This topic describes the default rules in ComplianceCheckOnTrainingArchitectureOfGPUAIModel. These rules check your architecture design for AI model training on GPUs to ensure that core resources, such as ECS, NAS, and OSS, meet your training requirements.
Rule name | Rule description |
An ACK cluster is compliant if it does not have a public endpoint. | |
An ACK cluster is compliant if it is upgraded to the latest version. | |
An ACK cluster is compliant if its version is still under maintenance. | |
Encryption at rest is configured for Secrets in the ACK cluster | An ACK cluster is compliant if encryption at rest is configured for its Secrets. This rule is not applicable to ACK Basic clusters. |
The CloudMonitor agent is installed on running ECS instances | A running ECS instance is compliant if the CloudMonitor agent is installed and running on it. This rule does not apply to instances that are not running. |
Security Center protection is enabled for running ECS instances | An instance is compliant if the Security Center plugin is installed to provide security protection. This rule does not apply to instances that are not running. |
An ECS instance is compliant if deletion protection is enabled. | |
The image used by the ECS instance was created within the specified number of days | An ECS instance is compliant if the number of days since its image was created is less than the specified value. The default value is 180 days. |
An ECS instance is compliant if it is not in the Stopped state. This rule does not apply to expired instances or instances with Economical Mode enabled. | |
An ECS instance is compliant if it is not directly assigned a public IPv4 address or an Elastic IP Address. | |
An ECS instance is compliant if an instance RAM role is attached to it. | |
An ECS instance is compliant if no SSH key pair is attached to it. This rule applies to scenarios where enterprises have special access control requirements for instances. | |
A security group is compliant if an inbound rule with an Allow policy does not have both the port range set to -1/-1 and the source set to 0.0.0.0/0. The security group is also compliant if a higher-priority rule denies such access. This rule does not apply to security groups used by Alibaba Cloud services or virtual server providers. | |
The security group does not open risky ports to all networks for a specified protocol | A security group is compliant if its inbound rules from 0.0.0.0/0 do not open risky ports for a specified protocol. This reduces the risk of brute-force attacks on logon passwords. The security group is also compliant if a higher-priority rule denies access to these risky ports. This rule does not apply to security groups used by Alibaba Cloud services or virtual server providers. The default risky ports are 22 and 3389. |
A RAM policy is enabled for the NAS file storage access point | A NAS file storage access point is compliant if a RAM policy is enabled for it. |
A NAS file system is compliant if a backup plan is created for it. | |
The root directory of the NAS file storage access point is not set to the default directory | A file storage access point is compliant if its root directory is not set to the default directory. |
A NAS file system is compliant if encryption is configured. | |
The ACL of the OSS bucket does not allow public-read-write access | An OSS bucket is compliant if its access control list (ACL) does not allow public-read-write access. If you grant public-read-write permissions on an OSS bucket, anyone can write data to it. This exposes you to the risk of malicious data injection. Disable this permission. |
An OSS bucket is compliant if its ACL does not allow public-read access. The public-read permission increases the risk of data leaks over the Internet. Disable this permission. | |
The ACL of the OSS bucket does not allow public-read-write access | An OSS bucket is compliant if its ACL does not allow public-read-write access. If you grant public-read-write permissions on an OSS bucket, anyone can write data to it. This exposes you to the risk of malicious data injection. Disable this permission. |
An OSS bucket is compliant if zone-redundant storage is enabled. This ensures data availability and durability if a data center becomes unavailable and helps you meet your data restoration objectives. | |
An OSS bucket is compliant if server-side encryption with OSS-managed keys or KMS-managed keys is enabled. | |
An OSS bucket is compliant if log storage is enabled in Log Management for the bucket. | |
Server-side encryption with KMS is enabled for the OSS bucket | An OSS bucket is compliant if server-side encryption with KMS-managed keys is enabled. |
An OSS bucket is compliant if versioning is enabled. This allows data to be recovered after it is overwritten or deleted. This rule does not apply if a data retention policy is enabled. | |
The access policy of the OSS bucket is configured for secure access | An OSS bucket is compliant if its access policy requires HTTPS for read and write operations or denies access over HTTP. This rule does not apply to OSS buckets that have an empty access policy. |
A VPC is compliant if its associated route table contains at least one route for an IP address within the custom CIDR block. | |
A VPC is compliant if the flow log feature is enabled. | |
The number of available IP addresses in the vSwitch is greater than the specified value | A vSwitch is compliant if its available IP address count is greater than the specified value. |