DescribeAclCheck

Queries the details of an Access Control List (ACL) check.

Operation description

QPS limit

This API is limited to 10 queries per second (QPS) per user. Calls exceeding this limit are throttled.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:DescribeAclCheck

get

All Resources (no resource-level permission; use * in the Resource element)

None

None
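A minimal RAM policy that grants only this action, added here as an example and not taken from the page. Because the action supports no resource-level permission, Resource must be *; scope it by attaching the policy to a dedicated role used by the audit job rather than to a long-lived user access key.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "yundun-cloudfirewall:DescribeAclCheck",
      "Resource": "*"
    }
  ]
}
```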

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the response.

Valid values:

  • en :

    English

  • zh :

    Chinese (default)

zh

TaskId

string

Yes

The task ID.

132

PageNo

integer

Yes

The page number.

1

PageSize

integer

Yes

The number of entries per page.

10

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

25E655B0-CAED-53D4-8054-F983126****

CheckRecord

object

The check record.

AclTotalCount

integer

The total number of access control policies at the time of the check.

10

RecordAssessmentDetail

string

The assessment details of the ACL check.

It is recommended to remove the invalid policy, while helping to save the specification.

CheckName

string

The name of the ACL check.

PolicyHitCountZero

Description

string

The description of the ACL check item.

Due to business offline or other reasons, the number of hits of the object policy in a period of time is 0.

LastCheckTime

string

The time of the last check, provided as a UNIX timestamp in seconds.

1724982259

Level

string

The risk level.

High

TaskId

string

The task ID.

task-c92d4544ef7b6a42

Acls

array<object>

The ACL check results.

array<object>

An ACL check result.

Acl

object

The ACL check result.

Direction

string

The direction of internet traffic. Valid values:

  • in: inbound traffic

  • out: outbound traffic

out

Order

integer

The priority of the access control policy.

The priority starts from 1. A smaller value indicates a higher priority.

1

SourceType

string

The type of the source address in the access control policy. Valid values:

  • net: a source CIDR block

  • group: a source address book

  • location: a source region

group

ApplicationName

string

The application type supported by the access control policy for the VPC firewall. We recommend that you use the ApplicationNameList parameter instead. Valid values:

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

  • ANY: All application types.

ANY

HitTimes

integer

The hit count of the access control policy.

1

Description

string

The description of the access control policy.

test_policy

SourceGroupType

string

The type of the source address book in the access control policy. Valid values:

  • ip: An address book that contains one or more IP addresses or CIDR blocks.

  • tag: An address book that contains the public IP addresses of ECS instances with specific tags.

  • domain: A domain name address book, which contains one or more domain names.

  • threat: a threat intelligence address book, which contains one or more malicious IP addresses or domain names.

  • backsrc: a back-to-source address book, which contains the back-to-source IP addresses of one or more Anti-DDoS or WAF instances.

ip

DnsResultTime

integer

The time of the DNS resolution, provided as a UNIX timestamp in seconds.

1579261141

DnsResult

string

The result of the DNS resolution.

192.0.XX.XX

Proto

string

The protocol type of the traffic in the access control policy. Valid values:

  • TCP

  • UDP

  • ICMP

  • ANY: All protocol types

TCP

DestinationGroupType

string

The type of the destination address book in the access control policy. Valid values:

  • ip: an IP address book, which contains one or more CIDR blocks.

  • tag: an ECS tag-based address book, which contains the public IP addresses of ECS instances that have specific tags.

  • domain: a domain name address book, which contains one or more domain names.

  • threat: a threat intelligence address book, which contains one or more malicious IP addresses or domain names.

  • backsrc: a back-to-source address book, which contains the back-to-source IP addresses of one or more Anti-DDoS or WAF instances.

domain

Destination

string

The destination address in the access control policy. The value varies based on the value of DestinationType:

  • If DestinationType is net, the value is a CIDR block. Example: 10.0.3.0/24.

  • If DestinationType is domain, the value is a domain name. Example: aliyun.

  • If DestinationType is group, the value is the name of an address book. Example: db_group.

  • If DestinationType is location, the value is a location. For more information about the location codes, see AddControlPolicy. Example: ["BJ11", "ZB"].

kms.cn-shanghai.aliyuncs.com

HitLastTime

integer

The time when the policy was last hit, provided as a UNIX timestamp in seconds.

1579261141

DestPortGroup

string

The name of the destination port address book that the policy references (applies when DestPortType is group).

my_port_group

AclUuid

string

The unique ID of the access control policy.

997b38e0-01fa-4db7-8d30-02ebf6fdb747

DestPortType

string

The type of the destination port in the access control policy. Valid values:

  • port: port

  • group: port address book

port

Source

string

The source address in the access control policy. The value varies based on the value of SourceType:

  • If SourceType is net, the value is a CIDR block. Example: 192.0.XX.XX/24.

  • If SourceType is group, the value is the name of a source address book. Example: db_group.

  • If SourceType is location, the value is a location. For more information, see AddControlPolicy. Example: ["BJ11", "ZB"].

172.28.7.167

DestinationType

string

The type of the destination address in the access control policy. Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination region

domain

DestPort

string

The destination port that is used in the access control policy.

80/80

IpVersion

integer

The IP version. Valid values:

  • 4: IPv4

  • 6: IPv6

4

AclAction

string

The action performed on traffic that matches the access control policy. Valid values:

  • accept: allow

  • drop: deny

  • log: monitor

log

Release

string

The status of the access control policy. Valid values:

  • true: enabled

  • false: disabled

true

ApplicationId

string

The ID of the application that is used in the access control policy.

plugin_idp4_ciam

DestinationGroupCidrs

array

The CIDR blocks in the destination address book.

string

The CIDR block in the destination address book.

192.0.XX.XX/32

DestPortGroupPorts

array

The ports in the destination port address book.

string

The port in the destination port address book.

80/80

SourceGroupCidrs

array

The CIDR blocks in the source address book.

string

The CIDR block in the source address book.

111.48.54.39/32

ApplicationNameList

array

The application types that are supported by the access control policy. Valid values:

  • FTP

  • HTTP

  • HTTPS

  • Memcache

  • MongoDB

  • MQTT

  • MySQL

  • RDP

  • Redis

  • SMTP

  • SMTPS

  • SSH

  • SSL

  • VNC

  • ANY (indicates all application types)

string

The application type supported by the access control policy for the VPC firewall. Valid values:

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

  • ANY (indicates all application types)

ANY

SpreadCnt

integer

The number of specification units that the policy consumes. The value is calculated by using the following formula: Number of source addresses × Number of destination addresses × Number of port ranges × Number of applications.

10

CreateTime

integer

The time when the policy was created, provided as a UNIX timestamp in seconds.

1761062400

ModifyTime

integer

The time when the policy was last modified, provided as a UNIX timestamp in seconds.

1761062400

RepeatType

string

The recurrence type of the policy. Valid values:

  • Permanent (default): The policy is always valid.

  • None: The policy is valid only once.

  • Daily: The policy recurs daily.

  • Weekly: The policy recurs weekly.

  • Monthly: The policy recurs monthly.

Permanent

RepeatDays

array

The days of a week or month on which the policy recurs.

Note

If RepeatType is set to Weekly, the valid values are 0 to 6. The week starts on Sunday. If RepeatType is set to Monthly, the valid values are 1 to 31.

integer

The day of a week or month on which the policy recurs.

Note

If RepeatType is set to Weekly, the valid values are 0 to 6. The week starts on Sunday. If RepeatType is set to Monthly, the valid values are 1 to 31.

6

RepeatStartTime

string

The time when the policy starts to take effect. Example: 08:00. The time must be on the hour or half-hour and must be at least 30 minutes earlier than the recurrence end time.

Note

This parameter is empty if RepeatType is set to Permanent or None. It is returned in the HH:mm format if RepeatType is set to Daily, Weekly, or Monthly. Examples: 08:00 and 23:30.

08:00

RepeatEndTime

string

The time when the policy stops taking effect. Example: 23:30. The time must be on the hour or half-hour and must be at least 30 minutes later than the recurrence start time.

Note

This parameter is empty if RepeatType is set to Permanent or None. It is returned in the HH:mm format if RepeatType is set to Daily, Weekly, or Monthly. Examples: 08:00 and 23:30.

23:30

StartTime

integer

The start of the policy's validity period, provided as a UNIX timestamp in seconds.

1730318400

EndTime

integer

The end of the policy's validity period, provided as a UNIX timestamp in seconds. The time must be on the hour or half-hour and must be at least 30 minutes later than the start time.

Note

This parameter is empty if RepeatType is set to Permanent. It is returned if RepeatType is set to None, Daily, Weekly, or Monthly.

1758334822

AddressListCount

integer

The number of addresses in the address book.

1

GroupUuid

string

The unique ID of the address book.

This ID is required for other operations, such as deleting the address book. You can obtain the ID by calling the DescribeAddressBook operation.

b91d86c3-2b52-4534-aae9-8d0339b12a48

AutoAddTagEcs

integer

Indicates whether to automatically add the public IP addresses of new ECS instances that match the tags to the address book. New ECS instances include newly purchased instances with the specified tags and existing instances whose tags are modified to match.

0

GroupName

string

The name of the address book.

Zhong Kui Open White List

ReferenceCount

integer

The number of policies that reference this address book.

1

GroupType

string

The type of the address book. Valid values:

  • ip: IP address book

  • domain: domain address book

  • port: port address book

  • tag: ECS tag-based address book

  • allCloud: cloud service address book

  • threat: threat intelligence address book

ip

TagRelation

string

The logical relationship among multiple ECS tags. Valid values:

  • and: An ECS instance must have all the specified tags.

  • or: An ECS instance must have one of the specified tags.

or

TagList

array<object>

The ECS tags.

object

The ECS tag.

TagValue

string

The value of the ECS tag.

tfTestAcc0

TagKey

string

The key of the ECS tag.

ss

AddressList

array

The addresses in the address book.

string

The address in the address book.

183.2.201.71/32,60.28.235.22/32,210.51.58.107/32,60.28.235.81/32,210.51.58.51/32,60.28.235.52/32,1.1.1.1/32,154.212.141.143/32,167.94.146.55/32,185.226.197.47/32,101.251.238.174/32

NatGatewayId

string

The ID of the NAT gateway.

ngw-2ze4w62zbdkwjmoqeokgl

DomainResolveType

integer

The DNS resolution method of the domain name in the access control policy. Valid values:

  • 0: FQDN-based resolution

  • 1: DNS-based dynamic resolution

  • 2: FQDN-based and DNS-based dynamic resolution

0

VpcFirewallId

string

The instance ID of the VPC firewall.

vfw-925514970c2c4bcab222

Addresses

array<object>

The addresses and their remarks.

object

The address and its remarks.

Address

string

The address in the address book.

192.0.XX.XX/32

Note

string

The remarks.

Reviewed

AclStatus

string

The status of the ACL check.

Valid values:

  • Pending :

    The policy is awaiting processing.

  • Ignored :

    The policy is ignored.

  • Processed :

    The policy is processed.

Pending

AclAssessmentDetail

string

The assessment details of the access control policy.

No traffic hit policy.

Examples

Success response

JSON format

{
  "RequestId": "25E655B0-CAED-53D4-8054-F983126****",
  "CheckRecord": {
    "AclTotalCount": 10,
    "RecordAssessmentDetail": "It is recommended to remove the invalid policy, while helping to save the specification.",
    "CheckName": "PolicyHitCountZero",
    "Description": "Due to business offline or other reasons, the number of hits of the object policy in a period of time is 0.",
    "LastCheckTime": "1724982259",
    "Level": "High",
    "TaskId": "task-c92d4544ef7b6a42",
    "Acls": [
      {
        "Acl": {
          "Direction": "out",
          "Order": 1,
          "SourceType": "group",
          "ApplicationName": "ANY",
          "HitTimes": 1,
          "Description": "test_policy",
          "SourceGroupType": "ip",
          "DnsResultTime": 1579261141,
          "DnsResult": "192.0.XX.XX",
          "Proto": "TCP",
          "DestinationGroupType": "domain",
          "Destination": "kms.cn-shanghai.aliyuncs.com",
          "HitLastTime": 1579261141,
          "DestPortGroup": "my_port_group",
          "AclUuid": "997b38e0-01fa-4db7-8d30-02ebf6fdb747",
          "DestPortType": "port",
          "Source": "172.28.7.167",
          "DestinationType": "domain",
          "DestPort": "80/80",
          "IpVersion": 4,
          "AclAction": "log",
          "Release": "true",
          "ApplicationId": "plugin_idp4_ciam",
          "DestinationGroupCidrs": [
            "192.0.XX.XX/32"
          ],
          "DestPortGroupPorts": [
            "80/80"
          ],
          "SourceGroupCidrs": [
            "111.48.54.39/32"
          ],
          "ApplicationNameList": [
            "ANY"
          ],
          "SpreadCnt": 10,
          "CreateTime": 1761062400,
          "ModifyTime": 1761062400,
          "RepeatType": "Permanent",
          "RepeatDays": [
            6
          ],
          "RepeatStartTime": "08:00",
          "RepeatEndTime": "23:30",
          "StartTime": 1730318400,
          "EndTime": 1758334822,
          "AddressListCount": 1,
          "GroupUuid": "b91d86c3-2b52-4534-aae9-8d0339b12a48",
          "AutoAddTagEcs": 0,
          "GroupName": "Zhong Kui Open White List",
          "ReferenceCount": 1,
          "GroupType": "ip",
          "TagRelation": "or",
          "TagList": [
            {
              "TagValue": "tfTestAcc0",
              "TagKey": "ss"
            }
          ],
          "AddressList": [
            "183.2.201.71/32,60.28.235.22/32,210.51.58.107/32,60.28.235.81/32,210.51.58.51/32,60.28.235.52/32,1.1.1.1/32,154.212.141.143/32,167.94.146.55/32,185.226.197.47/32,101.251.238.174/32"
          ],
          "NatGatewayId": "ngw-2ze4w62zbdkwjmoqeokgl",
          "DomainResolveType": 0,
          "VpcFirewallId": "vfw-925514970c2c4bcab222",
          "Addresses": [
            {
              "Address": "192.0.XX.XX/32",
              "Note": "Reviewed"
            }
          ]
        },
        "AclStatus": "Pending",
        "AclAssessmentDetail": "No traffic hit policy."
      }
    ]
  }
}
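The following Python script is an added example; it is not code from this page or from Alibaba Cloud's SDK. It shows how a practitioner would consume this operation: page through a task with PageNo and PageSize (the response carries no total count of flagged entries, so iteration stops at the first short page), recompute SpreadCnt from the address-book, port-book and application lists with the formula given for that element, and rank the Pending findings so that enabled accept rules that have never matched come first. The fake_fetch function, the sample findings, the one-unit-per-member reading of the SpreadCnt formula and the ranking rules are assumptions made for the example; the real call goes through a signed SDK client.

```python
"""Client-side triage of DescribeAclCheck results. Added example, not part of
the Cloud Firewall SDK or of this reference page. It consumes parsed response
bodies shaped like the JSON above, walks every page of one check task, applies
the SpreadCnt formula and ranks the Pending findings. Sample data is constructed."""
from typing import Callable, Dict, Iterator, List

Json = Dict[str, object]

def _acl(uuid, order, action, hits, last_hit, release="true",
         status="Pending", sources=None, ports=None, apps=None) -> Json:
    """Build one Acls[] entry (constructed, response-shaped)."""
    return {"Acl": {
        "AclUuid": uuid, "Order": order, "Direction": "out",
        "SourceType": "group" if sources else "net", "SourceGroupCidrs": sources or [],
        "DestinationType": "domain", "DestinationGroupCidrs": [],
        "DestPortType": "group" if ports else "port", "DestPortGroupPorts": ports or [],
        "ApplicationNameList": apps or ["ANY"],
        "AclAction": action, "HitTimes": hits, "HitLastTime": last_hit,
        "Release": release},
        "AclStatus": status, "AclAssessmentDetail": "No traffic hit policy."}

# Constructed findings for one PolicyHitCountZero task.
SAMPLE_ACLS: List[Json] = [
    _acl("a1", 1, "accept", 0, 0, sources=["10.0.0.0/8", "192.168.0.0/16"],
         ports=["80/80", "443/443"]),
    _acl("a2", 2, "drop", 0, 0),
    _acl("a3", 3, "accept", 1, 1579261141, apps=["HTTP", "HTTPS"]),
    _acl("a4", 4, "accept", 0, 0, release="false"),
    _acl("a5", 5, "log", 0, 0, status="Ignored"),
]

def fake_fetch(params: Json) -> Json:
    """Stand-in for the signed DescribeAclCheck call: serves SAMPLE_ACLS in
    pages of params["PageSize"]. Swap in an SDK client call for real use."""
    size, page = int(params["PageSize"]), int(params["PageNo"])
    return {"RequestId": "constructed", "CheckRecord": {
        "TaskId": params["TaskId"], "CheckName": "PolicyHitCountZero",
        "AclTotalCount": len(SAMPLE_ACLS),
        "Acls": SAMPLE_ACLS[(page - 1) * size: page * size]}}

def iter_acls(fetch: Callable[[Json], Json], task_id: str,
              page_size: int = 10) -> Iterator[Json]:
    """Yield every Acls[] entry of a task. The response carries no total for
    the flagged entries (AclTotalCount is the policy count at check time),
    so paging stops at the first page shorter than PageSize."""
    page_no = 1
    while True:
        body = fetch({"TaskId": task_id, "PageNo": page_no,
                      "PageSize": page_size, "Lang": "en"})
        items = body.get("CheckRecord", {}).get("Acls") or []
        yield from items
        if len(items) < page_size:
            return
        page_no += 1

def spread_count(acl: Json) -> int:
    """SpreadCnt per the page's formula: sources x destinations x port ranges
    x applications. Assumption (not stated on the page): a directly given
    CIDR, domain or port range is one unit; a book counts one per member."""
    def units(kind, members):
        return max(1, len(members)) if kind == "group" else 1
    apps = acl.get("ApplicationNameList") or [acl.get("ApplicationName", "ANY")]
    return (units(acl.get("SourceType"), acl.get("SourceGroupCidrs", []))
            * units(acl.get("DestinationType"), acl.get("DestinationGroupCidrs", []))
            * units(acl.get("DestPortType"), acl.get("DestPortGroupPorts", []))
            * max(1, len(apps)))

def triage(items: List[Json], now: int) -> List[Json]:
    """Rank Pending findings: enabled first, zero-hit before hit, accept before
    drop/log (an unused allow is the widest needless exposure), wider first."""
    rows = []
    for item in items:
        if item.get("AclStatus") != "Pending":
            continue  # an operator already Processed or Ignored it
        acl = item["Acl"]
        enabled, action = acl.get("Release") == "true", acl.get("AclAction")
        hits, last = int(acl.get("HitTimes", 0)), int(acl.get("HitLastTime", 0))
        if not enabled:
            advice = "already disabled; delete if nothing references it"
        elif hits:
            advice = "review; policy has matched traffic"
        elif action == "accept":
            advice = "disable first, then delete"
        else:
            advice = "confirm it is not a deliberate guard before deleting"
        rows.append({"AclUuid": acl["AclUuid"], "Order": acl.get("Order"),
                     "AclAction": action, "Enabled": enabled, "HitTimes": hits,
                     "IdleDays": (now - last) // 86400 if last else None,
                     "SpreadCnt": spread_count(acl), "Advice": advice})
    rows.sort(key=lambda r: (r["Enabled"], r["HitTimes"] == 0,
                             r["AclAction"] == "accept", r["SpreadCnt"]), reverse=True)
    return rows

def report(task_id: str, now: int, fetch=fake_fetch, page_size: int = 2) -> List[Json]:
    """Pull every page for task_id and return the ranked findings."""
    return triage(list(iter_acls(fetch, task_id, page_size)), now)
```

report() pulls every page through fake_fetch with a PageSize of 2 by default so the paging loop is exercised on the sample; in practice pass the SDK-backed callable, a larger PageSize, and the LastCheckTime of the record as now so IdleDays is measured against the check rather than the wall clock.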

Error codes

HTTP status code

Error code

Error message

Description

400

ErrorAclCheckNotExist

ACL check not exist.

The access control configuration check does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.