This topic describes the managed rules that are provided in the CISComplianceCheck compliance package template.
Rule | Description |
---|---|
ecs-in-use-disk-encrypted | If encryption is enabled for each Elastic Compute Service (ECS) data disk that is in use, the evaluation result is compliant. |
ecs-available-disk-encrypted | If encryption is enabled for each ECS data disk that is to be mounted, the evaluation result is compliant. |
ecs-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ECS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant. |
sg-risky-ports-check | If no inbound rule of each security group allows access from 0.0.0.0/0 to port 22 or port 3389, the evaluation result is compliant. |
ram-user-mfa-check | If multi-factor authentication (MFA) is enabled for each RAM user, the evaluation result is compliant. |
root-ak-check | If no AccessKey pairs exist in each Alibaba Cloud account, the evaluation result is compliant. |
root-mfa-check | If MFA is enabled for each Alibaba Cloud account, the evaluation result is compliant. |
ram-password-policy-check | If the settings of password policies configured for each RAM user meet the specified values, the evaluation result is compliant. |
ram-policy-no-statements-with-admin-access-check | If no policy attached to a RAM user, RAM user group, or RAM role contains a statement whose Action parameter is set to *, the evaluation result is compliant. An Action value of * grants super administrator permissions. |
ram-user-no-policy-check | If no policies are attached to each RAM user, the evaluation result is compliant. |
oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |
oss-encryption-byok-check | If the specified customer master key (CMK) managed by Key Management Service (KMS) is used to encrypt each Object Storage Service (OSS) bucket, the evaluation result is compliant. |
rds-instance-enabled-auditing | If the SQL audit feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
rds-instance-sql-collector-retention | If the SQL audit feature is enabled for each ApsaraDB RDS for MySQL instance and SQL audit logs are retained for a period longer than or equal to that specified by the input parameter, the evaluation result is compliant. |
rds-postgresql-parameter-log-connections | If the log_connections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
rds-postgresql-parameter-log-disconnections | If the log_disconnections parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
rds-postgresql-parameter-log-duration | If the log_duration parameter of each ApsaraDB RDS for PostgreSQL database is set to on, the evaluation result is compliant. |
oss-bucket-anonymous-prohibited | If the access control list (ACL) of each OSS bucket is set to private, the evaluation result is compliant. Alternatively, if an authorization policy is specified for OSS buckets that allow public-read access or public-read-write access and no read/write permissions are granted to anonymous accounts in the authorization policy, the evaluation result is compliant. |
oss-bucket-only-https-enabled | If the permission policy of each OSS bucket includes settings that allow HTTPS requests and deny HTTP requests, the evaluation result is compliant. |
oss-bucket-authorize-specified-ip | If the read or write permissions of each OSS bucket are set to private or the permission policy of each OSS bucket includes the required IP whitelists, the evaluation result is compliant. |
oss-bucket-public-write-prohibited | If the ACL of each OSS bucket does not grant write access to anonymous users from the Internet (the ACL is not public-read-write), the evaluation result is compliant. |
oss-bucket-public-read-prohibited | If the ACL of each OSS bucket does not grant read access to anonymous users from the Internet (the ACL is neither public-read nor public-read-write), the evaluation result is compliant. |
ecs-all-enabled-security-protection | If the Security Center agent is installed on each ECS instance, the evaluation result is compliant. |
ecs-all-updated-security-vul | If the vulnerabilities that are identified by Security Center on each ECS instance are fixed, the evaluation result is compliant. |
vpc-secondary-cidr-route-check | If the related route table includes at least one entry that indicates the routing information of IP addresses for a custom VPC CIDR block, the evaluation result is compliant. |
ram-user-last-login-expired-check | If each RAM user has logged on to the console at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the time when the user was last updated instead. If that update time is not more than 90 days before the current time, the evaluation result is compliant. |
ram-user-ak-create-date-expired-check | If the period between the time when the AccessKey pair of a RAM user is created and the time when the compliance evaluation starts is shorter than or equal to that specified by the input parameter, the evaluation result is compliant. |
vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the evaluation result is compliant. |
rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
rds-instance-enabled-ssl | If the SSL certificate feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
actiontrail-trail-intact-enabled | If an active trail exists in ActionTrail and the events of all types that are generated in all regions are tracked, the evaluation result is compliant. |
waf-instance-logging-enabled | If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF), the evaluation result is compliant. |
ack-cluster-network-type-check | If the Terway network plug-in is used on each Container Service for Kubernetes (ACK) cluster, the evaluation result is compliant. |
ack-cluster-public-endpoint-check | If the Kubernetes API server of each ACK cluster does not expose a public IP address and port, the evaluation result is compliant. |
ack-cluster-node-monitorenabled | If the CloudMonitor agent is installed on all nodes in each ACK cluster and runs as expected, the evaluation result is compliant. |
security-center-notice-config-check | If a notification method is specified for each Security Center notification item, the evaluation result is compliant. |
security-center-version-check | If Security Center Enterprise Edition or a more advanced edition is used, the evaluation result is compliant. |
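The rule descriptions above only state the pass condition. The following Python block is an added example, not part of the compliance package or of Cloud Config itself, that reproduces the evaluation logic of three of those rules locally: sg-risky-ports-check over security group rules, ram-policy-no-statements-with-admin-access-check over a RAM policy document, and oss-bucket-only-https-enabled over an OSS bucket policy. The security group rule fields (Direction, Policy, IpProtocol, PortRange, SourceCidrIp, Priority) are assumed to match the shape returned by the ECS DescribeSecurityGroupAttribute API, and the precedence model (lower Priority value wins, Drop beats Accept at equal priority) is an assumption of the example; all sample rules and policies are constructed for illustration.

```python
"""Local evaluators for three CISComplianceCheck rules (added example, assumed data formats)."""
import ipaddress
import json

# Ports that sg-risky-ports-check treats as risky when exposed to 0.0.0.0/0.
RISKY_PORTS = (22, 3389)


def _port_range(port_range):
    """Parse an ECS-style PortRange such as '22/22', '1/65535' or '-1/-1' (all ports)."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def _is_world_open(cidr):
    """True when the source CIDR admits every IPv4 address, i.e. 0.0.0.0/0."""
    if not cidr:  # rule keyed on a source security group rather than a CIDR
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.prefixlen == 0


def sg_risky_ports_violations(permissions, risky_ports=RISKY_PORTS):
    """Return the risky ports that a security group's ingress rules expose to 0.0.0.0/0.

    Assumed precedence: the rule with the lowest Priority value decides; at equal
    priority a Drop rule beats an Accept rule. Only rules whose source is 0.0.0.0/0
    matter here, because a Drop scoped to a narrower CIDR leaves other addresses open.
    """
    exposed = []
    for port in risky_ports:
        matching = []
        for perm in permissions:
            if perm.get("Direction", "ingress") != "ingress":
                continue
            if perm.get("IpProtocol", "ALL").upper() not in ("TCP", "ALL"):
                continue
            if not _is_world_open(perm.get("SourceCidrIp", "")):
                continue
            lo, hi = _port_range(perm.get("PortRange", "-1/-1"))
            if lo <= port <= hi:
                matching.append(perm)
        if not matching:
            continue
        winner = min(matching, key=lambda p: (p.get("Priority", 1),
                                              0 if p.get("Policy") == "Drop" else 1))
        if winner.get("Policy", "Accept") == "Accept":
            exposed.append(port)
    return exposed


def ram_policy_admin_statements(policy_document):
    """Return the indexes of Allow statements whose Action is '*' (super administrator)."""
    doc = json.loads(policy_document)
    hits = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a.strip() == "*" for a in actions):
            hits.append(i)
    return hits


def oss_policy_denies_http(policy_document):
    """True if a Deny statement rejects requests sent without TLS (acs:SecureTransport false)."""
    doc = json.loads(policy_document)
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        values = stmt.get("Condition", {}).get("Bool", {}).get("acs:SecureTransport", [])
        if isinstance(values, str):
            values = [values]
        if any(str(v).lower() == "false" for v in values):
            return True
    return False


# Constructed sample inputs (not real account data).
SAMPLE_PERMISSIONS = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 1},          # SSH open to the world: violation
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "10.0.0.0/8", "Priority": 1},         # RDP from a private range only: fine
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 50},         # catch-all drop
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "1/65535",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 100},        # lower precedence than the drop
]
ADMIN_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": "acs:oss:*:*:example-bucket/*"}]})
HTTPS_ONLY_BUCKET_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "oss:*", "Principal": ["*"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
     "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}}]})

if __name__ == "__main__":
    print("exposed risky ports:", sg_risky_ports_violations(SAMPLE_PERMISSIONS))
    print("admin statements:", ram_policy_admin_statements(ADMIN_POLICY))
    print("bucket denies HTTP:", oss_policy_denies_http(HTTPS_ONLY_BUCKET_POLICY))
```

Port 22 is reported because its Accept rule (priority 1) outranks the catch-all Drop (priority 50), while the broad Accept at priority 100 loses to that Drop, so port 3389 is not exposed; this is why evaluating precedence per port, rather than scanning for any rule mentioning 0.0.0.0/0, matters when reproducing the check.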