
Cloud Config: BestPracticesForResourceStability

Last Updated: Sep 25, 2023

This topic describes the background information and the scenarios of the BestPracticesForResourceStability compliance package, and lists the rules that the package contains.

Background information

Risk control is one of the primary concerns of cloud users. Most enterprises rely on Alibaba Cloud services to keep their business running with high availability. To ensure business continuity, cloud users need a way to identify risky cloud resource configurations efficiently and comprehensively.

The following case shows how non-compliant cloud resource configurations can cause a system failure.

Enterprise A deploys its core business system on an ApsaraDB RDS Basic Edition instance, a single-node edition that is intended for test environments. In daily operations no issues occur because traffic fluctuates only slightly. During large-scale promotional events, however, the workload increases two to three times and the amount of data processed in real time increases more than tenfold. The database instance becomes slow to respond, which threatens business continuity. The root cause is that the database configuration cannot meet the business requirements; the issue is resolved after the instance specifications are upgraded.

Scenarios

Cloud Config evaluates the static configurations of core resources for compliance and produces evaluation results that identify non-compliant configurations, based on technical experience and the specifications of cloud services. You can download the evaluation report and remediate the non-compliant configurations, for example by upgrading instance specifications or modifying configurations.

Static configurations are attributes of a cloud resource that do not change with traffic, such as the instance type and the zone in which an instance resides.

The following figure shows the process of using the BestPracticesForResourceStability compliance package. [Figure: scenario workflow]
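The expiration rules in the table that follows (redis-instance-expired-check, mongodb-cluster-expired-check, polardb-cluster-expired-check, slb-instance-expired-check, ecs-instance-expired-check, rds-instance-expired-check and the other *-expired-check rules) all apply one decision procedure to a resource's static billing attributes, and it is a good illustration of how a static-configuration evaluation produces the three results Compliant, Non-compliant and Not Applicable. The Python below is an added example written for this page, not code from Cloud Config or Alibaba Cloud. The field names (charge_type, expired_time, auto_renew) and the timestamp format are assumptions modelled on the ECS and RDS API attributes, and the sample fleet is constructed.

```python
"""Expiration check shared by the *-expired-check rules (added example)."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, Iterable, Optional

# Result vocabulary used by Cloud Config evaluation results.
COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-compliant"
NOT_APPLICABLE = "Not Applicable"


@dataclass
class Instance:
    # Hypothetical field names modelled on ECS/RDS API attributes
    # (InstanceChargeType, ExpiredTime, AutoRenew); the real values come
    # from the resource's configuration snapshot in Cloud Config.
    instance_id: str
    charge_type: str                    # "PrePaid" = subscription, "PostPaid" = pay-as-you-go
    expired_time: Optional[str] = None  # UTC, "YYYY-MM-DDTHH:MMZ"; None when not billed by period
    auto_renew: bool = False


def parse_expired_time(value: str) -> date:
    """Parse the UTC timestamp format the ECS/RDS APIs return, e.g. "2023-10-25T16:00Z"."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%MZ").date()


def evaluate_expired_check(inst: Instance, check_date: date, days: int = 30) -> str:
    """Return the evaluation result for one instance.

    The order of the tests matters: billing type first (pay-as-you-go
    resources are out of scope), then auto-renewal (always Compliant), then
    the remaining-days threshold. The threshold is strict ("greater than"),
    so an instance with exactly `days` days left is Non-compliant.
    """
    if inst.charge_type != "PrePaid":
        return NOT_APPLICABLE
    if inst.auto_renew:
        return COMPLIANT
    if inst.expired_time is None:
        # A subscription instance with no expiration date is a data gap;
        # fail closed so the report makes someone look at it.
        return NON_COMPLIANT
    remaining = (parse_expired_time(inst.expired_time) - check_date).days
    return COMPLIANT if remaining > days else NON_COMPLIANT


def evaluate_fleet(instances: Iterable[Instance], check_date: date, days: int = 30) -> Dict[str, str]:
    """Evaluate every instance and return {instance_id: result}."""
    return {i.instance_id: evaluate_expired_check(i, check_date, days) for i in instances}


# Constructed sample fleet (not real resources); the check date is fixed so
# the results are reproducible.
CHECK_DATE = date(2023, 9, 25)
SAMPLE_FLEET = [
    Instance("rm-sub-renew", "PrePaid", "2023-10-01T16:00Z", auto_renew=True),
    Instance("rm-sub-far", "PrePaid", "2023-12-01T16:00Z"),
    Instance("rm-sub-edge", "PrePaid", "2023-10-25T16:00Z"),  # exactly 30 days left
    Instance("rm-sub-soon", "PrePaid", "2023-10-02T16:00Z"),
    Instance("rm-payg", "PostPaid"),
]

if __name__ == "__main__":
    for instance_id, result in evaluate_fleet(SAMPLE_FLEET, CHECK_DATE).items():
        print(f"{instance_id:14} {result}")
```

The threshold is applied to whole calendar days between the expiration date and the check date, which is what "greater than a specified number of days" means in the rule descriptions; the per-rule default on this page is 30 days, so pass a different `days` value when you tune a rule.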

Default rules

Rule name

Description

rds-instance-enabled-log-backup

Checks whether log backup is enabled for each RDS instance. If so, the evaluation result is Compliant. If log backup is disabled, lost local logs cannot be recovered.

rds-instance-class-type-check

Checks whether each RDS instance belongs to the dedicated instance family. If so, the evaluation result is Compliant.

rds-instance-sql-collector-retention

Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS for MySQL instance and whether the number of days for which SQL audit logs can be retained is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 180.

rds-multi-az-support

Checks whether each RDS instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

rds-public-access-check

Checks whether no public endpoint is configured for each RDS instance. If so, the evaluation result is Compliant. To prevent cyberattacks, we recommend that you do not configure direct access to RDS instances in production environments over the Internet.

rds-instance-maintain-time-check

Checks whether the maintenance period of each RDS instance matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected.

rds-instacne-delete-protection-enabled

Checks whether the deletion protection feature is enabled for each RDS instance. If so, the evaluation result is Compliant. For subscription resources, the evaluation result is Not Applicable.

rds-instance-enabled-security-ip-list

Checks whether an IP address whitelist is configured for each RDS instance and 0.0.0.0/0 is not added to the IP address whitelist. If so, the evaluation result is Compliant.

redis-instance-expired-check

Checks whether the duration between the expiration date and the check date of each subscription ApsaraDB for Redis instance is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go resources, the evaluation result is Not Applicable.

redis-instance-backup-time-check

Checks whether the automatic backup period of each Redis instance matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the backup period, your business may be affected.

redis-public-access-check

Checks whether 0.0.0.0/0 is added to the IP whitelist of each ApsaraDB for Redis instance. If not, the evaluation result is Compliant.

redis-instance-disable-risk-commands

Checks whether high-risk commands are disabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

redis-architecturetype-cluster-check

Checks whether the edition of each ApsaraDB for Redis instance is Cluster Edition. If so, the evaluation result is Compliant.

mongodb-cluster-expired-check

Checks whether the duration between the expiration date and the check date of each subscription ApsaraDB for MongoDB cluster is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. If auto-renewal is enabled for a cluster, the evaluation result is also Compliant.

mongodb-instance-backup-log-enabled

Checks whether the log backup feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

mongodb-instance-class-not-shared

Checks whether each ApsaraDB for MongoDB instance uses a general-purpose (shared-resource) instance type. If not, the evaluation result is Compliant.

mongodb-public-access-check

Checks whether 0.0.0.0/0 is added to the IP whitelist of each ApsaraDB for MongoDB instance. If not, the evaluation result is Compliant.

polardb-cluster-expired-check

Checks whether the duration between the expiration date and the check date of each subscription resource is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. If you use subscription resources, you must renew the resources before they expire. This prevents your instances from being stopped due to expired resources. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go resources, the evaluation result is Not Applicable.

polardb-cluster-category-normal

Checks whether the edition of each PolarDB cluster is Cluster Edition or Multi-master Cluster Edition. If so, the evaluation result is Compliant. Proceed with caution when you use single-node clusters: they fail over slowly.

polardb-cluster-maintain-time-check

Checks whether the maintenance period of each PolarDB cluster matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected.

polardb-public-access-check

Checks whether 0.0.0.0/0 is added to the IP whitelist of each PolarDB instance. If not, the evaluation result is Compliant.

natgateway-eip-used-check

Checks whether the SNAT entries and the DNAT entries of each NAT gateway use different elastic IP addresses (EIPs). If so, the evaluation result is Compliant. For VPC NAT gateways, the evaluation result is Not Applicable.

natgateway-snat-eip-bandwidth-check

Checks whether, when multiple EIPs are associated with an SNAT entry of a NAT gateway, these EIPs are added to an EIP bandwidth plan or have the same maximum bandwidth. If so, the evaluation result is Compliant. For VPC NAT gateways, the evaluation result is Not Applicable.

slb-all-listener-health-check-enabled

Checks whether health check is enabled for all listeners of each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant.

alb-all-listener-health-check-enabled

Checks whether health check is configured for all listeners and forwarding rules of each Application Load Balancer (ALB) instance. If so, the evaluation result is Compliant.

alb-all-listenter-has-server

Checks whether the number of backend servers added to the default forwarding rule of each listener of each ALB instance is at least the specified number. If so, the evaluation result is Compliant. Default value: 1.

slb-instance-expired-check

Checks whether the duration between the expiration date and the check date of each subscription resource is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. If you use subscription resources, you must renew the resources before they expire. This prevents your instances from being stopped due to expired resources. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go resources, the evaluation result is Not Applicable.

slb-delete-protection-enabled

Checks whether the deletion protection feature is enabled for each ALB instance. If so, the evaluation result is Compliant. The feature prevents instances from being released due to misoperations.

slb-delete-protection-enabled

Checks whether the release protection feature is enabled for each SLB instance. If so, the evaluation result is Compliant.

slb-instance-spec-check

Checks whether the instance type of each SLB instance is in a specified specification list. If so, the evaluation result is Compliant. We recommend that you use SLB instances that can meet your performance requirements. If you use shared-resource SLB instances, your performance requirements may not be met. Proceed with caution.

cen-cross-region-bandwidth-check

Checks whether the bandwidth that is allocated to the inter-region connections of each Cloud Enterprise Network (CEN) instance is greater than a specified value. If so, the evaluation result is Compliant. Default value: 1 Mbit/s.

cen-all-vbr-health-check-enabled

Checks whether the health check feature is enabled for the virtual border routers (VBRs) that are attached to each CEN instance. If so, the evaluation result is Compliant.

region-vswitch-no-crossed-cidr

Checks whether the CIDR blocks of the vSwitches in each region do not overlap. If so, the evaluation result is Compliant.

ecs-instance-status-no-stopped

Checks whether each ECS instance is in the Stopped state. If not, the evaluation result is Compliant.

ecs-instance-expired-check

Checks whether the duration between the expiration date and the check date of each subscription resource is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. If you use subscription resources, you must renew the resources before they expire. This prevents your instances from being stopped due to expired resources. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go resources, the evaluation result is Not Applicable.

ecs-snapshot-policy-timepoints-check

Checks whether the snapshot creation time that you specified for each automatic snapshot policy falls in a specified time range. If so, the evaluation result is Compliant. When a snapshot is being created for an Elastic Block Storage (EBS) device, the I/O performance of the device degrades by up to 10%. This can result in a transient I/O speed decrease. We recommend that you create automatic snapshots during off-peak hours.

sg-risky-ports-check

Checks each security group that allows inbound access from 0.0.0.0/0 and verifies that no high-risk port is open to that source. If so, the evaluation result is Compliant. If no rule of a security group allows access from 0.0.0.0/0, the evaluation result is Compliant regardless of whether high-risk ports are open. If a high-risk port is denied by a rule with a higher priority, the evaluation result is Compliant. For security groups that are used by cloud services or virtual network operators, the evaluation result is Not Applicable.

cdn-domain-enabled-cache

Checks whether a CDN cache and an expiration time are specified for each domain name. If so, the evaluation result is Compliant.

cdn-domain-oss-source-check

Checks whether the origin server of each domain name accelerated by Alibaba Cloud CDN is set to an OSS domain name and the type of the origin server is set to OSS. If so, the evaluation result is Compliant.

kafka-instance-public-access-check

Checks whether the public IP address whitelist of each Kafka instance allows access from all IP addresses (0.0.0.0/0). If not, the evaluation result is Compliant.

elasticsearch-public-and-any-ip-access-check

Checks whether Internet access is enabled for each Elasticsearch cluster and access is allowed from any IP address. If so, the evaluation result is Non-compliant.

elasticsearch-instance-enabled-kibana-public-check

Checks whether each Elasticsearch instance denies public network access to Kibana and does not allow access from all IP addresses. If so, the evaluation result is Compliant.

oss-bucket-versioning-enabled

Checks whether versioning is enabled for each OSS bucket. If so, the evaluation result is Compliant. If versioning is disabled, data cannot be recovered when it is overwritten or deleted.

oss-bucket-public-write-prohibited

Checks whether the access control list (ACL) of each OSS bucket prohibits write access from the Internet, that is, the ACL is not public-read-write. If so, the evaluation result is Compliant.

ecs-instance-type-family-not-deprecated

Checks whether the instance family of each ECS instance is different from the specified values. If so, the evaluation result is Compliant. The default values of the instanceTypeFamily parameter are discontinued or shared instance families.

elasticsearch-instance-node-not-use-specified-spec

Checks whether the instance type of each Elasticsearch cluster is different from the specified values. If so, the evaluation result is Compliant.

rds-instance-category-check

Checks whether the edition of each RDS instance matches a specified value. If so, the evaluation result is Compliant. The default value of the categories parameter indicates Cluster Edition or High-availability Edition.

ack-cluster-spec-check

Checks whether each Kubernetes cluster is an ACK edge Pro cluster. If so, the evaluation result is Compliant. For unmanaged Kubernetes clusters, the evaluation result is Not Applicable.

redis-instance-edition-type-check

Checks whether the edition of each ApsaraDB for Redis instance is Enhanced Edition (Tair). If so, the evaluation result is Compliant.

mongodb-instance-multi-node

Checks whether each ApsaraDB for MongoDB instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

ons-instance-type-check

Checks whether the edition of each ApsaraMQ for RocketMQ instance is Enterprise Platinum Edition. If so, the evaluation result is Compliant.

ecs-instance-os-name-check

Checks whether the operating system name of each ECS instance appears in a specified whitelist or does not appear in a specified blacklist. If so, the evaluation result is Compliant. Enterprises can use this rule to standardize operating system versions and to upgrade operating systems that are no longer maintained before their unpatched vulnerabilities are exploited.

elasticsearch-instance-version-not-deprecated

Checks whether the version of each Elasticsearch cluster is recommended. If so, the evaluation result is Compliant.

polardb-dbversion-status-check

Checks whether the minor version of each PolarDB database is stable. If so, the evaluation result is Compliant.

ack-cluster-upgrade-latest-version

Checks whether each ACK cluster is upgraded to the latest version. If so, the evaluation result is Compliant.

redis-instance-upgrade-latest-version

Checks whether each Redis instance is upgraded to the latest minor version. If so, the evaluation result is Compliant.

ecs-instance-deletion-protection-enabled

Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant.

eip-delete-protection-enabled

Checks whether the deletion protection feature is enabled for each EIP. If so, the evaluation result is Compliant. For EIPs created with service accounts and subscription EIPs, the evaluation result is Not Applicable. These EIPs do not support the deletion protection feature.

polardb-cluster-delete-protection-enabled

Checks whether the deletion protection feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant.

ack-cluster-deletion-protection-enabled

Checks whether the deletion protection feature is enabled for each ACK cluster. If so, the evaluation result is Compliant.

redis-instance-release-protection

Checks whether the release protection feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

mongodb-instance-release-protection

Checks whether the release protection feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

adb-cluster-maintain-time-check

Checks whether the maintenance period of each AnalyticDB cluster falls in a specified time range. If so, the evaluation result is Compliant.

eci-container-group-volumn-mounts

Checks whether a data volume is mounted on each container group. If so, the evaluation result is Compliant.

elasticsearch-instance-snapshot-enabled

Checks whether the automatic backup feature is enabled for each Elasticsearch cluster. If so, the evaluation result is Compliant.

adb-cluster-log-backup-enabled

Checks whether the log backup feature is enabled for each AnalyticDB cluster. If so, the evaluation result is Compliant.

polardb-cluster-level-two-backup-retention

Checks whether the retention period of the level-2 backup of each PolarDB cluster is longer than or equal to the specified number of days. If so, the evaluation result is Compliant. Default value: 30. If level-2 backup is not enabled or the backup retention period is less than the specified number of days, the evaluation result is Non-compliant.

redis-instance-backup-log-enabled

Checks whether incremental backup is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. For non-Tair instances, the evaluation result is Not Applicable.

ecs-disk-auto-snapshot-policy

Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant.

elasticsearch-instance-multi-zone

Checks whether each Elasticsearch instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

slb-all-listener-servers-multi-zone

Checks whether each SLB instance uses the multi-zone architecture and the resources of multiple zones are added to the server group that is used by all listeners of the SLB instance. If so, the evaluation result is Compliant.

slb-instance-multi-zone

Checks whether each SLB instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

polardb-cluster-multi-zone

Checks whether the hot standby cluster feature is enabled for each PolarDB cluster and data is distributed across multiple zones. If so, the evaluation result is Compliant.

redis-instance-multi-zone

Checks whether each ApsaraDB for Redis instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

oss-zrs-enabled

Checks whether zone-redundant storage (ZRS) is enabled for each OSS bucket. If so, the evaluation result is Compliant. If ZRS is disabled, OSS cannot keep serving requests and guarantee that data can be recovered when a zone (data center) becomes unavailable.

mongodb-instance-multi-zone

Checks whether each ApsaraDB for MongoDB instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

cbwp-bandwidth-package-expired-check

Checks whether the duration between the expiration date of each EIP bandwidth plan and the current date is greater than a specified period of time. If so, the evaluation result is Compliant. Default value: 30. For pay-as-you-go resources, the evaluation result is Not Applicable.

rds-instance-expired-check

Checks whether the duration between the expiration date and the check date of each subscription resource is greater than a specified number of days. If so, the evaluation result is Compliant. If you use subscription resources, you must renew the resources before they expire. This prevents your instances from being stopped due to expired resources. Default value: 30. For pay-as-you-go resources, the evaluation result is Not Applicable.

bastionhost-instance-expired-check

Checks whether the duration between the expiration date of each bastion host and the current date is greater than a specified period of time. If so, the evaluation result is Compliant. Default value: 30.

eip-address-expired-check

Checks whether the duration between the expiration date of each EIP and the current date is greater than a specified period of time. If so, the evaluation result is Compliant. Default value: 30. For pay-as-you-go resources, the evaluation result is Not Applicable.

adb-cluster-expired-check

Checks whether the duration between the expiration date of each AnalyticDB for MySQL cluster (Data Warehouse Edition) and the current date is greater than a specified period of time. If so, the evaluation result is Compliant. Default value: 30. If auto-renewal is enabled for an instance, the evaluation result is also Compliant. For pay-as-you-go resources, the evaluation result is Not Applicable.

cen-bandwidth-package-expired-check

Checks whether the duration between the expiration date of each CEN bandwidth plan and the current date is greater than a specified period of time. If so, the evaluation result is Compliant. Default value: 30.

polardb-x1-instance-expired-check

Checks whether the duration between the expiration date of each PolarDB for Xscale 1.0 instance and the current date is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. For pay-as-you-go resources, the evaluation result is Not Applicable.

polardb-x2-instance-expired-check

Checks whether the duration between the expiration date of each PolarDB for Xscale 2.0 instance and the current date is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. For pay-as-you-go resources, the evaluation result is Not Applicable.

ddoscoo-instance-expired-check

Checks whether the duration between the expiration date of each Anti-DDoS instance and the current date is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30.
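The whitelist rules above (rds-instance-enabled-security-ip-list, redis-public-access-check, mongodb-public-access-check, polardb-public-access-check, kafka-instance-public-access-check) and sg-risky-ports-check both come down to recognising an any-source entry (0.0.0.0/0) and, for security groups, deciding whether a higher-priority drop rule shields a high-risk port from that source. The Python below is an added example, not Cloud Config's own implementation. The SgRule field names, the high-risk port list and the tie-breaking assumption that a drop rule wins over an accept rule of equal priority are assumptions, and the sample whitelists and security groups are constructed.

```python
"""Any-source whitelist entries and security-group risky-port exposure (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-compliant"

# Assumed high-risk port list; the page does not quote Cloud Config's default set.
HIGH_RISK_PORTS: List[Tuple[str, int]] = [
    ("tcp", 22), ("tcp", 23), ("tcp", 445), ("tcp", 1433), ("tcp", 3306),
    ("tcp", 3389), ("tcp", 6379), ("tcp", 27017), ("udp", 137),
]


@dataclass
class SgRule:
    # Hypothetical field names loosely following the ECS security-group rule
    # attributes (Direction, Policy, Priority, IpProtocol, PortRange, SourceCidrIp).
    direction: str     # "ingress" or "egress"
    policy: str        # "accept" or "drop"
    priority: int      # 1 is the highest priority, 100 the lowest
    ip_protocol: str   # "tcp", "udp", "icmp" or "all"
    port_range: str    # "22/22", "8000/9000", or "-1/-1" for all ports
    source_cidr: str   # e.g. "0.0.0.0/0"; may also be a security group ID


def is_any_source(entry: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: prefix length 0 matches every address."""
    try:
        return ipaddress.ip_network(entry.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False   # security-group IDs or malformed entries are never "any"


def rule_matches(rule: SgRule, proto: str, port: int) -> bool:
    """Does the rule cover this protocol/port? "all" and "-1/-1" are wildcards."""
    if rule.ip_protocol not in ("all", proto):
        return False
    lo, hi = (int(x) for x in rule.port_range.split("/"))
    return lo == -1 or lo <= port <= hi


def evaluate_ip_whitelist(entries: Iterable[str]) -> str:
    """Whitelist checks (RDS, Redis, MongoDB, PolarDB, Kafka): a non-empty
    list that contains no any-source entry is Compliant."""
    entries = [e for e in entries if e.strip()]
    if not entries or any(is_any_source(e) for e in entries):
        return NON_COMPLIANT
    return COMPLIANT


def evaluate_sg_risky_ports(rules: Iterable[SgRule], risky=HIGH_RISK_PORTS) -> Tuple[str, List[Tuple[str, int]]]:
    """sg-risky-ports-check. Returns (result, ports still reachable from 0.0.0.0/0)."""
    ingress = [r for r in rules if r.direction == "ingress"]
    if not any(r.policy == "accept" and is_any_source(r.source_cidr) for r in ingress):
        return COMPLIANT, []   # nothing is open to the world, so risky ports are moot
    exposed = []
    for proto, port in risky:
        accepts = [r for r in ingress if r.policy == "accept"
                   and is_any_source(r.source_cidr) and rule_matches(r, proto, port)]
        if not accepts:
            continue
        strongest_accept = min(r.priority for r in accepts)
        # A drop rule shields the port only if it also covers every source and is
        # evaluated no later than the accept rule. Assumption: lower number wins,
        # and on equal priority the drop rule wins, hence "<=".
        shielded = any(r.policy == "drop" and is_any_source(r.source_cidr)
                       and rule_matches(r, proto, port) and r.priority <= strongest_accept
                       for r in ingress)
        if not shielded:
            exposed.append((proto, port))
    return (NON_COMPLIANT, exposed) if exposed else (COMPLIANT, [])


# Constructed sample security groups (not real resources).
SAMPLE_GROUPS = {
    "sg-internal-only": [SgRule("ingress", "accept", 1, "tcp", "22/22", "10.0.0.0/8")],
    "sg-web": [SgRule("ingress", "accept", 1, "tcp", "443/443", "0.0.0.0/0"),
               SgRule("ingress", "accept", 1, "tcp", "22/22", "10.0.0.0/8")],
    "sg-ssh-open": [SgRule("ingress", "accept", 1, "tcp", "22/22", "0.0.0.0/0")],
    "sg-deny-shield": [SgRule("ingress", "accept", 100, "all", "-1/-1", "0.0.0.0/0"),
                       SgRule("ingress", "drop", 1, "tcp", "22/22", "0.0.0.0/0"),
                       SgRule("ingress", "drop", 1, "tcp", "3389/3389", "0.0.0.0/0")],
    "sg-deny-too-weak": [SgRule("ingress", "accept", 10, "tcp", "22/22", "0.0.0.0/0"),
                         SgRule("ingress", "drop", 50, "tcp", "22/22", "0.0.0.0/0")],
}

if __name__ == "__main__":
    for name, rules in SAMPLE_GROUPS.items():
        print(name, *evaluate_sg_risky_ports(rules))
    print(evaluate_ip_whitelist(["10.0.0.0/8", "0.0.0.0/0"]))
```

Two points the sample groups make explicit: an "allow everything" rule plus a couple of targeted drops (sg-deny-shield) still leaves every other high-risk port exposed, and a drop rule only counts if its priority is at least as strong as the accept rule it is supposed to override (sg-deny-too-weak).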
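The time-window rules above (rds-instance-maintain-time-check, redis-instance-backup-time-check, polardb-cluster-maintain-time-check, adb-cluster-maintain-time-check and ecs-snapshot-policy-timepoints-check) need one piece of logic that is easy to get wrong: a window such as 22:00Z-02:00Z crosses midnight, and two allowed ranges that touch each other must be treated as one block, otherwise a window that straddles their boundary is wrongly reported as Non-compliant. The Python below is an added example, not Cloud Config's code. It assumes the HH:MMZ-HH:MMZ UTC format that the RDS and Redis APIs use for maintenance and backup windows, treats snapshot time points as whole UTC hours, and the allowed ranges are a constructed rule parameter.

```python
"""Maintenance/backup window check with midnight wrap-around (added example)."""
from typing import Iterable, List, Tuple

COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-compliant"

MINUTES_PER_DAY = 24 * 60
Segment = Tuple[int, int]   # half-open [start, end) in minutes since 00:00 UTC


def to_minutes(hhmm: str) -> int:
    """'02:00Z' -> 120. The trailing Z marks UTC, as in the RDS MaintainTime format."""
    hh, mm = hhmm.strip().rstrip("Z").split(":")
    return int(hh) * 60 + int(mm)


def segments(window: str) -> List[Segment]:
    """Split 'HH:MMZ-HH:MMZ' into segments inside one UTC day.

    A window that crosses midnight ('22:00Z-02:00Z') becomes two segments;
    an end time of 00:00Z means the end of the day.
    """
    start_s, end_s = window.split("-")
    start, end = to_minutes(start_s), to_minutes(end_s)
    if end == 0:
        end = MINUTES_PER_DAY
    if start < end:
        return [(start, end)]
    return [(start, MINUTES_PER_DAY), (0, end)]


def merged(segs: Iterable[Segment]) -> List[Segment]:
    """Merge overlapping or adjacent segments so '18:00Z-22:00Z' and
    '22:00Z-02:00Z' count as one allowed block from 18:00Z to 02:00Z."""
    out: List[Segment] = []
    for s0, s1 in sorted(segs):
        if out and s0 <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], s1))
        else:
            out.append((s0, s1))
    return out


def allowed_segments(allowed: Iterable[str]) -> List[Segment]:
    return merged(s for w in allowed for s in segments(w))


def window_within(window: str, allowed: Iterable[str]) -> bool:
    """True if every part of the window lies inside one allowed block."""
    blocks = allowed_segments(allowed)
    return all(any(a0 <= s0 and s1 <= a1 for a0, a1 in blocks) for s0, s1 in segments(window))


def evaluate_maintain_time(window: str, allowed: Iterable[str]) -> str:
    """RDS/PolarDB/AnalyticDB maintenance-window and Redis backup-window checks."""
    return COMPLIANT if window_within(window, allowed) else NON_COMPLIANT


def evaluate_snapshot_timepoints(timepoints: Iterable, allowed: Iterable[str]) -> str:
    """ecs-snapshot-policy-timepoints-check: each hour (0-23) must fall in an allowed block."""
    blocks = allowed_segments(allowed)
    points = [int(h) * 60 for h in timepoints]
    ok = all(any(a0 <= p < a1 for a0, a1 in blocks) for p in points)
    return COMPLIANT if points and ok else NON_COMPLIANT


# Constructed rule parameter: off-peak is 18:00Z-02:00Z, i.e. 02:00-10:00
# Beijing time (UTC+8), written as two touching ranges.
ALLOWED = ["18:00Z-22:00Z", "22:00Z-02:00Z"]

if __name__ == "__main__":
    for window in ("20:00Z-00:00Z", "23:00Z-01:00Z", "01:00Z-03:00Z", "17:00Z-21:00Z"):
        print(window, evaluate_maintain_time(window, ALLOWED))
    print(evaluate_snapshot_timepoints([19, 23, 1], ALLOWED))
```

Keep everything in UTC until the final report: the APIs return the windows with a Z suffix, and converting to local time before merging is where off-by-one-day mistakes creep in around midnight.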