在制药领域中使用计算机化系统的企业和组织,在用云过程中需要满足中国GMP附录《计算机化系统》标准。本合规包模板提供了标准细则与阿里云的产品设置的对应关系。本文为您介绍中国GMP附录合规包中的默认规则。
规则名称 | 规则描述 | 建议项编号 | 建议项说明 |
操作审计中存在开启状态的跟踪,且跟踪全部地域和全部事件类型,视为“合规”。如果是资源目录成员账号,当管理员有创建应用到所有成员账号的跟踪时,视为“合规”。 |
| Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As a quality risk management, risk management must be applied to confirm the required verification scope and control level of data integrity based on your written risk evaluation result. A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures. | |
使用云安全中心企业版或者更高级别的版本,视为“合规”。 |
| Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As a quality risk management, risk management must be applied to confirm the required verification scope and control level of data integrity based on your written risk evaluation result. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures. | |
通过在主机上安装云安全中心插件,提供主机的安全防护服务。如果有安装云安全中心插件,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
ECS实例在云安全中心无指定类型和等级的待修复漏洞,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
ECS实例状态不是已停止状态,视为“合规”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
弹性公网已绑定到ECS或者NAT实例,非闲置状态,视为“合规”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
检查闲置安全组,安全组绑定的ECS实例数量大于0,视为“合规”。 | 4.7 | You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity. | |
RDS实例开启日志备份,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
PolarDB集群日志备份保留周期大于等于指定天数,视为“合规”。参数默认值30天。未开启日志备份或备份保留周期小于指定天数,视为“不合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Redis实例开启增量备份,视为“合规”。本规则只适用于类型为Tair的实例,非Tair类型的实例,视为“不适用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Elasticsearch实例开启了自动备份,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ADB集群开启日志备份,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
MongoDB实例开启日志备份,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
为NAS文件系统创建备份计划,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ECS磁盘设置了自动快照策略,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
OceanBase集群开启数据库备份,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
如果没有开启版本控制,会导致数据被覆盖或删除时无法恢复。如果开启版本控制则,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
如果没有开启同城冗余存储,会导致当出现某个机房不可用时,OSS服务无法提供一致性服务,影响数据恢复目标。OSS存储空间开启同城冗余存储,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
DTS实例下同步任务源库和目标库均使用SSL安全链接,视为“合规”。任务类型为非同步类型的DTS实例不适用本规则,视为“不适用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
DTS实例下迁移任务源库和目标库均使用SSL安全链接,视为“合规”。任务类型为非迁移类型的DTS实例不适用本规则,视为“不适用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
检测CDN域名是否启用TLS1.3,启用,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
Elasticsearch实例使用HTTPS传输协议,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
函数计算函数绑定到自定义域名且开启TLS指定版本,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
PolarDB集群设置了SSL加密,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
Redis实例设置SSL加密,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
API网关中开启公网访问的API请求方式设置为HTTPS,视为“合规”。只限制内网调用的API不适用此规则,视为“不适用”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
RDS实例的数据安全性设置开启SSL证书,视为“合规”。 |
| When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. | |
使用中的ECS数据磁盘已开启加密,视为“合规”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
RDS实例的数据安全性设置开启TDE加密,视为“合规”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
VPN连接使用的加密算法不为None,视为“合规”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
Elasticsearch实例数据节点开启云盘加密,视为“合规”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
PolarDB集群开启TDE,视为“合规”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
Redis实例使用自定义密钥开启TDE加密,视为“合规”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
日志服务日志库设置了数据加密,视为“合规”。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
ECS自动快照策略设置快照保留天数大于设置的天数,视为“合规”。默认值:7天。 | 5.19 | If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. | |
RDS实例开启删除保护,视为“合规”。付费类型为包年包月的实例不支持该功能,视为“不适用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
PolarDB集群开启删除保护,视为“合规”。预付费类型的集群,视为“不适用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ECS实例开启释放保护,视为“合规”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
HBase集群开启删除保护,视为“合规”。预付费类型的集群,视为“不适用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
MongoDB实例开启释放保护,视为“合规”。预付费类型的实例,视为“不适用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Redis实例开启释放保护,视为“合规”。预付费类型的实例,视为“不适用”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
SLB实例开启释放保护,视为“合规”。 |
| Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
运行中的ECS实例安装云监控插件而且插件状态为运行中,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。 | 5.21 | You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures. | |
RDS实例开启历史事件日志,视为“合规”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
阿里云账号开启MFA,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
开启控制台访问功能的RAM用户登录设置中必须开启多因素认证或者已启用MFA,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
OSS存储空间的ACL策略禁止公共读写,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
OSS Bucket授权策略中未授予匿名账号任何读写权限,视为“合规”。若OSS Bucket未设置任何授权策略,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
ECS实例被授予了实例RAM角色,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
函数计算服务配置了服务角色,视为“合规”。避免因暴露阿里云账号密钥,造成安全风险。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
启用ACK集群的RRSA功能,视为“合规”。RRSA功能可以在集群内实现Pod维度的OpenAPI权限隔离,从而实现云资源访问权限的细粒度隔离,降低安全风险。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM用户未同时开启控制台访问和API调用访问,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
MSE集群开放公网访问时开启鉴权,视为“合规”。未开启公网访问时,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM用户AccessKey的最后使用时间距今天数小于参数设置的天数,视为“合规”。默认值:90天。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM用户密码策略中各项配置满足参数设置的值,视为“合规”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
如果RAM用户在最近90天有登录行为,视为“合规”。如果RAM用户的最近登录时间为空,则检查更新时间,当更新时间小于等于90天时,视为“合规”。未开启控制台访问的用户,视为“不适用”。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
RAM用户下AccessKey的创建时间距离检查时间不超过指定天数,视为“合规”。默认值:90天。 | 5.14 | Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations. | |
Redis实例开启审计日志,视为“合规”。不支持开启审计日志的相关版本实例,视为“不适用”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
MongoDB实例开启审计日志,视为“合规”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
OSS存储空间的日志管理中开启日志转存,视为“合规”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
已接入WAF2.0进行防护的域名均开启日志采集,视为“合规”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
RDS Mysql类型实例开启SQL审计且日志保留天数大于等于指定值,视为“合规”。默认值:180天。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
ADB集群开启SQL审计日志,视为“合规”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
SLB传统型负载均衡实例开启访问日志,视为“合规”。未启用7层监听的实例不支持开启访问日志,视为“不适用”。 | 5.16 | A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. | |
RDS实例为多可用区实例,视为“合规”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
Redis实例为多可用区实例,视为“合规”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
SLB实例为多可用区实例,视为“合规”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ALB实例为多可用区实例,视为“合规”。如果只选择了一个可用区,当这个可用区出现故障时,会影响ALB实例,进而影响业务稳定性。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
使用多可用区的MongoDB实例,视为“合规”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
弹性伸缩组关联至少两个交换机,视为“合规”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
终端节点服务配置多个可用区,视为“合规”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
PolarDB集群开启存储热备集群,数据分布在多个可用区,视为“合规”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
SLB负载均衡的虚拟服务器组挂载资源分布在多个可用区,视为“合规”。虚拟服务器组无挂载任何资源时不适用本规则,视为“不适用”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. | |
ALB负载均衡的服务器组挂载资源分布在多个可用区,视为“合规”。ALB服务器组无挂载任何资源时不适用本规则,视为“不适用”。 | 5.20 | You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity. |