This topic describes the alert rules for account security. You can configure and enable these alerts in the Simple Log Service console to monitor account security issues. If an alert is triggered, you can identify the cause and remediate the issue at the earliest opportunity.
Alert rules
The following alert rules are supported. For information about how to set alert parameters, configure whitelists, and perform other related operations, see Configure alerts.
RAM Sub-Account Login without MFA Alert
ID | sls_app_audit_cis_at_ram_mfa |
Name | RAM Sub-Account Login without MFA Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors whether multi-factor authentication (MFA) is enabled for a Resource Access Management (RAM) user who logs on to the console of an Alibaba Cloud service. MFA must be enabled for a RAM user who logs on to the console. In addition, the number of logons without MFA within the time range must be less than or equal to the specified Max logins parameter. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 4 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings | |
External Configurations | You can configure a whitelist of RAM users who can log on to the consoles of Alibaba Cloud services without the need to enable MFA. If MFA is disabled for a RAM user on the whitelist when the RAM user logs on to the console of an Alibaba Cloud Service, no alert is triggered. |
Solution | Enable MFA for the RAM user. Make sure that the number of logons without MFA by a RAM user within 5 minutes is less than or equal to the specified Max logins parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
RAM Password Expiration Policy Exception Alert
ID | sls_app_audit_cis_at_pwd_expire_policy |
Name | RAM Password Expiration Policy Exception Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors whether the validity period specified in the RAM password policy is valid. The validity period of RAM passwords in the policy must be less than or equal to the specified Max validity period parameter of the alert rule. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 5 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings | |
External Configurations | None |
Solution | Make sure that the validity period in the RAM password policy is less than or equal to the specified Max validity period parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Root Account Login without MFA Alert
ID | sls_app_audit_cis_at_root_mfa |
Name | Root Account Login without MFA Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors logons of the root account to the console without MFA. MFA must be enabled for the root account before it is used to log on to the console. In addition, the number of logons without MFA must be less than or equal to the specified Max logins parameter. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 4 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings | |
External Configurations | You can configure a whitelist of root users who are allowed to log on without MFA. The root users on the whitelist can log on for an unlimited number of times without MFA. No alert is triggered by such logons. |
Solution | Enable MFA for the root account. Make sure that the number of logons without MFA by the root account within 5 minutes is less than or equal to the specified Max logins parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
RAM Password Login Retry Policy Exception Alert
ID | sls_app_audit_cis_at_pwd_login_attemp_policy |
Name | RAM Password Login Retry Policy Exception Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors whether the logon retry policy specified in the RAM password policy is valid. The number of failed logon attempts due to invalid passwords that the policy allows within one hour must be less than or equal to the specified Max login failures/h parameter of the alert rule. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 5 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings | |
External Configurations | None |
Solution | Reset the number of failed logon attempts due to invalid passwords that are allowed within one hour in the RAM password policy. Make sure that it is less than or equal to the specified Max login failures/h parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Root Account Frequent Login Alert
ID | sls_app_audit_cis_at_root_login |
Name | Root Account Frequent Login Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors frequent logons of the root account. The root account should not be used to log on to the console of an Alibaba Cloud service frequently. If the number of logons of the root account within 5 minutes exceeds the specified Max login Times parameter, an alert is triggered. |
Check Frequency | Fixed interval: 5 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings | |
External Configurations | A whitelist of root users who are allowed to log on frequently. The root users on the whitelist can log on for an unlimited number of times within 5 minutes. No alert is triggered by such logons. |
Solution | Use RAM users instead of the root account for daily operations. Make sure that the number of logons of the root account within 5 minutes is less than or equal to the specified Max login Times parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
RAM History Password Check Policy Exception Alert
ID | sls_app_audit_cis_at_pwd_reuse_policy |
Name | RAM History Password Check Policy Exception Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors whether the password history check specified in the RAM password policy is valid. The policy prohibits the reuse of the previous N passwords. You specify the minimum value of N in the parameter settings of the alert rule. If the value of N in the password policy is less than this threshold, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | |
External Configurations | None |
Solution | Make sure that the value of N (the number of previous passwords that cannot be reused) in the RAM password policy is greater than or equal to the specified Minimum password reuse value parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
KMS Key Configuration Change Alert
ID | sls_app_audit_cis_at_ak_conf_change |
Name | KMS Key Configuration Change Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors whether the key configuration in Key Management Service (KMS) is changed. If the key configuration in KMS is changed, for example, if a key is deleted or disabled, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8 |
External Configurations | You can configure a whitelist of RAM users who are allowed to modify the key configuration in KMS. RAM users on the whitelist can modify the key configuration in KMS without triggering an alert. |
Solution | Prohibit the RAM users that are not included in the whitelist from modifying the key configuration. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Account Continuous Login Failure Alert
ID | sls_app_audit_cis_at_abnormal_login_count |
Name | Account Continuous Login Failure Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors the number of consecutive logon failures within a specific period of time. When the number of failed logons within 5 minutes is greater than the specified Failed logins parameter, an alert is triggered. |
Check Frequency | Fixed interval: 4 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings | |
External Configurations | None |
Solution | Make sure that the number of failed logons within 5 minutes is less than or equal to the Failed logins parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Root Account AK Usage Detection
ID | sls_app_audit_cis_at_root_ak_usage |
Name | Root Account AK Usage Detection |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors the usage of the AccessKey pair of the root account. AccessKey pairs should not be created or used for the root account. If an AccessKey pair of the root account is used, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8 |
External Configurations | You can configure a whitelist of root users who are allowed to use AccessKey pairs. Root users on the whitelist can use AccessKey pairs without triggering an alert. |
Solution | Make sure that the AccessKey pair of the root account is not used. Delete any existing AccessKey pair of the root account and use RAM users or RAM roles for API access instead. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
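The logon-based rules above (RAM and root logons without MFA, frequent root logons, consecutive logon failures, and root AccessKey usage) all reduce to the same shape: count ActionTrail events per principal over the last 5 minutes, skip whitelisted principals, and compare the count with the rule's threshold. The following Python script is an added example of that evaluation run over constructed events; it is not the query logic of the Log Audit app. The event field names (eventName, userIdentity.type, userName, accountId and accessKeyId, additionalEventData.mfaChecked, errorCode) are assumptions modelled on ActionTrail events, and the sample events, parameter values and whitelist are constructed for the example.

```python
"""Simplified evaluator for the logon-event alert rules on this page (added example).

Field names are assumptions modelled on ActionTrail events; verify them against
your own ActionTrail logs before reusing the logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # each rule here checks "the data of the last 5 minutes"


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(events, now):
    """Events whose eventTime falls in (now - 5 min, now]; older data is ignored."""
    return [e for e in events if now - WINDOW < parse_time(e["eventTime"]) <= now]


def subject(e):
    """(identity type, name): RAM users by userName, the root account by accountId."""
    u = e["userIdentity"]
    return u["type"], u.get("userName") or u.get("accountId")


def count_console_logins(events, now, want_type, mfa=None, failed=None):
    """Count ConsoleSignin events per principal of one identity type, optionally
    filtered on MFA state (mfa=False -> logons without MFA) and on failure."""
    counts = defaultdict(int)
    for e in in_window(events, now):
        if e["eventName"] != "ConsoleSignin":
            continue
        utype, name = subject(e)
        if utype != want_type:
            continue
        has_mfa = e.get("additionalEventData", {}).get("mfaChecked") == "true"
        if mfa is not None and has_mfa != mfa:
            continue
        if failed is not None and bool(e.get("errorCode")) != failed:
            continue
        counts[name] += 1
    return dict(counts)


def evaluate(events, now, params, whitelists):
    """Return [(rule_id, principal, count)] for every rule that fires."""
    alerts = []
    # Logons without MFA: one rule for RAM users, one for the root account, each
    # with its own whitelist of principals allowed to log on without MFA.
    for utype, rule in (("ram-user", "sls_app_audit_cis_at_ram_mfa"),
                        ("root-account", "sls_app_audit_cis_at_root_mfa")):
        for name, n in count_console_logins(events, now, utype, mfa=False, failed=False).items():
            if name not in whitelists.get(rule, set()) and n > params["max_logins"]:
                alerts.append((rule, name, n))
    # Frequent root logons, with or without MFA.
    rule = "sls_app_audit_cis_at_root_login"
    for name, n in count_console_logins(events, now, "root-account", failed=False).items():
        if name not in whitelists.get(rule, set()) and n > params["max_login_times"]:
            alerts.append((rule, name, n))
    # Failed logons, any identity type.
    rule = "sls_app_audit_cis_at_abnormal_login_count"
    for utype in ("ram-user", "root-account"):
        for name, n in count_console_logins(events, now, utype, failed=True).items():
            if n > params["failed_logins"]:
                alerts.append((rule, name, n))
    # Root AccessKey usage: any non-console API call signed with a root AccessKey.
    rule = "sls_app_audit_cis_at_root_ak_usage"
    ak_calls = defaultdict(int)
    for e in in_window(events, now):
        u = e["userIdentity"]
        if u["type"] == "root-account" and u.get("accessKeyId") and e["eventName"] != "ConsoleSignin":
            ak_calls[u.get("accountId")] += 1
    for name, n in ak_calls.items():
        if name not in whitelists.get(rule, set()):
            alerts.append((rule, name, n))
    return alerts


def _signin(t, utype, name, mfa="true", error=None):
    """Build a constructed ConsoleSignin event (sample data, not a real log line)."""
    ident = {"type": utype, "accountId": "123456789012345"}
    if utype == "ram-user":
        ident["userName"] = name
    e = {"eventTime": t, "eventName": "ConsoleSignin", "userIdentity": ident,
         "additionalEventData": {"mfaChecked": mfa}}
    if error:
        e["errorCode"] = error
    return e


# Constructed sample events; now = 10:05:00Z, so alice's 09:50 logon is out of window.
SAMPLE_EVENTS = [
    _signin("2024-05-01T09:50:00Z", "ram-user", "alice", mfa="false"),
    _signin("2024-05-01T10:00:05Z", "ram-user", "alice", mfa="false"),
    _signin("2024-05-01T10:01:10Z", "ram-user", "alice", mfa="false"),
    _signin("2024-05-01T10:02:30Z", "ram-user", "alice", mfa="false"),
    _signin("2024-05-01T10:03:00Z", "ram-user", "bob", mfa="false"),  # whitelisted below
    _signin("2024-05-01T10:04:00Z", "ram-user", "carol"),
    _signin("2024-05-01T10:00:30Z", "root-account", None),
    _signin("2024-05-01T10:01:30Z", "root-account", None),
    _signin("2024-05-01T10:02:30Z", "root-account", None),
    _signin("2024-05-01T10:03:30Z", "root-account", None),
    _signin("2024-05-01T10:01:00Z", "ram-user", "dave", error="InvalidPassword"),
    _signin("2024-05-01T10:02:00Z", "ram-user", "dave", error="InvalidPassword"),
    _signin("2024-05-01T10:03:00Z", "ram-user", "dave", error="InvalidPassword"),
    _signin("2024-05-01T10:04:00Z", "ram-user", "dave", error="InvalidPassword"),
    {"eventTime": "2024-05-01T10:04:10Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "root-account", "accountId": "123456789012345",
                      "accessKeyId": "LTAI0000000000EXAMPLE"}},
]
SAMPLE_PARAMS = {"max_logins": 2, "max_login_times": 3, "failed_logins": 3}
SAMPLE_WHITELISTS = {"sls_app_audit_cis_at_ram_mfa": {"bob"}}
SAMPLE_NOW = parse_time("2024-05-01T10:05:00Z")


def sample_alerts():
    return evaluate(SAMPLE_EVENTS, SAMPLE_NOW, SAMPLE_PARAMS, SAMPLE_WHITELISTS)


if __name__ == "__main__":
    for rule, who, n in sample_alerts():
        print(f"{rule}: {who} ({n} events in the last 5 minutes)")
```

With the sample data, four alerts fire: alice (3 logons without MFA, above Max logins of 2), the root account (4 logons, above Max login Times of 3), dave (4 failed logons, above Failed logins of 3) and the root AccessKey call. bob is skipped because of the whitelist, carol logged on with MFA, and alice's 09:50 logon is outside the 5-minute window. Failed logons are excluded from the MFA and frequency counts so that a password-guessing burst does not also show up as "logons without MFA".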
RAM Password Length Policy Exception Alert
ID | sls_app_audit_cis_at_pwd_length_policy |
Name | RAM Password Length Policy Exception Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Account Security |
Usage | Monitors whether the minimum password length specified in the RAM password policy is valid. In the RAM password policy, the minimum length of a RAM password must be greater than or equal to the value of the specified Min password length parameter. Otherwise, an alert is triggered. |
Check Frequency | Fixed interval: 5 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings | |
External Configurations | None |
Solution | You can reset the minimum password length in the RAM password policy. Make sure that it is greater than or equal to the specified Min password length parameter. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
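The four password-policy rules on this page (validity period, logon retry limit, password history check, and minimum length) compare one field of the RAM password policy with one threshold each. The following Python function is an added example of those four checks run against a weak and a hardened policy; it is not the Log Audit app's own logic. The input layout follows the RAM GetPasswordPolicy API response (MinimumPasswordLength, MaxPasswordAge, PasswordReusePrevention, MaxLoginAttemps), and both the field names and the convention that 0 means "no limit" are assumptions to verify against the RAM API reference; the threshold values and sample policies are made up for the example.

```python
"""Checks the four RAM password-policy rules on this page (added example).

Field names follow the RAM GetPasswordPolicy response; they and the meaning of
0 as "no limit" are assumptions to verify against the RAM API reference.
"""

NO_LIMIT = 0  # assumption: RAM uses 0 for "never expires" / "unlimited attempts" / "no reuse check"

DEFAULT_THRESHOLDS = {
    "max_validity_period": 90,         # days; sls_app_audit_cis_at_pwd_expire_policy
    "max_login_failures_per_hour": 5,  # sls_app_audit_cis_at_pwd_login_attemp_policy
    "min_password_reuse": 5,           # sls_app_audit_cis_at_pwd_reuse_policy
    "min_password_length": 12,         # sls_app_audit_cis_at_pwd_length_policy
}


def check_password_policy(policy, thresholds=DEFAULT_THRESHOLDS):
    """Return {rule_id: reason} for each rule whose check fails; {} means compliant.

    The two "maximum" checks treat 0 as a failure: a policy whose passwords never
    expire or whose lockout is disabled would otherwise pass a naive "<=" test.
    """
    findings = {}

    age = policy.get("MaxPasswordAge", NO_LIMIT)
    if age == NO_LIMIT or age > thresholds["max_validity_period"]:
        findings["sls_app_audit_cis_at_pwd_expire_policy"] = (
            f"MaxPasswordAge={age} (0 = never expires), limit {thresholds['max_validity_period']} days")

    attempts = policy.get("MaxLoginAttemps", NO_LIMIT)
    if attempts == NO_LIMIT or attempts > thresholds["max_login_failures_per_hour"]:
        findings["sls_app_audit_cis_at_pwd_login_attemp_policy"] = (
            f"MaxLoginAttemps={attempts} (0 = unlimited), limit {thresholds['max_login_failures_per_hour']}/h")

    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < thresholds["min_password_reuse"]:
        findings["sls_app_audit_cis_at_pwd_reuse_policy"] = (
            f"PasswordReusePrevention={reuse}, minimum {thresholds['min_password_reuse']}")

    length = policy.get("MinimumPasswordLength", 0)
    if length < thresholds["min_password_length"]:
        findings["sls_app_audit_cis_at_pwd_length_policy"] = (
            f"MinimumPasswordLength={length}, minimum {thresholds['min_password_length']}")

    return findings


# Constructed sample policies (made-up values, not real account settings).
WEAK_POLICY = {"MinimumPasswordLength": 8, "MaxPasswordAge": 0,
               "PasswordReusePrevention": 0, "MaxLoginAttemps": 10}
HARDENED_POLICY = {"MinimumPasswordLength": 14, "MaxPasswordAge": 90,
                   "PasswordReusePrevention": 5, "MaxLoginAttemps": 5}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = check_password_policy(pol)
        print(f"{name}: {len(findings)} finding(s)")
        for rule, why in findings.items():
            print(f"  {rule}: {why}")
```

The weak policy trips all four rules; the hardened one trips none. The point worth keeping from this example is the zero case: "passwords never expire" and "no lockout" are encoded as 0, which is numerically below any Max validity period or Max login failures/h threshold, so a check that only tests "value <= threshold" would report the least secure setting as compliant.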