Cloud Config: PCIDSSDataSecurityStandard

Last Updated: Sep 28, 2023

This topic describes the background information, scenarios, and default rules of the PCIDSSDataSecurityStandard compliance package.

Background information

The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard for the payment card industry. It defines a baseline of technical and operational requirements that organizations handling payment card data must meet to protect cardholder data, so that card brands and payment organizations can apply consistent security controls worldwide.

Compliance packages created from this template are based on the PCI DSS v4.0 baseline. They help protect account data by providing targeted recommendations and automated compliance checks on how your cloud resources are used and managed.

For more information about the PCI DSS, visit the official PCI DSS website.

Scenarios

The PCIDSSDataSecurityStandard compliance package is suitable for the financial industry and enterprises that have high requirements for data security.

Rules

Note

A compliance package template provides a common framework. You can use the template to efficiently create compliance packages that meet your requirements in specific business scenarios. A Compliant result for a rule means only that the resource satisfies that rule's check; it does not by itself establish compliance with laws, regulations, or industry standards such as PCI DSS.

Rule name

Description

waf-instance-logging-enabled

Checks whether the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF). If so, the evaluation result is Compliant.

vpc-flow-logs-enabled

Checks whether the flow log feature is enabled for each virtual private cloud (VPC). If so, the evaluation result is Compliant.

api-gateway-group-domain-access-waf

Checks whether each custom domain name that is bound to an API group in API Gateway is added to WAF. If so, the evaluation result is Compliant.

waf-domain-enabled-specified-protection-module

Checks whether a specified protection feature is enabled for each domain name that is protected by WAF. If so, the evaluation result is Compliant.

sg-public-access-check

Checks whether any inbound rule of each security group has the action set to Allow, the port range set to -1/-1 (all ports), and the authorization object set to 0.0.0.0/0. If no such rule exists, or if the traffic is denied by a rule with a higher priority, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable.

sg-risky-ports-check

Checks whether each security group that has an inbound rule allowing access from 0.0.0.0/0 denies access to the high-risk ports. If so, the evaluation result is Compliant. If no inbound rule of a security group allows access from 0.0.0.0/0, the evaluation result is Compliant regardless of whether high-risk ports are open. If a high-risk port is denied by a rule with a higher priority, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable.

ecs-security-group-white-list-port-check

Checks whether each inbound rule whose Authorization Object parameter is set to 0.0.0.0/0 allows access only on ports within a specified range. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable.
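The three security-group rules above differ mainly in how they treat priorities, the -1/-1 port range, and groups that have no 0.0.0.0/0 rule at all. The following is an added example of how those evaluations can be expressed in code; it is illustrative and is not Cloud Config's own implementation. Rule records are modelled loosely on ECS security group rule attributes (policy, priority, port range, source CIDR), and the field names, the function names, the default high-risk port list, and the tie-break rule (equal priority: drop wins) are assumptions. The sample groups are constructed, not real account data.

```python
"""Added example: evaluating sg-public-access-check, sg-risky-ports-check and
ecs-security-group-white-list-port-check over sample security groups.
Not Cloud Config's implementation; field names and defaults are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"
ALL_PORTS = (1, 65535)  # what a port range of -1/-1 expands to
PortRange = Tuple[int, int]

@dataclass(frozen=True)
class SgRule:
    policy: str       # "accept" or "drop"
    priority: int     # 1 is the highest priority, 100 the lowest (assumed)
    port_range: str   # "-1/-1" for all ports, otherwise "from/to"
    source_cidr: str  # authorization object of an inbound rule

@dataclass
class SecurityGroup:
    name: str
    rules: List[SgRule]
    managed_by_service: bool = False  # groups owned by cloud services / VNOs

def ports(port_range: str) -> PortRange:
    lo, hi = (int(p) for p in port_range.split("/"))
    return ALL_PORTS if lo == -1 else (lo, hi)

def covers(outer: PortRange, inner: PortRange) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def overlaps(a: PortRange, b: PortRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

def open_accepts(sg: SecurityGroup) -> List[SgRule]:
    """Inbound accept rules whose authorization object is 0.0.0.0/0."""
    return [r for r in sg.rules if r.policy == "accept" and r.source_cidr == ANY_IPV4]

def drop_overrides(sg: SecurityGroup, accept: SgRule, port: PortRange) -> bool:
    """True if a drop rule from 0.0.0.0/0 with equal or higher priority covers
    `port`; such a rule takes precedence over the accept rule (assumption)."""
    return any(r.policy == "drop" and r.source_cidr == ANY_IPV4
               and r.priority <= accept.priority and covers(ports(r.port_range), port)
               for r in sg.rules)

def sg_public_access_check(sg: SecurityGroup) -> str:
    """Non-compliant if an accept rule opens every port to 0.0.0.0/0 and no
    higher-priority drop rule overrides it."""
    if sg.managed_by_service:
        return "NotApplicable"
    for r in open_accepts(sg):
        if ports(r.port_range) == ALL_PORTS and not drop_overrides(sg, r, ALL_PORTS):
            return "NonCompliant"
    return "Compliant"

def sg_risky_ports_check(sg: SecurityGroup, risky_ports=(22, 3389, 3306, 6379)) -> str:
    """Compliant if nothing is allowed from 0.0.0.0/0 at all, or if every
    high-risk port reachable from 0.0.0.0/0 is denied by a higher-priority drop."""
    if sg.managed_by_service:
        return "NotApplicable"
    accepts = open_accepts(sg)
    if not accepts:
        return "Compliant"
    for r in accepts:
        for p in risky_ports:
            if overlaps(ports(r.port_range), (p, p)) and not drop_overrides(sg, r, (p, p)):
                return "NonCompliant"
    return "Compliant"

def ecs_security_group_white_list_port_check(sg, allowed=((80, 80), (443, 443))) -> str:
    """Compliant if every accept rule from 0.0.0.0/0 stays inside an allowed
    port range; a -1/-1 rule can never satisfy this."""
    if sg.managed_by_service:
        return "NotApplicable"
    for r in open_accepts(sg):
        if not any(covers(a, ports(r.port_range)) for a in allowed):
            return "NonCompliant"
    return "Compliant"

def evaluate(sg: SecurityGroup) -> Dict[str, str]:
    return {"sg-public-access-check": sg_public_access_check(sg),
            "sg-risky-ports-check": sg_risky_ports_check(sg),
            "ecs-security-group-white-list-port-check": ecs_security_group_white_list_port_check(sg)}

# Constructed sample groups (not real account data).
SG_WIDE_OPEN = SecurityGroup("wide-open", [SgRule("accept", 1, "-1/-1", ANY_IPV4)])
SG_WEB = SecurityGroup("web", [SgRule("accept", 1, "80/80", ANY_IPV4),
                               SgRule("accept", 1, "443/443", ANY_IPV4),
                               SgRule("accept", 1, "22/22", "10.0.0.0/8")])  # SSH from VPC only
SG_SSH_OPEN = SecurityGroup("ssh-open", [SgRule("accept", 50, "22/22", ANY_IPV4)])
SG_SSH_DENIED = SecurityGroup("ssh-denied", [SgRule("accept", 50, "22/22", ANY_IPV4),
                                             SgRule("drop", 1, "22/22", ANY_IPV4)])  # deny wins
SG_MANAGED = SecurityGroup("managed", SG_WIDE_OPEN.rules, managed_by_service=True)

if __name__ == "__main__":
    for group in (SG_WIDE_OPEN, SG_WEB, SG_SSH_OPEN, SG_SSH_DENIED, SG_MANAGED):
        print(group.name, evaluate(group))
```

Note that ecs-security-group-white-list-port-check is stricter than sg-risky-ports-check: a higher-priority deny makes the ssh-denied group pass the risky-ports check, but the allow rule on port 22 still falls outside the whitelist, so that check reports Non-compliant.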

oss-bucket-anonymous-prohibited

Checks whether a bucket policy is configured for each Object Storage Service (OSS) bucket whose Bucket ACL parameter is set to Public Read/Write, and whether that policy grants no read or write permissions to anonymous users. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets whose Bucket ACL parameter is set to Private.

ecs-instance-no-public-ip

Checks whether a public IPv4 address or an elastic IP address (EIP) is assigned to each ECS instance. If not, the evaluation result is Compliant.

rds-public-and-any-ip-access-check

Checks whether Internet access is enabled for each ApsaraDB RDS instance and the 0.0.0.0/0 CIDR block is added to the whitelist. If so, the evaluation result is Non-compliant.

polardb-public-and-any-ip-access-check

Checks whether Internet access is enabled for each PolarDB cluster and the whitelist allows access from any Internet address (0.0.0.0/0). If so, the evaluation result is Non-compliant.

cloud-fire-wall-all-asset-open

Checks whether the protection feature is enabled for each asset in Cloud Firewall. If so, the evaluation result is Compliant. This rule applies only to users that have purchased Cloud Firewall. For users that have not purchased the service or use the free edition, the evaluation result is Compliant.

ecs-instance-enabled-security-protection

Checks whether the Security Center agent is installed in each ECS instance. If so, the evaluation result is Compliant. The Security Center agent helps protect the security of ECS instances. This rule does not apply to ECS instances that are not running.

security-center-version-check

Checks whether Security Center of Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant.

ecs-instance-updated-security-vul

Checks whether Security Center detects unfixed vulnerabilities of a specified type or a specified level on each ECS instance. If not, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running.

rds-instance-enabled-auditing

Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

actiontrail-trail-intact-enabled

Checks whether an active trail exists in ActionTrail that tracks events of all types in all regions. If so, the evaluation result is Compliant. If the management account of the resource directory has created a trail that applies to all member accounts, the evaluation result is also Compliant.

rds-instance-sql-collector-retention

Checks whether the SQL explorer and audit feature is enabled for each ApsaraDB RDS for MySQL instance and whether the number of days for which SQL audit logs can be retained is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 180.

ecs-snapshot-retention-days

Checks whether the automatic snapshots of each ECS instance are retained for a number of days greater than or equal to the specified value. If so, the evaluation result is Compliant. Default value: 7.

polardb-cluster-level-one-backup-retention

Checks whether the retention period for the level-1 backups of each PolarDB cluster is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 7.

polardb-cluster-enabled-tde

Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each PolarDB cluster. If so, the evaluation result is Compliant.

kms-secret-rotation-enabled

Checks whether the automatic rotation feature is enabled for Key Management Service (KMS) secrets. If so, the evaluation result is Compliant.

kms-key-rotation-enabled

Checks whether the automatic rotation feature is enabled for the customer master keys (CMKs) in KMS. If so, the evaluation result is Compliant.

kms-key-delete-protection-enabled

Checks whether the deletion protection feature is enabled for each KMS CMK. If so, the evaluation result is Compliant.

oss-encryption-byok-check

Checks whether a custom KMS key is used to encrypt the data of each OSS bucket. If so, the evaluation result is Compliant.

rds-instance-enabled-byok-tde

Checks whether a custom key is used to enable TDE for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

redis-instance-enabled-byok-tde

Checks whether a custom key is used to enable TDE for each ApsaraDB for Redis instance. If so, the evaluation result is Compliant.

cdn-domain-https-enabled

Checks whether HTTPS encryption is enabled for each domain name accelerated by Alibaba Cloud CDN. If so, the evaluation result is Compliant.

api-gateway-api-internet-request-https

Checks whether the request protocol of each API in API Gateway that allows Internet access is set to HTTPS. If so, the evaluation result is Compliant. For APIs that allow only internal access, the evaluation result is Not Applicable.

elasticsearch-instance-used-https-protocol

Checks whether HTTPS is enabled for each Elasticsearch instance. If so, the evaluation result is Compliant.

oss-bucket-only-https-enabled

Checks whether the bucket policy of each OSS bucket allows read and write operations over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. For OSS buckets without a bucket policy, the evaluation result is Not Applicable.

slb-all-listenter-tls-policy-check

Checks whether the HTTPS listeners of each Server Load Balancer (SLB) instance use a specified TLS security policy. If so, the evaluation result is Compliant. For SLB instances without HTTPS listeners, the evaluation result is Not Applicable.

fc-function-custom-domain-and-tls-enable

Checks whether each Function Compute function is bound to a custom domain name and HTTPS is enabled for the function. If so, the evaluation result is Compliant.

ecs-all-enabled-security-protection

Checks whether the Security Center agent is installed in each ECS instance that belongs to the current account. If so, the evaluation result is Compliant.

security-center-concern-necessity-check

Checks whether a vulnerability scan for risks of a specified level is configured in the Security Center console. If so, the evaluation result is Compliant.

security-center-notice-config-check

Checks whether a notification method is specified for each notification item of Security Center. If so, the evaluation result is Compliant.

rds-instance-maintain-time-check

Checks whether the maintenance period of each RDS instance matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected.

polardb-cluster-maintain-time-check

Checks whether the maintenance period of each PolarDB cluster matches one of the specified time ranges. If so, the evaluation result is Compliant. If the peak hours of your business overlap with the maintenance period, your business may be affected.

ram-user-no-has-specified-policy

Checks whether a policy that meets the specified conditions is attached to each RAM user, taking into account the policies the user inherits from its RAM user groups. If not, the evaluation result is Compliant. If a RAM user has administrator permissions, the evaluation result is Non-compliant.

ram-policy-no-statements-with-admin-access-check

Checks whether any policy attached to a RAM user, RAM user group, or RAM role contains a statement in which both the Action and Resource parameters are set to *. If not, the evaluation result is Compliant. An identity with such a statement has super administrator permissions.
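Both ram-policy-no-statements-with-admin-access-check and the earlier oss-bucket-only-https-enabled rule come down to inspecting policy statements. The following is an added example that evaluates both over constructed policy documents; it is illustrative and is not Cloud Config's own implementation. The function names are assumptions, the sample documents are constructed, and the `acs:SecureTransport` condition key is assumed to be what an HTTPS-only OSS bucket policy keys on.

```python
"""Added example: statement-level checks behind
ram-policy-no-statements-with-admin-access-check and oss-bucket-only-https-enabled.
Not Cloud Config's implementation; function names and samples are assumptions."""
import json
from typing import Any, Dict, List, Optional, Union

Policy = Union[str, Dict[str, Any]]

def _as_list(value: Any) -> List[Any]:
    """Action, Resource and Principal may be written as a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statements(policy: Policy) -> List[Dict[str, Any]]:
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return _as_list(doc.get("Statement"))

def has_admin_access(policy: Policy) -> bool:
    """True if an Allow statement has '*' in both Action and Resource."""
    for s in statements(policy):
        if s.get("Effect") != "Allow":
            continue  # a Deny on */* is a restriction, not super-admin access
        if "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource")):
            return True
    return False

def ram_policy_check(attached_policies: List[Policy]) -> str:
    """ram-policy-no-statements-with-admin-access-check for one identity,
    given every policy attached to it (directly or via a group)."""
    return "NonCompliant" if any(has_admin_access(p) for p in attached_policies) else "Compliant"

def denies_plain_http(bucket_policy: Policy) -> bool:
    """True if a Deny statement for all principals and all OSS actions is
    conditioned on acs:SecureTransport being false (assumed condition key)."""
    for s in statements(bucket_policy):
        if s.get("Effect") != "Deny":
            continue
        cond = (s.get("Condition") or {}).get("Bool") or {}
        insecure = [str(v).lower() for v in _as_list(cond.get("acs:SecureTransport"))]
        actions = _as_list(s.get("Action"))
        all_principals = "*" in _as_list(s.get("Principal"))
        all_actions = "oss:*" in actions or "*" in actions
        if "false" in insecure and all_principals and all_actions:
            return True
    return False

def oss_https_only_check(bucket_policy: Optional[Policy]) -> str:
    if bucket_policy is None:
        return "NotApplicable"  # buckets without a bucket policy are out of scope
    return "Compliant" if denies_plain_http(bucket_policy) else "NonCompliant"

# Constructed sample documents (not taken from any real account).
ADMIN_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": ["acs:oss:*:*:reports/*"]}]}
DENY_ALL_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
STAR_ACTION_SCOPED_RESOURCE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "acs:oss:*:*:reports/*"}]}

HTTPS_ONLY_BUCKET_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": ["*"], "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:reports/*"]},
    {"Effect": "Deny", "Principal": ["*"], "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:reports", "acs:oss:*:*:reports/*"],
     "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}}]})
PLAIN_BUCKET_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": ["*"], "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:reports/*"]}]})

if __name__ == "__main__":
    print("user with admin policy:", ram_policy_check([SCOPED_POLICY, ADMIN_POLICY]))
    print("https-only bucket:", oss_https_only_check(HTTPS_ONLY_BUCKET_POLICY))
    print("plain bucket:", oss_https_only_check(PLAIN_BUCKET_POLICY))
```

Two details matter in practice: the admin check must ignore Deny statements, since a `Deny` on `*`/`*` removes rather than grants permissions, and a statement with `Action: "*"` but a scoped `Resource` is broad but not super-administrator access and so does not trip the rule.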

ram-user-ak-create-date-expired-check

Checks whether each AccessKey pair of a RAM user was created within the specified number of days before the check time, that is, whether the AccessKey pair has been rotated recently. If so, the evaluation result is Compliant. Default value: 90.

ram-user-group-membership-check

Checks whether each RAM user belongs to a RAM user group. If so, the evaluation result is Compliant.

ram-user-login-check

Checks whether console access or API access is enabled for each RAM user. If at least one of the two is enabled, the evaluation result is Compliant.

root-ak-check

Checks whether an AccessKey pair exists for the Alibaba Cloud account (the root account). If not, the evaluation result is Compliant.

ram-user-sso-enabled

Checks whether the single sign-on (SSO) feature is enabled for each RAM user. If so, the evaluation result is Compliant.

ram-user-ak-used-expired-check

Checks whether each AccessKey pair of a RAM user has been used within the specified number of days before the current day. If so, the evaluation result is Compliant. Default value: 90.

ram-user-last-login-expired-check

Checks whether each RAM user has logged on within the last 90 days. If so, the evaluation result is Compliant. If a RAM user has been updated within the last 90 days, the evaluation result is Compliant regardless of whether the RAM user has recently logged on. For RAM users that have no console access, the evaluation result is Not Applicable.

ram-policy-in-use-check

Checks whether each policy is attached to at least one RAM user group, RAM role, or RAM user. If so, the evaluation result is Compliant.

ram-group-has-member-check

Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant.

ram-password-policy-check

Checks whether the settings of the RAM user password policy meet the specified values. If so, the evaluation result is Compliant.

root-mfa-check

Checks whether multi-factor authentication (MFA) is enabled for the current Alibaba Cloud account. If so, the evaluation result is Compliant.

ram-user-mfa-check

Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant.

security-center-leak-ak-check

Checks whether a leaked AccessKey pair is detected in the Security Center console. If not, the evaluation result is Compliant.

polardb-cluster-enabled-auditing

Checks whether the SQL audit feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant.

rds-instance-enabled-log-backup

Checks whether the log backup feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. If log backup is disabled, lost local logs cannot be recovered.

nas-filesystem-enable-backup-plan

Checks whether a backup plan is created for each Apsara File Storage NAS file system. If so, the evaluation result is Compliant.

polardb-cluster-log-backup-retention

Checks whether log backup is enabled for each PolarDB cluster and the retention period for the log backups is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 30. If log backup is not enabled or the backup retention period is less than the specified number of days, the evaluation result is Non-compliant.

oss-zrs-enabled

Checks whether the zone-redundant storage (ZRS) feature is enabled for each OSS bucket. If so, the evaluation result is Compliant. If ZRS is disabled, OSS cannot maintain service continuity or recover data when a data center becomes unavailable.

sls-logstore-enabled-encrypt

Checks whether data encryption is enabled for each Logstore in Simple Log Service. If so, the evaluation result is Compliant.

oss-bucket-server-side-encryption-enabled

Checks whether the Encryption Method parameter of the server-side encryption feature is set to OSS-Managed for each OSS bucket. If so, the evaluation result is Compliant.

rds-event-log-enabled

Checks whether the event history feature is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.

polardb-cluster-default-time-zone-not-system

Checks whether the default_time_zone parameter of each PolarDB cluster is set to a value other than SYSTEM. If so, the evaluation result is Compliant. We recommend that you specify an explicit time zone for each PolarDB cluster.

ecs-instance-os-name-check

Checks whether the operating system name of each ECS instance appears in a specified whitelist or does not appear in a specified blacklist. If so, the evaluation result is Compliant. Enterprises can use this rule to standardize the operating system versions in use and to upgrade operating systems that are no longer maintained before their unpatched vulnerabilities become a risk.

ecs-instance-monitor-enabled

Checks whether the CloudMonitor agent is installed in each running ECS instance, and the agent is running as expected. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running.

cms-created-rule-for-specified-product

Checks whether at least one alert rule is configured in the CloudMonitor console for each Alibaba Cloud service of a specified namespace. If so, the evaluation result is Compliant.

ecs-disk-encrypted

Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant.

rds-instance-enabled-disk-encryption

Checks whether disk encryption is enabled for each ApsaraDB RDS instance. If so, the evaluation result is Compliant.