Checks the compliance of Alibaba Cloud resources based on the specific requirements of Multi-Level Protection Scheme (MLPS) 2.0 Level 2. A compliance package template provides a common framework that is used to create compliance packages. You can specify input parameters of rules and configure remediation settings based on a compliance package template to create a compliance package that meets your business requirements. A Compliant evaluation result indicates only that the resources pass the rules in the compliance package; it does not mean that the resources comply with legal requirements, regulations, and industry standards.
| Rule name | Code | Code description | Rule description |
| --- | --- | --- | --- |
| eip-bandwidth-limit | 7.1.2.1 | b) Make sure that the bandwidth of each network component meets your requirements during peak hours. | Checks whether the available bandwidth of each elastic IP address (EIP) is greater than or equal to a specified value. If so, the evaluation result is Compliant. Default value: 10. Unit: MB. |
| slb-loadbalancer-bandwidth-limit | 7.1.2.1 | b) Make sure that the bandwidth of each network component meets your requirements during peak hours. | Checks whether the available bandwidth of each Server Load Balancer (SLB) instance is greater than or equal to the specified value. If so, the evaluation result is Compliant. Default value: 10. Unit: MB. |
| cen-cross-region-bandwidth-check | 7.1.2.1 | b) Make sure that the bandwidth of each network component meets your requirements during peak hours. | Checks whether the bandwidth that is allocated to the inter-region connections of each Cloud Enterprise Network (CEN) instance is greater than a specified value. If so, the evaluation result is Compliant. Default value: 1. Unit: Mbit/s. |
| natgateway-snat-eip-bandwidth-check | 7.1.2.1 | b) Make sure that the bandwidth of each network component meets your requirements during peak hours. | Checks whether multiple EIPs associated with each SNAT entry of a NAT gateway are added to an EIP bandwidth plan, or the specified maximum bandwidth of these EIPs is the same. If so, the evaluation result is Compliant. This rule does not apply to Virtual Private Cloud (VPC) NAT gateways. |
| oss-bucket-policy-no-any-anonymous | 7.1.3.1 | a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices. | Checks whether read and write permissions are granted to each anonymous account. If not, the evaluation result is Compliant. If no policies are specified for Object Storage Service (OSS) buckets, the evaluation result is Compliant. |
| sg-public-access-check | 7.1.3.1 | a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices. | Checks whether the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, or an authorization policy with a higher priority is configured. If so, the evaluation result is Compliant. This rule does not apply to the security groups that are used by cloud services or virtual network operators. |
| rds-public-connection-and-any-ip-access-check | 7.1.3.1 | a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices. | Checks whether a public IP address is used for the ApsaraDB RDS instance within your account or whether the whitelist is not enabled for all source IP addresses. If so, the evaluation result is Compliant. |
| redis-instance-open-auth-mode | 7.1.3.1 | a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices. | Checks whether the password-based authentication feature is enabled for each ApsaraDB for Redis instance in your VPCs. If so, the evaluation result is Compliant. |
| cr-instance-any-ip-access-check | 7.1.3.1 | a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices. | Checks whether 0.0.0.0/0 is added to the IP address whitelist of each Container Registry instance. If not, the evaluation result is Compliant. This rule applies to Container Registry Enterprise Edition instances. |
| elasticsearch-public-and-any-ip-access-check | 7.1.3.1 | a) Allow only cross-border access requests and data packets transmitted over the controlled interfaces of border devices. | Checks whether each Elasticsearch cluster denies access from public networks or does not allow access from all IP addresses. If so, the evaluation result is Compliant. |
| sg-risky-ports-check | 7.1.3.2 | a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules. | Checks whether 0.0.0.0/0 is specified as the authorization object in inbound rules of each security group and the selected ports do not contain risky ports. If so, the evaluation result is Compliant. If 0.0.0.0/0 is not specified as the authorization object in inbound rules of each security group, the evaluation result is Compliant regardless of whether the selected ports contain risky ports. If a high-risk port is denied by an authorization policy with a higher priority, the configuration is considered compliant. This rule does not apply to the security groups that are used by cloud services or virtual network operators. |
| nat-risk-ports-check | 7.1.3.2 | a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules. | Checks whether the specified high-risk ports are mapped by using the DNAT entries of NAT Gateway. |
| vpc-network-acl-risky-ports-check | 7.1.3.2 | a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules. | Checks whether the destination IP address specified in the inbound rule for VPC access control is set to 0.0.0.0/0 and the specified port range does not contain a high-risk port. If so, the evaluation result is Compliant. |
| slb-all-listener-enabled-acl | 7.1.3.2 | a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules. | Checks whether the access control feature is configured for the listeners of each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no listeners are configured. |
| alb-all-listener-enabled-acl | 7.1.3.2 | a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules. | Checks whether the access control feature is enabled for all listeners of each ALB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no listeners are configured. |
| slb-acl-public-access-check | 7.1.3.2 | a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules. | Checks whether the ACL of each SLB instance does not include 0.0.0.0/0. If so, the evaluation result is Compliant. |
| oss-authorization-policy-ip-limit-enabled | 7.1.3.2 | a) Configure access control rules at network borders or between network zones based on access control policies. Managed interfaces allow only communication requests that comply with the rules. | Checks whether the read or write permission of OSS buckets is set to private or the authorization policies of OSS buckets include specific IP whitelists. If so, the evaluation result is Compliant. |
| use-ddos-instance-for-security-protection | 7.1.3.3 | Network attacks should be monitored at critical network nodes. | Checks whether Anti-DDoS is used to prevent DDoS attacks. If so, the evaluation result is Compliant. |
| use-cloud-fire-wall-for-security-protection | 7.1.3.3 | Network attacks should be monitored at critical network nodes. | Checks whether Cloud Firewall is used to protect your network boundary. If so, the evaluation result is Compliant. |
| security-center-version-check | 7.1.3.4 | Check whether your system can detect and remove malicious code on critical network nodes and whether your system can update the malicious code prevention mechanism in a timely manner. | Checks whether Security Center of Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant. |
| security-center-defense-config-check | 7.1.3.4 | Check whether your system can detect and remove malicious code on critical network nodes and whether your system can update the malicious code prevention mechanism in a timely manner. | Checks whether a proactive defense of a specified type is enabled in the Security Center console. If so, the evaluation result is Compliant. |
| waf3-instance-enabled-specified-defense-rules | 7.1.3.4 | Check whether your system can detect and remove malicious code on critical network nodes and whether your system can update the malicious code prevention mechanism in a timely manner. | Checks whether rules for the specified protection scenario are enabled for a WAF 3.0 instance. If so, the evaluation result is Compliant. |
| use-waf-instance-for-security-protection | 7.1.3.4 | Check whether your system can detect and remove malicious code on critical network nodes and whether your system can update the malicious code prevention mechanism in a timely manner. | Checks whether Web Application Firewall (WAF) is used to protect your website or application. If so, the evaluation result is Compliant. |
| actiontrail-trail-intact-enabled | 7.1.3.5, 7.1.4.3 | 7.1.3.5 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. 7.1.4.3 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. | Checks whether an active trail exists in ActionTrail and events of all types that are generated in all regions are tracked. If so, the evaluation result is Compliant. If the administrator of a resource directory has created a trail that applies to all members, the evaluation result is Compliant. |
| rds-instance-enabled-auditing | 7.1.3.5, 7.1.4.3 | 7.1.3.5 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. 7.1.4.3 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. | Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. |
| adb-cluster-audit-log-enabled | 7.1.3.5, 7.1.4.3 | 7.1.3.5 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. 7.1.4.3 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. | Checks whether the SQL explorer and audit feature is enabled for each AnalyticDB for MySQL cluster. If so, the evaluation result is Compliant. |
| vpc-flow-logs-enabled | 7.1.3.5, 7.1.4.3 | 7.1.3.5 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. 7.1.4.3 b) Provide the event date, event time, user, event type, whether the event is successful, and other information relevant to the audit in the audit record. | Checks whether the flow log feature is enabled for each VPC. If so, the evaluation result is Compliant. |
| ram-password-policy-check | 7.1.4.1 | b) Handle logon failures, and configure relevant features to automatically close sessions, limit logon abuse, and log out when sessions time out. | Checks whether the settings of password policies configured for each RAM user meet the specified values. If so, the evaluation result is Compliant. |
| ram-user-last-login-expired-check | 7.1.4.2 | c) Delete or disable redundant and expired accounts, and disable shared accounts. d) Apply the principle of least privilege to administrators to ensure privilege separation. | Checks whether each RAM user logged on to the system at least once within the previous 90 days. If so, the evaluation result is Compliant. If a RAM user was updated within the previous 90 days, the evaluation result is considered compliant regardless of whether the RAM user recently logged on to the system. The rule does not apply to the RAM users for which console access is disabled. |
| ram-policy-in-use-check | 7.1.4.2 | c) Delete or disable redundant and expired accounts, and disable shared accounts. d) Apply the principle of least privilege to administrators to ensure privilege separation. | Checks whether a policy is attached to at least one RAM user group, RAM role, or RAM user. If so, the evaluation result is Compliant. |
| ram-group-has-member-check | 7.1.4.2 | c) Delete or disable redundant and expired accounts, and disable shared accounts. d) Apply the principle of least privilege to administrators to ensure privilege separation. | Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant. |
| ram-user-no-policy-check | 7.1.4.2 | c) Delete or disable redundant and expired accounts, and disable shared accounts. d) Apply the principle of least privilege to administrators to ensure privilege separation. | Checks whether a policy is attached to each RAM user. If so, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or roles. |
| ram-user-ak-used-expired-check | 7.1.4.2 | c) Delete or disable redundant and expired accounts, and disable shared accounts. d) Apply the principle of least privilege to administrators to ensure privilege separation. | Checks whether the duration between the date when the AccessKey pair of each RAM user was last used and the current date is less than a specified number of days. If so, the evaluation result is Compliant. Default value: 90. Unit: days. |
| ram-policy-no-statements-with-admin-access-check | 7.1.4.2 | c) Delete or disable redundant and expired accounts, and disable shared accounts. d) Apply the principle of least privilege to administrators to ensure privilege separation. | Checks whether the Action and Resource parameters of each RAM user, RAM user group, and RAM role are not set to *. If so, the evaluation result is Compliant. An asterisk (*) indicates the super administrator permissions. |
| ram-user-login-check | 7.1.4.2 | c) Delete or disable redundant and expired accounts, and disable shared accounts. d) Apply the principle of least privilege to administrators to ensure privilege separation. | Checks whether one of the console access and API access features is enabled for each RAM user. If so, the evaluation result is Compliant. |
| ecs-instance-enabled-security-protection | 7.1.4.4 | e) Detect possible known vulnerabilities, and fix the vulnerabilities after full testing and evaluation. | Allows you to install a CloudMonitor agent on an instance to provide security protection services. Checks whether a Security Center agent is installed on each ECS instance. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. |
| ecs-instance-updated-security-vul | 7.1.4.4 | e) Detect possible known vulnerabilities, and fix the vulnerabilities after full testing and evaluation. | Checks whether unfixed vulnerabilities of a specified type or a specified level are detected by Security Center on an ECS instance. This rule does not apply to ECS instances that are not running. |
| ecs-disk-auto-snapshot-policy | 7.1.4.8 | a) Provide the required features to back up and restore important local data. b) Provide the required features to back up important data to a remote destination site in real time over communication networks. | Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant. This rule does not apply to disks that are not in use, disks that do not support automatic snapshot policies, and non-persistent disks that are attached to the ACK cluster. |
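The sg-risky-ports-check row above describes a three-part decision: only inbound rules whose authorization object is 0.0.0.0/0 count, a port is a finding only if a risky port falls inside the rule's port range, and a higher-priority Deny on the same port overrides the Allow. The following Python is an added example that reproduces that decision locally on exported rule data; it is not Cloud Config's own implementation. The rule dictionary layout (`direction`, `policy`, `priority`, `source`, `port_range`), the risky-port set and the sample rules are assumptions constructed for the example; the priority convention (a smaller number is a higher priority) follows Alibaba Cloud security groups, and Deny winning a priority tie is an assumption.

```python
from typing import Iterable

# Constructed set of ports treated as high-risk when reachable from 0.0.0.0/0.
# The page's rule takes this list as an input parameter; the set here is an
# assumption for the example only.
RISKY_PORTS = frozenset({22, 3389, 3306, 6379})
ANY_IPV4 = "0.0.0.0/0"


def parse_port_range(port_range: str) -> tuple[int, int]:
    """Parse the 'start/end' port range form used by security group rules.

    '-1/-1' is the all-ports form named in the sg-public-access-check row;
    it is mapped to the full 1-65535 range here.
    """
    start, end = (int(p) for p in port_range.split("/"))
    if (start, end) == (-1, -1):
        return 1, 65535
    return start, end


def rule_covers_port(rule: dict, port: int) -> bool:
    start, end = parse_port_range(rule["port_range"])
    return start <= port <= end


def exposed_risky_ports(rules: Iterable[dict], risky_ports=RISKY_PORTS) -> set[int]:
    """Return the risky ports still reachable from 0.0.0.0/0 after priority resolution.

    Only inbound rules with source 0.0.0.0/0 are considered, so a group that
    opens risky ports to narrower sources only is compliant, as the rule
    description states. For each risky port the rule with the smallest
    priority number wins; on a tie a Drop rule is assumed to win.
    """
    inbound_any = [
        r for r in rules
        if r["direction"] == "ingress" and r["source"] == ANY_IPV4
    ]
    exposed: set[int] = set()
    for port in risky_ports:
        matching = [r for r in inbound_any if rule_covers_port(r, port)]
        if not matching:
            continue
        best = min(r["priority"] for r in matching)
        winners = [r for r in matching if r["priority"] == best]
        if all(r["policy"] == "accept" for r in winners):
            exposed.add(port)
    return exposed


def evaluate_security_group(rules: Iterable[dict], risky_ports=RISKY_PORTS) -> str:
    """Return the result in the Compliant / NonCompliant vocabulary of the table."""
    return "Compliant" if not exposed_risky_ports(list(rules), risky_ports) else "NonCompliant"


# Constructed sample rule set: 22 is open to the world, 3389 is opened at
# priority 10 but dropped by a priority-1 rule, everything else is only
# reachable from a private CIDR.
SAMPLE_RULES = [
    {"direction": "ingress", "policy": "accept", "priority": 1, "source": ANY_IPV4, "port_range": "443/443"},
    {"direction": "ingress", "policy": "accept", "priority": 1, "source": ANY_IPV4, "port_range": "22/22"},
    {"direction": "ingress", "policy": "drop", "priority": 1, "source": ANY_IPV4, "port_range": "3389/3389"},
    {"direction": "ingress", "policy": "accept", "priority": 10, "source": ANY_IPV4, "port_range": "3389/3389"},
    {"direction": "ingress", "policy": "accept", "priority": 100, "source": "10.0.0.0/8", "port_range": "-1/-1"},
]

if __name__ == "__main__":
    print(sorted(exposed_risky_ports(SAMPLE_RULES)), evaluate_security_group(SAMPLE_RULES))
```

Running the sample reports port 22 as the only exposure and the group as NonCompliant; removing the 22/22 rule makes it Compliant, and adding a 0.0.0.0/0 accept rule with the -1/-1 range at priority 100 exposes every risky port except 3389, which the priority-1 Drop still blocks.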
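The ram-policy-no-statements-with-admin-access-check row states the condition in one sentence: a policy is non-compliant when a statement sets both Action and Resource to `*`. The Python below is an added example, not Cloud Config's code, that applies that condition to RAM policy documents in their JSON form. The two sample policy documents are constructed for the example; the check treats only Allow statements as grants, which is an assumption about how the rule reads a Deny statement.

```python
import json
from typing import Union


def _as_list(value: Union[str, list, None]) -> list:
    """RAM policy fields accept either a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def statement_grants_admin_access(statement: dict) -> bool:
    """True when an Allow statement sets both Action and Resource to '*'.

    'ecs:*' or 'acs:oss:*:*:bucket/*' are wildcards too, but the rule on the
    page is about the bare '*' that means super administrator permissions,
    so narrower wildcards are left alone here.
    """
    if statement.get("Effect") != "Allow":
        return False
    return ("*" in _as_list(statement.get("Action"))
            and "*" in _as_list(statement.get("Resource")))


def evaluate_policy_document(document: str) -> str:
    """Apply the ram-policy-no-statements-with-admin-access-check logic to one policy document."""
    policy = json.loads(document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if any(statement_grants_admin_access(s) for s in statements):
        return "NonCompliant"
    return "Compliant"


# Constructed sample documents in the RAM policy JSON format.
ADMIN_LIKE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
         "Resource": "acs:oss:*:*:example-bucket/*"},
        {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("admin-like", ADMIN_LIKE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, evaluate_policy_document(doc))
```

The scoped document is Compliant even though its second statement uses `Resource: "*"`, because its Action is narrowed to `ecs:Describe*`; only the pairing of `*` with `*` in an Allow statement triggers a finding.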