This topic describes the managed rules that are provided in the RMiTComplianceCheck compliance package template.
Rule name | Description |
---|---|
actiontrail-trail-intact-enabled | If an active trail exists in ActionTrail and the events of all types that are generated in all regions are tracked, the evaluation result is compliant. |
actiontrail-enabled | If at least one active trail exists in ActionTrail, the evaluation result is compliant. |
oss-encryption-byok-check | If the specified customer master key (CMK) managed by Key Management Service (KMS) is used to encrypt each Object Storage Service (OSS) bucket, the evaluation result is compliant. |
ecs-disk-auto-snapshot-policy | If an automatic snapshot policy is specified for each Elastic Compute Service (ECS) data disk, the evaluation result is compliant. |
ecs-disk-encrypted | If encryption is enabled for each ECS data disk, the evaluation result is compliant. |
ecs-instance-no-public-ip | If no public IPv4 addresses are associated with each ECS instance, the evaluation result is compliant. |
ecs-instances-in-vpc | If you do not specify the `vpcIds` parameter, the system checks whether the network type of each ECS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the `vpcIds` parameter, the system checks whether the VPC in which ECS instances reside matches the specified setting. If yes, the evaluation result is compliant. |
slb-aliyun-certificate-required | If each Server Load Balancer (SLB) instance uses certificates that are issued by Alibaba Cloud, the evaluation result is compliant. |
slb-server-certificate-expired | If the certificates used by each SLB instance are valid, the evaluation result is compliant. |
slb-delete-protection-enabled | If the release protection feature is enabled for each SLB instance, the evaluation result is compliant. |
slb-listener-https-enabled | If ports 80 and 8080 are used by the HTTPS listeners of each SLB instance, the evaluation result is compliant. |
ram-group-has-member-check | If each RAM user group contains one or more RAM users, the evaluation result is compliant. |
ram-password-policy-check | If the settings of password policies configured for each RAM user meet the specified values, the evaluation result is compliant. |
ram-policy-no-statements-with-admin-access-check | If the Action parameter is not set to `*` in the policies attached to each RAM user, RAM user group, and RAM role, the evaluation result is compliant. `*` indicates the super administrator permissions. |
root-ak-check | If no AccessKey pairs exist in each Alibaba Cloud account, the evaluation result is compliant. |
ram-user-group-membership-check | If each RAM user belongs to a RAM user group, the evaluation result is compliant. |
ram-user-mfa-check | If multi-factor authentication (MFA) is enabled for each RAM user, the evaluation result is compliant. |
ram-user-no-policy-check | If no policies are attached to each RAM user, the evaluation result is compliant. |
ram-user-last-login-expired-check | If each RAM user logs on to the system at least once in the last 90 days, the evaluation result is compliant. If no logon record exists for a RAM user, the system checks the update time. If the last update time is not more than 90 days before the current time, the evaluation result is compliant. |
rds-public-access-check | If `0.0.0.0/0` is not added to the IP address whitelist of each ApsaraDB RDS instance, the evaluation result is compliant. |
rds-event-log-enabled | If the event history feature is enabled for each ApsaraDB RDS instance, the evaluation result is compliant. |
rds-multi-az-support | If ApsaraDB RDS instances are deployed across multiple zones, the evaluation result is compliant. |
rds-instance-enabled-tde | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the evaluation result is compliant. |
oss-bucket-logging-enabled | If the log storage feature is enabled for each OSS bucket, the evaluation result is compliant. |
oss-bucket-anonymous-prohibited | If the access control list (ACL) of each OSS bucket is set to private and no read/write permissions are granted to anonymous accounts in the authorization policy of each OSS bucket, the evaluation result is compliant. |
oss-bucket-server-side-encryption-enabled | If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant. |
oss-default-encryption-kms | If server-side encryption by using KMS is enabled for each OSS bucket, the evaluation result is compliant. |
oss-bucket-versioning-enabled | If the versioning feature is enabled for each OSS bucket, the evaluation result is compliant. |
vpc-flow-logs-enabled | If the flow log feature is enabled for each VPC, the evaluation result is compliant. |
vpn-ipsec-connection-status-check | If the IPsec-VPN connection is established, the evaluation result is compliant. |
waf-instance-logging-enabled | If the log collection feature is enabled for each domain name that is protected by Web Application Firewall (WAF), the evaluation result is compliant. |
oss-bucket-only-https-enabled | If the permission policy of each OSS bucket includes settings that allow HTTPS requests and deny HTTP requests, the evaluation result is compliant. |
sg-public-access-check | If the inbound authorization policy of each security group is set to Allow and you set the port range to `-1/-1` or the authorized IP address to `0.0.0.0/0`, the evaluation result is compliant. |
kms-key-rotation-enabled | If automatic rotation is enabled for CMKs managed by KMS, the evaluation result is compliant. |
elasticsearch-instance-in-vpc | If you do not specify the `vpcIds` parameter, the system checks whether the network type of each Elasticsearch instance is set to VPC. If yes, the evaluation result is compliant. If you specify the `vpcIds` parameter, the system checks whether the VPC in which Elasticsearch instances reside matches the specified setting. If yes, the evaluation result is compliant. |
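As an added example (not part of this topic and not Cloud Config's own evaluation code), the following Python script re-implements the conditions stated in the table for four of the rules: rds-public-access-check, ram-policy-no-statements-with-admin-access-check, oss-bucket-only-https-enabled and ram-user-last-login-expired-check. It runs the checks over a constructed resource snapshot so you can see how the compliant and non-compliant outcomes are derived, including the 90-day fallback to the update time for a RAM user with no logon record. The snapshot layout and the use of the `acs:SecureTransport` bucket-policy condition key to tell HTTPS from HTTP requests are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_IDLE = timedelta(days=90)  # window used by ram-user-last-login-expired-check


def _as_list(value):
    """Policy fields such as Action may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def rds_public_access_check(ip_whitelist):
    """rds-public-access-check: compliant unless 0.0.0.0/0 is in the whitelist."""
    return "0.0.0.0/0" not in {entry.strip() for entry in ip_whitelist}


def ram_policy_no_admin_access(policy):
    """ram-policy-no-statements-with-admin-access-check: no Allow statement with Action '*'."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", [])):
            return False
    return True


def _secure_transport(stmt):
    """Return True/False for a SecureTransport condition, None if the statement has none (assumed key)."""
    cond = stmt.get("Condition", {}).get("Bool", {}).get("acs:SecureTransport")
    if cond is None:
        return None
    return str(_as_list(cond)[0]).lower() == "true"


def oss_bucket_only_https(policy):
    """oss-bucket-only-https-enabled: the policy must allow HTTPS requests and deny HTTP requests."""
    allows_https = denies_http = False
    for stmt in policy.get("Statement", []):
        transport = _secure_transport(stmt)
        if stmt.get("Effect") == "Allow" and transport is True:
            allows_https = True
        elif stmt.get("Effect") == "Deny" and transport is False:
            denies_http = True
    return allows_https and denies_http


def ram_user_last_login_ok(user, now):
    """ram-user-last-login-expired-check: logon within 90 days; with no logon record, use the update time."""
    reference = user["last_login"] if user.get("last_login") is not None else user["update_time"]
    return now - reference <= MAX_IDLE


def evaluate(snapshot, now):
    """Run every rule over the snapshot and label each resource COMPLIANT or NON_COMPLIANT."""
    label = lambda ok: "COMPLIANT" if ok else "NON_COMPLIANT"
    return {
        "rds-public-access-check": {
            rid: label(rds_public_access_check(inst["whitelist"])) for rid, inst in snapshot["rds"].items()},
        "ram-policy-no-statements-with-admin-access-check": {
            name: label(ram_policy_no_admin_access(pol)) for name, pol in snapshot["ram_policies"].items()},
        "oss-bucket-only-https-enabled": {
            name: label(oss_bucket_only_https(pol)) for name, pol in snapshot["oss_bucket_policies"].items()},
        "ram-user-last-login-expired-check": {
            name: label(ram_user_last_login_ok(u, now)) for name, u in snapshot["ram_users"].items()},
    }


# Constructed sample snapshot (hypothetical resource ids and policies, not real account data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SECURE = {"Bool": {"acs:SecureTransport": ["true"]}}
INSECURE = {"Bool": {"acs:SecureTransport": ["false"]}}
SNAPSHOT = {
    "rds": {"rm-open": {"whitelist": ["10.0.0.0/8", "0.0.0.0/0"]},
            "rm-private": {"whitelist": ["10.0.0.0/8", "192.168.1.10"]}},
    "ram_policies": {
        "AdminAll": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "OssReadOnly": {"Statement": [{"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "*"}]}},
    "oss_bucket_policies": {
        "https-only": {"Statement": [
            {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"], "Condition": SECURE},
            {"Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"], "Condition": INSECURE}]},
        "any-scheme": {"Statement": [{"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"]}]}},
    "ram_users": {
        "alice": {"last_login": NOW - timedelta(days=10), "update_time": NOW - timedelta(days=400)},
        "bob": {"last_login": NOW - timedelta(days=120), "update_time": NOW - timedelta(days=5)},
        "svc-new": {"last_login": None, "update_time": NOW - timedelta(days=30)}},
}

if __name__ == "__main__":
    for rule, outcome in evaluate(SNAPSHOT, NOW).items():
        print(rule, outcome)
```

Note that `bob` is non-compliant even though his user record was updated five days ago: per the rule text, the update time is consulted only when no logon record exists at all, so a stale logon is not rescued by a recent edit to the user.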