You can quickly try out the compliance package after you enable the service. It provides best practice checks for cloud resource management and administration. This topic describes the default rules in QuickStartCompliancePack.
| Rule Name | Rule Description |
| --- | --- |
| | An Alibaba Cloud account is compliant if it has no AccessKey in any state (active or inactive). An AccessKey that belongs to an Alibaba Cloud account carries the full permissions of the account and cannot be restricted, so a leak of that key can have severe consequences. Instead, use an AccessKey that belongs to a Resource Access Management (RAM) user and configure appropriate access control for that user. |
| | An account is compliant if ActionTrail has an enabled trail that records all event types in all regions. A member account of a resource directory is also compliant if the administrator has created a trail that applies to all member accounts. |
| | An Alibaba Cloud account is compliant if multi-factor authentication (MFA) is enabled. Enable MFA for the Alibaba Cloud account to mitigate the risk of unauthorized access. |
| | An ECS instance is compliant if neither a public IPv4 address nor an Elastic IP Address (EIP) is directly attached to it. |
| | An OSS bucket is compliant if its access control list (ACL) is not set to public-read. The public-read permission lets anyone read objects in the bucket and increases the risk of data leaks. Disable it unless the bucket is intended to be public. |
| Do not grant super administrator (Admin) permissions to RAM users | A configuration is compliant if no Resource Access Management (RAM) user, RAM user group, or RAM role holds a policy that allows all actions on all resources. Grant only the minimum required permissions; do not grant administrative permissions for all actions on all resources to any RAM user, RAM user group, or RAM role. |
| | A RAM user is compliant if MFA is enabled as a second factor at logon. |
| Rotate the AccessKeys of RAM users within a specified period | A RAM user is compliant if each of the user's AccessKeys was created or last used within a specified number of days. The default value is 90 days. |
| | A RAM user is compliant if at most one of the user's active AccessKeys is older than a specified number of days. A RAM user should have only one active AccessKey; a second one is acceptable only temporarily, while the keys are being rotated. |
| Ensure the whitelist of an RDS instance with a public IP address is not open to all sources | An RDS instance is compliant if it either has no public IP address or its whitelist does not allow access from all source IP addresses. |
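The rules above can be exercised offline before you enable the pack, to see which resources would be flagged. The checker below is an added example, not Alibaba Cloud Config's own evaluator: the snapshot dictionary schema, the rule identifiers, the fixed evaluation date, and the sample account data are all assumptions constructed for illustration. Two details it makes concrete are the rotation rule (a key passes if it was created *or* last used within the window) and the single-active-key rule (a second key is tolerated only while it is younger than the window).

```python
"""Evaluate QuickStartCompliancePack-style rules against a constructed account snapshot.
Added example; the snapshot schema, rule ids and sample data are assumptions, not
Cloud Config's own format."""
from datetime import datetime, timezone

# Fixed evaluation time so the example is reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90  # default rotation window named on the page


def _days_ago(iso_ts):
    return (NOW - datetime.fromisoformat(iso_ts)).days


def is_admin_policy(policy):
    """True if any statement allows all actions ("*") on all resources ("*")."""
    for stmt in policy.get("Statement", []):
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return True
    return False


def evaluate(snapshot):
    """Return a list of (rule_id, resource) findings; an empty list means fully compliant."""
    findings = []
    acct = snapshot["account"]
    if acct.get("access_keys"):  # any state counts, inactive keys included
        findings.append(("root-no-access-key", "account"))
    if not acct.get("mfa_enabled"):
        findings.append(("root-mfa-enabled", "account"))
    # A trail created by the resource-directory admin for all members is assumed to
    # appear in the member's own list with the same flags.
    trails = snapshot.get("actiontrail", [])
    if not any(t["enabled"] and t["all_regions"] and t["all_event_types"] for t in trails):
        findings.append(("actiontrail-enabled", "account"))
    for ecs in snapshot.get("ecs", []):
        if ecs.get("public_ip") or ecs.get("eip"):
            findings.append(("ecs-no-public-ip", ecs["id"]))
    for bucket in snapshot.get("oss", []):
        if bucket["acl"] == "public-read":
            findings.append(("oss-no-public-read", bucket["name"]))
    for ident in snapshot.get("ram_identities", []):  # users, groups and roles alike
        if any(is_admin_policy(p) for p in ident["policies"]):
            findings.append(("ram-no-admin", ident["name"]))
    for user in snapshot.get("ram_users", []):
        if not user.get("mfa_enabled"):
            findings.append(("ram-user-mfa", user["name"]))
        active = [k for k in user["access_keys"] if k["status"] == "Active"]
        # More than one active key is tolerated only while the extra key is still fresh.
        if sum(_days_ago(k["created"]) > MAX_KEY_AGE_DAYS for k in active) > 1:
            findings.append(("ram-user-single-active-key", user["name"]))
        for k in active:
            ages = [_days_ago(k["created"])]
            if k.get("last_used"):
                ages.append(_days_ago(k["last_used"]))
            if min(ages) > MAX_KEY_AGE_DAYS:  # neither created nor used within the window
                findings.append(("ram-user-key-rotation", f'{user["name"]}/{k["id"]}'))
    for rds in snapshot.get("rds", []):
        if rds.get("public_ip") and "0.0.0.0/0" in rds["whitelist"]:
            findings.append(("rds-whitelist-not-open", rds["id"]))
    return findings


# Constructed sample snapshot; every identifier below is made up for the example.
SAMPLE = {
    "account": {"mfa_enabled": True, "access_keys": [{"id": "root-key", "status": "Inactive"}]},
    "actiontrail": [{"name": "audit", "enabled": True, "all_regions": True, "all_event_types": False}],
    "ecs": [{"id": "i-web01", "public_ip": "203.0.113.10"}, {"id": "i-app01"}],
    "oss": [{"name": "public-assets", "acl": "public-read"}, {"name": "backups", "acl": "private"}],
    "ram_identities": [
        {"name": "ops-admin", "policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
        {"name": "oss-reader", "policies": [{"Statement": [{"Effect": "Allow", "Action": ["oss:Get*"], "Resource": "*"}]}]},
    ],
    "ram_users": [
        {"name": "alice", "mfa_enabled": True, "access_keys": [
            {"id": "ak-a1", "status": "Active", "created": "2024-01-01T00:00:00+00:00", "last_used": "2024-05-30T00:00:00+00:00"}]},
        {"name": "bob", "mfa_enabled": False, "access_keys": [  # old stale key plus a fresh one (mid-rotation)
            {"id": "ak-b1", "status": "Active", "created": "2023-11-01T00:00:00+00:00", "last_used": "2024-01-15T00:00:00+00:00"},
            {"id": "ak-b2", "status": "Active", "created": "2024-05-20T00:00:00+00:00"}]},
        {"name": "carol", "mfa_enabled": True, "access_keys": [  # two old keys, both still in use
            {"id": "ak-c1", "status": "Active", "created": "2023-09-01T00:00:00+00:00", "last_used": "2024-05-31T00:00:00+00:00"},
            {"id": "ak-c2", "status": "Active", "created": "2023-10-01T00:00:00+00:00", "last_used": "2024-05-31T00:00:00+00:00"}]},
    ],
    "rds": [{"id": "rm-pub", "public_ip": "198.51.100.5", "whitelist": ["0.0.0.0/0"]},
            {"id": "rm-int", "whitelist": ["10.0.0.0/8"]}],
}

if __name__ == "__main__":
    for rule, resource in evaluate(SAMPLE):
        print(f"NON_COMPLIANT {rule}: {resource}")
```

Note how the two AccessKey rules differ on the sample: bob's stale `ak-b1` fails rotation while his fresh second key is tolerated, whereas carol's two old keys pass rotation (both used yesterday) but fail the single-active-key rule. The inactive root key is still a finding, because that rule counts keys in any state.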