规则名称 | 规则描述 | 建议项编号 | 建议项说明 |
RDS实例开启日志备份 | RDS实例开启日志备份,视为“合规”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
为NAS文件系统创建备份计划 | 为NAS文件系统创建备份计划,视为“合规”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
OSS存储空间开启同城冗余存储 | 如果没有开启同城冗余存储,会导致当出现某个机房不可用时,OSS服务无法提供一致性服务,影响数据恢复目标。OSS存储空间开启同城冗余存储,视为“合规”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
PolarDB集群的数据一级备份保留周期满足指定要求 | PolarDB集群一级备份保留周期大于等于指定天数,视为“合规”。参数默认值7天。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
为API分组设置调用日志存储 | API网关中API分组设置了调用日志存储,视为“合规”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
OSS存储空间开启版本控制 | 如果没有开启版本控制,会导致数据被覆盖或删除时无法恢复。如果开启版本控制,则视为“合规”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. The entity disposes of confidential information to meet the entity's objectives related to confidentiality. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
SLB实例开启访问日志 | SLB传统型负载均衡实例开启访问日志,视为“合规”。未启用7层监听的实例不支持开启访问日志,视为“不适用”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
ADB集群开启日志备份 | ADB集群开启日志备份,视为“合规”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
ECS磁盘设置自动快照策略 | ECS磁盘设置了自动快照策略,视为“合规”。 | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
开启操作审计全量日志跟踪 | 操作审计中存在开启状态的跟踪,且跟踪全部地域和全部事件类型,视为“合规”。如果是资源目录成员账号,当管理员有创建应用到所有成员账号的跟踪时,视为“合规”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
云安全中心通知项目已设置通知方式 | 云安全中心通知项目均已设置通知方式,视为“合规”。 | A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. |
RDS实例开启删除保护 | RDS实例开启删除保护,视为“合规”。付费类型为包年包月的实例不支持该功能,视为“不适用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
PolarDB集群开启删除保护 | PolarDB集群开启删除保护,视为“合规”。预付费类型的集群视为“不适用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
KMS主密钥开启删除保护 | KMS主密钥开启删除保护,视为“合规”。如果密钥状态非启用中,视为“不适用”,如果密钥为服务密钥,由于本身不可删除,视为“不适用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
RAM用户组非空 | RAM用户组至少包含一个RAM用户,视为“合规”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不存在闲置的RAM用户组 | RAM用户组至少包含一个RAM用户且绑定了至少一个RAM权限策略,视为“合规”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不存在闲置的RAM权限策略 | RAM权限策略至少绑定一个RAM用户组、RAM角色或RAM用户,视为“合规”。 | CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
不存在超级管理员 | RAM用户、RAM用户组、RAM角色均未拥有Resource为*且Action为*的超级管理员权限,视为“合规”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
使用云安全中心企业版 | 使用云安全中心企业版或者更高级别的版本,视为“合规”。 | CC3.1 CC6.6 CC6.8 CC7.1 CC7.2 CC7.3 CC7.4
| COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.#The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
云防火墙中资产开启保护 | 云防火墙中资产开启保护,视为“合规”。本规则只对云防火墙付费用户有效,未开通云防火墙或者免费用户资产无检测数据。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
在云安全中心设置指定等级的漏洞扫描 | 在云安全中心设置指定风险等级的漏洞扫描,视为“合规”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
在云安全中心开启指定类型的主动防御 | 在云安全中开启了参数指定的主动防御类型,视为“合规”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
WAF3实例开启指定防护规则 | WAF3.0实例开启指定防护场景的规则,视为“合规”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
运行中的ECS实例开启云安全中心防护 | 通过在主机上安装云安全中心插件,提供主机的安全防护服务。如果有安装云安全中心插件,则视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
|
RAM用户开启MFA | 开启控制台访问功能的RAM用户登录设置中必须开启多因素认证或者已启用MFA,视为“合规”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
运行中的ECS实例安装了云监控插件 | 运行中的ECS实例安装云监控插件而且插件状态为运行中,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
ACK集群运行中节点安装云监控插件 | ACK集群运行中节点均安装了云监控插件,且监控运行状态正常,视为“合规”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
VPC开启流日志记录 | VPC已开启流日志(Flowlog)记录功能,视为“合规”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
密钥管理服务设置凭据自动轮转 | 密钥管理服务中的凭据设置自动轮转,视为“合规”。如果密钥类型为普通密钥,视为“不适用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
|
运行中的ECS实例未绑定公网地址 | 运行中的ECS实例没有直接绑定IPv4公网IP或弹性公网IP,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
OSS存储空间开启服务端加密 | OSS存储空间开启服务端OSS完全托管加密,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS存储空间开启日志转存 | OSS存储空间的日志管理中开启日志转存,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.#The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
OSS存储空间ACL禁止公共读 | OSS存储空间的ACL策略禁止公共读,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
阿里云账号不存在AccessKey | 阿里云账号不存在任何状态的AccessKey,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
ECS数据磁盘开启加密 | ECS数据磁盘已开启加密,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
KMS凭据成功轮转 | KMS凭据开启自动轮转并且根据设定的轮转周期成功进行了轮转,视为“合规”。通用凭据不支持在KMS直接配置周期性轮转,视为“不适用”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS存储空间权限策略设置安全访问 | OSS存储空间权限策略中包含了读写操作的访问方式设置为HTTPS,或者拒绝访问的访问方式设置为HTTP,视为“合规”。权限策略为空的OSS存储空间,视为“不适用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
函数计算服务禁止访问公网 | 函数计算服务设置了禁止访问公网,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
SSL证书到期检测 | SSL证书到期时间剩余天数大于参数指定的天数,视为”合规“。参数默认值为30天。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
NAS文件系统设置了加密 | NAS文件系统设置了加密,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
Elasticsearch实例数据节点开启云盘加密 | Elasticsearch实例数据节点开启云盘加密,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
KMS主密钥未设置为待删除 | KMS主密钥未设置为待删除,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
ADB集群未开启公网 | ADB实例未开启公网访问,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS存储空间ACL禁止公共读写 | OSS存储空间的ACL策略禁止公共读写,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
RAM用户的AccessKey在指定时间内轮换 | RAM用户的AccessKey创建时间距离检查时间不超过指定天数,视为“合规”。默认值:90天。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
Elasticsearch实例未开启公网访问 | Elasticsearch实例未开启公网访问,视为“合规”。 | CC6.1、CC6.6 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
RAM用户密码策略符合要求 | RAM用户密码策略中各项配置满足参数设置的值,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.#The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
运行中的ECS实例在专有网络 | 阿里云推荐购买的ECS放在VPC里面。如果ECS有归属VPC,则视为“合规”。如果指定参数,则检查ECS实例的专有网络实例在指定参数范围内,视为“合规”。非运行中的ECS实例视为“不适用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
ALB实例HTTP监听设置移除Header的转发功能 | ALB负载均衡运行中的HTTP监听设置了删除Header的转发动作,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
RDS实例禁止配置公网地址 | RDS实例未配置公网地址,视为“合规”。生产环境的RDS实例不推荐配置公网直接访问,容易被黑客攻击。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
SLB开启HTTPS监听 | SLB在指定端口上开启HTTPS协议的监听,视为“合规”。如果SLB实例只开启TCP或者UDP协议的监听,视为“不适用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
安全组非白名单端口入网设置有效 | 除指定的白名单端口外,其余端口不能有授权策略设置为允许而且来源为0.0.0.0/0的入方向规则,视为“合规”。云产品或虚商所使用的安全组不适用本规则,视为“不适用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
Elasticsearch实例使用HTTPS传输协议 | Elasticsearch实例使用HTTPS传输协议,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
函数服务设置为仅允许指定VPC调用 | 函数服务设置为仅允许指定VPC调用,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
RDS实例开启TDE加密 | RDS实例的数据安全性设置开启TDE加密,视为“合规”。不支持TDE加密的实例规格或版本视为“不适用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
|
安全组指定协议不允许对全部网段开启风险端口 | 当安全组入网网段设置为0.0.0.0/0时,指定协议的端口范围不包含指定风险端口,视为“合规”。若入网网段未设置为0.0.0.0/0时,即使端口范围包含指定的风险端口,也视为“合规”。如果检测到的风险端口被优先级更高的授权策略拒绝,视为“合规”。云产品或虚商所使用的安全组视为“不适用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
PolarDB实例IP白名单禁止设置为全网段 | PolarDB实例IP白名单未设置为0.0.0.0/0,视为“合规”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
PolarDB集群的所有连接地址都未开启公网 | PolarDB集群的所有连接地址都未开启公网,视为“合规”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
检测闲置弹性公网IP | 弹性公网已绑定到ECS或者NAT实例,非闲置状态,视为“合规”。 | CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
RAM用户访问设置人员和程序分离 | RAM用户未同时开启控制台访问和API调用访问,视为“合规”。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不直接授权给RAM用户 | RAM用户没有直接绑定权限策略,视为“合规”。推荐RAM用户从RAM组或角色继承权限。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
RAM用户归属用户组 | 所有RAM用户均归属于RAM用户组,视为“合规”。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
RAM用户不存在激活状态的密钥 | RAM用户不存在激活状态的密钥,视为“合规”。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
ACK集群安装ack-ram-authenticator组件基于RAM进行请求认证 | ACK集群安装ack-ram-authenticator组件,实现基于RAM的鉴权,视为“合规”。 | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ECS实例被授予实例RAM角色 | ECS实例被授予了实例RAM角色,视为“合规”。 | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
PolarDB集群开启TDE | PolarDB集群开启TDE,视为“合规”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
API网关中配置API安全认证 | API网关中配置API安全认证为阿里云APP或者使用指定的插件类型,视为“合规”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
API网关中API分组绑定域名接入WAF或者WAF3.0 | API网关中的API分组绑定的域名接入了WAF或者WAF3.0,视为“合规”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
弹性伸缩配置中未设置分配公网IPv4地址 | 弹性伸缩配置中未设置分配公网IPv4地址,视为“合规”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
运行中的ECS实例无待修复漏洞 | ECS实例在云安全中心无指定类型和等级的待修复漏洞,视为“合规”。非运行中状态的实例不适用本规则,视为“不适用”。 | | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
账号下所有ECS实例已安装云安全中心代理 | 账号下所有ECS实例均已安装云安全中心代理,视为“合规”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
SLB实例未绑定公网IP | SLB实例未绑定公网IP,视为“合规”。如果没有公网需求,建议SLB实例不要直接绑定公网IP地址。如果有公网需求,建议购买EIP并和相关SLB实例进行绑定,使用EIP更加灵活、同时可使用共享带宽降低成本。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
NAT网关不允许映射指定的风险端口 | NAT网关DNAT映射端口不包含指定的风险端口,视为“合规”。 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
SLB使用证书为阿里云签发 | SLB使用证书为阿里云签发,视为“合规”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
SLB实例的HTTPS监听使用指定的安全策略套件 | SLB实例的所有HTTPS类型监听使用参数指定的安全策略套件版本,视为“合规”。未设置HTTPS类型监听的SLB实例,视为“不适用”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
API网关中API分组的自定义域名设置了SSL证书 | API网关中的API分组绑定自定义域名并且设置了SSL证书,视为“合规”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
PolarDB集群设置SSL加密 | PolarDB集群设置了SSL加密,视为“合规”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
CDN域名开启TLS13版本检测 | 检测CDN域名是否启用TLS1.3,启用视为“合规”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
DTS同步任务源库和目标库使用SSL安全链接 | DTS实例下同步任务源库和目标库均使用SSL安全链接,视为“合规”。任务类型为非同步类型的DTS实例不适用本规则,视为“不适用”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
ECS实例禁止绑定公网地址 | ECS实例没有直接绑定IPv4公网IP或弹性公网IP,视为“合规”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
容器镜像服务实例未打开公网访问入口 | 容器镜像服务实例未打开公网访问入口,视为“合规”,适用于企业版。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
Redis实例设置TLS或SSL加密 | Redis实例设置TLS或SSL加密,视为“合规”。 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
云安全中心无待修复的镜像漏洞 | 云安全中心开启镜像扫描且无待修复的镜像漏洞,视为“合规”。未开启或未执行镜像扫描时无法获取漏洞信息,视为“不适用”。 | | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
|
ACK集群节点安装云监控插件 | ACK集群节点均已安装云监控插件,且插件运行状态正常,视为“合规”。 | CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
函数计算中函数设置满足参数指定要求 | 函数计算2.0中的函数设置满足参数指定的要求,视为“合规”。 | CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
为指定云产品设置云监控报警规则 | 在云监控为指定命名空间的云服务设置了至少一条报警规则,视为“合规”。 | | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
ADB集群开启SQL审计日志 | ADB集群开启SQL审计日志,视为“合规”。 | CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
PolarDB集群开启SQL审计 | PolarDB集群SQL审计状态为开启,视为“合规”。 | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |