Compliance packages dynamically and continuously monitor the compliance of your resources and notify you of resource non-compliance at the earliest opportunity. This topic describes the check items of the eight compliance packages that are provided by Cloud Config.
CIS stands for Center for Internet Security. The CISComplianceCheck compliance package dynamically and continuously monitors your resources to check whether they comply with the CIS Controls published by CIS. For more information about CIS, visit the CIS website. Resources that comply with the CIS Controls carry lower network security risk.

| Check item | Description |
| --- | --- |
| Accounts | Checks the passwords set for and permission policies attached to Alibaba Cloud accounts and RAM users. |
| Networks | Checks the network ownership, security group configurations, traffic monitoring configurations, and whether ports are open for instances. |
| Instances | Checks the details of disk encryption, system updates, and endpoint protection, and whether ports are open for instances. |
| Object Storage Service (OSS) buckets | Checks the configurations of read and write permissions, secure transmission, and content encryption for OSS buckets. |
| Databases | Checks the connection types, data encryption configurations, and audit configurations of databases. |

The ClassifiedProtectionPreCheck compliance package dynamically and continuously monitors your resources to check whether the resources are compliant with Multi-Level Protection Scheme (MLPS) 2.0 Level 3. This allows you to perform self-service checks to pass the compliance evaluation of classified protection. For more information about MLPS 2.0, see MLPS 2.0.

| Check item | Description |
| --- | --- |
| Network types | Checks whether the network types of Elastic Compute Service (ECS) instances and database instances are virtual private clouds (VPCs). If an instance resides in a VPC, and the VPC is included in the expected value of the relevant rule parameter, the instance configuration is considered compliant. |
| Protection configurations | Checks whether the IP address whitelists of ECS instances and database instances are set to 0.0.0.0/0 and whether encryption is enabled for each ECS data disk. |
| OSS buckets | Checks whether OSS buckets are accessed in read-only mode and whether zone-redundant storage and server-side encryption by using OSS-managed keys are enabled. |
| Bandwidths | Checks whether the bandwidths of Server Load Balancer (SLB) instances and elastic IP addresses reach the specified lower limits. |

Many customers store important business data in OSS buckets, so non-compliant bucket configurations can lead to business risks such as data leaks or data loss. The BestPracticesForOSS compliance package dynamically and continuously monitors the compliance of your OSS buckets and notifies you of non-compliance at the earliest opportunity.

| Check item | Description |
| --- | --- |
| Read/write permissions | Globally checks whether the access control lists (ACLs) of OSS buckets are set to public read or public read and write. |
| Protection configurations | Checks whether object encryption and hotlink protection are enabled for OSS buckets. This helps improve data security. |
| Zone-redundant storage | Checks whether zone-redundant storage is enabled for OSS buckets. |

The BestPracticesForNetwork compliance package dynamically and continuously checks the network architecture, workloads, and security configurations for compliance issues. The compliance package also notifies you of non-compliance at the earliest opportunity.

| Check item | Description |
| --- | --- |
| Resource quotas of workloads | Checks the resource quotas of workloads to ensure service continuity. If the resource quotas of workloads cannot reach the lower limits required by business peaks, the service may be interrupted during peak hours. |
| Network architecture | Checks the network architecture to ensure business isolation from the Internet. If network configurations are inappropriate, the business system may be exposed to the Internet, and attacks over the Internet and data leaks may occur. |
| Real-time monitoring | Checks whether real-time monitoring is enabled for networks to ensure that network errors can be identified at the earliest opportunity. This prevents potential business risks. |

The BestPracticesForAccountGovernance compliance package performs comprehensive compliance checks on Alibaba Cloud accounts and RAM users to help you identify systematic risks in advance and prevent the risks.

| Check item | Description |
| --- | --- |
| Logons of Alibaba Cloud accounts or RAM users | Checks the validity periods of the passwords set for Alibaba Cloud accounts and RAM users and whether multi-factor authentication (MFA) is enabled for them. |
| Security configurations | Checks whether invalid RAM users, user groups, or permission policies exist, and whether key pairs are created for Alibaba Cloud accounts. |
| Authorization | Checks whether permission policies are attached to RAM users and whether full permissions on Alibaba Cloud services are granted. |

The BestPracticesForDataBase compliance package continuously checks the compliance of ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, and PolarDB instances in terms of encryption and access control. This helps prevent data leaks.

| Check item | Description |
| --- | --- |
| Validity periods | Checks the validity periods of database instances. |
| Protection configurations | Checks whether release protection is enabled and IP address whitelists are set to 0.0.0.0/0 for database instances. |
| Network types | Checks whether the network types of database instances are VPCs and whether the specified VPCs are included in the expected value of the relevant rule parameter. |

The BestPracticesForECS compliance package continuously checks the compliance of ECS instances in terms of statuses, security configurations, protection configurations, and snapshot configurations. This prevents the risks of business interruption and out-of-control costs.

| Check item | Description |
| --- | --- |
| Statuses | Checks the statuses of ECS instances. |
| Security configurations | Checks the validity periods and security groups of ECS instances. |
| Protection configurations | Checks whether release protection and disk encryption are enabled for ECS instances. |
| Snapshot configurations | Checks whether automatic snapshot policies are configured, whether automatic locking is enabled, and whether the retention periods of automatic snapshots meet the requirements for the disks of ECS instances. |

The RMiTComplianceCheck compliance package checks the compliance of cloud IT systems based on the Risk Management in Technology (RMiT) framework for financial institutions in Malaysia.

| Check item | Description |
| --- | --- |
| Accounts | Checks the passwords, permission policies, and logons of RAM users, and whether MFA is enabled for the RAM users. |
| SLB instances | Checks whether release protection and HTTPS listeners are enabled for SLB instances, and whether the certificates issued by Alibaba Cloud are valid. |
| ECS instances | Checks whether the network types of ECS instances are VPCs, whether disk encryption is enabled for the ECS instances, and whether the ECS instances are bound to public IPv4 addresses. |
| OSS buckets | Checks whether server-side encryption by using Key Management Service (KMS), default server-side encryption, and log storage are enabled for OSS buckets. |
| ApsaraDB RDS instances | Checks whether historical event logging and transparent data encryption (TDE) are enabled for ApsaraDB RDS instances and whether the instances support multi-zone deployment. |
| ActionTrail trails | Checks whether an enabled ActionTrail trail exists and whether the trail records all types of event logs. |
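To make concrete how check items of this kind turn resource configuration into a compliant/non-compliant verdict, the following Python is an added illustration, not Cloud Config's rule engine and not code from this page. It evaluates a few of the checks described above against a constructed inventory: the 0.0.0.0/0 whitelist check for database instances, the VPC "expected value" check, the OSS ACL and server-side encryption checks, and the MFA and password validity checks for RAM users. All field names, rule parameters and sample records are assumptions for the example. The whitelist check generalizes the page's 0.0.0.0/0 case to any zero-length prefix, so an IPv6 ::/0 entry is caught as well.

```python
import ipaddress
from datetime import date

# Constructed sample inventory. Field names ("whitelist", "acl", "sse", ...)
# are assumptions for this example, not Cloud Config or OpenAPI attribute names.
RESOURCES = [
    {"type": "rds", "id": "rm-a", "whitelist": ["10.0.0.0/8", "192.168.1.5"],
     "vpc_id": "vpc-prod"},
    {"type": "rds", "id": "rm-b", "whitelist": ["0.0.0.0/0"],
     "vpc_id": "vpc-test"},
    {"type": "oss", "id": "bucket-logs", "acl": "private", "sse": "KMS"},
    {"type": "oss", "id": "bucket-www", "acl": "public-read", "sse": None},
    {"type": "ram_user", "id": "alice", "mfa": True,
     "password_last_changed": date(2024, 1, 10)},
    {"type": "ram_user", "id": "bob", "mfa": False,
     "password_last_changed": date(2023, 3, 1)},
]

# Rule parameters: the "expected value" for the VPC rule, a password age limit,
# and a fixed evaluation date so the example is deterministic.
CONTEXT = {
    "expected_vpcs": {"vpc-prod"},
    "max_password_age_days": 90,
    "today": date(2024, 3, 1),
}


def check_whitelist(res, ctx):
    """Flag any whitelist entry that admits every source address (prefix length 0)."""
    for entry in res.get("whitelist", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)  # bare IPs become /32 or /128
        except ValueError:
            return False, f"unparsable whitelist entry {entry!r}"
        if net.prefixlen == 0:
            return False, f"whitelist entry {entry} allows all source addresses"
    return True, "whitelist is restricted"


def check_vpc(res, ctx):
    """The instance must reside in one of the VPCs given as the rule parameter."""
    if res.get("vpc_id") in ctx["expected_vpcs"]:
        return True, "instance is in an expected VPC"
    return False, f"VPC {res.get('vpc_id')!r} is not in the expected set"


def check_acl(res, ctx):
    """Bucket ACL must not be public read or public read/write."""
    if res.get("acl") in ("public-read", "public-read-write"):
        return False, f"bucket ACL is {res['acl']}"
    return True, "bucket ACL is private"


def check_sse(res, ctx):
    if res.get("sse"):
        return True, f"server-side encryption ({res['sse']}) enabled"
    return False, "server-side encryption disabled"


def check_mfa(res, ctx):
    if res.get("mfa"):
        return True, "MFA enabled"
    return False, "MFA not enabled"


def check_password_age(res, ctx):
    """Password must have been rotated within the configured validity period."""
    age = (ctx["today"] - res["password_last_changed"]).days
    if age <= ctx["max_password_age_days"]:
        return True, f"password is {age} days old"
    return False, f"password is {age} days old, limit is {ctx['max_password_age_days']}"


# Which rules apply to which resource type (the package's check items).
RULES = {
    "rds": [check_whitelist, check_vpc],
    "oss": [check_acl, check_sse],
    "ram_user": [check_mfa, check_password_age],
}


def evaluate(resources, ctx=CONTEXT):
    """Return {resource_id: [reason, ...]} containing only non-compliant resources."""
    findings = {}
    for res in resources:
        for rule in RULES.get(res["type"], []):
            ok, reason = rule(res, ctx)
            if not ok:
                findings.setdefault(res["id"], []).append(reason)
    return findings


if __name__ == "__main__":
    for rid, reasons in evaluate(RESOURCES).items():
        print(rid)
        for reason in reasons:
            print("  -", reason)
```

Each rule returns a verdict and a human-readable reason so that a finding can be routed to the owner of the resource; a real deployment would replace the constructed inventory with the resource configuration that the monitoring service records and keep the rule parameters (expected VPCs, password age limit) in configuration rather than in code.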