
Cloud Config: Best Practices for the Well-Architected Framework (WAF) Security Pillar

Last Updated:Oct 31, 2023

The security pillar of the Alibaba Cloud Well-Architected Framework helps you regulate and implement security across network, identity, host, and data, and continuously detect and respond to threats. The compliance package template maps the requirements of the security pillar to Cloud Config rule templates. This topic describes the default rules in the best-practice compliance package for the security pillar of the Alibaba Cloud Well-Architected Framework.

Rule name

Description

actiontrail-trail-intact-enabled

Checks whether an active trail exists in ActionTrail and whether that trail tracks events of all types generated in all regions. If so, the evaluation result is Compliant. If the administrator of the resource directory has created a trail that applies to all member accounts, the evaluation result is also Compliant.

adb-cluster-maintain-time-check

Checks whether the maintenance period of each AnalyticDB cluster falls in a specified time range. If so, the evaluation result is Compliant.

adb-public-access-check

Checks whether Internet access is disabled for each AnalyticDB instance. If so, the evaluation result is Compliant.

api-gateway-group-domain-access-waf-or-waf3

If the domain name bound to each API group in API Gateway is added to WAF or WAF 3.0, the evaluation result is Compliant.

api-gateway-group-enabled-ssl

If an SSL certificate is specified for the custom domain of the API group of API Gateway, the evaluation result is Compliant.

ecs-disk-idle-check

If the disk is in the In Use state, the evaluation result is Compliant. This rule does not apply to the disks whose creation time is within the specified number of days. The default number of days is 7.

ecs-in-use-disk-encrypted

If the encryption feature is enabled for each ECS data disk that is in use, the evaluation result is Compliant.

ecs-instance-enabled-security-protection

Checks whether the CloudMonitor agent, which the page describes as providing security protection services, is installed on each ECS instance. If the agent is installed, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running.

ecs-instance-ram-role-attached

Checks whether a RAM role is assigned to each ECS instance. If so, the evaluation result is Compliant.

ecs-instance-status-no-stopped

Checks whether each ECS instance is in the Stopped state. If not, the evaluation result is Compliant.

ecs-instance-updated-security-vul

Checks whether Security Center has detected unfixed vulnerabilities of a specified type or a specified level on each ECS instance. If no such vulnerabilities are detected, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running.

ecs-instances-in-vpc

If no parameter is set, the system checks whether the network type of each ECS instance is set to VPC. If you specify the required parameter, the system checks whether the VPC where ECS instances reside matches the specified setting. If so, the evaluation result is Compliant. Separate multiple parameter values with commas (,).

ecs-running-instance-no-public-ip

Checks whether no public IPv4 addresses or elastic IP addresses are assigned to the ECS instances that are running. If so, the evaluation result is Compliant.

ecs-security-group-not-used

If no idle security group exists, which means at least one ECS instance is added to each security group, the evaluation result is Compliant.

sg-risky-ports-check

Checks whether each security group that allows inbound access from 0.0.0.0/0 denies the specified high-risk ports. If so, the evaluation result is Compliant. If no inbound rule uses 0.0.0.0/0 as the authorization object, the evaluation result is Compliant even if the port range includes the specified high-risk ports. If a high-risk port is denied by an authorization policy with a higher priority than the rule that allows it, the evaluation result is Compliant. This rule does not apply to security groups that belong to Alibaba Cloud services other than ECS or that are used by virtual network operators (VNOs).

ecs-security-group-white-list-port-check

Checks whether each inbound rule in a security group allows access only from the ports in a specified range when the Authorization Object parameter of the inbound rule is set to 0.0.0.0/0. If so, the evaluation result is Compliant. This rule does not apply to the security groups that are used by cloud services or VNOs.
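The two security group rules above (sg-risky-ports-check and ecs-security-group-white-list-port-check) differ in one important way: the first reasons about the effective result after rule priorities are applied, the second inspects every 0.0.0.0/0 accept rule on its own. The following Python is an added example written for this page, not Cloud Config's own evaluator or Alibaba Cloud SDK code. It assumes a hypothetical SgRule record with the shape of an ECS security group rule (Alibaba Cloud priorities run from 1, highest, to 100, lowest; on a tie a drop rule beats an accept rule; port ranges use the "start/end" form with "-1/-1" meaning all ports) and uses a constructed list of high-risk ports and sample rules.

```python
from dataclasses import dataclass

ANY_SOURCE = "0.0.0.0/0"
# Constructed defaults; the real rule takes the high-risk port list as a parameter.
DEFAULT_RISKY_PORTS = (22, 3389, 1433, 3306, 6379, 27017)


@dataclass(frozen=True)
class SgRule:
    """One security group rule (hypothetical shape, not an Alibaba Cloud SDK type)."""
    direction: str      # "ingress" or "egress"
    policy: str         # "accept" or "drop"
    priority: int       # 1..100; a smaller number is a higher priority
    source_cidr: str    # authorization object, e.g. "0.0.0.0/0"
    port_range: str     # "start/end"; "-1/-1" means all ports
    protocol: str = "tcp"


def parse_port_range(port_range: str) -> tuple[int, int]:
    """Turn "22/22" into (22, 22); "-1/-1" means the whole port space."""
    start, end = (int(x) for x in port_range.split("/"))
    if (start, end) == (-1, -1):
        return 1, 65535
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"malformed port range {port_range!r}")
    return start, end


def _any_source_ingress(rules):
    """Only inbound TCP (or all-protocol) rules open to the whole Internet are in scope."""
    return [r for r in rules
            if r.direction == "ingress" and r.source_cidr == ANY_SOURCE
            and r.protocol in ("tcp", "all")]


def effective_policy(rules, port):
    """'accept', 'drop' or None for TCP traffic to `port` from 0.0.0.0/0.
    The lowest priority number wins; on a tie, drop beats accept."""
    hits = []
    for r in _any_source_ingress(rules):
        lo, hi = parse_port_range(r.port_range)
        if lo <= port <= hi:
            hits.append(r)
    if not hits:
        return None
    winner = min(hits, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    return winner.policy


def exposed_risky_ports(rules, risky_ports=DEFAULT_RISKY_PORTS):
    """sg-risky-ports-check: high-risk ports still reachable from 0.0.0.0/0
    once priorities and higher-priority drop rules are taken into account."""
    return [p for p in risky_ports if effective_policy(rules, p) == "accept"]


def ranges_outside_whitelist(rules, allowed):
    """ecs-security-group-white-list-port-check: every accept rule whose authorization
    object is 0.0.0.0/0 must fit inside one of the allowed (start, end) ranges."""
    bad = []
    for r in _any_source_ingress(rules):
        if r.policy != "accept":
            continue
        lo, hi = parse_port_range(r.port_range)
        if not any(a <= lo and hi <= b for a, b in allowed):
            bad.append(r.port_range)
    return bad


def evaluate(rules, risky_ports=DEFAULT_RISKY_PORTS, allowed=((80, 80), (443, 443))):
    """Return the evaluation result of both rules for one security group."""
    return {
        "sg-risky-ports-check":
            "COMPLIANT" if not exposed_risky_ports(rules, risky_ports) else "NON_COMPLIANT",
        "ecs-security-group-white-list-port-check":
            "COMPLIANT" if not ranges_outside_whitelist(rules, allowed) else "NON_COMPLIANT",
    }


# Constructed sample security group.
SAMPLE_RULES = [
    SgRule("ingress", "accept", 1, ANY_SOURCE, "80/80"),
    SgRule("ingress", "accept", 1, ANY_SOURCE, "443/443"),
    SgRule("ingress", "accept", 100, ANY_SOURCE, "22/22"),       # SSH open to the world
    SgRule("ingress", "accept", 50, ANY_SOURCE, "3389/3389"),    # RDP allowed ...
    SgRule("ingress", "drop", 1, ANY_SOURCE, "3389/3389"),       # ... but denied at higher priority
    SgRule("ingress", "accept", 1, "10.0.0.0/8", "3306/3306"),   # internal only, out of scope
    SgRule("egress", "accept", 1, ANY_SOURCE, "-1/-1"),
]

if __name__ == "__main__":
    print(exposed_risky_ports(SAMPLE_RULES))                             # [22]
    print(ranges_outside_whitelist(SAMPLE_RULES, [(80, 80), (443, 443)]))  # ['22/22', '3389/3389']
    print(evaluate(SAMPLE_RULES))
```

Note how the sample group fails both rules for different reasons: port 22 is exposed because nothing overrides the low-priority accept rule, while port 3389 passes sg-risky-ports-check (the priority-1 drop wins) but still fails the whitelist rule, which judges each 0.0.0.0/0 accept rule on its own.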

elasticsearch-instance-enabled-data-node-encryption

Checks whether the disk encryption feature is enabled for the data nodes of each Elasticsearch instance. If so, the evaluation result is Compliant.

elasticsearch-instance-in-vpc

If a VPC range is specified, checks whether the VPC where each Elasticsearch cluster resides is in that range. If no range is specified, checks whether each Elasticsearch cluster resides in a VPC. If the applicable condition is met, the evaluation result is Compliant.

ess-scaling-configuration-enabled-internet-check

If the scaling configurations of Auto Scaling do not specify that public IPv4 addresses are assigned to the ECS instances they create, the evaluation result is Compliant.

fc-service-internet-access-disable

If Internet access is disabled for Function Compute, the evaluation result is Compliant.

fc-service-vpc-binding

If the functions of the service can be invoked only in specific VPCs, the evaluation result is Compliant.

kms-key-origin-not-external

Checks whether the key material of each customer master key (CMK) in Key Management Service (KMS) was generated by Alibaba Cloud KMS rather than imported from an external source. If so, the evaluation result is Compliant.

kms-key-rotation-enabled

Checks whether the automatic rotation feature is enabled for the CMKs in KMS. If so, the evaluation result is Compliant.

kms-key-state-not-pending-deletion

If the status of a CMK in use is not set to pending deletion, the evaluation result is Compliant.

kms-secret-rotation-enabled

Checks whether the automatic rotation feature is enabled for KMS secrets. If so, the evaluation result is Compliant.

nas-filesystem-encrypt-type-check

If the server-side encryption feature is enabled for the NAS file systems that you create, the evaluation result of the rule is Compliant.

oss-bucket-logging-enabled

Checks whether the logging feature is enabled for each Object Storage Service (OSS) bucket on the Logs page. If so, the evaluation result is Compliant.

oss-bucket-only-https-enabled

Checks whether the bucket policy of each OSS bucket allows read and write operations over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. For OSS buckets without a bucket policy, the evaluation result is Not Applicable.

oss-bucket-policy-no-any-anonymous

If no read and write permissions are granted to anonymous accounts, the evaluation result is Compliant. If no policies are specified for OSS buckets, the evaluation result is Compliant.
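The two bucket policy rules above (oss-bucket-only-https-enabled and oss-bucket-policy-no-any-anonymous) both read the same JSON document, so one evaluator covers both. The Python below is an added example written for this page, not Cloud Config's own rule code or Alibaba Cloud SDK code. It assumes the OSS bucket policy format (a "Statement" list with Effect, Action, Principal, Resource and an optional Condition), that the wildcard principal "*" denotes anonymous access, and that plain HTTP is denied through a Bool condition on acs:SecureTransport; the two policy documents are constructed for the example.

```python
import json


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def denies_plain_http(statement) -> bool:
    """A Deny statement conditioned on acs:SecureTransport being false blocks HTTP."""
    if statement.get("Effect") != "Deny":
        return False
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    values = [str(v).lower() for v in _as_list(bool_cond.get("acs:SecureTransport"))]
    return "false" in values


def grants_anonymous(statement) -> bool:
    """An Allow statement whose principal includes the wildcard grants anonymous access."""
    return statement.get("Effect") == "Allow" and "*" in _as_list(statement.get("Principal"))


def _statements(policy_json):
    return json.loads(policy_json).get("Statement", [])


def check_only_https(policy_json) -> str:
    """oss-bucket-only-https-enabled: no policy -> NOT_APPLICABLE, as the rule describes."""
    if not policy_json:
        return "NOT_APPLICABLE"
    return "COMPLIANT" if any(denies_plain_http(s) for s in _statements(policy_json)) else "NON_COMPLIANT"


def check_no_anonymous(policy_json) -> str:
    """oss-bucket-policy-no-any-anonymous: no policy -> COMPLIANT, as the rule describes."""
    if not policy_json:
        return "COMPLIANT"
    return "NON_COMPLIANT" if any(grants_anonymous(s) for s in _statements(policy_json)) else "COMPLIANT"


# Constructed sample policies (bucket name and account ID are placeholders).
BUCKET_RESOURCES = ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]

HARDENED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {   # read/write for one named account, over any transport ...
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
            "Principal": ["123456789012345678"],
            "Resource": BUCKET_RESOURCES,
        },
        {   # ... but every request over plain HTTP is denied
            "Effect": "Deny",
            "Action": ["oss:*"],
            "Principal": ["*"],
            "Resource": BUCKET_RESOURCES,
            "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
        },
    ],
})

PUBLIC_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {   # anonymous read of every object, no transport restriction
            "Effect": "Allow",
            "Action": ["oss:GetObject"],
            "Principal": ["*"],
            "Resource": BUCKET_RESOURCES,
        },
    ],
})

if __name__ == "__main__":
    for name, policy in [("hardened", HARDENED_POLICY), ("public", PUBLIC_POLICY), ("none", None)]:
        print(name, check_only_https(policy), check_no_anonymous(policy))
```

The Deny statement in the hardened policy names the wildcard principal so that the HTTPS requirement applies to everyone, including the account that holds the Allow; that is why grants_anonymous() only looks at Allow statements. An Allow for "*" that carries a narrowing Condition (for example a source IP restriction) is still reported here, which matches the conservative reading of the rule text.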

oss-bucket-public-read-prohibited

Checks whether the access control list (ACL) policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant.

oss-bucket-public-write-prohibited

Checks whether the ACL policy of each OSS bucket denies write access from the Internet, that is, whether the bucket ACL is not set to public-read-write. If so, the evaluation result is Compliant.

oss-bucket-server-side-encryption-enabled

Checks whether the Encryption Method parameter of the server-side encryption feature is set to OSS-Managed for each OSS bucket. If so, the evaluation result is Compliant.

oss-bucket-versioning-enabled

Checks whether versioning is enabled for each OSS bucket. If so, the evaluation result is Compliant. If versioning is disabled, objects that are overwritten or deleted cannot be recovered.

oss-encryption-byok-check

Checks whether a custom KMS key is used to encrypt the data of each OSS bucket. If so, the evaluation result is Compliant.

ots-instance-all-table-encrypted

If the encryption feature is enabled for all tables on the Tablestore instance, the evaluation result is Compliant.

ram-group-has-member-check

Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant.

ram-password-policy-check

Checks whether the settings of password policies configured for each RAM user meet the specified values. If so, the evaluation result is Compliant.

ram-policy-no-statements-with-admin-access-check

If no policy attached to a RAM user, RAM user group, or RAM role contains an Allow statement whose Action element is set to an asterisk (*), which grants super administrator permissions, the evaluation result is Compliant.

ram-user-ak-create-date-expired-check

Checks whether the AccessKey pair of each RAM user was created within the specified number of days before the check time, that is, whether the AccessKey pair is not older than that many days. If so, the evaluation result is Compliant. Default value: 90.

ram-user-ak-used-expired-check

Checks whether the AccessKey pair of each RAM user was last used within the specified number of days before the current day, that is, whether the AccessKey pair has not been idle for longer than that many days. If so, the evaluation result is Compliant. Default value: 90.

ram-user-group-membership-check

Checks whether each RAM user belongs to a RAM user group. If so, the evaluation result is Compliant.

ram-user-mfa-check

Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant.

ram-user-no-product-admin-access

If a RAM user does not have the administrator permissions or the administrator permissions of a cloud service, either through policies attached directly to the user or through policies inherited from a RAM user group, the evaluation result is Compliant.
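The RAM rules above fall into two groups: policy-content checks (ram-policy-no-statements-with-admin-access-check and ram-user-no-product-admin-access, where the policies attached directly to a user and those inherited from its groups must be evaluated together) and AccessKey age checks (ram-user-ak-create-date-expired-check and ram-user-ak-used-expired-check). The Python below is an added example written for this page, not Cloud Config's own rule code or Alibaba Cloud SDK code. It assumes the RAM policy document format ("Version" and a "Statement" list with Effect, Action and Resource), that RAM returns AccessKey creation and last-used timestamps as ISO 8601 UTC strings of the form 2023-07-01T08:00:00Z, and, as a stated assumption of this example, that a key that has never been used is treated as last used when it was created. Policy documents and timestamps are constructed.

```python
import json
from datetime import datetime, timedelta, timezone


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(statement) -> bool:
    """An Allow statement with Action '*' is the super administrator grant the rule looks for.
    A Deny with Action '*' is not a grant and is ignored."""
    return statement.get("Effect") == "Allow" and "*" in _as_list(statement.get("Action"))


def policy_has_admin_statement(policy_document: str) -> bool:
    return any(is_admin_statement(s) for s in json.loads(policy_document).get("Statement", []))


def check_policies(policy_documents) -> str:
    """Evaluate the union of a principal's directly attached and group-inherited policies."""
    return "NON_COMPLIANT" if any(policy_has_admin_statement(d) for d in policy_documents) else "COMPLIANT"


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_access_key_age(created_at: str, last_used_at, now: datetime, max_days: int = 90):
    """Return both AccessKey rules' results for one key.
    A key is compliant when it was created, and last used, within max_days of `now`."""
    limit = timedelta(days=max_days)
    created = _parse_ts(created_at)
    # Assumption of this example: a never-used key counts as last used at creation time.
    last_used = _parse_ts(last_used_at) if last_used_at else created
    return {
        "ram-user-ak-create-date-expired-check": "COMPLIANT" if now - created <= limit else "NON_COMPLIANT",
        "ram-user-ak-used-expired-check": "COMPLIANT" if now - last_used <= limit else "NON_COMPLIANT",
    }


# Constructed sample policy documents.
ADMIN_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]}]})
DENY_ALL_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]})

# Constructed evaluation time matching the page's "Last Updated" date.
CHECK_TIME = datetime(2023, 10, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    # A user with only a scoped policy of its own, but inheriting the admin policy from a group.
    print(check_policies([SCOPED_POLICY, ADMIN_POLICY]))          # NON_COMPLIANT
    print(check_policies([SCOPED_POLICY, DENY_ALL_POLICY]))       # COMPLIANT
    # Key created 152 days ago but used yesterday: stale by creation date, not by usage.
    print(check_access_key_age("2023-06-01T00:00:00Z", "2023-10-30T12:00:00Z", CHECK_TIME))
    # Key created 46 days ago and never used.
    print(check_access_key_age("2023-09-15T00:00:00Z", None, CHECK_TIME))
```

Passing the directly attached and group-inherited documents through one call is what makes the check honest for ram-user-no-product-admin-access: a user whose own policies look harmless still fails when a group it belongs to carries the administrator grant.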

rds-instance-enabled-tde

Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

rds-instance-sql-collector-retention

Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS for MySQL instance and whether the number of days for which SQL audit logs can be retained is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 180.

rds-public-and-any-ip-access-check

Checks whether Internet access is enabled for each ApsaraDB RDS instance in your account and the 0.0.0.0/0 CIDR block is added to its IP address whitelist. If both conditions are true, the evaluation result is Non-compliant.

root-ak-check

Checks whether an AccessKey pair is created for each Alibaba Cloud account. If not, the evaluation result is Compliant.

root-mfa-check

Checks whether multi-factor authentication (MFA) is enabled for the current Alibaba Cloud account. If so, the evaluation result is Compliant.

security-center-version-check

Checks whether Security Center of Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant.

slb-instance-log-enabled

Checks whether the access log feature is enabled for each CLB instance. If so, the evaluation result is Compliant. This rule does not apply to CLB instances for which Layer 7 monitoring is disabled.

slb-listener-https-enabled

Checks whether an HTTPS listener is enabled on the specified ports of each SLB instance. If so, the evaluation result is Compliant. If only a TCP or UDP listener is enabled on the specified ports of each SLB instance, the evaluation result is Not Applicable.

vpc-flow-logs-enabled

Checks whether the flow log feature is enabled for each virtual private cloud (VPC). If so, the evaluation result is Compliant.

waf-instance-logging-enabled

Checks whether the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant.