Queries the check results of configuration assessment for your cloud services.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeRiskCheckResult

The operation that you want to perform. Set the value to DescribeRiskCheckResult.

SourceIp String No 1.2.XX.XX

The source IP address of the request.

Lang String No zh

The language of the content within the request and response. Default value: zh. Valid values:

  • zh: Chinese
  • en: English
GroupId Long No 1

The type of the check item that you want to query. Valid values:

  • 1: identity authentication and permissions
  • 2: network access control
  • 3: log audit
  • 4: data security
  • 5: monitoring and alerting
  • 6: basic security protection
Note: If you do not specify this parameter, check items of all types are queried.

CurrentPage Integer No 1

The number of the page to return. Default value: 1.

RiskLevel String No high

The risk level of the check item that you want to query. Valid values:

  • high
  • medium
  • low
Status String No pass

The status of the check result. Valid values:

  • pass
  • failed
  • running
  • waiting
  • ignored
  • falsePositive
AssetType String No RDS

The type of the cloud service whose configuration assessment results you want to query. For the valid values, see the AssetType column of the check item table in the "Response parameters" section of this topic.

Name String No Cloud Platform - MFA configuration of Alibaba Cloud accounts

The name of the check item. For the valid values, see the Name column of the check item table in the "Response parameters" section of this topic.

PageSize Integer No 20

The number of entries to return on each page. Default value: 20.

QueryFlag String No enabled

Specifies whether the check item is supported by the cloud service. Valid values:

  • enabled: The check item is supported by the cloud service.
  • disabled: The check item is not supported by the cloud service.
ItemIds.N String No 15

The IDs of the check items that you want to query. For the valid values, see the ItemId column of the check item table in the "Response parameters" section of this topic.

Response parameters

Parameter Type Example Description
CurrentPage Integer 1

The page number of the returned page.

RequestId String AD271C07-4ACE-413D-AA9B-F14FD3B7717F

The ID of the request, which is used to locate and troubleshoot issues.

PageSize Integer 20

The number of entries returned per page. Default value: 20.

TotalCount Integer 12

The total number of entries returned.

PageCount Integer 20

The total number of pages returned.

Count Integer 10

The number of entries returned on the current page.

List Array of RiskCheckResultForDisplay

The information about the check item.

RiskLevel String high

The risk level of the check item. Valid values:

  • high
  • medium
  • low
Status String pass

The status of the check result. Valid values:

  • pass
  • failed
  • running
  • waiting
  • ignored
  • falsePositive
Type String Identity authentication and permissions

The type of the check item. Valid values:

  • Identity authentication and permissions
  • Network access control
  • Log audit
  • Data security
  • Monitoring and alerting
  • Basic security protection
Sort Integer 1

The sequence number of the check result. The check items are sorted based on the sequence number.

RepairStatus String disabled

Indicates whether the risks that are detected for the check item can be fixed. Valid values:

  • enabled: The risk can be fixed.
  • disabled: The risk cannot be fixed.
RemainingTime Integer 0

The remaining time before the check is complete.

ItemId Long 1

The ID of the check item. For the valid values, see the ItemId column of the check item table in the "Response parameters" section of this topic.

StartStatus String enabled

Indicates whether the check item is supported by the cloud service. Valid values:

  • enabled: The check item is supported by the cloud service.
  • disable: The check item is not supported by the cloud service.
AffectedCount Integer 0

The number of affected assets.

RiskAssertType String ECS

The type of the affected asset.

Title String Cloud Platform - MFA configuration of Alibaba Cloud accounts

The name of the check item.

TaskId Long 15384933

The ID of the check task.

CheckTime Long 1639429164000

The timestamp when the last check was performed. Unit: milliseconds.

RiskItemResources Array of RiskItemResource

The details about the check item.

ContentResource String { "type": "link", "value": "Risk: MFA is disabled\n", "url": "https://***.aliyun.com/#/secure\n" }

The details about the check result, serialized as a JSON string.

ResourceName String bestPractice

The section of the check item details to which this resource belongs. Valid values:

  • bestPractice: description
  • influence: risk
  • suggestion: solution
  • helpResource: reference

The following table describes the check items that are supported by the configuration assessment feature. The information includes the ID, name, type, risk level, and service type of each check item.

ItemId (check item ID) Name (check item name) GroupId (check item type) RiskLevel (risk level) AssetType (Alibaba Cloud service type) Description

1 ActionTrail - logging 3: log audit medium ActionTrail

Checks whether you enable ActionTrail to record operation logs on the cloud and save the logs to Object Storage Service (OSS) buckets.

2 ApsaraDB RDS - database security policies 4: data security medium RDS

Checks whether you enable the Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and SQL audit features for each ApsaraDB RDS instance.

3 Alibaba Cloud account security - MFA 1: identity authentication and permissions high RAM

Checks whether multi-factor authentication (MFA) is enabled for Alibaba Cloud accounts.

4 Alibaba Cloud Security - Back-to-origin configurations of Anti-DDoS Pro or Anti-DDoS Premium 2: network access control high DDoS

Checks whether actual IP addresses of backend servers are hidden after you use Anti-DDoS Pro or Anti-DDoS Premium. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the Server Load Balancer (SLB) instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of Elastic Compute Service (ECS) instances, you can configure security group rules for the ECS instances. All these policies allow access from only back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium.

5 ApsaraDB RDS - whitelist configurations 2: network access control high RDS

Checks whether the whitelist of an ApsaraDB RDS instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the ApsaraDB RDS instance. For security purposes, we recommend that you configure RDS whitelists to allow only requests from specific IP addresses.

6 SLB - open ports 2: network access control high SLB

Checks whether SLB is configured to forward requests from high-risk ports to the Internet.

7 Alibaba Cloud Security - back-to-origin configuration checks for WAF 2: network access control high WAF

Checks whether the actual IP addresses of backend servers are hidden after you use WAF. If the actual IP addresses are hidden, attackers cannot directly access the actual IP addresses. To hide the actual IP addresses, you can configure access control policies. For example, if the actual IP addresses are the IP addresses of the SLB instances, you can configure SLB whitelists on the SLB instances. If the IP addresses are the IP addresses of ECS instances, you can configure security group rules for the ECS instances. All these access control policies allow access from only back-to-origin IP addresses of WAF.

8 Alibaba Cloud Security - agent status 6: basic security protection high ECS

Checks whether the Security Center agent on the ECS instance is always online and provides protection.

12 OSS - bucket permissions 4: data security high OSS

Checks whether the object access control list (ACL) of any of your OSS buckets is public-read or public-read-write. The public-read-write or public-read ACL allows users to read or write the data in your OSS buckets without authorization. To ensure data security, we recommend that you set the ACL of all your buckets to private.

13 Security Center - detection of AccessKey pair leaks 5: monitoring and alerting medium RAM

Checks whether AccessKey leak detection is enabled. API credentials, also known as AccessKey pairs, are unique and important identity credentials. We recommend that you enable AccessKey leak detection to prevent AccessKey pair leaks.

14 ApsaraDB for MongoDB - whitelist configurations 2: network access control high MongoDB

Checks whether whitelists are enabled for ApsaraDB for MongoDB instances. If whitelists are enabled and the whitelists are empty or contain the 0.0.0.0/0 CIDR block, the requests from all IP addresses are allowed. In this case, security risks may occur. We recommend that you configure the whitelist to allow only access requests from trusted IP addresses.

15 RAM - MFA configuration for RAM users 1: identity authentication and permissions medium RAM

Checks whether MFA is enabled for RAM users.

16 OSS - logging 4: data security medium OSS

Checks whether the logging feature is enabled for all OSS buckets. When you access OSS, a large number of access logs are generated. After you enable and configure logging for a bucket, an object with a specific prefix is generated on an hourly basis to record the access logs of the bucket. To analyze the access logs, you can use Alibaba Cloud Data Lake Analytics (DLA) or build a Spark cluster. You can configure lifecycle rules for the bucket to convert the storage class of log objects to Archive for long-term archiving.

17 OSS - cross-region replication 4: data security low OSS

Checks whether cross-region replication (CRR) is enabled for all OSS buckets. CRR enables the automatic and asynchronous replication of objects across buckets in different OSS data centers (regions). CRR synchronizes operations such as creation, overwriting, and deletion of objects from the source bucket to the destination bucket. CRR can meet your requirements on cross-region disaster recovery and data replication. Objects in the destination bucket are extra duplicates of objects in the source bucket. They have the same names, content, and metadata, such as the creation time, owner, user metadata, and ACL.

18 ApsaraDB RDS - database backup 4: data security medium RDS

Checks whether database backup is enabled for ApsaraDB RDS instances. We recommend that you enable database backup for ApsaraDB RDS instances and perform a data backup task on a daily basis.

19 ApsaraDB for Redis - whitelist configurations 2: network access control high Redis

Checks access control configurations of ApsaraDB for Redis.

20 ECS - public key authentication 1: identity authentication and permissions medium ECS

Checks whether SSH key pair-based logons are enabled for ECS instances.

21 SLB - health status 5: monitoring and alerting low SLB

Checks the health status of SLB instances.

22 PolarDB - whitelist configurations 2: network access control medium PolarDB

Checks whether the whitelist of a PolarDB cluster contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the PolarDB cluster. For security purposes, we recommend that you configure whitelists to allow only requests from specific IP addresses.

23 AnalyticDB for PostgreSQL - whitelist configurations 2: network access control medium PostgreSQL

Checks whether the whitelist of an AnalyticDB for PostgreSQL instance contains the CIDR block 0.0.0.0/0. If the whitelist contains the 0.0.0.0/0 CIDR block, all IP addresses are allowed to access the AnalyticDB for PostgreSQL instance. For security purposes, we recommend that you configure whitelists to allow only requests from specific IP addresses.

24 ECS - storage encryption 4: data security low ECS

Checks whether disk encryption is enabled. Disk encryption allows you to meet security or regulatory compliance requirements.

25 SLB - whitelist configurations 2: network access control medium SLB

Checks the SLB whitelist configurations. We recommend that you configure whitelists for non-HTTP and non-HTTPS services, and that you do not add 0.0.0.0/0 to the whitelists.

26 SLB - certificate validity checks 5: monitoring and alerting medium SLB

Checks whether the SLB certificate has expired.

27 ECS - automatic snapshot policies 4: data security medium ECS

Checks whether automatic snapshot policies are enabled for ECS instances.

28 SSL Certificates Service - validity checks 4: data security medium SSL

Checks whether the SSL certificate is within its validity period.

30 OSS - bucket server-side encryption 4: data security low OSS

Checks whether server-side encryption is enabled for OSS buckets.

31 OSS - bucket hotlink protection 2: network access control low OSS

Checks whether hotlink protection is configured for OSS buckets.

32 ApsaraDB RDS - cross-region backup configurations 4: data security low RDS

Checks whether cross-region backup is configured for ApsaraDB RDS instances.

33 ApsaraDB for MongoDB - backup configurations 4: data security medium MongoDB

Checks whether data backup is enabled for ApsaraDB for MongoDB instances.

34 ApsaraDB for MongoDB - log audit 3: log audit medium MongoDB

Checks whether log audit is enabled for ApsaraDB for MongoDB instances.

35 ApsaraDB for MongoDB - SSL encryption 4: data security medium MongoDB

Checks whether SSL certificate checks are enabled for ApsaraDB for MongoDB instances.

36 CloudMonitor - agent status 5: monitoring and alerting medium CloudMonitor

Checks whether the status of the CloudMonitor agent is normal.

37 ECS - security group policies 2: network access control medium ECS

Checks the ECS security group policies.

38 VPC - DNAT management port mapping 2: network access control medium VPC

Checks whether a VPC DNAT rule is configured to map management ports to the Internet.

39 ApsaraDB for Redis - backup configurations 4: data security medium Redis

Checks whether data backup is enabled for ApsaraDB for Redis.

40 Container Registry - repository permission configurations 4: data security high CR

Checks whether permissions are correctly configured for the repository in Container Registry.

41 Container Registry - security scans 6: basic security protection low CR

Checks whether security scan is enabled for Container Registry.

42 SLB - logging 3: log audit medium SLB

Checks whether access logging is configured for SLB instances.

43 ApsaraDB for Redis - log audit 3: log audit low Redis

Checks whether log audit is configured for ApsaraDB for Redis.

44 OSS - authorization policies 1: identity authentication and permissions medium OSS

Checks whether correct authorization policies are enabled for OSS.

46 PolarDB - backup configurations 4: data security medium PolarDB

Checks whether data backup is enabled for PolarDB.

47 PolarDB - SQL Explorer 3: log audit medium PolarDB

Checks whether SQL Explorer is enabled for PolarDB clusters.

49 Alibaba Cloud account security - AccessKey pair 1: identity authentication and permissions medium RAM

Checks whether the AccessKey pair is enabled for your Alibaba Cloud account.

51 Alibaba Cloud CDN - real-time log push feature 3: log audit medium CDN

Checks whether real-time log push is enabled for CDN.

52 ApsaraDB for Redis - SSL encryption 4: data security medium Redis

Checks whether SSL certificates are enabled for ApsaraDB for Redis instances.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeRiskCheckResult
&SourceIp=1.2.XX.XX
&Lang=zh
&GroupId=1
&CurrentPage=1
&RiskLevel=high
&Status=pass
&AssetType=RDS
&Name=Cloud Platform - MFA configuration of Alibaba Cloud accounts
&PageSize=20
&QueryFlag=enabled
&ItemIds=["15"]
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeRiskCheckResultResponse>
    <CurrentPage>1</CurrentPage>
    <RequestId>AD271C07-4ACE-413D-AA9B-F14FD3B7717F</RequestId>
    <PageSize>20</PageSize>
    <TotalCount>12</TotalCount>
    <PageCount>20</PageCount>
    <Count>10</Count>
    <List>
        <RiskLevel>high</RiskLevel>
        <Status>pass</Status>
        <Type>Identity authentication and permissions</Type>
        <Sort>1</Sort>
        <RepairStatus>disabled</RepairStatus>
        <RemainingTime>0</RemainingTime>
        <ItemId>1</ItemId>
        <StartStatus>enabled</StartStatus>
        <AffectedCount>0</AffectedCount>
        <RiskAssertType>ECS</RiskAssertType>
        <Title>Cloud Platform - MFA configuration of Alibaba Cloud accounts</Title>
        <TaskId>15384933</TaskId>
        <CheckTime>1639429164000</CheckTime>
        <RiskItemResources>
            <ContentResource>{   "type": "link",   "value": "Risk: MFA is disabled\n",   "url": "https://***.aliyun.com/#/secure\n" }</ContentResource>
            <ResourceName>bestPractice</ResourceName>
        </RiskItemResources>
    </List>
</DescribeRiskCheckResultResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "CurrentPage" : 1,
  "RequestId" : "AD271C07-4ACE-413D-AA9B-F14FD3B7717F",
  "PageSize" : 20,
  "TotalCount" : 12,
  "PageCount" : 20,
  "Count" : 10,
  "List" : [ {
    "RiskLevel" : "high",
    "Status" : "pass",
    "Type" : "Identity authentication and permissions",
    "Sort" : 1,
    "RepairStatus" : "disabled",
    "RemainingTime" : 0,
    "ItemId" : 1,
    "StartStatus" : "enabled",
    "AffectedCount" : 0,
    "RiskAssertType" : "ECS",
    "Title" : "Cloud Platform - MFA configuration of Alibaba Cloud accounts",
    "TaskId" : 15384933,
    "CheckTime" : 1639429164000,
    "RiskItemResources" : [ {
      "ContentResource": "{   \"type\": \"link\",   \"value\": \"Risk: MFA is disabled\\n\",   \"url\": \"https://***.aliyun.com/#/secure\\n\" }",
      "ResourceName" : "bestPractice"
    } ]
  } ]
}
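As an added example (not code from this topic or from the Alibaba Cloud SDKs), the following Python consumes responses in the JSON format shown above: it pages through results using CurrentPage, PageSize and TotalCount, decodes the JSON that ContentResource carries as a string (including the trailing `\n` on `value` and `url`), and orders failed checks by risk level and affected asset count. The `fetch` callable and the two sample pages are assumptions constructed for the demonstration; signing the request is left to the SDK or OpenAPI Explorer.

```python
"""Consume DescribeRiskCheckResult: page through results, decode the JSON that is
serialized as a string inside ContentResource, and rank failed checks by risk.
Added example, not Alibaba Cloud SDK code; `fetch` is an assumed callable that
performs the signed request and returns the parsed JSON body."""
import json

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def decode_content_resource(raw):
    """Decode the embedded JSON string; strip the trailing newline on 'value'/'url'."""
    return {k: v.rstrip("\n") if isinstance(v, str) else v
            for k, v in json.loads(raw).items()}


def iter_results(fetch, page_size=20, **filters):
    """Yield every List entry, advancing CurrentPage until TotalCount is covered."""
    page = 1
    while True:
        resp = fetch(dict(Action="DescribeRiskCheckResult", CurrentPage=page,
                          PageSize=page_size, **filters))
        yield from resp.get("List", [])
        if not resp.get("List") or page * resp["PageSize"] >= resp["TotalCount"]:
            return
        page += 1


def failed_checks(fetch, **filters):
    """Failed items, highest risk and most affected assets first; details keyed
    by ResourceName section (bestPractice/influence/suggestion/helpResource)."""
    out = []
    for it in iter_results(fetch, Status="failed", **filters):
        details = {r["ResourceName"]: decode_content_resource(r["ContentResource"])
                   for r in it.get("RiskItemResources", [])}
        out.append({"ItemId": it["ItemId"], "Title": it["Title"], "RiskLevel": it["RiskLevel"],
                    "AssetType": it["RiskAssertType"], "AffectedCount": it["AffectedCount"],
                    "Fixable": it["RepairStatus"] == "enabled", "Details": details})
    return sorted(out, key=lambda c: (RISK_ORDER[c["RiskLevel"]], -c["AffectedCount"]))


# Constructed sample: two pages of failed items modelled on this topic's JSON example,
# served by fake_fetch, a stand-in for the signed HTTP call.
_CONTENT = '{   "type": "link",   "value": "Risk: MFA is disabled\\n",   "url": "https://***.aliyun.com/#/secure\\n" }'


def _item(item_id, level, affected, title, asset):
    return {"RiskLevel": level, "Status": "failed", "ItemId": item_id, "Title": title,
            "RiskAssertType": asset, "AffectedCount": affected, "RepairStatus": "disabled",
            "RiskItemResources": [{"ContentResource": _CONTENT, "ResourceName": "influence"}]}


SAMPLE_PAGES = {
    1: {"CurrentPage": 1, "PageSize": 2, "TotalCount": 3, "Count": 2, "List": [
        _item(15, "medium", 4, "RAM - MFA configuration for RAM users", "RAM"),
        _item(3, "high", 1, "Alibaba Cloud account security - MFA", "RAM")]},
    2: {"CurrentPage": 2, "PageSize": 2, "TotalCount": 3, "Count": 1, "List": [
        _item(5, "high", 2, "ApsaraDB RDS - whitelist configurations", "RDS")]}}


def fake_fetch(params):
    return SAMPLE_PAGES[params["CurrentPage"]]
```

Calling `failed_checks(fake_fetch, page_size=2)` walks both sample pages and returns the three failed items ordered high before medium, with the decoded `influence` text available for each.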

Error codes

HTTP status code Error code Error message Description
400 NoPermission no permission The error message returned because you do not have access permissions.
500 ServerError ServerError The error message returned because a server error occurred.

For a list of error codes, visit the API Error Center.