Security Center provides the configuration assessment feature. This feature can help you check whether risks exist in the configurations of your Alibaba Cloud services. This topic describes how to use the configuration assessment feature.
Run a configuration check on cloud services
The configuration assessment feature allows you to manually run configuration checks and enable automatic checks on your cloud services. For more information about the check items that are supported by each edition of Security Center, see Check items.
View check results
Handle the detected configuration risks of your cloud services
Check items
The following tables describe the check items that are supported by each edition of Security Center.
Note The following symbols are used to indicate whether a check item is supported:
: The check item is not supported.
: The check item is supported.
The severity levels in the following table are defined in Security Center.
Identity permission management (CIEM)
Best security practice | Check item | Check item type | Risk level | Basic and Anti-virus | Advanced | Enterprise and Ultimate |
---|---|---|---|---|---|---|
IDAAS | IDAAS password complexity | Password Policy | Important | ![]() | ![]() | ![]() |
IDAAS | IDAAS history password detection | Password Policy | Important | ![]() | ![]() | ![]() |
IDAAS | IDAAS enables secondary authentication | Certification management | Important | ![]() | ![]() | ![]() |
IDAAS | IDAAS regular password change | Password Policy | Medium | ![]() | ![]() | ![]() |
IDAAS | IDAAS Forgot Password | Password Policy | Medium | ![]() | ![]() | ![]() |
IDAAS | Validity period of IDAAS login | Certification management | Medium | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Root Account AK disabled | AK Security | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | RAM Users MFA Configuration | Authentication management | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Root account enable MFA | Authentication management | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Separation of personnel and program users | Identity management | Medium | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Password_validity | Password Policy | Medium | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Ram restricted IP access | Access Control | Low | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | RAM_CheckAccesskeyAuth | AK Security | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Password_complexity | Password Policy | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Session security settings | Authentication management | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Create Ram User | Identity management | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Create only one AK | AK Security | Important | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | AK regular rotation | AK Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Password reuse restrictions | Password Policy | Medium | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Idle RAM AK cleaning | AK Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud RAM best security practices | Idle user cleaning | Identity management | Low | ![]() | ![]() | ![]() |
RAM Privilege Management | RAM-Super Administrator Authorization | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | RAM - Cloud product administrator authorization | Grants Management | Medium | ![]() | ![]() | ![]() |
RAM Privilege Management | User-CheckRamRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | Role-CheckRamRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | User-CheckEcsRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | Role-CheckEcsRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | Role-CheckOssRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | Role-CheckRdsRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | User-CheckRdsRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
RAM Privilege Management | User-CheckOssRiskApi | Grants Management | Important | ![]() | ![]() | ![]() |
Cloud product configuration management (Cloud Service Risk)
Best security practice | Check item | Check item type | Risk level | Basic and Anti-virus | Advanced | Enterprise and Ultimate |
---|---|---|---|---|---|---|
Alibaba cloud MSE best security practices | MSE-Public Network Authentication | Access Control | Low | ![]() | ![]() | ![]() |
Alibaba cloud NAS best security practices | NAS - enable log management | Log Audit | Low | ![]() | ![]() | ![]() |
Alibaba cloud NAS best security practices | NAS - Classic Network Configuration | Access Control | Low | ![]() | ![]() | ![]() |
Alibaba cloud NAS best security practices | NAS Backup Settings | Access Control | Low | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS Bucket Version Control | Disaster Recovery Backup | Medium | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS Authorization Policy | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS Bucket Immobilizer Configuration | Access Control | Low | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS Bucket server encryption | Data Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS - Cross-Region Replication Configuration | Disaster Recovery Backup | Low | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS - Logging Configuration | Log Audit | Medium | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS Bucket Permission Settings | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | OSS Sensitive File Disclosure | Data Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | Encrypt the manifest file under OSS public permission | Log Audit | Low | ![]() | ![]() | ![]() |
Alibaba cloud OSS best security practices | Disable logs under OSS public permissions | Access Control | Low | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | ALB high risk port exposure | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | CLB white list configuration check | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | CLB - Certificate Expiration | Monitoring Alarms | Medium | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | CLB - Health Status | Monitoring Alarms | Low | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | ALB white list configuration check | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | CLB - High Risk Port Exposure | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | ALB - Certificate Expiration | Monitoring Alarms | Medium | ![]() | ![]() | ![]() |
Alibaba cloud SLB best security practices | ALB_HealthStatus | Monitoring Alarms | Low | ![]() | ![]() | ![]() |
Alibaba cloud PostgreSQL best security practices | PostgreSQL Backup Settings | Disaster Recovery Backup | Medium | ![]() | ![]() | ![]() |
Alibaba cloud PostgreSQL best security practices | PostgreSQL - Cloud Disk Encryption | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud PostgreSQL best security practices | PostgreSQL SSL certificate | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud PostgreSQL best security practices | PostgreSQL - Whitelist Configuration | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis Audit Log Configuration | Log Audit | Low | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis Access Advanced Anti DDoS | Access Control | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis - Whitelist Configuration | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis - enable TDE encryption | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis use ordinary users | Identity Authentication | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis - Disable high risk commands | Access Control | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis VPC password free mode application white list | Access Control | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis - set timeout time of client connection | Access Control | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis SSL Enabled | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis Backup Settings | Disaster Recovery Backup | Medium | ![]() | ![]() | ![]() |
Alibaba cloud Redis best security practices | Redis - close VPC secret free access | Identity Authentication | Low | ![]() | ![]() | ![]() |
Alibaba cloud ACK best security practices | ACK - Forbid Binding EIP | Network Configuration | Low | ![]() | ![]() | ![]() |
Alibaba cloud ACK best security practices | ACK - Network Plugin Configuration | Network Configuration | Low | ![]() | ![]() | ![]() |
Alibaba cloud ACK best security practices | ACK - Network Policy Configuration | Network Configuration | Low | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS-Ordinary User Login | Authentication | Medium | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS Enable Database Backup | Disaster Recovery Backup | Medium | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS - TDE Configuration | Data Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS - SSL Configuration | Data Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS - SQL Audit | Data Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS - Cross Region Backup | Disaster Recovery Backup | Low | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS white list configuration | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS - Port Configuration | Service configuration | Low | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS-Instance Release Protection Configuration | Service configuration | Low | ![]() | ![]() | ![]() |
Alibaba cloud RDS best security practices | RDS - Cloud Disk Encryption | Data Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud PolarDB best security practices | PolarDB SQL Insight | Log Audit | Medium | ![]() | ![]() | ![]() |
Alibaba cloud PolarDB best security practices | PolarDB Backup Settings | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud PolarDB best security practices | PolarDB - Whitelist Configuration | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud best security practices | Cloud Effect Codeup Code Security | Security protection | Important | ![]() | ![]() | ![]() |
Alibaba cloud best security practices | Cloud Security - WAF Back-to-origin Configuration | Security protection | Important | ![]() | ![]() | ![]() |
Alibaba cloud best security practices | Action Trail - Logging Configuration | Log Audit | Medium | ![]() | ![]() | ![]() |
Alibaba cloud best security practices | Cloud Security - High Anti-Back Source Configuration | Security protection | Important | ![]() | ![]() | ![]() |
Alibaba cloud best security practices | Container Registry - Repository Visibility Settings | Data Security | Important | ![]() | ![]() | ![]() |
Alibaba cloud best security practices | SSL certificate validity check | Data Security | Important | ![]() | ![]() | ![]() |
Alibaba cloud best security practices | CDN real-time log push | Log Audit | Medium | ![]() | ![]() | ![]() |
Alibaba cloud ECS best security practices | ECS - Security Groups Setting | Access Control | Important | ![]() | ![]() | ![]() |
Alibaba cloud ECS best security practices | ECS - Automatic Snapshot Policy | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud ECS best security practices | ECS storage encryption | Data Security | Low | ![]() | ![]() | ![]() |
Alibaba cloud ECS best security practices | Cloud Monitoring - Host Plug in Status | Monitoring Alarms | Medium | ![]() | ![]() | ![]() |
Alibaba cloud ECS best security practices | ECS Key Pair Login | Authentication | Important | ![]() | ![]() | ![]() |
Alibaba cloud ECS best security practices | Yundun - Host Security Protection | Security | Important | ![]() | ![]() | ![]() |
Alibaba cloud MongoDB best security practices | MongoDB SSL ON | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud MongoDB best security practices | Mongodb - enable TDE encryption | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud MongoDB best security practices | Mongodb - close secret free access | Identity Authentication | Low | ![]() | ![]() | ![]() |
Alibaba cloud MongoDB best security practices | MongoDB Log Audit | Log Audit | Medium | ![]() | ![]() | ![]() |
Alibaba cloud MongoDB best security practices | MongoDB Backup Settings | Data Security | Medium | ![]() | ![]() | ![]() |
Alibaba cloud MongoDB best security practices | Mongodb - Whitelist Configuration | Access Control | Important | ![]() | ![]() | ![]() |
Compliance (Compliance Risk)
Best security practice | Check item | Check item type | Risk level | Basic, Anti-virus, and Advanced | Enterprise and Ultimate |
---|---|---|---|---|---|
CIS Alibaba Cloud Foundation Benchmark | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | Virtual Machines | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy require at least one symbol | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | Virtual Machines | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM policies are attached only to groups or roles | Identity and Access Management | Medium | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy requires minimum length of 14 or greater | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy expires passwords within 90 days or less | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy prevents password reuse | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy requires at least one uppercase letter | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy requires at least one lowercase letter | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure RAM password policy require at least one number | Identity and Access Management | Important | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure legacy networks does not exist | Networking | Medium | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure CloudMonitor is set to Enabled on Kubernetes Engine Clusters | Kubernetes Engine | Low | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure that notification is enabled on all high risk items | Security Center | Low | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure that 'Auditing' Retention is 'greater than 6 months' | Relational Database Services | Low | ![]() | ![]() |
CIS Alibaba Cloud Foundation Benchmark | Ensure that 'Unattached disks' are encrypted | Virtual Machines | Low | ![]() | ![]() |