Resource Orchestration Service (ROS) is integrated with Cloud Config to help you easily monitor a large-scale resource infrastructure and maintain continuous compliance. When you use a template to create a stack in the ROS console, you can perform a compliance precheck on the resources specified in the template.
Operations
When you use a template to create a stack, the ROS console selects a matching managed rule based on the resources that you specified in the template to check whether the resource configurations are compliant. For more information, see Step 7.
Cloud services that support compliance prechecks
ROS supports the compliance precheck feature only for specific Alibaba Cloud services.
For more information about the cloud services that support compliance prechecks, see Managed rules.
Regions that support compliance prechecks
The compliance precheck feature is supported in all regions.
Resource types that support compliance prechecks
| Resource type | Precheck rule name | Precheck rule description |
|---|---|---|
| ALIYUN::CR::Repository | cr-repository-type-private | Checks whether the type of your Container Registry image repository is private. If so, the result is compliant. |
| ALIYUN::ECS::Disk | ecs-disk-encrypted | Checks whether all data disks within your account are encrypted. If a data disk is not encrypted, the result is non-compliant. |
| ALIYUN::ECS::Instance | ecs-memory-min-size-limit | Checks whether the memory size of an Elastic Compute Service (ECS) instance is greater than or equal to the specified threshold. If so, the result is compliant. |
| ALIYUN::ECS::Instance | ecs-instance-deletion-protection-enabled | Checks whether the release protection feature is enabled for a pay-as-you-go ECS instance within your account. If so, the result is compliant. |
| ALIYUN::ECS::Instance | ecs-instance-login-use-keypair | Checks whether a key pair is used to log on to a Linux host. If so, the result is compliant. |
| ALIYUN::ECS::SecurityGroup | sg-public-access-check | Checks whether the inbound network access settings of a security group include a rule with all of the following: the policy is Allow, the port range is -1/-1, and the authorized object is 0.0.0.0/0. If so, the result is non-compliant. |
| ALIYUN::Elasticsearch::Instance | elasticsearch-instance-enabled-public-check | Checks whether the Internet access feature is disabled for an Elasticsearch instance. If so, the result is compliant. |
| ALIYUN::OSS::Bucket | oss-bucket-public-write-prohibited | Checks whether public writes are not allowed for an Object Storage Service (OSS) bucket. If the policy or the access control list (ACL) of an OSS bucket allows public writes, the result is non-compliant. |
| ALIYUN::OSS::Bucket | oss-bucket-logging-enabled | Checks whether the logging feature is enabled for your OSS bucket. If so, the result is compliant. |
| ALIYUN::OTS::Instance | ots-instance-network-not-normal | Checks whether a Tablestore instance can be accessed only over a virtual private cloud (VPC) or in the Tablestore console. If so, the result is compliant. |
| ALIYUN::POLARDB::DBCluster | polardb-public-access-check | Checks whether access to a PolarDB instance within your account over the Internet is not allowed. If so, the result is compliant. |
| ALIYUN::RDS::DBInstance | rds-instance-enabled-security-ip-list | Checks whether the whitelist feature is enabled for an ApsaraDB RDS instance within your account. If so, the result is compliant. |
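The following is an added example, not code from ROS or Cloud Config, that shows how the rule selection described above works: rules are chosen by the resource `Type` in a template, and each rule inspects that resource's properties and returns compliant or non-compliant. It implements a local approximation of three of the rules in the table (`sg-public-access-check`, `ecs-disk-encrypted`, `oss-bucket-public-write-prohibited`) so that a template can be screened before a stack is created. The property names used (`SecurityGroupIngress`, `Policy`, `PortRange`, `SourceCidrIp`, `Encrypted`, `AccessControl`) and the `accept` policy value are assumptions about the ROS template schema, and the sample template is constructed for illustration.

```python
"""Local approximation of three ROS compliance precheck rules.

Added example, not ROS's or Cloud Config's own code. Property names and
values below are assumptions about the ROS template schema; the sample
template is constructed, not taken from a real stack.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample template: one compliant and one non-compliant
# resource for each of the three rules implemented here.
SAMPLE_TEMPLATE: Dict = {
    "Resources": {
        "OpenSg": {
            "Type": "ALIYUN::ECS::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"Policy": "accept", "PortRange": "-1/-1",
                     "SourceCidrIp": "0.0.0.0/0", "IpProtocol": "all"},
                ],
            },
        },
        "SshFromVpcSg": {
            "Type": "ALIYUN::ECS::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"Policy": "accept", "PortRange": "22/22",
                     "SourceCidrIp": "10.0.0.0/8", "IpProtocol": "tcp"},
                ],
            },
        },
        "PlainDisk": {"Type": "ALIYUN::ECS::Disk",
                      "Properties": {"Size": 100}},
        "SecureDisk": {"Type": "ALIYUN::ECS::Disk",
                       "Properties": {"Size": 100, "Encrypted": True}},
        "PublicBucket": {"Type": "ALIYUN::OSS::Bucket",
                         "Properties": {"AccessControl": "public-read-write"}},
        "PrivateBucket": {"Type": "ALIYUN::OSS::Bucket",
                          "Properties": {"AccessControl": "private"}},
    }
}

Verdict = Tuple[bool, str]  # (compliant, reason)


def sg_public_access_check(props: Dict) -> Verdict:
    """Non-compliant if any inline ingress rule allows all ports from 0.0.0.0/0.

    Only rules declared inline on the security group are inspected; a
    missing Policy is treated as an allow (assumed default).
    """
    for rule in props.get("SecurityGroupIngress", []):
        if (str(rule.get("Policy", "accept")).lower() == "accept"
                and rule.get("PortRange") == "-1/-1"
                and rule.get("SourceCidrIp") == "0.0.0.0/0"):
            return False, "ingress rule allows all ports from 0.0.0.0/0"
    return True, "no unrestricted ingress rule"


def ecs_disk_encrypted(props: Dict) -> Verdict:
    """Non-compliant unless the disk is explicitly declared encrypted."""
    if props.get("Encrypted") is True:
        return True, "disk is encrypted"
    return False, "Encrypted is not set to true"


def oss_bucket_public_write_prohibited(props: Dict) -> Verdict:
    """Non-compliant if the bucket ACL permits public writes."""
    acl = props.get("AccessControl", "private")  # assumed default ACL
    if acl == "public-read-write":
        return False, "ACL %s permits public writes" % acl
    return True, "ACL %s does not permit public writes" % acl


# Rule selection keyed by resource type, mirroring how the console picks
# a managed rule from the resources present in the template.
RULES: Dict[str, List[Tuple[str, Callable[[Dict], Verdict]]]] = {
    "ALIYUN::ECS::SecurityGroup": [("sg-public-access-check", sg_public_access_check)],
    "ALIYUN::ECS::Disk": [("ecs-disk-encrypted", ecs_disk_encrypted)],
    "ALIYUN::OSS::Bucket": [("oss-bucket-public-write-prohibited",
                             oss_bucket_public_write_prohibited)],
}


def precheck(template: Dict) -> List[Tuple[str, str, bool, str]]:
    """Evaluate every matching rule; returns (resource, rule, compliant, reason)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for rule_name, fn in RULES.get(res.get("Type", ""), []):
            ok, reason = fn(res.get("Properties", {}))
            findings.append((name, rule_name, ok, reason))
    return findings


def non_compliant(template: Dict) -> List[str]:
    """Logical resource names that failed at least one rule, sorted."""
    return sorted({name for name, _, ok, _ in precheck(template) if not ok})


if __name__ == "__main__":
    for name, rule, ok, reason in precheck(SAMPLE_TEMPLATE):
        print("%-14s %-36s %s (%s)" % (name, rule, "compliant" if ok else "NON-COMPLIANT", reason))
```

Running the block prints one line per evaluated (resource, rule) pair; the three constructed resources `OpenSg`, `PlainDisk` and `PublicBucket` are reported non-compliant. Because the screen runs against the template rather than the deployed resources, it cannot see settings applied outside the template (for example, ingress rules added later or a bucket policy), which is why the console precheck against Cloud Config remains authoritative.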