This topic describes the managed rules that are provided in the GovernanceCenterCompliancePractices compliance package template.
Rule name | Description |
---|---|
oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each Object Storage Service (OSS) bucket, the evaluation result is compliant. |
oss-bucket-public-read-prohibited | If the access control list (ACL) of each OSS bucket denies read access from the Internet, the evaluation result is compliant. |
oss-bucket-public-write-prohibited | If the ACL of each OSS bucket denies write access from the Internet (the bucket ACL is not public-read-write), the evaluation result is compliant. |
root-ak-check | If no AccessKey pairs exist in each Alibaba Cloud account, the evaluation result is compliant. |
root-mfa-check | If multi-factor authentication (MFA) is enabled for each Alibaba Cloud account, the evaluation result is compliant. |
ecs-disk-encrypted | If encryption is enabled for each Elastic Compute Service (ECS) data disk, the evaluation result is compliant. |
sg-risky-ports-check | If no inbound rule of each security group allows access from 0.0.0.0/0 to a risky port (ports 22 and 3389 by default), the evaluation result is compliant. |
sg-public-access-check | If no inbound rule of each security group has the authorization policy set to Allow together with the port range -1/-1 (all ports) and the authorized IP address 0.0.0.0/0, the evaluation result is compliant. |
rds-instances-in-vpc | If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB RDS instance is set to Virtual Private Cloud (VPC). If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which ApsaraDB RDS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
rds-public-access-check | If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB RDS instance, the evaluation result is compliant. |
ram-password-policy-check | If the settings of password policies configured for each RAM user meet the specified values, the evaluation result is compliant. |
ram-user-ak-used-expired-check | If the time elapsed since each RAM user last used an AccessKey pair is shorter than the specified period, the evaluation result is compliant. |
ecs-instance-deletion-protection-enabled | If the release protection feature is enabled for each ECS instance, the evaluation result is compliant. |
slb-delete-protection-enabled | If the release protection feature is enabled for each Server Load Balancer (SLB) instance, the evaluation result is compliant. |
root-has-specified-role | If each Alibaba Cloud account has the specified RAM role, the evaluation result is compliant. |
ram-user-mfa-check | If MFA is enabled for each RAM user, the evaluation result is compliant. |
slb-listener-https-enabled | If the listeners on ports 80 and 8080 of each SLB instance are HTTPS listeners, the evaluation result is compliant. |
resource-region-limit | If each resource resides in the specified region, the evaluation result is compliant. |
ram-user-last-login-expired-check | If each RAM user logs on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time. If the last update time is not more than 90 days before the current time, the evaluation result is compliant. |
contains-tag | If each resource has one of the tag values specified for a tag key, the evaluation result is compliant. |
required-tags | If each resource has all the specified tags, the evaluation result is compliant. You can specify a maximum of six tags for this rule. |
oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |
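The network-exposure rules in the table (sg-risky-ports-check, sg-public-access-check and rds-public-access-check) reduce to a few CIDR and port-range comparisons. The following is an added example, not Alibaba Cloud Config's own implementation, that evaluates those three rules locally over constructed records. The field names (Direction, Policy, PortRange, SourceCidrIp, Ipv6SourceCidrIp) follow the names ECS uses for security-group rules, but the records themselves are constructed for this example. It goes slightly beyond the rule descriptions by also treating an IPv6 source of ::/0 as world-open.

```python
"""Local evaluators for three of the managed rules listed above.

Added example; not Alibaba Cloud Config's implementation. The rule records are
a constructed simplification of an ECS security-group rule, keeping only the
fields the checks need.
"""
import ipaddress

RISKY_PORTS = {22, 3389}                    # defaults named by sg-risky-ports-check
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")       # assumption: treat ::/0 like 0.0.0.0/0


def port_range(s):
    """Parse an ECS-style 'start/end' port range; '-1/-1' means all ports."""
    lo, hi = (int(x) for x in s.split("/"))
    if (lo, hi) == (-1, -1):
        return 1, 65535
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {s!r}")
    return lo, hi


def is_world_open(rule):
    """True for an inbound Accept rule whose source is the whole Internet.

    Rules whose source is another security group (no CIDR field) are not
    world-open, and egress or Drop rules are ignored.
    """
    if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
        return False
    v4 = rule.get("SourceCidrIp")
    v6 = rule.get("Ipv6SourceCidrIp")
    if v4 and ipaddress.ip_network(v4, strict=False) == ANY_V4:
        return True
    if v6 and ipaddress.ip_network(v6, strict=False) == ANY_V6:
        return True
    return False


def sg_risky_ports_check(rules, risky=RISKY_PORTS):
    """Compliant when no world-open inbound rule reaches a risky port."""
    for r in rules:
        if not is_world_open(r):
            continue
        lo, hi = port_range(r["PortRange"])
        if any(lo <= p <= hi for p in risky):
            return False
    return True


def sg_public_access_check(rules):
    """Compliant when no world-open inbound rule uses the port range -1/-1.

    As in the rule description, the protocol is not examined; a world-open
    rule for all ports is flagged whatever IpProtocol it carries.
    """
    return not any(is_world_open(r) and r["PortRange"] == "-1/-1" for r in rules)


def rds_public_access_check(whitelist):
    """Compliant when no entry of a comma-separated RDS IP whitelist is 0.0.0.0/0."""
    entries = [e.strip() for e in whitelist.split(",") if e.strip()]
    return all(ipaddress.ip_network(e, strict=False) != ANY_V4 for e in entries)


# Constructed sample data (not real cloud resources).
EXPOSED_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8"},
]

HARDENED_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, rules in (("exposed", EXPOSED_RULES), ("hardened", HARDENED_RULES)):
        print(name, "sg-risky-ports-check:", sg_risky_ports_check(rules),
              "sg-public-access-check:", sg_public_access_check(rules))
    print("rds whitelist '10.0.0.0/8,0.0.0.0/0':",
          rds_public_access_check("10.0.0.0/8,0.0.0.0/0"))
```

Note that the exposed sample passes sg-public-access-check while failing sg-risky-ports-check: the all-ports rule is restricted to 10.0.0.0/8, but SSH is open to the world. Both checks are needed, which is why the package contains both rules.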