The best practices for ApsaraDB for Redis help you check whether each ApsaraDB for Redis instance meets the requirements and whether the following items expose the instance to risk: audit log settings, public network access, whitelists, cross-zone disaster recovery capabilities, instance renewal and expiration, and change management. This helps ensure that ApsaraDB for Redis works as expected and that the system remains stable and secure. This topic describes the default rules in the best practices for ApsaraDB for Redis.
| Rule name | Description |
| --- | --- |
| | Checks whether the audit logging feature is enabled for each ApsaraDB for Redis instance and the retention period of logs is greater than or equal to a specified value. If so, the evaluation result is Compliant. Default value: 180. Unit: day. |
| | Checks whether each ApsaraDB for Redis instance uses the multi-zone architecture. If so, the evaluation result is Compliant. |
| | Checks whether the node type of each ApsaraDB for Redis instance is master-replica. If so, the evaluation result is Compliant. |
| | Checks whether the transparent data encryption (TDE) feature is enabled for each ApsaraDB for Redis instance by using a custom key. If so, the evaluation result is Compliant. |
| | Checks whether the audit logging feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. If the audit logging feature is disabled for an ApsaraDB for Redis instance, the evaluation result is Non-compliant. |
| | Checks whether the Transport Layer Security (TLS) encryption feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. |
| | Checks whether each ApsaraDB for Redis instance is upgraded to the latest minor version. If so, the evaluation result is Compliant. |
| | Checks whether the release protection feature is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. This rule does not apply to subscription ApsaraDB for Redis instances. |
| | Checks whether high-risk commands are disabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. |
| | Checks whether the available queries per second (QPS) of an ApsaraDB for Redis instance is greater than or equal to a specified value. If so, the evaluation result is Compliant. Default value: 1000. |
| | Checks whether the available bandwidth of an ApsaraDB for Redis instance is greater than or equal to a specified value. If so, the evaluation result is Compliant. Default value: 1000. Unit: MB/s. |
| | Checks whether the memory size of an ApsaraDB for Redis instance is greater than or equal to a specified value. If so, the evaluation result is Compliant. Default value: 1000. Unit: MB. |
| | Checks whether Internet access is enabled for each ApsaraDB for Redis instance and all CIDR blocks are added to the IP whitelist of the instance. If Internet access is disabled for an ApsaraDB for Redis instance, or if Internet access is enabled but the whitelists of the instance do not contain 0.0.0.0/0, the evaluation result is Compliant. If Internet access is enabled for an ApsaraDB for Redis instance and its whitelists contain 0.0.0.0/0, the evaluation result is Non-compliant. |
| | Checks whether the automatic backup period of each ApsaraDB for Redis instance matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the backup period, your business may be affected. |
| | Checks whether the duration between the expiration date and the check date of each subscription ApsaraDB for Redis instance is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. Unit: day. If auto-renewal is enabled for an ApsaraDB for Redis instance, the evaluation result is also Compliant. For pay-as-you-go resources, the evaluation result is Not Applicable. |
| | Checks whether incremental backup is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. If an ApsaraDB for Redis instance is not a Tair instance, the evaluation result is Not Applicable. |