Updated on 2025-08-25 GMT+08:00

Predefined Policy List

You can use predefined policies to create rules on the Config console.

The following table lists predefined policies provided by Config.

Table 1 Predefined policies

| Service | Policy | Triggered By | Object |
|---|---|---|---|
| General policies | Resource Names Meet Regular Expression Requirements | Configuration change | All resources |
| General policies | Resources Have All the Specified Tags Attached | Configuration change | Supported Services and Resources |
| General policies | Resources Have One of the Specified Tags Attached | Configuration change | Supported Services and Resources |
| General policies | Tag Prefixes and Suffixes Check | Configuration change | Supported Services and Resources |
| General policies | Resources Have at Least One Tag Attached | Configuration change | Supported Services and Resources |
| General policies | Resource Tag Check | Configuration change | Supported Services and Resources |
| General policies | Resources Are in Specified Enterprise Projects | Configuration change | All resources |
| General policies | Resources Are in Specified Regions | Configuration change | All resources |
| General policies | Resource Type Check by Specifying Allowed Resource Types | Configuration change | All resources |
| General policies | Resource Type Check by Specifying Unallowed Resource Types | Configuration change | All resources |
| General policies | Resource Status Check | Configuration change | All resources |
| API Gateway (APIG) | Dedicated API Gateways Have an Authorization Type Set | Configuration change | apig.instances |
| API Gateway (APIG) | Dedicated API Gateways Have Logging Enabled | Configuration change | apig.instances |
| API Gateway (APIG) | Dedicated API Gateways Use SSL Certificates | Configuration change | apig.instances |
| API Gateway (APIG) | Dedicated API Gateway Bound to a Specified VPC | Configuration change | apig.instances |
| API Gateway (APIG) | Dedicated API Gateway Deployed in Multiple AZs | Configuration change | apig.instances |
| API Gateway (APIG) | EIP Bound to a Dedicated API Gateway | Configuration change | apig.instances |
| CodeArts Deploy | Clusters Are Available | Configuration change | codeartsdeploy.host-cluster |
| CodeArts Deploy | Project Parameter Encryption Check | Configuration change | codeartsbuild.CloudBuildServer |
| MapReduce Service (MRS) | MRS Clusters Have Specified Security Groups Attached | Configuration change | mrs.mrs |
| MapReduce Service (MRS) | MRS Clusters Are in Specified VPCs | Configuration change | mrs.mrs |
| MapReduce Service (MRS) | MRS Clusters Have Kerberos Enabled | Configuration change | mrs.mrs |
| MapReduce Service (MRS) | MRS Clusters Are Deployed Across AZs | Configuration change | mrs.mrs |
| MapReduce Service (MRS) | MRS Clusters Should Not Use EIPs | Configuration change | mrs.mrs |
| MapReduce Service (MRS) | KMS Encryption Is Enabled for MRS Clusters | Configuration change | mrs.mrs |
| NAT Gateway | Private NAT Gateways Are in Specified VPCs | Configuration change | nat.privateNatGateways |
| VPC Endpoint (VPCEP) | VPC Endpoint Check for Specified Services | Periodic | Account |
| Web Application Firewall (WAF) | Protection Policies Must Be Configured for Domain Names Protected with WAF | Configuration change | waf.instance |
| Web Application Firewall (WAF) | WAF Protection Policies Must Have Rules Configured | Configuration change | waf.policy |
| Web Application Firewall (WAF) | WAF Instances Must Be Enabled to Protect Domain Names | Periodic | Account |
| Web Application Firewall (WAF) | Geolocation Access Control Rule Must Be Configured | Periodic | Account |
| Web Application Firewall (WAF) | Protective Action for WAF Instance Protection Policies Must Be "Block" | Configuration change | waf.instance |
| ELB | Load Balancers Should Not Use EIPs | Configuration change | elb.loadbalancers |
| ELB | ELB Listeners Have Specified Security Policies Added | Configuration change | elb.loadbalancers |
| ELB | ELB Listeners Are Configured to Use HTTPS or TLS | Configuration change | elb.loadbalancers |
| ELB | Weight Check for Backend Servers | Configuration change | elb.members |
| ELB | HTTPS Redirection Check | Configuration change | elb.listeners |
| ELB | Single-AZ Load Balancer Check | Configuration change | elb.loadbalancers |
| ELB | ELB Load Balancers Have Access Logging Configured | Configuration change | elb.loadbalancers |
| Elastic IP (EIP) | EIP Bandwidth Limit Check | Configuration change | vpc.publicips |
| Elastic IP (EIP) | Idle EIP Check | Configuration change | vpc.publicips |
| Elastic IP (EIP) | EIPs Bound Within Specified Days | Periodic | vpc.publicips |
| Auto Scaling (AS) | AS Priority Policy Check | Configuration change | as.scalingGroups |
| Auto Scaling (AS) | AS Groups Are Associated with an Elastic Load Balancer that Uses Health Check | Configuration change | as.scalingGroups |
| Auto Scaling (AS) | Multi-AZ Deployment Has Been Configured | Configuration change | as.scalingGroups |
| Auto Scaling (AS) | IPv6 Bandwidth Check | Configuration change | as.scalingGroups |
| Auto Scaling (AS) | AS Groups Are in Specified VPCs | Configuration change | as.scalingGroups |
| Scalable File Service Turbo (SFS Turbo) | SFS Turbo File Systems Have KMS Encryption Enabled | Configuration change | sfsturbo.shares |
| Scalable File Service Turbo (SFS Turbo) | SFS Turbo Systems Are Associated with Backup Vaults | Configuration change | sfsturbo.shares |
| Scalable File Service Turbo (SFS Turbo) | SFS Turbo Backup Time Check | Periodic | sfsturbo.shares |
| Elastic Cloud Server (ECS) | Flavor Check | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | Image Check | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | Image Check by Tag | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | Security Group Check by ID | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | Number of ECS vCPUs | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECS Instances Are in the Specified VPC | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECSs Have Key Pairs Attached | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECS Memory Size | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECSs Cannot Be Accessed Through Public Networks | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECS Status Check | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | An ECS Must Have No More Than One EIP | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | Idle ECS Check | Periodic | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECSs Have IAM Agencies Attached | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | Image Check by Name | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECSs Have Backup Vaults Attached | Configuration change | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECS Backup Time Check | Periodic | ecs.cloudservers |
| Elastic Cloud Server (ECS) | ECSs Have HSS Agents Attached | Configuration change | ecs.cloudservers |
| Distributed Cache Service (DCS) | DCS for Memcached Instances Support SSL | Configuration change | dcs.memcached |
| Distributed Cache Service (DCS) | DCS Memcached Instances Are in a Specified VPC | Configuration change | dcs.memcached |
| Distributed Cache Service (DCS) | DCS for Memcached Instances Should Not Use EIPs | Configuration change | dcs.memcached |
| Distributed Cache Service (DCS) | DCS for Memcached Access Password Check | Configuration change | dcs.memcached |
| Distributed Cache Service (DCS) | DCS for Redis Instances Support SSL | Configuration change | dcs.redis |
| Distributed Cache Service (DCS) | Cross-AZ Deployment Check | Configuration change | dcs.redis |
| Distributed Cache Service (DCS) | DCS Redis Instances Are in the Specified VPC | Configuration change | dcs.redis |
| Distributed Cache Service (DCS) | DCS for Redis Instances Should Not Use EIPs | Configuration change | dcs.redis |
| Distributed Cache Service (DCS) | DCS for Redis Access Password Check | Configuration change | dcs.redis |
| Distributed Cache Service (DCS) | DCS for Redis Instance Version | Configuration change | dcs.redis |
| Distributed Cache Service (DCS) | DCS for Redis Instance Port Check | Configuration change | dcs.redis |
| FunctionGraph | Concurrency Check | Configuration change | fgs.functions |
| FunctionGraph | FunctionGraph Functions Are Allowed to Access Resources in a Specified VPC Only | Configuration change | fgs.functions |
| FunctionGraph | Public Access Check | Configuration change | fgs.functions |
| FunctionGraph | Basic Configuration Check | Configuration change | fgs.functions |
| FunctionGraph | FunctionGraph Functions Have Log Collection Enabled | Configuration change | fgs.functions |
| Content Delivery Network (CDN) | CDN Domains Use HTTPS Certificates | Configuration change | cdn.domains |
| Content Delivery Network (CDN) | Origin Protocol Policy Check | Configuration change | cdn.domains |
| Content Delivery Network (CDN) | TLS Version Check | Configuration change | cdn.domains |
| Content Delivery Network (CDN) | Certificate Source Check | Configuration change | cdn.domains |
| Config | The Resource Recorder Is Enabled | Periodic | Account |
| Data Warehouse Service (DWS) | KMS Encryption Check | Configuration change | dws.clusters |
| Data Warehouse Service (DWS) | Audit Log Dump Is Enabled for DWS Clusters | Configuration change | dws.clusters |
| Data Warehouse Service (DWS) | Automated Snapshots Are Enabled for DWS Clusters | Configuration change | dws.clusters |
| Data Warehouse Service (DWS) | SSL Encryption Is Enabled for DWS Clusters | Configuration change | dws.clusters |
| Data Warehouse Service (DWS) | DWS Clusters Should Not Use EIPs | Configuration change | dws.clusters |
| Data Warehouse Service (DWS) | O&M Time Window Check | Configuration change | dws.clusters |
| Data Warehouse Service (DWS) | DWS Clusters Are in Specified VPCs | Configuration change | dws.clusters |
| Data Replication Service (DRS) | Network Type Check for DR Tasks | Configuration change | drs.dataGuardJob |
| Data Replication Service (DRS) | Network Type Check for Migration Tasks | Configuration change | drs.migrationJob |
| Data Replication Service (DRS) | Network Type Check for Synchronization Tasks | Configuration change | drs.synchronizationJob |
| Data Replication Service (DRS) | SSL Enabled for DRS Tasks | Configuration change | drs.dataGuardJob, drs.migrationJob, drs.synchronizationJob |
| Data Encryption Workshop (DEW) | Key Status Check | Configuration change | kms.keys |
| Data Encryption Workshop (DEW) | Key Rotation Has Been Enabled | Configuration change | kms.keys |
| Data Encryption Workshop (DEW) | CSMS Secrets Are Rotated | Configuration change | csms.secrets |
| Data Encryption Workshop (DEW) | CSMS Secrets Have Enabled Automatic Rotation | Configuration change | csms.secrets |
| Data Encryption Workshop (DEW) | CSMS Secrets Must Use the Specified KMS Keys | Configuration change | csms.secrets |
| Data Encryption Workshop (DEW) | CSMS Secrets Have Been Rotated Within the Specified Period | Periodic | csms.secrets |
| Identity and Access Management (IAM) | Key Rotation Check | Periodic | iam.users |
| Identity and Access Management (IAM) | IAM Policies Do Not Allow Blocked Actions on KMS Keys | Configuration change | iam.roles, iam.policies |
| Identity and Access Management (IAM) | Each User Group Has at Least One User | Configuration change | iam.groups |
| Identity and Access Management (IAM) | Password Strength Check | Configuration change | iam.users |
| Identity and Access Management (IAM) | Unintended Policy Check | Configuration change | iam.users, iam.groups, iam.agencies |
| Identity and Access Management (IAM) | Admin Permissions Check | Configuration change | iam.roles, iam.policies |
| Identity and Access Management (IAM) | Custom Policies Do Not Allow All Actions for a Service | Configuration change | iam.roles, iam.policies |
| Identity and Access Management (IAM) | The Root User Should Not Have Available Access Keys | Periodic | Account |
| Identity and Access Management (IAM) | Access Mode Check | Configuration change | iam.users |
| Identity and Access Management (IAM) | Access Key Check | Configuration change | iam.users |
| Identity and Access Management (IAM) | IAM Users Are in Specified User Groups | Configuration change | iam.users |
| Identity and Access Management (IAM) | Last Login Check | Periodic | iam.users |
| Identity and Access Management (IAM) | Multi-Factor Authentication Check | Configuration change | iam.users |
| Identity and Access Management (IAM) | A User Does Not Have Multiple Active Access Keys | Configuration change | iam.users |
| Identity and Access Management (IAM) | MFA Has Been Enabled for Console Login | Configuration change | iam.users |
| Identity and Access Management (IAM) | The Root User Has MFA Enabled | Periodic | Account |
| Identity and Access Management (IAM) | All IAM Policies Are in Use | Configuration change | iam.policies |
| Identity and Access Management (IAM) | All IAM Roles Are in Use | Configuration change | iam.roles |
| Identity and Access Management (IAM) | Login Protection Check | Periodic | iam.users |
| Identity and Access Management (IAM) | IAM Agencies Contain Specified Policies | Configuration change | iam.agencies |
| Identity and Access Management (IAM) | The Admin User Group Only Contains the Root User | Configuration change | iam.users |
| Identity and Access Management (IAM) | IAM Users Do Not Have Directly Assigned Policies or Permissions | Configuration change | iam.users |
| Identity and Access Management (IAM) | Access Key Used Within the Specified Period | Periodic | iam.users |
| Document Database Service (DDS) | SSL Has Been Enabled | Configuration change | dds.instances |
| Document Database Service (DDS) | DDS Instance Type Check | Configuration change | dds.instances |
| Document Database Service (DDS) | DDS Instances Should Not Use EIPs | Configuration change | dds.instances |
| Document Database Service (DDS) | DDS Instances Should Not Use Unallowed Ports | Configuration change | dds.instances |
| Document Database Service (DDS) | DDS Instance Version Check | Configuration change | dds.instances |
| Simple Message Notification (SMN) | Log Reporting to LTS Has Been Enabled | Configuration change | smn.topic |
| Virtual Private Cloud (VPC) | Idle ACL Check | Configuration change | vpc.firewallGroups |
| Virtual Private Cloud (VPC) | VPC Connected to a Specified VPC Endpoint Service | Periodic | vpc.vpcs |
| Virtual Private Cloud (VPC) | Default Security Group Check | Configuration change | vpc.securityGroups |
| Virtual Private Cloud (VPC) | VPCs Have Enabled Flow Logs | Configuration change | vpc.vpcs |
| Virtual Private Cloud (VPC) | Security Group Port Check | Configuration change | vpc.securityGroups |
| Virtual Private Cloud (VPC) | Inbound Traffic Is Allowed on Specified Ports Only | Configuration change | vpc.securityGroups |
| Virtual Private Cloud (VPC) | Inbound Traffic Is Allowed on SSH Ports Only | Configuration change | vpc.securityGroups |
| Virtual Private Cloud (VPC) | Non-whitelisted Ports Must Be Disabled in a Security Group | Configuration change | vpc.securityGroups |
| Virtual Private Cloud (VPC) | A Security Group Should Connect to At Least One Elastic Network Interface | Configuration change | vpc.securityGroups |
| Virtual Private Network (VPN) | Connection State Check | Configuration change | vpnaas.vpnConnections, vpnaas.ipsec-site-connections |
| Cloud Eye | Alarm Rules Are Enabled | Configuration change | ces.alarms |
| Cloud Eye | Alarm Rules Have Been Configured for Key Disablement and Deletion | Periodic | Account |
| Cloud Eye | Alarms Have Been Created for OBS Bucket Policy Changes | Periodic | Account |
| Cloud Eye | Specified Resources Have Certain Metric Attached | Periodic | Account |
| Cloud Eye | Alarm Rule Configurations Check | Configuration change | ces.alarms |
| Cloud Eye | Alarms Have Been Configured for VPC Changes | Periodic | Account |
| Cloud Container Engine (CCE) | End of Maintenance Check | Configuration change | cce.clusters |
| Cloud Container Engine (CCE) | Oldest Supported Version Check | Configuration change | cce.clusters |
| Cloud Container Engine (CCE) | CCE Clusters Should Not Use EIPs | Configuration change | cce.clusters |
| Cloud Container Engine (CCE) | Flavor Check | Configuration change | cce.clusters |
| Cloud Container Engine (CCE) | CCE Clusters Are in Specified VPCs | Configuration change | cce.clusters |
| Cloud Trace Service (CTS) | CTS Trackers Have Traces Encrypted | Configuration change | cts.trackers |
| Cloud Trace Service (CTS) | Log Transfer to LTS Is Enabled | Configuration change | cts.trackers |
| Cloud Trace Service (CTS) | CTS Trackers Have Been Created for the Specified OBS Bucket | Periodic | Account |
| Cloud Trace Service (CTS) | Trace File Verification Is Enabled | Configuration change | cts.trackers |
| Cloud Trace Service (CTS) | At Least One Tracker Is Enabled | Periodic | Account |
| Cloud Trace Service (CTS) | There Are CTS Trackers in the Specified Regions | Periodic | Account |
| Cloud Trace Service (CTS) | CTS Trackers Comply with Security Best Practices | Periodic | Account |
| Relational Database Service (RDS) | Backup Is Enabled for RDS DB Instances | Configuration change | rds.instances |
| Relational Database Service (RDS) | Error Log Collection Is Enabled for RDS Instances | Configuration change | rds.instances |
| Relational Database Service (RDS) | RDS Instances Support Slow Query Logs | Configuration change | rds.instances |
| Relational Database Service (RDS) | Single-AZ Cluster Check | Configuration change | rds.instances |
| Relational Database Service (RDS) | RDS DB Instances Should Not Use EIPs | Configuration change | rds.instances |
| Relational Database Service (RDS) | RDS Instances Use KMS Encryption | Configuration change | rds.instances |
| Relational Database Service (RDS) | RDS Instances Are in the Specified VPC | Configuration change | rds.instances |
| Relational Database Service (RDS) | Both Error Logs and Slow Query Logs Are Collected for RDS Instances | Configuration change | rds.instances |
| Relational Database Service (RDS) | Flavor Check | Configuration change | rds.instances |
| Relational Database Service (RDS) | RDS Instances Have SSL Enabled | Configuration change | rds.instances |
| Relational Database Service (RDS) | RDS Default Port Check | Configuration change | rds.instances |
| Relational Database Service (RDS) | Version Check for RDS Instance Engines | Configuration change | rds.instances |
| Relational Database Service (RDS) | RDS Instances Have Audit Log Enabled | Configuration change | rds.instances |
| GaussDB | GaussDB Instances Are in the Specified VPC | Configuration change | gaussdb.instance |
| GaussDB | Audit Log Collection Is Enabled | Configuration change | gaussdb.instance |
| GaussDB | Automated Backup Is Enabled | Configuration change | gaussdb.instance |
| GaussDB | Error Log Collection Is Enabled | Configuration change | gaussdb.instance |
| GaussDB | Slow Query Log Collection Is Enabled | Configuration change | gaussdb.instance |
| GaussDB | GaussDB Instance EIP Check | Configuration change | gaussdb.instance |
| GaussDB | Cross-AZ Deployment Check | Configuration change | gaussdb.instance |
| GaussDB | Data Transmission Encryption Is Enabled | Configuration change | gaussdb.instance |
| GaussDB | GaussDB Instance Port Check | Configuration change | gaussdb.instance |
| TaurusDB | The Audit Log Reporting Is Enabled | Configuration change | gaussdbformysql.instance |
| TaurusDB | Backup Is Enabled | Configuration change | gaussdbformysql.instance |
| TaurusDB | Error Logging Is Enabled | Configuration change | gaussdbformysql.instance |
| TaurusDB | The Slow Query Log Is Enabled | Configuration change | gaussdbformysql.instance |
| TaurusDB | Data Transmission Encryption Is Enabled | Configuration change | gaussdbformysql.instance |
| TaurusDB | Cross-AZ Deployment Check | Configuration change | gaussdbformysql.instance |
| TaurusDB | TaurusDB Instance EIP Check | Configuration change | gaussdbformysql.instance |
| TaurusDB | VPC Check | Configuration change | gaussdbformysql.instance |
| TaurusDB | TaurusDB Database Engine Version | Configuration change | gaussdbformysql.instance |
| TaurusDB | TaurusDB Instance Port Check | Configuration change | gaussdbformysql.instance |
| GeminiDB | SSL-Encrypted Transmission for GeminiDB Instances | Configuration change | nosql.instances |
| GeminiDB | GeminiDB Instance Port Check | Configuration change | nosql.instances |
| GeminiDB | GeminiDB Database Engine Version | Configuration change | nosql.instances |
| GeminiDB | GeminiDB Instances Are Deployed Across AZs | Configuration change | nosql.instances |
| GeminiDB | GeminiDB Instances Have Backup Enabled | Configuration change | nosql.instances |
| GeminiDB | GeminiDB Instances Have Disk Encryption Enabled | Configuration change | nosql.instances |
| GeminiDB | GeminiDB Instances Have Error Logs Enabled | Configuration change | nosql.instances |
| GeminiDB | GeminiDB Instances Have Slow Logs Enabled | Configuration change | nosql.instances |
| Cloud Search Service (CSS) | CSS Clusters Have the Security Mode Enabled | Configuration change | css.clusters |
| Cloud Search Service (CSS) | The Snapshot Function Is Enabled for CSS Clusters | Configuration change | css.clusters |
| Cloud Search Service (CSS) | Disk Encryption Is Enabled for CSS Clusters | Configuration change | css.clusters |
| Cloud Search Service (CSS) | HTTPS Access Is Enabled for CSS Clusters | Configuration change | css.clusters |
| Cloud Search Service (CSS) | CSS Clusters Are in Specified VPCs | Configuration change | css.clusters |
| Cloud Search Service (CSS) | Single-AZ CSS Cluster Check | Configuration change | css.clusters |
| Cloud Search Service (CSS) | A CSS Cluster Has at Least Two Instances | Configuration change | css.clusters |
| Cloud Search Service (CSS) | CSS Clusters Are Not Publicly Accessible | Configuration change | css.clusters |
| Cloud Search Service (CSS) | CSS Clusters Support the Security Mode | Configuration change | css.clusters |
| Cloud Search Service (CSS) | CSS Clusters Have Access Control Enabled | Configuration change | css.clusters |
| Cloud Search Service (CSS) | CSS Clusters Have Kibana Public Access Control Enabled | Configuration change | css.clusters |
| Cloud Search Service (CSS) | CSS Clusters Have Slow Query Log Enabled | Configuration change | css.clusters |
| Cloud Search Service (CSS) | CSS Cluster Update Check | Configuration change | css.clusters |
| Elastic Volume Service (EVS) | EVS Disk Type Check | Configuration change | evs.volumes |
| Elastic Volume Service (EVS) | Disks Are Used Within the Specified Time | Periodic | evs.volumes |
| Elastic Volume Service (EVS) | Idle EVS Disk Check | Configuration change | evs.volumes |
| Elastic Volume Service (EVS) | EVS Disks Are Encrypted | Configuration change | evs.volumes |
| Elastic Volume Service (EVS) | Disk Encryption Is Enabled | Configuration change | evs.volumes |
| Elastic Volume Service (EVS) | EVS Disks Have Backup Vaults Attached | Configuration change | evs.volumes |
| Elastic Volume Service (EVS) | EVS Backup Time Check | Periodic | evs.volumes |
| Cloud Certificate Manager (CCM) | Expiration Check for Private CAs | Periodic | pca.ca |
| Cloud Certificate Manager (CCM) | Expiration Check for Private Certificates | Periodic | pca.cert |
| Cloud Certificate Manager (CCM) | Private Root CAs Are Disabled | Periodic | pca.ca |
| Cloud Certificate Manager (CCM) | Private CA Algorithm Check | Configuration change | pca.ca, pca.cert |
| Distributed Message Service (DMS) for Kafka | SSL Is Enabled for Private Network Access of DMS for Kafka | Configuration change | dms.kafka |
| Distributed Message Service (DMS) for Kafka | SSL Is Enabled for Public Network Access of DMS for Kafka | Configuration change | dms.kafka |
| Distributed Message Service (DMS) for Kafka | DMS for Kafka Queues Are Not Publicly Accessible | Configuration change | dms.kafka |
| Distributed Message Service (DMS) for RabbitMQ | SSL Is Enabled for DMS RabbitMQ Queues | Configuration change | dms.rabbitmqs |
| Distributed Message Service (DMS) for RabbitMQ | DMS for RabbitMQ Instances Are Not Publicly Accessible | Configuration change | dms.rabbitmqs |
| Distributed Message Service (DMS) for RocketMQ | DMS RocketMQ Instances Have SSL Enabled | Configuration change | dms.reliabilitys |
| Distributed Message Service (DMS) for RocketMQ | RocketMQ Allows Public Access | Configuration change | dms.reliabilitys |
| Organizations | Accounts Have Been Added to Organizations | Periodic | Account |
| Cloud Firewall (CFW) | CFW Instances Have Protection Policies Attached | Configuration change | cfw.cfw_instance |
| Cloud Backup and Recovery (CBR) | Backup Encryption Check | Configuration change | cbr.backup |
| Cloud Backup and Recovery (CBR) | Backup Policy Execution Frequency Check | Configuration change | cbr.policy |
| Cloud Backup and Recovery (CBR) | Minimum Retention Days of CBR Vault | Configuration change | cbr.vault |
| Cloud Backup and Recovery (CBR) | Cross-Region Replication for CBR Backup Vaults | Configuration change | cbr.vault |
| Cloud Backup and Recovery (CBR) | Backup Locked for CBR Vaults | Configuration change | cbr.vault |
| Cloud Backup and Recovery (CBR) | Multi-AZ Backup for CBR Vaults | Configuration change | cbr.vault |
| Object Storage Service (OBS) | OBS Bucket Policies Do Not Allow Blacklisted Actions | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Bucket Policies Only Allow Access from the Specified Objects | Configuration change | obs.buckets |
| Object Storage Service (OBS) | Permission Boundary Check | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Bucket Policies Do Not Allow Public Read Access | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Bucket Policies Do Not Allow Public Write Access | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Do Not Allow HTTP Requests | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Have Logging Enabled | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Have Enabled Versioning | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Are Not Associated with Non-Default ACLs | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Have Cross-Region Replication Enabled | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Have Server-side Encryption Enabled | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Have Lifecycle Management Enabled | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Have WORM Enabled | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Buckets Use Server-side Encryption with KMS-Managed Keys | Configuration change | obs.buckets |
| Object Storage Service (OBS) | Storage Class Check | Configuration change | obs.buckets |
| Object Storage Service (OBS) | OBS Bucket Policy Check | Configuration change | obs.buckets |
| Image Management Service (IMS) | Private Images Have Encryption Enabled | Configuration change | ims.images |
| Bare Metal Server (BMS) | BMSs Have Key Pair Login Enabled | Configuration change | bms.servers |
| Graph Engine Service (GES) | GES Graphs Are Encrypted Using KMS | Configuration change | ges.graphs |
| Graph Engine Service (GES) | GES Graphs Have LTS Enabled | Configuration change | ges.graphs |
| Graph Engine Service (GES) | GES Graphs Support Cross-AZ HA | Configuration change | ges.graphs |
| IAM Identity Center | IdP Certificate Validity Check | Periodic | identitycenter.idp |
| IAM Identity Center | SCIM Token Validity Check | Periodic | identitycenter.scim |
| Workspace | Workspace Backup Time Window | Periodic | workspace.desktops |
| Workspace | Workspace Attached to a Backup Vault | Configuration change | workspace.desktops |