Security Center:DescribeRiskCheckResult

Last Updated:Mar 24, 2026

Queries the check results of cloud service configurations by check item type or name.

Operation description

This operation is phased out. Use the ListCheckResult operation instead.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| yundun-sas:DescribeRiskCheckResult | get | *All Resource * | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| SourceIp | string | No | The source IP address of the request. | 1.2.XX.XX |
| Lang | string | No | The language of the content within the request and response. Default value: zh. Valid values: zh (Chinese), en (English). | zh |
| GroupId | integer | No | The type of the check item that you want to query. Valid values: 1 (identity authentication and permissions), 2 (network access control), 3 (log audit), 4 (data security), 5 (monitoring and alerting), 6 (basic security protection). Note: If you do not specify this parameter, all types of check items are queried. | 1 |
| CurrentPage | integer | No | The number of the page to return. Default value: 1. | 1 |
| RiskLevel | string | No | The risk level of the check item that you want to query. Valid values: high, medium, low. | high |
| Status | string | No | The status of the check results. Valid values: pass, failed, running, waiting, ignored, falsePositive. | pass |
| AssetType | string | No | The cloud service whose configuration check results you want to query. For more information about the check items for the cloud service, see the check item table in the "Response parameters" section of this topic. | RDS |
| Name | string | No | The name of the check item. For more information about the check item, see the check item table in the "Response parameters" section of this topic. | ALB_NetWorkAccessControl |
| PageSize | integer | No | The number of entries to return on each page. Default value: 20. | 20 |
| QueryFlag | string | No | Specifies whether the check item is supported by the edition of Security Center that you purchase. Valid values: enabled (yes), disabled (no). | enabled |
| ItemIds | array | No | An array that consists of the IDs of check items. For more information about the check item, see the check item table in the "Response parameters" section of this topic. | 1 |
| | string | No | An array that consists of the IDs of check items. For more information about the check item, see the check item table in the "Response parameters" section of this topic. | 15 |

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | The data returned. | |
| CurrentPage | integer | The page number of the returned page. | 1 |
| RequestId | string | The ID of the request, which is used to locate and troubleshoot issues. | AD271C07-4ACE-413D-AA9B-F14FD3B7717F |
| PageSize | integer | The number of entries returned per page. Default value: 20. | 20 |
| TotalCount | integer | The total number of entries returned. | 12 |
| PageCount | integer | The total number of pages returned. | 20 |
| Count | integer | The number of entries returned on the current page. | 10 |
| List | array<object> | The check items. | |
| | array<object> | | |
| RiskLevel | string | The risk level of the check item. Valid values: high, medium, low. | high |
| Status | string | The status of the check results. Valid values: pass, failed, running, waiting, ignored, falsePositive. | pass |
| Type | string | The type of the check item. Valid values: Identity authentication and permissions, Network access control, Log audit, Data security, Monitoring and alerting, Basic security protection. | Log audit |
| Sort | integer | The sequence number in the check results. The check items are sorted based on the sequence number. | 1 |
| RepairStatus | string | Indicates whether the risks that are detected based on the check item can be fixed. Valid values: enabled (yes), disabled (no). | disabled |
| RemainingTime | integer | The time when the next check will be performed. | 0 |
| ItemId | integer | The ID of the check item. For more information about the check item, see the check item table in the "Response parameters" section of this topic. | 1 |
| StartStatus | string | Indicates whether the check item is supported by the edition of Security Center that you purchase. Valid values: enabled (yes), disable (no). | enabled |
| AffectedCount | integer | The number of affected assets. | 0 |
| RiskAssertType | string | The type of the affected assets. | ECS |
| Title | string | The name of the check item. | RDS - Whitelist Configuration |
| TaskId | integer | The ID of the check task. | 15384933 |
| CheckTime | integer | The timestamp when the last check was performed. Unit: milliseconds. | 1639429164000 |
| RiskItemResources | array<object> | An array that consists of the details about the check item. | |
| | array<object> | | |
| ContentResource | object | The details about the check results. | { "type": "link", "value": "Multi-factor authentication is not enabled, which poses a risk\n", "url": "https://***.aliyun.com/#/secure\n" } |
| | any | An array that consists of the details of the check results. | { "type": "link", "url": "https://***.aliyun.com/abc.html", "value": "https://***.aliyun.com/abc.html" } |
| ResourceName | string | The title in the details. Valid values: bestPractice (description), influence (risk), suggestion (solution), helpResource (reference). | bestPractice |

The following table describes the information about the check items that are supported by the configuration assessment feature. The information includes the ID, name, type, risk level, and supported service of each check item.

| ItemId (check item ID) | Name (check item name) | GroupId (check item type) | RiskLevel (risk level) | AssetType (Alibaba Cloud service) | Description |
|---|---|---|---|---|---|
| 1 | ActionTrail - logging | 3: log audit | medium | ActionTrail | Checks whether ActionTrail is used to record operation logs on the cloud and save the logs to Object Storage Service (OSS) buckets. |
| 2 | ApsaraDB RDS - database security policies | 4: data security | medium | RDS | Checks whether the SSL encryption, Transparent Data Encryption (TDE), and SQL Audit features are enabled for each ApsaraDB RDS instance. |
| 3 | Alibaba Cloud account security - MFA | 1: identity authentication and permissions | high | RAM | Checks whether multi-factor authentication (MFA) is enabled for the Alibaba Cloud account to which you are logged on. |
| 4 | Alibaba Cloud Security - Back-to-origin configurations of Anti-DDoS Pro or Anti-DDoS Premium | 2: network access control | high | DDoS | Checks whether actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, attackers cannot directly access the backend servers. To hide the actual IP addresses, you can configure access control policies. For example, if you want to hide the IP addresses of Server Load Balancer (SLB) instances, you can configure SLB whitelists on the SLB instances. If you want to hide the IP addresses of Elastic Compute Service (ECS) instances, you can configure security group rules for the ECS instances. All these policies allow access from only back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. |
| 5 | ApsaraDB RDS - whitelist configurations | 2: network access control | high | RDS | Checks whether a whitelist of an ApsaraDB RDS instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the CIDR block, all IP addresses are allowed to access the ApsaraDB RDS instance. For security purposes, we recommend that you configure RDS whitelists to allow access from only specified IP addresses. |
| 6 | SLB - open ports | 2: network access control | high | SLB | Checks whether SLB is configured to forward requests from high-risk ports to the Internet. |
| 7 | Alibaba Cloud Security - back-to-origin configuration checks for WAF | 2: network access control | high | WAF | Checks whether the actual IP addresses of backend servers are hidden after you use Web Application Firewall (WAF). If the actual IP addresses are hidden, attackers cannot directly access the backend servers. To hide the actual IP addresses, you can configure access control policies. For example, if you want to hide the IP addresses of SLB instances, you can configure SLB whitelists on the SLB instances. If you want to hide the IP addresses of ECS instances, you can configure security group rules for the ECS instances. All these policies allow access from only back-to-origin IP addresses of WAF. |
| 8 | Alibaba Cloud Security - agent status | 6: basic security protection | high | ECS | Checks whether the Security Center agent on your ECS instance is always online and provides protection. |
| 12 | OSS - bucket permissions | 4: data security | high | OSS | Checks whether the access control list (ACL) of any of your OSS buckets is public-read or public-read-write. The public-read or public-read-write ACL allows users to read or write the data in your OSS buckets without authentication. To ensure data security, we recommend that you set the ACL of all your buckets to private. |
| 13 | Security Center - detection of AccessKey pair leaks | 5: monitoring and alerting | medium | RAM | Checks whether detection of AccessKey pair leaks is enabled. API credentials, also known as AccessKey pairs, are unique and important identity credentials. We recommend that you enable the detection to prevent AccessKey pair leaks. |
| 14 | ApsaraDB for MongoDB - whitelist configurations | 2: network access control | high | MongoDB | Checks whether whitelists are enabled for ApsaraDB for MongoDB instances. If whitelists are enabled and a whitelist is empty or contains the 0.0.0.0/0 CIDR block, the requests from all IP addresses are allowed. In this case, security risks may occur. We recommend that you specify trusted IP addresses in a whitelist to allow access from only the specified IP addresses. |
| 15 | RAM - MFA configuration for RAM users | 1: identity authentication and permissions | medium | RAM | Checks whether MFA is enabled for RAM users. |
| 16 | OSS - logging | 4: data security | medium | OSS | Checks whether the logging feature is enabled for all OSS buckets. A large number of logs are generated when OSS resources are accessed. After you enable and configure logging for a bucket, OSS generates log objects every hour based on predefined naming conventions and then stores the log objects in a specified bucket. You can use Alibaba Cloud Data Lake Analytics (DLA) or build a Spark cluster to analyze the logs. You can configure lifecycle rules for a bucket to convert the storage class of log objects to Archive for long-term archiving. |
| 17 | OSS - cross-region replication | 4: data security | low | OSS | Checks whether cross-region replication (CRR) is enabled for all OSS buckets. CRR automatically and asynchronously replicates objects across OSS buckets in different regions. CRR allows you to synchronize operations, such as the create, overwrite, and delete operations on objects, from a source bucket to a destination bucket. This feature can meet your requirements for geo-disaster recovery and data replication. Objects in the destination bucket are extra duplicates of objects in the source bucket. They have the same names, content, and metadata, such as the creation time, owner, user metadata, and ACL. |
| 18 | ApsaraDB RDS - database backup | 4: data security | medium | RDS | Checks whether database backup is enabled for ApsaraDB RDS instances. We recommend that you enable database backup for ApsaraDB RDS instances and perform a data backup task on a daily basis. |
| 19 | ApsaraDB for Redis - whitelist configurations | 2: network access control | high | Redis | Checks access control configurations of ApsaraDB for Redis instances. |
| 20 | ECS - public key authentication | 1: identity authentication and permissions | medium | ECS | Checks whether SSH key pair-based logon is enabled for ECS instances. |
| 21 | SLB - health status | 5: monitoring and alerting | low | SLB | Checks the health status of SLB instances. |
| 22 | PolarDB - whitelist configurations | 2: network access control | medium | PolarDB | Checks whether a whitelist of a PolarDB cluster contains the CIDR block 0.0.0.0/0. If the whitelist contains the CIDR block, all IP addresses are allowed to access the PolarDB cluster. For security purposes, we recommend that you configure whitelists to allow access from only specified IP addresses. |
| 23 | AnalyticDB for PostgreSQL - whitelist configurations | 2: network access control | medium | PostgreSQL | Checks whether a whitelist of an AnalyticDB for PostgreSQL instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the CIDR block, all IP addresses are allowed to access the AnalyticDB for PostgreSQL instance. For security purposes, we recommend that you configure whitelists to allow access from only specified IP addresses. |
| 24 | ECS - storage encryption | 4: data security | low | ECS | Checks whether disk encryption is enabled. Disk encryption allows you to meet security or regulatory compliance requirements. |
| 25 | SLB - whitelist configurations | 2: network access control | medium | SLB | Checks the whitelist configurations of SLB instances. We recommend that you configure whitelists for non-HTTP and non-HTTPS services. We recommend that you do not add 0.0.0.0/0 to the whitelists. |
| 26 | SLB - certificate validity checks | 5: monitoring and alerting | medium | SLB | Checks whether an SLB certificate has expired. |
| 27 | ECS - automatic snapshot policies | 4: data security | medium | ECS | Checks whether automatic snapshot policies are enabled for ECS instances. |
| 28 | Certificate Management Service - validity checks | 4: data security | medium | SSL | Checks whether an SSL certificate is within its validity period. |
| 30 | OSS - bucket server-side encryption | 4: data security | low | OSS | Checks whether server-side encryption is enabled for OSS buckets. |
| 31 | OSS - bucket hotlink protection | 2: network access control | low | OSS | Checks whether hotlink protection is configured for OSS buckets. |
| 32 | ApsaraDB RDS - cross-region backup configurations | 4: data security | low | RDS | Checks whether cross-region backup is configured for ApsaraDB RDS instances. |
| 33 | ApsaraDB for MongoDB - backup configurations | 4: data security | medium | MongoDB | Checks whether data backup is enabled for ApsaraDB for MongoDB instances. |
| 34 | ApsaraDB for MongoDB - log audit | 3: log audit | medium | MongoDB | Checks whether log audit is enabled for ApsaraDB for MongoDB instances. |
| 35 | ApsaraDB for MongoDB - SSL encryption | 4: data security | medium | MongoDB | Checks whether SSL certificate checks are enabled for ApsaraDB for MongoDB instances. |
| 36 | CloudMonitor - agent status | 5: monitoring and alerting | medium | CloudMonitor | Checks whether the status of the CloudMonitor agent is normal. |
| 37 | ECS - security group policies | 2: network access control | medium | ECS | Checks the security group policies of ECS instances. |
| 38 | VPC - DNAT management port mapping | 2: network access control | medium | VPC | Checks whether a virtual private cloud (VPC) destination network address translation (DNAT) rule is configured to map management ports to the Internet. |
| 39 | ApsaraDB for Redis - backup configurations | 4: data security | medium | Redis | Checks whether data backup is enabled for ApsaraDB for Redis instances. |
| 40 | Container Registry - repository permission configurations | 4: data security | high | CR | Checks whether repository permissions are correctly configured in Container Registry. |
| 41 | Container Registry - security scans | 6: basic security protection | low | CR | Checks whether security scan is enabled in Container Registry. |
| 42 | SLB - logging | 3: log audit | medium | SLB | Checks whether access logging is configured for SLB instances. |
| 43 | ApsaraDB for Redis - log audit | 3: log audit | low | Redis | Checks whether log audit is configured for ApsaraDB for Redis instances. |
| 44 | OSS - authorization policies | 1: identity authentication and permissions | medium | OSS | Checks whether authorization policies are correctly configured in OSS. |
| 46 | PolarDB - backup configurations | 4: data security | medium | PolarDB | Checks whether data backup is enabled for PolarDB clusters. |
| 47 | PolarDB - SQL Explorer | 3: log audit | medium | PolarDB | Checks whether SQL Explorer is enabled for PolarDB clusters. |
| 49 | Alibaba Cloud account security - AccessKey pair | 1: identity authentication and permissions | medium | RAM | Checks whether the AccessKey pair of your Alibaba Cloud account is enabled. |
| 51 | Alibaba Cloud CDN - real-time log push feature | 3: log audit | medium | CDN | Checks whether real-time log push is enabled in Alibaba Cloud CDN. |
| 52 | ApsaraDB for Redis - SSL encryption | 4: data security | medium | Redis | Checks whether SSL certificates are used for ApsaraDB for Redis instances. |

Examples

Success response

JSON format

{
  "CurrentPage": 1,
  "RequestId": "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
  "PageSize": 20,
  "TotalCount": 12,
  "PageCount": 20,
  "Count": 10,
  "List": [
    {
      "RiskLevel": "high",
      "Status": "pass",
      "Type": "Log audit",
      "Sort": 1,
      "RepairStatus": "disabled",
      "RemainingTime": 0,
      "ItemId": 1,
      "StartStatus": "enabled",
      "AffectedCount": 0,
      "RiskAssertType": "ECS",
      "Title": "RDS - Whitelist Configuration",
      "TaskId": 15384933,
      "CheckTime": 1639429164000,
      "RiskItemResources": [
        {
          "ContentResource": {
            "key": "{\n      \"type\": \"link\",\n      \"url\": \"https://***.aliyun.com/abc.html\",\n      \"value\": \"https://***.aliyun.com/abc.html\"\n}"
          },
          "ResourceName": "bestPractice"
        }
      ]
    }
  ]
}
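
The following is an added example, not part of the original page or of any Alibaba Cloud SDK: it triages already-fetched response pages by the documented Status values, separating failed checks from suppressed ones (ignored, falsePositive) and from checks that have not produced a result yet, and decodes the JSON-encoded ContentResource string seen in the sample response. The function names `triage`, `decode_content` and `_item`, the `SAMPLE_PAGE` data and the `example.invalid` URL are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}
SUPPRESSED = {"ignored", "falsePositive"}  # excluded from "failed"; review these periodically

def decode_content(content):
    """Decode ContentResource values that arrive as JSON-encoded strings."""
    decoded = {}
    for key, value in (content or {}).items():
        if isinstance(value, str) and value.lstrip().startswith(("{", "[")):
            try:
                value = json.loads(value)
            except ValueError:
                pass  # not JSON after all; keep the raw text
        decoded[key] = value
    return decoded

def triage(pages):
    """Bucket the check items of already-fetched response pages by Status."""
    buckets = {"failed": [], "suppressed": [], "pending": []}
    for page in pages:
        for item in page.get("List", []):
            status = item.get("Status")
            if status == "pass":
                continue
            # running, waiting or an undocumented status is not evidence of a pass
            bucket = ("failed" if status == "failed"
                      else "suppressed" if status in SUPPRESSED else "pending")
            checked = datetime.fromtimestamp(item["CheckTime"] // 1000, tz=timezone.utc)
            buckets[bucket].append({
                "ItemId": item["ItemId"], "Title": item.get("Title"),
                "RiskLevel": item.get("RiskLevel"), "AffectedCount": item.get("AffectedCount", 0),
                "CheckedAt": checked.isoformat(),  # CheckTime is in milliseconds
                "Details": {r.get("ResourceName"): decode_content(r.get("ContentResource"))
                            for r in item.get("RiskItemResources", [])},
            })
    # Highest risk first, then the checks that affect the most assets.
    buckets["failed"].sort(key=lambda f: (RISK_ORDER.get(f["RiskLevel"], 3), -f["AffectedCount"]))
    return buckets

def _item(item_id, title, risk, status, affected):
    """Build one constructed List entry (sample data, not real account output)."""
    link = '{"type": "link", "url": "https://example.invalid/doc"}'
    return {"ItemId": item_id, "Title": title, "RiskLevel": risk, "Status": status,
            "AffectedCount": affected, "CheckTime": 1639429164000,
            "RiskItemResources": [{"ResourceName": "bestPractice",
                                   "ContentResource": {"key": link}}]}

SAMPLE_PAGE = {"CurrentPage": 1, "List": [
    _item(15, "RAM - MFA configuration for RAM users", "medium", "failed", 7),
    _item(5, "ApsaraDB RDS - whitelist configurations", "high", "failed", 2),
    _item(12, "OSS - bucket permissions", "high", "ignored", 1),
    _item(1, "ActionTrail - logging", "medium", "running", 0),
    _item(3, "Alibaba Cloud account security - MFA", "high", "pass", 0),
]}

if __name__ == "__main__":
    print(json.dumps(triage([SAMPLE_PAGE]), indent=2))
```

The suppressed bucket is worth reporting alongside the failed one: a high-risk check marked ignored or falsePositive no longer appears in a Status=failed query.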

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | NoPermission | no permission | |
| 500 | ServerError | ServerError | |
| 403 | NoPermission | caller has no permission | You are not authorized to do this operation. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.