
Cloud Governance Center: Lens Assessment

Last Updated: Dec 19, 2025

The Governance Maturity Assessment feature includes Lens Assessment. Lens extends the guidance of the Well-Architected Framework to specific industries and technologies. It helps you perform detailed governance assessments on your cloud resources based on your industry or technical needs. Use the Lens feature to select and view assessment models for a specific area. This helps you accurately identify risks, optimize resource configurations, and receive targeted suggestions for improvement.

Supported Lenses

The following lenses are supported:

  • Container Build

    Helps you build a container protection system. It provides a comprehensive assessment of deployment, monitoring, and O&M risks to continuously ensure your containers meet security and reliability baselines.

  • Machine Learning

    Assesses the infrastructure architecture design for AI model training scenarios. It checks whether core resources, such as Elastic Compute Service (ECS), NAS, and OSS, match training requirements to ensure they meet task demands.

  • Network Services

    Helps you perform in-depth health checks on network resources. It assesses capacity usage, disaster recovery architecture, and resource idleness across multiple network products to ensure high network availability.

    Note

    Enable Network Intelligence Service (NIS) before you use the Network Services lens.

  • Data Protection

    Helps you ensure the security and stability of database resources. It assesses audit log retention and sensitive data protection. It also monitors for abnormal SQL performance to ensure disaster recovery and security measures are in place.

    Note

    Enable Database Autonomy Service (DAS) and Data Transmission Service (DTS) to obtain the required data.

Supported check items

The check items supported by each lens are listed below, grouped by lens. Each entry gives the check item followed by its description and the criterion that decides whether a resource is compliant.

Container Build

  • ACK cluster is deployed in a single zone

    Regional clusters provide cross-zone disaster recovery. An ACK cluster is considered compliant if its nodes are distributed across three or more zones.

  • Cost management suite is not enabled for the ACK cluster

    Traditional methods lack effective cost insight and control in cloud-native scenarios. The cost management suite provides features such as resource waste checks and cost prediction. An ACK cluster does not follow best practices if the cost management suite is not enabled.

  • ACK cluster does not use a stable version

    An ACK cluster is considered non-compliant if it is not upgraded to the latest version.

  • Deletion protection is not enabled for the ACK cluster

    An ACK cluster is considered non-compliant if deletion protection is not enabled.

  • Encryption at rest for Secrets is not configured for the ACK cluster

    Encryption at rest for Secrets uses a key that you create in Key Management Service (KMS) to encrypt Kubernetes Secrets. This improves the security of sensitive information. An ACK Pro cluster is considered non-compliant if it does not use Alibaba Cloud KMS for encryption at rest for Secrets.

  • ACK cluster does not use ack-ram-authenticator for RAM-based authentication

    The ack-ram-authenticator component uses the native Kubernetes Webhook Token authentication method to authenticate API server requests through Resource Access Management (RAM). In Single Sign-On (SSO) role integration scenarios, it allows more reliable auditing of API server access requests from different users who assume the same role. An ACK cluster is considered non-compliant if the ack-ram-authenticator component is not enabled.

  • ACK cluster does not use policy governance to restrict privileged container configurations

    Enabling policy governance helps security O&M personnel apply container security policies more effectively. An ACK cluster is considered non-compliant if policy governance is not enabled.

  • ACK cluster does not use RRSA for pod-level access permission isolation for cloud resources

    RRSA isolates OpenAPI permissions at the pod level within a cluster. This provides fine-grained control over cloud resource access and reduces security risks. An ACK cluster is considered non-compliant if the RRSA feature is not enabled.

  • API server audit logs are not enabled for the ACK cluster

    In a Kubernetes cluster, API server audit logs help cluster administrators record and trace the daily operations of different users. This is a critical part of cluster security O&M. An ACK cluster is considered non-compliant if API server audit logs are not enabled.

  • Control plane component logs are not enabled for the ACK cluster

    Collecting logs from the ACK control plane into a Log Project in Simple Log Service (SLS) in your account simplifies O&M auditing and troubleshooting. An ACK cluster is considered non-compliant if control plane component logs are not enabled.

  • Container Intelligence Service (CIS) cluster configuration assessment is not enabled for the ACK cluster

    CIS helps you discover potential risks in your cluster, such as remaining cloud resource quotas and key Kubernetes resource usage levels. It helps you troubleshoot risks and fix issues based on recommended solutions. An ACK cluster is considered non-compliant if CIS cluster configuration assessment is not enabled.

  • Cluster security configuration assessment is not enabled for the ACK cluster

    The configuration inspection feature scans workload configurations in a cluster for security risks and generates an inspection report. An ACK cluster is considered non-compliant if security configuration inspection is not enabled.

  • Intra-container operation audit logs are not enabled for the ACK cluster

    The intra-container operation audit feature lets you audit the commands that members of your organization or applications run after entering a container. An ACK cluster is considered non-compliant if intra-container operation audit logs are not enabled.

  • ACK cluster does not use a managed node pool

    A managed node pool can automatically perform some node O&M operations, such as fixing important Common Vulnerabilities and Exposures (CVEs) and some faults. This reduces your node O&M workload. An ACK cluster is considered non-compliant if the managed node pool feature is not enabled.

  • Auto Scaling is not enabled for the ACK cluster node pool

    Auto Scaling launches pay-as-you-go instances on demand to automatically and cost-effectively scale your elastic computing resources. An ACK cluster is considered non-compliant if the node pool Auto Scaling feature is disabled.

  • ACK cluster is a managed cluster of the Basic Edition

    ACK managed clusters are available in Basic and Pro editions. The Pro edition offers enhanced reliability, security, and scheduling capabilities compared to the Basic edition, which makes it more suitable for running large-scale services in a production environment. Using a managed cluster that is not the Pro edition is considered non-compliant.

  • The number of backend servers for the CoreDNS service in the ACK cluster is 0

    If the number of backend servers for CoreDNS in an ACK cluster is 0, service discovery fails completely. Inter-service communication within the cluster, such as microservice calls and database access, is interrupted. Applications cannot resolve addresses by service name, which directly impacts business availability and poses a stability risk to the cluster. An ACK cluster is considered non-compliant if the number of backend servers for its CoreDNS service is 0.

  • The backend of the API Server SLB instance in the ACK cluster is in an abnormal state

    An abnormal backend state for the API Server Server Load Balancer (SLB) instance in an ACK cluster interrupts control plane communication and causes a complete failure of cluster management. Clients such as kubectl cannot access the API server, which prevents operations such as deploying applications or viewing status. An ACK cluster is considered non-compliant if the backend of its API Server SLB instance is in an abnormal state.

  • The listener configuration of the SLB port bound to the API Server in the ACK cluster is abnormal

    An abnormal listener configuration for the SLB port bound to the API Server in an ACK cluster interrupts API service access. Clients such as kubectl cannot connect to the cluster, and O&M operations fail completely. An ACK cluster is considered non-compliant if the listener configuration of the SLB port bound to its API Server is abnormal.

  • The SLB instance bound to the API Server in the ACK cluster does not exist

    If the API Server of an ACK cluster is not bound to an SLB instance, the API service lacks a traffic entry point. External clients such as kubectl cannot access the API Server through the load balancer, and cluster management is completely interrupted. An ACK cluster is considered non-compliant if the SLB instance bound to its API Server does not exist.

  • The SLB instance bound to the API Server in the ACK cluster is in an abnormal state

    An abnormal state for the SLB instance bound to the API Server in an ACK cluster causes API service traffic forwarding to fail. Clients such as kubectl cannot establish a stable connection, and cluster management is completely blocked. An ACK cluster is considered non-compliant if the SLB instance bound to its API Server is in an abnormal state.

  • The Kubelet component version on an ACK cluster node is older than the control plane version

    If the Kubelet component version on an ACK cluster node is older than the control plane version, compatibility issues can occur. The control plane, such as the API Server, may be unable to communicate properly with the older Kubelet because of new features or protocol upgrades. This can lead to abnormal node status, pod scheduling failures, or nodes being marked as unavailable. An ACK cluster is considered non-compliant if the Kubelet component version on any of its nodes is older than the control plane version.

  • The scaling configuration of an ACK cluster node pool is unavailable

    If the scaling configuration of an ACK cluster node pool is unavailable, the cluster cannot automatically adjust the number of nodes. It cannot scale out during high-load periods, which leads to resource exhaustion, pod scheduling failures, or service interruptions. An ACK cluster is considered non-compliant if the scaling configuration of any of its node pools is unavailable.

  • A node pool scaling group in the ACK cluster is unavailable

    If an ACK cluster node pool scaling group is unavailable, the cluster loses all auto scaling capabilities. The cluster cannot dynamically scale out during high loads, which can lead to node resource exhaustion, pod scheduling failures, or service response delays. An ACK cluster in this state is considered non-compliant.

  • The security group of an ACK cluster node pool is unavailable

    If the security group of an ACK cluster node pool is unavailable, network access rules become invalid. Communication between cluster components, such as between the kubelet and the API Server or service discovery between pods, may be interrupted because of blocked ports or missing rules. An ACK cluster is considered non-compliant if the security group of any of its node pools is unavailable.

  • The vSwitch of an ACK cluster node pool is unavailable

    If the vSwitch of an ACK cluster node pool is unavailable, network communication between nodes is interrupted. Pods and services cannot interact across nodes, which leads to service discovery failures or data transmission stalls. An ACK cluster is considered non-compliant if the vSwitch of any of its node pools is unavailable.

  • An APIService in the ACK cluster is unavailable

    If an APIService in an ACK cluster is unavailable, extended API functions fail. Custom resources, such as CustomResourceDefinitions (CRDs), cannot communicate with the control plane. This can cause management anomalies in components that rely on extended APIs, such as Operators and service meshes. An ACK cluster is considered non-compliant if any of its APIServices is unavailable.

  • An abnormal CoreDNS pod exists in the ACK cluster

    An abnormal CoreDNS pod in an ACK cluster makes the DNS resolution service unstable. Communication between services that use domain names may time out or fail, which interrupts application calls. An ACK cluster is considered non-compliant if it has an abnormal CoreDNS pod.

  • The status of elasticity components in the ACK cluster is abnormal

    An abnormal state of an elasticity component in an ACK cluster causes mechanisms such as automatic scaling and automatic fault recovery to fail. During high-load periods, the inability to dynamically scale out leads to resource bottlenecks, service response delays, or interruptions. An ACK cluster is considered non-compliant if any of its elasticity components is in an abnormal state.

  • The billing method of a LoadBalancer service in the ACK cluster is inconsistent with the actual instance

    A mismatch between the billing method of a LoadBalancer service in an ACK cluster and the actual instance causes billing anomalies. This may lead to unexpected charges, such as pay-as-you-go billing when a subscription was expected, or to accidental resource releases. An ACK cluster is considered non-compliant if the billing method of a LoadBalancer service is inconsistent with the actual instance.

  • The certificate instance ID of a LoadBalancer service in the ACK cluster is inconsistent with the actual instance

    A mismatch between the certificate instance ID of a LoadBalancer service in an ACK cluster and the certificate that is actually bound causes the TLS configuration to fail. This can lead to rejected HTTPS connections or security warnings, which interrupt user access. An ACK cluster is considered non-compliant if the certificate instance ID of a LoadBalancer service is inconsistent with the actual instance.

  • CoreDNS in the ACK cluster has only one replica

    A single-replica configuration for CoreDNS in an ACK cluster eliminates high availability. If the pod fails, the DNS service is completely interrupted: domain name resolution for services within the cluster fails and communication between applications is blocked. An ACK cluster is considered non-compliant if its CoreDNS has only one replica.

Machine Learning

  • ECS instance is not prohibited from being assigned a public IP address

    Prevent ECS instances from being directly exposed to the public network to reduce the risk of attack. Access the Internet through a NAT Gateway or a load balancer instead. An ECS instance is considered non-compliant if it is assigned a public IP address.

  • Security group inbound rule is set to 0.0.0.0/0 and any port

    Do not allow all IP addresses (0.0.0.0/0) to access any port in a security group rule. Access must be restricted to specific IP ranges and ports. A security group is considered non-compliant if an inbound rule is set to 0.0.0.0/0 and does not specify a port.

  • Security group exposes vulnerable ports (22, 3389, etc.) to the public network

    Security group rules must not allow public network access to vulnerable ports, such as SSH (22) and Remote Desktop Protocol (RDP) (3389), to prevent network attacks and unauthorized access. A security group that exposes these ports to the public network is considered non-compliant.

  • ACK cluster does not use a stable version

    An ACK cluster is considered non-compliant if it is not upgraded to the latest version.

  • OSS resource does not use a multi-zone architecture

    An OSS bucket is considered non-compliant if zone-redundant storage is not enabled.

  • Release protection is not enabled for an ECS resource

    An ECS instance is considered non-compliant if release protection is not enabled.

  • Versioning is not enabled for an OSS bucket

    If versioning is not enabled for an OSS bucket, data cannot be recovered after it is overwritten or deleted. An OSS bucket without versioning is considered non-compliant.

  • No backup plan is created for the NAS file system

    To prevent business impact from data loss or damage in a NAS file system, regularly back up all directories and files in your General-purpose NAS file system using Cloud Backup. Cloud Backup lets you configure flexible backup policies to back up data to the cloud, and you can view and restore the data at any time. A NAS file system is considered compliant if a backup plan is created for it.

  • Encryption at rest for Secrets is not configured for an ACK cluster

    Encryption at rest for Secrets uses a key that you create in KMS to encrypt Kubernetes Secrets. This improves the security of sensitive information. An ACK Pro cluster is considered non-compliant if it does not use Alibaba Cloud KMS for encryption at rest for Secrets.

  • Flow log recording is not enabled for the VPC

    VPC provides the flow log feature to record inbound and outbound traffic for elastic network interfaces (ENIs) within a VPC. This helps you check access control rules, monitor network traffic, and troubleshoot network issues. A VPC is considered compliant if the flow log feature is enabled.

  • Server-side encryption is not enabled for the OSS bucket

    OSS protects data at rest with server-side encryption. This feature is ideal for applications that require high security or compliance for file storage. An OSS bucket is considered compliant if server-side encryption with KMS or OSS-managed encryption is enabled.

  • No route is set for a custom CIDR block in the VPC

    You can create a custom route table in a VPC, add custom route entries to it, and then bind the custom route table to a vSwitch to control its traffic. This allows more flexible network management. A custom CIDR block in a VPC is considered compliant if its associated route table contains at least one route for an IP address within the CIDR block.

  • The image used by an ECS instance is not regularly updated and hardened

    Regularly updating images ensures that the operating system and software have the latest security patches. This practice reduces the risk of attacks, keeps servers at peak performance, and allows quick startups during rapid deployment or recovery. An image used by an ECS instance is considered compliant if it is less than a specified number of days old. The default for this parameter is 180 days.

  • Secure access is not set in the OSS bucket policy

    HTTPS is more secure than HTTP. An OSS bucket is considered compliant if its access policy requires HTTPS for read and write operations, or denies access over HTTP. An OSS bucket with an empty access policy is considered not applicable.

  • RAM policy is not enabled for a NAS file storage endpoint

    An access point policy is a custom authorization policy provided by Alibaba Cloud NAS for access point clients. These policies let you grant permissions to different Resource Access Management (RAM) users or RAM roles in your account. For example, you can grant read/write mount access or permission to access file system resources as the root user. This provides more granular control and flexible permission management. A NAS file storage access point is considered compliant if a RAM policy is enabled for it.

  • ECS instance is not granted an instance RAM role

    An instance RAM role is a RAM role granted to an ECS instance. This role is a service role for Elastic Compute Service. With an instance RAM role, you can obtain a Security Token Service (STS) token from within an ECS instance without configuring an AccessKey, and then use the token to call the APIs of other cloud products. This improves security because the temporary identity credentials can only be obtained from within the instance and no AccessKey configuration is required. It protects your Alibaba Cloud account's AccessKey and enables fine-grained control and permission management through Resource Access Management (RAM). An ECS instance that is granted an instance RAM role is considered compliant.

  • CloudMonitor agent is not installed on a running ECS instance

    The host monitoring service of CloudMonitor uses the CloudMonitor agent to monitor the operating system of your hosts. Install the agent to collect operating system-level metrics and set alert rules for important metrics. This helps you track the status of your hosts. A running ECS instance is considered compliant if the CloudMonitor agent is installed and running on it. This rule does not apply to instances that are not running; they are considered not applicable.

  • Encryption is not set for the NAS file system

    If your file storage requires high security or compliance, enable the server-side encryption feature. Once server-side encryption is enabled, NAS encrypts data stored in the file system and automatically decrypts it when you access it. An encrypted NAS file system is considered compliant.

  • Security Center protection is not enabled for a running ECS instance

    Security Center provides mitigation capabilities such as asset information collection, threat discovery, intrusion detection, and compliance baselines. It uses these capabilities to collect and analyze various logs and data to monitor and detect potential security threats on servers. The Security Center plugin provides security protection services to a host. A host with the plugin installed is considered compliant. This rule does not apply to instances that are not in a running state; they are considered not applicable.

  • Log storage is not enabled for the OSS bucket

    Accessing Object Storage Service (OSS) generates many access logs. The log storage feature saves these logs as hourly log files to a specified bucket based on a fixed naming convention. You can analyze the stored logs using Alibaba Cloud Simple Log Service or by setting up a Spark cluster. Enabling log storage for an OSS bucket in Log Management is considered compliant.

  • An ACK version that is under maintenance is not used

    The Kubernetes community releases a minor version about every 4 months. Use a version that is still under maintenance. Expired cluster versions pose security threats and stability risks. After a cluster version expires, it no longer receives new features, bug fixes, or timely and valid technical support, which creates a risk of being unable to fix security vulnerabilities. An ACK cluster is considered compliant if its version is still under maintenance.

  • ACK cluster should not have a public network endpoint

    Public endpoints are vulnerable to network attacks. Use access control to restrict access permissions. In addition, transferring sensitive data over the public network can violate compliance requirements. An ACK cluster without a public network connection endpoint is considered compliant.

Network Services

  • EIP resource is idle

    An EIP is considered non-compliant if it is not attached to a resource instance and was created more than 7 days ago.

  • VPN instance does not use a multi-zone architecture

    For existing single-tunnel instances, enable zone redundancy in the console and configure dual tunnels to connect to the peer. A single-tunnel VPN instance is considered non-compliant.

  • NLB instance does not use a multi-zone architecture

    Configure Network Load Balancer instances for multi-zone deployment to ensure disaster recovery. A single-zone Network Load Balancer instance is considered non-compliant.

  • EIP resource is in an abnormal running state

    Checks for abnormal EIP resources. An EIP is considered non-compliant if it is disabled or inactive.

  • Abnormal NAT Gateway processing load

    This check examines the resource usage of the NAT Gateway during an inspection period. It monitors concurrent connections, new connections, traffic processing rate, and overloaded SNAT source ports. This helps assess whether the current resource configuration meets business needs and identifies network risks from insufficient resources. A resource is considered non-compliant if, during the last inspection period, it triggered a "NAT session limit exceeded and connection dropped" event, a "NAT new session limit exceeded" alert, or an "SNAT source port allocation failed" alert. The resource is also non-compliant if the traffic processing rate of the NAT instance is too high.

  • Abnormal VPN service load

    This check evaluates the VPN service level during the inspection period. It counts how often bandwidth and BGP dynamic routing propagation limits are exceeded. This helps assess the health of the VPN service and identify network threats caused by insufficient resources. An instance is considered non-compliant if the number of SSL-VPN connections is too high, the server-side client CIDR block for the SSL VPN has insufficient addresses, or an alert was triggered during the last inspection period because the BGP dynamic route or VPN bandwidth limit was exceeded.

  • Abnormal ALB virtual IP processing load

    This check examines the load on the ALB virtual IP during an inspection period. It assesses the load on sessions, connections, QPS, and bandwidth. This helps evaluate whether the current resource configuration meets business needs and identifies network risks caused by insufficient resources. A resource is considered non-compliant if an alert was triggered in the last inspection period for any of these issues: new connection loss due to an exceeded ALB session limit, a sudden increase in failed connections, an exceeded QPS limit, or packet loss due to an exceeded bandwidth limit.

  • Abnormal NLB virtual IP processing load

    This check inspects the load on the Network Load Balancer (NLB) virtual IP address from new and concurrent connections during the inspection period. This helps you evaluate whether the current resource configuration meets business needs and identify network risks from insufficient resources. The item is considered non-compliant if an alert for a sudden increase in failed NLB connections, dropped new connections, new connections exceeding the limit, or concurrent connections exceeding the limit was triggered during the last inspection period.

  • Abnormal BGP connection state for VBR resource

    Checks the running status of the leased line's Border Gateway Protocol (BGP) connection during the inspection period. It counts the frequency of abnormal events on the dedicated connection port. This helps monitor the quality of the carrier's leased line and promptly identify stability threats. If a BGP connection failure occurred during the last inspection period, the item is considered non-compliant.

  • Abnormal CLB processing load

    This check examines the load on the CLB during the inspection period, including the load on sessions, connections, and bandwidth. This helps you assess whether the current resource configuration meets business needs and identify network risks from insufficient capacity. A resource is considered non-compliant if an alert was triggered during the last inspection period for any of the following issues: packet loss because the CLB bandwidth limit was exceeded, new connections dropped because the session limit was exceeded, or a sharp increase in failed connections.

  • Risk in TR routing configuration

    A Basic Edition TR route table is considered at risk if it has used 80% of its route entry quota. If the quota is exceeded, new routes cannot be loaded into the route table, which can cause network connectivity issues.

  • Health check is not configured for VBR

    A static route on the VBR points to an on-premises environment, but a health check is not configured. If the leased line fails, an automatic switchover cannot occur. This configuration is considered non-compliant if a health check is not configured for the CEN instance or the VBR uplink.

  • VBR lacks redundancy

    Checks the integrity of VBR redundant configurations to detect stability threats in leased line scenarios. A configuration is considered non-compliant if redundant lines are not configured for some or all CIDR blocks from a VPC to a VBR, or from a Transit Router (TR) in a Cloud Enterprise Network (CEN) to a VBR.

  • Express Connect circuit has an abnormal port

    Verifies the status of physical dedicated connection ports during each inspection period. It counts abnormal Border Gateway Protocol (BGP) connections to help monitor the carrier's leased line quality and promptly detect stability threats. If an alert for a port or link failure was triggered during the last inspection period, the item is considered non-compliant.

  • Abnormal EIP bandwidth usage

    This check reviews EIP bandwidth usage during an inspection period. It counts how often bandwidth utilization is high or packet loss occurs from exceeding bandwidth limits. This data helps assess whether the current bandwidth meets business needs and detects network threats from insufficient bandwidth. An EIP is considered non-compliant if it triggered a pre-alert for nearing the public bandwidth limit or a packet loss alert during the last inspection period, even if no other abnormalities were detected for the EIP.

  • Abnormal cross-region bandwidth usage

    This check monitors bandwidth usage on your Cloud Enterprise Network (CEN) inter-region connections. It helps you assess whether your current bandwidth meets business needs and detects network threats from insufficient bandwidth. The check counts the frequency of high bandwidth utilization and packet loss from exceeded bandwidth limits. This finding is reported if, during the last inspection period, an alert was triggered for packet loss on an inter-region connection or for packet loss in a traffic rerouting queue caused by bandwidth throttling.

Data Protection

  • SQL audit logs are not enabled for a high-specification database instance

    Audit logs provide a complete record of database operations and access. These records help troubleshoot O&M failures and meet cybersecurity regulations in China and financial regulatory requirements in Europe and Southeast Asia. A threat is present if SQL Audit is not enabled for a high-specification database instance. A high-specification instance is defined as an instance with 4 cores and 8 GB of memory or more, or an instance that belongs to an account in the finance industry.

  • Security audit is not enabled for a high-specification database instance

    Security Audit protects data assets by scanning database instances for threats such as data exfiltration, SQL injection, abnormal access, and database downloads. A high-specification instance is considered a threat if Security Audit is not enabled. A high-specification instance has 4 cores and 8 GB of memory or more, or generates more than 100 GB of full SQL logs per day.

  • Unified security collaboration is not enabled for a high-specification database instance

    Security Collaboration applies methods such as lock-free operations and batch processing during database changes. This feature promotes standard development practices and prevents non-standard operations from affecting database stability. A high-specification instance is an instance with 4 cores and 8 GB of memory or more.

  • Geo-disaster recovery is not enabled for the database instance

    A regional outage or failure can make your database unavailable. This check verifies whether a data synchronization task is created for a specific database instance. You can confirm the status on the Data Synchronization page in the DTS console or by using the API.

  • The number of slow SQL statements for the database instance is too high

    Finding slow SQL statements is a common and effective method for identifying database performance issues. SQL statements with high CPU usage, long running times, high I/O usage, or a high number of scanned rows can be considered slow SQL statements. Besides running slowly, slow SQL statements can also lock resources. This affects the performance of other SQL statements, increases CPU and system load, and can cause service instability. A database instance is considered at risk if it has more than 100 slow SQL statements within the last 24 hours. This detection rule does not apply to instances without account credentials or to instances with fewer than 50 queries per second (QPS).

  • Sensitive data protection is not enabled for a high-specification database instance

    Enabling sensitive data protection provides dynamic security protection for sensitive data. This prevents sensitive data leakage and avoids compliance risks.

  • Cross-region backup is not enabled for the database instance

    Databases are at risk of data loss during a regional outage or failure. To check the status of the cross-region backup feature for a database instance, go to the Backup and Recovery page from the Instance Details page in the Database Engine console, or query the status using an API.
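The two Machine Learning lens security group checks above (an inbound rule allowing 0.0.0.0/0 on any port, and vulnerable ports 22/3389 reachable from the public network) can be reproduced locally against exported rules. The following is an added example, not Cloud Governance Center code; the rule dictionaries are modeled on ECS security group permission fields (Direction, Policy, IpProtocol, PortRange such as "22/22" or "-1/-1", SourceCidrIp), which is an assumption about the input format, and the sample group is constructed.

```python
"""Evaluate an ECS security group against the two Machine Learning lens
security group checks on this page:

  1. an inbound rule allows 0.0.0.0/0 on any port
  2. an inbound rule exposes a vulnerable port (SSH 22, RDP 3389) to the public network

Added example, not Cloud Governance Center code. The rule field names
(Direction, Policy, IpProtocol, PortRange, SourceCidrIp) are modeled on ECS
security group permissions; that input shape is an assumption.
"""
import ipaddress

# Ports the page names as vulnerable when reachable from the public network.
VULNERABLE_PORTS = {22: "SSH", 3389: "RDP"}
# Protocols for which a port range is meaningful; ICMP and GRE carry no ports.
PORT_PROTOCOLS = {"TCP", "UDP", "ALL"}


def parse_port_range(port_range):
    """Turn "22/22", "1/1024" or "-1/-1" (every port) into an inclusive (low, high)."""
    low, high = (int(p) for p in port_range.split("/"))
    if (low, high) == (-1, -1):
        return 1, 65535
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {port_range!r}")
    return low, high


def is_any_address(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a source that means 'all IP addresses'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def inbound_accept_rules(rules):
    """Only inbound Accept rules on port-carrying protocols can expose a port.

    Caveat: a Drop rule with a higher priority (lower Priority value) could
    shadow an Accept rule for the same source and port. That resolution is
    deliberately not modelled here; flagging the Accept rule anyway is the
    conservative choice for an audit.
    """
    return [r for r in rules
            if r.get("Direction") == "ingress"
            and r.get("Policy") == "Accept"
            and r.get("IpProtocol", "").upper() in PORT_PROTOCOLS]


def check_open_to_world_any_port(rules):
    """Check 1: the inbound Accept rules that allow 0.0.0.0/0 on every port."""
    return [r for r in inbound_accept_rules(rules)
            if is_any_address(r["SourceCidrIp"])
            and parse_port_range(r["PortRange"]) == (1, 65535)]


def check_vulnerable_ports_exposed(rules):
    """Check 2: sorted (port, name) pairs reachable over TCP from 0.0.0.0/0."""
    exposed = set()
    for r in inbound_accept_rules(rules):
        # SSH and RDP are TCP services; a UDP-only rule does not expose them.
        if r["IpProtocol"].upper() == "UDP" or not is_any_address(r["SourceCidrIp"]):
            continue
        low, high = parse_port_range(r["PortRange"])
        exposed.update((p, n) for p, n in VULNERABLE_PORTS.items() if low <= p <= high)
    return sorted(exposed)


def assess_security_group(sg):
    """Apply both checks and report compliance the way the lens table states it."""
    rules = sg["Permissions"]
    any_port = check_open_to_world_any_port(rules)
    exposed = check_vulnerable_ports_exposed(rules)
    return {
        "SecurityGroupId": sg["SecurityGroupId"],
        "open_to_world_any_port": any_port,
        "vulnerable_ports_exposed": exposed,
        "compliant": not any_port and not exposed,
    }


# Constructed sample: a training-node security group with one real problem
# (SSH open to the world) and several rules that must NOT produce a finding.
SAMPLE_SECURITY_GROUP = {
    "SecurityGroupId": "sg-example-ml-train",
    "Permissions": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
        # internal any-port rule: specific source range, so check 1 does not fire
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8", "Priority": 1},
        # UDP 3389 from anywhere is sloppy but is not RDP exposure
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "UDP",
         "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
        # ICMP has no ports, so "-1/-1" here is not "any port"
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP",
         "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
        # outbound rules are out of scope for both inbound checks
        {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0", "Priority": 1},
        # Drop rules never expose anything
        {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Priority": 100},
    ],
}

if __name__ == "__main__":
    result = assess_security_group(SAMPLE_SECURITY_GROUP)
    for port, name in result["vulnerable_ports_exposed"]:
        print(f'{result["SecurityGroupId"]}: {name} ({port}/tcp) reachable from 0.0.0.0/0')
    print("compliant:", result["compliant"])
```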
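The "Secure access is not set in the OSS bucket policy" check above has three outcomes: compliant when the policy requires HTTPS for reads and writes or denies HTTP, non-compliant otherwise, and not applicable when the policy is empty. The following added example (not Cloud Governance Center code) applies that decision to bucket policy documents; it assumes the policy expresses the transport condition with the Bool condition key acs:SecureTransport, and the sample policies are constructed.

```python
"""Classify an OSS bucket policy for the 'Secure access is not set in the
OSS bucket policy' check described on this page.

Added example, not Cloud Governance Center code. Assumes the policy uses the
Bool condition key acs:SecureTransport to tell HTTPS requests from HTTP ones.
"""
import json

# "Read and write operations" in the check are taken to mean object reads and writes.
READ_WRITE_ACTIONS = {"oss:GetObject", "oss:PutObject"}


def _as_list(value):
    """Policy fields such as Action and Statement may be a string/object or a list."""
    return value if isinstance(value, list) else [value]


def secure_transport_values(statement):
    """Lower-cased acs:SecureTransport values of a statement, or None if absent."""
    values = statement.get("Condition", {}).get("Bool", {}).get("acs:SecureTransport")
    if values is None:
        return None
    return {str(v).lower() for v in _as_list(values)}


def covers_read_and_write(statement):
    """True if the statement's actions include object reads and writes (or oss:*)."""
    actions = set(_as_list(statement.get("Action", [])))
    return "oss:*" in actions or READ_WRITE_ACTIONS <= actions


def denies_http(statement):
    """A Deny on read/write actions that applies whenever the request is not HTTPS."""
    return (statement.get("Effect") == "Deny"
            and covers_read_and_write(statement)
            and secure_transport_values(statement) == {"false"})


def requires_https(statement):
    """An Allow that only takes effect when the request is over HTTPS."""
    return (statement.get("Effect") == "Allow"
            and secure_transport_values(statement) == {"true"})


def assess_bucket_secure_access(policy_text):
    """Return 'compliant', 'non-compliant' or 'not applicable' for one bucket policy."""
    if policy_text is None or not policy_text.strip():
        return "not applicable"          # empty policy, as the check item states
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    if not statements:
        return "not applicable"
    if any(denies_http(s) for s in statements):
        return "compliant"               # plain HTTP is explicitly denied
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    # Every grant must be conditioned on HTTPS; one unconditional Allow is enough to fail.
    if allows and all(requires_https(s) for s in allows):
        return "compliant"
    return "non-compliant"


# Constructed sample policies for a bucket named example-bucket.
DENY_HTTP_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"],
        "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
        "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
    }],
})

HTTPS_ONLY_ALLOW_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
        "Principal": ["*"], "Resource": ["acs:oss:*:*:example-bucket/*"],
        "Condition": {"Bool": {"acs:SecureTransport": ["true"]}},
    }],
})

PLAINTEXT_ALLOW_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": ["oss:GetObject"],
        "Principal": ["*"], "Resource": ["acs:oss:*:*:example-bucket/*"],
    }],
})

EMPTY_POLICY = ""

if __name__ == "__main__":
    for name, policy in [("deny-http", DENY_HTTP_POLICY),
                         ("https-only-allow", HTTPS_ONLY_ALLOW_POLICY),
                         ("plaintext-allow", PLAINTEXT_ALLOW_POLICY),
                         ("empty", EMPTY_POLICY)]:
        print(f"{name}: {assess_bucket_secure_access(policy)}")
```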

View Lens assessment results

The Cloud Governance Center performs a governance maturity assessment on your cloud resources once a day. This includes all lenses. You can view the assessment data and follow the remediation guidance to resolve risks.

  1. Log on to the Cloud Governance Center console.

  2. In the navigation pane on the left, choose Well-Architected > Governance Maturity Assessment.

  3. In the top navigation bar, you can switch to any lens to view its assessment results.

    The following figure uses the Machine Learning lens as an example.


    Note

    Click Re-assess to manually obtain the latest assessment data for the lens.

  4. Click a check item that has risks. In the Assessment Details panel, view the detailed data and the remediation plan.