Queries the check results of cloud service configurations by check item type or name.
Operation description
This operation is phased out. You can use the ListCheckResult operation.
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resourcesis used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
| Operation | Access level | Resource type | Condition key | Associated operation |
|---|---|---|---|---|
| yundun-sas:DescribeRiskCheckResult | get |
|
| none |
Request parameters
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| SourceIp | string | No | The source IP address of the request. | 1.2.XX.XX |
| Lang | string | No | The language of the content within the request and response. Default value: zh. Valid values:
| zh |
| GroupId | long | No | The type of the check item that you want to query. Valid values:
Note
If you do not specify this parameter, all types of check items are queried.
| 1 |
| CurrentPage | integer | No | The number of the page to return. Default value: 1. | 1 |
| RiskLevel | string | No | The risk level of the check item that you want to query. Valid values:
| high |
| Status | string | No | The status of the check results. Valid values:
| pass |
| AssetType | string | No | The cloud service whose configuration check results you want to query. For more information about the check items for the cloud service, see the check item table in the "Response parameters" section of this topic. | RDS |
| Name | string | No | The name of the check item. For more information about the check item, see the check item table in the "Response parameters" section of this topic. | ALB_NetWorkAccessControl |
| PageSize | integer | No | The number of entries to return on each page. Default value: 20. | 20 |
| QueryFlag | string | No | Specifies whether the check item is supported by the edition of Security Center that you purchase. Valid values:
| enabled |
| ItemIds | array | No | An array that consists of the IDs of check items. For more information about the check item, see the check item table in the "Response parameters" section of this topic. | |
| string | No | An array that consists of the IDs of check items. For more information about the check item, see the check item table in the "Response parameters" section of this topic. | 15 |
Response parameters
The following table describes the information about the check items that are supported by the configuration assessment feature. The information includes the ID, name, type, risk level, and supported service of each check item.
| ItemId (check item ID) | Name (check item name) | GroupId (check item type) | RiskLevel (risk level) | AssetType (Alibaba Cloud service) | Description |
|---|---|---|---|---|---|
| 1 | ActionTrail - logging | 3: log audit | medium | ActionTrail | Checks whether ActionTrail is used to record operation logs on the cloud and save the logs to Object Storage Service (OSS) buckets. |
| 2 | ApsaraDB RDS - database security policies | 4: data security | medium | RDS | Checks whether the SSL encryption, Transparent Data Encryption (TDE), and SQL Audit features are enabled for each ApsaraDB RDS instance. |
| 3 | Alibaba Cloud account security - MFA | 1: identity authentication and permissions | high | RAM | Checks whether multi-factor authentication (MFA) is enabled for the Alibaba Cloud account to which you are logged on. |
| 4 | Alibaba Cloud Security - Back-to-origin configurations of Anti-DDoS Pro or Anti-DDoS Premium | 2: network access control | high | DDoS | Checks whether actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, attackers cannot directly access the backend servers. To hide the actual IP addresses, you can configure access control policies. For example, if you want to hide the IP addresses of Server Load Balancer (SLB) instances, you can configure SLB whitelists on the SLB instances. If you want to hide the IP addresses of Elastic Compute Service (ECS) instances, you can configure security group rules for the ECS instances. All these policies allow access from only back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. |
| 5 | ApsaraDB RDS - whitelist configurations | 2: network access control | high | RDS | Checks whether a whitelist of an ApsaraDB RDS instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the CIDR block, all IP addresses are allowed to access the ApsaraDB RDS instance. For security purposes, we recommend that you configure RDS whitelists to allow access from only specified IP addresses. |
| 6 | SLB - open ports | 2: network access control | high | SLB | Checks whether SLB is configured to forward requests from high-risk ports to the Internet. |
| 7 | Alibaba Cloud Security - back-to-origin configuration checks for WAF | 2: network access control | high | WAF | Checks whether the actual IP addresses of backend servers are hidden after you use Web Application Firewall (WAF). If the actual IP addresses are hidden, attackers cannot directly access the backend servers. To hide the actual IP addresses, you can configure access control policies. For example, if you want to hide the IP addresses of SLB instances, you can configure SLB whitelists on the SLB instances. If you want to hide the IP addresses of ECS instances, you can configure security group rules for the ECS instances. All these policies allow access from only back-to-origin IP addresses of WAF. |
| 8 | Alibaba Cloud Security - agent status | 6: basic security protection | high | ECS | Checks whether the Security Center agent on your ECS instance is always online and provides protection. |
| 12 | OSS - bucket permissions | 4: data security | high | OSS | Checks whether the access control list (ACL) of any of your OSS buckets is public-read or public-read-write. The public-read or public-read-write ACL allows users to read or write the data in your OSS buckets without authentication. To ensure data security, we recommend that you set the ACL of all your buckets to private. |
| 13 | Security Center - detection of AccessKey pair leaks | 5: monitoring and alerting | medium | RAM | Checks whether detection of AccessKey pair leaks is enabled. API credentials, also AccessKey pairs, are unique and important identity credentials. We recommend that you enable the detection to prevent AccessKey pair leaks. |
| 14 | ApsaraDB for MongoDB - whitelist configurations | 2: network access control | high | MongoDB | Checks whether whitelists are enabled for ApsaraDB for MongoDB instances. If whitelists are enabled and a whitelist is empty or contains the 0.0.0.0/0 CIDR block, the requests from all IP addresses are allowed. In this case, security risks may occur. We recommend that you specify trusted IP addresses in a whitelist to allow access from only the specified IP addresses. |
| 15 | RAM - MFA configuration for RAM users | 1: identity authentication and permissions | medium | RAM | Checks whether MFA is enabled for RAM users. |
| 16 | OSS - logging | 4: data security | medium | OSS | Checks whether the logging feature is enabled for all OSS buckets. A large number of logs are generated when OSS resources are accessed. After you enable and configure logging for a bucket, OSS generates log objects every hour based on predefined naming conventions and then stores the log objects in a specified bucket. You can use Alibaba Cloud Data Lake Analytics (DLA) or build a Spark cluster to analyze the logs. You can configure lifecycle rules for a bucket to convert the storage class of log objects to Archive for long-term archiving. |
| 17 | OSS - cross-region replication | 4: data security | low | OSS | Checks whether cross-region replication (CRR) is enabled for all OSS buckets. CRR automatically and asynchronously replicates objects across OSS buckets in different regions. CRR allows you to synchronize operations, such as the create, overwrite, and delete operations on objects, from a source bucket to a destination bucket. This feature can meet your requirements for geo-disaster recovery and data replication. Objects in the destination bucket are extra duplicates of objects in the source bucket. They have the same names, content, and metadata, such as the creation time, owner, user metadata, and ACL. |
| 18 | ApsaraDB RDS - database backup | 4: data security | medium | RDS | Checks whether database backup is enabled for ApsaraDB RDS instances. We recommend that you enable database backup for ApsaraDB RDS instances and perform a data backup task on a daily basis. |
| 19 | ApsaraDB for Redis - whitelist configurations | 2: network access control | high | Redis | Checks access control configurations of ApsaraDB for Redis instances. |
| 20 | ECS - public key authentication | 1: identity authentication and permissions | medium | ECS | Checks whether SSH key pair-based logon is enabled for ECS instances. |
| 21 | SLB - health status | 5: monitoring and alerting | low | SLB | Checks the health status of SLB instances. |
| 22 | PolarDB - whitelist configurations | 2: network access control | medium | PolarDB | Checks whether a whitelist of a PolarDB cluster contains the CIDR block 0.0.0.0/0. If the whitelist contains the CIDR block, all IP addresses are allowed to access the PolarDB cluster. For security purposes, we recommend that you configure whitelists to allow access from only specified IP addresses. |
| 23 | AnalyticDB for PostgreSQL - whitelist configurations | 2: network access control | medium | PostgreSQL | Checks whether a whitelist of an AnalyticDB for PostgreSQL instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the CIDR block, all IP addresses are allowed to access the AnalyticDB for PostgreSQL instance. For security purposes, we recommend that you configure whitelists to allow access from only specified IP addresses. |
| 24 | ECS - storage encryption | 4: data security | low | ECS | Checks whether disk encryption is enabled. Disk encryption allows you to meet security or regulatory compliance requirements. |
| 25 | SLB - whitelist configurations | 2: network access control | medium | SLB | Checks the whitelist configurations of SLB instances. We recommend that you configure whitelists for non-HTTP and non-HTTPS services. We recommend that you do not add 0.0.0.0/0 to the whitelists. |
| 26 | SLB - certificate validity checks | 5: monitoring and alerting | medium | SLB | Checks whether an SLB certificate has expired. |
| 27 | ECS - automatic snapshot policies | 4: data security | medium | ECS | Checks whether automatic snapshot policies are enabled for ECS instances. |
| 28 | Certificate Management Service - validity checks | 4: data security | medium | SSL | Checks whether an SSL certificate is within its validity period. |
| 30 | OSS - bucket server-side encryption | 4: data security | low | OSS | Checks whether server-side encryption is enabled for OSS buckets. |
| 31 | OSS - bucket hotlink protection | 2: network access control | low | OSS | Checks whether hotlink protection is configured for OSS buckets. |
| 32 | ApsaraDB RDS - cross-region backup configurations | 4: data security | low | RDS | Checks whether cross-region backup is configured for ApsaraDB RDS instances. |
| 33 | ApsaraDB for MongoDB - backup configurations | 4: data security | medium | MongoDB | Checks whether data backup is enabled for ApsaraDB for MongoDB instances. |
| 34 | ApsaraDB for MongoDB - log audit | 3: log audit | medium | MongoDB | Checks whether log audit is enabled for ApsaraDB for MongoDB instances. |
| 35 | ApsaraDB for MongoDB - SSL encryption | 4: data security | medium | MongoDB | Checks whether SSL certificate checks are enabled for ApsaraDB for MongoDB instances. |
| 36 | CloudMonitor - agent status | 5: monitoring and alerting | medium | CloudMonitor | Checks whether the status of the CloudMonitor agent is normal. |
| 37 | ECS - security group policies | 2: network access control | medium | ECS | Checks the security group policies of ECS instances. |
| 38 | VPC - DNAT management port mapping | 2: network access control | medium | VPC | Checks whether a virtual private cloud (VPC) destination network address translation (DNAT) rule is configured to map management ports to the Internet. |
| 39 | ApsaraDB for Redis - backup configurations | 4: data security | medium | Redis | Checks whether data backup is enabled for ApsaraDB for Redis instances. |
| 40 | Container Registry - repository permission configurations | 4: data security | high | CR | Checks whether repository permissions are correctly configured in Container Registry. |
| 41 | Container Registry - security scans | 6: basic security protection | low | CR | Checks whether security scan is enabled in Container Registry. |
| 42 | SLB - logging | 3: log audit | medium | SLB | Checks whether access logging is configured for SLB instances. |
| 43 | ApsaraDB for Redis - log audit | 3: log audit | low | Redis | Checks whether log audit is configured for ApsaraDB for Redis instances. |
| 44 | OSS - authorization policies | 1: identity authentication and permissions | medium | OSS | Checks whether authorization policies are correctly configured in OSS. |
| 46 | PolarDB - backup configurations | 4: data security | medium | PolarDB | Checks whether data backup is enabled for PolarDB clusters. |
| 47 | PolarDB - SQL Explorer | 3: log audit | medium | PolarDB | Checks whether SQL Explorer is enabled for PolarDB clusters. |
| 49 | Alibaba Cloud account security - AccessKey pair | 1: identity authentication and permissions | medium | RAM | Checks whether the AccessKey pair of your Alibaba Cloud account is enabled. |
| 51 | Alibaba Cloud CDN - real-time log push feature | 3: log audit | medium | CDN | Checks whether real-time log push is enabled in Alibaba Cloud CDN. |
| 52 | ApsaraDB for Redis - SSL encryption | 4: data security | medium | Redis | Checks whether SSL certificates are used for ApsaraDB for Redis instances. |
Examples
Sample success responses
JSONformat
{
"CurrentPage": 1,
"RequestId": "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
"PageSize": 20,
"TotalCount": 12,
"PageCount": 20,
"Count": 10,
"List": [
{
"RiskLevel": "high",
"Status": "pass",
"Type": "Log audit",
"Sort": 1,
"RepairStatus": "disabled",
"RemainingTime": 0,
"ItemId": 1,
"StartStatus": "enabled",
"AffectedCount": 0,
"RiskAssertType": "ECS",
"Title": "RDS - Whitelist Configuration",
"TaskId": 15384933,
"CheckTime": 1639429164000,
"RiskItemResources": [
{
"ContentResource": {
"key": "{\"type\":\"link\",\"url\":\"https://help.aliyun.com/document_detail/28635.html\",\"value\":\"https://help.aliyun.com/document_detail/28635.html\"}"
},
"ResourceName": "bestPractice"
}
]
}
]
}Error codes
| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | NoPermission | no permission | - |
| 403 | NoPermission | caller has no permission | You are not authorized to do this operation. |
| 500 | ServerError | ServerError | - |
For a list of error codes, visit the Service error codes.
Change history
| Change time | Summary of changes | Operation |
|---|
No change history