Queries the check results of configuration assessment for your cloud services.
Debugging
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | DescribeRiskCheckResult |
The operation that you want to perform. Set the value to DescribeRiskCheckResult. |
| SourceIp | String | No | 1.2.XX.XX |
The source IP address of the request. |
| Lang | String | No | zh |
The language of the content within the request and response. Default value: zh. Valid values:
|
| GroupId | Long | No | 1 |
The type of the check item that you want to query. Valid values:
Note If you do not specify this parameter, all types of check items are queried by default.
|
| CurrentPage | Integer | No | 1 |
The number of the page to return. Default value: 1. |
| RiskLevel | String | No | high |
The risk level of the check item that you want to query. Valid values:
|
| Status | String | No | pass |
The status of the check result. Valid values:
|
| AssetType | String | No | RDS |
The type of the cloud service whose configuration assessment result you want to query. For more information about the description of the cloud service specified by this parameter, see the check item table in the "Response parameters" section of this topic. |
| Name | String | No | Cloud Platform - MFA configuration of Alibaba Cloud accounts |
The name of the check item. For more information about the description of the check item name, see the check item table in the "Response parameters" section of this topic. |
| PageSize | Integer | No | 20 |
The number of entries to return on each page. Default value: 20. |
| QueryFlag | String | No | enabled |
Specifies whether the check item is supported by the cloud service. Valid values:
|
| ItemIds.N | String | No | 15 |
The ID of the check item. For more information about the description of the check item ID, see the check item table in the "Response parameters" section of this topic. |
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| CurrentPage | Integer | 1 |
The page number of the returned page. |
| RequestId | String | AD271C07-4ACE-413D-AA9B-F14FD3B7717F |
The ID of the request, which is used to locate and troubleshoot issues. |
| PageSize | Integer | 20 |
The number of entries returned per page. Default value: 20. |
| TotalCount | Integer | 12 |
The total number of entries returned. |
| PageCount | Integer | 20 |
The total number of pages returned. |
| Count | Integer | 10 |
The number of entries returned on the current page. |
| List | Array of RiskCheckResultForDisplay |
The information about the check item. |
|
| RiskLevel | String | high |
The risk level of the check item. Valid values:
|
| Status | String | pass |
The status of the check result. Valid values:
|
| Type | String | Identity authentication and permissions |
The type of the check item. Valid values:
|
| Sort | Integer | 1 |
The sequence number of the check result. The check items are sorted based on the sequence number. |
| RepairStatus | String | disabled |
Indicates whether the risks that are detected for the check item can be fixed. Valid values:
|
| RemainingTime | Integer | 0 |
The remaining time before the check is complete. |
| ItemId | Long | 1 |
The ID of the check item. For more information about the description of the check item ID, see the check item table in the "Response parameters" section of this topic. |
| StartStatus | String | enabled |
Indicates whether the check item is supported by the cloud service. Valid values:
|
| AffectedCount | Integer | 0 |
The number of affected assets. |
| RiskAssertType | String | ECS |
The type of the affected asset. |
| Title | String | Cloud Platform - MFA configuration of Alibaba Cloud accounts |
The name of the check item. |
| TaskId | Long | 15384933 |
The ID of the check task. |
| CheckTime | Long | 1639429164000 |
The timestamp when the last check was performed. Unit: milliseconds. |
| RiskItemResources | Array of RiskItemResource |
The details about the check item. |
|
| ContentResource | String | { "type": "link", "value": ""Risk: MFA is disabled\n", "url": "https://***.aliyun.com/#/secure\n" } |
The details about the check result. |
| ResourceName | String | bestPractice |
The title in the details about the check item. Valid values:
|
The following table describes the information about the check items that are supported by the configuration assessment feature. The information include the ID, name, type, risk level, and service type.
|
ItemId (check item ID) |
Name(check item name) |
GroupId (check item type) |
RiskLevel (risk level) |
AssetType (Alibaba Cloud service type) |
Description |
|---|---|---|---|---|---|
|
1 |
ActionTrail - logging |
3: log audit |
medium |
ActionTrail |
Checks whether you enable ActionTrail to record operations logs on the cloud and save the logs to Object Storage Service (OSS) buckets. |
|
2 |
ApsaraDB RDS - database security policies |
4: data security |
medium |
RDS |
Checks whether you enable the Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and SQL audit features for each ApsaraDB RDS instance. |
|
3 |
Alibaba Cloud account security - MFA |
1: identity authentication and permissions |
high |
RAM |
Checks whether multi-factor authentication (MFA) is enabled for Alibaba Cloud accounts. |
|
4 |
Alibaba Cloud Security - Back-to-origin configurations of Anti-DDoS Pro or Anti-DDoS Premium |
2: network access control |
high |
DDoS |
Checks whether actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure security group rules for the ECS instances. All these policies allow access from only back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. |
|
5 |
ApsaraDB RDS - whitelist configurations |
2: network access control |
high |
RDS |
Checks whether the whitelist of an ApsaraDB RDS instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the ApsaraDB RDS instance. For security purposes, we recommend that you configure RDS whitelists to allow only requests from specific IP addresses. |
|
6 |
SLB - open ports |
2: network access control |
high |
SLB |
Checks whether SLB is configured to forward requests from high-risk ports to the Internet. |
|
7 |
Alibaba Cloud Security - back-to-origin configuration checks for WAF |
2: network access control |
high |
WAF |
Checks whether the actual IP addresses of backend servers are hidden after you use WAF. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the SLB instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of ECS instances, you can configure security group rules for the ECS instances. All these access control policies allow access from only back-to-origin IP addresses of WAF. |
|
8 |
Alibaba Cloud Security - agent status |
6: basic security protection |
high |
ECS |
Checks whether the Security Center agent on the ECS instance is always online and provides protection. |
|
12 |
OSS - bucket permissions |
4: data security |
high |
OSS |
Checks whether the object access control list (ACL) of any of your OSS buckets is public-read or public-read-write. The public-read-write or public-read ACL allows users to read or write the data in your OSS buckets without authorization. To ensure data security, we recommend that you set the ACL of all your buckets to private. |
|
13 |
Security Center - detection of AccessKey pair leaks |
5: monitoring and alerting |
medium |
RAM |
Checks whether AccessKey leak detection is enabled. API credentials, also AccessKey pairs, are unique and important identity credentials. We recommend that you enable AccessKey leak detection to prevent AccessKey pair leaks. |
|
14 |
ApsaraDB for MongoDB - whitelist configurations |
2: network access control |
high |
MongoDB |
Checks whether whitelist are enabled for ApsaraDB for MongDB instances. If whitelists are enabled and the whitelists are empty or contain the 0.0.0.0/0 CIDR block, the requests from all IP addresses are allowed. In this case, security risks may occur. We recommend that you configure the whitelist to allow only access requests from trusted IP addresses. |
|
15 |
RAM - MFA configuration for RAM users |
1: identity authentication and permissions |
medium |
RAM |
Checks whether MFA is enabled for RAM users. |
|
16 |
OSS - logging |
4: data security |
medium |
OSS |
Checks whether the log record feature is enabled for all OSS buckets. When you access OSS, a large number of access logs are generated. After you enable and configure the log record feature for a bucket, an object with a specific prefix is generated on an hourly basis to record access logs of the bucket. To analyze the access logs, you can use Alibaba Cloud Data Lake Analytics (DLA) or build a Spark cluster. You can configure lifecycle rules for the bucket to convert the storage class of log objects to Archive for long-term archiving. |
|
17 |
OSS - cross-region replication |
4: data security |
low |
OSS |
Checks whether cross-region replication (CRR) is enabled for all OSS buckets. CRR enables the automatic and asynchronous replication of objects across buckets in different OSS data centers (regions). CRR synchronizes operations such as creation, overwriting, and deletion of objects from the source bucket to the destination bucket. CRR can meet your requirements on cross-region disaster recovery and data replication. Objects in the destination bucket are extra duplicates of objects in the source bucket. They have the same names, content, and metadata, such as the created time, owner, user metadata, and ACL. |
|
18 |
ApsaraDB RDS - database backup |
4: data security |
medium |
RDS |
Checks whether database backup is enabled for ApsaraDB RDS instances. We recommend that you enable database backup for ApsaraDB RDS instances and perform a data backup task on a daily basis. |
|
19 |
ApsaraDB for Redis - whitelist configurations |
2: network access control |
high |
Redis |
Checks access control configurations of ApsaraDB for Redis. |
|
20 |
ECS - public key authentication |
1: identity authentication and permissions |
medium |
ECS |
Checks whether SSH key pair-based logons are enabled for ECS instances. |
|
21 |
SLB - health status |
5: monitoring and alerting |
low |
SLB |
Checks the health status of SLB instances. |
|
22 |
PolarDB - whitelist configurations |
2: network access control |
medium |
PolarDB |
Checks whether the whitelist of a PolarDB cluster contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the PolarDB cluster. For security purposes, we recommend that you configure whitelists to allow only requests from specific IP addresses. |
|
23 |
AnalyticDB for PostgreSQL - whitelist configurations |
2: network access control |
medium |
PostgreSQL |
Checks whether the whitelist of an AnalyticDB for PostgreSQL instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the AnalyticDB for PostgreSQL instance. For security purposes, we recommend that you configure whitelists to allow only requests from specific IP addresses. |
|
24 |
ECS - storage encryption |
4: data security |
low |
ECS |
Checks whether disk encryption is enabled. Disk encryption allows you to meet security or regulatory compliance requirements. |
|
25 |
SLB - whitelist configurations |
2: network access control |
medium |
SLB |
Checks the SLB whitelist configurations. We recommend that you configure whitelists for non-HTTP and non-HTTPS services, and that you do not add 0.0.0.0/0 to the whitelists. |
|
26 |
SLB - certificate validity checks |
5: monitoring and alerting |
medium |
SLB |
Checks whether the SLB certificate has expired. |
|
27 |
ECS - automatic snapshot policies |
4: data security |
medium |
ECS |
Checks whether automatic snapshot policies are enabled for ECS instances. |
|
28 |
SSL Certificates Service - validity checks |
4: data security |
medium |
SSL |
Checks whether the SSL certificate is within its validity period. |
|
30 |
OSS - bucket server-side encryption |
4: data security |
low |
OSS |
Checks whether server-side encryption is enabled for OSS buckets. |
|
31 |
OSS - bucket hotlink protection |
2: network access control |
low |
OSS |
Checks whether hotlink protection is configured for OSS buckets. |
|
32 |
ApsaraDB RDS - cross-region backup configurations |
4: data security |
low |
RDS |
Checks whether cross-region backup is configured for ApsaraDB RDS instances. |
|
33 |
ApsaraDB for MongoDB - backup configurations |
4: data security |
medium |
MongoDB |
Checks whether data backup is enabled for ApsaraDB for MongoDB instances. |
|
34 |
ApsaraDB for MongoDB - log audit |
3: log audit |
medium |
MongoDB |
Checks whether log audit is enabled for ApsaraDB for MongoDB instances. |
|
35 |
ApsaraDB for MongoDB - SSL encryption |
4: data security |
medium |
MongoDB |
Checks whether SSL certificate checks are enabled for ApsaraDB for MongoDB instances. |
|
36 |
CloudMonitor - agent status |
5: monitoring and alerting |
medium |
CloudMonitor |
Checks whether the status of the Cloud Monitor agent is normal. |
|
37 |
ECS - security group policies |
2: network access control |
medium |
ECS |
Checks the ECS security group policies. |
|
38 |
VPC - DNAT management port mapping |
2: network access control |
medium |
VPC |
Checks whether a VPC DNAT rule is configured to map management ports to the Internet. |
|
39 |
ApsaraDB for Redis - backup configurations |
4: data security |
medium |
Redis |
Checks whether data backup is enabled for ApsaraDB for Redis. |
|
40 |
Container Registry - repository permission configurations |
4: data security |
high |
CR |
Checks whether permissions are correctly configured for the repository in Container Registry. |
|
41 |
Container Registry - security scans |
6: basic security protection |
low |
CR |
Checks whether security scan is enabled for Container Registry. |
|
42 |
SLB - logging |
3: log audit |
medium |
SLB |
Checks whether access logging is configured for SLB instances. |
|
43 |
ApsaraDB for Redis - log audit |
3: log audit |
low |
Redis |
Checks whether log audit is configured for ApsaraDB for Redis. |
|
44 |
OSS - authorization policies |
1: identity authentication and permissions |
medium |
OSS |
Checks whether correct authorization policies are enabled for OSS. |
|
46 |
PolarDB - backup configurations |
4: data security |
medium |
PolarDB |
Checks whether data backup is enabled for PolarDB. |
|
47 |
PolarDB - SQL Explorer |
3: log audit |
medium |
PolarDB |
Checks whether SQL Explorer is enabled for PolarDB clusters. |
|
49 |
Alibaba Cloud account security - AccessKey pair |
1: identity authentication and permissions |
medium |
RAM |
Checks whether the AccessKey pair is enabled for your Alibaba Cloud account. |
|
51 |
Alibaba Cloud CDN - real-time log push feature |
3: log audit |
medium |
CDN |
Checks whether real-time logging push is enabled for CDN. |
|
52 |
ApsaraDB for Redis - SSL encryption |
4: data security |
medium |
Redis |
Checks whether SSL certificates are enabled for ApsaraDB for Redis instances. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=DescribeRiskCheckResult
&SourceIp=1.2.XX.XX
&Lang=zh
&GroupId=1
&CurrentPage=1
&RiskLevel=high
&Status=pass
&AssetType=RDS
&Name=Cloud Platform - MFA configuration of Alibaba Cloud accounts
&PageSize=20
&QueryFlag=enabled
&ItemIds=["15"]
&Common request parametersSample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribeRiskCheckResultResponse>
<CurrentPage>1</CurrentPage>
<RequestId>AD271C07-4ACE-413D-AA9B-F14FD3B7717F</RequestId>
<PageSize>20</PageSize>
<TotalCount>12</TotalCount>
<PageCount>20</PageCount>
<Count>10</Count>
<List>
<RiskLevel>high</RiskLevel>
<Status>pass</Status>
<Type>Identity authentication and permissions</Type>
<Sort>1</Sort>
<RepairStatus>disabled</RepairStatus>
<RemainingTime>0</RemainingTime>
<ItemId>1</ItemId>
<StartStatus>enabled</StartStatus>
<AffectedCount>0</AffectedCount>
<RiskAssertType>ECS</RiskAssertType>
<Title>Cloud Platform - MFA configuration of Alibaba Cloud accounts</Title>
<TaskId>15384933</TaskId>
<CheckTime>1639429164000</CheckTime>
<RiskItemResources>
<ContentResource>{ "type": "link", "value": "Risk: MFA is disabled\n", "url": "https://***.aliyun.com/#/secure\n" }</ContentResource>
<ResourceName>bestPractice</ResourceName>
</RiskItemResources>
</List>
</DescribeRiskCheckResultResponse>JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"CurrentPage" : 1,
"RequestId" : "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
"PageSize" : 20,
"TotalCount" : 12,
"PageCount" : 20,
"Count" : 10,
"List" : [ {
"RiskLevel" : "high",
"Status" : "pass",
"Type" : "Identity authentication and permissions",
"Sort" : 1,
"RepairStatus" : "disabled",
"RemainingTime" : 0,
"ItemId" : 1,
"StartStatus" : "enabled",
"AffectedCount" : 0,
"RiskAssertType" : "ECS",
"Title" : "Cloud Platform - MFA configuration of Alibaba Cloud accounts",
"TaskId" : 15384933,
"CheckTime" : 1639429164000,
"RiskItemResources" : [ {
"ContentResource": "{ \"type\": \"link\", \"value\": \"Risk: MFA is disabled\\n\", \"url\": \"https://***.aliyun.com/#/secure\\n\" }",
"ResourceName" : "bestPractice"
} ]
} ]
}Error codes
| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | NoPermission | no permission | The error message returned because you do not have access permissions. |
| 500 | ServerError | ServerError | The error message returned because a server error occurred. |
For a list of error codes, visit the API Error Center.