You can configure and enable protection rules provided by Cloud Config for all member accounts of your resource directory in a centralized manner in the Cloud Governance Center console. This prevents the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center from being modified. This also ensures the security of the multi-account environment.

Protection rules

You can enable the following types of protection rules based on your business requirements:

  • Required rules: basic protection rules. The required rules are automatically enabled and cannot be disabled.
  • Recommended rules: security compliance rules. We recommend that you enable the recommended rules. You can enable or disable the recommended rules based on your business requirements.
  • Optional rules: You can enable or disable the optional rules based on your business requirements. An optional rule that you have enabled can be disabled again at any time.
| Rule name | Rule description | Effective node | Purpose | Type |
| --- | --- | --- | --- | --- |
| The server-side OSS-managed encryption feature is enabled for the OSS bucket that is specified for Cloud Governance Center to store audit logs. | If server-side encryption is enabled for the Object Storage Service (OSS) bucket that is specified for Cloud Governance Center to store audit logs, the configuration is considered compliant. | Log archive account | Compliance evaluation | Required rule |
| The OSS bucket that is specified for Cloud Governance Center to store audit logs denies public read/write access. | If the ACL of the OSS bucket that is specified for Cloud Governance Center to store audit logs is not public-read-write, the configuration is considered compliant. | Log archive account | Compliance evaluation | Required rule |
| None of the Alibaba Cloud accounts in the resource directory have AccessKey pairs. | If no AccessKey pairs are created for the Alibaba Cloud accounts in the resource directory, the configuration is considered compliant. | Resource directory | Identity authentication | Required rule |
| The MFA feature is enabled for all Alibaba Cloud accounts in the resource directory. | If multi-factor authentication (MFA) is enabled for the Alibaba Cloud accounts in the resource directory, the configuration is considered compliant. | Resource directory | Identity authentication | Required rule |
| A role that is specified to provide services exists in Cloud Governance Center. | If a service-linked role of Cloud Governance Center is created, the configuration is considered compliant. | Log archive account | Cloud Governance Center | Required rule |
| Encryption is enabled for all data disks of the ECS instance. | If encryption is enabled for all the data disks of each Elastic Compute Service (ECS) instance, the configuration is considered compliant. | Resource directory | Data security | Recommended rule |
| Not all networks are allowed to access high-risk ports of the security group. | If no inbound rule of a security group allows the CIDR block 0.0.0.0/0 to access port 22 or port 3389, the configuration is considered compliant. | Resource directory | Network security | Recommended rule |
| The network access settings of the security group are valid. | If no inbound rule of a security group whose authorization policy is set to Allow specifies both the port range -1/-1 (all ports) and the authorized CIDR block 0.0.0.0/0, the configuration is considered compliant. | Resource directory | Network security | Recommended rule |
| Public read/write permissions are not granted on any OSS bucket. | If the ACL of each OSS bucket is not public-read-write, the configuration is considered compliant. | Resource directory | Data security | Recommended rule |
| An ApsaraDB RDS instance in a virtual private cloud (VPC) is used. | If you do not configure the vpcIds parameter, the system checks whether the network type of each ApsaraDB RDS instance is set to VPC. If the network type of each ApsaraDB RDS instance is set to VPC, the configuration is considered compliant. If you configure the vpcIds parameter, the system checks whether the VPC in which each ApsaraDB RDS instance resides matches the configured VPC IDs. If it does, the configuration is considered compliant. Separate multiple VPC IDs with commas (,). | Resource directory | Manage resources | Recommended rule |
| TDE encryption is enabled for the RDS instance. | If the Transparent Data Encryption (TDE) feature is enabled in the data security settings of each ApsaraDB RDS instance, the configuration is considered compliant. | Resource directory | Data security | Recommended rule |
| The whitelist of an ApsaraDB RDS instance does not include all CIDR blocks. | If 0.0.0.0/0 is not added to the IP address whitelist of each ApsaraDB RDS instance, the configuration is considered compliant. | Resource directory | Data security | Recommended rule |
| The password policy of the RAM user meets the requirements. | If the password policy for each RAM user meets the requirements, the configuration is considered compliant. | Resource directory | Identity authentication | Recommended rule |
| The RAM user does not have idle AccessKey pairs. | If the time elapsed since a RAM user last used an AccessKey pair is less than the specified period, the configuration is considered compliant. Default value: 90. Unit: days. | Resource directory | Identity authentication | Recommended rule |
| The release protection feature is enabled for the ECS instance. | If the release protection feature is enabled for each ECS instance, the configuration is considered compliant. | Resource directory | Manage resources | Recommended rule |
| The release protection feature is enabled for the Server Load Balancer (SLB) instance. | If the release protection feature is enabled for each SLB instance, the configuration is considered compliant. | Resource directory | Manage resources | Recommended rule |
| The server-side OSS-managed encryption feature is enabled for OSS buckets. | If server-side encryption is enabled for each OSS bucket, the configuration is considered compliant. | Resource directory | Data security | Optional rule |
| The log storage feature is enabled for OSS buckets. | If the log storage feature is enabled for each OSS bucket, the configuration is considered compliant. | Resource directory | Data security | Optional rule |
| The MFA feature is enabled for all RAM users. | If MFA is enabled for each RAM user, the configuration is considered compliant. | Resource directory | Identity authentication | Optional rule |
| A resource must have at least one of the specified tags. | The value parameter can be set to multiple tag values. If the tags of a resource contain at least one of the specified tag values, the configuration is considered compliant. | Resource directory | Manage resources | Optional rule |
| A resource must have all specified tags. | If a resource has all of the specified tags, the configuration is considered compliant. You can specify up to six tags. | Resource directory | Manage resources | Optional rule |
| The HTTPS listening feature is enabled for the SLB instance. | If port 80 and port 8080 are specified for the HTTPS listeners of each SLB instance, the configuration is considered compliant. | Resource directory | Manage resources | Optional rule |
| The resource belongs to the specified region. | If each resource resides in the specified region, the configuration is considered compliant. | Resource directory | Manage resources | Optional rule |
| The RAM user has logged on within the specified period of time. | If each RAM user has logged on to the system at least once in the previous 90 days, the configuration is considered compliant. If no logon record exists for a RAM user, the system checks the update time instead: if the last update time is not more than 90 days before the current time, the configuration is considered compliant. This rule does not take effect for RAM users for which console access is disabled. | Resource directory | Identity authentication | Optional rule |
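The following is an added illustration of how the evaluation logic behind several of the rules above can be expressed in code: the two security group rules (high-risk ports and the -1/-1 port range open to 0.0.0.0/0), the idle AccessKey rule with its 90-day default, and the RAM user logon rule with its fallback to the update time and its exemption for users without console access. It is not Cloud Config's own implementation; the resource records are constructed dicts, and their field names (`direction`, `policy`, `port_range`, `source_cidr`, `last_used_at`, `last_logon_at`, `updated_at`, `console_access`) are assumptions rather than the names used by any Alibaba Cloud API.

```python
"""Hypothetical evaluator for a subset of the guardrails listed above.

Added example, not Cloud Config's own code. Resource records are constructed
dicts; every field name below is an assumption, not an Alibaba Cloud API field.
"""
from datetime import datetime, timedelta, timezone

ANY_IPV4 = "0.0.0.0/0"
HIGH_RISK_PORTS = {22, 3389}  # ports the "high-risk ports" rule cares about
ALL_PORTS = "-1/-1"           # security group notation for "every port"
DEFAULT_WINDOW_DAYS = 90      # default for the idle AccessKey and logon rules


def _port_range(spec):
    """Parse a port range such as '22/22' or '-1/-1' into (low, high) ints."""
    low, high = (int(part) for part in spec.split("/"))
    return low, high


def _open_to_everyone(rule):
    """True for an inbound Allow rule whose source is 0.0.0.0/0."""
    return (rule["direction"] == "ingress" and rule["policy"] == "Allow"
            and rule["source_cidr"] == ANY_IPV4)


def high_risk_ports_closed(sg_rules):
    """Compliant if no inbound Allow rule from 0.0.0.0/0 covers port 22 or 3389.
    A -1/-1 range covers every port, so it also makes the group non-compliant."""
    for rule in filter(_open_to_everyone, sg_rules):
        low, high = _port_range(rule["port_range"])
        if (low, high) == (-1, -1) or any(low <= p <= high for p in HIGH_RISK_PORTS):
            return False
    return True


def no_all_ports_from_anywhere(sg_rules):
    """Compliant if no inbound Allow rule pairs port range -1/-1 with 0.0.0.0/0."""
    return not any(r["port_range"] == ALL_PORTS for r in filter(_open_to_everyone, sg_rules))


def access_key_not_idle(key, now, window_days=DEFAULT_WINDOW_DAYS):
    """Compliant if the key was last used less than window_days ago.
    Assumption: a key with no last-used time has never been used and counts as idle."""
    last_used = key.get("last_used_at")
    return last_used is not None and now - last_used < timedelta(days=window_days)


def ram_user_recently_active(user, now, window_days=DEFAULT_WINDOW_DAYS):
    """Compliant if the user logged on within the window; with no logon record the
    update time is checked instead. Users without console access are not evaluated
    and yield None, mirroring the rule's exemption."""
    if not user["console_access"]:
        return None
    cutoff = now - timedelta(days=window_days)
    last_logon = user.get("last_logon_at")
    if last_logon is not None:
        return last_logon >= cutoff
    return user["updated_at"] >= cutoff


# Constructed sample inputs (not real resources).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_SG_RULES = [
    {"direction": "ingress", "policy": "Allow", "port_range": "443/443", "source_cidr": ANY_IPV4},
    {"direction": "ingress", "policy": "Allow", "port_range": "22/22", "source_cidr": "10.0.0.0/8"},
    {"direction": "ingress", "policy": "Allow", "port_range": "3389/3389", "source_cidr": ANY_IPV4},
]

SAMPLE_USERS = [
    {"name": "alice", "console_access": True, "last_logon_at": NOW - timedelta(days=10),
     "updated_at": NOW - timedelta(days=400)},
    {"name": "bob", "console_access": True, "last_logon_at": None,
     "updated_at": NOW - timedelta(days=30)},
    {"name": "carol", "console_access": True, "last_logon_at": None,
     "updated_at": NOW - timedelta(days=200)},
    {"name": "svc-ci", "console_access": False, "last_logon_at": None,
     "updated_at": NOW - timedelta(days=500)},
]


def evaluate_sample():
    """Run every check over the constructed inputs and return the results."""
    return {
        "high_risk_ports_closed": high_risk_ports_closed(SAMPLE_SG_RULES),
        "no_all_ports_from_anywhere": no_all_ports_from_anywhere(SAMPLE_SG_RULES),
        "users": {u["name"]: ram_user_recently_active(u, NOW) for u in SAMPLE_USERS},
    }


if __name__ == "__main__":
    for check, result in evaluate_sample().items():
        print(check, result)
```

In the constructed sample the security group passes the -1/-1 rule but fails the high-risk ports rule because port 3389 is reachable from 0.0.0.0/0, and the RAM user checks show all three branches of the logon rule: a user with a recent logon, a user with no logon record judged by update time (one compliant, one not), and a service user without console access that is skipped rather than failed.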

Run the protection rule initialization task

You can run the protection rule initialization task to enable the required rules and recommended rules.

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Initialization Tasks.
  3. On the Initialization Tasks page, click Initialization task for guardrails.
  4. Click Start.
  5. View the required rules and click Create.
    For more information about the required rules, see the description of required rules in Protection rules.
  6. Wait until the required rules are enabled. Then, click Next.
  7. Select the recommended rules that you want to enable and click Create.
    For more information about the recommended rules, see the description of recommended rules in Protection rules.
  8. After the recommended rules are enabled, click OK.
  9. Click Close.

Enable optional rules

You can enable optional rules based on your business requirements.

  1. In the left-side navigation pane, choose Management and Governance > Compliance Auditing > Guardrails.
  2. In the protection rule list, click the optional rule that you want to enable.
  3. On the Guardrail details tab, turn on the switch.

View compliance evaluation results

After protection rules are enabled, you can view the evaluation results of specified resources based on the rules.

  1. In the left-side navigation pane, choose Management and Governance > Compliance Auditing > Guardrails.
  2. In the Risk column of the protection rule list, check the evaluation result of each rule.
  3. Click the name of a rule. Then, click the Result tab to view the evaluation result for each resource.