Security Center:DescribeRiskCheckResult

Last Updated:Feb 20, 2024

Queries the check results of cloud service configurations by check item type or name.

Operation description

This operation is deprecated. Use the ListCheckResult operation instead.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or RAM role must also be authorized to perform in order to complete this operation.
Operation: yundun-sas:DescribeRiskCheckResult
Access level: Read
Resource type: All Resources (*)
Condition key: none
Associated operation: none

Because the operation cannot be authorized at the resource level, the minimal policy statement for a read-only auditing RAM user or role allows the action yundun-sas:DescribeRiskCheckResult on the resource *.

Request parameters

Each parameter is listed with its type and whether it is required, followed by its description and an example value.

SourceIp (string, optional)
  The source IP address of the request.
  Example: 1.2.XX.XX

Lang (string, optional)
  The language of the content within the request and response. Default value: zh. Valid values:
    • zh: Chinese
    • en: English
  Example: zh

GroupId (long, optional)
  The type of the check items to query. Valid values:
    • 1: identity authentication and permissions
    • 2: network access control
    • 3: log audit
    • 4: data security
    • 5: monitoring and alerting
    • 6: basic security protection
  Note: If you do not specify this parameter, check items of all types are queried.
  Example: 1

CurrentPage (integer, optional)
  The number of the page to return. Default value: 1.
  Example: 1

RiskLevel (string, optional)
  The risk level of the check items to query. Valid values:
    • high
    • medium
    • low
  Example: high

Status (string, optional)
  The status of the check results to query. Valid values:
    • pass
    • failed
    • running
    • waiting
    • ignored
    • falsePositive
  Example: pass

AssetType (string, optional)
  The cloud service whose configuration check results you want to query. The supported values are listed in the AssetType column of the check item table at the end of the "Response parameters" section of this topic.
  Example: RDS

Name (string, optional)
  The name of the check item. The supported check items are listed in the check item table at the end of the "Response parameters" section of this topic.
  Example: ALB_NetWorkAccessControl

PageSize (integer, optional)
  The number of entries to return on each page. Default value: 20.
  Example: 20

QueryFlag (string, optional)
  Filters check items by whether they are supported by the edition of Security Center that you purchased. Valid values:
    • enabled: supported
    • disabled: not supported
  Example: enabled

ItemIds (array of string, optional)
  The IDs of the check items to query. The IDs are listed in the ItemId column of the check item table at the end of the "Response parameters" section of this topic.
  Example element: 15

Response parameters

The response body is an object with the following fields. Each field is listed with its type, followed by its description and an example value.

CurrentPage (integer)
  The page number of the returned page.
  Example: 1

RequestId (string)
  The ID of the request, which is used to locate and troubleshoot issues.
  Example: AD271C07-4ACE-413D-AA9B-F14FD3B7717F

PageSize (integer)
  The number of entries returned per page. Default value: 20.
  Example: 20

TotalCount (integer)
  The total number of entries that match the query.
  Example: 12

PageCount (integer)
  The total number of pages.
  Example: 20

Count (integer)
  The number of entries returned on the current page.
  Example: 10

List (array of object)
  The check items. Each element has the following fields.

  RiskLevel (string)
    The risk level of the check item. Valid values:
      • high
      • medium
      • low
    Example: high

  Status (string)
    The status of the check result. Valid values:
      • pass
      • failed
      • running
      • waiting
      • ignored
      • falsePositive
    Example: pass

  Type (string)
    The type of the check item. Valid values:
      • Identity authentication and permissions
      • Network access control
      • Log audit
      • Data security
      • Monitoring and alerting
      • Basic security protection
    Example: Log audit

  Sort (integer)
    The sequence number of the check item in the results. The check items are sorted by this number.
    Example: 1

  RepairStatus (string)
    Indicates whether the risks detected by the check item can be fixed from Security Center. Valid values:
      • enabled: yes
      • disabled: no
    Example: disabled

  RemainingTime (integer)
    The time until the next check is performed.
    Example: 0

  ItemId (long)
    The ID of the check item. The IDs are listed in the check item table at the end of this section.
    Example: 1

  StartStatus (string)
    Indicates whether the check item is supported by the edition of Security Center that you purchased. Valid values:
      • enabled: yes
      • disable: no
    Example: enabled

  AffectedCount (integer)
    The number of affected assets.
    Example: 0

  RiskAssertType (string)
    The type of the affected assets, given as the cloud service.
    Example: ECS

  Title (string)
    The name of the check item.
    Example: RDS - Whitelist Configuration

  TaskId (long)
    The ID of the check task.
    Example: 15384933

  CheckTime (long)
    The timestamp when the last check was performed. Unit: milliseconds.
    Example: 1639429164000

  RiskItemResources (array of object)
    The details of the check item. Each element has the following fields.

    ContentResource (object)
      The details of the check result, as a map from key to value. Each value is itself a JSON document serialized as a string, so a client must decode it a second time; for example, a link element carries the fields type, url, and value.
      Example value: {"type":"link","url":"https://help.aliyun.com/document_detail/28635.html","value":"https://help.aliyun.com/document_detail/28635.html"}

    ResourceName (string)
      The section of the details that the content belongs to. Valid values:
        • bestPractice: description
        • influence: risk
        • suggestion: solution
        • helpResource: reference
      Example: bestPractice

The following list describes the check items that are supported by the configuration assessment feature. Each entry gives the ItemId, the Name, the GroupId (check item type), the RiskLevel, and the AssetType (Alibaba Cloud service) of the check item, followed by a description of what the check item verifies.

  • ItemId 1: ActionTrail - logging. GroupId 3 (log audit), RiskLevel medium, AssetType ActionTrail. Checks whether ActionTrail is used to record operation logs on the cloud and save the logs to Object Storage Service (OSS) buckets.
  • ItemId 2: ApsaraDB RDS - database security policies. GroupId 4 (data security), RiskLevel medium, AssetType RDS. Checks whether the SSL encryption, Transparent Data Encryption (TDE), and SQL Audit features are enabled for each ApsaraDB RDS instance.
  • ItemId 3: Alibaba Cloud account security - MFA. GroupId 1 (identity authentication and permissions), RiskLevel high, AssetType RAM. Checks whether multi-factor authentication (MFA) is enabled for the Alibaba Cloud account to which you are logged on.
  • ItemId 4: Alibaba Cloud Security - Back-to-origin configurations of Anti-DDoS Pro or Anti-DDoS Premium. GroupId 2 (network access control), RiskLevel high, AssetType DDoS. Checks whether the actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, attackers cannot bypass the protection and access the backend servers directly. To hide the actual IP addresses, configure access control policies that allow access from only the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium: configure SLB whitelists to hide the IP addresses of Server Load Balancer (SLB) instances, and configure security group rules to hide the IP addresses of Elastic Compute Service (ECS) instances.
  • ItemId 5: ApsaraDB RDS - whitelist configurations. GroupId 2 (network access control), RiskLevel high, AssetType RDS. Checks whether a whitelist of an ApsaraDB RDS instance contains the CIDR block 0.0.0.0/0. If the whitelist contains this CIDR block, all IP addresses are allowed to access the ApsaraDB RDS instance. For security purposes, we recommend that you configure RDS whitelists to allow access from only specified IP addresses.
  • ItemId 6: SLB - open ports. GroupId 2 (network access control), RiskLevel high, AssetType SLB. Checks whether SLB is configured to forward requests from high-risk ports to the Internet.
  • ItemId 7: Alibaba Cloud Security - back-to-origin configuration checks for WAF. GroupId 2 (network access control), RiskLevel high, AssetType WAF. Checks whether the actual IP addresses of backend servers are hidden after you use Web Application Firewall (WAF). If the actual IP addresses are hidden, attackers cannot bypass WAF and access the backend servers directly. To hide the actual IP addresses, configure access control policies that allow access from only the back-to-origin IP addresses of WAF: configure SLB whitelists to hide the IP addresses of SLB instances, and configure security group rules to hide the IP addresses of ECS instances.
  • ItemId 8: Alibaba Cloud Security - agent status. GroupId 6 (basic security protection), RiskLevel high, AssetType ECS. Checks whether the Security Center agent on your ECS instances is always online and providing protection.
  • ItemId 12: OSS - bucket permissions. GroupId 4 (data security), RiskLevel high, AssetType OSS. Checks whether the access control list (ACL) of any of your OSS buckets is public-read or public-read-write. These ACLs allow anyone to read, or read and write, the data in the bucket without authentication. To ensure data security, we recommend that you set the ACL of all your buckets to private.
  • ItemId 13: Security Center - detection of AccessKey pair leaks. GroupId 5 (monitoring and alerting), RiskLevel medium, AssetType RAM. Checks whether detection of AccessKey pair leaks is enabled. AccessKey pairs are the API credentials of an account and are unique, high-value identity credentials. We recommend that you enable the detection so that leaked AccessKey pairs are found quickly.
  • ItemId 14: ApsaraDB for MongoDB - whitelist configurations. GroupId 2 (network access control), RiskLevel high, AssetType MongoDB. Checks whether whitelists are enabled for ApsaraDB for MongoDB instances. If whitelists are enabled but a whitelist is empty or contains the CIDR block 0.0.0.0/0, requests from all IP addresses are allowed, which is a security risk. We recommend that you specify trusted IP addresses in a whitelist to allow access from only those addresses.
  • ItemId 15: RAM - MFA configuration for RAM users. GroupId 1 (identity authentication and permissions), RiskLevel medium, AssetType RAM. Checks whether MFA is enabled for RAM users.
  • ItemId 16: OSS - logging. GroupId 4 (data security), RiskLevel medium, AssetType OSS. Checks whether the logging feature is enabled for all OSS buckets. A large number of logs are generated when OSS resources are accessed. After you enable and configure logging for a bucket, OSS generates log objects every hour based on predefined naming conventions and stores them in a specified bucket. You can use Alibaba Cloud Data Lake Analytics (DLA) or a Spark cluster to analyze the logs, and you can configure lifecycle rules for the bucket to convert the storage class of log objects to Archive for long-term retention.
  • ItemId 17: OSS - cross-region replication. GroupId 4 (data security), RiskLevel low, AssetType OSS. Checks whether cross-region replication (CRR) is enabled for all OSS buckets. CRR automatically and asynchronously replicates objects across OSS buckets in different regions, synchronizing create, overwrite, and delete operations from a source bucket to a destination bucket, which meets geo-disaster recovery and data replication requirements. Objects in the destination bucket are duplicates of objects in the source bucket, with the same names, content, and metadata, such as the creation time, owner, user metadata, and ACL.
  • ItemId 18: ApsaraDB RDS - database backup. GroupId 4 (data security), RiskLevel medium, AssetType RDS. Checks whether database backup is enabled for ApsaraDB RDS instances. We recommend that you enable database backup for ApsaraDB RDS instances and run a backup task daily.
  • ItemId 19: ApsaraDB for Redis - whitelist configurations. GroupId 2 (network access control), RiskLevel high, AssetType Redis. Checks the access control configurations of ApsaraDB for Redis instances.
  • ItemId 20: ECS - public key authentication. GroupId 1 (identity authentication and permissions), RiskLevel medium, AssetType ECS. Checks whether SSH key pair-based logon is enabled for ECS instances.
  • ItemId 21: SLB - health status. GroupId 5 (monitoring and alerting), RiskLevel low, AssetType SLB. Checks the health status of SLB instances.
  • ItemId 22: PolarDB - whitelist configurations. GroupId 2 (network access control), RiskLevel medium, AssetType PolarDB. Checks whether a whitelist of a PolarDB cluster contains the CIDR block 0.0.0.0/0. If the whitelist contains this CIDR block, all IP addresses are allowed to access the PolarDB cluster. For security purposes, we recommend that you configure whitelists to allow access from only specified IP addresses.
  • ItemId 23: AnalyticDB for PostgreSQL - whitelist configurations. GroupId 2 (network access control), RiskLevel medium, AssetType PostgreSQL. Checks whether a whitelist of an AnalyticDB for PostgreSQL instance contains the CIDR block 0.0.0.0/0. If the whitelist contains this CIDR block, all IP addresses are allowed to access the instance. For security purposes, we recommend that you configure whitelists to allow access from only specified IP addresses.
  • ItemId 24: ECS - storage encryption. GroupId 4 (data security), RiskLevel low, AssetType ECS. Checks whether disk encryption is enabled. Disk encryption helps you meet security and regulatory compliance requirements.
  • ItemId 25: SLB - whitelist configurations. GroupId 2 (network access control), RiskLevel medium, AssetType SLB. Checks the whitelist configurations of SLB instances. We recommend that you configure whitelists for non-HTTP and non-HTTPS services and that you do not add 0.0.0.0/0 to the whitelists.
  • ItemId 26: SLB - certificate validity checks. GroupId 5 (monitoring and alerting), RiskLevel medium, AssetType SLB. Checks whether an SLB certificate has expired.
  • ItemId 27: ECS - automatic snapshot policies. GroupId 4 (data security), RiskLevel medium, AssetType ECS. Checks whether automatic snapshot policies are enabled for ECS instances.
  • ItemId 28: Certificate Management Service - validity checks. GroupId 4 (data security), RiskLevel medium, AssetType SSL. Checks whether an SSL certificate is within its validity period.
  • ItemId 30: OSS - bucket server-side encryption. GroupId 4 (data security), RiskLevel low, AssetType OSS. Checks whether server-side encryption is enabled for OSS buckets.
  • ItemId 31: OSS - bucket hotlink protection. GroupId 2 (network access control), RiskLevel low, AssetType OSS. Checks whether hotlink protection is configured for OSS buckets.
  • ItemId 32: ApsaraDB RDS - cross-region backup configurations. GroupId 4 (data security), RiskLevel low, AssetType RDS. Checks whether cross-region backup is configured for ApsaraDB RDS instances.
  • ItemId 33: ApsaraDB for MongoDB - backup configurations. GroupId 4 (data security), RiskLevel medium, AssetType MongoDB. Checks whether data backup is enabled for ApsaraDB for MongoDB instances.
  • ItemId 34: ApsaraDB for MongoDB - log audit. GroupId 3 (log audit), RiskLevel medium, AssetType MongoDB. Checks whether log audit is enabled for ApsaraDB for MongoDB instances.
  • ItemId 35: ApsaraDB for MongoDB - SSL encryption. GroupId 4 (data security), RiskLevel medium, AssetType MongoDB. Checks whether SSL certificate checks are enabled for ApsaraDB for MongoDB instances.
  • ItemId 36: CloudMonitor - agent status. GroupId 5 (monitoring and alerting), RiskLevel medium, AssetType CloudMonitor. Checks whether the status of the CloudMonitor agent is normal.
  • ItemId 37: ECS - security group policies. GroupId 2 (network access control), RiskLevel medium, AssetType ECS. Checks the security group policies of ECS instances.
  • ItemId 38: VPC - DNAT management port mapping. GroupId 2 (network access control), RiskLevel medium, AssetType VPC. Checks whether a virtual private cloud (VPC) destination network address translation (DNAT) rule maps management ports to the Internet.
  • ItemId 39: ApsaraDB for Redis - backup configurations. GroupId 4 (data security), RiskLevel medium, AssetType Redis. Checks whether data backup is enabled for ApsaraDB for Redis instances.
  • ItemId 40: Container Registry - repository permission configurations. GroupId 4 (data security), RiskLevel high, AssetType CR. Checks whether repository permissions are correctly configured in Container Registry.
  • ItemId 41: Container Registry - security scans. GroupId 6 (basic security protection), RiskLevel low, AssetType CR. Checks whether security scanning is enabled in Container Registry.
  • ItemId 42: SLB - logging. GroupId 3 (log audit), RiskLevel medium, AssetType SLB. Checks whether access logging is configured for SLB instances.
  • ItemId 43: ApsaraDB for Redis - log audit. GroupId 3 (log audit), RiskLevel low, AssetType Redis. Checks whether log audit is configured for ApsaraDB for Redis instances.
  • ItemId 44: OSS - authorization policies. GroupId 1 (identity authentication and permissions), RiskLevel medium, AssetType OSS. Checks whether authorization policies are correctly configured in OSS.
  • ItemId 46: PolarDB - backup configurations. GroupId 4 (data security), RiskLevel medium, AssetType PolarDB. Checks whether data backup is enabled for PolarDB clusters.
  • ItemId 47: PolarDB - SQL Explorer. GroupId 3 (log audit), RiskLevel medium, AssetType PolarDB. Checks whether SQL Explorer is enabled for PolarDB clusters.
  • ItemId 49: Alibaba Cloud account security - AccessKey pair. GroupId 1 (identity authentication and permissions), RiskLevel medium, AssetType RAM. Checks whether an AccessKey pair is enabled for your Alibaba Cloud account.
  • ItemId 51: Alibaba Cloud CDN - real-time log push feature. GroupId 3 (log audit), RiskLevel medium, AssetType CDN. Checks whether real-time log push is enabled in Alibaba Cloud CDN.
  • ItemId 52: ApsaraDB for Redis - SSL encryption. GroupId 4 (data security), RiskLevel medium, AssetType Redis. Checks whether SSL certificates are used for ApsaraDB for Redis instances.

Examples

Sample success response (JSON format)

The field values in this sample are placeholders and are not mutually consistent: ItemId 1 is "ActionTrail - logging" in the check item table, while Title and RiskAssertType show an RDS check item and ECS, and PageCount is 20 although TotalCount is 12 with a PageSize of 20. Use the sample for field names and shapes only, not to infer how fields relate to each other.

{
  "CurrentPage": 1,
  "RequestId": "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
  "PageSize": 20,
  "TotalCount": 12,
  "PageCount": 20,
  "Count": 10,
  "List": [
    {
      "RiskLevel": "high",
      "Status": "pass",
      "Type": "Log audit",
      "Sort": 1,
      "RepairStatus": "disabled",
      "RemainingTime": 0,
      "ItemId": 1,
      "StartStatus": "enabled",
      "AffectedCount": 0,
      "RiskAssertType": "ECS",
      "Title": "RDS - Whitelist Configuration",
      "TaskId": 15384933,
      "CheckTime": 1639429164000,
      "RiskItemResources": [
        {
          "ContentResource": {
            "key": "{\"type\":\"link\",\"url\":\"https://help.aliyun.com/document_detail/28635.html\",\"value\":\"https://help.aliyun.com/document_detail/28635.html\"}"
          },
          "ResourceName": "bestPractice"
        }
      ]
    }
  ]
}
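A client that consumes this response has three practical jobs that the field descriptions above only imply: walk CurrentPage up to PageCount rather than trusting a single page, rank the failed check items for triage, and decode the ContentResource values, which arrive as JSON serialized inside JSON. The following is an added example (not code from this page or from the Alibaba Cloud SDKs) that does all three. The signed API call is abstracted behind a fetch_page(params) callable; fake_fetch_page, the sample pages, and the remediation text in them are constructed for the example, with ItemId and Title pairs taken from the check item table.

```python
"""Page through DescribeRiskCheckResult and triage failed configuration checks.

Added example, not code from the Alibaba Cloud page or its SDKs. The real
signed API request is abstracted behind a `fetch_page(params)` callable;
`fake_fetch_page` below stands in for it and serves constructed sample pages
shaped like the page's sample response.
"""
import json
from typing import Callable, Dict, Iterator, List

# Severity order used for triage: high first, then medium, then low.
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def iter_check_results(fetch_page: Callable[[dict], dict], page_size: int = 20,
                       **filters) -> Iterator[dict]:
    """Yield every element of List across all pages.

    The operation is page-based (CurrentPage/PageSize in, PageCount/List out),
    so pages are requested until CurrentPage reaches PageCount or a page comes
    back empty. Extra keyword arguments (Status="failed", RiskLevel="high",
    GroupId=2, ...) are passed through as request parameters.
    """
    page = 1
    while True:
        resp = fetch_page({"CurrentPage": page, "PageSize": page_size, **filters})
        items = resp.get("List") or []
        yield from items
        if not items or page >= int(resp.get("PageCount", 0)):
            return
        page += 1


def decode_content_resources(item: dict) -> Dict[str, List]:
    """Return {ResourceName: [decoded content, ...]} for one check item.

    Each ContentResource value is a JSON document serialized as a string (see
    the sample response), so it is decoded a second time; values that are not
    valid JSON are kept verbatim.
    """
    decoded: Dict[str, List] = {}
    for res in item.get("RiskItemResources") or []:
        values = decoded.setdefault(res.get("ResourceName", ""), [])
        for raw in (res.get("ContentResource") or {}).values():
            if isinstance(raw, str):
                try:
                    raw = json.loads(raw)
                except ValueError:
                    pass
            values.append(raw)
    return decoded


def failed_checks(items: List[dict]) -> List[dict]:
    """Keep only failed checks, ordered by risk level and then by affected assets."""
    failed = [i for i in items if i.get("Status") == "failed"]
    return sorted(failed, key=lambda i: (RISK_ORDER.get(i.get("RiskLevel"), len(RISK_ORDER)),
                                         -int(i.get("AffectedCount") or 0)))


def _link(url: str) -> str:
    """Serialize a help link the way the API embeds it in ContentResource."""
    return json.dumps({"type": "link", "url": url, "value": url})


# Constructed sample pages (page size 2, three check items in total). The
# remediation text is made up for the example; ItemId/Title pairs follow the
# check item table on the page.
_SAMPLE_PAGES = {
    1: {"CurrentPage": 1, "PageSize": 2, "TotalCount": 3, "PageCount": 2, "Count": 2, "List": [
        {"ItemId": 5, "Title": "ApsaraDB RDS - whitelist configurations", "Type": "Network access control",
         "RiskLevel": "high", "Status": "failed", "AffectedCount": 3, "RiskAssertType": "RDS",
         "RiskItemResources": [
             {"ResourceName": "bestPractice",
              "ContentResource": {"key": _link("https://help.aliyun.com/document_detail/28635.html")}},
             {"ResourceName": "suggestion",
              "ContentResource": {"key": "Remove 0.0.0.0/0 from the whitelist."}}]},
        {"ItemId": 1, "Title": "ActionTrail - logging", "Type": "Log audit",
         "RiskLevel": "medium", "Status": "failed", "AffectedCount": 1, "RiskAssertType": "ActionTrail",
         "RiskItemResources": []}]},
    2: {"CurrentPage": 2, "PageSize": 2, "TotalCount": 3, "PageCount": 2, "Count": 1, "List": [
        {"ItemId": 3, "Title": "Alibaba Cloud account security - MFA",
         "Type": "Identity authentication and permissions", "RiskLevel": "high", "Status": "pass",
         "AffectedCount": 0, "RiskAssertType": "RAM", "RiskItemResources": []}]},
}
REQUESTED_PAGES: List[int] = []  # records which pages the stand-in was asked for


def fake_fetch_page(params: dict) -> dict:
    """Stand-in for the signed API call; serves the constructed pages above."""
    REQUESTED_PAGES.append(params["CurrentPage"])
    return _SAMPLE_PAGES[params["CurrentPage"]]


def triage_report(fetch_page: Callable[[dict], dict] = fake_fetch_page) -> List[dict]:
    """Collect all results, keep the failures, and attach decoded detail sections."""
    report = []
    for item in failed_checks(list(iter_check_results(fetch_page, page_size=2))):
        report.append({"ItemId": item["ItemId"], "Title": item["Title"], "RiskLevel": item["RiskLevel"],
                       "AffectedCount": item["AffectedCount"], "Content": decode_content_resources(item)})
    return report


if __name__ == "__main__":
    for row in triage_report():
        print(f'{row["RiskLevel"]:6} {row["AffectedCount"]:3} {row["Title"]}')
        for section, values in row["Content"].items():
            print(f"   {section}: {values}")
```

In production, fetch_page wraps the signed request and the Status="failed" filter can be pushed into the request parameters instead of being applied client-side; the client-side filter is kept here so that the ordering logic is exercised on mixed results. Stopping on an empty page as well as on PageCount guards against a server that reports a PageCount larger than the data it returns.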

Error codes

Each entry lists the HTTP status code, the error code, the error message, and a description.

  • 400 NoPermission: "no permission". No description.
  • 403 NoPermission: "caller has no permission". You are not authorized to perform this operation.
  • 500 ServerError: "ServerError". No description.

For a complete list of error codes, see Service error codes.

Change history

Change timeSummary of changesOperation
No change history