Cloud Config: GovernanceCenterCompliancePractices

Last Updated: Oct 11, 2023

The GovernanceCenterCompliancePractices compliance package continuously checks the security of multi-account environments. This topic describes the rules that are provided in the BestPracticesForAccountGovernance compliance package.

| Rule name | Description |
| --- | --- |
| oss-bucket-server-side-encryption-enabled | Checks whether the Encryption Method parameter of the server-side encryption feature is set to OSS-Managed for each Object Storage Service (OSS) bucket. If so, the evaluation result is Compliant. |
| oss-bucket-public-write-prohibited | Checks whether the access control list (ACL) policy of each OSS bucket denies read and write access from the Internet. If so, the evaluation result is Compliant. |
| oss-bucket-public-read-prohibited | Checks whether the ACL policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant. |
| root-ak-check | Checks whether an AccessKey pair is created for each Alibaba Cloud account. If not, the evaluation result is Compliant. |
| root-mfa-check | Checks whether multi-factor authentication (MFA) is enabled for the current Alibaba Cloud account. If so, the evaluation result is Compliant. |
| ecs-disk-encrypted | Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant. |
| sg-risky-ports-check | Checks whether a specified high-risk port exists in a specified port range when the Authorization Object parameter of each inbound rule in a security group is set to 0.0.0.0/0. If 0.0.0.0/0 is not added to the IP address whitelist of a security group, the evaluation result is Compliant regardless of whether high-risk ports are disabled. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| sg-public-access-check | Checks whether the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, or an authorization policy with a higher priority is configured. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| rds-instances-in-vpc | Checks whether the network type of each ApsaraDB RDS instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant. Checks whether the VPC where each ApsaraDB RDS instance resides is the same as a specified VPC when the vpcIds parameter is not configured. If so, the evaluation result is also Compliant. Separate multiple parameter values with commas (,). |
| rds-instance-enabled-tde | Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant. |
| rds-public-access-check | Checks whether no public endpoint is configured for each RDS instance. If so, the evaluation result is Compliant. To prevent cyberattacks, we recommend that you do not configure direct access to RDS instances in production environments over the Internet. |
| ram-password-policy-check | Checks whether the settings of password policies configured for each RAM user meet the specified values. If so, the evaluation result is Compliant. |
| ram-user-ak-used-expired-check | Checks whether the time when the AccessKey pair of each RAM user was used is earlier than the specified number of days before the current day. If so, the evaluation result is Compliant. Default value: 90. |
| ecs-instance-deletion-protection-enabled | Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant. |
| slb-delete-protection-enabled | Checks whether the release protection feature is enabled for each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant. |
| root-has-specified-role | Checks whether each Alibaba Cloud account assumes a specified role. If so, the evaluation result is Compliant. |
| ram-user-mfa-check | Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant. |
| slb-listener-https-enabled | Checks whether an HTTPS listener is enabled on the specified ports of each SLB instance. If so, the evaluation result is Compliant. If only a TCP or UDP listener is enabled on the specified ports of each SLB instance, the evaluation result is Not Applicable. |
| resource-region-limit | Checks whether each resource resides in a specified region. If so, the evaluation result is Compliant. |
| ram-user-last-login-expired-check | Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is Compliant. If a RAM user has been updated within the last 90 days, the evaluation result is Compliant regardless of whether the RAM user has recently logged on. For RAM users that have no console access, the evaluation result is Not Applicable. |
| contains-tag | Checks whether each resource has a specified key-value pair. If so, the evaluation result is Compliant. The keys and values are case-sensitive. You can use asterisks (*) and question marks (?) as wildcard characters. You can enter multiple values and separate them with commas (,). If one of the key-value pairs is matched, the evaluation result is Compliant. |
| required-tags | Checks whether all resources have a specified tag. If so, the evaluation result is Compliant. You can specify a maximum of six tags. The keys and values are case-sensitive. Each tag supports only one value. |
| oss-bucket-logging-enabled | Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. |
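The two security-group rules above (sg-risky-ports-check and sg-public-access-check) are the ones whose logic depends on several fields at once, so here is an added local re-implementation of that logic over constructed rule records; this is example code, not Cloud Config's own evaluator, and it assumes an `SgRule` record shape, a risky-port list of 22 and 3389, and that a lower priority number wins (as in ECS security groups).

```python
from dataclasses import dataclass

@dataclass
class SgRule:
    direction: str    # "ingress" or "egress"
    policy: str       # "Accept" or "Drop"
    priority: int     # 1 is the highest priority in ECS security groups
    port_range: str   # "22/22", "1/65535", or "-1/-1" meaning all ports
    source_cidr: str  # authorization object, e.g. "0.0.0.0/0"

def _port_bounds(port_range):
    """Expand an ECS-style port range into (low, high); -1/-1 covers every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)

def risky_ports_check(rules, risky_ports=(22, 3389)):
    """sg-risky-ports-check: compliant unless an inbound rule whose source is
    0.0.0.0/0 covers a risky port. Returns (compliant, sorted exposed ports)."""
    exposed = set()
    for r in rules:
        if r.direction != "ingress" or r.source_cidr != "0.0.0.0/0":
            continue  # no Internet-wide source: nothing to flag for this rule
        lo, hi = _port_bounds(r.port_range)
        exposed.update(p for p in risky_ports if lo <= p <= hi)
    return (not exposed, sorted(exposed))

def public_access_check(rules):
    """sg-public-access-check: an inbound Accept rule for 0.0.0.0/0 on -1/-1
    exposes the group unless a Drop rule with higher priority (lower number)
    covers the same source and port range. Returns True when compliant."""
    ingress = [r for r in rules if r.direction == "ingress"]
    for r in ingress:
        if r.policy != "Accept" or r.source_cidr != "0.0.0.0/0" or r.port_range != "-1/-1":
            continue
        shadowed = any(d.policy == "Drop" and d.source_cidr == "0.0.0.0/0"
                       and d.port_range == "-1/-1" and d.priority < r.priority
                       for d in ingress)
        if not shadowed:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample: HTTPS to the world is fine, SSH to the world is not.
    sample = [SgRule("ingress", "Accept", 1, "443/443", "0.0.0.0/0"),
              SgRule("ingress", "Accept", 1, "22/22", "0.0.0.0/0"),
              SgRule("ingress", "Accept", 1, "-1/-1", "10.0.0.0/8")]
    print("sg-risky-ports-check:", risky_ports_check(sample))     # (False, [22])
    print("sg-public-access-check:", public_access_check(sample))  # True
```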