Cloud Config: RMiTComplianceCheck

Last Updated: Oct 11, 2023

Based on the common IT-risk control standards of the Malaysian financial industry, the RMiTComplianceCheck compliance package continuously checks the compliance of IT systems on the cloud. This topic describes the rules that are provided in the RMiTComplianceCheck compliance package.

| Rule name | Description |
| --- | --- |
| actiontrail-trail-intact-enabled | Checks whether an active trail exists in ActionTrail and the events of all types that are generated in all regions are tracked. If so, the evaluation result is Compliant. If the administrator of each resource directory has created a trail that applies to all member accounts, the evaluation result is also Compliant. |
| actiontrail-enabled | Checks whether a trail is enabled in ActionTrail. If so, the evaluation result is Compliant. |
| oss-encryption-byok-check | Checks whether a custom Key Management Service (KMS) key is used to encrypt the data of each Object Storage Service (OSS) bucket. If so, the evaluation result is Compliant. |
| ecs-disk-auto-snapshot-policy | Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant. |
| ecs-disk-encrypted | Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant. |
| ecs-instance-no-public-ip | Checks whether a public IPv4 address or elastic IP address (EIP) is specified for each ECS instance. If not, the evaluation result is Compliant. |
| ecs-instances-in-vpc | If the vpcIds parameter is not configured, checks whether the network type of each ECS instance is set to VPC. If so, the evaluation result is Compliant. If the vpcIds parameter is configured, checks whether the VPC where each ECS instance resides is one of the specified VPCs. If so, the evaluation result is also Compliant. Separate multiple parameter values with commas (,). |
| slb-aliyun-certificate-required | Checks whether each Server Load Balancer (SLB) instance uses certificates that are issued by Alibaba Cloud. If so, the evaluation result is Compliant. |
| slb-server-certificate-expired | Checks whether the certificate of each SLB instance is valid and has not expired. If so, the evaluation result is Compliant. |
| slb-delete-protection-enabled | Checks whether the release protection feature is enabled for each SLB instance. If so, the evaluation result is Compliant. |
| slb-listener-https-enabled | Checks whether an HTTPS listener is enabled on the specified ports of each SLB instance. If so, the evaluation result is Compliant. If only a TCP or UDP listener is enabled on the specified ports of an SLB instance, the evaluation result is Not Applicable. |
| ram-group-has-member-check | Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant. |
| ram-password-policy-check | Checks whether the password policy settings configured for RAM users meet the specified values. If so, the evaluation result is Compliant. |
| ram-policy-no-statements-with-admin-access-check | Checks whether any policy attached to a RAM user, RAM user group, or RAM role contains a statement in which both the Resource and Action elements are set to *. If not, the evaluation result is Compliant. If both elements are set to * in a statement, the identity has super administrator permissions. |
| root-ak-check | Checks whether an AccessKey pair is created for the Alibaba Cloud account (the root account). If not, the evaluation result is Compliant. |
| ram-user-group-membership-check | Checks whether each RAM user belongs to a RAM user group. If so, the evaluation result is Compliant. |
| ram-user-mfa-check | Checks whether multi-factor authentication (MFA) is enabled in the logon settings of each RAM user for which console access is enabled. If so, the evaluation result is Compliant. |
| ram-user-no-policy-check | Checks whether no policy is directly attached to each RAM user. If so, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or roles. |
| ram-user-last-login-expired-check | Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is Compliant. If a RAM user has been updated within the last 90 days, the evaluation result is Compliant regardless of whether the RAM user has recently logged on. For RAM users that have no console access, the evaluation result is Not Applicable. |
| rds-public-access-check | Checks whether no public endpoint is configured for each RDS instance. If so, the evaluation result is Compliant. To reduce exposure to attacks from the Internet, we recommend that you do not configure direct Internet access to RDS instances in production environments. |
| rds-event-log-enabled | Checks whether the event history feature is enabled for each RDS instance. If so, the evaluation result is Compliant. |
| rds-multi-az-support | Checks whether each RDS instance uses the multi-zone architecture. If so, the evaluation result is Compliant. |
| rds-instance-enabled-tde | Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each RDS instance. If so, the evaluation result is Compliant. |
| oss-bucket-logging-enabled | Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. |
| oss-bucket-anonymous-prohibited | For each OSS bucket whose Bucket ACL parameter is set to Public Read/Write, checks whether a bucket policy is configured and that policy grants no read or write permissions to anonymous accounts. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets whose Bucket ACL parameter is set to Private. |
| oss-bucket-server-side-encryption-enabled | Checks whether the Encryption Method parameter of the server-side encryption feature is set to OSS-Managed for each OSS bucket. If so, the evaluation result is Compliant. |
| oss-default-encryption-kms | Checks whether KMS-based server-side encryption is enabled for each OSS bucket. If so, the evaluation result is Compliant. |
| oss-bucket-versioning-enabled | Checks whether versioning is enabled for each OSS bucket. If so, the evaluation result is Compliant. If versioning is disabled, data cannot be recovered after it is overwritten or deleted. |
| vpc-flow-logs-enabled | Checks whether the flow log feature is enabled for each virtual private cloud (VPC). If so, the evaluation result is Compliant. |
| vpn-ipsec-connection-status-check | Checks whether each IPsec-VPN connection is established. If so, the evaluation result is Compliant. |
| waf-instance-logging-enabled | Checks whether the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant. |
| oss-bucket-only-https-enabled | Checks whether the bucket policy of each OSS bucket allows read and write operations over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. For OSS buckets without a bucket policy, the evaluation result is Not Applicable. |
| sg-public-access-check | Checks whether each security group has no inbound rule whose authorization policy is Allow, whose port range is -1/-1, or whose authorized IP address is 0.0.0.0/0, or, if such a rule exists, whether an authorization policy with a higher priority overrides it. If so, the evaluation result is Compliant. If a security group is used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| kms-key-rotation-enabled | Checks whether the automatic rotation feature is enabled for each customer master key (CMK) in KMS. If so, the evaluation result is Compliant. |
| elasticsearch-instance-in-vpc | If the vpcIds parameter is not configured, checks whether the network type of each Elasticsearch cluster is set to VPC. If so, the evaluation result is Compliant. If the vpcIds parameter is configured, checks whether the VPC where each Elasticsearch cluster resides is one of the specified VPCs. If so, the evaluation result is also Compliant. |
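Two of the rules above encode concrete evaluation logic rather than a single on/off setting: ram-policy-no-statements-with-admin-access-check (a statement with both Action and Resource set to *) and sg-public-access-check (an inbound rule that opens every port to 0.0.0.0/0 unless a higher-priority rule overrides it). The following Python is an added illustration of how such evaluations can be reproduced locally over exported configuration; it is not Cloud Config's own implementation. It assumes RAM policy documents in their JSON form, that security group permission records carry Policy, Priority, PortRange and SourceCidrIp fields with priority 1 being the highest, and it simplifies the security group rule to the case where both -1/-1 and 0.0.0.0/0 appear in the same rule; the sample inputs are constructed.

```python
import json

# Constructed sample RAM policy documents (not from the page).
ADMIN_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:demo-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},   # super administrator statement
]})
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": "*"},
]})


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])


def ram_policy_admin_check(policy_json):
    """ram-policy-no-statements-with-admin-access-check: NonCompliant if any
    Allow statement sets both Action and Resource to '*'."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return "NonCompliant"
    return "Compliant"


# Constructed inbound security group rules (assumed field names; Priority 1 is
# highest; Policy is Accept or Drop).
OPEN_RULES = [
    {"Policy": "Accept", "Priority": 1, "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
]
OVERRIDDEN_RULES = [
    {"Policy": "Drop", "Priority": 1, "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Policy": "Accept", "Priority": 50, "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
]


def sg_public_access_check(inbound_rules):
    """sg-public-access-check (simplified): NonCompliant if an Accept rule opens
    every port (-1/-1) to 0.0.0.0/0 and no higher-priority Drop rule for the
    same source and port range precedes it."""
    for rule in sorted(inbound_rules, key=lambda r: r["Priority"]):
        if rule["SourceCidrIp"] != "0.0.0.0/0" or rule["PortRange"] != "-1/-1":
            continue
        # The first matching rule in priority order decides; a Drop shadows later Accepts.
        return "Compliant" if rule["Policy"] == "Drop" else "NonCompliant"
    return "Compliant"


if __name__ == "__main__":
    print(ram_policy_admin_check(ADMIN_POLICY), ram_policy_admin_check(SCOPED_POLICY))
    print(sg_public_access_check(OPEN_RULES), sg_public_access_check(OVERRIDDEN_RULES))
```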