中国GMP附录合规包

在制药领域中使用计算机化系统的企业和组织,在用云过程中需要满足中国GMP附录《计算机化系统》标准。本合规包模板提供了标准细则与阿里云的产品设置的对应关系。本文为您介绍中国GMP附录合规包中的默认规则。

规则名称

规则描述

建议项编号

建议项说明

开启操作审计全量日志跟踪

操作审计中存在开启状态的跟踪,且跟踪全部地域和全部事件类型,视为“合规”。如果是资源目录成员账号,当管理员有创建应用到所有成员账号的跟踪时,视为“合规”。

  • 2.3

  • 5.16

  • 5.21

Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As a quality risk management, risk management must be applied to confirm the required verification scope and control level of data integrity based on your written risk evaluation result. A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures.

使用云安全中心企业版

使用云安全中心企业版或者更高级别的版本,视为“合规”。

  • 2.3

  • 5.21

Risk management must span the entire lifecycle of a computerized system. Patient safety, data integrity, and product quality must be taken into account. As a quality risk management, risk management must be applied to confirm the required verification scope and control level of data integrity based on your written risk evaluation result. You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures.

运行中的ECS实例开启云安全中心防护

通过在主机上安装云安全中心插件,提供主机的安全防护服务。如果有安装云安全中心插件,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

运行中的ECS实例无待修复漏洞

ECS实例在云安全中心无指定类型和等级的待修复漏洞,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

ECS实例状态不是已停止状态

ECS实例状态不是已停止状态,视为“合规”。

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

检测闲置弹性公网IP

弹性公网已绑定到ECS或者NAT实例,非闲置状态,视为“合规”。

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

检查闲置安全组

检查闲置安全组,安全组绑定的ECS实例数量大于0,视为“合规”。

4.7

You must build an inventory that includes the details of all computerized systems and specifies the details of the features that are related to the quality management of pharmaceutical manufacturing. The inventory must be updated at the earliest opportunity.

RDS实例开启日志备份

RDS实例开启日志备份,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

PolarDB集群日志备份保留周期满足指定要求

PolarDB集群日志备份保留周期大于等于指定天数,视为“合规”。参数默认值30天。未开启日志备份或备份保留周期小于指定天数,视为“不合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Redis实例开启增量备份

Redis实例开启增量备份,视为“合规”。本规则只适用于类型为Tair的实例,非Tair类型的实例,视为“不适用”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Elasticsearch实例开启自动备份

Elasticsearch实例开启了自动备份,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

ADB集群开启日志备份

ADB集群开启日志备份,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

MongoDB实例打开日志备份

MongoDB实例开启日志备份,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

为NAS文件系统创建备份计划

为NAS文件系统创建备份计划,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

ECS磁盘设置自动快照策略

ECS磁盘设置了自动快照策略,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

OceanBase集群开启数据库备份

OceanBase集群开启数据库备份,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

OSS存储空间开启版本控制

如果没有开启版本控制,会导致数据被覆盖或删除时无法恢复。如果开启版本控制则,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

OSS存储空间开启同城冗余存储

如果没有开启同城冗余存储,会导致当出现某个机房不可用时,OSS服务无法提供一致性服务,影响数据恢复目标。OSS存储空间开启同城冗余存储,视为“合规”。

  • 4.9

  • 5.15

  • 5.19

  • 5.20

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected. If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

DTS同步任务源库和目标库使用SSL安全链接

DTS实例下同步任务源库和目标库均使用SSL安全链接,视为“合规”。任务类型为非同步类型的DTS实例不适用本规则,视为“不适用”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

DTS迁移任务源库和目标库使用SSL安全链接

DTS实例下迁移任务源库和目标库均使用SSL安全链接,视为“合规”。任务类型为非迁移类型的DTS实例不适用本规则,视为“不适用”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

CDN域名开启TLS13版本检测

检测CDN域名是否启用TLS1.3,启用,视为“合规”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

Elasticsearch实例使用HTTPS传输协议

Elasticsearch实例使用HTTPS传输协议,视为“合规”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

函数计算函数绑定到自定义域名且开启TLS指定版本

函数计算函数绑定到自定义域名且开启TLS指定版本,视为“合规”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

PolarDB集群设置SSL加密

PolarDB集群设置了SSL加密,视为“合规”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

Redis实例设置SSL加密

Redis实例设置SSL加密,视为“合规”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

API网关中开启公网访问的API请求方式为HTTPS

API网关中开启公网访问的API请求方式设置为HTTPS,视为“合规”。只限制内网调用的API不适用此规则,视为“不适用”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

RDS实例使用SSL证书

RDS实例的数据安全性设置开启SSL证书,视为“合规”。

  • 4.9

  • 5.15

When you convert data formats or migrate data, make sure that the value and definition of the data do not change. When an operator inputs core data, such as the weight and batch ID of materials when the operator weighs the materials, the operator must review the inputted records to ensure the correctness. The review operation can be performed by another operator or a validated application. You can configure the review feature for a system if necessary. This ensures the accuracy of inputted data and that data is processed as expected.

使用中的ECS数据磁盘开启加密

使用中的ECS数据磁盘已开启加密,视为“合规”。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

RDS实例开启TDE加密

RDS实例的数据安全性设置开启TDE加密,视为“合规”。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

VPN连接使用的加密算法不为None

VPN连接使用的加密算法不为None,视为“合规”。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

Elasticsearch实例数据节点开启云盘加密

Elasticsearch实例数据节点开启云盘加密,视为“合规”。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

PolarDB集群开启TDE

PolarDB集群开启TDE,视为“合规”。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

Redis实例使用自定义密钥开启TDE加密

Redis实例使用自定义密钥开启TDE加密,视为“合规”。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

日志服务日志库设置数据加密

日志服务日志库设置了数据加密,视为“合规”。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

ECS自动快照保留天数满足指定要求

ECS自动快照策略设置快照保留天数大于设置的天数,视为“合规”。默认值:7天。

5.19

If most of the data of an enterprise is digital, you must meet the following requirements:2. Ensure the data security by using physical or electronic methods and prevent the data from being intentionally and unintentionally damaged. If changes occur in a system when you perform daily operations and maintenance, such as computers or their applications, you must check the accessibility and data integrity of the stored data.3. You must develop an operation guide on how to back up and restore data and back up data on a regular basis to protect stored data for subsequent use. Data backups must be stored in a separate and secure location. The retention period must meet the requirements for the retention period of files and records in the standard.

RDS实例开启删除保护

RDS实例开启删除保护,视为“合规”。付费类型为包年包月的实例不支持该功能,视为“不适用”。

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

PolarDB集群开启删除保护

PolarDB集群开启删除保护,视为“合规”。预付费类型的集群,视为“不适用”。

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

ECS实例开启释放保护

ECS实例开启释放保护,视为“合规”。

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

HBase集群开启删除保护

HBase集群开启删除保护,视为“合规”。预付费类型的集群,视为“不适用”。

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

MongoDB实例开启释放保护

MongoDB实例开启释放保护,视为“合规”。预付费类型的实例,视为“不适用”。

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Redis实例开启释放保护

Redis实例开启释放保护,视为“合规”。预付费类型的实例,视为“不适用”。

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

SLB实例开启释放保护

SLB实例开启释放保护,视为“合规”。

  • 5.17

  • 5.20

Changes in a computerized system must be performed based on a predefined operation guide. The operation guide must include the procedures for evaluating, validating, reviewing, approving, and performing changes. Changes in a computerized system must be approved by some owners of the computerized system. The details of the changes must be recorded. Major changes must be validated. You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

运行中的ECS实例安装了云监控插件

运行中的ECS实例安装云监控插件而且插件状态为运行中,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。

5.21

You must develop an operation guide on how to process system failures or damages. You can verify the content of the operation guide if necessary. All incidents, including system failures and data faults must be recorded and evaluated. You must investigate major incidents, identify the root causes of the incidents, and take the required corrective measures and preventive measures.

RDS实例开启历史事件

RDS实例开启历史事件日志,视为“合规”。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

阿里云账号开启MFA

阿里云账号开启MFA,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

RAM用户开启MFA

开启控制台访问功能的RAM用户登录设置中必须开启多因素认证或者已启用MFA,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

OSS存储空间ACL禁止公共读写

OSS存储空间的ACL策略禁止公共读写,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

OSS存储空间不能为匿名账号授予任何权限

OSS Bucket授权策略中未授予匿名账号任何读写权限,视为“合规”。若OSS Bucket未设置任何授权策略,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

ECS实例被授予实例RAM角色

ECS实例被授予了实例RAM角色,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

函数计算服务配置了服务角色

函数计算服务配置了服务角色,视为“合规”。避免因暴露阿里云账号密钥,造成安全风险。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

ACK集群启用RRSA功能

启用ACK集群的RRSA功能,视为“合规”。RRSA功能可以在集群内实现Pod维度的OpenAPI权限隔离,从而实现云资源访问权限的细粒度隔离,降低安全风险。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

RAM用户访问设置人员和程序分离

RAM用户未同时开启控制台访问和API调用访问,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

MSE集群开放公网访问时需开启鉴权

MSE集群开放公网访问时开启鉴权,视为“合规”。未开启公网访问时,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

RAM用户不存在闲置AccessKey

RAM用户AccessKey的最后使用时间距今天数小于参数设置的天数,视为“合规”。默认值:90天。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

RAM用户密码策略符合要求

RAM用户密码策略中各项配置满足参数设置的值,视为“合规”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

RAM用户在指定时间内有登录行为

如果RAM用户在最近90天有登录行为,视为“合规”。如果RAM用户的最近登录时间为空,则检查更新时间,当更新时间小于等于90天时,视为“合规”。未开启控制台访问的用户,视为“不适用”。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

RAM用户的AccessKey在指定时间内轮换

RAM用户下AccessKey的创建时间距离检查时间不超过指定天数,视为“合规”。默认值:90天。

5.14

Only authorized operators can input or modify data. You can take the following measures to prevent unauthorized operators from inputting data: keys, encryption cards, individual passwords, and limited access to computers. You must develop a guideline on how to authorize, cancel authorization, change authorization, and change individual passwords when an operator needs to input or modify data. You can also configure a feature for the existing system to record system access attempts from unauthorized operators. If the process cannot be manually controlled due to some by-design issues of the system, a written document that describes how to record operational logs and take physical isolation measures must be provided. This ensures that only authorized operators can perform the required operations.

Redis实例开启审计日志

Redis实例开启审计日志,视为“合规”。不支持开启审计日志的相关版本实例,视为“不适用”。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

MongoDB集群开启审计日志

MongoDB实例开启审计日志,视为“合规”。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

OSS存储空间开启日志转存

OSS存储空间的日志管理中开启日志转存,视为“合规”。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

WAF实例开启日志采集

已接入WAF2.0进行防护的域名均开启日志采集,视为“合规”。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

RDS实例SQL审计日志保留天数满足指定要求

RDS Mysql类型实例开启SQL审计且日志保留天数大于等于指定值,视为“合规”。默认值:180天。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

ADB集群开启SQL审计日志

ADB集群开启SQL审计日志,视为“合规”。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

SLB实例开启访问日志

SLB传统型负载均衡实例开启访问日志,视为“合规”。未启用7层监听的实例不支持开启访问日志,视为“不适用”。

5.16

A computerized system must record the identity of each operator that inputs or verifies core data. Only authorized operators can modify inputted data. Each time an operator modifies an existing core data piece, the operation must be approved and the reason for the modification must be recorded. An enterprise can build a tracking system to audit data in a computerized system based on the result of risk evaluation. This way, data inputs and modifications can be recorded.

使用多可用区的RDS实例

RDS实例为多可用区实例,视为“合规”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

Redis实例为多可用区实例

Redis实例为多可用区实例,视为“合规”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

使用多可用区的SLB实例

SLB实例为多可用区实例,视为“合规”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

使用多可用区的ALB实例

ALB实例为多可用区实例,视为“合规”。如果只选择了一个可用区,当这个可用区出现故障时,会影响ALB实例,进而影响业务稳定性。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

使用多可用区MongoDB实例

使用多可用区的MongoDB实例,视为“合规”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

弹性伸缩组关联至少两个交换机

弹性伸缩组关联至少两个交换机,视为“合规”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

为终端节点服务配置多个可用区

终端节点服务配置多个可用区,视为“合规”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

为PolarDB集群开启热备集群

PolarDB集群开启存储热备集群,数据分布在多个可用区,视为“合规”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

SLB负载均衡的虚拟服务器组添加多个可用区资源

SLB负载均衡的虚拟服务器组挂载资源分布在多个可用区,视为“合规”。虚拟服务器组无挂载任何资源时不适用本规则,视为“不适用”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.

ALB负载均衡服务器组添加多个可用区资源

ALB负载均衡的服务器组挂载资源分布在多个可用区,视为“合规”。ALB服务器组无挂载任何资源时不适用本规则,视为“不适用”。

5.20

You must develop a emergency response plan and launch the plan when a system is damaged. The timeliness of a launch of the plan is subject to the emergency level of the issue that requires the launch of the plan. For example, information that affects the recall of products must be obtained at the earliest opportunity.