Compliance packages dynamically and continuously monitor the compliance of your resources and notify you of non-compliant resources at the earliest opportunity. This topic describes the check items of the 24 compliance packages that are provided by Cloud Config.
BestPracticesForNetworkAndDataSecurity
The BestPracticesForNetworkAndDataSecurity compliance package performs a full-scale check from multiple aspects, such as network architecture and data security, to ensure that systems and data are properly configured and protected. Resources that meet its requirements are exposed to fewer network attack and data leak risks.
The following table describes the check items of the BestPracticesForNetworkAndDataSecurity compliance package.
| Item | Description |
| --- | --- |
| Account | The compliance package checks the passwords set for and permission policies attached to Alibaba Cloud accounts and Resource Access Management (RAM) users. |
| Network | The compliance package checks the network ownership, security group configurations, traffic monitoring configurations, and whether ports are open for instances. |
| Instance | The compliance package checks the details of disk encryption, system updates, and endpoint protection, and whether ports are open for instances. |
| Object Storage Service (OSS) bucket | The compliance package checks the configurations of read and write permissions, secure transmission, and content encryption for OSS buckets. |
| Database | The compliance package checks the connection types, data encryption configurations, and audit configurations of databases. |
ClassifiedProtectionPreCheck
The ClassifiedProtectionPreCheck compliance package dynamically and continuously monitors your resources to check whether the resources are compliant with Multi-Level Protection Scheme (MLPS) 2.0 Level 3. This allows you to perform self-service checks to pass the compliance evaluation of classified protection. For more information about MLPS 2.0, see What is MLPS 2.0?
The following table describes the check items of the ClassifiedProtectionPreCheck compliance package.
| Item | Description |
| --- | --- |
| Network type | The compliance package checks whether the network types of Elastic Compute Service (ECS) instances and database instances are virtual private clouds (VPCs). If an instance resides in a VPC, and the VPC is included in the expected value of the relevant rule parameter, the instance configuration is considered compliant. |
| Protection configurations | The compliance package checks whether the IP address whitelists of ECS instances and database instances are set to 0.0.0.0/0 and whether encryption is enabled for each ECS data disk. |
| OSS bucket | The compliance package checks whether OSS buckets are accessed in read-only mode and whether zone-redundant storage and server-side encryption by using OSS-managed keys are enabled. |
| Bandwidth | The compliance package checks whether the bandwidths of Server Load Balancer (SLB) instances and elastic IP addresses reach the specified lower limits. |
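The pass/fail logic behind the ClassifiedProtectionPreCheck items above (the same whitelist and VPC logic also applies to the BestPracticesForDataBase items later on this page), as an added Python example that is not Cloud Config's own code. The record field names, the allowed VPC set, the bandwidth lower limit, and the reading of "read-only" as an ACL without public write are assumptions made for this example.

```python
ALLOWED_VPCS = {"vpc-example-a", "vpc-example-b"}  # expected value of the VPC rule parameter (assumed)
MIN_BANDWIDTH_MBPS = 10                             # specified bandwidth lower limit (assumed)

def check_network_type(vpc_id):
    """Compliant only if the instance resides in a VPC that is in the expected list."""
    return vpc_id is not None and vpc_id in ALLOWED_VPCS

def check_whitelist(whitelist):
    """A whitelist entry of 0.0.0.0/0 admits every source address, so it is non-compliant."""
    return "0.0.0.0/0" not in whitelist

def check_data_disk_encryption(disks):
    """Every data disk must be encrypted; the system disk is outside this item
    (vacuously compliant when the instance has no data disks)."""
    return all(d["encrypted"] for d in disks if d["type"] == "data")

def check_oss_bucket(bucket):
    """Read-only access (assumed: an ACL without public write), zone-redundant
    storage, and OSS-managed server-side encryption (assumed value "AES256")."""
    return {
        "read_only": bucket["acl"] in ("private", "public-read"),
        "zrs": bucket["zrs"],
        "sse_oss_managed": bucket["sse"] == "AES256",
    }

def check_bandwidth(mbps):
    """SLB or EIP bandwidth must reach the specified lower limit."""
    return mbps >= MIN_BANDWIDTH_MBPS

def evaluate_ecs(instance):
    """Apply the ECS-side items (network type, whitelist, disk encryption) to one record."""
    return {
        "network_type": check_network_type(instance["vpc_id"]),
        "whitelist": check_whitelist(instance["whitelist"]),
        "disk_encryption": check_data_disk_encryption(instance["disks"]),
    }

# Constructed sample records (not real resources): the ECS instance fails only on its whitelist.
ECS_SAMPLE = {
    "vpc_id": "vpc-example-a",
    "whitelist": ["10.0.0.0/8", "0.0.0.0/0"],
    "disks": [{"type": "system", "encrypted": False}, {"type": "data", "encrypted": True}],
}
BUCKET_SAMPLE = {"acl": "public-read-write", "zrs": True, "sse": "AES256"}

if __name__ == "__main__":
    print(evaluate_ecs(ECS_SAMPLE), check_oss_bucket(BUCKET_SAMPLE), check_bandwidth(5))
```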
BestPracticesForOSS
Many customers store important business data in OSS buckets. If bucket configurations do not meet security protection requirements, business risks such as data leaks or data loss may follow. The BestPracticesForOSS compliance package dynamically and continuously monitors the compliance of your OSS buckets and notifies you of non-compliance at the earliest opportunity.
The following table describes the check items of the BestPracticesForOSS compliance package.
| Item | Description |
| --- | --- |
| Read and write permissions | The compliance package checks whether the access control lists (ACLs) of OSS buckets are set to public-read or public-read-write. |
| Protection configurations | The compliance package checks whether object encryption and hotlink protection are enabled for OSS buckets. This helps improve data security. |
| Zone-redundant storage | The compliance package checks whether zone-redundant storage is enabled for OSS buckets. |
BestPracticesForLoadBalancer
The BestPracticesForLoadBalancer compliance package checks whether the following items are exposed to risks: public network and whitelist settings of Classic Load Balancer (CLB) and Application Load Balancer (ALB) instances, cross-zone disaster recovery capabilities, instance renewal and expiration, and change management.
The following table describes the check items of the BestPracticesForLoadBalancer compliance package.
| Item | Description |
| --- | --- |
| Resource quotas of workloads | The compliance package checks the resource quotas of workloads to ensure service continuity. If the resource quotas of workloads cannot reach the lower limits required by business peaks, the service may be interrupted during peak hours. |
| Network architecture | The compliance package checks the network architecture to ensure business isolation from the Internet. If network configurations are inappropriate, the business system may be exposed to the Internet, and attacks over the Internet or data leaks may occur. |
| Real-time monitoring | The compliance package checks whether real-time monitoring is enabled for networks to ensure that network errors can be identified at the earliest opportunity. This prevents potential business risks. |
ResourceProtectionOnBestPractices
The ResourceProtectionOnBestPractices compliance package checks whether protection features are enabled for Alibaba Cloud services such as ECS and ApsaraDB RDS.
The following table describes the check items of the ResourceProtectionOnBestPractices compliance package.
| Item | Description |
| --- | --- |
| Logon of Alibaba Cloud accounts or RAM users | The compliance package checks the validity periods of the passwords set for Alibaba Cloud accounts and RAM users and whether multi-factor authentication (MFA) is enabled for them. |
| Security configurations | The compliance package checks whether invalid RAM users, user groups, or permission policies exist, and whether key pairs are created for Alibaba Cloud accounts. |
| Authorization | The compliance package checks whether policies are attached to RAM users and whether full permissions on Alibaba Cloud services are granted. |
BestPracticesForIdentityAndPermissions
The BestPracticesForIdentityAndPermissions compliance package checks the settings and usage of AccessKey pairs, Alibaba Cloud accounts, and RAM users.
BestPracticesForDataBase
The BestPracticesForDataBase compliance package continuously checks the compliance of ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, and PolarDB instances in terms of encryption and access control. This helps prevent data leaks.
The following table describes the check items of the BestPracticesForDataBase compliance package.
| Item | Description |
| --- | --- |
| Validity period | The compliance package checks the validity periods of database instances. |
| Protection configurations | The compliance package checks whether release protection is enabled and whether IP address whitelists are set to 0.0.0.0/0 for database instances. |
| Network type | The compliance package checks whether the network types of database instances are VPCs and whether the specified VPCs are included in the expected value of the relevant rule parameter. |
BestPracticesForECS
The BestPracticesForECS compliance package continuously checks the compliance of ECS instances in terms of status, security configurations, protection configurations, and snapshot configurations. This prevents the risks of business interruption and out-of-control costs.
The following table describes the check items of the BestPracticesForECS compliance package.
| Item | Description |
| --- | --- |
| Status | The compliance package checks the status of ECS instances. |
| Security configurations | The compliance package checks the validity periods and security groups of ECS instances. |
| Protection configurations | The compliance package checks whether release protection and disk encryption are enabled for ECS instances. |
| Snapshot configurations | The compliance package checks whether automatic snapshot policies are configured, whether automatic locking is enabled, and whether the retention periods of automatic snapshots meet the requirements for the disks of ECS instances. |
RMiTComplianceCheck
The RMiTComplianceCheck compliance package checks the compliance of cloud IT systems based on the Risk Management in Technology (RMiT) framework for financial institutions in Malaysia.
The following table describes the check items of the RMiTComplianceCheck compliance package.
| Item | Description |
| --- | --- |
| Account | The compliance package checks the passwords, permission policies, and logons of RAM users, and whether MFA is enabled for the RAM users. |
| SLB instance | The compliance package checks whether release protection and HTTPS listeners are enabled for SLB instances, and whether the certificates issued by Alibaba Cloud are valid. |
| ECS instance | The compliance package checks whether the network types of ECS instances are VPCs, whether disk encryption is enabled for the ECS instances, and whether the ECS instances are bound to public IPv4 addresses. |
| OSS bucket | The compliance package checks whether server-side encryption by using Key Management Service (KMS), default server-side encryption, and log storage are enabled for OSS buckets. |
| ApsaraDB RDS instance | The compliance package checks whether historical event logging and transparent data encryption (TDE) are enabled for ApsaraDB RDS instances and whether the instances support multi-zone deployment. |
| ActionTrail trail | The compliance package checks whether an enabled ActionTrail trail exists and whether the trail records all types of event logs. |
GovernanceCenterCompliancePractices
By using the GovernanceCenterCompliancePractices compliance package, you can configure and enable rules for all member accounts of your resource directory in a centralized manner in the Cloud Governance Center console. This prevents the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center from being modified. This also ensures the security of the multi-account environment.
BestPracticesForSecurityGroups
The BestPracticesForSecurityGroups compliance package continuously monitors the compliance of your security groups based on security group rules. This reduces security risks.
BestPracticesForOceanBase
The BestPracticesForOceanBase compliance package continuously monitors the compliance of your OceanBase resources based on the BestPracticesForSecurityGroups compliance package.
BestPracticesForResourceStability
The BestPracticesForResourceStability compliance package monitors the stability of cloud resources from the following six dimensions: high-availability infrastructure, capacity protection, change management, monitoring management, backup management, and fault isolation. This helps you detect risks at the earliest opportunity and improve the stability and O&M efficiency of your cloud resources.
PCIDSSDataSecurityStandard
Compliance packages that are created from the PCIDSSDataSecurityStandard template are based on the Payment Card Industry Data Security Standard (PCI DSS) V4.0 baseline for protecting account data. They provide suggestions and compliance checks based on how cloud resources are used and managed.
GxPComplianceCheckForEU11
The GxP EU Annex 11 guidelines apply to computerized systems used in the European Union (EU), especially those used by enterprises and organizations in the pharmacy, biotechnology, and medical device industries. Based on the Annex 11 baseline standards for account data protection, the GxPComplianceCheckForEU11 compliance package provides optional compliance evaluation of resource usage and control in the cloud.
BestPracticeForMultiZoneArchitecture
A workload that uses a multi-zone architecture provides high data reliability. If the primary zone fails, the system can immediately restore your business.
BestPracticesForInternetAccess
To meet the requirements for Internet security, costs, permissions, and monitoring, the IT management team of an enterprise always deploys secure Internet egress in a centralized manner. This prevents unrestricted Internet access from being enabled for Alibaba Cloud resources and reduces the security risks of cyber attacks and data leaks.
BestPracticeForIdleResourceDetection
You can use a compliance package that is created from the BestPracticeForIdleResourceDetection template to check whether the purchased resources of Alibaba Cloud services are idle. The Alibaba Cloud services include Elastic IP Address (EIP), Internet Shared Bandwidth, VPC, and VPN Gateway. Resources that are purchased but not used are wasted. We recommend that you identify idle resources and use them at the earliest opportunity.
CNGMPComplianceCheck
Enterprises and organizations that use computerized systems in the pharmaceutical manufacturing industry must comply with the guidelines on computerized systems in the Good Manufacturing Practice (GMP) for Drugs standard when cloud services are used.
BestPracticesForWAFSecurityPillar
The security pillars of the Alibaba Cloud Well-Architected Framework help you regulate and implement security from all aspects, such as network, identity, host, and data, and continuously detect and respond to threats.
BestPracticesForChangeManagement
The best practices for change management help you check the stability of cloud resources from the perspective of change management. This helps identify potential risks in advance and improve stability and O&M efficiency.
BestPracticesForResourceExpirationReminders
The best practices for sending resource expiration reminders help you check the stability of cloud resources from the perspective of resource expiration risks. This helps identify potential risks in advance and improve stability and O&M efficiency.
BestPracticesForEnablingResourceBackup
The best practices for enabling resource backup help you check whether the resource backup feature is enabled for cloud services such as ApsaraDB for Redis, PolarDB, and ApsaraDB RDS. If this feature is not enabled, we recommend that you identify this issue and manage the feature at the earliest opportunity.
BestPracticesForRedis
The best practices for ApsaraDB for Redis help you check whether each ApsaraDB for Redis instance meets the requirements and whether the following items are exposed to risks: settings of audit logs, public networks, and whitelists, cross-zone disaster recovery capabilities, instance renewal and expiration, and change management. This ensures that you can use ApsaraDB for Redis as expected and ensures system stability and security.