Governance spotlights


Governance Spotlights group risks by business scenario so that you can systematically identify and remediate key risks across security, stability, cost, efficiency, and performance. With Governance Spotlights, you shift from reacting to individual findings to proactive, sustainable cloud governance.

Scope of governance spotlights

The following Governance Spotlights are available:

Identity and access security: Helps you prevent credential leakage, promptly clean up idle users, idle AccessKeys, and high-risk permissions, and stop privilege abuse. This supports least privilege, traceability, and dynamic access control.

Expiration and deletion risks: Flags resources that are about to expire and resources that lack deletion or release protection, so that you avoid unexpected suspension or loss of resources and the downtime caused by missed renewals or accidental deletion.

Idle and underutilized resources: Identifies idle and inefficient resources, monitors resource utilization, and enables account quota alerts. This helps you reduce costs with precision and maintain efficient, sustainable resource usage.

Governance spotlights overview

  1. Log on to the Cloud Governance Center console.

  2. In the navigation pane on the left, choose Well-Architected Framework > Governance Spotlights to open the Governance Spotlights overview page.

  3. Each spotlight card displays three key pieces of information:

    1. Spotlight name and description

    2. The number of high-risk items in this spotlight

    3. The potential score increase after you complete remediation

    The overview page contains cards for the identity and access security, expiration and deletion risks, and idle and underutilized resources spotlights.

Governance spotlight details

  1. On the Governance Spotlights overview page, click Details in the lower-right corner of a spotlight card to view its details page.

  2. On the details page, you can view information for each check item in the spotlight, such as the check item name, use case, and risk level.

    The list of check items also includes the Affected Resources, Compliance Rate, Est. Score Improvement, and Actions columns. The Actions column provides entries for QuickFix or Manual Remediation. The top of the page displays the total estimated score improvement and a Start Remediation button. The filter area allows you to filter check items by Risk Level, Resource Type, Check Item Name, and Risk Status.

    You can click a check item name to view its details, including a description, a list of affected resources, and manual remediation guidance. If the check item supports quick remediation, the QuickFix option is displayed.

    In the check details pop-up, tabs categorize non-compliant resources by usage statistics, such as the percentage of never-used AccessKeys or the percentage of users who have never logged on to the console. Each record in the resource list provides an entry point for Assisted Governance Details. At the bottom, you can click Download CSV to export the non-compliant resource data.

Governance spotlight remediation

Batch remediation

For check items that support QuickFix, you can navigate to the Remediation Center to fix multiple items at once.

  1. On the governance spotlight details page, click Start Remediation.

  2. You are redirected to the Remediation Center, which opens in batch remediation mode and pre-loads all check items in the spotlight that support QuickFix.

    On the Batch remediation page, select the check items to remediate in the list on the left. The corresponding resources appear on the right; select the target resources. Review the selection before you confirm: a QuickFix modifies the selected resources directly, so any workload that still depends on them is affected. After confirmation, click Next: Preview to enter the preview stage. The bottom of the page shows the number of affected check items and resources.

    Note

    Batch remediation is available only for check items and resources that support QuickFix. For other items, you must switch to single-item remediation mode and follow the manual remediation guide.

Single-item remediation

On the governance spotlight details page, find the target check item and click the corresponding action in the Actions column. This action redirects you to the Remediation Center, which opens in single-item remediation mode.

The Actions column includes options such as Assisted Decision-Making, QuickFix, and Manual Remediation.

For more information about batch and single-item remediation, see Remediation Center.

Check items

The following list shows all supported check items, grouped by spotlight:

Identity and access security

The Alibaba Cloud account has an active AccessKey.

A RAM user has both console access and an active AccessKey.

An AccessKey leak has not been remediated.

A RAM user has two active AccessKeys.

Too many RAM identities have been granted administrator permissions.

A strong password policy is not configured for RAM users.

An idle RAM user exists.

An idle AccessKey exists.

A RAM identity has idle product-level permissions.

Expiration and deletion risks

Account quota alerts are not enabled.

An ApsaraDB for MongoDB instance is at risk of expiration.

A Tair instance is at risk of expiration.

An Anti-DDoS Proxy instance is at risk of expiration.

A Cloud Enterprise Network (CEN) bandwidth plan is at risk of expiration.

A PolarDB instance is at risk of expiration.

An AnalyticDB for MySQL Data Warehouse Edition instance is at risk of expiration.

An EIP instance is at risk of expiration.

An SLB instance is at risk of expiration.

A bastion host is at risk of expiration.

An ApsaraDB RDS instance is at risk of expiration.

An ECS instance is at risk of expiration.

An internet shared bandwidth instance is at risk of expiration.

A VPN gateway is at risk of expiration.

A KMS instance is at risk of expiration.

Release protection is not enabled for an ApsaraDB for MongoDB instance.

A cluster lock is not enabled for an ACK cluster.

A cluster lock is not enabled for a PolarDB cluster.

Deletion protection is not enabled for an EIP.

Deletion protection is not enabled for an SLB instance.

Deletion protection is not enabled for an ApsaraDB RDS instance.

Deletion protection is not enabled for an ALB instance.

Idle and underutilized resources

An idle VPN gateway exists.

An idle SLB instance exists.

An idle NAS file system exists.

An idle VPC NAT gateway instance exists.

An idle NAT gateway exists.

An idle EIP instance exists.

An idle ECS disk exists.

An idle ECS instance exists.

An idle Container Registry instance exists.

An idle internet shared bandwidth instance exists.

An idle ALB instance exists.

The resource usage of an ECS instance is low.

The resource usage of an ECS disk is low.

The resource usage of an ApsaraDB RDS instance is low.

The disk usage of an ApsaraDB RDS instance is low.
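The identity and access security check items above, together with the usage statistics shown in the check details pop-up (the share of never-used AccessKeys, users who have not logged on), can be reproduced offline against RAM API output. The following Python script is an added example written for this page, not code from Cloud Governance Center. It evaluates four of the identity check items over constructed sample records whose fields follow what RAM's ListUsers, GetLoginProfile, ListAccessKeys and GetAccessKeyLastUsed operations return. The 90-day idle threshold, the fixed clock and the sample users are assumptions; the page does not state how Cloud Governance Center defines "idle".

```python
from datetime import datetime, timedelta, timezone

# Assumed threshold: the page does not say how many unused days make a user or key "idle".
IDLE_DAYS = 90

# Fixed clock so the results below are reproducible (assumption, not real time).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample data, shaped after the fields returned by RAM's ListUsers,
# GetLoginProfile, ListAccessKeys and GetAccessKeyLastUsed. Not data from any real account.
SAMPLE_USERS = [
    {"UserName": "alice", "ConsoleLogin": True, "LastLoginDate": "2024-05-20T08:00:00Z",
     "AccessKeys": [{"AccessKeyId": "LTAI-sample-01", "Status": "Active",
                     "CreateDate": "2024-03-01T00:00:00Z", "LastUsedDate": "2024-05-30T09:00:00Z"}]},
    {"UserName": "bob", "ConsoleLogin": False, "LastLoginDate": None,
     "AccessKeys": [{"AccessKeyId": "LTAI-sample-02", "Status": "Active",
                     "CreateDate": "2024-01-10T00:00:00Z", "LastUsedDate": "2024-05-25T10:00:00Z"},
                    {"AccessKeyId": "LTAI-sample-03", "Status": "Active",
                     "CreateDate": "2024-01-10T00:00:00Z", "LastUsedDate": None}]},
    {"UserName": "carol", "ConsoleLogin": True, "LastLoginDate": "2023-12-01T07:00:00Z",
     "AccessKeys": []},
    {"UserName": "dave", "ConsoleLogin": False, "LastLoginDate": None,
     "AccessKeys": [{"AccessKeyId": "LTAI-sample-04", "Status": "Inactive",
                     "CreateDate": "2023-06-01T00:00:00Z", "LastUsedDate": "2023-11-01T00:00:00Z"}]},
    {"UserName": "erin", "ConsoleLogin": False, "LastLoginDate": None,
     "AccessKeys": [{"AccessKeyId": "LTAI-sample-05", "Status": "Active",
                     "CreateDate": "2023-09-01T00:00:00Z", "LastUsedDate": "2024-02-01T12:00:00Z"}]},
]


def parse_ts(value):
    """RAM timestamps are ISO 8601 with a trailing Z; None means 'never'."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_keys(user):
    return [k for k in user["AccessKeys"] if k["Status"] == "Active"]


def key_is_idle(key, now=NOW, idle_days=IDLE_DAYS):
    """An active key that has not been used within the window is idle.
    A never-used key falls back to its creation date, so a key created
    yesterday is not flagged while one that sat unused for months is."""
    cutoff = now - timedelta(days=idle_days)
    last = parse_ts(key["LastUsedDate"]) or parse_ts(key["CreateDate"])
    return key["Status"] == "Active" and last < cutoff


def console_and_active_key(users):
    """Check item: a RAM user has both console access and an active AccessKey."""
    return [u["UserName"] for u in users if u["ConsoleLogin"] and active_keys(u)]


def two_active_keys(users):
    """Check item: a RAM user has two active AccessKeys."""
    return [u["UserName"] for u in users if len(active_keys(u)) >= 2]


def idle_keys(users, now=NOW, idle_days=IDLE_DAYS):
    """Check item: an idle AccessKey exists. Returns (user, AccessKeyId) pairs."""
    return [(u["UserName"], k["AccessKeyId"])
            for u in users for k in u["AccessKeys"] if key_is_idle(k, now, idle_days)]


def user_is_idle(user, now=NOW, idle_days=IDLE_DAYS):
    """A user is idle when neither a console login nor any active key was used in the window."""
    cutoff = now - timedelta(days=idle_days)
    login = parse_ts(user["LastLoginDate"]) if user["ConsoleLogin"] else None
    if login is not None and login >= cutoff:
        return False
    return all(key_is_idle(k, now, idle_days) for k in active_keys(user))


def idle_users(users, now=NOW, idle_days=IDLE_DAYS):
    """Check item: an idle RAM user exists."""
    return [u["UserName"] for u in users if user_is_idle(u, now, idle_days)]


def never_used_key_percentage(users):
    """The pop-up statistic: percentage of AccessKeys that have never been used."""
    keys = [k for u in users for k in u["AccessKeys"]]
    if not keys:
        return 0.0
    never = sum(1 for k in keys if k["LastUsedDate"] is None)
    return round(100.0 * never / len(keys), 1)


if __name__ == "__main__":
    print("console + active key:", console_and_active_key(SAMPLE_USERS))
    print("two active keys:     ", two_active_keys(SAMPLE_USERS))
    print("idle keys:           ", idle_keys(SAMPLE_USERS))
    print("idle users:          ", idle_users(SAMPLE_USERS))
    print("never-used keys (%): ", never_used_key_percentage(SAMPLE_USERS))
```

To run this against a real account, replace SAMPLE_USERS with records assembled from the RAM API responses (one GetLoginProfile and one ListAccessKeys call per user, then GetAccessKeyLastUsed per key) and keep the inactive keys in the input: they are excluded from the idle-key check on purpose, but still count toward the never-used percentage because a disabled, never-used key is exactly what the check details pop-up is meant to surface for deletion.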