Based on the Risk Management in Technology (RMiT) control requirements that apply to the Malaysian financial industry, the RMiTComplianceCheck compliance package continuously checks the compliance of IT systems on the cloud. This topic describes the rules that are provided in the RMiTComplianceCheck compliance package.
| Rule name | Description |
| --- | --- |
| | Checks whether an active trail exists in ActionTrail that tracks events of all types in all regions. If so, the evaluation result is Compliant. If the administrator of the resource directory has created a trail that applies to all member accounts, the evaluation result is also Compliant. |
| | Checks whether a trail is enabled in ActionTrail. If so, the evaluation result is Compliant. |
| | Checks whether the data in each Object Storage Service (OSS) bucket is encrypted with a Key Management Service (KMS) key that you specify. If so, the evaluation result is Compliant. |
| | Checks whether an automatic snapshot policy is applied to each ECS disk. If so, the evaluation result is Compliant. |
| | Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant. |
| | Checks whether a public IPv4 address or an elastic IP address (EIP) is associated with each ECS instance. If not, the evaluation result is Compliant. |
| | If the vpcIds parameter is not configured, checks whether the network type of each ECS instance is VPC. If so, the evaluation result is Compliant. If the vpcIds parameter is configured, checks whether each ECS instance resides in one of the specified VPCs. If so, the evaluation result is also Compliant. Separate multiple VPC IDs with commas (,). |
| | Checks whether each Server Load Balancer (SLB) instance uses certificates that are issued by Alibaba Cloud. If so, the evaluation result is Compliant. |
| | Checks whether the certificate of each SLB instance is valid. If so, the evaluation result is Compliant. |
| | Checks whether the release protection feature is enabled for each SLB instance. If so, the evaluation result is Compliant. |
| | Checks whether an HTTPS listener is enabled on the specified ports of each SLB instance. If so, the evaluation result is Compliant. If only TCP or UDP listeners are enabled on the specified ports, the evaluation result is Not Applicable. |
| | Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant. |
| | Checks whether the password policy that applies to RAM users meets the specified values. If so, the evaluation result is Compliant. |
| | Checks whether any policy attached to each RAM user, RAM user group, or RAM role has both the Action and Resource elements set to *. If not, the evaluation result is Compliant. A policy whose Action and Resource are both * grants the identity super administrator permissions. |
| | Checks whether an AccessKey pair is created for the Alibaba Cloud account. If not, the evaluation result is Compliant. |
| | Checks whether each RAM user belongs to at least one RAM user group. If so, the evaluation result is Compliant. |
| | Checks whether multi-factor authentication (MFA) is enabled in the logon settings of each RAM user for which console access is enabled. If so, the evaluation result is Compliant. |
| | Checks whether a policy is directly attached to each RAM user. If not, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or RAM roles instead of having policies attached directly. |
| | Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is Compliant. If a RAM user was updated within the last 90 days, the evaluation result is Compliant regardless of whether the RAM user has logged on recently. For RAM users that have no console access, the evaluation result is Not Applicable. |
| | Checks whether a public endpoint is configured for each RDS instance. If not, the evaluation result is Compliant. To reduce exposure to attacks from the Internet, we recommend that you do not allow direct access to RDS instances in production environments over the Internet. |
| | Checks whether the event history feature is enabled for each RDS instance. If so, the evaluation result is Compliant. |
| | Checks whether each RDS instance uses the multi-zone architecture. If so, the evaluation result is Compliant. |
| | Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each RDS instance. If so, the evaluation result is Compliant. |
| | Checks whether logging is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. |
| | For each OSS bucket whose Bucket ACL parameter is set to Public Read/Write, checks whether a bucket policy is configured and whether that policy grants no read or write permissions to anonymous accounts. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets whose Bucket ACL parameter is set to Private. |
| | Checks whether the Encryption Method parameter of the server-side encryption feature is set to OSS-Managed for each OSS bucket. If so, the evaluation result is Compliant. |
| | Checks whether KMS-based server-side encryption is enabled for each OSS bucket. If so, the evaluation result is Compliant. |
| | Checks whether versioning is enabled for each OSS bucket. If so, the evaluation result is Compliant. If versioning is disabled, objects that are overwritten or deleted cannot be recovered. |
| | Checks whether the flow log feature is enabled for each virtual private cloud (VPC). If so, the evaluation result is Compliant. |
| | Checks whether each IPsec-VPN connection is in the established state. If so, the evaluation result is Compliant. |
| | Checks whether the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant. |
| | Checks whether the bucket policy of each OSS bucket allows read and write operations only over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. For OSS buckets that have no bucket policy, the evaluation result is Not Applicable. |
| | Checks whether any inbound rule of each security group has the authorization policy set to Allow, the port range set to -1/-1, and the authorized object set to 0.0.0.0/0. If no such rule exists, or if an authorization policy with a higher priority overrides it, the evaluation result is Compliant. If a security group is used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| | Checks whether the automatic rotation feature is enabled for each customer master key (CMK) in KMS. If so, the evaluation result is Compliant. |
| | If the vpcIds parameter is not configured, checks whether the network type of each Elasticsearch cluster is VPC. If so, the evaluation result is Compliant. If the vpcIds parameter is configured, checks whether each Elasticsearch cluster resides in one of the specified VPCs. If so, the evaluation result is also Compliant. |
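The wildcard-permission rule in the table compares the Action and Resource elements of the policies attached to an identity. The following Python script is added here as an illustration of how that check can be implemented over RAM policy documents; it is not Alibaba Cloud Config's code, and the policy names, sample documents and function names are constructed for the example. It handles the cases a naive string comparison misses: elements given as lists rather than strings, a * buried in a list of actions, and Deny statements, which grant nothing and must not be counted as an administrator grant.

```python
"""Detect admin-equivalent statements in RAM policy documents.

Added example, not Alibaba Cloud Config's implementation. Mirrors the rule that
treats an identity as a super administrator when an attached policy allows
Action "*" on Resource "*". All policy documents below are constructed.
"""
import json


def _as_list(value):
    """RAM policy elements may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_wildcard_statement(stmt):
    """True if a single statement allows every action on every resource."""
    if stmt.get("Effect") != "Allow":
        # A Deny with */* is a blanket restriction, not a grant.
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def has_super_admin_grant(policy_document):
    """Accepts a JSON string or an already-parsed dict."""
    policy = (json.loads(policy_document)
              if isinstance(policy_document, str) else policy_document)
    return any(is_full_wildcard_statement(s)
               for s in _as_list(policy.get("Statement")))


def evaluate_identity(attached_policies):
    """attached_policies: {policy_name: policy_document} for one user/group/role.

    Returns (verdict, offending_policy_names), sorted for stable output.
    """
    offenders = sorted(name for name, doc in attached_policies.items()
                       if has_super_admin_grant(doc))
    return ("NON_COMPLIANT" if offenders else "COMPLIANT"), offenders


# Constructed sample documents (shapes follow the RAM policy format).
SAMPLE_POLICIES = {
    "AdministratorAccess":
        '{"Version":"1","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}',
    "AliyunOSSReadOnlyAccess":
        '{"Version":"1","Statement":[{"Effect":"Allow",'
        '"Action":["oss:Get*","oss:List*"],"Resource":"*"}]}',
    "DenyEverything":
        '{"Version":"1","Statement":[{"Effect":"Deny","Action":"*","Resource":"*"}]}',
    "ListWildcard":
        '{"Version":"1","Statement":[{"Effect":"Allow",'
        '"Action":["ecs:Describe*","*"],"Resource":["*"]}]}',
}

if __name__ == "__main__":
    verdict, names = evaluate_identity(SAMPLE_POLICIES)
    print(verdict, names)
```

Running the script reports NON_COMPLIANT for the identity because two of the four constructed policies (AdministratorAccess and ListWildcard) carry a full wildcard grant; the read-only policy and the blanket Deny are correctly ignored.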
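The security group rule in the table is the one most often misread, because an all-ports Allow from 0.0.0.0/0 can still be acceptable when a higher-priority rule overrides it. The Python script below is an added example of that evaluation logic, not Alibaba Cloud Config's own implementation. It assumes the rule ordering in which a smaller priority number takes precedence and a drop rule wins a tie with an accept rule of the same priority; the SgRule shape, field names and sample rule sets are constructed for the example. It also shows the caveat a practitioner cares about: a drop rule that covers only part of the open scope (for example just port 22) does not neutralize an all-ports allow.

```python
"""Evaluate security group inbound rules for an unrestricted all-ports allow.

Added example, not Alibaba Cloud Config's implementation. Models the rule: an
inbound accept rule with port range -1/-1 from 0.0.0.0/0 makes the group
NON_COMPLIANT unless a higher-priority rule overrides it. Ordering assumption:
smaller priority number wins; on a tie, drop beats accept. Samples are constructed.
"""
from dataclasses import dataclass

ANY_PORTS = "-1/-1"
ANY_IPV4 = "0.0.0.0/0"


@dataclass(frozen=True)
class SgRule:
    policy: str          # "accept" or "drop"
    priority: int        # 1 (highest precedence) .. 100 (lowest)
    port_range: str      # e.g. "22/22"; "-1/-1" means all ports
    source_cidr: str     # e.g. "10.0.0.0/8"; "0.0.0.0/0" means anywhere
    direction: str = "ingress"


def is_open_to_world(rule):
    """The condition the compliance rule flags: allow everything from anywhere."""
    return (rule.direction == "ingress" and rule.policy == "accept"
            and rule.port_range == ANY_PORTS and rule.source_cidr == ANY_IPV4)


def overrides(open_rule, blocker):
    """Does `blocker` take precedence over `open_rule` for the whole open scope?"""
    if blocker.direction != "ingress" or blocker.policy != "drop":
        return False
    # A drop that covers only some ports or some sources leaves the rest open.
    if blocker.port_range != ANY_PORTS or blocker.source_cidr != ANY_IPV4:
        return False
    # Assumed ordering: lower number first; equal priority -> drop wins.
    return blocker.priority <= open_rule.priority


def evaluate_security_group(rules):
    """Returns (verdict, list of open rules that no higher-priority drop overrides)."""
    open_rules = [r for r in rules if is_open_to_world(r)]
    unmitigated = [r for r in open_rules
                   if not any(overrides(r, b) for b in rules)]
    return ("NON_COMPLIANT" if unmitigated else "COMPLIANT"), unmitigated


# Constructed sample groups.
SAMPLE_GROUPS = {
    "ssh-from-intranet": [SgRule("accept", 1, "22/22", "10.0.0.0/8")],
    "open-to-world": [SgRule("accept", 100, ANY_PORTS, ANY_IPV4)],
    "open-but-dropped-first": [SgRule("accept", 50, ANY_PORTS, ANY_IPV4),
                               SgRule("drop", 1, ANY_PORTS, ANY_IPV4)],
    "drop-too-late": [SgRule("accept", 1, ANY_PORTS, ANY_IPV4),
                      SgRule("drop", 50, ANY_PORTS, ANY_IPV4)],
    "partial-drop": [SgRule("accept", 10, ANY_PORTS, ANY_IPV4),
                     SgRule("drop", 1, "22/22", ANY_IPV4)],
}

if __name__ == "__main__":
    for name, rules in SAMPLE_GROUPS.items():
        verdict, offenders = evaluate_security_group(rules)
        print(f"{name}: {verdict} ({len(offenders)} unmitigated rule(s))")
```

Only "ssh-from-intranet" and "open-but-dropped-first" evaluate as COMPLIANT; the other three groups keep an unmitigated all-ports allow. The Not Applicable case for security groups owned by cloud services is a metadata lookup outside this snippet.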