This topic describes the background information, scenarios, and default rules of the BestPracticeForInternetAccessResourceDetection compliance package template.
Background information
If you set no limits when you enable Internet access for Alibaba Cloud resources, this may cause high security risks and increase management costs. To meet the requirements for Internet security, costs, permissions, and monitoring, the IT management team of an enterprise always deploys secure Internet egress in a centralized manner. This prevents Internet access from being enabled for Alibaba Cloud resources on which no limits are set. This way, you can reduce the security risks that may be caused by cyber attacks and data leaks. You can use a compliance package that is created from the template to check whether Internet access is enabled for cloud resources when no limits are set.
Scenarios
This template applies when enterprises have important business data and services that are managed by Alibaba Cloud.
Default rules
Rule name | Description |
Checks whether Internet access is enabled for each ApsaraDB for Redis instance and all CIDR blocks are added to the IP whitelist of the instance. If not, the evaluation result is Compliant. If so, the evaluation result is Non-compliant. | |
Checks whether Internet access is enabled for each ApsaraDB RDS instance and the 0.0.0.0/0 CIDR block is added to the whitelist. If so, the evaluation result is Non-compliant. | |
Checks whether Internet access is enabled and any Internet access is allowed for each PolarDB instance. If so, the evaluation result is Non-compliant. | |
Checks whether Internet access is enabled and access from any IP address is allowed for each PolarDB instance. If so, the evaluation result is Non-compliant. | |
Checks whether Internet access is enabled and any Internet access is allowed for each ApsaraDB for MongoDB instance. If so, the evaluation result is Non-compliant. | |
Checks whether Internet access is enabled and any Internet access is allowed for each Elasticsearch cluster. If so, the evaluation result is Non-compliant. | |
Checks whether the network type of each Tablestore instance is set to VPC or Console Access. If so, the evaluation result is Compliant. | |
Checks whether each MSE cluster allows access from the Internet and authentication is enabled, or denies access from the Internet. If so, the evaluation result is Compliant. | |
Checks whether the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, or an authorization policy with a higher priority is configured. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. | |
Checks whether a public endpoint is specified for each Container Service for Kubernetes cluster. If not, the evaluation result is Compliant. | |
Checks whether the type of the Container Registry image repository is Private. if so, the evaluation result is Compliant. | |
Internet access is disabled for the ApsaraDB for HBase cluster. | Checks whether Internet access is disabled for an ApsaraDB for HBase cluster. If so, the evaluation result is Compliant. |
Checks whether Internet access is disabled for each AnalyticDB instance. If so, the evaluation result is Compliant. | |
Checks whether no public IPv4 addresses or elastic IP addresses are assigned to running ECS instances. If so, the evaluation result is Compliant. |