ComplianceCheckForISO-27001 refers to the security management standards in Appendix A of ISO/IEC 27001:2013 and provides specific recommended compliance tests in terms of risk detection and governance of cloud resources to help your organization implement, maintain, and continuously improve information security management. This topic describes the default rules that are provided in the ComplianceCheckForISO-27001 compliance package.
| Rule description | Requirement No. | Requirement description |
|---|---|---|
| Checks whether one of the console access and API access features is enabled for each RAM user. If so, the evaluation result is Compliant. | A.6.1.2 | Segregation of duties |
| Checks whether a policy is attached to each RAM user. If so, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or roles. | A.6.1.2 | Segregation of duties |
| Checks whether each RAM user group includes at least one RAM user and at least one policy is attached to the RAM user group. If so, the evaluation result is Compliant. | | |
| Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant. | | |
| Checks whether the Action parameter of each RAM user, RAM user group, and RAM role is not set to an asterisk (*). If so, the evaluation result is Compliant. An asterisk (*) indicates super administrator permissions. | | |
| Checks whether each policy is attached to at least one RAM user group, RAM role, or RAM user. If so, the evaluation result is Compliant. | | |
| Allows you to install a CloudMonitor agent on an instance to provide security protection services. If a CloudMonitor agent is installed on an instance, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. | | |
| Checks whether all resources have a specified tag. If so, the evaluation result is Compliant. You can specify a maximum of ten tags. Tag keys and values are case-sensitive. You can specify only one tag value for a tag key. | | |
| Checks whether related resources are associated with Elastic Compute Service (ECS) instances and whether the resource information is consistent with the resource group information if the related resources inherit the resource group to which the ECS instances belong. If so, the evaluation result is Compliant. This rule does not apply to related resources that are not associated with ECS instances. | | |
| Checks whether the resource group of each resource is not a default resource group. If so, the evaluation result is Compliant. If a resource has no resource group, the evaluation result is Not Applicable. | | |
| Checks whether an AccessKey pair is created for each Alibaba Cloud account. If not, the evaluation result is Compliant. | | |
| Checks whether a policy is attached to each RAM user. If so, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or roles. | | |
| Checks whether Internet access is enabled for each Elasticsearch cluster. If so, the evaluation result is Compliant. | | |
| Checks whether the bucket policy of each OSS bucket denies read and write access from the Internet. If so, the evaluation result is Compliant. | | |
| Checks whether Internet access is disabled for Function Compute. If so, the evaluation result is Compliant. | | |
| Checks whether each ECS instance resides in a virtual private cloud (VPC). If an ECS instance resides in a VPC, the evaluation result is Compliant. If you configure the required parameter and the VPC setting of the ECS instance matches the specified value, the evaluation result is Compliant. This rule does not apply to ECS instances that are not in the Running state. | | |
| Checks whether Internet access is disabled for each AnalyticDB instance. If so, the evaluation result is Compliant. | | |
| Checks whether no public endpoint is configured for each RDS instance. If so, the evaluation result is Compliant. To reduce exposure to attacks, we recommend that you do not configure direct access to RDS instances over the Internet in production environments. | | |
| Checks whether a public endpoint is configured for the API server of each Container Service for Kubernetes (ACK) cluster. If not, the evaluation result is Compliant. | | |
| Checks whether the security-enhanced mode is forcibly used when the metadata of each ECS instance is accessed. If so, the evaluation result is Compliant. | | |
| Checks whether the functions of a service can be invoked only from specific VPCs. If so, the evaluation result is Compliant. | | |
| Checks whether the ACL policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant. | | |
| Checks whether no public IPv4 addresses or elastic IP addresses are assigned to the ECS instances that are running. If so, the evaluation result is Compliant. | | |
| Checks whether Internet access is enabled for the endpoints of each PolarDB cluster. If not, the evaluation result is Compliant. | | |
| Checks whether multi-factor authentication (MFA) is enabled for each Alibaba Cloud account. If so, the evaluation result is Compliant. | | |
| Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant. | | |
| Checks whether Security Center Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant. | | |
| Checks whether the automatic rotation feature is enabled for Key Management Service (KMS) secrets. If so, the evaluation result is Compliant. This rule does not apply to a common key. | | |
| Checks whether the automatic rotation feature is enabled for the KMS secrets and the automatic rotation is performed based on the specified rotation period. If so, the evaluation result is Compliant. This rule does not apply to generic secrets because periodic key rotation cannot be enabled for a generic secret in KMS. | | |
| Checks whether the settings of the password policies that are configured for each RAM user meet the specified values. If so, the evaluation result is Compliant. | | |
| Checks whether the interval between the time when the AccessKey pair of a RAM user was created and the time when the compliance check started is less than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 90. Unit: days. | | |
| Checks whether an active trail exists in ActionTrail and events of all types that are generated in all regions are tracked. If so, the evaluation result is Compliant. If the administrator of a resource directory has created a trail that applies to all members, the evaluation result is Compliant. | | |
| Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant. This rule does not apply to instance types or editions that do not support the TDE feature. | A.10.1.1 | Policy on the use of cryptographic controls |
| Checks whether the bucket policy of each OSS bucket allows read and write access over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets that do not have a bucket policy. | | |
| Checks whether server-side encryption is enabled for each OSS bucket. If so, the evaluation result is Compliant. | | |
| Checks whether each Server Load Balancer (SLB) instance uses certificates that are issued by Alibaba Cloud. If so, the evaluation result is Compliant. | | |
| Checks whether the server-side encryption feature is enabled for the File Storage NAS (NAS) file systems that you create. If so, the evaluation result is Compliant. | A.10.1.1 | Policy on the use of cryptographic controls |
| Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant. | A.10.1.1 | Policy on the use of cryptographic controls |
| Checks whether the disk encryption feature is enabled for the data nodes of each Elasticsearch instance. If so, the evaluation result is Compliant. | A.10.1.1 | Policy on the use of cryptographic controls |
| Checks whether the TDE feature is enabled in the data security settings of each PolarDB cluster. If so, the evaluation result is Compliant. | A.10.1.1 | Policy on the use of cryptographic controls |
| Checks whether the encryption feature is enabled for all tables on each Tablestore instance. If so, the evaluation result is Compliant. | A.10.1.1 | Policy on the use of cryptographic controls |
| Checks whether encryption is enabled for each MaxCompute project. If so, the evaluation result is Compliant. This rule does not apply to a project that is frozen. | A.10.1.1 | Policy on the use of cryptographic controls |
| Checks whether the automatic rotation feature is enabled for the customer master keys (CMKs) in KMS. If so, the evaluation result is Compliant. This rule does not apply to a service key or to a Bring Your Own Key (BYOK) key. | | |
| Checks whether the status of a KMS CMK is set to pending deletion. If so, the evaluation result is Compliant. | | |
| Checks whether the remaining validity periods of all SSL certificates are greater than the specified value. If so, the evaluation result is Compliant. Default value: 30. Unit: days. | | |
| Checks whether the maintenance period of each PolarDB cluster matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected. | A.12.1.2 | Change management |
| Checks whether the maintenance period of each RDS instance matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected. | A.12.1.2 | Change management |
| Checks whether the snapshot creation time that you specified for each automatic snapshot policy falls within a specified time range. If so, the evaluation result is Compliant. When a snapshot is being created for an Elastic Block Storage (EBS) device, the I/O performance of the device degrades by up to 10%, which can cause a transient I/O speed decrease. We recommend that you create automatic snapshots during off-peak hours. | A.12.1.2 | Change management |
| Checks whether the functions of Function Compute 2.0 meet the specified requirements. If so, the evaluation result is Compliant. | A.12.1.3 | Capacity management |
| Checks whether the number of available IP addresses of each vSwitch is greater than a specified value. If so, the evaluation result is Compliant. | A.12.1.3 | Capacity management |
| Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant. | A.12.3.1 | Information backup |
| Checks whether a backup plan is created for each File Storage NAS file system. If so, the evaluation result is Compliant. | A.12.3.1 | Information backup |
| Checks whether the log backup feature is enabled for each AnalyticDB cluster. If so, the evaluation result is Compliant. | A.12.3.1 | Information backup |
| Checks whether log backup is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. | A.12.3.1 | Information backup |
| Checks whether incremental backup is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. This rule applies only to Tair instances or instances of ApsaraDB for Redis Enhanced Edition (Tair). | A.12.3.1 | Information backup |
| Checks whether the zone-redundant storage (ZRS) feature is enabled for each OSS bucket. If so, the evaluation result is Compliant. If ZRS is disabled, Object Storage Service (OSS) cannot provide consistent services or ensure data recovery when a data center becomes unavailable. | | |
| Checks whether the retention period for the level-1 backups of each PolarDB cluster is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 7. Unit: days. | A.12.3.1 | Information backup |
| Checks whether the versioning feature is enabled for each OSS bucket. If so, the evaluation result is Compliant. If the versioning feature is disabled, data that is overwritten or deleted may not be recoverable. | | |
| Checks whether the access log feature is enabled for each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which Layer 7 monitoring is disabled. | | |
| Checks whether the flow log feature is enabled for each VPC. If so, the evaluation result is Compliant. | | |
| Checks whether log storage is enabled for the API groups of API Gateway. If so, the evaluation result is Compliant. | A.12.4.1 | Event logging |
| Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. | A.12.4.1 | Event logging |
| Checks whether the SQL audit feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. | | |
| Checks whether the retention period for the level-1 backups of each PolarDB cluster is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 30. Unit: days. If log backup is not enabled or the backup retention period is less than the specified number of days, the evaluation result is Non-compliant. | A.12.4.2 | Protection of log information |
| Checks whether unfixed vulnerabilities of a specified type or a specified level are detected by Security Center on an ECS instance. This rule does not apply to ECS instances that are not running. | A.12.6.1 | Management of technical vulnerabilities |
| Checks whether 0.0.0.0/0 is added to the IP address whitelist of each security group and risky ports are disabled. If so, the evaluation result is Compliant. Checks whether 0.0.0.0/0 is not added to the IP address whitelist of each security group. If so, the evaluation result is Compliant regardless of whether risky ports are disabled. Checks whether a risky port is denied by an authorization policy with a higher priority. If so, the evaluation result is Compliant. This rule does not apply to Alibaba Cloud services other than ECS or to security groups that are used by virtual network operators (VNOs). | | |
| Checks whether 0.0.0.0/0 is added to the IP whitelist of each PolarDB instance. If not, the evaluation result is Compliant. | | |
| Checks whether the SSL encryption feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. | | |
| Checks whether the Transport Layer Security (TLS) 1.3 protocol is enabled for each domain name accelerated by Alibaba Cloud CDN. If so, the evaluation result is Compliant. | | |
| Checks whether SSL secure connections are used for the source and destination databases of each synchronization task on a DTS instance. If so, the evaluation result is Compliant. This rule applies only to synchronization tasks. | A.13.2.1 | Information transfer policies and procedures |
| Checks whether each Function Compute function is bound to a custom domain name and a specified version of TLS is enabled for the function. If so, the evaluation result is Compliant. | | |
| Checks whether an HTTPS listener is enabled on the specified ports of each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which only a TCP or UDP listener is enabled. | | |
| Checks whether a CloudMonitor agent is installed on all nodes of each ACK cluster and runs as expected. If so, the evaluation result is Compliant. | | |
| Checks whether a CloudMonitor agent is installed on each running ECS instance and the agent is running as expected. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. | | |
| Checks whether a notification method is specified for each notification item of Security Center. If so, the evaluation result is Compliant. | A.16.1.2 | Reporting information security events |
| Checks whether the IPsec-VPN connection is established. If so, the evaluation result is Compliant. | A.17.1.2 | Implementing information security continuity |
| Checks whether the release protection feature is enabled for each SLB instance. If so, the evaluation result is Compliant. | A.17.1.2 | Implementing information security continuity |
| Checks whether the health check feature is enabled for the ECS instances of each scaling group. If so, the evaluation result is Compliant. | | |
| Checks whether each ApsaraDB RDS instance uses the multi-zone architecture. If so, the evaluation result is Compliant. | | |
| Checks whether the deletion protection feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. This rule does not apply to clusters that use the subscription billing method. | A.17.1.2 | Implementing information security continuity |
| Checks whether the release protection feature is enabled for each ACK cluster. If so, the evaluation result is Compliant. | A.17.1.2 | Implementing information security continuity |
| Checks whether the hot standby cluster feature is enabled for each PolarDB cluster and the data of the cluster is distributed across multiple zones. If so, the evaluation result is Compliant. | | |
| Checks whether at least two vSwitches are associated with each scaling group. If so, the evaluation result is Compliant. | A.17.2.1 | Availability of information processing facilities |
| Checks whether each ALB instance uses the multi-zone architecture. If so, the evaluation result is Compliant. If an ALB instance is deployed in only one zone and a failure occurs in that zone, business may be disrupted. | A.17.2.1 | Availability of information processing facilities |
| Checks whether region-level ACK clusters whose nodes are distributed across three or more zones are used. | A.17.2.1 | Availability of information processing facilities |
| Checks whether the health check feature is enabled for all listeners and forwarding rules of each ALB instance. If so, the evaluation result is Compliant. | A.17.2.1 | Availability of information processing facilities |
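The security-group rule in the table (0.0.0.0/0 whitelisted, risky ports, and a higher-priority deny) has the most involved evaluation logic on this page. The following is an added example of that logic written by the editor; it is not Alibaba Cloud Config's implementation. The `InboundRule` field names, the sample security groups and the risky-port list are all constructed for illustration, and ties in priority are conservatively treated as not shielding a port.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")  # "whitelisted to the Internet"


@dataclass(frozen=True)
class InboundRule:
    """One inbound security-group rule (constructed shape, not the ECS API's)."""
    policy: str      # "accept" or "drop"
    priority: int    # 1 is the highest priority (evaluated first)
    source: str      # source CIDR block
    port_from: int
    port_to: int

    def covers_port(self, port: int) -> bool:
        return self.port_from <= port <= self.port_to

    def open_to_internet(self) -> bool:
        return ip_network(self.source) == ANY


def exposed_risky_ports(rules, risky_ports):
    """Risky ports reachable from 0.0.0.0/0. An accept rule exposes a port unless a
    drop rule with strictly higher priority (smaller number), also sourced from
    0.0.0.0/0, covers the same port. Equal priority does not shield (assumption)."""
    exposed = set()
    for port in risky_ports:
        for acc in rules:
            if acc.policy != "accept" or not acc.open_to_internet() or not acc.covers_port(port):
                continue
            shielded = any(d.policy == "drop" and d.open_to_internet()
                           and d.covers_port(port) and d.priority < acc.priority
                           for d in rules)
            if not shielded:
                exposed.add(port)
                break
    return sorted(exposed)


def evaluate(rules, risky_ports):
    """Mirror the rule text: no 0.0.0.0/0 accept at all is Compliant regardless of
    ports; otherwise Compliant only when every risky port is closed or shielded."""
    if not any(r.policy == "accept" and r.open_to_internet() for r in rules):
        return "Compliant"
    return "Non-compliant" if exposed_risky_ports(rules, risky_ports) else "Compliant"


# Constructed sample data: risky-port list and four security groups.
RISKY = {22, 3389, 3306}
SG_OPEN = [InboundRule("accept", 1, "0.0.0.0/0", 1, 65535)]
SG_SHIELDED = [InboundRule("drop", 1, "0.0.0.0/0", p, p) for p in RISKY] + \
              [InboundRule("accept", 100, "0.0.0.0/0", 1, 65535)]
SG_WEB_ONLY = [InboundRule("accept", 1, "0.0.0.0/0", 443, 443),
               InboundRule("accept", 1, "10.0.0.0/8", 22, 22)]   # SSH only from RFC 1918 space
SG_LATE_DROP = [InboundRule("accept", 1, "0.0.0.0/0", 22, 22),
                InboundRule("drop", 50, "0.0.0.0/0", 22, 22)]   # deny loses: lower priority

if __name__ == "__main__":
    for name, sg in [("open", SG_OPEN), ("shielded", SG_SHIELDED),
                     ("web_only", SG_WEB_ONLY), ("late_drop", SG_LATE_DROP)]:
        print(f"{name:10} {evaluate(sg, RISKY):14} exposed={exposed_risky_ports(sg, RISKY)}")
```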