The BestPracticesForECS compliance package checks the compliance in the status, security settings, protection settings, and snapshot settings of ECS instances to prevent service interruptions and cost overrun risks. This topic describes the rules that are provided in the BestPracticesForECS compliance package.
Rule name | Description |
Checks whether each ECS instance is in the Stopped state. If not, the evaluation result is Compliant. | |
Checks whether the duration between the expiration date and the check date of each subscription resource is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. If you use subscription resources, you must renew the resources before they expire. This prevents your instances from being stopped due to expired resources. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go resources, the evaluation result is Not Applicable. | |
Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant. | |
Checks whether the network type of each ECS instance is set to VPC if you do not configure the vpcIds parameter. If so, the evaluation result is Compliant. Checks whether the VPC where each ECS instance resides is the same as a specified VPC if you configure the vpcIds parameter. If so, the evaluation result is also Compliant. | |
Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant. | |
Checks whether each ECS data disk is attached to an ECS instance. If so, the evaluation result is Compliant. | |
Checks whether the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, or an authorization policy with a higher priority is configured. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. | |
Checks whether each ECS instance is added to a specified security group. If so, the evaluation result is Compliant. | |
Checks whether the system image of each ECS instance falls within the specified parameter range. If so, the evaluation result is Compliant. | |
Checks whether the vulnerabilities that are identified by Security Center on each ECS instance are fixed. If so, the evaluation result is Compliant. | |
Checks whether the Security Center agent is installed on each ECS instance that belongs to the current account. If so, the evaluation result is Compliant. | |
Checks whether no ECS instance is locked due to issues such as overdue payments or security risks. If so, the evaluation result is Compliant. | |
Checks whether the health check feature is enabled for the ECS instances of each scaling group. If so, the evaluation result is Compliant. | |
Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant. | |
Checks whether no ECS disk is locked due to issues such as overdue payments or security risks. If so, the evaluation result is Compliant. | |
Checks whether the auto snapshots of each ECS disk are retained when the disk is released. If so, the evaluation result is Compliant. | |
Checks whether the auto snapshots of ECS instances are retained for a period longer than or equal to the specified number of days. If so, the evaluation result is Compliant. Default value: 7. | |
Checks whether 0.0.0.0/0 is added to the IP address whitelist of each security group and high-risk ports are disabled. If so, the evaluation result is Compliant. If 0.0.0.0/0 is not added to the IP address whitelist of a security group, the evaluation result is Compliant regardless of whether high-risk ports are disabled. If a high-risk port is denied by an authorization policy with a higher priority, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |