Checks the compliance of Alibaba Cloud resources based on the specific requirements of NIST 800-53 Rev5.
Rule name | Code | Code description | Rule description |
--- | --- | --- | --- |
required-tags | PT-2 | PT-2 Authority to Process Personally Identifiable Information SC-16 Transmission Of Security And Privacy Attributes | Checks whether all resources have a specified tag. If so, the evaluation result is Compliant. You can specify a maximum of ten tags. Tag keys and values are case-sensitive. You can specify only one tag value for a tag key. |
ack-cluster-control-plane-log-enable | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the logs of the control plane components are enabled for each Container Service for Kubernetes (ACK) managed cluster. If so, the evaluation result is Compliant. This rule does not apply to unmanaged Kubernetes clusters. |
ack-cluster-encryption-enabled | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether Secret encryption is configured for each ACK Pro cluster. If so, the evaluation result is Compliant. This rule does not apply to non-professional managed clusters. |
ack-cluster-public-endpoint-check | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether public endpoints are configured for the API server in each ACK cluster. If so, the evaluation result is Compliant. |
ack-cluster-supported-version | SA-22 | SA-22 SI-2 Flaw Remediation | Checks whether the Kubernetes versions of ACK clusters are no longer supported. If the Kubernetes versions of ACK clusters are supported, the evaluation result is Compliant. |
ack-cluster-upgrade-latest-version | SA-22 | SA-22 SI-2 Flaw Remediation | Checks whether each ACK cluster is upgraded to the latest version. If so, the evaluation result is Compliant. |
adb-cluster-audit-log-enabled | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the SQL explorer and audit feature is enabled for each AnalyticDB for MySQL cluster. If so, the evaluation result is Compliant. |
adb-cluster-log-backup-enabled | CP-9 | CP-9 System Backup SC-36 Distributed Processing And Storage SC-28 Protection of Information at Rest CP-10 SC-24 Fail In Known State | Checks whether the log backup feature is enabled for each AnalyticDB cluster. If so, the evaluation result is Compliant. |
adb-cluster-maintain-time-check | SA-22 | SA-22 SI-2 Flaw Remediation | Checks whether the maintenance period of each AnalyticDB cluster falls in a specified time range. If so, the evaluation result is Compliant. |
adb-public-access-check | AC-20 | AC-20 Use of External Systems AC-16 Security And Privacy Attributes AU-9 Protection Of Audit Information SC-7 Boundary Protection CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication CA-9 Internal System Connections SC-38 Operations Security CM-12 Information Location SC-10 Network Disconnect AC-3 Access Enforcement CP-9 System Backup AC-4 Information Flow Enforcement AU-6 Audit Record Review, Analysis, And Reporting SC-2 Separation Of System And User Functionality IA-5 Authenticator Management SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-11 Trusted Path SC-20 Secure Name/Address Resolution Service(Authoritative Source) IA-3 Device Identification and Authentication | Checks whether Internet access is disabled for each AnalyticDB instance. If so, the evaluation result is Compliant. |
alb-instance-multi-zone | CP-7 | CP-7 Alternate Processing Site CP-9 System Backup AC-4 Information Flow Enforcement SC-36 Distributed Processing And Storage CP-6 Alternate Storage Site SC-6 Resource Availability SI-13 Predictable Failure Prevention SC-22 Architecture And Provisioning For Name/Address Resolution Service AU-5 Response To Audit Logging Process Failures SI-22 Information Diversity CP-2 Contingency Plan | Checks whether each Application Load Balancer (ALB) instance uses the multi-zone architecture. If so, the evaluation result is Compliant. If an ALB instance is deployed in only one zone, a failure of that instance may disrupt business. |
api-gateway-group-domain-access-waf-or-waf3 | PL-8 | PL-8 SC-3 Security Function Isolation SC-7 Boundary Protection AC-4 Information Flow Enforcement | Checks whether the domain name bound to each API group in API Gateway is added to WAF or WAF 3.0. If so, the evaluation result is Compliant. |
api-gateway-group-enabled-ssl | SC-12 | SC-12 Cryptographic Key Establishment And Management AC-20 Use of External Systems IA-7 Cryptographic Module Authentication SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-28 Protection of Information at Rest IA-9 Service Identification And Authentication AC-17 Remote Access SC-17 Public Key Infrastructure Certificates CA-9 Internal System Connections SC-13 Cryptographic Protection SC-23 Session Authenticity SC-7 Boundary Protection CM-3 Configuration Change Control IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether an SSL certificate is specified for the custom domain of each API group in API Gateway. If so, the evaluation result is Compliant. |
api-gateway-group-log-enabled | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether log storage is enabled for API groups of API Gateway. If so, the evaluation result is Compliant. |
api-group-custom-trace-enabled | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification AU-7 Audit Record Reduction And Report Generation SI-7 Software, Firmware, and Information Integrity AU-6 Audit Record Review, Analysis, And Reporting AC-17 Remote Access AU-9 Protection Of Audit Information AU-10 Non-repudiation RA-5 Vulnerability Monitoring And Scanning AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-2 Account Management AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the tracing analysis feature is enabled for each API group in API Gateway. If so, the evaluation result is Compliant. |
cdn-domain-https-enabled | SC-12 | SC-12 Cryptographic Key Establishment And Management AC-20 Use of External Systems IA-7 Cryptographic Module Authentication SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-28 Protection of Information at Rest IA-9 Service Identification And Authentication AC-17 Remote Access SC-17 Public Key Infrastructure Certificates CA-9 Internal System Connections SC-13 Cryptographic Protection SC-23 Session Authenticity SC-7 Boundary Protection CM-3 Configuration Change Control IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether HTTPS encryption is enabled for each domain name accelerated by Alibaba Cloud CDN. If so, the evaluation result is Compliant. |
cdn-domain-tls13-enabled | CP-9 | CP-9 System Backup SA-4 Acquisition Process CM-7 Least Functionality AC-17 Remote Access MA-4 SC-23 Session Authenticity SC-8 Transmission Confidentiality And Integrity IA-5 Authenticator Management IA-3 Device Identification and Authentication | Checks whether the Transport Layer Security (TLS) 1.3 protocol is enabled for each domain name accelerated by Alibaba Cloud CDN. If so, the evaluation result is Compliant. |
cms-created-rule-for-specified-product | SI-4 | SI-4 System Monitoring AU-7 Audit Record Reduction And Report Generation AU-6 Audit Record Review, Analysis, And Reporting AC-17 Remote Access AU-9 Protection Of Audit Information RA-5 Vulnerability Monitoring And Scanning AC-2 Account Management AC-4 Information Flow Enforcement | Checks whether at least one alert rule is configured in the CloudMonitor console for each Alibaba Cloud service of a specified namespace. If so, the evaluation result is Compliant. |
cr-repository-image-scanning-enabled | RA-5 | RA-5 Vulnerability Monitoring And Scanning | Checks whether the image scanning feature is enabled for a Container Registry instance. If so, the evaluation result is Compliant. |
cr-repository-immutablity-enable | PT-2 | PT-2 Authority to Process Personally Identifiable Information SC-16 Transmission Of Security And Privacy Attributes | Checks whether each Container Registry repository is configured to be immutable. If so, the evaluation result is Compliant. |
dts-instance-migration-job-ssl-enabled | CP-9 | CP-9 System Backup AC-17 Remote Access SC-8 Transmission Confidentiality And Integrity MA-4 SC-23 Session Authenticity IA-5 Authenticator Management IA-3 Device Identification and Authentication | Checks whether SSL secure connections are used for the source and destination databases of each migration task on a DTS instance. If so, the evaluation result is Compliant. This rule applies only to migration tasks. |
eci-containergroup-environment-no-specified-keys | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup IA-2 Identification And Authentication (Organizational Users) SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management AC-2 Account Management | Checks whether the specified key is contained in the environment variable name of the container group of Elastic Container Instance (ECI). If the specified key is not contained in the environment variable name of the container group of ECI, the evaluation result is Compliant. The name of the input parameter is keys. The default value of the input parameter is AccessKey, AK, or AccessKeyID. |
ecs-disk-auto-snapshot-policy | CP-9 | CP-9 System Backup SC-36 Distributed Processing And Storage SC-28 Protection of Information at Rest CP-10 SC-24 Fail In Known State | Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant. This rule does not apply to disks that are not in use, disks that do not support automatic snapshot policies, and non-persistent disks that are attached to the ACK cluster. |
ecs-in-use-disk-encrypted | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether the encryption feature is enabled for each ECS data disk that is in use. If so, the evaluation result is Compliant. |
ecs-disk-in-use | SI-12 | SI-12 Information Management And Retention SI-14 Non-Persistence AU-11 Audit Record Retention AU-4 Audit Log Storage Capacity AU-10 Non-repudiation | Checks whether each ECS data disk is attached to an ECS instance. If so, the evaluation result is Compliant. |
ecs-instance-meta-data-mode-check | SC-10 | SC-10 Network Disconnect SI-14 Non-Persistence AC-12 Session Termination IA-11 Re-Authentication AC-17 Remote Access AC-10 Concurrent Session Control SC-23 Session Authenticity AC-2 Account Management | Checks whether the security-enhanced mode is forcefully used when the metadata of each ECS instance is accessed. If so, the evaluation result is Compliant. |
ecs-instance-monitor-enabled | SI-4 | SI-4 System Monitoring AU-7 Audit Record Reduction And Report Generation AU-6 Audit Record Review, Analysis, And Reporting AC-17 Remote Access AU-9 Protection Of Audit Information RA-5 Vulnerability Monitoring And Scanning AC-2 Account Management AC-4 Information Flow Enforcement | Checks whether a CloudMonitor agent is installed on each running ECS instance and whether the agent is running as expected. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. |
ecs-instance-not-bind-key-pair | AC-3 | AC-3 Access Enforcement IA-8 Identification And Authentication (Non-Organizational Users) IA-2 Identification And Authentication (Organizational Users) IA-9 Service Identification And Authentication IA-4 Identifier Management IA-5 Authenticator Management AC-2 Account Management | Checks whether a Secure Shell (SSH) key pair is attached to an ECS instance. If no SSH key pair is attached to an ECS instance, the evaluation result is Compliant. This rule applies to special scenarios where enterprises need to control access to ECS instances. |
ecs-instance-ram-role-attached | CM-5 | CM-5 Access Restrictions for Change AC-9 Previous Logon Notification IA-8 Identification And Authentication (Non-Organizational Users) IA-11 Re-Authentication SC-50 Software-Enforced Separation And Policy Enforcement AC-2 Account Management CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication AC-24 Access Control Decisions IA-4 Identifier Management AC-3 Access Enforcement AU-6 Audit Record Review, Analysis, And Reporting SC-2 Separation Of System And User Functionality IA-5 Authenticator Management SC-34 Non-Modifiable Executable Programs IA-2 Identification And Authentication (Organizational Users) AC-7 Unsuccessful Logon Attempts AC-6 Least Privilege AC-4 Information Flow Enforcement | Checks whether a RAM role is assigned to each ECS instance. If so, the evaluation result is Compliant. |
ecs-instance-status-no-stopped | SA-3 | SA-3 System Development Life Cycle | Checks whether each ECS instance is in the Stopped state. If each ECS instance is not in the Stopped state, the evaluation result is Compliant. This rule does not apply to expired instances or instances that are in economical mode. |
ecs-instance-updated-security-vul | SA-22 | SA-22 RA-5 Vulnerability Monitoring And Scanning SI-2 Flaw Remediation | Checks whether unfixed vulnerabilities of a specified type or a specified level are detected by Security Center on an ECS instance. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. |
ecs-security-group-not-used | CA-9 | CA-9 Internal System Connections SC-7 Boundary Protection IA-3 Device Identification and Authentication | Checks whether idle security groups exist. If no idle security group exists, which means at least one ECS instance is added to each security group, the evaluation result is Compliant. |
ecs-security-group-white-list-port-check | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication CM-7 Least Functionality AC-17 Remote Access SA-4 Acquisition Process CA-9 Internal System Connections SC-23 Session Authenticity SC-7 Boundary Protection SC-8 Transmission Confidentiality And Integrity IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether each inbound rule in a security group allows access only from the ports in a specified range when the Authorization Object parameter of the inbound rule is set to 0.0.0.0/0. If so, the evaluation result is Compliant. This rule does not apply to the security groups that are used by cloud services or virtual network operators. |
eip-attached | AC-3 | AC-3 Access Enforcement AC-16 Security And Privacy Attributes PL-10 IA-4 Identifier Management CM-2 Baseline Configuration SC-16 Transmission Of Security And Privacy Attributes AC-4 Information Flow Enforcement | Checks whether each elastic IP address (EIP) is idle, that is, not associated with an ECS instance or a NAT gateway. If each EIP is associated with an ECS instance or a NAT gateway and is not idle, the evaluation result is Compliant. |
elasticsearch-instance-enabled-data-node-encryption | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether the disk encryption feature is enabled for the data nodes of each Elasticsearch cluster. If so, the evaluation result is Compliant. |
elasticsearch-public-and-any-ip-access-check | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether each Elasticsearch instance denies access from public networks and does not allow access from all IP addresses. If so, the evaluation result is Compliant. |
elasticsearch-https-enabled | CP-9 | CP-9 System Backup SA-4 Acquisition Process CM-7 Least Functionality AC-17 Remote Access MA-4 SC-23 Session Authenticity SC-8 Transmission Confidentiality And Integrity IA-5 Authenticator Management IA-3 Device Identification and Authentication | Checks whether HTTPS is enabled for each Elasticsearch cluster. If so, the evaluation result is Compliant. |
ess-group-health-check | CP-7 | CP-7 Alternate Processing Site CP-9 System Backup AC-4 Information Flow Enforcement SC-36 Distributed Processing And Storage CP-6 Alternate Storage Site SI-13 Predictable Failure Prevention SC-22 Architecture And Provisioning For Name/Address Resolution Service AU-5 Response To Audit Logging Process Failures SI-22 Information Diversity CP-2 Contingency Plan | Checks whether the health check feature is enabled for the ECS instances of each scaling group. If so, the evaluation result is Compliant. |
ess-scaling-configuration-enabled-internet-check | SI-4 | SI-4 System Monitoring SC-7 Boundary Protection | Checks whether IPv4 addresses that can be assigned to ECS instances are specified for the scaling configurations. If the scaling configurations do not specify that IPv4 addresses can be assigned to ECS instances, the evaluation result is Compliant. |
ess-scaling-group-attach-slb | SI-22 | SI-22 Information Diversity SC-36 Distributed Processing And Storage SC-6 Resource Availability | Checks whether at least two vSwitches are associated with each scaling group. If so, the evaluation result is Compliant. |
fc-function-settings-check | SA-22 | SA-22 SI-2 Flaw Remediation | Checks whether the functions of Function Compute 2.0 meet the specified requirements. If so, the evaluation result is Compliant. |
fc-service-internet-access-disable | AC-20 | AC-20 Use of External Systems AC-16 Security And Privacy Attributes AU-9 Protection Of Audit Information SC-7 Boundary Protection CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication CA-9 Internal System Connections SC-38 Operations Security CM-12 Information Location SC-10 Network Disconnect AC-3 Access Enforcement CP-9 System Backup AC-4 Information Flow Enforcement AU-6 Audit Record Review, Analysis, And Reporting SC-2 Separation Of System And User Functionality IA-5 Authenticator Management SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-11 Trusted Path SC-20 Secure Name/Address Resolution Service(Authoritative Source) IA-3 Device Identification and Authentication | Checks whether Internet access is disabled for Function Compute. If so, the evaluation result is Compliant. |
fc-service-log-enable | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit CP-7 Alternate Processing Site AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity SC-36 Distributed Processing And Storage IR-4 CP-10 AU-10 Non-repudiation CP-6 Alternate Storage Site AU-2 Event Logging CP-2 Contingency Plan AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the logging feature is enabled for Function Compute. If so, the evaluation result is Compliant. |
fc-service-vpc-binding | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether the functions of a service can be invoked only in specific virtual private clouds (VPCs). If so, the evaluation result is Compliant. |
firewall-asset-open-protect | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether asset protection is enabled in Cloud Firewall. If so, the evaluation result is Compliant. This rule applies only to users that have activated the Cloud Firewall service. No detection data is available for users that have not activated the service or have used the service for free. |
kms-key-origin-not-external | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether the customer master key (CMK) of Key Management Service (KMS) belongs to Alibaba Cloud. If so, the evaluation result is Compliant. |
kms-key-state-not-pending-deletion | SC-12 | SC-12 Cryptographic Key Establishment And Management IA-7 Cryptographic Module Authentication SC-28 Protection of Information at Rest SC-17 Public Key Infrastructure Certificates SC-13 Cryptographic Protection SC-23 Session Authenticity CM-3 Configuration Change Control IA-5 Authenticator Management | Checks whether the status of a KMS CMK is set to pending deletion. If so, the evaluation result is Compliant. |
kms-secret-last-rotation-date-check | IA-10 | IA-10 IA-2 Identification And Authentication (Organizational Users) AC-24 Access Control Decisions IA-5 Authenticator Management AC-2 Account Management | Checks whether the automatic rotation feature is enabled for KMS secrets and whether automatic rotation is performed based on the specified rotation period. If so, the evaluation result is Compliant. This rule does not apply to generic secrets because periodic key rotation cannot be enabled for a generic secret in KMS. |
kms-secret-rotation-enabled | IA-10 | IA-10 IA-2 Identification And Authentication (Organizational Users) AC-24 Access Control Decisions IA-5 Authenticator Management AC-2 Account Management | Checks whether the automatic rotation feature is enabled for KMS secrets. If so, the evaluation result is Compliant. This rule does not apply to a common key. |
mongodb-instance-backup-log-enabled | SI-12 | SI-12 Information Management And Retention SI-14 Non-Persistence CP-9 System Backup SC-36 Distributed Processing And Storage AU-11 Audit Record Retention AU-4 Audit Log Storage Capacity CP-10 AU-10 Non-repudiation SC-24 Fail In Known State | Checks whether the log backup feature is enabled for each ApsaraDB for MongoDB instance. If so, the evaluation result is Compliant. |
mongodb-instance-log-audit | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the audit logging feature is enabled for each MongoDB instance. If so, the evaluation result is Compliant. |
nas-filesystem-access-point-enabled-ram | CM-12 | CM-12 Information Location AC-3 Access Enforcement SC-20 Secure Name/Address Resolution Service(Authoritative Source) AC-16 Security And Privacy Attributes CP-9 System Backup AU-6 Audit Record Review, Analysis, And Reporting CA-3 Information Exchange AU-9 Protection Of Audit Information SC-2 Separation Of System And User Functionality IA-5 Authenticator Management AC-4 Information Flow Enforcement SC-38 Operations Security | Checks whether a RAM policy is enabled for the access points of File Storage NAS (NAS) file systems. If so, the evaluation result is Compliant. |
nas-filesystem-access-point-root-directory-check | CM-12 | CM-12 Information Location AC-3 Access Enforcement SC-20 Secure Name/Address Resolution Service(Authoritative Source) AC-16 Security And Privacy Attributes CP-9 System Backup AU-6 Audit Record Review, Analysis, And Reporting CA-3 Information Exchange AU-9 Protection Of Audit Information SC-2 Separation Of System And User Functionality IA-5 Authenticator Management AC-4 Information Flow Enforcement SC-38 Operations Security | Checks whether the root directory of the access point of a NAS file system is specified as the default directory. If the default directory is not the root directory of the access point of a NAS file system, the evaluation result is Compliant. |
nas-filesystem-enable-backup-plan | CP-9 | CP-9 System Backup SC-36 Distributed Processing And Storage SC-28 Protection of Information at Rest CP-10 SC-24 Fail In Known State | Checks whether a backup plan is created for each File Storage NAS file system. If so, the evaluation result is Compliant. |
nas-filesystem-encrypt-type-check | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether the server-side encryption feature is enabled for the NAS file systems that you create. If so, the evaluation result is Compliant. |
oss-bucket-logging-enabled | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. |
oss-bucket-only-https-enabled | CP-9 | CP-9 System Backup SA-4 Acquisition Process CM-7 Least Functionality AC-17 Remote Access MA-4 SC-23 Session Authenticity SC-8 Transmission Confidentiality And Integrity IA-5 Authenticator Management IA-3 Device Identification and Authentication | Checks whether the bucket policy of each OSS bucket allows read and write access over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets without a bucket policy. |
oss-bucket-policy-no-any-anonymous | CM-5 | CM-5 Access Restrictions for Change AC-9 Previous Logon Notification IA-8 Identification And Authentication (Non-Organizational Users) IA-11 Re-Authentication SC-50 Software-Enforced Separation And Policy Enforcement AU-9 Protection Of Audit Information AC-2 Account Management CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication AC-24 Access Control Decisions IA-4 Identifier Management AC-3 Access Enforcement AU-6 Audit Record Review, Analysis, And Reporting IA-5 Authenticator Management SC-34 Non-Modifiable Executable Programs IA-2 Identification And Authentication (Organizational Users) AC-7 Unsuccessful Logon Attempts SA-17 AC-6 Least Privilege AC-4 Information Flow Enforcement | Checks whether read and write permissions are granted to each anonymous account. If read and write permissions are not granted to each anonymous account, the evaluation result is Compliant. If no policies are specified for OSS buckets, the evaluation result is Compliant. |
oss-bucket-public-read-prohibited | AC-20 | AC-20 Use of External Systems AC-16 Security And Privacy Attributes AU-9 Protection Of Audit Information SC-7 Boundary Protection CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication CA-9 Internal System Connections SC-38 Operations Security CM-12 Information Location SC-10 Network Disconnect AC-3 Access Enforcement CP-9 System Backup AC-4 Information Flow Enforcement AU-6 Audit Record Review, Analysis, And Reporting SC-2 Separation Of System And User Functionality IA-5 Authenticator Management SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-11 Trusted Path SC-20 Secure Name/Address Resolution Service(Authoritative Source) IA-3 Device Identification and Authentication | Checks whether the ACL policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant. |
oss-bucket-public-write-prohibited | AC-20 | AC-20 Use of External Systems AC-16 Security And Privacy Attributes AU-9 Protection Of Audit Information SC-7 Boundary Protection AU-16 Cross-Organizational Audit Logging CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication CA-9 Internal System Connections SC-38 Operations Security CM-12 Information Location SC-10 Network Disconnect AC-3 Access Enforcement CP-9 System Backup AU-6 Audit Record Review, Analysis, And Reporting SC-2 Separation Of System And User Functionality IA-5 Authenticator Management SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-11 Trusted Path AU-7 Audit Record Reduction And Report Generation SC-20 Secure Name/Address Resolution Service(Authoritative Source) AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether the bucket policy of each OSS bucket denies read and write access from the Internet. If so, the evaluation result is Compliant. |
oss-bucket-server-side-encryption-enabled | AU-7 | AU-7 Audit Record Reduction And Report Generation SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management AU-16 Cross-Organizational Audit Logging | Checks whether server-side encryption is enabled for each OSS bucket. If so, the evaluation result is Compliant. |
oss-bucket-versioning-enabled | SC-21 | SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-34 Non-Modifiable Executable Programs SI-7 Software, Firmware, and Information Integrity SI-19 De-Identification SC-23 Session Authenticity SC-16 Transmission Of Security And Privacy Attributes AU-16 Cross-Organizational Audit Logging SC-20 Secure Name/Address Resolution Service(Authoritative Source) | Checks whether the versioning feature is enabled for an OSS bucket. If the versioning feature is disabled, data may fail to be restored when the data is overwritten or deleted. If the versioning feature is enabled for each OSS bucket, the evaluation result is Compliant. |
oss-default-encryption-kms | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether KMS-based server-side encryption is enabled for each OSS bucket. If so, the evaluation result is Compliant. |
oss-zrs-enabled | CP-7 | CP-7 Alternate Processing Site CP-9 System Backup AC-4 Information Flow Enforcement SC-36 Distributed Processing And Storage CP-6 Alternate Storage Site SC-6 Resource Availability SI-13 Predictable Failure Prevention SC-22 Architecture And Provisioning For Name/Address Resolution Service AU-5 Response To Audit Logging Process Failures SI-22 Information Diversity CP-2 Contingency Plan | Checks whether the zone-redundant storage (ZRS) feature is enabled for an OSS bucket. If the ZRS feature is disabled, OSS cannot provide consistent services and ensure data recovery when a data center becomes unavailable. If the ZRS feature is enabled for each OSS bucket, the evaluation result is Compliant. |
ots-instance-all-table-encrypted | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether the encryption feature is enabled for all tables on the Tablestore instance. If so, the evaluation result is Compliant. |
polardb-cluster-enabled-auditing | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the SQL audit feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. |
polardb-cluster-level-one-backup-retention | CP-9 | CP-9 System Backup SC-36 Distributed Processing And Storage SC-28 Protection of Information at Rest CP-10 System Recovery and Reconstitution SC-24 Fail In Known State | Checks whether the retention period for the level-1 backups of each PolarDB cluster is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 7. Unit: days. |
polardb-cluster-multi-zone | SI-22 | SI-22 Information Diversity SC-36 Distributed Processing And Storage SC-6 Resource Availability | Checks whether the hot standby cluster feature is enabled for each PolarDB cluster and data of the cluster is distributed across multiple zones. If so, the evaluation result is Compliant. |
polardb-dbversion-status-check | SA-22 | SA-22 Unsupported System Components SI-2 Flaw Remediation | Checks whether the minor version of each PolarDB database is stable. If so, the evaluation result is Compliant. |
ram-group-has-member-check | AC-3 | AC-3 Access Enforcement IA-8 Identification And Authentication (Non-Organizational Users) IA-2 Identification And Authentication (Organizational Users) AU-6 Audit Record Review, Analysis, And Reporting IA-9 Service Identification And Authentication AU-9 Protection Of Audit Information IA-4 Identifier Management SA-1 Policy and Procedures IA-5 Authenticator Management AC-6 Least Privilege AC-2 Account Management | Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant. |
ram-group-in-use-check | CM-5 | CM-5 Access Restrictions for Change AC-3 Access Enforcement IA-8 Identification And Authentication (Non-Organizational Users) IA-2 Identification And Authentication (Organizational Users) IA-9 Service Identification And Authentication IA-4 Identifier Management IA-5 Authenticator Management AC-2 Account Management | Checks whether a RAM user group includes at least one RAM user and at least one policy is attached to the RAM user group. If so, the evaluation result is Compliant. |
ram-policy-in-use-check | CM-5 | CM-5 Access Restrictions for Change AC-9 Previous Logon Notification IA-8 Identification And Authentication (Non-Organizational Users) IA-11 Re-Authentication SC-50 Software-Enforced Separation And Policy Enforcement AC-2 Account Management CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication AC-24 Access Control Decisions IA-4 Identifier Management AC-3 Access Enforcement AU-6 Audit Record Review, Analysis, And Reporting IA-5 Authenticator Management SC-34 Non-Modifiable Executable Programs IA-2 Identification And Authentication (Organizational Users) AC-7 Unsuccessful Logon Attempts AC-6 Least Privilege AC-4 Information Flow Enforcement | Checks whether a policy is attached to at least one RAM user group, RAM role, or RAM user. If so, the evaluation result is Compliant. |
ram-policy-no-statements-with-admin-access-check | CM-5 | CM-5 Access Restrictions for Change AC-9 Previous Logon Notification IA-8 Identification And Authentication (Non-Organizational Users) IA-11 Re-Authentication SC-50 Software-Enforced Separation And Policy Enforcement AU-9 Protection Of Audit Information SC-7 Boundary Protection AC-2 Account Management CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication SI-3 Malicious Code Protection AC-24 Access Control Decisions IA-4 Identifier Management AC-3 Access Enforcement AU-6 Audit Record Review, Analysis, And Reporting IA-5 Authenticator Management SC-34 Non-Modifiable Executable Programs IA-2 Identification And Authentication (Organizational Users) CM-7 Least Functionality AC-7 Unsuccessful Logon Attempts AC-6 Least Privilege AC-4 Information Flow Enforcement | Checks whether the Action and Resource parameters of each RAM user, RAM user group, and RAM role are not set to *. If so, the evaluation result is Compliant. An asterisk (*) indicates the super administrator permissions. |
ram-user-mfa-check | IA-2 | IA-2 Identification And Authentication (Organizational Users) | Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant. |
rds-instance-sql-collector-retention | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS for MySQL instance and the number of days for which SQL audit logs can be retained is greater than or equal to a specified value. If so, the evaluation result is Compliant. The default period is 180 days. This rule does not apply to instances that do not support the SQL explorer and audit feature. |
rds-instance-enabled-log-backup | CP-9 | CP-9 System Backup SC-36 Distributed Processing And Storage SC-28 Protection of Information at Rest CP-10 System Recovery and Reconstitution SC-24 Fail In Known State | Checks whether the log backup feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. |
rds-instance-enabled-disk-encryption | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether disk encryption is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. This rule does not apply to instances that use local disks or do not support disk encryption. |
rds-instance-enabled-tde | SC-34 | SC-34 Non-Modifiable Executable Programs CP-9 System Backup SC-28 Protection of Information at Rest AU-9 Protection Of Audit Information IA-5 Authenticator Management | Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant. |
rds-multi-az-support | SI-22 | SI-22 Information Diversity SC-36 Distributed Processing And Storage SC-6 Resource Availability | Checks whether each ApsaraDB RDS instance uses the multi-zone architecture. If so, the evaluation result is Compliant. |
rds-public-connection-and-any-ip-access-check | AC-20 | AC-20 Use of External Systems AC-16 Security And Privacy Attributes AU-9 Protection Of Audit Information SC-7 Boundary Protection CA-3 Information Exchange AC-17 Remote Access IA-9 Service Identification And Authentication CA-9 Internal System Connections SC-38 Operations Security CM-12 Information Location SC-10 Network Disconnect AC-3 Access Enforcement CP-9 System Backup AC-4 Information Flow Enforcement AU-6 Audit Record Review, Analysis, And Reporting SC-2 Separation Of System And User Functionality IA-5 Authenticator Management SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) SC-11 Trusted Path SC-20 Secure Name/Address Resolution Service (Authoritative Source) IA-3 Device Identification and Authentication | Checks whether a public IP address is used for the ApsaraDB RDS instance within your account or whether the whitelist is not enabled for all source IP addresses. If so, the evaluation result is Compliant. |
redis-instance-backup-log-enabled | CP-9 | CP-9 System Backup SC-36 Distributed Processing And Storage SC-28 Protection of Information at Rest CP-10 System Recovery and Reconstitution SC-24 Fail In Known State | Checks whether incremental backup is enabled for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant. This rule applies only to Tair instances or instances of ApsaraDB for Redis Enhanced Edition (Tair). |
redis-instance-upgrade-latest-version | SA-22 | SA-22 Unsupported System Components SI-2 Flaw Remediation | Checks whether each ApsaraDB for Redis instance is upgraded to the latest minor version. If so, the evaluation result is Compliant. |
root-ak-check | CM-5 | CM-5 Access Restrictions for Change AC-3 Access Enforcement IA-8 Identification And Authentication (Non-Organizational Users) IA-2 Identification And Authentication (Organizational Users) IA-9 Service Identification And Authentication AC-17 Remote Access CM-7 Least Functionality AU-9 Protection Of Audit Information SI-3 Malicious Code Protection SC-7 Boundary Protection IA-4 Identifier Management IA-5 Authenticator Management AC-2 Account Management AC-6 Least Privilege AC-4 Information Flow Enforcement | Checks whether an AccessKey pair is created for each Alibaba Cloud account. If not, the evaluation result is Compliant. |
root-mfa-check | IA-2 | IA-2 Identification And Authentication (Organizational Users) | Checks whether multi-factor authentication (MFA) is enabled for each Alibaba Cloud account. If so, the evaluation result is Compliant. |
security-center-version-check | SI-4 | SI-4 System Monitoring AU-7 Audit Record Reduction And Report Generation AU-6 Audit Record Review, Analysis, And Reporting AC-17 Remote Access AU-9 Protection Of Audit Information RA-5 Vulnerability Monitoring And Scanning AC-2 Account Management AC-4 Information Flow Enforcement | Checks whether Security Center of Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant. |
slb-all-listener-servers-multi-zone | CP-7 | CP-7 Alternate Processing Site CP-9 System Backup AC-4 Information Flow Enforcement SC-36 Distributed Processing And Storage CP-6 Alternate Storage Site SC-6 Resource Availability SI-13 Predictable Failure Prevention SC-22 Architecture And Provisioning For Name/Address Resolution Service AU-5 Response To Audit Logging Process Failures SI-22 Information Diversity CP-2 Contingency Plan | Checks whether each SLB instance uses the multi-zone architecture and the resources of multiple zones are added to the server group that is used by all listeners of the SLB instance. If so, the evaluation result is Compliant. |
slb-all-listenter-tls-policy-check | CP-9 | CP-9 System Backup SA-4 Acquisition Process CM-7 Least Functionality AC-17 Remote Access MA-4 Nonlocal Maintenance SC-13 Cryptographic Protection SC-23 Session Authenticity SC-8 Transmission Confidentiality And Integrity IA-5 Authenticator Management IA-3 Device Identification and Authentication | Checks whether the HTTPS listeners of each SLB instance use a specified security policy suite version. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no HTTPS listener is configured. |
slb-instance-log-enabled | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the access log feature is enabled for each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which Layer 7 monitoring is disabled. |
slb-listener-https-enabled | CP-9 | CP-9 System Backup SA-4 Acquisition Process CM-7 Least Functionality AC-17 Remote Access MA-4 Nonlocal Maintenance SC-13 Cryptographic Protection SC-23 Session Authenticity SC-8 Transmission Confidentiality And Integrity IA-5 Authenticator Management IA-3 Device Identification and Authentication | Checks whether an HTTPS listener is enabled on the specified ports of each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which only a TCP or UDP listener is enabled. |
ssl-certificate-expired-check | SC-12 | SC-12 Cryptographic Key Establishment And Management IA-7 Cryptographic Module Authentication SC-28 Protection of Information at Rest SC-17 Public Key Infrastructure Certificates SC-13 Cryptographic Protection SC-23 Session Authenticity CM-3 Configuration Change Control IA-5 Authenticator Management | Checks whether the remaining validity periods of all SSL certificates are greater than the specified value. If so, the evaluation result is Compliant. Default value: 30. Unit: days. |
vpc-flow-logs-enabled | CM-5 | CM-5 Access Restrictions for Change SI-4 System Monitoring AU-14 Session Audit AC-9 Previous Logon Notification SI-7 Software, Firmware, and Information Integrity AU-10 Non-repudiation AU-2 Event Logging AU-8 Time Stamps AU-3 Content Of Audit Records AC-6 Least Privilege AU-12 Audit Record Generation AC-4 Information Flow Enforcement | Checks whether the flow log feature is enabled for each VPC. If so, the evaluation result is Compliant. |
vpc-network-acl-risky-ports-check | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether the destination IP address specified in the inbound rule for VPC access control is set to 0.0.0.0/0 and the specified port range does not contain a high-risk port. If so, the evaluation result is Compliant. |
vpc-network-acl-unused-check | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether at least one resource is associated with each network ACL. If so, the evaluation result is Compliant. |
vpc-routetable-destination-cidr-check | SC-3 | SC-3 Security Function Isolation AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-6 Least Privilege AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether the destination CIDR block of the custom routes of a route table that is associated with a VPC is set to all CIDR blocks. If the destination CIDR block is not set to all CIDR blocks, the evaluation result is Compliant. |
vpn-ipsec-connection-status-check | SC-3 | SC-3 Security Function Isolation AC-4 Information Flow Enforcement SC-36 Distributed Processing And Storage PL-8 Security and Privacy Architectures SC-7 Boundary Protection SI-22 Information Diversity SC-6 Resource Availability | Checks whether the IPsec-VPN connection is established. If so, the evaluation result is Compliant. |
waf3-instance-enabled-specified-defense-rules | AC-20 | AC-20 Use of External Systems SC-10 Network Disconnect SC-11 Trusted Path SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) IA-9 Service Identification And Authentication AC-17 Remote Access CA-9 Internal System Connections SC-7 Boundary Protection IA-5 Authenticator Management AC-4 Information Flow Enforcement IA-3 Device Identification and Authentication | Checks whether rules for the specified protection scenario are enabled for a WAF 3.0 instance. If so, the evaluation result is Compliant. |