takes effect only for Cloud Firewall of a paid edition. If you do not activate Cloud Firewall or use Cloud Firewall of a free edition, the configuration is considered compliant even if protection is disabled for an asset in Cloud Firewall.

Global resource directory

Optional rule

ecs-instance-enabled-security-protection

If the Security Center agent is installed on all running ECS instances to provide the protection feature, the configuration is considered compliant. The rule does not take effect for the ECS instances that are not running.

Global resource directory

Optional rule

security-center-version-check

If Security Center Enterprise Edition or a more advanced edition is used, the configuration is considered compliant.

Global resource directory

Optional rule

ecs-instance-updated-security-vul

If no unfixed vulnerabilities of a specific type or a specific level are detected by Security Center on each running ECS instance, the configuration is considered compliant. The rule does not take effect for the ECS instances that are not running.

Global resource directory

Optional rule

rds-high-availability-category

If the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Optional rule

actiontrail-trail-intact-enabled

If an active trail exists in ActionTrail and all types of events that are generated in all regions are tracked, the configuration is considered compliant. If the administrator of a resource directory has created a trail that applies to all members, the configuration is considered compliant.

Global resource directory

Optional rule

rds-instance-sql-collector-retention

If the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS for MySQL instance and the number of days for which SQL audit logs can be retained is no less than the specified period, the configuration is considered compliant. The default period is 180 days.

Global resource directory

Optional rule

ecs-snapshot-retention-days

If the auto snapshots of ECS instances are retained for a period no less than the specified number of days, the configuration is considered compliant. The default period is seven days.

Global resource directory

Optional rule

polardb-cluster-level-one-backup-retention

If the retention period for the level-1 backups of each PolarDB cluster is no less than the specified number of days, the configuration is considered compliant. The default period is seven days.

Global resource directory

Optional rule

polardb-cluster-enabled-tde

If the TDE feature is enabled in the data security settings of each PolarDB cluster, the configuration is considered compliant.

Global resource directory

Optional rule

kms-credential-automatic-rotation-enabled

If the automatic rotation feature is enabled for Key Management Service (KMS) secrets, the configuration is considered compliant.

Global resource directory

Optional rule

cmk-automatic-rotation-enabled

If the automatic rotation feature is enabled for the customer master keys (CMKs) in KMS, the configuration is considered compliant.

Global resource directory

Optional rule

cmk-delete-protection-enabled

If the deletion protection feature is enabled for KMS CMKs, the configuration is considered compliant.

Global resource directory

Optional rule

oss-encryption-byok-check

If the Encryption Method parameter of each OSS bucket is set to KMS, the configuration is considered compliant.

Global resource directory

Optional rule

rds-instance-enabled-byok-tde

If a custom key is used to enable TDE for each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Optional rule

redis-instance-enabled-byok-tde

If a custom key is used to enable TDE for each ApsaraDB for Redis instance, the configuration is considered compliant.

Global resource directory

Optional rule

cdn-domain-https-enabled

If HTTPS is enabled for each domain name that is accelerated by Alibaba Cloud CDN, the configuration is considered compliant.

Global resource directory

Optional rule

api-gateway-api-internet-request-https

If the request method of each API that allows Internet access in API Gateway is set to HTTPS, the configuration is considered compliant. The rule does not take effect for the APIs that allow only internal access.

Global resource directory

Optional rule

elasticsearch-instance-used-https-protocol

If HTTPS is enabled for each Elasticsearch instance, the configuration is considered compliant.

Global resource directory

Optional rule

oss-security-access-enabled

If the bucket policy of each OSS bucket allows read and write operations over HTTPS and denies access over HTTP, the configuration is considered compliant. The rule does not take effect for OSS buckets without a bucket policy.

Global resource directory

Optional rule

slb-http-listener-security-policy-suite

If the HTTPS listeners of each SLB instance use a specific security policy suite version, the configuration is considered compliant. The rule does not take effect for SLB instances without HTTPS listeners.

Global resource directory

Optional rule

fc-function-custom-domain-and-tls-enable

If each function in Function Compute is bound to a custom domain name and Transport Layer Security (TLS) of a specific version is enabled for the function, the configuration is considered compliant.

Global resource directory

Optional rule

ecs-all-enabled-account-security-protection

If the Security Center agent is installed on each ECS instance that belongs to the current account, the configuration is considered compliant.

Global resource directory

Optional rule

security-center-concern-necessity-check

If a vulnerability scan for risks of a specific level is configured in Security Center, the configuration is considered compliant.

Global resource directory

Optional rule

security-center-notice-config-check

If a notification method is specified for each notification item of Security Center, the configuration is considered compliant.

Global resource directory

Optional rule

rds-instance-maintain-time-check

If the maintenance period of each ApsaraDB RDS instance matches one of the specified time ranges, the configuration is considered compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected.

Global resource directory

Optional rule

polardb-cluster-maintain-time-check

If the maintenance period of each PolarDB cluster matches one of the specified time ranges, the configuration is considered compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected.

Global resource directory

Optional rule

ram-user-no-has-specified-policy

If a policy that meets the specified conditions and includes the permissions that are inherited from a RAM user group is not attached to each RAM user, the configuration is considered compliant. A policy that uses the default settings includes the administrator permissions. If this policy is attached to a RAM user, the configuration is considered non-compliant.

Global resource directory

Optional rule

ram-policy-no-statements-with-admin-access-check

If the Resource and Action parameters of RAM users, RAM user groups, and RAM roles are not set to *, which indicates the super administrator permissions, the configuration is considered compliant.

Global resource directory

Optional rule

ram-user-ak-create-date-expired-check

If the period between the time when the AccessKey pair of each RAM user was created and the current time is no more than the specified number of days, the configuration is considered compliant. The default period is 90 days.

Global resource directory

Optional rule

ram-user-group-membership-check

If each RAM user belongs to a RAM user group, the configuration is considered compliant.

Global resource directory

Optional rule

ram-user-login-check

If console access and API access are not enabled for each RAM user at the same time, the configuration is considered compliant.

Global resource directory

Optional rule

ram-user-sso-enabled

If the single sign-on (SSO) feature is enabled for each RAM user, the configuration is considered compliant.

Global resource directory

Optional rule

No RAM policies are idle.

If a policy is attached to one or more RAM user groups, RAM roles, or RAM users, the configuration is considered compliant.

Global resource directory

Optional rule

ram-group-has-member-check

If each RAM user group contains one or more RAM users, the configuration is considered compliant.

Global resource directory

Optional rule

security-center-leak-ak-check

If no leaked AccessKey pairs are detected in Security Center, the configuration is considered compliant.

Global resource directory

Optional rule

polardb-cluster-enabled-auditing

If the SQL audit feature is enabled for each PolarDB cluster, the configuration is considered compliant.

Global resource directory

Optional rule

rds-instance-enabled-log-backup

If you do not enable the log backup feature, you cannot restore the lost data in local logs. If the log backup feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Optional rule

nas-filesystem-enable-backup-plan

If a backup plan is created for each File Storage NAS file system, the configuration is considered compliant.

Global resource directory

Optional rule

polardb-cluster-log-backup-retention

If the retention period for the log backups of each PolarDB cluster is no less than the specified number of days, the configuration is considered compliant. The default period is 30 days. If log backup is not enabled or the backup retention period is less than the specified number of days, the configuration is considered non-compliant.

Global resource directory

Optional rule

oss-zrs-enabled

If the zone-redundant storage feature is disabled, OSS cannot provide consistent services or ensure data recovery when a data center becomes unavailable. If the zone-redundant storage feature is enabled for each OSS bucket, the configuration is considered compliant.

Global resource directory

Optional rule

sls-logstore-enabled-encrypt

If data encryption is enabled for each Logstore in Simple Log Service, the configuration is considered compliant.

Global resource directory

Optional rule

rds-event-log-enabled

If the event history feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Optional rule

polardb-cluster-default-time-zone-not-system

If the default_time_zone parameter of each PolarDB cluster is not set to SYSTEM, the configuration is considered compliant. We recommend that you specify a valid time zone for each PolarDB cluster.

Global resource directory

Optional rule

ecs-instance-os-name-check

You can use this rule to make sure that all ECS instances in the production environment use the same operating system version, or update the operating systems whose support is officially stopped to prevent security vulnerabilities. If the name of the operating system of each ECS instance is included in a whitelist or is not included in a blacklist, the configuration is considered compliant.

Global resource directory

Optional rule

ecs-instance-monitor-enabled

If the CloudMonitor agent is installed on each running ECS instance and the agent is running as expected, the configuration is considered compliant. The rule does not take effect for the ECS instances that are not running.

Global resource directory

Optional rule

cms-created-rule-for-specified-product

If at least one alert rule is configured in CloudMonitor for each Alibaba Cloud service of a namespace, the configuration is considered compliant.

Global resource directory

Optional rule

rds-instance-enabled-disk-encryption

If the disk encryption feature is enabled for each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Optional rule

ecs-in-use-disk-encrypted

If the encryption feature is enabled for each ECS data disk that is in use, the configuration is considered compliant.

Global resource directory

Optional rule

ecs-disk-mount-encrypted

If the encryption feature is enabled for each ECS data disk that you want to mount, the configuration is considered compliant.

Global resource directory

Optional rule

ecs-vpc-enabled

If no VPC IDs are specified and the network type of each ECS instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ECS instance resides in one of the specified VPCs, the configuration is considered compliant. Separate multiple VPC IDs with commas (,).

Global resource directory

Optional rule

ram-user-no-policy-check

If no policy is attached to each RAM user, the configuration is considered compliant. We recommend that you configure each RAM user to inherit permissions from a RAM user group or a RAM role.

Global resource directory

Optional rule

rds-postgresql-parameter-log-connections

If the log_connections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the configuration is considered compliant.

Global resource directory

Optional rule

rds-postgresql-parameter-log-disconnections

If the log_disconnections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the configuration is considered compliant.

Global resource directory

Optional rule

rds-postgresql-parameter-log-duration

If the log_duration parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the configuration is considered compliant.

Global resource directory

Optional rule

oss-authorization-policy-ip-limit-enabled

If the ACL of each OSS bucket is set to private or the bucket policy of each OSS bucket allows access only from specific IP addresses, the configuration is considered compliant.

Global resource directory

Optional rule

oss-acl-public-read-disabled

If the ACL of each OSS bucket is not public-read, the configuration is considered compliant.

Global resource directory

Optional rule

ecs-all-enabled-account-security-protection

If the Security Center agent is installed on each ECS instance that belongs to the current account, the configuration is considered compliant.

Global resource directory

Optional rule

vpc-secondary-cidr-route-check

If the related route table includes at least one entry that indicates the routing information of IP addresses for a custom VPC CIDR block, the configuration is considered compliant.

Global resource directory

Optional rule

rds-instance-enabled-ssl

If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the configuration is considered compliant.

Global resource directory

Optional rule

ack-cluster-terway-plugin-enabled

If the Terway network plug-in is used in each Container Service for Kubernetes (ACK) cluster, the configuration is considered compliant.

Global resource directory

Optional rule

ack-cluster-public-endpoint-disabled

If no public endpoint is configured for the API server in each ACK cluster, the configuration is considered compliant.

Global resource directory

Optional rule

ack-cluster-cloudmonitor-agent-installed

If the CloudMonitor agent is installed on all nodes in each ACK cluster and the agent is running as expected, the configuration is considered compliant.

Global resource directory

Optional rule

actiontrail-trail-enabled

If a trail is enabled in ActionTrail, the configuration is considered compliant.

Global resource directory

Optional rule

A high-availability RDS instance is purchased

If the edition of each ApsaraDB RDS instance is High-availability, the configuration is considered compliant. We recommend that you use ApsaraDB RDS instances of High-availability Edition. If you use ApsaraDB RDS instances of Basic Edition, the stability of your system may not be ensured. Proceed with caution.

Global resource directory

Optional rule

rds-multi-az-support

If ApsaraDB RDS instances are deployed across multiple zones, the configuration is considered compliant.

Global resource directory

Optional rule

rds-instance-enabled-security-ip-list

If an IP address whitelist is configured for each ApsaraDB RDS instance and 0.0.0.0/0 is not added to the IP address whitelist, the configuration is considered compliant.

Global resource directory

Optional rule

redis-instance-in-vpc

If no VPC IDs are specified and the network type of each ApsaraDB for Redis instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ApsaraDB for Redis instance resides in one of the specified VPCs, the configuration is considered compliant.

Global resource directory

Optional rule

redis-public-access-check

If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB for Redis instance, the evaluation result is Compliant.

Global resource directory

Optional rule

mongodb-instance-in-vpc

If no VPC IDs are specified and the network type of each ApsaraDB for MongoDB instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each ApsaraDB for MongoDB instance resides in one of the specified VPCs, the configuration is considered compliant.

Global resource directory

Optional rule

mongodb-public-access-check

If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB for MongoDB instance, the configuration is considered compliant.

Global resource directory

Optional rule

The network type of the PolarDB instance is VPC

If no VPC IDs are specified and the network type of each PolarDB instance is set to VPC, the configuration is considered compliant. If VPC IDs are specified and each PolarDB instance resides in one of the specified VPCs, the configuration is considered compliant.

Global resource directory

Optional rule

sql-server-database-proxy-enabled

If the access mode of each ApsaraDB RDS for SQL Server database is set to proxy, the configuration is considered compliant.

Global resource directory

Optional rule

slb-acl-public-access-check

If the ACL of each SLB instance does not include 0.0.0.0/0, the configuration is considered compliant.

Global resource directory

Optional rule

eip-bandwidth-limit

If the available bandwidth of each EIP is no less than the specified bandwidth, the configuration is considered compliant. The default bandwidth is 10 MB.

Global resource directory

Optional rule

slb-loadbalancer-bandwidth-limit

If the available bandwidth of each SLB instance is no less than the specified bandwidth, the configuration is considered compliant. The default bandwidth is 10 MB.

Global resource directory

Optional rule

polardb-public-access-check

If 0.0.0.0/0 is not added to the IP address whitelist of each PolarDB instance, the configuration is considered compliant.

Global resource directory

Optional rule