規則名稱 | 規則描述 | 建議項編號 | 建議項說明 |
RDS執行個體開啟記錄備份 | RDS執行個體開啟記錄備份,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
為NAS檔案系統建立備份計劃 | 為NAS檔案系統建立備份計劃,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
OSS儲存空間開啟同城冗餘儲存 | 如果沒有開啟同城冗餘儲存,會導致當出現某個機房不可用時,OSS服務無法提供一致性服務,影響資料恢複目標。OSS儲存空間開啟同城冗餘儲存,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
PolarDB叢集的資料一級備份保留周期滿足指定要求 | PolarDB叢集一級備份保留周期大於等於指定天數,視為“合規”。參數預設值7天。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
為API分組設定調用日誌儲存 | API Gateway中API分組設定了調用日誌儲存,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
OSS儲存空間開啟版本控制 | 如果沒有開啟版本控制,會導致資料被覆蓋或刪除時無法恢複。如果開啟版本控制,則視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. The entity disposes of confidential information to meet the entity's objectives related to confidentiality. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
SLB執行個體開啟訪問日誌 | SLB傳統型Server Load Balancer執行個體開啟訪問日誌,視為“合規”。未啟用7層監聽的執行個體不支援開啟訪問日誌,視為“不適用”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
ADB叢集開啟記錄備份 | ADB叢集開啟記錄備份,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
ECS磁碟設定自動快照策略 | ECS磁碟設定了自動快照策略,視為“合規”。 | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
開啟Action Trail全量日誌跟蹤 | Action Trail中存在開啟狀態的跟蹤,且跟蹤全部地區和全部事件類型,視為“合規”。如果是資來源目錄成員帳號,當管理員有建立應用到所有成員帳號的跟蹤時,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
Security Center通知專案已設定通知方式 | Security Center通知專案均已設定通知方式,視為“合規”。 | A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. |
RDS執行個體開啟刪除保護 | RDS執行個體開啟刪除保護,視為“合規”。付費類型為訂用帳戶的執行個體不支援該功能,視為“不適用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
PolarDB叢集開啟刪除保護 | PolarDB叢集開啟刪除保護,視為“合規”。預付費類型的叢集視為“不適用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
KMS主要金鑰開啟刪除保護 | KMS主要金鑰開啟刪除保護,視為“合規”。如果密鑰狀態非啟用中,視為“不適用”,如果密鑰為服務密鑰,由於本身不可刪除,視為“不適用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
RAM使用者組非空 | RAM使用者組至少包含一個RAM使用者,視為“合規”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不存在閑置的RAM使用者組 | RAM使用者組至少包含一個RAM使用者且綁定了至少一個RAM權限原則,視為“合規”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不存在閑置的RAM權限原則 | RAM權限原則至少綁定一個RAM使用者組、RAM角色或RAM使用者,視為“合規”。 | CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
不存在超級管理員 | RAM使用者、RAM使用者組、RAM角色均未擁有Resource為*且Action為*的超級管理員權限,視為“合規”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
使用Security Center企業版 | 使用Security Center企業版或者更進階別的版本,視為“合規”。 | CC3.1 CC6.6 CC6.8 CC7.1 CC7.2 CC7.3 CC7.4
| COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.#The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
Cloud Firewall中資產開啟保護 | Cloud Firewall中資產開啟保護,視為“合規”。本規則只對Cloud Firewall付費使用者有效,未開通Cloud Firewall或者免費使用者資產無檢測資料。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
在Security Center設定指定等級的漏洞掃描 | 在Security Center設定指定風險等級的漏洞掃描,視為“合規”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
在Security Center開啟指定類型的主動防禦 | 在雲安全中開啟了參數指定的主動防禦類型,視為“合規”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
WAF3執行個體開啟指定防護規則 | WAF3.0執行個體開啟指定防護情境的規則,視為“合規”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
運行中的ECS執行個體開啟Security Center防護 | 通過在主機上安裝Security Center外掛程式,提供主機的安全防護服務。如果有安裝Security Center外掛程式,則視為“合規”。非運行中狀態的執行個體不適用本規則,視為“不適用”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
|
RAM使用者開啟MFA | 開啟控制台訪問功能的RAM使用者登入設定中必須開啟多因素認證或者已啟用MFA,視為“合規”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
運行中的ECS執行個體安裝了CloudMonitor外掛程式 | 運行中的ECS執行個體安裝CloudMonitor外掛程式而且外掛程式狀態為運行中,視為“合規”。非運行中狀態的執行個體不適用本規則,視為“不適用”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
ACK叢集運行中節點安裝CloudMonitor外掛程式 | ACK叢集運行中節點均安裝了CloudMonitor外掛程式,且監控運行狀態正常,視為“合規”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
VPC開啟流日誌記錄 | VPC已開啟流日誌(Flowlog)記錄功能,視為“合規”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
Key Management Service設定憑據自動輪轉 | Key Management Service中的憑據設定自動輪轉,視為“合規”。如果密鑰類型為普通密鑰,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
|
運行中的ECS執行個體未綁定公網地址 | 運行中的ECS執行個體沒有直接綁定IPv4公網IP或Elastic IP Address,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
OSS儲存空間開啟服務端加密 | OSS儲存空間開啟服務端OSS完全託管加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS儲存空間開啟日誌轉存 | OSS儲存空間的日誌管理中開啟日誌轉存,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.#The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
OSS儲存空間ACL禁止公用讀取 | OSS儲存空間的ACL策略禁止公用讀取,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
阿里雲帳號不存在AccessKey | 阿里雲帳號不存在任何狀態的AccessKey,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
ECS資料磁碟開啟加密 | ECS資料磁碟已開啟加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
KMS憑據成功輪轉 | KMS憑據開啟自動輪轉並且根據設定的輪轉周期成功進行了輪轉,視為“合規”。通用憑據不支援在KMS直接配置周期性輪轉,視為“不適用”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS儲存空間權限原則設定安全訪問 | OSS儲存空間權限原則中包含了讀寫操作的訪問方式設定為HTTPS,或者拒絕訪問的訪問方式設定為HTTP,視為“合規”。權限原則為空白的OSS儲存空間,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
Function Compute服務禁止訪問公網 | Function Compute服務設定了禁止訪問公網,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
SSL認證到期檢測 | SSL認證到期時間剩餘天數大於參數指定的天數,視為”合規“。參數預設值為30天。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
NAS檔案系統設定了加密 | NAS檔案系統設定了加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
Elasticsearch執行個體資料節點開啟雲端硬碟加密 | Elasticsearch執行個體資料節點開啟雲端硬碟加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
KMS主要金鑰未設定為待刪除 | KMS主要金鑰未設定為待刪除,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
ADB叢集未開啟公網 | ADB執行個體未開啟公網訪問,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS儲存空間ACL禁止公用讀寫 | OSS儲存空間的ACL策略禁止公用讀寫,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
RAM使用者的AccessKey在指定時間內輪換 | RAM使用者的AccessKey建立時間距離檢查時間不超過指定天數,視為“合規”。預設值:90天。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
Elasticsearch執行個體未開啟公網訪問 | Elasticsearch執行個體未開啟公網訪問,視為“合規”。 | CC6.1、CC6.6 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
RAM使用者密碼策略符合要求 | RAM使用者密碼策略中各項配置滿足參數設定的值,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.#The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
運行中的ECS執行個體在專用網路 | 阿里雲推薦購買的ECS放在VPC裡面。如果ECS有歸屬VPC,則視為“合規”。如果指定參數,則檢查ECS執行個體的專用網路執行個體在指定參數範圍內,視為“合規”。非運行中的ECS執行個體視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
ALB執行個體HTTP監聽設定移除Header的轉寄功能 | ALB負載平衡運行中的HTTP監聽設定了刪除Header的轉寄動作,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
RDS執行個體禁止配置公網地址 | RDS執行個體未配置公網地址,視為“合規”。生產環境的RDS執行個體不推薦配置公網直接存取,容易被駭客攻擊。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
SLB開啟HTTPS監聽 | SLB在指定連接埠上開啟HTTPS協議的監聽,視為“合規”。如果SLB執行個體只開啟TCP或者UDP協議的監聽,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
安全性群組非白名單連接埠入網設定有效 | 除指定的白名單連接埠外,其餘連接埠不能有授權原則設定為允許而且來源為0.0.0.0/0的入方向規則,視為“合規”。雲產品或虛商所使用的安全性群組不適用本規則,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
Elasticsearch執行個體使用HTTPS傳輸協議 | Elasticsearch執行個體使用HTTPS傳輸協議,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
函數服務設定為僅允許指定VPC調用 | 函數服務設定為僅允許指定VPC調用,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
RDS執行個體開啟TDE加密 | RDS執行個體的資料安全性設定開啟TDE加密,視為“合規”。不支援TDE加密的執行個體規格或版本視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
|
安全性群組指定協議不允許對全部網段開啟風險連接埠 | 當安全性群組入網網段設定為0.0.0.0/0時,指定協議的連接埠範圍不包含指定風險連接埠,視為“合規”。若入網網段未設定為0.0.0.0/0時,即使連接埠範圍包含指定的風險連接埠,也視為“合規”。如果檢測到的風險連接埠被優先順序更高的授權策略拒絕,視為“合規”。雲產品或虛商所使用的安全性群組視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
PolarDB執行個體IP白名單禁止設定為全網段 | PolarDB執行個體IP白名單未設定為0.0.0.0/0,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
PolarDB叢集的所有串連地址都未開啟公網 | PolarDB叢集的所有串連地址都未開啟公網,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
檢測閑置Elastic IP Address | 彈性公網已綁定到ECS或者NAT執行個體,非閑置狀態,視為“合規”。 | CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
RAM使用者訪問設定人員和程式分離 | RAM使用者未同時開啟控制台訪問和API調用訪問,視為“合規”。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不直接授權給RAM使用者 | RAM使用者沒有直接綁定權限原則,視為“合規”。推薦RAM使用者從RAM組或角色繼承許可權。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
RAM使用者歸屬使用者組 | 所有RAM使用者均歸屬於RAM使用者組,視為“合規”。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
RAM使用者不存在啟用狀態的密鑰 | RAM使用者不存在啟用狀態的密鑰,視為“合規”。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
ACK叢集安裝ack-ram-authenticator組件基於RAM進行請求認證 | ACK叢集安裝ack-ram-authenticator組件,實現基於RAM的鑒權,視為“合規”。 | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ECS執行個體被授予執行個體RAM角色 | ECS執行個體被授予了執行個體RAM角色,視為“合規”。 | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
PolarDB叢集開啟TDE | PolarDB叢集開啟TDE,視為“合規”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
API Gateway中配置API安全認證 | API Gateway中配置API安全認證為阿里雲APP或者使用指定的外掛程式類型,視為“合規”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
API Gateway中API分組綁定網域名稱接入WAF或者WAF3.0 | API Gateway中的API分組綁定的網域名稱接入了WAF或者WAF3.0,視為“合規”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
Auto Scaling配置中未設定分配公網IPv4地址 | Auto Scaling配置中未設定分配公網IPv4地址,視為“合規”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
運行中的ECS執行個體無待修複漏洞 | ECS執行個體在Security Center無指定類型和等級的待修複漏洞,視為“合規”。非運行中狀態的執行個體不適用本規則,視為“不適用”。 | | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
帳號下所有ECS執行個體已安裝Security Center代理 | 帳號下所有ECS執行個體均已安裝Security Center代理,視為“合規”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
SLB執行個體未綁定公網IP | SLB執行個體未綁定公網IP,視為“合規”。如果沒有公網需求,建議SLB執行個體不要直接綁定公網IP地址。如果有公網需求,建議購買EIP並和相關SLB執行個體進行綁定,使用EIP更加靈活、同時可使用共用頻寬降低成本。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
NAT Gateway不允許映射指定的風險連接埠 | NAT GatewayDNAT映射連接埠不包含指定的風險連接埠,視為“合規”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
SLB使用認證為阿里雲簽發 | SLB使用認證為阿里雲簽發,視為“合規”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
SLB執行個體的HTTPS監聽使用指定的安全性原則套件 | SLB執行個體的所有HTTPS類型監聽使用參數指定的安全性原則套件版本,視為“合規”。未設定HTTPS類型監聽的SLB執行個體,視為“不適用”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
API Gateway中API分組的自訂網域名設定了SSL認證 | API Gateway中的API分組綁定自訂網域名並且設定了SSL認證,視為“合規”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
PolarDB叢集設定SSL加密 | PolarDB叢集設定了SSL加密,視為“合規”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
CDN網域名稱開啟TLS13版本檢測 | 檢測CDN網域名稱是否啟用TLS1.3,啟用視為“合規”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
DTS同步任務源庫和目標庫使用SSL安全連結 | DTS執行個體下同步任務源庫和目標庫均使用SSL安全連結,視為“合規”。任務類型為非同步類型的DTS執行個體不適用本規則,視為“不適用”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
ECS執行個體禁止綁定公網地址 | ECS執行個體沒有直接綁定IPv4公網IP或Elastic IP Address,視為“合規”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
Container Registry執行個體未開啟公網訪問入口 | Container Registry執行個體未開啟公網訪問入口,視為“合規”,適用於企業版。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
Redis執行個體設定TLS或SSL加密 | Redis執行個體設定TLS或SSL加密,視為“合規”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
Security Center無待修複的鏡像漏洞 | Security Center開啟鏡像掃描且無待修複的鏡像漏洞,視為“合規”。未開啟或未執行鏡像掃描時無法擷取漏洞資訊,視為“不適用”。 | | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
|
ACK叢集節點安裝CloudMonitor外掛程式 | ACK叢集節點均已安裝CloudMonitor外掛程式,且外掛程式運行狀態正常,視為“合規”。 | CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
Function Compute中函數設定滿足參數指定要求 | Function Compute2.0中的函數設定滿足參數指定的要求,視為“合規”。 | CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
為指定雲產品設定CloudMonitor警示規則 | 在CloudMonitor為指定命名空間的雲端服務設定了至少一條警示規則,視為“合規”。 | | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
ADB叢集開啟SQL審計日誌 | ADB叢集開啟SQL審計日誌,視為“合規”。 | CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
PolarDB叢集開啟SQL審計 | PolarDB叢集SQL審計狀態為開啟,視為“合規”。 | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |