
Resource Orchestration Service: Compliance precheck

Last Updated: Sep 30, 2024

Resource Orchestration Service (ROS) is integrated with Cloud Config to help you easily monitor a large-scale resource infrastructure and maintain continuous compliance. When you use a template to create a stack in the ROS console, you can perform a compliance precheck on the resources specified in the template.

Operations

When you use a template to create a stack, the ROS console selects a matching managed rule based on the resources that you specified in the template to check whether the resource configurations are compliant. For more information, see Step 7.

Cloud services that support compliance prechecks

ROS supports the compliance precheck feature only for specific Alibaba Cloud services.

For more information about the cloud services that support compliance prechecks, see Managed rules.

Regions that support compliance prechecks

The compliance precheck feature is supported in all regions.

Resource types that support compliance prechecks

| Resource type | Precheck rule name | Precheck rule description |
| --- | --- | --- |
| ALIYUN::CR::Repository | cr-repository-type-private | Checks whether the type of your Container Registry image repository is private. If so, the result is compliant. |
| ALIYUN::ECS::Disk | ecs-disk-encrypted | Checks whether all data disks within your account are encrypted. If a data disk is not encrypted, the result is non-compliant. |
| ALIYUN::ECS::Instance | ecs-memory-min-size-limit | Checks whether the memory size of an Elastic Compute Service (ECS) instance is greater than or equal to the specified threshold. If so, the result is compliant. |
| | ecs-instance-deletion-protection-enabled | Checks whether the release protection feature is enabled for a pay-as-you-go ECS instance within your account. If so, the result is compliant. |
| | ecs-instance-login-use-keypair | Checks whether a key pair is used to log on to a Linux host. If so, the result is compliant. |
| ALIYUN::ECS::SecurityGroup | sg-public-access-check | Checks whether the inbound rules of a security group include a rule whose policy is Allow, whose port range is -1/-1, and whose authorization object is 0.0.0.0/0. If so, the result is non-compliant. |
| ALIYUN::Elasticsearch::Instance | elasticsearch-instance-enabled-public-check | Checks whether the Internet access feature is disabled for an Elasticsearch instance. If so, the result is compliant. |
| ALIYUN::OSS::Bucket | oss-bucket-public-write-prohibited | Checks whether public writes are prohibited for an Object Storage Service (OSS) bucket. If the policy or the access control list (ACL) of an OSS bucket allows public writes, the result is non-compliant. |
| | oss-bucket-logging-enabled | Checks whether the logging feature is enabled for your OSS bucket. If so, the result is compliant. |
| ALIYUN::OTS::Instance | ots-instance-network-not-normal | Checks whether a Tablestore instance can be accessed only over a virtual private cloud (VPC) or in the Tablestore console. If so, the result is compliant. |
| ALIYUN::POLARDB::DBCluster | polardb-public-access-check | Checks whether Internet access is disabled for a PolarDB instance within your account. If so, the result is compliant. |
| ALIYUN::RDS::DBInstance | rds-instance-enabled-security-ip-list | Checks whether the whitelist feature is enabled for an ApsaraDB RDS instance within your account. If so, the result is compliant. |
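The following is an added example, not Alibaba Cloud's precheck implementation (the real check runs as Cloud Config managed rules against the resources ROS would create). It emulates three of the rules listed above, sg-public-access-check, ecs-disk-encrypted and oss-bucket-public-write-prohibited, directly over a constructed ROS template, so you can see which template settings each rule flags before a stack is ever created. The template property names it reads (SecurityGroupIngress, Policy, PortRange, SourceCidrIp, Encrypted, AccessControl) are taken from the ROS resource-type references as I know them and are assumptions of this example; the sample template and its logical IDs are constructed for illustration.

```python
"""Local emulation of three of the precheck rules listed above.

Added example; this is not Alibaba Cloud's precheck implementation, which
runs as Cloud Config managed rules. The rule names come from the page. The
template property names used here (SecurityGroupIngress, Policy, PortRange,
SourceCidrIp, Encrypted, AccessControl) are the ones I know from the ROS
resource-type references and are assumptions of this example.
"""
import json

# Constructed sample template (not from the page): one open security group,
# one restricted one, an encrypted and an unencrypted disk, a public-read-
# write bucket, a private bucket, and a VPC that no rule on the page covers.
SAMPLE_TEMPLATE = json.loads("""
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "Vpc": {"Type": "ALIYUN::ECS::VPC",
            "Properties": {"CidrBlock": "192.168.0.0/16"}},
    "OpenSg": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [
          {"Policy": "accept", "IpProtocol": "all",
           "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "SshOnlySg": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [
          {"Policy": "accept", "IpProtocol": "tcp",
           "PortRange": "22/22", "SourceCidrIp": "203.0.113.0/24"}
        ]
      }
    },
    "PlainDisk": {"Type": "ALIYUN::ECS::Disk",
                  "Properties": {"ZoneId": "cn-hangzhou-h", "Size": 40}},
    "SecureDisk": {"Type": "ALIYUN::ECS::Disk",
                   "Properties": {"ZoneId": "cn-hangzhou-h", "Size": 40,
                                  "Encrypted": true}},
    "OpenBucket": {"Type": "ALIYUN::OSS::Bucket",
                   "Properties": {"BucketName": "example-open",
                                  "AccessControl": "public-read-write"}},
    "PrivateBucket": {"Type": "ALIYUN::OSS::Bucket",
                      "Properties": {"BucketName": "example-private",
                                     "AccessControl": "private"}}
  }
}
""")


def sg_public_access_check(props):
    """Non-compliant if any inbound rule accepts every port from 0.0.0.0/0."""
    for rule in props.get("SecurityGroupIngress", []):
        if (rule.get("Policy", "accept").lower() == "accept"
                and rule.get("PortRange") == "-1/-1"
                and rule.get("SourceCidrIp") == "0.0.0.0/0"):
            return "non-compliant"
    return "compliant"


def ecs_disk_encrypted(props):
    """Compliant only when Encrypted is explicitly true (assumed default: false)."""
    return "compliant" if props.get("Encrypted") is True else "non-compliant"


def oss_bucket_public_write_prohibited(props):
    """Looks at the bucket ACL only. The managed rule also inspects bucket
    policies, which this example does not model."""
    acl = props.get("AccessControl", "private")
    return "non-compliant" if acl == "public-read-write" else "compliant"


# Resource type -> list of (rule name from the page, local checker).
RULES = {
    "ALIYUN::ECS::SecurityGroup": [("sg-public-access-check",
                                    sg_public_access_check)],
    "ALIYUN::ECS::Disk": [("ecs-disk-encrypted", ecs_disk_encrypted)],
    "ALIYUN::OSS::Bucket": [("oss-bucket-public-write-prohibited",
                             oss_bucket_public_write_prohibited)],
}


def precheck(template):
    """Run every rule that matches a resource type; other resources are skipped."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        for rule_name, checker in RULES.get(res.get("Type"), []):
            findings.append({
                "resource": logical_id,
                "type": res["Type"],
                "rule": rule_name,
                "result": checker(res.get("Properties", {})),
            })
    return findings


if __name__ == "__main__":
    for f in precheck(SAMPLE_TEMPLATE):
        print(f"{f['result']:14} {f['rule']:36} {f['resource']}")
```

Running the script lists one finding per matched resource and rule: the two security groups show how the rule only fires on the combination of an Allow policy, port range -1/-1 and source 0.0.0.0/0, so a narrowly scoped SSH rule passes; the unencrypted disk and the public-read-write bucket are reported as non-compliant; the VPC produces no finding because no rule on the page applies to it. Note that the real oss-bucket-public-write-prohibited rule also evaluates bucket policies, which this local emulation deliberately leaves out.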