Best practices for ECS compliance management

更新时间:
复制 MD 格式

The BestPracticesForECS compliance package evaluates ECS instance status, security, protection, and snapshot settings to prevent service interruptions and cost overruns.

Rule name

Description

ecs-instance-status-no-stopped

Evaluates as Compliant if the ECS instance is not in the Stopped state.

ecs-instance-expired-check

Evaluates as Compliant if subscription resources expire in more than the specified number of days (default: 30). Instances with auto-renewal enabled are also Compliant. Pay-as-you-go resources: Not Applicable.

ecs-instance-deletion-protection-enabled

Evaluates as Compliant if release protection is enabled for the ECS instance.

ecs-instances-in-vpc

Without the vpcIds parameter, evaluates as Compliant if the ECS instance network type is VPC. With vpcIds configured, evaluates as Compliant if the instance resides in a specified VPC.

ecs-disk-encrypted

Evaluates as Compliant if disk encryption is enabled for the ECS instance.

ecs-disk-in-use

Evaluates as Compliant if the data disk is attached to an ECS instance.

sg-public-access-check

Evaluates as Compliant if the security group inbound policy is set to Allow with port range -1/-1 or authorized IP 0.0.0.0/0, or a higher-priority authorization policy exists. Security groups used by cloud services or virtual network operators: Not Applicable.

ecs-instance-attached-security-group

Evaluates as Compliant if the ECS instance belongs to a specified security group.

ecs-instance-imageId-check

Evaluates as Compliant if the ECS instance system image falls within the specified range.

ecs-all-updated-security-vul

Evaluates as Compliant if all Security Center vulnerabilities on the ECS instance are fixed.

ecs-all-enabled-security-protection

Evaluates as Compliant if the Security Center agent is installed on the ECS instance.

ecs-instance-no-lock

Evaluates as Compliant if the ECS instance is not locked due to issues such as overdue payments or security risks.

ess-group-health-check

Evaluates as Compliant if health checks are enabled for ECS instances in the scaling group.

ecs-disk-auto-snapshot-policy

Evaluates as Compliant if an automatic snapshot policy is configured for the ECS disk.

ecs-disk-no-lock

Evaluates as Compliant if the ECS disk is not locked due to issues such as overdue payments or security risks.

ecs-disk-retain-auto-snapshot

Evaluates as Compliant if auto snapshots are retained when the ECS disk is released.

ecs-snapshot-retention-days

Evaluates as Compliant if auto snapshots are retained for at least the specified number of days (default: 7).

sg-risky-ports-check

When 0.0.0.0/0 is in the security group whitelist, evaluates as Compliant if high-risk ports are disabled or denied by a higher-priority policy. Without 0.0.0.0/0, evaluates as Compliant regardless of port settings. Security groups used by cloud services or virtual network operators: Not Applicable.