Queries the results of check items by type or name.
Debugging
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | DescribeRiskCheckResult | The operation that you want to perform. Set the value to DescribeRiskCheckResult. |
| SourceIp | String | No | 1.2.3.4 | The source IP address of the request. |
| Lang | String | No | zh | The natural language of the request and response. Valid values:
|
| GroupId | Long | No | 1 | The type ID of the check item. Valid values:
|
| CurrentPage | Integer | No | 1 | The number of the page to return. |
| RiskLevel | String | No | high | The risk level of the check item. Valid values:
|
| Status | String | No | pass | The status of the check item to return. Valid values:
|
| ItemIds.N | RepeatList | No | 1 | The ID of the check item. For more information, see the table that follows the Response parameters table. |
| AssetType | String | No | RDS | The type of the Alibaba Cloud service. For more information, see the table that follows the Response parameters table. |
| Name | String | No | Cloud platform - Multi-factor authentication configuration of Alibaba Cloud accounts | The name of the check item. For more information, see the table that follows the Response parameters table. |
| PageSize | Integer | No | 100 | The number of entries to return on each page. The number of entries on each page is 20 by default. If the PageSize parameter value is empty, 20 entries are returned per page by default.
Note We recommend that you set the PageSize parameter to a value that is not empty.
|
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| Count | Integer | 10 | The number of entries returned on the current page. |
| CurrentPage | Integer | 1 | The page number of the returned page. |
| List | Array of RiskCheckResultForDisplay | The information about the check item. |
|
| AffectedCount | Integer | 0 | The number of affected assets. |
| CheckTime | Long | 1543991525000 | The time when the last check was performed. |
| ItemId | Long | 1 | The ID of the check item. For more information, see the table that follows the Response parameters table. |
| RemainingTime | Integer | 0 | The estimated time when the next check is performed. |
| RepairStatus | String | disabled | Indicates whether a solution is provided to fix the vulnerabilities detected under the specified check item. Valid values:
|
| RiskAssertType | String | ECS | The type of the affected asset. |
| RiskItemResources | Array of RiskItemResource | The details of the check item. |
|
| ContentResource | Json | { "type": "link", "value": "Risk: multi-factor authentication is disabled\n", "url": "https://***.aliyun.com/#/secure\n" } | The content of the check item. |
| ResourceName | String | bestPractice | The title in the details of the check item. Valid values:
|
| RiskLevel | String | high | The risk level of the check item. Valid values:
|
| Sort | Integer | 1 | The sequence number of the check result. The check items are sorted based on the sequence number. |
| StartStatus | String | enabled | Indicates whether the check item is supported by the Alibaba Cloud service. Valid values:
|
| Status | String | pass | The status of the check item. Valid values:
|
| TaskId | Long | 647189 | The ID of the check task. |
| Title | String | Cloud platform - Multi-factor authentication (MFA) configuration of Alibaba Cloud accounts | The name of the check item. |
| Type | String | Identity authentication and permissions | The type of the check item. Valid values:
|
| PageCount | Integer | 20 | The total number of pages returned. |
| PageSize | Integer | 10 | The number of entries returned on each page. |
| RequestId | String | AD271C07-4ACE-413D-AA9B-F14FD3B7717F | The ID of the request. |
| TotalCount | Integer | 12 | The total number of entries returned. |
The following table lists IDs, names, types, risk levels, Alibaba Cloud service types, and descriptions of all check items of Alibaba Cloud service configuration assessment.
| ItemId (check item ID) |
Name (check item name) |
GroupId (check item type) |
RiskLevel (risk level) |
AssetType (Alibaba Cloud service type) |
Description |
|---|---|---|---|---|---|
| 1 |
ActionTrail - log audit |
3: log audit |
medium |
ActionTrail |
Checks whether you activated ActionTrail to record operations logs on the cloud and save the logs to Object Storage Service (OSS) buckets. |
| 2 |
RDS - Database security policies |
4: data security |
medium |
RDS |
Checks whether you enabled the Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and SQL audit functions for each ApsaraDB for RDS instance. |
| 3 |
Alibaba Cloud account security - MFA |
1: identity authentication and permissions |
high |
RAM |
Checks whether you enabled MFA for your Alibaba Cloud account. |
| 4 |
Alibaba Cloud Security - back-to-origin configurations of Anti-DDoS Pro or Anti-DDoS Premium |
2: network access control |
high |
DDoS |
Checks whether the actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure security group rules for the ECS instances. You can configure access control policies to allow only access requests from back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. |
| 5 |
RDS - whitelist configurations |
2: network access control |
high |
RDS |
Checks whether the whitelist of an ApsaraDB for RDS instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the ApsaraDB for RDS instance. To prevent security risks, we recommend that you configure RDS whitelists to allow only requests from specific IP addresses. |
| 6 |
SLB - high-risk ports |
2: network access control |
high |
SLB |
Checks whether SLB is configured to forward requests from high-risk ports to the Internet. |
| 7 |
Alibaba Cloud Security - back-to-origin configurations of Web Application Firewall (WAF) |
2: network access control |
high |
WAF |
Checks whether the actual IP addresses of backend servers are hidden after you use WAF. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the SLB instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of ECS instances, you can configure security group rules for the ECS instances. You can configure access control policies to allow only access requests from back-to-origin IP addresses of WAF. |
| 8 |
Alibaba Cloud Security - Security Center agent status |
6: basic security protection |
high |
ECS |
Checks whether the Security Center agent on the ECS instance remains online to provide protection. |
| 12 |
OSS - bucket permissions |
4: data security |
high |
OSS |
Checks whether the ACL of any of your OSS buckets is public-read or public-read-write. The public-read-write or public-read ACL allows users to read or write the data in your OSS buckets without authorization. To ensure data security, we recommend that you set the ACL of all your buckets to private. |
| 13 |
Security Center - AccessKey leak detection |
5: monitoring and alerting |
medium |
RAM |
Checks whether AccessKey leak detection is enabled. API credentials (AccessKey pairs) are unique and important identity credentials for Alibaba Cloud users to call the API operations of a specific Alibaba Cloud service and access the required cloud resources. We recommend that you enable AccessKey leak detection to prevent AccessKey leaks. |
| 14 |
ApsaraDB for MongoDB - whitelist configurations |
2: network access control |
high |
MongoDB |
Checks whether whitelists are enabled for ApsaraDB for MongoDB instances. If whitelists are enabled and the whitelists are empty or contain the 0.0.0.0/0 CIDR block, the requests from all IP addresses are allowed. In this case, security risks may occur. We recommend that you configure the whitelist to allow only access requests from trusted IP addresses. |
| 15 |
RAM - RAM user MFA |
1: identity authentication and permissions |
medium |
RAM |
Checks whether MFA is enabled for RAM users. |
| 16 |
OSS - log record configurations |
4: data security |
medium |
OSS |
Checks whether the log record feature is enabled for all OSS buckets. When you access OSS, a large number of access logs are generated. After you enable and configure the log record feature for a bucket, an object with a specific prefix is generated on an hourly basis to record access logs of the bucket. To analyze the access logs, you can use Alibaba Cloud Data Lake Analytics (DLA) or build a Spark cluster. You can configure lifecycle rules for the bucket to convert the storage class of log objects to Archive for long-term archiving. |
| 17 |
OSS - cross-region replication configurations |
4: data security |
low |
OSS |
Checks whether cross-region replication (CRR) is enabled for all OSS buckets. CRR enables the automatic and asynchronous replication of objects across buckets in different OSS data centers (regions). CRR synchronizes operations such as creation, overwriting, and deletion of objects from the source bucket to the destination bucket. CRR meets data replication requirements of users, and provides an ideal cross-region disaster recovery method for buckets. Objects in the destination bucket are replicas of objects in the source bucket. Each object in the source bucket has the same name, content, and metadata as the replica in the destination bucket. These include the creation time, owner, user-defined metadata, and access control lists (ACLs). |
| 18 |
RDS - backup configurations |
4: data security |
medium |
RDS |
Checks whether database backup is enabled for ApsaraDB for RDS instances. We recommend that you enable data backup for RDS instances and perform a data backup task on a daily basis. |
| 19 |
ApsaraDB for Redis - whitelist configurations |
2: network access control |
high |
Redis |
Checks the whitelist configurations of ApsaraDB for Redis. |
| 20 |
ECS - SSH key pairs |
1: identity authentication and permissions |
medium |
ECS |
Checks whether SSH key pair-based logon is enabled for the ECS instances. |
| 21 |
SLB - health status |
5: monitoring and alerting |
low |
SLB |
Checks whether SLB backend servers are available. |
| 22 |
PolarDB - whitelist configurations |
2: network access control |
medium |
PolarDB |
Checks whether the whitelist of a PolarDB cluster contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the PolarDB cluster. To prevent security risks, we recommend that you configure whitelists to allow only requests from specific IP addresses. |
| 23 |
AnalyticDB for PostgreSQL - whitelist configurations |
2: network access control |
medium |
PostgreSQL |
Checks whether the whitelist of an AnalyticDB for PostgreSQL instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the AnalyticDB for PostgreSQL instance. To prevent security risks, we recommend that you configure whitelists to allow only requests from specific IP addresses. |
| 24 |
ECS - disk encryption |
4: data security |
low |
ECS |
Checks whether disk encryption is enabled. Disk encryption allows you to meet security or regulatory compliance requirements. |
| 25 |
SLB - whitelist configurations |
2: network access control |
medium |
SLB |
Checks the SLB whitelist configurations. We recommend that you configure whitelists for non-HTTP and non-HTTPS services, and that you do not add 0.0.0.0/0 to the whitelists. |
| 26 |
SLB - certificate expiration |
5: monitoring and alerting |
medium |
SLB |
Checks whether the SLB certificate is expired. |
| 27 |
ECS - automatic snapshot policies |
4: data security |
medium |
ECS |
Checks whether automatic snapshot is enabled for ECS instances. |
| 28 |
SSL certificates - validity check |
4: data security |
medium |
SSL |
Checks whether the SSL certificate is within its validity period. |
| 30 |
OSS - bucket server-side encryption |
4: data security |
low |
OSS |
Checks whether server-side encryption is enabled for OSS buckets. |
| 31 |
OSS - bucket hotlink protection |
2: network access control |
low |
OSS |
Checks whether hotlink protection is configured for OSS buckets. |
| 32 |
RDS - cross-region backup configurations |
4: data security |
low |
RDS |
Checks whether cross-region backup is enabled for ApsaraDB for RDS instances. |
| 33 |
ApsaraDB for MongoDB - backup configurations |
4: data security |
medium |
MongoDB |
Checks whether data backup is enabled for ApsaraDB for MongoDB instances. |
| 34 |
ApsaraDB for MongoDB - log audit |
3: log audit |
medium |
MongoDB |
Checks whether log audit is enabled for ApsaraDB for MongoDB instances. |
| 35 |
ApsaraDB for MongoDB - SSL certificate |
4: data security |
medium |
MongoDB |
Checks whether SSL certificate checks are enabled for ApsaraDB for MongoDB instances. |
| 36 |
Cloud Monitor - Cloud Monitor agent status |
5: monitoring alerts |
medium |
CloudMonitor |
Checks whether the Cloud Monitor agent is running as expected. |
| 37 |
ECS - security group policies |
2: network access control |
medium |
ECS |
Checks the ECS security group rules. |
| 38 |
VPC - DNAT rules |
2: network access control |
medium |
VPC |
Checks the open ports that are based on the DNAT rules in VPCs. |
| 39 |
Redis - backup configurations |
4: data security |
medium |
Redis |
Checks whether data backup is enabled for ApsaraDB for Redis instances. |
| 40 |
Container Registry - repository permission configurations |
4: data security |
high |
CR |
Checks whether permissions are correctly configured for the repository in Container Registry. |
| 41 |
Container Registry - security scan |
6: basic security protection |
low |
CR |
Checks whether security scan is enabled for Container Registry. |
| 42 |
SLB - access log configurations |
3: log audit |
medium |
SLB |
Checks whether the access log feature is configured for SLB instances. |
| 43 |
Redis - log audit configurations |
3: log audit |
low |
Redis |
Checks the log audit configurations of ApsaraDB for Redis instances. |
| 44 |
OSS - authorization policies |
1: identity authentication and permissions |
medium |
OSS |
Checks whether correct authorization policies are enabled for OSS. |
| 46 |
PolarDB - backup configurations |
4: data security |
medium |
PolarDB |
Checks whether data backup is enabled for PolarDB. |
| 47 |
PolarDB - SQL Explorer |
3: log audit |
medium |
PolarDB |
Checks whether SQL Explorer is enabled for PolarDB clusters. |
| 49 |
Alibaba Cloud account security - AccessKey pair |
1: identity authentication and permissions |
medium |
RAM |
Checks whether the AccessKey pair is enabled for your Alibaba Cloud account. |
| 51 |
CDN - real-time log push |
3: log audit |
medium |
CDN |
Checks whether the real-time log push feature is enabled for CDN. |
| 52 |
ApsaraDB for Redis - SSL certificate |
4: data security |
medium |
Redis |
Checks whether SSL certificates are enabled for ApsaraDB for Redis instances. |
Examples
Sample requests
http(s)://[Endpoint]/? Action=DescribeRiskCheckResult
&GroupId=1
&RiskLevel=high
&PageSize=100
&<Common request parameters>Sample success responses
XML format
<DescribeRiskCheckResultResponse>
<TotalCount>12</TotalCount>
<RequestId>AD271C07-4ACE-413D-AA9B-F14FD3B7717F</RequestId>
<PageCount>20</PageCount>
<PageSize>10</PageSize>
<CurrentPage>1</CurrentPage>
<List>
<Status>pass</Status>
<CheckTime>1543991525000</CheckTime>
<TaskId>647189</TaskId>
<RemainingTime>0</RemainingTime>
<Title>Cloud platform - Multi-factor authentication configuration of Alibaba Cloud accounts</Title>
<ItemId>1</ItemId>
<RiskAssertType>ECS</RiskAssertType>
<Type>Identity authentication and permissions</Type>
<StartStatus>enabled</StartStatus>
<AffectedCount>0</AffectedCount>
<Sort>1</Sort>
<RepairStatus>disabled</RepairStatus>
<RiskLevel>high</RiskLevel>
<RiskItemResources>
<ContentResource>{ "type": "link", "value": "Risk: multi-factor authentication is disabled\n", "url": "https://***.aliyun.com/#/secure\n" }</ContentResource>
<ResourceName>bestPractice</ResourceName>
</RiskItemResources>
</List>
<Count>10</Count>
</DescribeRiskCheckResultResponse>JSON format
{
"TotalCount": "12",
"RequestId": "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
"PageCount": "20",
"PageSize": "10",
"CurrentPage": "1",
"List": {
"Status": "pass",
"CheckTime": "1543991525000",
"TaskId": "647189",
"RemainingTime": "0",
"Title": "Cloud platform - Multi-factor authentication configuration of Alibaba Cloud accounts",
"ItemId": "1",
"RiskAssertType": "ECS",
"Type": "Identity authentication and permissions",
"StartStatus": "enabled",
"AffectedCount": "0",
"Sort": "1",
"RepairStatus": "disabled",
"RiskLevel": "high",
"RiskItemResources": {
"ContentResource": "{ \"type\": \"link\", \"value\": \"Risk: multi-factor authentication is disabled\\n\", \"url\": \"https://***.aliyun.com/#/secure\\n\" }",
"ResourceName": "bestPractice"
}
},
"Count": "10"
}Error codes
For a list of error codes, visit the API Error Center.