Rule name | Rule description | Requirement No. | Requirement description |
--- | --- | --- | --- |
rds-instance-enabled-log-backup | Checks whether log backup is enabled for an ApsaraDB RDS instance. If so, the evaluation result is Compliant. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
nas-filesystem-enable-backup-plan | Checks whether a backup plan is created for each File Storage NAS file system. If so, the evaluation result is Compliant. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
oss-zrs-enabled | If the zone-redundant storage (ZRS) feature is disabled, Object Storage Service (OSS) cannot provide consistent services and ensure data recovery when a data center becomes unavailable. If the ZRS feature is enabled for each OSS bucket, the evaluation result is Compliant. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
polardb-cluster-level-one-backup-retention | Checks whether the retention period for the level-1 backups of each PolarDB cluster is greater than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 7. Unit: days. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
api-gateway-group-log-enabled | Checks whether log storage is enabled for API groups of API Gateway. If so, the evaluation result is Compliant. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
oss-bucket-versioning-enabled | If the versioning feature is disabled, data may fail to be restored when the data is overwritten or deleted. If the versioning feature is enabled, the evaluation result is Compliant. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. The entity disposes of confidential information to meet the entity's objectives related to confidentiality. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
slb-instance-log-enabled | Checks whether the access log feature is enabled for each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which Layer 7 monitoring is disabled. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
adb-cluster-log-backup-enabled | Checks whether the log backup feature is enabled for each AnalyticDB cluster. If so, the evaluation result is Compliant. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
ecs-disk-auto-snapshot-policy | Checks whether an automatic snapshot policy is specified for each ECS disk. If so, the evaluation result is Compliant. | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
actiontrail-trail-intact-enabled | Checks whether an active trail exists in ActionTrail and events of all types that are generated in all regions are tracked. If so, the evaluation result is Compliant. If the administrator of a resource directory has created a trail that applies to all members, the evaluation result is Compliant. | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
security-center-notice-config-check | Checks whether a notification method is specified for each notification item of Security Center. If so, the evaluation result is Compliant. | A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. |
rds-instance-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each RDS instance. If so, the evaluation result is Compliant. The rule does not take effect for subscription ApsaraDB RDS instances. | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
polardb-cluster-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. This rule does not apply to clusters that use the subscription billing method. | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
kms-key-delete-protection-enabled | Checks whether the deletion protection feature is enabled for each customer master key (CMK) in KMS. If so, the evaluation result is Compliant. This rule does not apply to the CMK that is not enabled. This rule does not apply to a key if the key is a service key because a service key cannot be deleted. | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
ram-group-has-member-check | Checks whether each RAM user group contains at least one RAM user. If so, the evaluation result is Compliant. | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ram-group-in-use-check | Checks whether each RAM user group contains at least one RAM user and has at least one policy attached. If so, the evaluation result is Compliant. | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ram-policy-in-use-check | Checks whether a policy is attached to at least one RAM user group, RAM role, or RAM user. If so, the evaluation result is Compliant. | CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
ram-policy-no-statements-with-admin-access-check | Checks whether no policy attached to a RAM user, RAM user group, or RAM role contains a statement in which both the Action and Resource parameters are set to *. If so, the evaluation result is Compliant. A statement with Action * and Resource * grants super administrator permissions. | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
security-center-version-check | Checks whether Security Center of Enterprise Edition or a more advanced edition is used. If so, the evaluation result is Compliant. | CC3.1 CC6.6 CC6.8 CC7.1 CC7.2 CC7.3 CC7.4 | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
firewall-asset-open-protect | Checks whether asset protection is enabled in Cloud Firewall. If so, the evaluation result is Compliant. This rule applies only to users that have purchased the Cloud Firewall service. No detection data is available for users that have not purchased the service or use it for free. | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. |
security-center-concern-necessity-check | Checks whether a vulnerability scan for risks of a specified level is configured in the Security Center console. If so, the evaluation result is Compliant. | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. |
security-center-defense-config-check | Checks whether a proactive defense of a specified type is enabled in the Security Center console. If so, the evaluation result is Compliant. | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. |
waf3-instance-enabled-specified-defense-rules | Checks whether rules for the specified protection scenario are enabled for a WAF 3.0 instance. If so, the evaluation result is Compliant. | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. |
ecs-instance-enabled-security-protection | Checks whether the Security Center agent is installed on each ECS instance so that the instance receives security protection. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
ram-user-mfa-check | Checks whether MFA is enabled in the logon settings of each RAM user for which the console access feature is enabled. If so, the evaluation result is Compliant. | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
ecs-instance-monitor-enabled | Checks whether a CloudMonitor agent is installed on each running ECS instance and the agent is running as expected. If so, the evaluation result is Compliant. This rule does not apply to ECS instances that are not running. | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
ack-running-cluster-node-monitorenabled | Checks whether the CloudMonitor agent is installed on all nodes in each Container Service for Kubernetes (ACK) cluster and whether the CloudMonitor agent runs as expected. If so, the evaluation result is Compliant. | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
vpc-flow-logs-enabled | Checks whether the flow log feature is enabled for each virtual private cloud (VPC). If so, the evaluation result is Compliant. | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
kms-secret-rotation-enabled | Checks whether the automatic rotation feature is enabled for KMS secrets. If so, the evaluation result is Compliant. This rule does not apply to a common key. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
ecs-running-instance-no-public-ip | Checks whether no public IPv4 addresses or elastic IP addresses (EIPs) are assigned to the ECS instances that are running. If so, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
oss-bucket-server-side-encryption-enabled | Checks whether server-side encryption is enabled for each OSS bucket. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
oss-bucket-logging-enabled | Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
oss-bucket-public-read-prohibited | Checks whether the ACL policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
root-ak-check | Checks whether an AccessKey pair is created for the Alibaba Cloud account (root account). If not, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ecs-disk-encrypted | Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
kms-secret-last-rotation-date-check | Checks whether the automatic rotation feature is enabled for the KMS secrets and the automatic rotation is performed based on the specified rotation period. If so, the evaluation result is Compliant. This rule does not apply to generic secrets because periodic key rotation cannot be enabled for a generic secret in KMS. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
oss-bucket-only-https-enabled | Checks whether the bucket policy of each OSS bucket allows read and write access over HTTPS and denies access over HTTP. If so, the evaluation result is Compliant. This rule does not apply to OSS buckets that do not have a bucket policy. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
fc-service-internet-access-disable | Checks whether Internet access is disabled for Function Compute. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
ssl-certificate-expired-check | Checks whether the remaining validity periods of all SSL certificates are greater than the specified value. If so, the evaluation result is Compliant. Default value: 30. Unit: days. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
nas-filesystem-encrypt-type-check | Checks whether the server-side encryption feature is enabled for the NAS file systems that you create. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
elasticsearch-instance-enabled-data-node-encryption | Checks whether the disk encryption feature is enabled for the data nodes of each Elasticsearch cluster. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
kms-key-state-not-pending-deletion | Checks whether the status of each KMS CMK is not Pending Deletion. If so, the evaluation result is Compliant. A key that is pending deletion can no longer be used and the data encrypted with it becomes unrecoverable once the deletion completes. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
adb-public-access-check | Checks whether Internet access is disabled for each AnalyticDB instance. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
oss-bucket-public-write-prohibited | Checks whether the ACL of each OSS bucket denies write access from the Internet, that is, the bucket ACL is not public-read-write. If so, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
ram-user-ak-create-date-expired-check | Checks whether the interval between the time when the AccessKey pair of a RAM user was created and the time when the compliance check started is less than or equal to a specified number of days. If so, the evaluation result is Compliant. Default value: 90. Unit: days. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
elasticsearch-instance-enabled-public-check | Checks whether Internet access is disabled for each Elasticsearch cluster. If so, the evaluation result is Compliant. | CC6.1 CC6.6 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
ram-password-policy-check | Checks whether the settings of password policies configured for each RAM user meet the specified values. If so, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ecs-running-instances-in-vpc | Checks whether each ECS instance resides in a VPC. If an ECS instance resides in a VPC, the evaluation result is Compliant. If you configure the required parameter and the VPC setting for the ECS instance matches the specified value, the evaluation result is Compliant. This rule does not apply to ECS instances that are not in the running state. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
alb-http-drop-invalid-header-enabled | Checks whether the Header actions are removed from the HTTP listeners of ALB instances. If so, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
rds-public-access-check | Checks whether no public endpoint is configured for each ApsaraDB RDS instance. If so, the evaluation result is Compliant. To prevent cyberattacks, we recommend that you do not configure direct access to RDS instances in production environments over the Internet. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
slb-listener-https-enabled | Checks whether an HTTPS listener is enabled on the specified ports of each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which only a TCP or UDP listener is enabled. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
ecs-security-group-white-list-port-check | Checks whether each inbound rule in a security group allows access only from the ports in a specified range when the Authorization Object parameter of the inbound rule is set to 0.0.0.0/0. If so, the evaluation result is Compliant. This rule does not apply to the security groups that are used by cloud services or VNOs. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
elasticsearch-instance-used-https-protocol | Checks whether HTTPS is enabled for each Elasticsearch cluster. If so, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
fc-service-vpc-binding | Checks whether the functions of a service can be invoked only in specific VPCs. If so, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
rds-instance-enabled-tde | Checks whether the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance. If so, the evaluation result is Compliant. This rule does not apply to instance types or editions that do not support the TDE feature. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
ecs-security-group-risky-ports-check-with-protocol | Checks whether 0.0.0.0/0 is added to the IP address whitelist of each security group and risky ports are disabled. If so, the evaluation result is Compliant. If 0.0.0.0/0 is not added to the inbound IP address whitelist of a security group, the configuration is considered compliant regardless of whether high-risk ports are disabled. If a high-risk port is denied by an authorization policy with a higher priority, the evaluation result is Compliant. This rule does not apply to the security groups that are used by cloud services or VNOs. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
polardb-public-access-check | Checks whether 0.0.0.0/0 is added to the IP whitelist of each PolarDB instance. If not, the evaluation result is Compliant. | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
polardb-cluster-address-no-public | Checks whether Internet access is enabled for the endpoints of each PolarDB cluster. If not, the evaluation result is Compliant. | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
eip-attached | Checks whether each EIP is attached to an ECS instance or a NAT gateway. If so, the evaluation result is Compliant. | CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
ram-user-login-check | Checks whether one of the console access and API access features is enabled for each RAM user. If so, the evaluation result is Compliant. | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ram-user-no-policy-check | Checks whether a policy is attached to each RAM user. If so, the evaluation result is Compliant. We recommend that RAM users inherit permissions from RAM user groups or roles. | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ram-user-group-membership-check | Checks whether each RAM user belongs to a RAM user group. If so, the evaluation result is Compliant. | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ram-user-active-ak-check | If each RAM user does not have an active AccessKey pair, the evaluation result is Compliant. | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ack-cluster-ram-authenticator-enabled | Checks whether the ack-ram-authenticator component is installed in each ACK cluster. If so, the evaluation result is Compliant. | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ecs-instance-ram-role-attached | Checks whether a RAM role is assigned to each ECS instance. If so, the evaluation result is Compliant. | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
polardb-cluster-enabled-tde | Checks whether the TDE feature is enabled in the data security settings of each PolarDB cluster. If so, the evaluation result is Compliant. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
api-gateway-api-auth-required | Checks whether the Alibaba Cloud app or a plug-in of a specific type is enabled to authenticate the APIs in API Gateway. If so, the evaluation result is Compliant. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
api-gateway-group-domain-access-waf-or-waf3 | Checks whether the domain name bound to each API group in API Gateway is added to WAF or WAF 3.0. If so, the evaluation result is Compliant. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
ess-scaling-configuration-enabled-internet-check | If the scaling configurations do not specify that IPv4 addresses can be assigned to ECS instances, the evaluation result is Compliant. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
ecs-instance-updated-security-vul | Checks whether unfixed vulnerabilities of a specified type or a specified level are detected by Security Center on an ECS instance. This rule does not apply to ECS instances that are not running. | | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
ecs-all-enabled-security-protection | Checks whether the Security Center agent is installed on each ECS instance that belongs to the current account. If so, the evaluation result is Compliant. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
slb-no-public-ip | Checks whether a public IP address is associated with each SLB instance. If not, the evaluation result is Compliant. If you do not want an SLB instance to access public networks, we recommend that you do not bind a public IP address to an SLB instance. If you want an SLB instance to access public networks, we recommend that you purchase an EIP and bind the EIP to the required SLB instance. EIPs provide more flexibility. You can also use an EIP bandwidth plan to reduce costs. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
nat-risk-ports-check | Checks whether the specified high-risk ports are mapped by using the DNAT entries of NAT Gateway. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
slb-aliyun-certificate-required | Checks whether each SLB instance uses certificates that are issued by Alibaba Cloud. If so, the evaluation result is Compliant. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
slb-all-listener-tls-policy-check | Checks whether the HTTPS listeners of each SLB instance use a specified security policy suite version. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no HTTPS listener is configured. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
api-gateway-group-enabled-ssl | Checks whether an SSL certificate is specified for the custom domain of the API group of API Gateway. If so, the evaluation result is Compliant. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
polardb-cluster-enabled-ssl | Checks whether the SSL encryption feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
cdn-domain-tls13-enabled | Checks whether the Transport Layer Security (TLS) 1.3 protocol is enabled for each domain name accelerated by Alibaba Cloud CDN. If so, the evaluation result is Compliant. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
dts-instance-sync-job-ssl-enabled | Checks whether SSL secure connections are used for the source and destination databases of each synchronization task on a Data Transmission Service (DTS) instance. If so, the evaluation result is Compliant. The rule takes effect only for synchronization tasks. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
ecs-instance-no-public-ip | Checks whether a public IPv4 address or an EIP is specified for each ECS instance. If not, the evaluation result is Compliant. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
cr-instance-public-access-check | Checks whether the public access portal is enabled for a Container Registry instance. If the public access portal is not enabled for the Container Registry instance, the evaluation result is Compliant. This rule applies to Container Registry Enterprise Edition instances. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
redis-instance-enabled-tls | Checks whether TLS or SSL encryption is enabled for each Redis instance. If so, the evaluation result is Compliant. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
security-center-image-vul-check | Checks whether the image scan feature is enabled in Security Center (SAS) and no image vulnerabilities that need to be fixed exist. If so, the evaluation result is Compliant. This rule does not apply when the image scan feature is disabled or no vulnerability information is found because no image scan is performed. | | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
ack-cluster-node-monitorenabled | Checks whether a CloudMonitor agent is installed on all nodes in each ACK cluster and runs as expected. If so, the evaluation result is Compliant. | CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
fc-function-settings-check | Checks whether the functions of Function Compute 2.0 meet the specified requirements. If so, the evaluation result is Compliant. | CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
cms-created-rule-for-specified-product | Checks whether at least one alert rule is configured in the CloudMonitor console for each Alibaba Cloud service of a specified namespace. If so, the evaluation result is Compliant. | | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
adb-cluster-audit-log-enabled | Checks whether the SQL explorer and audit feature is enabled for each AnalyticDB for MySQL cluster. If so, the evaluation result is Compliant. | CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
polardb-cluster-enabled-auditing | Checks whether the SQL audit feature is enabled for each PolarDB cluster. If so, the evaluation result is Compliant. | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |