The default rules of the BestPracticesForNetworkAndDataSecurity compliance package template help you perform a full-scale check from multiple aspects, including the network architecture and data security. This ensures that the system and data are properly configured and protected and reduces network and data leak risks. This rule is created based on the requirements of CIS Benchmarks. This topic describes the default rules of the BestPracticesForNetworkAndDataSecurity compliance package template.
Rule name | Description |
Checks whether the encryption feature is enabled for each ECS data disk that is in use. If so, the evaluation result is Compliant. | |
Checks whether the network type of each ECS instance is set to VPC if you do not configure the vpcIds parameter. If so, the evaluation result is Compliant. Checks whether the virtual private cloud (VPC) where each ECS instance resides is the same as a specified VPC if you configure the vpcIds parameter. If so, the evaluation result is also Compliant. Separate multiple parameter values with commas (,). | |
Checks whether server-side encryption is enabled for each OSS bucket. If so, the evaluation result is Compliant. | |
Checks whether no public endpoint is configured for each RDS instance. If so, the evaluation result is Compliant. To prevent cyberattacks, we recommend that you do not configure direct access to RDS instances in production environments over the Internet. | |
Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant. | |
Checks whether an AccessKey pair is created for each Alibaba Cloud account. If not, the evaluation result is Compliant. | |
Checks whether multi-factor authentication (MFA) is enabled for each Alibaba Cloud account. If so, the evaluation result is Compliant. | |
Checks whether the settings of password policies that are configured for each RAM user meet specified values. If so, the evaluation result is Compliant. | |
Checks whether the Action parameter of each RAM user, RAM user group, and RAM role is not set to *. If so, the evaluation result is Compliant. An asterisk (*) specifies the super administrator permissions. | |
Checks whether a policy is attached to each RAM user. If so, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or roles. | |
Checks whether the logging feature is enabled for each Object Storage Service (OSS) bucket on the Logs page. If so, the evaluation result is Compliant. | |
Checks whether a custom KMS key is used to encrypt the data of each OSS bucket. If so, the evaluation result is Compliant. | |
Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. | |
Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS for MySQL instance and whether the number of days for which SQL audit logs can be retained is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 180. Unit: days. | |
Checks whether the log_connections parameter of each ApsaraDB RDS for PostgreSQL database is set to on. If so, the evaluation result is Compliant. | |
Checks whether the log_disconnections parameter of each ApsaraDB RDS for PostgreSQL database is set to on. If so, the evaluation result is Compliant. | |
Checks whether the log_duration parameter of each ApsaraDB RDS for PostgreSQL database is set to on. If so, the evaluation result is Compliant. | |
Checks whether an authorization policy is specified for each OSS bucket that allows public read and write access and no read/write permissions are granted to anonymous accounts in the authorization policy. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets on which the read/write permissions are private. | |
Checks whether the bucket policy of each OSS bucket allows read and write access over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets that do not have a bucket policy. | |
Checks whether the read/write permission of OSS buckets is set to private or the authorization policies of OSS buckets include specific IP whitelists. If so, the evaluation result is Compliant. | |
Checks whether the bucket policy of each OSS bucket denies read and write access from the Internet. If so, the evaluation result is Compliant. | |
Checks whether the bucket policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant. | |
Checks whether the Security Center agent is installed on each ECS instance that belongs to the current account. If so, the evaluation result is Compliant. | |
Checks whether the vulnerabilities that are identified by Security Center on each ECS instance are fixed. If so, the evaluation result is Compliant. | |
Checks whether at least one entry that contains the routing information about the IP addresses of each custom VPC CIDR block exists in the related route table. If so, the evaluation result is Compliant. | |
Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is Compliant. Checks whether a RAM user has been updated within the last 90 days. If so, the evaluation result is Compliant regardless of whether the RAM user has recently logged on. This rule does not apply to RAM users for which console access is disabled. | |
Checks whether the time when the AccessKey pair of each RAM user was created is earlier than the specified number of days before the check time. If so, the evaluation result is Compliant. Default value: 90. Unit: days. | |
Checks whether the flow log feature is enabled for each virtual private cloud (VPC). If so, the evaluation result is Compliant. | |
Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant. | |
Checks whether the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is compliant. | |
Checks whether an active trail exists in ActionTrail and the events of all types that are generated in all regions are tracked. If so, the evaluation result is compliant. Checks whether the administrator of each resource directory has created a trail that applies to all member accounts. If so, the evaluation result is Compliant. | |
Checks whether the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant. | |
Checks whether the Terway network plug-in is used on each ACK cluster. If so, the evaluation result is Compliant. | |
Checks whether a public endpoint is configured for the API server in each ACK cluster. If not, the evaluation result is Compliant. | |
Checks whether a CloudMonitor agent is installed on all nodes in each Container Service for Kubernetes (ACK) cluster and runs as expected. If so, the evaluation result is Compliant. | |
Checks whether a notification method is specified for each notification item of Security Center. If so, the evaluation result is compliant. | |
Checks whether Security Center Enterprise Edition or a more advanced edition is used. If so, the evaluation result is compliant. | |
Checks whether 0.0.0.0/0 is added to the IP address whitelist of each security group and risky ports are disabled. If so, the evaluation result is Compliant. Checks whether 0.0.0.0/0 is not added to the IP address whitelist of each security group. If so, the evaluation result is Compliant regardless of whether risky ports are disabled. Checks whether a risky port is denied by an authorization policy with a higher priority. If so, the evaluation result is Compliant. This rule does not apply to Alibaba Cloud services other than ECS or security groups that are used by virtual network operators (VNOs). | |
Security Center agents help protect the security of ECS instances. Checks whether a Security Center agent is installed on each ECS instance. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. | |
Checks whether a vulnerability scan for risks of a specified level is configured in the Security Center console. If so, the evaluation result is Compliant. | |
Checks whether a custom key is used to enable TDE for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. |