DescribeRiskCheckResult - API Reference| Alibaba Cloud Documentation Center

Queries the results of check items by type or name.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	Yes	DescribeRiskCheckResult	The operation that you want to perform. Set the value to DescribeRiskCheckResult.
SourceIp	String	No	1.2.3.4	The source IP address of the request.
Lang	String	No	zh	The natural language of the request and response. Valid values: zh: Chinese en: English
GroupId	Long	No	21000	The type ID of the check item. Valid values: 1: identity authentication and permissions 2: network access control 3: log auditing 4: data security 5: monitoring alert 6: basic security protection
CurrentPage	Integer	No	1	The number of the page to return.
RiskLevel	String	No	high	The risk level of the check item. Valid values: high medium low
Status	String	No	pass	The status of the check task to return. Valid values: pass failed running waiting ignored falsePositive
ItemIds.N	RepeatList	No	sde***	The ID of the check item. For more information about the description of the check item ID, see the check item table in the "Response parameters" section of this topic.
AssetType	String	No	RDS	The type of the cloud service. For more information about the description of the cloud service type, see the check item table in the "Response parameters" section of this topic.
Name	String	No	Cloud platform - Two-factor authentication configuration of Alibaba Cloud account	The name of the check item. For more information about the description of the check item name, see the check item table in the "Response parameters" section of this topic.
PageSize	Integer	No	10	The number of entries to return on each page.

Response parameters


Parameter	Type	Example	Description
Count	Integer	10	The number of entries returned on the current page.
CurrentPage	Integer	1	The page number of the returned page.
List	Array		The information about the check item.
AffectedCount	Integer	0	The amount of affected assets.
CheckTime	Long	1543991525000	The time when the last check was performed.
ItemId	Long	1	The ID of the check item. For more information about the description of the check item ID, see the check item table in the "Response parameters" section of this topic.
RemainingTime	Integer	0	The time when the next check will be performed.
RepairStatus	String	disabled	Indicates whether a solution is provided to fix the threats detected under the specified check item. Valid values: enabled: Yes disabled: No
RiskAssertType	String	ECS	The type of the affected asset.
RiskItemResources	Array		The detailed information about the check item.
ContentResource	Json	{ "type": "link", "value": ""Risk: multi-factor authentication is disabled\n", "url": "https://***.aliyun.com/#/secure\n" }	The content of the check item.
ResourceName	String	bestPractice	The title of the content. Valid values: bestPractice: description influence: risks suggestion: solution helpResource: reference
RiskLevel	String	high	The risk level of the check item returned. Valid values: high medium low
Sort	Integer	1	The sequence number of the check result. The check items are sorted based the sequence number.
StartStatus	String	enabled	Indicates whether the check item is supported by the specified cloud service. Valid values: enabled: supported disable: unsupported
Status	String	pass	The status of the check task returned. Valid values: pass failed running waiting ignored falsePositive
TaskId	Long	647189	The ID of the check task.
Title	String	Cloud platform - Two-factor authentication configuration of Alibaba Cloud account	The name of the check item.
Type	String	Identity authentication and permissions	The type of the check item. Valid values: Identity authentication and permissions Network access control Log auditing Data security Monitoring alert Basic security protection
PageCount	Integer	20	The total number of pages returned.
PageSize	Integer	10	The number of entries returned per page.
RequestId	String	AD271C07-4ACE-413D-AA9B-F14FD3B7717F	The ID of the request.
TotalCount	Integer	12	The total number of returned entries.

The following table lists the check items supported by the cloud platform, including the ID, name, type, risk level, service type, and description.


ID	Name	Type	Risk level	Service type	Description
1	Action Trail - Logging Configuration	3: log auditing	medium	ActionTrail	Checks whether you enable ActionTrail to record operations logs on the cloud and save the logs to Object Storage Service (OSS) buckets.
2	RDS - Database Security Policy	4: data security	medium	RDS	Checks whether you enable Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and SQL audit services for each ApsaraDB for RDS instance.
3	Cloud Platform - Account's Two-Factor Authentication Configuration	1: identity authentication and permissions	high	RAM	Checks whether multi-factor authentication (MFA) is enabled for the account used to log on to the Alibaba Cloud Management Console.
4	Cloud Security - Anti-DDoS Pro or Anti-DDoS Premium Back-to-origin Configuration	2: network access control	high	DDoS	Checks whether actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, this prevents attackers from bypassing Anti-DDoS Pro or Anti-DDoS Premium and directly accessing the actual IP addresses. To hide the actual IP addresses, you can configure whitelist policies, for example, when the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances. When the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure access control policies for ECS security groups. All these policies allow access from only back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. </note>
5	RDS - Whitelist Configuration	2: network access control	high	RDS	Checks whether the RDS access control policy is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you restrict the access scope to a specific range of IP addresses rather than exposing database services to the Internet.
6	SLB - High Risk Port Exposure	2: network access control	high	SLB	Checks whether SLB forwards requests from high-risk ports to the Internet.
7	Cloud Security - WAF Back-to-origin Configuration	2: network access control	high	WAF	Checks whether actual IP addresses of backend servers are hidden after you use WAF. If the actual IP addresses are hidden, this prevents attackers from bypassing WAF and directly accessing the actual IP addresses. To hide the actual IP addresses, you can configure whitelist policies, for example, when the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances. When the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure access control policies for ECS security groups. All these allow access from only back-to-origin IP addresses of WAF.
8	Cloud Security - Agent Online Status	6: basic security protection	high	ECS	Checks whether the Security Center agent on the ECS instance is always online and provides protection.
12	OSS - Bucket Access Permissions	4: data security	high	OSS	Checks whether all OSS buckets allow public read/write or public read. If yes, the check fails.
13	Cloud Security - AccessKey Leak	5: monitoring alert	medium	RAM	Checks whether you enable the AccessKey leak prevention function. If no, the check fails.
14	Mongodb - Whitelist Configuration	2: network access control	high	MongoDB	Checks whether the whitelist is configured for the ApsaraDB for MongDB instance. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails.
15	RAM - Users MFA Configuration	1: identity authentication and permissions	medium	RAM	Checks whether the RAM user has two-factor authentication enabled.
16	OSS - Logging Configuration	4: data security	medium	OSS	Checks whether you enable the logging function for all OSS buckets. If no, the check fails.
17	OSS - Cross-Region Replication Configuration	4: data security	low	OSS	Checks whether cross-region replication is enabled for all OSS buckets. If no, the check fails.
18	RDS - Backup Configuration	4: data security	medium	RDS	Checks whether the database backup function is enabled. If no, the check fails.
19	Redis - Whitelist Configuration	2: network access control	high	Redis	Checks access control configurations of the ApsaraDB for Redis instance.
20	ECS - SSH Key Pairs	1: identity authentication and permissions	medium	ECS	Checks whether key pair-based logon is enabled for the ECS instance.
21	SLB - Health Status	5: monitoring alert	low	SLB	Checks the health status of the SLB instance.
22	POLARDB - Whitelist Configuration	2: network access control	medium	POLARDB	Checks the whitelist configured for the Apsara PolarDB instance. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails.
23	AnalyticDB for PostgreSQL - Whitelist Configuration	2: network access control	medium	PostgreSQL	Checks the whitelist of the AnalyticDB for PostgreSQL instance. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails.
24	ECS - Disk Encryption	4: data security	low	ECS	Checks whether disk encryption is enabled. If no, the check fails.
25	SLB - Whitelist Configuration	2: network access control	medium	SLB	Checks the SLB whitelist configuration. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails.
26	SLB - Certificate Expiration	5: monitoring alert	medium	SLB	Checks whether the SLB certificate has expired.
27	ECS - Automatic Snapshot Policy	4 (data security)	medium	ECS	Checks whether automatic snapshot policies are enabled for the ECS instance.
28	SSL Certificates - Expiration Check	4: data security	medium	SSL	Checks whether the SSL certificate is within its validity period.
30	OSS - Server Side Encryption	4: data security	low	OSS	Checks whether server-side encryption is enabled for OSS buckets.
31	OSS - Hotlinking Protection	2: network access control	low	OSS	Checks whether hotlink protection is configured for OSS buckets.
32	RDS - Cross Region Backup Configuration	4: data security	low	RDS	Checks whether cross-region backup is configured for the RDS instance.
33	MongoDB - Backup Configuration	4: data security	medium	MongoDB	Checks whether you enable the backup feature for the ApsaraDB for MongoDB instance.
34	MongoDB - Logging Configuration	3: log auditing	medium	MongoDB	Checks whether you enable log auditing for the ApsaraDB for MongoDB instance.
35	MongoDB - Enable SSL Encryption	4: data security	medium	MongoDB	Checks whether you enable the SSL certificate check function for the ApsaraDB for MongoDB instance.
36	CloudMonitor - Host Monitoring Plugin	5: monitoring alert	medium	CloudMonitor	Checks whether the status of the Cloud Monitor agent is normal.
37	ECS - Security Groups Setting	2: network access control	medium	ECS	Checks the ECS security group policies.
38	VPC - DNAT Rules	2: network access control	medium	VPC	Checks whether a VPC DNAT rule is configured to map management ports to the Internet.
39	Redis - Backup Configuration	4: data security	medium	Redis	Checks whether you enable the backup function for the ApsaraDB for Redis instance.
40	Container Registry - Repository Visibility Settings	4: data security	high	CR	Checks whether permissions are correctly configured for the repository in Container Registry.
41	Container Registry - Image Security Scan	6: basic security protection	low	CR	Checks whether you enable the image security scan function for Container Registry.
42	SLB - Access Logging Configuration	3: log auditing	medium	SLB	Checks whether you configure access logging for the SLB instance.
43	Redis - Audit Log	3: log auditing	low	Redis	Checks whether log auditing is configured for the ApsaraDB for Redis instance.
44	OSS - Bucket policy	1: identity authentication and permissions	medium	OSS	Checks whether you configure the correct authorization policy for OSS.
46	POLARDB - Backup Configuration	4: data security	medium	POLARDB	Checks whether you enable the backup function for the Apsara PolarDB instance.
47	POLARDB - SQL Explorer	3: log auditing	medium	POLARDB	Check whether you enable SQL Explorer for the Apsara PolarDB instance.
48	Account - AccessKey Existence Check	1: identity authentication and permissions	medium	RAM	Checks whether you enable the AccessKey pair of your Alibaba Cloud account.
50	CDN - Real-time Logging	3: log auditing	medium	CDN	Checks whether you enable real-time log push for CDN.
51	Redis - Enable SSL Encryption	4: data security	medium	Redis	Checks whether ApsaraDB for Redis uses SSL certificates.

Examples

Sample requests

http(s)://[Endpoint]/? Action=DescribeRiskCheckResult
&GroupId=1
&RiskLevel=high
&<Common request parameters>

Sample success responses

XML format

<DescribeRiskCheckResultResponse>
      <TotalCount>12</TotalCount>
      <RequestId>AD271C07-4ACE-413D-AA9B-F14FD3B7717F</RequestId>
      <PageCount>20</PageCount>
      <PageSize>10</PageSize>
      <CurrentPage>1</CurrentPage>
      <List>
            <Status>pass</Status>
            <CheckTime>1543991525000</CheckTime>
            <TaskId>647189</TaskId>
            <RemainingTime>0</RemainingTime>
            <Title>Cloud platform - Two-factor authentication configuration of Alibaba Cloud account</Title>
            <ItemId>1</ItemId>
            <RiskAssertType>ECS</RiskAssertType>
            <Type> identity authentication and permissions </Type>
            <StartStatus>enabled</StartStatus>
            <AffectedCount>0</AffectedCount>
            <Sort>1</Sort>
            <RepairStatus>disabled</RepairStatus>
            <RiskLevel>high</RiskLevel>
            <RiskItemResources>
                  <ContentResource>{   "type": "link",   "value": "Risk: Multi-factor authentication is disabled\n",   "url": "https://***.aliyun.com/#/secure\n" }</ContentResource>
                  <ResourceName>bestPractice</ResourceName>
            </RiskItemResources>
      </List>
      <Count>10</Count>
</DescribeRiskCheckResultResponse>

JSON format

{
    "TotalCount": "12",
    "RequestId": "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
    "PageCount": "20",
    "PageSize": "10",
    "CurrentPage": "1",
    "List": {
            "Status": "pass",
            "CheckTime": "1543991525000",
            "TaskId": "647189",
            "RemainingTime": "0",
            "Title":"Cloud platform - Two-factor authentication configuration of Alibaba Cloud account",
            "ItemId": "1",
            "RiskAssertType": "ECS",
            "Type":"Identity authentication and permissions",
            "StartStatus": "enabled",
            "AffectedCount": "0",
            "Sort": "1",
            "RepairStatus": "disabled",
            "RiskLevel": "high",
            "RiskItemResources": {
                "ContentResource": "{ \" type\": \" link\", \" value\": \"Rrisk: Multi-factor authentication is disabled \\n\"," url ": " https:// bucket*. aliyun.com/#/secure\\n\ " }",
                "ResourceName": "bestPractice"
            }
    },
    "Count": "10"
}

Error codes

For a list of error codes, visit the API Error Center.