The governance health check feature can continuously monitor the IT governance conditions in the cloud and provide governance guidance. This helps optimize your IT governance configurations in the cloud and reduces risks. After you enable this feature, the system automatically checks the members in the resource directory of your enterprise. This way, you can identify governance deficiencies and potential risks at the earliest opportunity.

Enable the governance health check feature

Before you can use the governance health check feature, you must enable the feature.

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Overview.
  3. On the page that appears, click Health Checks for Governance.
  4. In the Governance Maturity section of the Health Checks for Governance tab, click Activate Service.
    Then, the system performs the following operations:
    • Activate Cloud Config.
    • Create a global account group in Cloud Config. The default name of the global account group is enterprise. If a global account group already exists, the existing global account group is overwritten.
      Note Do not delete the existing global account group. Otherwise, exceptions may occur in subsequent checks.
    • Enable the CloudGovernanceCenter_Evaluation compliance package.

After you enable the governance health check feature, Cloud Governance Center checks the resources of your Alibaba Cloud account. Because the data is collected from multiple Alibaba Cloud services, the result of a governance health check becomes available one day after the check is performed.

View statistics about a governance health check

After a governance health check is completed, you can view the statistics about each check item.

  1. Click Health Checks for Governance.
  2. In the Governance Maturity section of the Health Checks for Governance tab, view the check result.
    • If the check result is Good, all check items are normal. In this case, you do not need to perform governance operations.
    • If the check result is Average or Risky, one or more check items do not meet the requirements. We recommend that you govern the risky items.
  3. In the Governance Maturity section, click Download Report to download a file that contains the detailed check data to your computer.
  4. In the Optimize Governance section, view the risky items.
    For more information, see Check item.
  5. Click the check item whose governance data you want to view.
  6. In the panel that appears, view the governance guidance and go to the console as prompted to govern the check item.

Check item

After you enable the governance health check feature, Cloud Governance Center checks the governance health status in the cloud once a day. The following table describes the health check items that are supported by Cloud Governance Center.

Each check item is listed with its level 1 category, level 2 category, description, and the reference topic that describes how to govern it.

Level 1 category: Security of Identities and Permissions
Level 2 category: Risks for Identity Management

Check item: RAM users that are idle (no logon or use) for 90 days
Description: Checks for RAM users that have not been used to log on to the Alibaba Cloud Management Console or used by applications for more than 90 days, so that you can decide whether to retain them. To reduce security risks, we recommend that you delete RAM users that were authorized for temporary use and RAM users that are no longer needed.
Reference: Delete a RAM user

Check item: RAM users that are used in personnel and program access scenarios
Description: A RAM user that is accessed by applications needs different permissions from a RAM user that is used to log on to an Alibaba Cloud service console. We recommend that you create separate RAM users for application access and for console logons, and grant each RAM user only the permissions that its scenario requires, based on the best practices. This prevents your business from being interrupted by excessive or expired permissions.
Reference: Create a RAM user

Check item: RAM users for whom the MFA feature is not enabled
Description: Multi-factor authentication (MFA) is an easy-to-use and effective authentication method. In addition to the username and password, MFA provides an extra layer of protection. To enhance the security of your accounts, we recommend that you enable one of the following MFA devices: virtual MFA devices or Universal 2nd Factor (U2F) security keys.
Reference: Enable an MFA device for a RAM user

Check item: AccessKey pairs that are idle for more than 90 days within your Alibaba Cloud account
Description: An Alibaba Cloud account has full permissions on all resources of the account. If the AccessKey pair of the account is leaked, all assets of the account are exposed to high security risks. We recommend that you create RAM users based on the principle of least privilege (PoLP), use RAM users to perform daily operations, and use the AccessKey pairs of RAM users to call API operations. If an AccessKey pair has been created for the Alibaba Cloud account, check whether the AccessKey pair is still in use before you delete it. This prevents your business from being interrupted by the deletion of the AccessKey pair.
Reference: Create an AccessKey pair for a RAM user

Check item: AccessKey pairs that are idle for more than 90 days within a RAM user
Description: To reduce security risks, we recommend that you create as few AccessKey pairs as possible and delete AccessKey pairs that have not been used for a long period of time. This prevents your enterprise information and business data from being exposed by leaked AccessKey pairs. This check item identifies the AccessKey pairs of RAM users that have not been used for more than 90 days.
Reference: Disable an AccessKey pair of a RAM user

Check item: AccessKey pairs that have not been rotated for 180 days within a RAM user
Description: To reduce the risk of AccessKey pair leaks, we recommend that you rotate AccessKey pairs that have been in use for more than 180 days at the earliest opportunity. A RAM user can have a maximum of two AccessKey pairs, which allows you to create a new pair, switch your applications to it, and then delete the old pair.
Reference: Rotate AccessKey pairs of a RAM user

Check item: AccessKey pairs that are leaked
Description: If an employee of an enterprise uploads source code that must not be disclosed to a platform such as GitHub, the AccessKey pairs of the enterprise that are contained in the source code may be leaked. In most cases, such source code is uploaded by accident. The AccessKey leak detection feature of Security Center uses a threat intelligence collection system and web crawlers to check the source code stored on these platforms in real time. If AccessKey pairs are detected, Security Center generates alerts in real time, which helps reduce the risks caused by the leak.
Reference: Detection of AccessKey pair leaks

Level 2 category: Permission Management Risk

Check item: RAM users or RAM roles that have the permissions to manage Alibaba Cloud resources
Description: In most cases, the high-risk AdministratorAccess and FullAccess policies are attached only to administrators. We recommend that you attach these policies to a small number of RAM users, or do not use them at all. Before you delete a RAM user to which these policies are attached, check whether the RAM user is in use. This prevents your business from being interrupted by the deletion of the RAM user.
Reference: Create a custom policy

Check item: RAM users or RAM roles to which the ram:* policy is attached
Description: A policy that grants ram:* is as high-risk as the policies that are attached to administrators, because it allows the identity to manage all RAM users, roles, and permissions. We recommend that you attach the policy to a small number of RAM users, or do not use it at all. Before you delete a RAM user to which the policy is attached, check whether the RAM user is in use. This prevents your business from being interrupted by the deletion of the RAM user.
Reference: Create a custom policy

Check item: RAM users or RAM roles to which the bss:* policy is attached
Description: A policy that grants bss:* is as high-risk as the policies that are attached to administrators, because it allows the identity to manage the billing and account settings of your enterprise. We recommend that you attach the policy to a small number of RAM users, or do not use it at all. Before you delete a RAM user to which the policy is attached, check whether the RAM user is in use. This prevents your business from being interrupted by the deletion of the RAM user.
Reference: Create a custom policy

Level 2 category: Disabled SSO method

Check item: Whether RAM SSO is used to log on to the console within the previous 30 days
Description: We recommend that you use single sign-on (SSO) to manage the logons and identities of the users of your enterprise. This way, permissions in the cloud can be determined from the identity provider (IdP) group to which a user belongs, or from a specific user attribute. This avoids creating and managing duplicate users and reduces the workload of user synchronization.
Reference: Scenarios of SSO

Level 1 category: Monitoring and Audit Analysis
Level 2 category: Risks for the Loss of Operation Logs

In most cases, audit logs that are retained for an extended period of time are required to resolve internal O&M issues. You can use the audit logs to troubleshoot, analyze, and identify the root causes of the issues. Typical scenarios include a suspected leak of AccessKey pairs, unexpected downtime, unplanned resource changes, illegal operations performed by unauthorized users, troubleshooting, tracking the lifecycles of resources, and remote logons. The following three check items apply to these scenarios.

Check item: Whether an ActionTrail trail is used to track read and write events recorded in audit logs
Description: We recommend that you create a trail that records both read and write events and enable it for all regions. The trail can be used for subsequent monitoring and analysis.
Reference: Create a single-account trail

Check item: Whether ActionTrail records the management events of all regions in a centralized manner
Description: We recommend that you enable trails for all regions, so that management events from every region are delivered to one location for subsequent monitoring and analysis.
Reference: Guarantee the security of events for auditing

Check item: Whether ActionTrail logs are retained for a minimum of 180 days
Description: By default, ActionTrail records the events that occurred within your Alibaba Cloud account in the previous 90 days. We recommend that you enable the audit log delivery feature. This ensures that audit logs are retained in persistent storage and can be used for subsequent monitoring and analysis.
Reference: Guarantee the security of events for auditing
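The identity check items above can be reproduced in your own tooling, which is useful when you want to run the checks more often than once a day or against accounts outside the resource directory. The following Python script is an added example, not code from Cloud Governance Center. It models the idle-user, idle-key, unrotated-key, mixed console-and-API use, missing-MFA, and high-risk-policy checks as pure functions over per-user records. The records are constructed sample data whose shape is an assumption loosely based on what the RAM API returns (LastLoginDate from GetUser, AccessKeys from ListAccessKeys and GetAccessKeyLastUsed, MFADevice from GetUserMFAInfo, PolicyDocument from GetPolicy); in a real audit you would fill them from SDK calls. The clock is fixed so the results are reproducible, and it treats MFA as applicable only to users with console logon enabled, which is a design choice of this example.

```python
"""Offline model of the Cloud Governance Center identity check items (added example)."""
import json
from datetime import datetime, timezone

IDLE_DAYS = 90                      # idle RAM user / idle AccessKey pair threshold from the check table
ROTATE_DAYS = 180                   # AccessKey pair rotation threshold from the check table
ADMIN_POLICY_NAMES = {"AdministratorAccess"}
WILDCARD_ACTIONS = {"*", "ram:*", "bss:*"}   # the high-risk actions the check table calls out
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample results are reproducible


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps RAM uses, e.g. 2024-05-20T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def age_days(ts, now=NOW):
    return (now - parse_ts(ts)).days


def wildcard_actions(policy_document):
    """Return the wildcard actions granted by Allow statements in a RAM policy document.
    Action may be a string or a list; Deny statements never make a policy high-risk."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    found = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.update(a for a in actions if a in WILDCARD_ACTIONS)
    return found


def audit_user(user, now=NOW):
    """Evaluate one RAM user record against the check items; return a list of finding tags."""
    findings = []
    active_keys = [k for k in user.get("AccessKeys", []) if k.get("Status") == "Active"]

    # Idle user: no console logon and no key use within IDLE_DAYS. A never-used user or
    # key counts from its creation date, so freshly created identities are not flagged.
    activity = [age_days(user.get("LastLoginDate") or user["CreateDate"], now)]
    activity += [age_days(k.get("LastUsedDate") or k["CreateDate"], now) for k in active_keys]
    if min(activity) > IDLE_DAYS:
        findings.append("idle-user")

    # The same identity is used for console logon and for API access.
    if user.get("ConsoleLogin") and active_keys:
        findings.append("mixed-console-and-api")

    # MFA protects console logon, so API-only users are not flagged (assumption of this example).
    if user.get("ConsoleLogin") and not user.get("MFADevice"):
        findings.append("no-mfa")

    for k in active_keys:
        if age_days(k.get("LastUsedDate") or k["CreateDate"], now) > IDLE_DAYS:
            findings.append(f"idle-key:{k['AccessKeyId']}")
        if age_days(k["CreateDate"], now) > ROTATE_DAYS:
            findings.append(f"unrotated-key:{k['AccessKeyId']}")

    for p in user.get("Policies", []):
        if p["PolicyName"] in ADMIN_POLICY_NAMES or wildcard_actions(p["PolicyDocument"]):
            findings.append(f"high-risk-policy:{p['PolicyName']}")
    return findings


def audit_account(users, now=NOW):
    """Map each user name to its findings; users with no findings are omitted."""
    report = {u["UserName"]: audit_user(u, now) for u in users}
    return {name: f for name, f in report.items() if f}


# Constructed sample data: three hypothetical users, no real names, keys, or policies.
SAMPLE_USERS = [
    {"UserName": "alice", "CreateDate": "2024-01-01T00:00:00Z",
     "LastLoginDate": "2024-05-20T08:00:00Z", "ConsoleLogin": True, "MFADevice": True,
     "AccessKeys": [],
     "Policies": [{"PolicyName": "EcsReadOnly", "PolicyType": "Custom",
                   "PolicyDocument": '{"Version":"1","Statement":[{"Effect":"Allow","Action":["ecs:Describe*"],"Resource":"*"}]}'}]},
    {"UserName": "bob", "CreateDate": "2023-09-01T00:00:00Z",
     "LastLoginDate": None, "ConsoleLogin": False, "MFADevice": False,
     "AccessKeys": [{"AccessKeyId": "LTAI-example-bob-1", "Status": "Active",
                     "CreateDate": "2023-10-01T00:00:00Z", "LastUsedDate": "2024-01-15T00:00:00Z"}],
     "Policies": [{"PolicyName": "CustomRamAdmin", "PolicyType": "Custom",
                   "PolicyDocument": '{"Version":"1","Statement":[{"Effect":"Allow","Action":"ram:*","Resource":"*"}]}'}]},
    {"UserName": "carol", "CreateDate": "2024-04-15T00:00:00Z",
     "LastLoginDate": "2024-05-31T09:30:00Z", "ConsoleLogin": True, "MFADevice": False,
     "AccessKeys": [{"AccessKeyId": "LTAI-example-carol-1", "Status": "Active",
                     "CreateDate": "2024-05-01T00:00:00Z", "LastUsedDate": "2024-05-31T00:00:00Z"}],
     "Policies": [{"PolicyName": "AdministratorAccess", "PolicyType": "System",
                   "PolicyDocument": '{"Version":"1","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}]},
]

if __name__ == "__main__":
    for name, findings in audit_account(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(findings)}")
```

Running the script reports bob as an idle, API-only user with an idle and unrotated key and a ram:* policy, and carol as a console user without MFA who also holds an AccessKey pair and AdministratorAccess; alice produces no findings. Note that the policy check only inspects wildcard actions on the policies directly attached to the user, so a policy that reaches the same effect through a long explicit action list, or permissions inherited through a RAM user group, would still need a separate check.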