
Cloud Config: ClassifiedProtectionPreCheck

Last Updated: Nov 01, 2024

Checks the compliance of Alibaba Cloud resources based on the specific requirements of Multi-Level Protection Scheme (MLPS) 2.0 Level 3. A compliance package template provides a common framework that is used to create compliance packages. You can specify input parameters of rules and configure remediation settings based on a compliance package template to create a compliance package that meets your business requirements. A Compliant evaluation result means only that the resources satisfy the rules in the compliance package; it does not mean that the resources meet legal requirements, regulations, or industry standards.

Columns: Rule name, Code, Code description, Rule description. A rule that shows no code belongs to the code listed for the rule above it; a code that shows no description is described at its first occurrence.

eip-bandwidth-limit

8.1.2.1

b) Make sure that the bandwidth of each network component meets your requirements during peak hours.

c) Plan network zones and assign IP addresses to each zone to perform efficient management operations.

Checks whether the available bandwidth of each elastic IP address (EIP) is greater than or equal to a specified value. If so, the evaluation result is Compliant. Default value: 10. Unit: MB.

slb-loadbalancer-bandwidth-limit

Checks whether the available bandwidth of each Server Load Balancer (SLB) instance is greater than or equal to the specified value. If so, the evaluation result is Compliant. Default value: 10. Unit: MB.

cen-cross-region-bandwidth-check

Checks whether the bandwidth that is allocated to the inter-region connections of each Cloud Enterprise Network (CEN) instance is greater than a specified value. If so, the evaluation result is Compliant. Default value: 1 Mbit/s.

natgateway-snat-eip-bandwidth-check

Checks whether multiple EIPs associated with each SNAT entry of a NAT gateway are added to an EIP bandwidth plan, or the specified maximum bandwidth of these EIPs is the same. If so, the evaluation result is Compliant. This rule does not apply to Virtual Private Cloud (VPC) NAT gateways.

ecs-instances-in-vpc

Checks whether the network type of each Elastic Compute Service (ECS) instance is set to VPC if no parameter is configured. If you configure the required parameter, the system checks whether the VPC where ECS instances reside matches the specified setting. If so, the evaluation result is Compliant. Separate multiple parameter values with commas (,).

rds-instances-in-vpc

Checks whether the network type of each ApsaraDB RDS instance is VPC if the vpcIds parameter is not configured. If each ApsaraDB RDS instance is deployed in one of the specified VPCs when the vpcIds parameter is configured, the evaluation result is Compliant. Separate multiple parameter values with commas (,).

redis-instance-in-vpc

Checks whether the network type of each ApsaraDB for Redis instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant. If the VPC where each ApsaraDB for Redis instance resides is the same as a specified VPC when the vpcIds parameter is configured, the evaluation result is Compliant.

slb-all-listenter-tls-policy-check

8.1.2.2

b) Use cryptography techniques to ensure data confidentiality during communication.

Checks whether the HTTPS listeners of each SLB instance use a specified security policy suite version. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no HTTPS listener is configured.

rds-instance-tls-version-check

Checks whether the SSL feature is enabled for each ApsaraDB RDS instance and the Transport Layer Security (TLS) version that is used on the instance is within a specified version range. If so, the evaluation result is Compliant.

oss-security-access-enabled

Checks whether the bucket policy of each Object Storage Service (OSS) bucket allows read and write access over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets for which no policies are configured.

cdn-domain-tls13-enabled

Checks whether the TLS 1.3 protocol is enabled for each domain name accelerated by Alibaba Cloud CDN. If so, the evaluation result is Compliant.

polardb-cluster-enabled-ssl

Checks whether the SSL encryption feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant.

api-gateway-group-https-policy-check

Checks whether the HTTPS security policies configured for an API group in API Gateway are included in the policy list specified by the input parameter of this rule. If so, the evaluation result is Compliant.

oss-bucket-policy-no-any-anonymous

Checks whether the bucket policy of each OSS bucket grants read and write permissions to anonymous accounts. If no read or write permissions are granted to anonymous accounts, the evaluation result is Compliant. If no policies are specified for OSS buckets, the evaluation result is Compliant.

sg-public-access-check

Codes: 8.1.3.1, 8.1.3.2

8.1.3.1

a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices.

b) Perform access control or check access requests that are sent from unauthorized devices over the internal network.

8.1.3.2

a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules.

c) Perform a check on source IP addresses, destination IP addresses, source ports, destination ports, and protocols to allow or deny incoming and outgoing packets.

Checks whether the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, or an authorization policy with a higher priority is configured. If so, the evaluation result is Compliant. This rule does not apply to the security groups that are used by cloud services or virtual network operators.

rds-public-connection-and-any-ip-access-check

Checks whether each ApsaraDB RDS instance in your account uses no public IP address, or whether its IP address whitelist does not allow access from all source IP addresses. If so, the evaluation result is Compliant.

cr-instance-any-ip-access-check

Checks whether 0.0.0.0/0 is added to the IP address whitelist of each Container Registry instance. If not, the evaluation result is Compliant. This rule applies to Container Registry Enterprise Edition instances.

elasticsearch-public-and-any-ip-access-check

Checks whether each Elasticsearch cluster denies access from public networks or does not allow access from all IP addresses. If so, the evaluation result is Compliant.

cr-instance-public-access-check

Checks whether the public access portal is enabled for a Container Registry instance. If the public access portal is not enabled, the evaluation result is Compliant. This rule applies to Container Registry Enterprise Edition instances.

redis-public-and-any-ip-access-check

Checks whether Internet access is enabled for each ApsaraDB for Redis instance and all CIDR blocks are added to the IP whitelist of the instance. If Internet access is disabled for each ApsaraDB for Redis instance, or if the instance can access the Internet but its whitelists do not contain 0.0.0.0/0, the evaluation result is Compliant. If Internet access is enabled for each ApsaraDB for Redis instance and all CIDR blocks are added to the IP whitelist of the instance, the evaluation result is Non-compliant.

security-group-high-risk-port-all-disabled

Checks whether 0.0.0.0/0 is specified as the authorization object in inbound rules of each security group and the selected ports do not contain risky ports. If so, the evaluation result is Compliant. If 0.0.0.0/0 is not specified as the authorization object in inbound rules of each security group, the evaluation result is Compliant regardless of whether the selected ports contain risky ports. If a risky port is denied by a policy with a higher priority, the evaluation result is Compliant. This rule does not apply to the security groups that are used by cloud services or virtual network operators.
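The two security group rules above (sg-public-access-check and security-group-high-risk-port-all-disabled) both hinge on whether an accept rule open to 0.0.0.0/0 is overridden by a higher-priority drop rule. The following evaluator is an added example, not Alibaba Cloud Config's own code; it assumes that a lower priority number outranks a higher one, that "-1/-1" means every port, that a drop rule only overrides an accept rule for the same source CIDR, and that the risky port list (which the page does not name) is the constructed default below.

```python
"""Evaluate inbound security-group rules the way sg-public-access-check and
security-group-high-risk-port-all-disabled are described.

Added example, not Alibaba Cloud Config's evaluator. Assumed conventions:
lower priority number wins, "-1/-1" means all ports, and a higher-priority
drop rule only overrides an accept rule with the same source CIDR.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY_IPV4 = "0.0.0.0/0"

# Constructed default list of risky ports; the page does not name them.
DEFAULT_RISKY_PORTS: Sequence[int] = (22, 3389, 3306, 6379)


@dataclass(frozen=True)
class InboundRule:
    policy: str       # "accept" or "drop"
    priority: int     # 1 is the highest priority (assumed convention)
    port_range: str   # "22/22", "1/65535" or "-1/-1" (all ports)
    source_cidr: str  # authorization object, e.g. "0.0.0.0/0"


def port_bounds(port_range: str) -> Tuple[int, int]:
    """Translate "lo/hi" into an inclusive port interval; "-1/-1" means all ports."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def shadowing_drop(rule: InboundRule, rules: Sequence[InboundRule],
                   lo: int, hi: int) -> Optional[InboundRule]:
    """Return a drop rule that outranks `rule`, has the same source and spans lo..hi."""
    for other in rules:
        if other.policy != "drop" or other.priority >= rule.priority:
            continue
        if other.source_cidr != rule.source_cidr:
            continue
        olo, ohi = port_bounds(other.port_range)
        if olo <= lo and hi <= ohi:
            return other
    return None


def sg_public_access_check(rules: Sequence[InboundRule]) -> bool:
    """Compliant unless an accept rule opens all ports (-1/-1) to 0.0.0.0/0
    and no higher-priority drop rule overrides it."""
    for rule in rules:
        if rule.policy != "accept" or rule.source_cidr != ANY_IPV4:
            continue
        if port_bounds(rule.port_range) != (1, 65535):
            continue
        if shadowing_drop(rule, rules, 1, 65535) is None:
            return False
    return True


def exposed_risky_ports(rules: Sequence[InboundRule],
                        risky_ports: Sequence[int] = DEFAULT_RISKY_PORTS) -> List[int]:
    """Risky ports reachable from 0.0.0.0/0 through an accept rule that no
    higher-priority drop rule denies; an empty list means Compliant."""
    exposed = []
    for port in risky_ports:
        for rule in rules:
            if rule.policy != "accept" or rule.source_cidr != ANY_IPV4:
                continue
            lo, hi = port_bounds(rule.port_range)
            if lo <= port <= hi and shadowing_drop(rule, rules, port, port) is None:
                exposed.append(port)
                break
    return sorted(exposed)


# Constructed sample security group, not taken from a real account.
SAMPLE_RULES = [
    InboundRule("accept", 1, "443/443", ANY_IPV4),        # HTTPS to the world
    InboundRule("accept", 100, "-1/-1", ANY_IPV4),         # catch-all accept
    InboundRule("drop", 1, "22/22", ANY_IPV4),             # shields SSH from the catch-all
    InboundRule("accept", 50, "3306/3306", "10.0.0.0/8"),  # internal only, not public
]

if __name__ == "__main__":
    print("sg-public-access-check compliant:", sg_public_access_check(SAMPLE_RULES))
    print("exposed risky ports:", exposed_risky_ports(SAMPLE_RULES))
```

On the sample, the catch-all accept makes sg-public-access-check Non-compliant, while port 22 is not reported as exposed because the priority-1 drop rule shadows it.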

nat-risk-ports-check

Checks whether the specified risky ports are mapped by using the DNAT entries of NAT Gateway. If the specified high-risk ports are not mapped by using the DNAT entries of NAT Gateway, the evaluation result is Compliant.

nas-filesystem-mount-target-access-group-check

8.1.3.1

a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices.

b) Perform access control or check access requests that are sent from unauthorized devices over the internal network.

Checks whether 0.0.0.0/0 is added to any rule of the permission group of the NAS file system. If 0.0.0.0/0 is not added to any rule of the permission group of the NAS file system, the evaluation result is Compliant. This rule does not apply to the NAS file system for which no mount target is created or whose permission group has no rule.

oss-bucket-policy-outside-organization-check

Checks whether public read is enabled for an OSS bucket and whether external authorization exists in the analysis result. If public read is not enabled for an OSS bucket and external authorization does not exist in the analysis result, the evaluation result is Compliant. If the analysis result of the bucket policy indicates that the analysis cannot be performed on the bucket policy, the evaluation result is Non-compliant. If all analysis results of the bucket policy exist in the resource directory, the evaluation result is Compliant. If the authorization is not performed by the account in the resource directory, the evaluation result is Non-compliant.

oss-bucket-public-read-prohibited

Checks whether the access control list (ACL) policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant.

ack-cluster-public-endpoint-check

Checks whether public endpoints are configured for the API server in each Container Service for Kubernetes (ACK) cluster. If so, the evaluation result is Compliant.

ecs-running-instance-no-public-ip

Checks whether no public IPv4 addresses or EIPs are assigned to the ECS instances that are running. If so, the evaluation result is Compliant.

slb-no-public-ip

Checks whether a public IP address is associated with each SLB instance. If no public IP address is associated with each SLB instance, the evaluation result is Compliant. If you do not want an SLB instance to access public networks, we recommend that you do not bind a public IP address to an SLB instance. If you want an SLB instance to access public networks, we recommend that you purchase an EIP and bind the EIP to the required SLB instance. EIPs provide more flexibility. You can also use an EIP bandwidth plan to reduce costs.

redis-instance-open-auth-mode

Checks whether the password-based authentication feature is enabled for each ApsaraDB for Redis instance in your VPCs. If so, the evaluation result is Compliant.

vpc-network-acl-risky-ports-check

8.1.3.2

a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules.

c) Perform a check on source IP addresses, destination IP addresses, source ports, destination ports, and protocols to allow or deny incoming and outgoing packets.

Checks whether the destination IP address specified in the inbound rule for VPC access control is set to 0.0.0.0/0 and the specified port range does not contain a risky port. If so, the evaluation result is Compliant.

slb-all-listener-enabled-acl

8.1.3.2

Checks whether the access control feature is configured for the listeners of each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no listeners are configured.

alb-all-listener-enabled-acl

8.1.3.2

Checks whether the access control feature is enabled for all listeners of each ALB instance. If so, the evaluation result is Compliant. This rule does not apply to ALB instances for which no listeners are configured.

slb-acl-public-access-check

8.1.3.2

Checks whether the ACL of each SLB instance does not include 0.0.0.0/0. If so, the evaluation result is Compliant.

oss-bucket-authorize-specified-ip

8.1.3.2

Checks whether the read/write permission of OSS buckets is set to private or the authorization policies of OSS buckets include specific IP whitelists. If so, the evaluation result is Compliant.

slb-listener-risk-ports-check

8.1.3.2

Checks whether a specified risky port is added to a listener of each SLB instance. If a specified risky port is not added to a listener of each SLB instance, the evaluation result is Compliant.

oss-bucket-referer-enabled

8.1.3.2

Checks whether the Referer whitelist of each OSS bucket is not empty and whether the value of the AllowEmpty parameter matches the specified parameter value. If both conditions are met, the evaluation result is Compliant.

polardb-public-and-any-ip-access-check

8.1.3.2

Checks whether Internet access is enabled and any Internet access is allowed for each PolarDB instance. If so, the evaluation result is Non-compliant.

use-waf-instance-for-security-protection

Codes: 8.1.3.3, 8.1.3.4, 8.1.4.4, 8.1.5.4

8.1.3.3

a) Detect, prevent, or limit external network attacks on critical network nodes.

b) Detect, prevent, or limit internal network attacks on critical network nodes.

c) Implement technical measures to analyze network behavior and network attacks, especially new network attacks.

d) Record the attack source IP address, attack type, attack destination, and attack time when an attack is detected, and report an alert when a serious intrusion event occurs.

8.1.3.4

a) Detect and remove malicious code on critical network nodes, and maintain the upgrade and update of the malicious code prevention mechanism.

b) Detect and block spam emails on critical network nodes, and maintain the upgrade and update of the spam prevention mechanism.

8.1.4.4

e) Detect possible known vulnerabilities, and fix the vulnerabilities after full testing and evaluation.

f) Detect intrusions into your servers, and report an alert when a serious intrusion event occurs.

8.1.5.4

d) Collect, summarize, and analyze audit data scattered on each device in a centralized manner and make sure that the retention time of audit records complies with relevant laws and regulations.

e) Manage security-related matters, such as security policies, malicious code, and patch upgrades, in a centralized manner.

Checks whether Web Application Firewall (WAF) is used to protect your website or application. If so, the evaluation result is Compliant.

security-center-version-check

Checks whether Security Center Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant.

use-ddos-instance-for-security-protection

Codes: 8.1.3.3, 8.1.4.4, 8.1.5.4

8.1.3.3

a) Detect, prevent, or limit external network attacks on critical network nodes.

b) Detect, prevent, or limit internal network attacks on critical network nodes.

c) Implement technical measures to analyze network behavior and network attacks, especially new network attacks.

d) Record the attack source IP address, attack type, attack destination, and attack time when an attack is detected, and report an alert when a serious intrusion event occurs.

8.1.4.4

e) Detect possible known vulnerabilities, and fix the vulnerabilities after full testing and evaluation.

f) Detect intrusions into your servers, and report an alert when a serious intrusion event occurs.

8.1.5.4

d) Collect, summarize, and analyze audit data scattered on each device in a centralized manner and make sure that the retention time of audit records complies with relevant laws and regulations.

e) Manage security-related matters, such as security policies, malicious code, and patch upgrades, in a centralized manner.

Checks whether Anti-DDoS is used to prevent DDoS attacks. If so, the evaluation result is Compliant.

use-cloud-fire-wall-for-security-protection

Checks whether Cloud Firewall is used to protect your network boundary. If so, the evaluation result is Compliant.

firewall-asset-open-protect

8.1.3.3

a) Detect, prevent, or limit external network attacks on critical network nodes.

b) Detect, prevent, or limit internal network attacks on critical network nodes.

c) Implement technical measures to analyze network behavior and network attacks, especially new network attacks.

d) Record the attack source IP address, attack type, attack destination, and attack time when an attack is detected, and report an alert when a serious intrusion event occurs.

Checks whether asset protection is enabled in Cloud Firewall. If so, the evaluation result is Compliant. This rule applies only to users that have activated the Cloud Firewall service. No detection data is available for users that have not activated the service or have used the service for free.

security-center-defense-config-check

Codes: 8.1.3.5, 8.1.5.4

8.1.3.5

b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record.

8.1.5.4

d) Collect, summarize, and analyze audit data scattered on each device in a centralized manner and make sure that the retention time of audit records complies with relevant laws and regulations.

e) Manage security-related matters, such as security policies, malicious code, and patch upgrades, in a centralized manner.

Checks whether a proactive defense of a specified type is enabled in the Security Center console. If so, the evaluation result is Compliant.

waf3-instance-enabled-specified-defense-rules

Codes: 8.1.3.5, 8.1.5.4

Checks whether rules for the specified protection scenario are enabled for a WAF 3.0 instance. If so, the evaluation result is Compliant.

actiontrail-trail-intact-enabled

Codes: 8.1.3.5, 8.1.5.4

Checks whether an active trail exists in ActionTrail and events of all types that are generated in all regions are tracked. If so, the evaluation result is Compliant. If the administrator of a resource directory has created a trail that applies to all members, the evaluation result is Compliant.

rds-instance-enabled-auditing

Codes: 8.1.3.5, 8.1.5.4

Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

adb-cluster-audit-log-enabled

Codes: 8.1.3.5, 8.1.5.4

Checks whether the SQL explorer and audit feature is enabled for each AnalyticDB for MySQL cluster. If so, the evaluation result is Compliant.

vpc-flow-logs-enabled

Codes: 8.1.3.5, 8.1.5.4

Checks whether the flow log feature is enabled for each VPC. If so, the evaluation result is Compliant.

ram-password-policy-check

8.1.4.1

b) Handle logon failures, and configure relevant features to automatically close sessions, limit logon abuse, and log out when sessions time out.

d) Use a combination of two or more of the following techniques to authenticate user identities: password, cryptography technique, and biometric technique. A cryptography technique must be used in each combination.

Checks whether the settings of password policies configured for each RAM user meet the specified values. If so, the evaluation result is Compliant.

root-mfa-check

8.1.4.1

Checks whether multi-factor authentication (MFA) is enabled for each Alibaba Cloud account. If so, the evaluation result is Compliant.

ram-user-mfa-check

8.1.4.1

Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant.

ram-user-last-login-expired-check

8.1.4.2

c) Delete or disable redundant and expired accounts, and disable shared accounts.

d) Apply the principle of least privilege to administrators to ensure privilege separation.

Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is Compliant. If a RAM user was updated within the previous 90 days, the evaluation result is Compliant regardless of whether the RAM user recently logged on to the system. The rule does not apply to the RAM users for which console access is disabled.

ram-policy-in-use-check

8.1.4.2

Checks whether a policy is attached to at least one RAM user group, RAM role, or RAM user. If so, the evaluation result is Compliant.

ram-group-has-member-check

8.1.4.2

Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant.

ram-user-no-policy-check

8.1.4.2

Checks whether a policy is attached to each RAM user. If so, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or roles.

ram-user-ak-used-expired-check

8.1.4.2

Checks whether the duration between the date when the AccessKey pair of each RAM user was last used and the current date is less than a specified number of days. If so, the evaluation result is Compliant. Default value: 90. Unit: days.

ram-policy-no-statements-with-admin-access-check

8.1.4.2

Checks whether the Action and Resource parameters of each RAM user, RAM user group, and RAM role are not set to *. If so, the evaluation result is Compliant. An asterisk (*) indicates the super administrator permissions.
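The check described above reduces to inspecting each policy document for an Allow statement whose Action and Resource are both "*". The following checker is an added example, not Alibaba Cloud's own rule logic; it assumes the RAM policy document format (a Statement list whose Action and Resource fields are each a string or a list of strings), and the sample policies are constructed.

```python
"""Detect RAM policy statements that grant super-administrator permissions,
as ram-policy-no-statements-with-admin-access-check describes.

Added example, not Alibaba Cloud's rule logic. Assumes the RAM policy
document format: Statement entries with Effect, Action and Resource, the
latter two given as a string or a list of strings.
"""
import json
from typing import Any, Dict, List, Union


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_access_statements(policy_document: str) -> List[Dict[str, Any]]:
    """Return every Allow statement whose Action and Resource both contain "*"."""
    document = json.loads(policy_document)
    statements = document.get("Statement", [])
    if isinstance(statements, dict):       # tolerate a single statement object
        statements = [statements]
    matches = []
    for statement in statements:
        if statement.get("Effect") != "Allow":   # Deny never grants anything
            continue
        actions = {a.strip() for a in _as_list(statement.get("Action"))}
        resources = {r.strip() for r in _as_list(statement.get("Resource"))}
        if "*" in actions and "*" in resources:
            matches.append(statement)
    return matches


def policy_is_compliant(policy_document: str) -> bool:
    """Compliant when no statement grants "*" on "*"."""
    return not admin_access_statements(policy_document)


def audit(policies: Dict[str, str]) -> Dict[str, bool]:
    """Map each policy name to its compliance result."""
    return {name: policy_is_compliant(doc) for name, doc in policies.items()}


# Constructed sample policies, not taken from a real account.
ADMIN_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*", "vpc:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

MIXED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"],
         "Resource": ["acs:oss:*:*:example-bucket/*"]},
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},  # buried admin grant
    ],
})

if __name__ == "__main__":
    results = audit({"admin": ADMIN_POLICY, "scoped": SCOPED_POLICY, "mixed": MIXED_POLICY})
    for name, ok in results.items():
        print(f"{name}: {'Compliant' if ok else 'Non-compliant'}")
```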

ram-user-login-check

8.1.4.2

c) Delete or disable redundant and expired accounts, and disable shared accounts.

d) Apply the principle of least privilege to administrators to ensure privilege separation.

Checks whether one of the console access and API access features is enabled for each RAM user. If so, the evaluation result is Compliant.

ecs-instance-enabled-security-protection

8.1.4.4

e) Detect possible known vulnerabilities, and fix the vulnerabilities after full testing and evaluation.

f) Detect intrusions into your servers, and report an alert when a serious intrusion event occurs.

Checks whether the Security Center agent is installed on each ECS instance so that security protection services are provided. If the Security Center agent is installed on each ECS instance, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running.

ecs-instance-updated-security-vul

8.1.4.4

Checks whether unfixed vulnerabilities of a specified type or a specified level are detected by Security Center on an ECS instance. If not, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running.

security-center-notice-config-check

8.1.4.4

Checks whether a notification method is specified for each notification item of Security Center. If so, the evaluation result is Compliant.

oss-bucket-server-side-encryption-enabled

8.1.4.8

b) Use cryptography techniques to ensure the integrity of important data during transmission, including authentication data, important business data, audit data, configuration data, videos, and personal data.

Checks whether the Encryption Method parameter of the server-side encryption feature is set to OSS-Managed for each OSS bucket. If so, the evaluation result is Compliant.

ecs-in-use-disk-encrypted

8.1.4.8

Checks whether the encryption feature is enabled for each ECS data disk that is in use. If so, the evaluation result is Compliant.

ack-cluster-encryption-enabled

8.1.4.8

Checks whether Secret encryption is configured for each ACK Pro cluster. If so, the evaluation result is Compliant. This rule does not apply to non-professional managed clusters.

redis-instance-enabled-tde

8.1.4.8

Checks whether the transparent data encryption (TDE) feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

rds-instance-enabled-disk-encryption

8.1.4.8

Checks whether disk encryption is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. This rule does not apply to instances that use local disks or do not support disk encryption.

sls-logstore-enabled-encrypt

8.1.4.8

Checks whether data encryption is enabled for each Logstore in Simple Log Service. If so, the evaluation result is Compliant.

polardb-cluster-enabled-tde

8.1.4.8

Checks whether the TDE feature is enabled in the data security settings of each PolarDB cluster. If so, the evaluation result is Compliant.

ecs-disk-auto-snapshot-policy

8.1.4.9

a) Provide the required features to back up and restore important local data.

b) Provide the required features to back up important data to a remote destination site in real time over communication networks.

c) Provide hot redundancy for important data processing systems to ensure system availability.

Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant. This rule does not apply to disks that are not in use, disks that do not support automatic snapshot policies, and non-persistent disks that are attached to the ACK cluster.

polardb-cluster-level-two-backup-retention

8.1.4.9

Checks whether the retention period of the level-2 backup of each PolarDB cluster is longer than or equal to the specified number of days. If so, the evaluation result is Compliant. Default value: 30. If level-2 backup is not enabled or the backup retention period is less than the specified number of days, the evaluation result is Non-compliant.

nas-filesystem-enable-backup-plan

8.1.4.9

Checks whether a backup plan is created for each Apsara File Storage NAS file system. If so, the evaluation result is Compliant.

rds-instance-enabled-log-backup

8.1.4.9

Checks whether the log backup feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

oss-bucket-versioning-enabled

8.1.4.9

Checks whether the versioning feature is enabled for each OSS bucket. If the versioning feature is disabled, data may fail to be restored when the data is overwritten or deleted. If the versioning feature is enabled for each OSS bucket, the evaluation result is Compliant.

elasticsearch-instance-snapshot-enabled

8.1.4.9

Checks whether the automatic backup feature is enabled for each Elasticsearch cluster. If so, the evaluation result is Compliant.

mongodb-instance-backup-log-enabled

8.1.4.9

Checks whether the log backup feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant.

rds-instance-has-guard-instance

8.1.4.9

Checks whether a disaster recovery instance is created for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. If a fault occurs in the region where an ApsaraDB RDS instance resides, the disaster recovery instance can be used to recover services in a timely manner.

oss-zrs-enabled

8.1.4.9

Checks whether the zone-redundant storage (ZRS) feature is enabled for an OSS bucket. If the ZRS feature is disabled, OSS cannot provide consistent services and ensure data recovery when a data center becomes unavailable. If the ZRS feature is enabled for an OSS bucket, the evaluation result is Compliant.

alb-instance-multi-zone

8.1.4.9

Checks whether each ALB instance uses the multi-zone architecture. If so, the evaluation result is Compliant. If a failure occurs on an ALB instance when you deploy the instance in only one zone, business may be disrupted.

rds-multi-az-support

8.1.4.9

Checks whether each ApsaraDB RDS instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

polardb-cluster-multi-zone

8.1.4.9

Checks whether the hot standby cluster feature is enabled for each PolarDB cluster and data of the cluster is distributed across multiple zones. If so, the evaluation result is Compliant.

mongodb-instance-multi-zone

8.1.4.9

Checks whether each ApsaraDB for MongoDB instance is of the multi-zone architecture. If so, the evaluation result is Compliant.

ack-cluster-node-multi-zone

8.1.4.9

Checks whether region-level ACK clusters whose nodes are distributed across three or more zones are used. If so, the evaluation result is Compliant.

redis-instance-multi-zone

8.1.4.9

Checks whether each ApsaraDB for Redis instance uses the multi-zone architecture. If so, the evaluation result is Compliant.

elasticsearch-instance-multi-zone

8.1.4.9

Checks whether each Elasticsearch cluster is of the multi-zone architecture. If so, the evaluation result is Compliant.

slb-all-listener-servers-multi-zone

8.1.4.9

Checks whether each SLB instance uses the multi-zone architecture and the resources of multiple zones are added to the server group that is used by all listeners of the SLB instance. If so, the evaluation result is Compliant.