You can configure and enable the protection rules that Cloud Config provides from a single place: the Cloud Governance Center console. These rules prevent the basic configurations of Cloud Governance Center, and the resource structure that Cloud Governance Center creates, from being modified, and they help keep the multi-account environment secure.

Protection rules

You can enable the following types of protection rules based on your business requirements:

  • Required rules: basic protection rules. The required rules must be enabled and cannot be disabled.
  • Recommended rules: security compliance rules. We recommend that you enable the recommended rules. You can enable or disable the recommended rules based on your business requirements.
  • Optional rules: You can enable or disable the optional rules based on your business requirements.
| Rule name | Description | Effective node | Purpose | Type |
| --- | --- | --- | --- | --- |
| Server-side encryption is enabled for the Object Storage Service (OSS) bucket that is specified for Cloud Governance Center to store audit logs. | If server-side encryption is enabled for the OSS bucket that is specified for Cloud Governance Center to store audit logs, the evaluation result is compliant. | Log archive account | Compliance and auditing | Required rule |
| The public-read-write access control list (ACL) is not configured for the OSS bucket that is specified for Cloud Governance Center to store audit logs. | If the ACL of the OSS bucket that is specified for Cloud Governance Center to store audit logs is not public-read-write, the evaluation result is compliant. | Log archive account | Compliance and auditing | Required rule |
| No AccessKey pairs are created for the Alibaba Cloud accounts in the resource directory. | If no AccessKey pairs are created for the Alibaba Cloud accounts in the resource directory, the evaluation result is compliant. | Resource directory | Identity authentication | Required rule |
| MFA is enabled for the Alibaba Cloud accounts in the resource directory. | If multi-factor authentication (MFA) is enabled for the Alibaba Cloud accounts in the resource directory, the evaluation result is compliant. | Resource directory | Identity authentication | Required rule |
| A service-linked role of Cloud Governance Center is created. | If a service-linked role of Cloud Governance Center is created, the evaluation result is compliant. | Log archive account | Cloud Governance Center | Required rule |
| Encryption is enabled for all the data disks of an Elastic Compute Service (ECS) instance. | If encryption is enabled for all the data disks of an ECS instance, the evaluation result is compliant. | Resource directory | Data security | Recommended rule |
| High-risk ports are disabled for a security group that allows access from all CIDR blocks. | If 0.0.0.0/0 is added to a security group and ports 22 and 3389 are disabled, the evaluation result is compliant. | Resource directory | Network security | Recommended rule |
| The network access settings for a security group are valid. | If the Action parameter is set to Allow for inbound traffic of a security group, and the port range is not set to -1/-1 or the authorization object is not set to 0.0.0.0/0, the evaluation result is compliant. | Resource directory | Network security | Recommended rule |
| Public-read-write is disabled for all OSS buckets. | If the ACLs of all OSS buckets are not public-read-write, the evaluation result is compliant. | Resource directory | Data security | Recommended rule |
| A virtual private cloud (VPC)-type ApsaraDB RDS instance is used. | If the vpcIds parameter is not specified, Cloud Governance Center checks whether the network type of an ApsaraDB RDS instance is VPC. If the network type is VPC, the evaluation result is compliant. If the vpcIds parameter is specified, Cloud Governance Center checks whether the ID of the VPC in which an ApsaraDB RDS instance resides matches the specified value of the parameter. If the ID matches the specified value, the evaluation result is compliant. You can set the vpcIds parameter to multiple VPC IDs. If you do so, separate the VPC IDs with commas (,). | Resource directory | Resource management | Recommended rule |
| TDE encryption is enabled for an ApsaraDB RDS instance. | If the TDE encryption feature is enabled in the data security settings of an ApsaraDB RDS instance, the evaluation result is compliant. | Resource directory | Data security | Recommended rule |
| The IP address whitelist of an ApsaraDB RDS instance does not include 0.0.0.0/0. | If 0.0.0.0/0 is not added to the IP address whitelist of an ApsaraDB RDS instance, the evaluation result is compliant. | Resource directory | Data security | Recommended rule |
| The password policy for a RAM user meets the requirements. | If the password policy for a RAM user meets the requirements, the evaluation result is compliant. | Resource directory | Identity authentication | Recommended rule |
| No idle AccessKey pairs are available for a RAM user. | If the duration between the last time the AccessKey pair of a RAM user was used and the current time is less than the value specified by the days parameter, the evaluation result is compliant. Default value of the days parameter: 90. Unit: days. | Resource directory | Identity authentication | Recommended rule |
| Release protection is enabled for an ECS instance. | If release protection is enabled for an ECS instance, the evaluation result is compliant. | Resource directory | Resource management | Recommended rule |
| Release protection is enabled for a Server Load Balancer (SLB) instance. | If release protection is enabled for an SLB instance, the evaluation result is compliant. | Resource directory | Resource management | Recommended rule |
| Server-side encryption is enabled for all OSS buckets. | If server-side encryption is enabled for all OSS buckets, the evaluation result is compliant. | Resource directory | Data security | Optional rule |
| Logging is enabled for all OSS buckets. | If the logging feature is enabled for all OSS buckets, the evaluation result is compliant. You can enable the logging feature on the Logging tab in the OSS console. | Resource directory | Data security | Optional rule |
| MFA is enabled for a RAM user. | If MFA is enabled for a RAM user, the evaluation result is compliant. | Resource directory | Identity authentication | Optional rule |
| A resource contains at least one of the values of a specified tag. | The value parameter can be set to multiple tag values. If the tag of a resource contains one of the tag values, the evaluation result is compliant. | Resource directory | Resource management | Optional rule |
| A resource matches all the specified tags. | If a resource matches all the specified tags, the evaluation result is compliant. You can specify up to six tags. | Resource directory | Resource management | Optional rule |
| HTTPS listeners are enabled for an SLB instance. | If ports 80 and 8080 are specified for the HTTPS listeners of an SLB instance, the evaluation result is compliant. | Resource directory | Resource management | Optional rule |
| Resources reside in one or more specified regions. | If resources reside in one or more regions that are specified by the regions parameter, the evaluation result is compliant. | Resource directory | Resource management | Optional rule |
| A RAM user logs on to the Alibaba Cloud Management Console within a specified time period. | If a RAM user logs on to the Alibaba Cloud Management Console within the last 90 days, the evaluation result is compliant. If no logon records are found for a RAM user, Cloud Governance Center checks the update time for the status of the RAM user. If the update time is within 90 days, the evaluation result is compliant. This rule does not apply to RAM users for which console access is not enabled. | Resource directory | Identity authentication | Optional rule |
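The two network-security guardrails in the table (high-risk ports open to all CIDR blocks, and an inbound Allow that combines port range -1/-1 with 0.0.0.0/0) are easy to misread, so here is an added example, not Alibaba Cloud's code, that applies the same pass/fail logic to a security group's inbound permissions. The InboundPermission shape and the sample groups are assumptions constructed for this example, not the real API response format.

```python
# Added example (not Alibaba Cloud's code): checks a security group's inbound
# permissions against the two network-security guardrails listed above. The
# InboundPermission fields are an assumption made for this example, not the
# real security-group API response format.
from dataclasses import dataclass

HIGH_RISK_PORTS = {22, 3389}   # ports named by the high-risk-ports guardrail
ANY_CIDR = "0.0.0.0/0"         # "all CIDR blocks" authorization object


@dataclass
class InboundPermission:
    policy: str       # "Allow" or "Drop"
    port_range: str   # e.g. "22/22", "80/8080", or "-1/-1" for all ports
    source_cidr: str  # authorization object, e.g. "10.0.0.0/8"


def port_range_covers(port_range: str, port: int) -> bool:
    """True if the port range includes `port`; "-1/-1" means every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (lo == -1 and hi == -1) or lo <= port <= hi


def high_risk_ports_closed(perms: list[InboundPermission]) -> bool:
    """Guardrail 'High-risk ports are disabled for a security group that allows
    access from all CIDR blocks': compliant when no Allow from 0.0.0.0/0
    exposes port 22 or 3389."""
    return not any(
        p.policy == "Allow" and p.source_cidr == ANY_CIDR
        and any(port_range_covers(p.port_range, port) for port in HIGH_RISK_PORTS)
        for p in perms
    )


def network_access_valid(perms: list[InboundPermission]) -> bool:
    """Guardrail 'The network access settings for a security group are valid':
    compliant when no inbound Allow opens all ports (-1/-1) to 0.0.0.0/0."""
    return not any(
        p.policy == "Allow" and p.port_range == "-1/-1" and p.source_cidr == ANY_CIDR
        for p in perms
    )


# Constructed sample groups (not real resources): one hardened, one wide open.
WEB_SG = [InboundPermission("Allow", "443/443", ANY_CIDR),
          InboundPermission("Allow", "22/22", "10.0.0.0/8")]
OPEN_SG = [InboundPermission("Allow", "-1/-1", ANY_CIDR)]

if __name__ == "__main__":
    for name, sg in (("WEB_SG", WEB_SG), ("OPEN_SG", OPEN_SG)):
        print(name, high_risk_ports_closed(sg), network_access_valid(sg))
```

Note that a group which allows only port 22 from 0.0.0.0/0 fails the first guardrail but passes the second, which is why the console evaluates them separately.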

Initialize the protection rule task

You can initialize the protection rule task to enable required rules and recommended rules.

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Initialization Tasks.
  3. On the Initialization Tasks page, click Initialization task for guardrails.
  4. Click Start.
  5. View the required rules and click Create.
    For more information about the required rules, see the description of required rules in Protection rules.
  6. Wait until the required rules are enabled. Then, click Next.
  7. Select the recommended rules that you want to enable and click Create.
    For more information about the recommended rules, see the description of recommended rules in Protection rules.
  8. After the recommended rules are enabled, click OK.
  9. Click Close.

Enable optional rules

You can enable optional rules based on your business requirements.

  1. In the left-side navigation pane, choose Compliance Auditing > Guardrails.
  2. In the protection rule list, click the optional rule that you want to enable.
  3. On the Guardrail details tab, turn on the switch.

View evaluation results

After you enable a protection rule, you can view the evaluation results for involved resources based on the rule.

  1. In the left-side navigation pane, choose Compliance Auditing > Guardrails.
  2. In the Risk column of the protection rule list, check whether the evaluation result based on each rule is compliant.
  3. Click the name of a rule. Then, click the Result tab to view the evaluation result for each resource.