Queries the results of check items by type or name.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeRiskCheckResult

The operation that you want to perform.

Set the value to DescribeRiskCheckResult.

SourceIp String No 1.2.3.4

The source IP address of the request.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese
  • en: English

GroupId Long No 21000

The type ID of the check item. Valid values:

  • 1: identity authentication and permissions
  • 2: network access control
  • 3: log auditing
  • 4: data security
  • 5: monitoring alert
  • 6: basic security protection

CurrentPage Integer No 1

The number of the page to return.

RiskLevel String No high

The risk level of the check item. Valid values:

  • high
  • medium
  • low

Status String No pass

The status of the check task to return. Valid values:

  • pass
  • failed
  • running
  • waiting
  • ignored
  • falsePositive

ItemIds.N RepeatList No sde***

The ID of the check item. For more information about the description of the check item ID, see the check item table in the "Response parameters" section of this topic.

AssetType String No RDS

The type of the cloud service. For more information about the description of the cloud service type, see the check item table in the "Response parameters" section of this topic.

Name String No Cloud platform - Two-factor authentication configuration of Alibaba Cloud account

The name of the check item. For more information about the description of the check item name, see the check item table in the "Response parameters" section of this topic.

PageSize Integer No 10

The number of entries to return on each page.

Response parameters

Parameter Type Example Description
Count Integer 10

The number of entries returned on the current page.

CurrentPage Integer 1

The page number of the returned page.

List Array

The information about the check item.

AffectedCount Integer 0

The number of affected assets.

CheckTime Long 1543991525000

The time when the last check was performed.

ItemId Long 1

The ID of the check item. For more information about the description of the check item ID, see the check item table in the "Response parameters" section of this topic.

RemainingTime Integer 0

The time when the next check will be performed.

RepairStatus String disabled

Indicates whether a solution is provided to fix the threats detected under the specified check item. Valid values:

  • enabled: Yes
  • disabled: No

RiskAssertType String ECS

The type of the affected asset.

RiskItemResources Array

The detailed information about the check item.

ContentResource Json { "type": "link", "value": "Risk: multi-factor authentication is disabled\n", "url": "https://***.aliyun.com/#/secure\n" }

The content of the check item.

ResourceName String bestPractice

The title of the content. Valid values:

  • bestPractice: description
  • influence: risks
  • suggestion: solution
  • helpResource: reference

RiskLevel String high

The risk level of the check item returned. Valid values:

  • high
  • medium
  • low

Sort Integer 1

The sequence number of the check result. The check items are sorted based on the sequence number.

StartStatus String enabled

Indicates whether the check item is supported by the specified cloud service. Valid values:

  • enabled: supported
  • disable: unsupported

Status String pass

The status of the check task returned. Valid values:

  • pass
  • failed
  • running
  • waiting
  • ignored
  • falsePositive

TaskId Long 647189

The ID of the check task.

Title String Cloud platform - Two-factor authentication configuration of Alibaba Cloud account

The name of the check item.

Type String Identity authentication and permissions

The type of the check item. Valid values:

  • Identity authentication and permissions
  • Network access control
  • Log auditing
  • Data security
  • Monitoring alert
  • Basic security protection

PageCount Integer 20

The total number of pages returned.

PageSize Integer 10

The number of entries returned per page.

RequestId String AD271C07-4ACE-413D-AA9B-F14FD3B7717F

The ID of the request.

TotalCount Integer 12

The total number of returned entries.

The following table lists the check items supported by the cloud platform, including the ID, name, type, risk level, service type, and description.

| ID | Name | Type | Risk level | Service type | Description |
|----|------|------|------------|--------------|-------------|
| 1 | Action Trail - Logging Configuration | 3: log auditing | medium | ActionTrail | Checks whether you enable ActionTrail to record operations logs on the cloud and save the logs to Object Storage Service (OSS) buckets. |
| 2 | RDS - Database Security Policy | 4: data security | medium | RDS | Checks whether you enable Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and SQL audit services for each ApsaraDB for RDS instance. |
| 3 | Cloud Platform - Account's Two-Factor Authentication Configuration | 1: identity authentication and permissions | high | RAM | Checks whether multi-factor authentication (MFA) is enabled for the account used to log on to the Alibaba Cloud Management Console. |
| 4 | Cloud Security - Anti-DDoS Pro or Anti-DDoS Premium Back-to-origin Configuration | 2: network access control | high | DDoS | Checks whether actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, this prevents attackers from bypassing Anti-DDoS Pro or Anti-DDoS Premium and directly accessing the actual IP addresses. To hide the actual IP addresses, you can configure whitelist policies, for example, when the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances. When the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure access control policies for ECS security groups. All these policies allow access from only back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. |
| 5 | RDS - Whitelist Configuration | 2: network access control | high | RDS | Checks whether the RDS access control policy is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you restrict the access scope to a specific range of IP addresses rather than exposing database services to the Internet. |
| 6 | SLB - High Risk Port Exposure | 2: network access control | high | SLB | Checks whether SLB forwards requests from high-risk ports to the Internet. |
| 7 | Cloud Security - WAF Back-to-origin Configuration | 2: network access control | high | WAF | Checks whether actual IP addresses of backend servers are hidden after you use WAF. If the actual IP addresses are hidden, this prevents attackers from bypassing WAF and directly accessing the actual IP addresses. To hide the actual IP addresses, you can configure whitelist policies, for example, when the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances. When the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure access control policies for ECS security groups. All these allow access from only back-to-origin IP addresses of WAF. |
| 8 | Cloud Security - Agent Online Status | 6: basic security protection | high | ECS | Checks whether the Security Center agent on the ECS instance is always online and provides protection. |
| 12 | OSS - Bucket Access Permissions | 4: data security | high | OSS | Checks whether all OSS buckets allow public read/write or public read. If yes, the check fails. |
| 13 | Cloud Security - AccessKey Leak | 5: monitoring alert | medium | RAM | Checks whether you enable the AccessKey leak prevention function. If no, the check fails. |
| 14 | Mongodb - Whitelist Configuration | 2: network access control | high | MongoDB | Checks whether the whitelist is configured for the ApsaraDB for MongoDB instance. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails. |
| 15 | RAM - Users MFA Configuration | 1: identity authentication and permissions | medium | RAM | Checks whether the RAM user has two-factor authentication enabled. |
| 16 | OSS - Logging Configuration | 4: data security | medium | OSS | Checks whether you enable the logging function for all OSS buckets. If no, the check fails. |
| 17 | OSS - Cross-Region Replication Configuration | 4: data security | low | OSS | Checks whether cross-region replication is enabled for all OSS buckets. If no, the check fails. |
| 18 | RDS - Backup Configuration | 4: data security | medium | RDS | Checks whether the database backup function is enabled. If no, the check fails. |
| 19 | Redis - Whitelist Configuration | 2: network access control | high | Redis | Checks access control configurations of the ApsaraDB for Redis instance. |
| 20 | ECS - SSH Key Pairs | 1: identity authentication and permissions | medium | ECS | Checks whether key pair-based logon is enabled for the ECS instance. |
| 21 | SLB - Health Status | 5: monitoring alert | low | SLB | Checks the health status of the SLB instance. |
| 22 | POLARDB - Whitelist Configuration | 2: network access control | medium | POLARDB | Checks the whitelist configured for the Apsara PolarDB instance. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails. |
| 23 | AnalyticDB for PostgreSQL - Whitelist Configuration | 2: network access control | medium | PostgreSQL | Checks the whitelist of the AnalyticDB for PostgreSQL instance. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails. |
| 24 | ECS - Disk Encryption | 4: data security | low | ECS | Checks whether disk encryption is enabled. If no, the check fails. |
| 25 | SLB - Whitelist Configuration | 2: network access control | medium | SLB | Checks the SLB whitelist configuration. If the whitelist is enabled and set to 0.0.0.0/0, which allows accesses from all devices, the check fails. |
| 26 | SLB - Certificate Expiration | 5: monitoring alert | medium | SLB | Checks whether the SLB certificate has expired. |
| 27 | ECS - Automatic Snapshot Policy | 4: data security | medium | ECS | Checks whether automatic snapshot policies are enabled for the ECS instance. |
| 28 | SSL Certificates - Expiration Check | 4: data security | medium | SSL | Checks whether the SSL certificate is within its validity period. |
| 30 | OSS - Server Side Encryption | 4: data security | low | OSS | Checks whether server-side encryption is enabled for OSS buckets. |
| 31 | OSS - Hotlinking Protection | 2: network access control | low | OSS | Checks whether hotlink protection is configured for OSS buckets. |
| 32 | RDS - Cross Region Backup Configuration | 4: data security | low | RDS | Checks whether cross-region backup is configured for the RDS instance. |
| 33 | MongoDB - Backup Configuration | 4: data security | medium | MongoDB | Checks whether you enable the backup feature for the ApsaraDB for MongoDB instance. |
| 34 | MongoDB - Logging Configuration | 3: log auditing | medium | MongoDB | Checks whether you enable log auditing for the ApsaraDB for MongoDB instance. |
| 35 | MongoDB - Enable SSL Encryption | 4: data security | medium | MongoDB | Checks whether you enable the SSL certificate check function for the ApsaraDB for MongoDB instance. |
| 36 | CloudMonitor - Host Monitoring Plugin | 5: monitoring alert | medium | CloudMonitor | Checks whether the status of the Cloud Monitor agent is normal. |
| 37 | ECS - Security Groups Setting | 2: network access control | medium | ECS | Checks the ECS security group policies. |
| 38 | VPC - DNAT Rules | 2: network access control | medium | VPC | Checks whether a VPC DNAT rule is configured to map management ports to the Internet. |
| 39 | Redis - Backup Configuration | 4: data security | medium | Redis | Checks whether you enable the backup function for the ApsaraDB for Redis instance. |
| 40 | Container Registry - Repository Visibility Settings | 4: data security | high | CR | Checks whether permissions are correctly configured for the repository in Container Registry. |
| 41 | Container Registry - Image Security Scan | 6: basic security protection | low | CR | Checks whether you enable the image security scan function for Container Registry. |
| 42 | SLB - Access Logging Configuration | 3: log auditing | medium | SLB | Checks whether you configure access logging for the SLB instance. |
| 43 | Redis - Audit Log | 3: log auditing | low | Redis | Checks whether log auditing is configured for the ApsaraDB for Redis instance. |
| 44 | OSS - Bucket policy | 1: identity authentication and permissions | medium | OSS | Checks whether you configure the correct authorization policy for OSS. |
| 46 | POLARDB - Backup Configuration | 4: data security | medium | POLARDB | Checks whether you enable the backup function for the Apsara PolarDB instance. |
| 47 | POLARDB - SQL Explorer | 3: log auditing | medium | POLARDB | Checks whether you enable SQL Explorer for the Apsara PolarDB instance. |
| 48 | Account - AccessKey Existence Check | 1: identity authentication and permissions | medium | RAM | Checks whether you enable the AccessKey pair of your Alibaba Cloud account. |
| 50 | CDN - Real-time Logging | 3: log auditing | medium | CDN | Checks whether you enable real-time log push for CDN. |
| 51 | Redis - Enable SSL Encryption | 4: data security | medium | Redis | Checks whether ApsaraDB for Redis uses SSL certificates. |

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeRiskCheckResult
&GroupId=1
&RiskLevel=high
&<Common request parameters>

Sample success responses

XML format

<DescribeRiskCheckResultResponse>
      <TotalCount>12</TotalCount>
      <RequestId>AD271C07-4ACE-413D-AA9B-F14FD3B7717F</RequestId>
      <PageCount>20</PageCount>
      <PageSize>10</PageSize>
      <CurrentPage>1</CurrentPage>
      <List>
            <Status>pass</Status>
            <CheckTime>1543991525000</CheckTime>
            <TaskId>647189</TaskId>
            <RemainingTime>0</RemainingTime>
            <Title>Cloud platform - Two-factor authentication configuration of Alibaba Cloud account</Title>
            <ItemId>1</ItemId>
            <RiskAssertType>ECS</RiskAssertType>
            <Type> identity authentication and permissions </Type>
            <StartStatus>enabled</StartStatus>
            <AffectedCount>0</AffectedCount>
            <Sort>1</Sort>
            <RepairStatus>disabled</RepairStatus>
            <RiskLevel>high</RiskLevel>
            <RiskItemResources>
                  <ContentResource>{   "type": "link",   "value": "Risk: Multi-factor authentication is disabled\n",   "url": "https://***.aliyun.com/#/secure\n" }</ContentResource>
                  <ResourceName>bestPractice</ResourceName>
            </RiskItemResources>
      </List>
      <Count>10</Count>
</DescribeRiskCheckResultResponse>

JSON format

{
    "TotalCount": "12",
    "RequestId": "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
    "PageCount": "20",
    "PageSize": "10",
    "CurrentPage": "1",
    "List": {
            "Status": "pass",
            "CheckTime": "1543991525000",
            "TaskId": "647189",
            "RemainingTime": "0",
            "Title":"Cloud platform - Two-factor authentication configuration of Alibaba Cloud account",
            "ItemId": "1",
            "RiskAssertType": "ECS",
            "Type":"Identity authentication and permissions",
            "StartStatus": "enabled",
            "AffectedCount": "0",
            "Sort": "1",
            "RepairStatus": "disabled",
            "RiskLevel": "high",
            "RiskItemResources": {
                "ContentResource": "{ \"type\": \"link\", \"value\": \"Risk: Multi-factor authentication is disabled\\n\", \"url\": \"https://bucket*.aliyun.com/#/secure\\n\" }",
                "ResourceName": "bestPractice"
            }
    },
    "Count": "10"
}
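
The JSON sample above returns every number as a string, shows List as a single object although the parameter table declares an Array, and carries ContentResource as a JSON-encoded string with trailing newlines. The Python code below is an added example, not Alibaba Cloud SDK code or part of the original reference: it normalises such a response and returns the failed check items ordered by risk level. The function names and the SAMPLE payload are constructed for illustration.

```python
import json
from datetime import datetime, timezone

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def as_list(value):
    """The JSON sample shows an object where the schema says Array; accept both."""
    return [] if value is None else value if isinstance(value, list) else [value]

def parse_item(raw):
    """Normalise one List entry: cast string numbers, decode ContentResource."""
    resources = {}
    for res in as_list(raw.get("RiskItemResources")):
        content = res.get("ContentResource", "")
        try:
            content = json.loads(content) if isinstance(content, str) else content
        except json.JSONDecodeError:
            content = {"value": content}  # keep undecodable text instead of dropping it
        if isinstance(content, dict):
            content = {k: v.strip() if isinstance(v, str) else v for k, v in content.items()}
        resources[res.get("ResourceName")] = content
    return {
        "item_id": int(raw["ItemId"]),
        "title": raw.get("Title", "").strip(),
        "status": raw.get("Status"),
        "risk": raw.get("RiskLevel"),
        "affected": int(raw.get("AffectedCount", 0)),
        "checked_at": datetime.fromtimestamp(int(raw["CheckTime"]) / 1000, tz=timezone.utc),
        "resources": resources,
    }

def triage(response):
    """Failed check items, highest risk first, then by affected asset count."""
    items = [parse_item(r) for r in as_list(response.get("List"))]
    failed = [i for i in items if i["status"] == "failed"]
    return sorted(failed, key=lambda i: (RISK_ORDER.get(i["risk"], 3), -i["affected"]))

# Constructed sample (not real output), shaped like the JSON sample above.
SAMPLE = {"TotalCount": "3", "List": [
    {"ItemId": "18", "Title": "RDS - Backup Configuration", "Status": "failed",
     "RiskLevel": "medium", "AffectedCount": "4", "CheckTime": "1543991525000"},
    {"ItemId": "12", "Title": "OSS - Bucket Access Permissions", "Status": "pass",
     "RiskLevel": "high", "AffectedCount": "0", "CheckTime": "1543991525000"},
    {"ItemId": "3", "Title": "Cloud Platform - Account's Two-Factor Authentication Configuration",
     "Status": "failed", "RiskLevel": "high", "AffectedCount": "1", "CheckTime": "1543991525000",
     "RiskItemResources": {"ResourceName": "bestPractice", "ContentResource":
         '{"type": "link", "value": "Risk: Multi-factor authentication is disabled\\n"}'}},
]}
```

Calling triage(SAMPLE) returns item 3 before item 18, because the high-risk failure sorts ahead of the medium one even though it affects fewer assets.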

Error codes

For a list of error codes, visit the API Error Center.