Queries the results of check items by type or name.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeRiskCheckResult

The operation that you want to perform.

Set the value to DescribeRiskCheckResult.

SourceIp String No 1.2.3.4

The source IP address of the request.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese
  • en: English
GroupId Long No 1

The type ID of the check item. Valid values:

  • 1: identity authentication and permissions
  • 2: network access control
  • 3: log audit
  • 4: data security
  • 5: monitoring and alerting
  • 6: basic security protection
CurrentPage Integer No 1

The number of the page to return.

RiskLevel String No high

The risk level of the check item. Valid values:

  • high: high severity
  • medium: medium severity
  • low: low severity
Status String No pass

The status of the check item to return. Valid values:

  • pass: The item passed the check.
  • failed: The item failed to pass the check.
  • running: The check on the item is running.
  • waiting: The check on the item is waiting to be run.
  • ignored: The check item is ignored.
  • falsePositive: The check result is marked as a false positive.
ItemIds.N RepeatList No 1

The ID of the check item. For more information, see the table that follows the Response parameters table.

AssetType String No RDS

The type of the Alibaba Cloud service. For more information, see the table that follows the Response parameters table.

Name String No Cloud platform - Multi-factor authentication configuration of Alibaba Cloud accounts

The name of the check item. For more information, see the table that follows the Response parameters table.

PageSize Integer No 100

The number of entries to return on each page. If the PageSize parameter is empty, 20 entries are returned per page by default.

Note: We recommend that you set the PageSize parameter to a value that is not empty.

Response parameters

Parameter Type Example Description
Count Integer 10

The number of entries returned on the current page.

CurrentPage Integer 1

The page number of the returned page.

List Array of RiskCheckResultForDisplay

The information about the check item.

AffectedCount Integer 0

The number of affected assets.

CheckTime Long 1543991525000

The time when the last check was performed.

ItemId Long 1

The ID of the check item. For more information, see the table that follows the Response parameters table.

RemainingTime Integer 0

The estimated time when the next check is performed.

RepairStatus String disabled

Indicates whether a solution is provided to fix the vulnerabilities detected under the specified check item. Valid values:

  • enabled: yes
  • disabled: no
RiskAssertType String ECS

The type of the affected asset.

RiskItemResources Array of RiskItemResource

The details of the check item.

ContentResource Json { "type": "link", "value": "Risk: multi-factor authentication is disabled\n", "url": "https://***.aliyun.com/#/secure\n" }

The content of the check item.

ResourceName String bestPractice

The title in the details of the check item. Valid values:

  • bestPractice: description of the check
  • influence: risks
  • suggestion: solutions
  • helpResource: references
RiskLevel String high

The risk level of the check item. Valid values:

  • high: high severity
  • medium: medium severity
  • low: low severity
Sort Integer 1

The sequence number of the check result. The check items are sorted based on the sequence number.

StartStatus String enabled

Indicates whether the check item is supported by the Alibaba Cloud service. Valid values:

  • enabled: supported.
  • disable: not supported.
Status String pass

The status of the check item. Valid values:

  • pass: The item passed the check.
  • failed: The item failed to pass the check.
  • running: The check on the item is running.
  • waiting: The check on the item is waiting to be run.
  • ignored: The check item is ignored.
  • falsePositive: The check result is marked as a false positive.
TaskId Long 647189

The ID of the check task.

Title String Cloud platform - Multi-factor authentication (MFA) configuration of Alibaba Cloud accounts

The name of the check item.

Type String Identity authentication and permissions

The type of the check item. Valid values:

  • Identity authentication and permissions
  • Network access control
  • Log audit
  • Data security
  • Monitoring and alerting
  • Basic security protection
PageCount Integer 20

The total number of pages returned.

PageSize Integer 10

The number of entries returned on each page.

RequestId String AD271C07-4ACE-413D-AA9B-F14FD3B7717F

The ID of the request.

TotalCount Integer 12

The total number of entries returned.

The following table lists IDs, names, types, risk levels, Alibaba Cloud service types, and descriptions of all check items of Alibaba Cloud service configuration assessment.

| ItemId (check item ID) | Name (check item name) | GroupId (check item type) | RiskLevel (risk level) | AssetType (Alibaba Cloud service type) | Description |
| --- | --- | --- | --- | --- | --- |
| 1 | ActionTrail - log audit | 3: log audit | medium | ActionTrail | Checks whether you activated ActionTrail to record operations logs on the cloud and save the logs to Object Storage Service (OSS) buckets. |
| 2 | RDS - Database security policies | 4: data security | medium | RDS | Checks whether you enabled the Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and SQL audit functions for each ApsaraDB for RDS instance. |
| 3 | Alibaba Cloud account security - MFA | 1: identity authentication and permissions | high | RAM | Checks whether you enabled MFA for your Alibaba Cloud account. |
| 4 | Alibaba Cloud Security - back-to-origin configurations of Anti-DDoS Pro or Anti-DDoS Premium | 2: network access control | high | DDoS | Checks whether the actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure security group rules for the ECS instances. You can configure access control policies to allow only access requests from back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. |
| 5 | RDS - whitelist configurations | 2: network access control | high | RDS | Checks whether the whitelist of an ApsaraDB for RDS instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the ApsaraDB for RDS instance. To prevent security risks, we recommend that you configure RDS whitelists to allow only requests from specific IP addresses. |
| 6 | SLB - high-risk ports | 2: network access control | high | SLB | Checks whether SLB is configured to forward requests from high-risk ports to the Internet. |
| 7 | Alibaba Cloud Security - back-to-origin configurations of Web Application Firewall (WAF) | 2: network access control | high | WAF | Checks whether the actual IP addresses of backend servers are hidden after you use WAF. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the SLB instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of ECS instances, you can configure security group rules for the ECS instances. You can configure access control policies to allow only access requests from back-to-origin IP addresses of WAF. |
| 8 | Alibaba Cloud Security - Security Center agent status | 6: basic security protection | high | ECS | Checks whether the Security Center agent on the ECS instance remains online to provide protection. |
| 12 | OSS - bucket permissions | 4: data security | high | OSS | Checks whether the ACL of any of your OSS buckets is public-read or public-read-write. The public-read-write or public-read ACL allows users to read or write the data in your OSS buckets without authorization. To ensure data security, we recommend that you set the ACL of all your buckets to private. |
| 13 | Security Center - AccessKey leak detection | 5: monitoring and alerting | medium | RAM | Checks whether AccessKey leak detection is enabled. API credentials (AccessKey pairs) are unique and important identity credentials for Alibaba Cloud users to call the API operations of a specific Alibaba Cloud service and access the required cloud resources. We recommend that you enable AccessKey leak detection to prevent AccessKey leaks. |
| 14 | ApsaraDB for MongoDB - whitelist configurations | 2: network access control | high | MongoDB | Checks whether whitelists are enabled for ApsaraDB for MongoDB instances. If whitelists are enabled and the whitelists are empty or contain the 0.0.0.0/0 CIDR block, the requests from all IP addresses are allowed. In this case, security risks may occur. We recommend that you configure the whitelist to allow only access requests from trusted IP addresses. |
| 15 | RAM - RAM user MFA | 1: identity authentication and permissions | medium | RAM | Checks whether MFA is enabled for RAM users. |
| 16 | OSS - log record configurations | 4: data security | medium | OSS | Checks whether the log record feature is enabled for all OSS buckets. When you access OSS, a large number of access logs are generated. After you enable and configure the log record feature for a bucket, an object with a specific prefix is generated on an hourly basis to record access logs of the bucket. To analyze the access logs, you can use Alibaba Cloud Data Lake Analytics (DLA) or build a Spark cluster. You can configure lifecycle rules for the bucket to convert the storage class of log objects to Archive for long-term archiving. |
| 17 | OSS - cross-region replication configurations | 4: data security | low | OSS | Checks whether cross-region replication (CRR) is enabled for all OSS buckets. CRR enables the automatic and asynchronous replication of objects across buckets in different OSS data centers (regions). CRR synchronizes operations such as creation, overwriting, and deletion of objects from the source bucket to the destination bucket. CRR meets data replication requirements of users, and provides an ideal cross-region disaster recovery method for buckets. Objects in the destination bucket are replicas of objects in the source bucket. Each object in the source bucket has the same name, content, and metadata as the replica in the destination bucket. These include the creation time, owner, user-defined metadata, and access control lists (ACLs). |
| 18 | RDS - backup configurations | 4: data security | medium | RDS | Checks whether database backup is enabled for ApsaraDB for RDS instances. We recommend that you enable data backup for RDS instances and perform a data backup task on a daily basis. |
| 19 | ApsaraDB for Redis - whitelist configurations | 2: network access control | high | Redis | Checks the whitelist configurations of ApsaraDB for Redis. |
| 20 | ECS - SSH key pairs | 1: identity authentication and permissions | medium | ECS | Checks whether SSH key pair-based logon is enabled for the ECS instances. |
| 21 | SLB - health status | 5: monitoring and alerting | low | SLB | Checks whether SLB backend servers are available. |
| 22 | PolarDB - whitelist configurations | 2: network access control | medium | PolarDB | Checks whether the whitelist of a PolarDB cluster contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the PolarDB cluster. To prevent security risks, we recommend that you configure whitelists to allow only requests from specific IP addresses. |
| 23 | AnalyticDB for PostgreSQL - whitelist configurations | 2: network access control | medium | PostgreSQL | Checks whether the whitelist of an AnalyticDB for PostgreSQL instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the AnalyticDB for PostgreSQL instance. To prevent security risks, we recommend that you configure whitelists to allow only requests from specific IP addresses. |
| 24 | ECS - disk encryption | 4: data security | low | ECS | Checks whether disk encryption is enabled. Disk encryption allows you to meet security or regulatory compliance requirements. |
| 25 | SLB - whitelist configurations | 2: network access control | medium | SLB | Checks the SLB whitelist configurations. We recommend that you configure whitelists for non-HTTP and non-HTTPS services, and that you do not add 0.0.0.0/0 to the whitelists. |
| 26 | SLB - certificate expiration | 5: monitoring and alerting | medium | SLB | Checks whether the SLB certificate is expired. |
| 27 | ECS - automatic snapshot policies | 4: data security | medium | ECS | Checks whether automatic snapshot is enabled for ECS instances. |
| 28 | SSL certificates - validity check | 4: data security | medium | SSL | Checks whether the SSL certificate is within its validity period. |
| 30 | OSS - bucket server-side encryption | 4: data security | low | OSS | Checks whether server-side encryption is enabled for OSS buckets. |
| 31 | OSS - bucket hotlink protection | 2: network access control | low | OSS | Checks whether hotlink protection is configured for OSS buckets. |
| 32 | RDS - cross-region backup configurations | 4: data security | low | RDS | Checks whether cross-region backup is enabled for ApsaraDB for RDS instances. |
| 33 | ApsaraDB for MongoDB - backup configurations | 4: data security | medium | MongoDB | Checks whether data backup is enabled for ApsaraDB for MongoDB instances. |
| 34 | ApsaraDB for MongoDB - log audit | 3: log audit | medium | MongoDB | Checks whether log audit is enabled for ApsaraDB for MongoDB instances. |
| 35 | ApsaraDB for MongoDB - SSL certificate | 4: data security | medium | MongoDB | Checks whether SSL certificate checks are enabled for ApsaraDB for MongoDB instances. |
| 36 | Cloud Monitor - Cloud Monitor agent status | 5: monitoring and alerting | medium | CloudMonitor | Checks whether the Cloud Monitor agent is running as expected. |
| 37 | ECS - security group policies | 2: network access control | medium | ECS | Checks the ECS security group rules. |
| 38 | VPC - DNAT rules | 2: network access control | medium | VPC | Checks the open ports that are based on the DNAT rules in VPCs. |
| 39 | Redis - backup configurations | 4: data security | medium | Redis | Checks whether data backup is enabled for ApsaraDB for Redis instances. |
| 40 | Container Registry - repository permission configurations | 4: data security | high | CR | Checks whether permissions are correctly configured for the repository in Container Registry. |
| 41 | Container Registry - security scan | 6: basic security protection | low | CR | Checks whether security scan is enabled for Container Registry. |
| 42 | SLB - access log configurations | 3: log audit | medium | SLB | Checks whether the access log feature is configured for SLB instances. |
| 43 | Redis - log audit configurations | 3: log audit | low | Redis | Checks the log audit configurations of ApsaraDB for Redis instances. |
| 44 | OSS - authorization policies | 1: identity authentication and permissions | medium | OSS | Checks whether correct authorization policies are enabled for OSS. |
| 46 | PolarDB - backup configurations | 4: data security | medium | PolarDB | Checks whether data backup is enabled for PolarDB. |
| 47 | PolarDB - SQL Explorer | 3: log audit | medium | PolarDB | Checks whether SQL Explorer is enabled for PolarDB clusters. |
| 49 | Alibaba Cloud account security - AccessKey pair | 1: identity authentication and permissions | medium | RAM | Checks whether the AccessKey pair is enabled for your Alibaba Cloud account. |
| 51 | CDN - real-time log push | 3: log audit | medium | CDN | Checks whether the real-time log push feature is enabled for CDN. |
| 52 | ApsaraDB for Redis - SSL certificate | 4: data security | medium | Redis | Checks whether SSL certificates are enabled for ApsaraDB for Redis instances. |

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeRiskCheckResult
&GroupId=1
&RiskLevel=high
&PageSize=100
&<Common request parameters>

Sample success responses

XML format

<DescribeRiskCheckResultResponse>
      <TotalCount>12</TotalCount>
      <RequestId>AD271C07-4ACE-413D-AA9B-F14FD3B7717F</RequestId>
      <PageCount>20</PageCount>
      <PageSize>10</PageSize>
      <CurrentPage>1</CurrentPage>
      <List>
            <Status>pass</Status>
            <CheckTime>1543991525000</CheckTime>
            <TaskId>647189</TaskId>
            <RemainingTime>0</RemainingTime>
            <Title>Cloud platform - Multi-factor authentication configuration of Alibaba Cloud accounts</Title>
            <ItemId>1</ItemId>
            <RiskAssertType>ECS</RiskAssertType>
            <Type>Identity authentication and permissions</Type>
            <StartStatus>enabled</StartStatus>
            <AffectedCount>0</AffectedCount>
            <Sort>1</Sort>
            <RepairStatus>disabled</RepairStatus>
            <RiskLevel>high</RiskLevel>
            <RiskItemResources>
                  <ContentResource>{   "type": "link",   "value": "Risk: multi-factor authentication is disabled\n",   "url": "https://***.aliyun.com/#/secure\n" }</ContentResource>
                  <ResourceName>bestPractice</ResourceName>
            </RiskItemResources>
      </List>
      <Count>10</Count>
</DescribeRiskCheckResultResponse>

JSON format

{
    "TotalCount": 12,
    "RequestId": "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
    "PageCount": 20,
    "PageSize": 10,
    "CurrentPage": 1,
    "List": [
        {
            "Status": "pass",
            "CheckTime": 1543991525000,
            "TaskId": 647189,
            "RemainingTime": 0,
            "Title": "Cloud platform - Multi-factor authentication configuration of Alibaba Cloud accounts",
            "ItemId": 1,
            "RiskAssertType": "ECS",
            "Type": "Identity authentication and permissions",
            "StartStatus": "enabled",
            "AffectedCount": 0,
            "Sort": 1,
            "RepairStatus": "disabled",
            "RiskLevel": "high",
            "RiskItemResources": [
                {
                    "ContentResource": "{   \"type\": \"link\",   \"value\": \"Risk: multi-factor authentication is disabled\\n\",   \"url\": \"https://***.aliyun.com/#/secure\\n\" }",
                    "ResourceName": "bestPractice"
                }
            ]
        }
    ],
    "Count": 10
}
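The following is an added example, not part of the original reference and not Alibaba Cloud SDK code. It shows one way to consume this operation for triage: walk every page using CurrentPage and PageCount, keep only failed items, and decode the JSON string carried in ContentResource. The names `collect_failed`, `decode_resources`, `as_list`, `fake_fetch` and the sample pages are assumptions made for illustration; a real `fetch_page` would sign and send the request.

```python
import json
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def as_list(value):
    # Tolerate a lone object (or nothing) where the type table says Array.
    if not value:
        return []
    return value if isinstance(value, list) else [value]

def decode_resources(item):
    """Map ResourceName -> decoded ContentResource (JSON carried as a string)."""
    decoded = {}
    for res in as_list(item.get("RiskItemResources")):
        raw = res.get("ContentResource", "")
        try:
            content = json.loads(raw) if isinstance(raw, str) else raw
        except ValueError:
            content = {"type": "text", "value": raw}
        if isinstance(content, dict):  # the page's sample values end in "\n"
            content = {k: v.strip() if isinstance(v, str) else v for k, v in content.items()}
        decoded[res.get("ResourceName")] = content
    return decoded

def collect_failed(fetch_page, page_size=100, **filters):
    """Walk every page and return failed items, highest risk first."""
    findings, page = [], 1
    while True:
        body = fetch_page({"Action": "DescribeRiskCheckResult", "Status": "failed",
                           "CurrentPage": page, "PageSize": page_size, **filters})
        items = as_list(body.get("List"))
        for item in items:
            if item.get("Status") == "failed":  # re-check; do not rely on the filter alone
                findings.append({
                    "item_id": int(item["ItemId"]),
                    "title": item.get("Title"),
                    "risk": item.get("RiskLevel"),
                    "affected": int(item.get("AffectedCount", 0)),
                    "details": decode_resources(item),
                })
        if not items or page >= int(body.get("PageCount", 1)):
            return sorted(findings, key=lambda f: (RISK_ORDER.get(f["risk"], 3), f["item_id"]))
        page += 1

# Constructed responses, not real output. Page 2 uses a lone object and string numbers.
_TEXT = json.dumps({"type": "text", "value": "Constructed remediation text\n"})
CONSTRUCTED_PAGES = {
    1: {"PageCount": 2, "List": [
        {"ItemId": 15, "Title": "RAM - RAM user MFA", "RiskLevel": "medium",
         "Status": "failed", "AffectedCount": 4},
        {"ItemId": 18, "Title": "RDS - backup configurations", "RiskLevel": "medium",
         "Status": "pass", "AffectedCount": 0}]},
    2: {"PageCount": "2", "List": {
        "ItemId": "12", "Title": "OSS - bucket permissions", "RiskLevel": "high",
        "Status": "failed", "AffectedCount": "3", "RiskItemResources": {
            "ContentResource": _TEXT, "ResourceName": "suggestion"}}},
}

def fake_fetch(params):  # hypothetical stub; a real transport signs and sends params
    return CONSTRUCTED_PAGES[params["CurrentPage"]]
```

Calling `collect_failed(fake_fetch)` returns the two failed items from the constructed pages, with the high-severity OSS item first.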

Error codes

For a list of error codes, visit the API Error Center.