Updated on 2024-12-10 GMT+08:00

Predefined Policy List

You can use predefined policies to create rules on the Config console.

The following table lists predefined policies provided by Config.

Table 1 Predefined policies

| Service | Policy | Triggered By | Object |
|---|---|---|---|
| General policies | Resource Names Meet Regular Expression Requirements | Configuration change | All resources |
| | Resources Have All the Specified Tags Attached | Configuration change | Supported Services and Resources |
| | Resources Have One of the Specified Tags Attached | Configuration change | Supported Services and Resources |
| | Tag Prefixes and Suffixes Check | Configuration change | Supported Services and Resources |
| | Resources Have at Least One Tag Attached | Configuration change | Supported Services and Resources |
| | Resource Tag Check | Configuration change | Supported Services and Resources |
| | Resources Are in Specified Enterprise Projects | Configuration change | All resources |
| | Resources Are in Specified Regions | Configuration change | All resources |
| | Resource Type Check by Specifying Allowed Resource Types | Configuration change | All resources |
| | Resource Type Check by Specifying Unallowed Resource Types | Configuration change | All resources |
| API Gateway (APIG) | Dedicated API Gateways Have an Authorization Type Set | Configuration change | apig.instances |
| | Dedicated API Gateways Have Logging Enabled | Configuration change | apig.instances |
| | Dedicated API Gateways Use SSL Certificates | Configuration change | apig.instances |
| CodeArts Deploy | Clusters Are Available | Configuration change | codeartsdeploy.host-cluster |
| | Project Parameter Encryption Check | Configuration change | codeartsbuild.CloudBuildServer |
| MapReduce Service (MRS) | MRS Clusters Have Specified Security Groups Attached | Configuration change | mrs.mrs |
| | MRS Clusters Are in Specified VPCs | Configuration change | mrs.mrs |
| | MRS Clusters Have Kerberos Enabled | Configuration change | mrs.mrs |
| | MRS Clusters Support Multi-AZ Deployment | Configuration change | mrs.mrs |
| | MRS Clusters Do Not Have EIPs Attached | Configuration change | mrs.mrs |
| | MRS Clusters Have KMS Encryption Enabled | Configuration change | mrs.mrs |
| NAT Gateway | Private NAT Private Gateways Are in Specified VPCs | Configuration change | nat.privateNatGateways |
| VPC Endpoint (VPCEP) | VPC Endpoint Check for Specified Services | Periodic | Account |
| Web Application Firewall (WAF) | WAF Instances Have Protection Policies Attached | Configuration change | waf.instance |
| | WAF Protection Policies Are Not Empty | Configuration change | waf.policy |
| | WAF Instances Have Domain Name Protection Enabled | Periodic | Account |
| | WAF Policies Have Geolocation Access Control Enabled | Periodic | Account |
| | WAF Instances Have Block Policies Attached | Configuration change | waf.instance |
| ELB | Load Balancers Do Not Have EIPs Attached | Configuration change | elb.loadbalancers |
| | ELB Listeners Have Specified Security Policies Added | Configuration change | elb.loadbalancers |
| | ELB Listeners Are Configured with HTTPS | Configuration change | elb.loadbalancers |
| | Weight Check for Backend Servers | Configuration change | elb.members |
| | HTTPS Redirection Check | Configuration change | elb.listeners |
| | Single-AZ Load Balancer Check | Configuration change | elb.loadbalancers |
| Elastic IP (EIP) | Bandwidth Check | Configuration change | vpc.publicips |
| | Idle Elastic IP Check | Configuration change | vpc.publicips |
| | Elastic IPs Are Used Within a Given Period of Time | Periodic | vpc.publicips |
| Auto Scaling (AS) | Priority Policy Check | Configuration change | as.scalingGroups |
| | AS Groups Are Associated with an Elastic Load Balancer that Uses Health Check | Configuration change | as.scalingGroups |
| | Multi-AZ Deployment Has Been Configured | Configuration change | as.scalingGroups |
| | IPv6 Bandwidth Check | Configuration change | as.scalingGroups |
| | AS Groups Are in Specified VPCs | Configuration change | as.scalingGroups |
| Scalable File Service Turbo (SFS Turbo) | SFS Turbo File Systems Have KMS Encryption Enabled | Configuration change | sfsturbo.shares |
| | SFS Turbo Systems Are Associated with Backup Vaults | Configuration change | sfsturbo.shares |
| | Backup Time Check | Periodic | sfsturbo.shares |
| Elastic Cloud Server (ECS) | Flavor Check | Configuration change | ecs.cloudservers |
| | Image Check | Configuration change | ecs.cloudservers |
| | Image Check by Tag | Configuration change | ecs.cloudservers |
| | Security Group Check by ID | Configuration change | ecs.cloudservers |
| | VPC Check by ID | Configuration change | ecs.cloudservers |
| | ECSs Have Key Pairs Attached | Configuration change | ecs.cloudservers |
| | ECSs Cannot Be Accessed Through Public Networks | Configuration change | ecs.cloudservers |
| | An ECS Does Not Have Multiple EIPs Attached | Configuration change | ecs.cloudservers |
| | Idle ECS Check | Periodic | ecs.cloudservers |
| | ECSs Have IAM Agencies Attached | Configuration change | ecs.cloudservers |
| | Image Check by Name | Configuration change | ecs.cloudservers |
| | ECSs Have Backup Vaults Attached | Configuration change | ecs.cloudservers |
| | Backup Time Check | Periodic | ecs.cloudservers |
| | ECSs Have HSS Agents Attached | Configuration change | ecs.cloudservers |
| Distributed Cache Service (DCS) | DCS Memcached Instances Support SSL | Configuration change | dcs.memcached |
| | DCS Memcached Instances Are in a Specified VPC | Configuration change | dcs.memcached |
| | DCS Memcached Instances Do Not Have EIPs Attached | Configuration change | dcs.memcached |
| | Access Mode Check | Configuration change | dcs.memcached |
| | DCS Redis Instances Support SSL | Configuration change | dcs.redis |
| | Cross-AZ Deployment Check | Configuration change | dcs.redis |
| | DCS Redis Instances Are in the Specified VPC | Configuration change | dcs.redis |
| | DCS Redis Instances Do Not Have EIPs Attached | Configuration change | dcs.redis |
| | Access Mode Check | Configuration change | dcs.redis |
| FunctionGraph | Concurrency Check | Configuration change | fgs.functions |
| | Functions Are in the Specified VPC | Configuration change | fgs.functions |
| | Public Access Check | Configuration change | fgs.functions |
| | Basic Configuration Check | Configuration change | fgs.functions |
| | FunctionGraph Functions Have Log Collection Enabled | Configuration change | fgs.functions |
| Content Delivery Network (CDN) | CDN Domains Use HTTPS Certificates | Configuration change | cdn.domains |
| | Origin Protocol Policy Check | Configuration change | cdn.domains |
| | TLS Version Check | Configuration change | cdn.domains |
| | Certificate Source Check | Configuration change | cdn.domains |
| Config | The Resource Recorder Is Enabled | Periodic | Account |
| Data Warehouse Service (DWS) | KMS Encryption Check | Configuration change | dws.clusters |
| | DWS Clusters Have Enabled Log Transfer | Configuration change | dws.clusters |
| | DWS Clusters Have Enabled Automated Snapshots | Configuration change | dws.clusters |
| | DWS Clusters Use SSL | Configuration change | dws.clusters |
| | DWS Clusters Do Not Have EIPs Attached | Configuration change | dws.clusters |
| | O&M Time Window Check | Configuration change | dws.clusters |
| | DWS Clusters Are in Specified VPCs | Configuration change | dws.clusters |
| Data Replication Service (DRS) | Network Type Check for DR Tasks | Configuration change | drs.dataGuardJob |
| | Network Type Check for Migration Tasks | Configuration change | drs.migrationJob |
| | Network Type Check for Synchronization Tasks | Configuration change | drs.synchronizationJob |
| Data Encryption Workshop (DEW) | Key Status Check | Configuration change | kms.keys |
| | Key Rotation Has Been Enabled | Configuration change | kms.keys |
| | CSMS Secrets Are Rotated | Configuration change | csms.secrets |
| | CSMS Secrets Have Enabled Automatic Rotation | Configuration change | csms.secrets |
| | CSMS Secrets Have Been Configured with Specified KMS Keys | Configuration change | csms.secrets |
| | CSMS Secrets Have Been Rotated Within the Specified Period | Periodic | csms.secrets |
| Identity and Access Management (IAM) | Key Rotation Check | Periodic | iam.users |
| | IAM Policies Do Not Allow Blocked Actions on KMS Keys | Configuration change | iam.roles, iam.policies |
| | Each User Group Has at Least One User | Configuration change | iam.groups |
| | Password Strength Check | Configuration change | iam.users |
| | Unintended Policy Check | Configuration change | iam.users, iam.groups, iam.agencies |
| | Admin Permissions Check | Configuration change | iam.roles, iam.policies |
| | Custom Policies Do Not Allow All Actions for a Service | Configuration change | iam.roles, iam.policies |
| | The Root User Does Not Have Available Access Keys | Periodic | Account |
| | Access Mode Check | Configuration change | iam.users |
| | Access Key Check | Configuration change | iam.users |
| | IAM Users Are in Specified User Groups | Configuration change | iam.users |
| | Last Login Check | Periodic | iam.users |
| | Multi-Factor Authentication Check | Configuration change | iam.users |
| | A User Does Not Have Multiple Active Access Keys | Configuration change | iam.users |
| | MFA Has Been Enabled for Console Login | Configuration change | iam.users |
| | The Root User Has MFA Enabled | Periodic | Account |
| | All IAM Policies Are in Use | Configuration change | iam.policies |
| | All IAM Roles Are in Use | Configuration change | iam.roles |
| | Login Protection Check | Periodic | iam.users |
| | IAM Agencies Contain Specified Policies | Configuration change | iam.agencies |
| | The Admin User Group Only Contains the Root User | Configuration change | iam.users |
| | IAM Users Do Not Have Directly Assigned Policies or Permissions | Configuration change | iam.users |
| Document Database Service (DDS) | SSL Has Been Enabled | Configuration change | dds.instances |
| | DDS Instance Type Check | Configuration change | dds.instances |
| | DDS Instances Do Not Have EIPs Attached | Configuration change | dds.instances |
| | DDS Instances Do Not Have Unallowed Ports Enabled | Configuration change | dds.instances |
| | DDS Instance Version Check | Configuration change | dds.instances |
| | DDS Instances Are in the Specified VPC | Configuration change | dds.instances |
| Simple Message Notification (SMN) | Log Reporting to LTS Has Been Enabled | Configuration change | smn.topic |
| Virtual Private Cloud (VPC) | Idle ACL Check | Configuration change | vpc.firewallGroups |
| | Default Security Group Check | Configuration change | vpc.securityGroups |
| | VPCs Have Enabled Flow Logs | Configuration change | vpc.vpcs |
| | Port Check | Configuration change | vpc.securityGroups |
| | Inbound Traffic Can Only Access Specified Ports | Configuration change | vpc.securityGroups |
| | SSH Check | Configuration change | vpc.securityGroups |
| | Access Control Check for Non-whitelisted Ports | Configuration change | vpc.securityGroups |
| | A Security Group Is Attached to Elastic Network Interfaces | Configuration change | vpc.securityGroups |
| Virtual Private Network (VPN) | Connection State Check | Configuration change | vpnaas.vpnConnections, vpnaas.ipsec-site-connections |
| Cloud Eye | Alarm Rules Are Enabled | Configuration change | ces.alarms |
| | Alarm Rules Have Been Configured for Key Disablement and Deletion | Periodic | Account |
| | There Are Alarm Rules Configured for OBS Bucket Policy Changes | Periodic | Account |
| | Specified Resources Have Certain Metric Attached | Periodic | Account |
| | Alarm Rule Configurations Check | Configuration change | ces.alarms |
| | Alarms Have Been Created for VPC Changes | Periodic | Account |
| Cloud Container Engine (CCE) | CCE Clusters Are Supported for Maintenance | Configuration change | cce.clusters |
| | Oldest Supported Version Check | Configuration change | cce.clusters |
| | CCE Clusters Do Not Have EIPs Attached | Configuration change | cce.clusters |
| | Flavor Check | Configuration change | cce.clusters |
| | CCE Clusters Are in Specified VPCs | Configuration change | cce.clusters |
| Cloud Trace Service (CTS) | CTS Trackers Have Traces Encrypted | Configuration change | cts.trackers |
| | CTS Trackers Have Trace Transfer to LTS Enabled | Configuration change | cts.trackers |
| | CTS Trackers Have Been Created for the Specified OBS Bucket | Periodic | Account |
| | Trace File Verification Is Enabled | Configuration change | cts.trackers |
| | At Least One Tracker Is Enabled | Periodic | Account |
| | There Are CTS Trackers In the Specified Regions | Periodic | Account |
| | CTS Trackers Comply with Security Best Practices | Periodic | Account |
| Relational Database Service (RDS) | Error Log Collection Is Enabled for RDS Instances | Configuration change | rds.instances |
| | RDS Instances Support Slow Query Logs | Configuration change | rds.instances |
| | Single-AZ Cluster Check | Configuration change | rds.instances |
| | RDS Instances Do Not Have EIPs Attached | Configuration change | rds.instances |
| | RDS Instances Use KMS Encryption | Configuration change | rds.instances |
| | RDS Instances Are in the Specified VPC | Configuration change | rds.instances |
| | Both Error Logs and Slow Query Logs Are Collected for RDS Instances | Configuration change | rds.instances |
| | Flavor Check | Configuration change | rds.instances |
| | RDS Instances Have SSL Enabled | Configuration change | rds.instances |
| | RDS Instance Port Check | Configuration change | rds.instances |
| | Version Check for RDS Instance Engines | Configuration change | rds.instances |
| | RDS Instances Have Audit Log Enabled | Configuration change | rds.instances |
| GaussDB | GaussDB Instances Are in the Specified VPC | Configuration change | gaussdb.instance |
| | Audit Log Collection Is Enabled | Configuration change | gaussdb.instance |
| | Automated Backup Is Enabled | Configuration change | gaussdb.instance |
| | Error Log Collection Is Enabled | Configuration change | gaussdb.instance |
| | Slow Query Log Collection Is Enabled | Configuration change | gaussdb.instance |
| | GaussDB Instances Do Not Have EIPs Attached | Configuration change | gaussdb.instance |
| | Cross-AZ Deployment Check | Configuration change | gaussdb.instance |
| | Data Transmission Encryption Is Enabled | Configuration change | gaussdb.instance |
| GaussDB (for MySQL) | Audit Log Collection Is Enabled | Configuration change | gaussdbformysql.instance |
| | Backup Is Enabled | Configuration change | gaussdbformysql.instance |
| | Error Log Collection Is Enabled | Configuration change | gaussdbformysql.instance |
| | Slow Query Log Collection Is Enabled | Configuration change | gaussdbformysql.instance |
| | Data Transmission Encryption Is Enabled | Configuration change | gaussdbformysql.instance |
| | Cross-AZ Deployment Check | Configuration change | gaussdbformysql.instance |
| | GaussDB (for MySQL) Instances Do Not Have EIPs Attached | Configuration change | gaussdbformysql.instance |
| | GaussDB (for MySQL) Instances Are in Specified VPCs | Configuration change | gaussdbformysql.instance |
| GeminiDB | Single-AZ Instance Check | Configuration change | nosql.instances |
| | GeminiDB Instances Have Backup Enabled | Configuration change | nosql.instances |
| | GeminiDB Instances Have Disk Encryption Enabled | Configuration change | nosql.instances |
| | GeminiDB Instances Have Error Log Collection Enabled | Configuration change | nosql.instances |
| | GeminiDB Instances Have the Slow Log Enabled | Configuration change | nosql.instances |
| Cloud Search Service (CSS) | CSS Clusters Have the Security Mode Enabled | Configuration change | css.clusters |
| | The Snapshot Function Is Enabled for CSS Clusters | Configuration change | css.clusters |
| | Disk Encryption Is Enabled for CSS Clusters | Configuration change | css.clusters |
| | HTTPS Access Is Enabled for CSS Clusters | Configuration change | css.clusters |
| | CSS Clusters Are in Specified VPCs | Configuration change | css.clusters |
| | Single-AZ CSS Cluster Check | Configuration change | css.clusters |
| | A CSS Cluster Has at Least Two Instances | Configuration change | css.clusters |
| | CSS Clusters Are Not Publicly Accessible | Configuration change | css.clusters |
| | CSS Clusters Support the Security Mode | Configuration change | css.clusters |
| | CSS Clusters Have Access Control Enabled | Configuration change | css.clusters |
| | CSS Clusters Have Kibana Access Control Enabled | Configuration change | css.clusters |
| | CSS Clusters Have Slow Query Log Enabled | Configuration change | css.clusters |
| Elastic Volume Service (EVS) | EVS Disk Type Check | Configuration change | evs.volumes |
| | Disks Are Used Within the Specified Time | Periodic | evs.volumes |
| | Idle EVS Disk Check | Configuration change | evs.volumes |
| | EVS Disks Are Encrypted | Configuration change | evs.volumes |
| | Disk Encryption Is Enabled | Configuration change | evs.volumes |
| | EVS Disks Have Backup Vaults Attached | Configuration change | evs.volumes |
| | EVS Backup Time Check | Periodic | evs.volumes |
| Cloud Certificate Manager (CCM) | Private CA Expiration Check | Periodic | pca.ca |
| | Expiration Check for Private Certificates | Periodic | pca.cert |
| | Private Root CAs Are Disabled | Periodic | pca.ca |
| | Private CA Algorithm Check | Configuration change | pca.ca, pca.cert |
| Distributed Message Service (for Kafka) | Kafka Instances Have SSL Enabled for Private Access | Configuration change | dms.kafkas |
| | Kafka Instances Have Enabled SSL for Public Access | Configuration change | dms.kafkas |
| | DMS Kafka Instances Are Not Publicly Accessible | Configuration change | dms.kafkas |
| Distributed Message Service (for RabbitMQ) | RabbitMQ Instances Have SSL Enabled | Configuration change | dms.rabbitmqs |
| | DMS RabbitMQ Instances Have Public Access Enabled | Configuration change | dms.rabbitmqs |
| Distributed Message Service (for RocketMQ) | DMS RocketMQ Instances Have SSL Enabled | Configuration change | dms.reliabilitys |
| | RocketMQ Allows Public Access | Configuration change | dms.reliabilitys |
| Organizations | Accounts Have Been Added to Organizations | Periodic | Account |
| Cloud Firewall (CFW) | CFW Instances Have Protection Policies Attached | Configuration change | cfw.cfw_instance |
| Cloud Backup and Recovery (CBR) | Backup Encryption Check | Configuration change | cbr.backup |
| | Backup Policy Execution Frequency Check | Configuration change | cbr.policy |
| | Minimum Retention Days of CBR Vault | Configuration change | cbr.vault |
| Object Storage Service (OBS) | OBS Bucket Policies Do Not Allow Blacklisted Actions | Configuration change | obs.buckets |
| | OBS Bucket Policies Only Allow Access from the Specified Objects | Configuration change | obs.buckets |
| | Permission Boundary Check | Configuration change | obs.buckets |
| | OBS Bucket Policies Do Not Allow Public Read Access | Configuration change | obs.buckets |
| | OBS Bucket Policies Do Not Allow Public Write Access | Configuration change | obs.buckets |
| | OBS Buckets Do Not Allow HTTP Requests | Configuration change | obs.buckets |
| Image Management Service (IMS) | Private Images Have Encryption Enabled | Configuration change | ims.images |
| Bare Metal Server (BMS) | BMSs Have Key Pair Login Enabled | Configuration change | bms.servers |