The BestPracticesForECS compliance package evaluates ECS instance status, security, protection, and snapshot settings to prevent service interruptions and cost overruns.
|
Rule name |
Description |
|
Evaluates as Compliant if the ECS instance is not in the Stopped state. |
|
|
Evaluates as Compliant if subscription resources expire in more than the specified number of days (default: 30). Instances with auto-renewal enabled are also Compliant. Pay-as-you-go resources: Not Applicable. |
|
|
Evaluates as Compliant if release protection is enabled for the ECS instance. |
|
|
Without the vpcIds parameter, evaluates as Compliant if the ECS instance network type is VPC. With vpcIds configured, evaluates as Compliant if the instance resides in a specified VPC. |
|
|
Evaluates as Compliant if disk encryption is enabled for the ECS instance. |
|
|
Evaluates as Compliant if the data disk is attached to an ECS instance. |
|
|
Evaluates as Compliant if the security group inbound policy is set to Allow with port range -1/-1 or authorized IP 0.0.0.0/0, or a higher-priority authorization policy exists. Security groups used by cloud services or virtual network operators: Not Applicable. |
|
|
Evaluates as Compliant if the ECS instance belongs to a specified security group. |
|
|
Evaluates as Compliant if the ECS instance system image falls within the specified range. |
|
|
Evaluates as Compliant if all Security Center vulnerabilities on the ECS instance are fixed. |
|
|
Evaluates as Compliant if the Security Center agent is installed on the ECS instance. |
|
|
Evaluates as Compliant if the ECS instance is not locked due to issues such as overdue payments or security risks. |
|
|
Evaluates as Compliant if health checks are enabled for ECS instances in the scaling group. |
|
|
Evaluates as Compliant if an automatic snapshot policy is configured for the ECS disk. |
|
|
Evaluates as Compliant if the ECS disk is not locked due to issues such as overdue payments or security risks. |
|
|
Evaluates as Compliant if auto snapshots are retained when the ECS disk is released. |
|
|
Evaluates as Compliant if auto snapshots are retained for at least the specified number of days (default: 7). |
|
|
When 0.0.0.0/0 is in the security group whitelist, evaluates as Compliant if high-risk ports are disabled or denied by a higher-priority policy. Without 0.0.0.0/0, evaluates as Compliant regardless of port settings. Security groups used by cloud services or virtual network operators: Not Applicable. |