Cloud Config provides built-in rules to evaluate your Tair (Redis OSS-compatible) instances against best practices for security and stability. These rules check instance types, audit log settings, public network access, whitelists, multi-zone disaster recovery, renewal and expiration, and change management.
|
Rule name |
Rule description |
|
A Redis instance is considered "compliant" if its audit log is enabled and the log retention period is greater than or equal to the specified value. Default value: 180 days. |
|
|
A Redis instance is considered "compliant" if it is a multi-zone instance. |
|
|
A Redis instance is considered "compliant" if its node type is dual-replica. |
|
|
A Redis instance is considered "compliant" if transparent data encryption (TDE) is enabled with a custom key. |
|
|
A Redis instance is considered "compliant" if audit logs are enabled. Instances of versions that do not support audit logs are considered "not applicable". |
|
|
A Redis instance is considered "compliant" if TLS encryption is configured. |
|
|
A Redis instance is considered "compliant" if it is upgraded to the latest minor version. |
|
|
A Redis instance is considered "compliant" if release protection is enabled. This rule does not apply to subscription instances, which are considered "not applicable". |
|
|
A Redis instance is considered "compliant" if high-risk commands are disabled. |
|
|
A Redis instance is considered "compliant" if its available queries per second (QPS) is greater than or equal to the specified parameter value. Default value: 1000. |
|
|
A Redis instance is considered "compliant" if its available bandwidth is greater than or equal to the specified parameter value. Default value: 1000 MB/s. |
|
|
Redis instances meet the specified memory capacity requirement |
A Redis instance is considered "compliant" if its total memory is greater than or equal to the specified parameter value. Default value: 1000 MB. |
|
A Redis instance is considered "compliant" if public network access is disabled or its security whitelist is not configured to allow access from any source. An instance is considered "non-compliant" if it has public network access enabled and its whitelist allows access from any source. |
|
|
A reasonable backup time window is configured for Redis instances |
A Redis instance is considered "compliant" if its automatic backup time falls within one of the time windows specified in the parameters. If the backup time window overlaps with your business peak hours, your services may be affected. |
|
A subscription Redis instance is considered "compliant" if its remaining subscription period is greater than the specified number of days. Default value: 30 days. Instances with auto-renewal enabled are also considered "compliant". This rule does not apply to pay-as-you-go instances, which are considered "not applicable". |
|
|
A Redis instance is considered "compliant" if incremental backup is enabled. This rule applies only to Tair instances. Other instance types are considered "not applicable". |