
Cloud Config: Best practices for network and data security

Last Updated: Nov 19, 2025

Perform a comprehensive check of your network architecture and data security to ensure that your systems and data are configured and protected as intended. This practice also reduces the risk of network and data breaches. For more information, see the CIS Benchmarks requirements. This topic describes the default rules for network and data security best practices.

| Rule name | Description |
| --- | --- |
| In-use ECS data disks require encryption | Checks whether the encryption feature is enabled for each ECS data disk that is in use. If so, the evaluation result is compliant. |
| ECS instances in a VPC | Checks whether the network type of each ECS instance is VPC if you do not configure the vpcIds parameter. If so, the evaluation result is compliant. If you configure the vpcIds parameter, checks whether the virtual private cloud (VPC) in which each ECS instance resides is one of the specified VPCs. If so, the evaluation result is also compliant. Separate multiple parameter values with commas (,). |
| OSS Bucket Server-Side Encryption Enabled | Checks whether server-side encryption is enabled for each OSS bucket. If so, the evaluation result is compliant. |
| RDS instances must not allow public access | Checks whether no public endpoint is configured for each RDS instance. If so, the evaluation result is compliant. To reduce exposure to attacks, we recommend that you do not configure direct access to RDS instances in production environments over the Internet. |
| MFA enabled for RAM users | Checks whether MFA is enabled in the logon settings of each RAM user for which console access is enabled. If so, the evaluation result is compliant. |
| No AccessKey for the root account | Checks whether no AccessKey pair exists for the Alibaba Cloud account. If so, the evaluation result is compliant. |
| Enable MFA for the Alibaba Cloud account | Checks whether multi-factor authentication (MFA) is enabled for each Alibaba Cloud account. If so, the evaluation result is compliant. |
| Password policy compliance for RAM users | Checks whether the password policy settings that apply to each RAM user meet the specified values. If so, the evaluation result is compliant. |
| No super administrator access | Checks whether the Action element of the policies attached to each RAM user, RAM user group, and RAM role is not set to *. If so, the evaluation result is compliant. An asterisk (*) grants all actions, which is equivalent to super administrator permissions. |
| Do not grant policies directly to RAM users | Checks whether no policy is directly attached to each RAM user. If so, the evaluation result is compliant. We recommend that RAM users inherit permissions from RAM user groups or RAM roles. |
| Enable log storage for OSS buckets | Checks whether the logging feature is enabled for each Object Storage Service (OSS) bucket on the Logs page. If so, the evaluation result is compliant. |
| OSS bucket encryption with a custom KMS key | Checks whether a custom KMS key is used to encrypt the data of each OSS bucket. If so, the evaluation result is compliant. |
| SQL Audit should be enabled for RDS instances | Checks whether the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is compliant. |
| The SQL Audit log retention period for an RDS instance is compliant | Checks whether the SQL Explorer and Audit feature is enabled for each ApsaraDB RDS for MySQL instance and whether SQL audit logs are retained for at least the specified number of days. If so, the evaluation result is compliant. Default value: 180. Unit: days. |
| The PostgreSQL log_connections parameter is enabled | Checks whether the log_connections parameter of each ApsaraDB RDS for PostgreSQL database is set to on. If so, the evaluation result is compliant. |
| The PostgreSQL log_disconnections parameter is enabled | Checks whether the log_disconnections parameter of each ApsaraDB RDS for PostgreSQL database is set to on. If so, the evaluation result is compliant. |
| The log_duration parameter for PostgreSQL is enabled | Checks whether the log_duration parameter of each ApsaraDB RDS for PostgreSQL database is set to on. If so, the evaluation result is compliant. |
| Set an access policy to prohibit anonymous access to public OSS buckets | Checks whether each OSS bucket whose ACL allows public read or public read/write access has a bucket policy, and whether that policy grants no read or write permissions to anonymous accounts. If so, the evaluation result is compliant. This rule does not apply to OSS buckets whose ACL is private. |
| Set an access policy for an OSS bucket to enforce secure access | Checks whether the bucket policy of each OSS bucket allows read and write access only over HTTPS and denies access over HTTP. If so, the evaluation result is compliant. This rule does not apply to OSS buckets that do not have a bucket policy. |
| Setting IP restrictions in an OSS bucket authorization policy | Checks whether the ACL of each OSS bucket is private or the bucket policy of the bucket includes an IP address whitelist. If so, the evaluation result is compliant. |
| OSS buckets must not have public-read-write ACLs | Checks whether the bucket policy of each OSS bucket denies read and write access from the Internet. If so, the evaluation result is compliant. |
| Public-read access is prohibited for OSS buckets | Checks whether the bucket policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is compliant. |
| All ECS instances in the account have the Security Center agent installed | Checks whether the Security Center agent is installed on each ECS instance that belongs to the current account. If so, the evaluation result is compliant. |
| All ECS instance vulnerabilities are remediated | Checks whether the vulnerabilities that Security Center identifies on each ECS instance are fixed. If so, the evaluation result is compliant. |
| Route configured for a secondary VPC CIDR block | Checks whether the route table of each VPC contains at least one route entry for the IP addresses of each custom (secondary) CIDR block of the VPC. If so, the evaluation result is compliant. |
| RAM user last logon within a specified period | Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is compliant. A RAM user that has been updated within the last 90 days is also compliant, regardless of whether the user has recently logged on. This rule does not apply to RAM users for which console access is disabled. |
| Rotate RAM user AccessKeys within a specified period | Checks whether the AccessKey pair of each RAM user was created no earlier than the specified number of days before the check time, that is, whether the AccessKey pair has been rotated within that period. If so, the evaluation result is compliant. Default value: 90. Unit: days. |
| VPC flow logs should be enabled | Checks whether the flow log feature is enabled for each virtual private cloud (VPC). If so, the evaluation result is compliant. |
| TDE enabled for RDS instances | Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is compliant. |
| RDS instances have SSL encryption enabled | Checks whether the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is compliant. |
| Enable a full trail in ActionTrail | Checks whether an active trail exists in ActionTrail that tracks events of all types in all regions. If so, the evaluation result is compliant. For a resource directory, checks whether the administrator has created a trail that applies to all member accounts. If so, the evaluation result is compliant. |
| WAF instance logging is enabled | Checks whether the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is compliant. |
| ACK clusters should use the Terway network plugin | Checks whether each Container Service for Kubernetes (ACK) cluster uses the Terway network plug-in. If so, the evaluation result is compliant. |
| The ACK cluster endpoint has no public network connection | Checks whether a public endpoint is configured for the API server of each ACK cluster. If not, the evaluation result is compliant. |
| Deploy the CloudMonitor agent to ACK cluster nodes | Checks whether the CloudMonitor agent is installed and running as expected on all nodes of each ACK cluster. If so, the evaluation result is compliant. |
| A notification method is set for Security Center | Checks whether a notification method is specified for each notification item of Security Center. If so, the evaluation result is compliant. |
| Upgrade to Security Center Enterprise Edition | Checks whether Security Center Enterprise Edition or a more advanced edition is used. If so, the evaluation result is compliant. |
| Checks whether a security group allows unrestricted access to risky ports for a specified protocol | For each security group, checks the inbound rules whose source CIDR block is 0.0.0.0/0. If the port range of these rules for the specified protocol does not include the specified risky ports, the security group is compliant. If the source CIDR block of a rule is not 0.0.0.0/0, the security group is compliant even if the port range of that rule includes the specified risky ports. If a detected risky port is denied by a higher-priority rule, the security group is also compliant. This rule does not apply to security groups that are used by Alibaba Cloud services or virtual operators. |
| Enable Security Center protection on running ECS instances | The Security Center agent helps protect ECS instances. Checks whether the Security Center agent is installed on each ECS instance. If so, the evaluation result is compliant. This rule does not apply to ECS instances that are not running. |
| Set the severity level for Security Center vulnerability scans | Checks whether a vulnerability scan for risks of the specified level is configured in the Security Center console. If so, the evaluation result is compliant. |
| RDS instances have TDE enabled with custom keys | Checks whether a custom key is used to enable TDE for each ApsaraDB RDS instance. If so, the evaluation result is compliant. |
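The risky-port rule above combines three conditions (an unrestricted 0.0.0.0/0 source, a port range that covers the port, and an overriding higher-priority deny). The following Python evaluator is added here as an illustration and is not Cloud Config's own code; the rule model (priority 1 is the highest, `accept`/`drop` policies, a `service_managed` flag for out-of-scope groups) and the choice not to treat an equal-priority drop as a deny are assumptions.

```python
from ipaddress import ip_network

# Constructed sample (not from the page): inbound rules of one security group.
# Priority 1 is the highest; lower numbers win. policy is "accept" or "drop".
SAMPLE_GROUP = {
    "service_managed": False,  # the rule does not apply to groups used by cloud services
    "rules": [
        {"priority": 1,   "policy": "drop",   "protocol": "tcp", "ports": (22, 22),       "source": "0.0.0.0/0"},
        {"priority": 100, "policy": "accept", "protocol": "tcp", "ports": (1, 65535),    "source": "0.0.0.0/0"},
        {"priority": 100, "policy": "accept", "protocol": "tcp", "ports": (3389, 3389),  "source": "10.0.0.0/8"},
    ],
}
ANYWHERE = ip_network("0.0.0.0/0")

def _matches(rule, protocol, port):
    low, high = rule["ports"]
    return rule["protocol"] == protocol and low <= port <= high

def _unrestricted(rule):
    return ip_network(rule["source"], strict=False) == ANYWHERE

def exposed_risky_ports(rules, protocol, risky_ports):
    """Risky ports reachable from 0.0.0.0/0 after applying the three conditions in the rule text."""
    exposed = []
    for port in sorted(risky_ports):
        # Condition 2: only accept rules whose source is 0.0.0.0/0 can expose a port;
        # a rule with a narrower source never makes the group non-compliant.
        accepts = [r for r in rules
                   if r["policy"] == "accept" and _unrestricted(r) and _matches(r, protocol, port)]
        if not accepts:
            continue  # Condition 1: no unrestricted port range includes this port
        strongest_accept = min(r["priority"] for r in accepts)
        # Condition 3: a higher-priority drop rule that also covers 0.0.0.0/0 neutralises the exposure.
        # Assumption: a drop rule with the same priority as the accept is not counted as a deny here.
        denied = any(r["policy"] == "drop" and r["priority"] < strongest_accept
                     and _unrestricted(r) and _matches(r, protocol, port) for r in rules)
        if not denied:
            exposed.append(port)
    return exposed

def evaluate(group, protocol, risky_ports):
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one security group."""
    if group.get("service_managed"):
        return "NOT_APPLICABLE"
    return "NON_COMPLIANT" if exposed_risky_ports(group["rules"], protocol, risky_ports) else "COMPLIANT"

if __name__ == "__main__":
    print(exposed_risky_ports(SAMPLE_GROUP["rules"], "tcp", [22, 445, 3389]))  # [445, 3389]
    print(evaluate(SAMPLE_GROUP, "tcp", [22, 445, 3389]))  # NON_COMPLIANT
```

Port 22 is covered by the catch-all accept but neutralised by the priority-1 drop, while the 3389 rule scoped to 10.0.0.0/8 is harmless on its own; the group is non-compliant only because the catch-all 0.0.0.0/0 accept still exposes 445 and 3389.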
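The three OSS bucket-policy rules above (prohibit anonymous access, enforce secure access, IP restrictions) can be checked offline against a policy document. This Python example is added here and is not Cloud Config's own code; it assumes the bucket policy condition keys `acs:SecureTransport` and `acs:SourceIp`, and simplifies the anonymous-access rule to "an Allow for Principal `*` that carries no Condition at all".

```python
import json

# Constructed OSS bucket policy (sample input, not from the page). Assumed condition keys:
# acs:SecureTransport (Bool) and acs:SourceIp (IpAddress), as used in OSS bucket policies.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
         "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}},
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:example-bucket/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
    ],
})

def _statements(policy_json):
    return json.loads(policy_json).get("Statement", [])

def _anonymous(stmt):
    # Principal "*" means any requester, including unauthenticated (anonymous) ones.
    principals = stmt.get("Principal", [])
    return "*" in ([principals] if isinstance(principals, str) else principals)

def denies_http(policy_json):
    """'Enforce secure access': a Deny for all requesters when acs:SecureTransport is false."""
    for s in _statements(policy_json):
        transport = s.get("Condition", {}).get("Bool", {}).get("acs:SecureTransport", [])
        if s.get("Effect") == "Deny" and _anonymous(s) and "false" in [str(v).lower() for v in transport]:
            return True
    return False

def unconditional_anonymous_grants(policy_json):
    """'Prohibit anonymous access' (simplified): Allow statements for "*" with no Condition at all."""
    return [s["Action"] for s in _statements(policy_json)
            if s.get("Effect") == "Allow" and _anonymous(s) and not s.get("Condition")]

def ip_restricted(policy_json):
    """'IP restrictions': every Allow for "*" carries an acs:SourceIp whitelist."""
    allows = [s for s in _statements(policy_json) if s.get("Effect") == "Allow" and _anonymous(s)]
    return bool(allows) and all(s.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp") for s in allows)

def evaluate_bucket(acl, policy_json):
    """Apply the scoping in the rule text: no policy -> HTTPS rule not applicable; private ACL ->
    anonymous-access rule not applicable; a private ACL alone satisfies the IP-restriction rule."""
    no_policy = policy_json is None
    return {
        "secure_access": "NOT_APPLICABLE" if no_policy else ("COMPLIANT" if denies_http(policy_json) else "NON_COMPLIANT"),
        "anonymous_access": "NOT_APPLICABLE" if acl == "private" else
            ("COMPLIANT" if not no_policy and not unconditional_anonymous_grants(policy_json) else "NON_COMPLIANT"),
        "ip_restriction": "COMPLIANT" if acl == "private" or (not no_policy and ip_restricted(policy_json)) else "NON_COMPLIANT",
    }
```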