Compliance packages dynamically and continuously monitor the compliance of your resources and notify you of resource non-compliance at the earliest opportunity. This topic describes the check items of the 12 compliance packages that are provided by Cloud Config.

CISComplianceCheck

CIS stands for Center for Internet Security. The CISComplianceCheck compliance package dynamically and continuously monitors your resources to check whether the resources are compliant with the CIS Controls that are stipulated by CIS. For more information about CIS, visit CIS. If your resources are compliant with the CIS Controls, network security risks can be reduced.

The CIS Controls are a set of 20 control points or objectives designed to help enterprises safeguard their systems and data. The following table describes the check items of the CISComplianceCheck compliance package.
Item Description
Accounts The compliance package checks the passwords set for and permission policies attached to Alibaba Cloud accounts and RAM users.
Networks The compliance package checks the network ownership, security group configurations, traffic monitoring configurations, and whether ports are open for instances.
Instances The compliance package checks the details of disk encryption, system updates, and endpoint protection, and whether ports are open for instances.
Object Storage Service (OSS) buckets The compliance package checks the configurations of read and write permissions, secure transmission, and content encryption for OSS buckets.
Databases The compliance package checks the connection types, data encryption configurations, and audit configurations of databases.

ClassifiedProtectionPreCheck

The ClassifiedProtectionPreCheck compliance package dynamically and continuously monitors your resources to check whether the resources are compliant with Multi-Level Protection Scheme (MLPS) 2.0 Level 3. This allows you to perform self-service checks to pass the compliance evaluation of classified protection.

The following table describes the check items of the ClassifiedProtectionPreCheck compliance package.
Item Description
Network types The compliance package checks whether the network types of Elastic Compute Service (ECS) instances and database instances are virtual private clouds (VPCs). If an instance resides in a VPC, and the VPC is included in the VPCs indicated by the relevant rule parameter, the instance configuration is considered compliant.
Protection configurations The compliance package checks whether the IP address allowlists of ECS instances and database instances are set to 0.0.0.0/0 and whether encryption is enabled for each ECS data disk.
OSS buckets The compliance package checks whether OSS buckets are accessed in read-only mode and whether zone-redundant storage and server-side encryption by using OSS-managed keys are enabled.
Bandwidths The compliance package checks whether the bandwidths of Server Load Balancer (SLB) instances and elastic IP addresses reach the specified lower limits.

BestPracticesForOSS

Various customers store important business data in OSS buckets. If bucket configurations are non-compliant, business risks such as data leaks or loss may be brought about. The BestPracticesForOSS compliance package dynamically and continuously monitors the compliance of your OSS buckets and notifies you of non-compliance at the earliest opportunity.

The following table describes the check items of the BestPracticesForOSS compliance package.
Item Description
Read and write permissions The compliance package globally checks whether the access control lists (ACLs) of OSS buckets are set to public-read or public-read-write.
Protection configurations The compliance package checks whether object encryption and hotlink protection are enabled for OSS buckets. This helps improve data security.
Zone-redundant storage The compliance package checks whether zone-redundant storage is enabled for OSS buckets.

BestPracticesForNetwork

The BestPracticesForNetwork compliance package dynamically and continuously checks the network architecture, workloads, and security configurations for compliance issues. The compliance package also notifies you of non-compliance at the earliest opportunity.

The following table describes the check items of the BestPracticesForNetwork compliance package.
Item Description
Resource quotas of workloads The compliance package checks the resource quotas of workloads to ensure service continuity. If the resource quotas of workloads cannot reach the lower limits required by business peaks, the service may be interrupted during peak hours.
Network architecture The compliance package checks the network architecture to ensure business isolation from the Internet. If network configurations are inappropriate, the business system may be exposed to the Internet, and attacks over the Internet or data leaks may occur.
Real-time monitoring The compliance package checks whether real-time monitoring is enabled for networks to ensure that network errors can be identified at the earliest opportunity. This prevents potential business risks.

BestPracticesForAccountGovernance

The BestPracticesForAccountGovernance compliance package performs comprehensive compliance checks on Alibaba Cloud accounts and RAM users to help you identify and mitigate systematic risks in advance.

The following table describes the check items of the BestPracticesForAccountGovernance compliance package.
Item Description
Logons of Alibaba Cloud accounts or RAM users The compliance package checks the validity periods of the passwords set for Alibaba Cloud accounts and RAM users and whether multi-factor authentication (MFA) is enabled for them.
Security configurations The compliance package checks whether invalid RAM users, user groups, or permission policies exist, and whether key pairs are created for Alibaba Cloud accounts.
Authorization The compliance package checks whether policies are attached to RAM users and whether full permissions on Alibaba Cloud services are granted.

BestPracticesForDataBase

The BestPracticesForDataBase compliance package continuously checks the compliance of ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, and PolarDB instances in terms of encryption and access control. This helps prevent data leaks.

The following table describes the check items of the BestPracticesForDataBase compliance package.
Item Description
Validity periods The compliance package checks the validity periods of database instances.
Protection configurations The compliance package checks whether release protection is enabled and IP address allowlists are set to 0.0.0.0/0 for database instances.
Network types The compliance package checks whether the network types of database instances are VPCs and whether the specified VPCs are included in the expected value of the relevant rule parameter.

BestPracticesForECS

The BestPracticesForECS compliance package continuously checks the compliance of ECS instances in terms of statuses, security configurations, protection configurations, and snapshot configurations. This prevents the risks of business interruption and out-of-control costs.

The following table describes the check items of the BestPracticesForECS compliance package.
Item Description
Status The compliance package checks the status of ECS instances.
Security configurations The compliance package checks the validity periods and security groups of ECS instances.
Protection configurations The compliance package checks whether release protection and disk encryption are enabled for ECS instances.
Snapshot configurations The compliance package checks whether automatic snapshot policies are configured, whether automatic locking is enabled, and whether the retention periods of automatic snapshots meet the requirements for the disks of ECS instances.

RMiTComplianceCheck

The RMiTComplianceCheck compliance package checks the compliance of cloud IT systems based on the Risk Management in Technology (RMiT) framework for financial institutions in Malaysia.

The following table describes the check items of the RMiTComplianceCheck compliance package.
Item Description
Accounts The compliance package checks the passwords, permission policies, and logons of RAM users, and whether MFA is enabled for the RAM users.
SLB instances The compliance package checks whether release protection and HTTPS listeners are enabled for SLB instances, and whether the certificates issued by Alibaba Cloud are valid.
ECS instances The compliance package checks whether the network types of ECS instances are VPCs, whether disk encryption is enabled for the ECS instances, and whether the ECS instances are bound to public IPv4 addresses.
OSS buckets The compliance package checks whether server-side encryption by using Key Management Service (KMS), default server-side encryption, and log storage are enabled for OSS buckets.
ApsaraDB RDS instances The compliance package checks whether historical event logging and transparent data encryption (TDE) are enabled for ApsaraDB RDS instances and whether the instances support multi-zone deployment.
ActionTrail trails The compliance package checks whether an enabled ActionTrail trail exists and whether the trail records all types of event logs.

GovernanceCenterCompliancePractices

By using the GovernanceCenterCompliancePractices compliance package, you can configure and enable rules for all member accounts of your resource directory in a centralized manner in the Cloud Governance Center console. This prevents the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center from being modified. This also ensures the security of the multi-account environment.

BestPracticesForSecurityGroups

The BestPracticesForSecurityGroups compliance package continuously monitors the compliance of your security groups based on security group rules. This reduces security risks.

BestPracticesForOceanBase

The BestPracticesForOceanBase compliance package continuously monitors the compliance of your OceanBase resources based on the BestPracticesForSecurityGroups compliance package.

BestPracticesForResourceStability

The BestPracticesForResourceStability compliance package monitors the stability of cloud resources from the following six dimensions: high-availability infrastructure, capacity protection, change management, monitoring management, backup management, and fault isolation. This helps you detect risks at the earliest opportunity and improve the stability and O&M efficiency of your cloud resources.