Overview

更新时间:
复制 MD 格式

Compliance packages dynamically and continuously check your resources for compliance and notify you to fix non-compliant resources. Cloud Config provides 24 compliance packages.

Best practices for network and data security

This package checks network architecture and data security configurations to ensure proper protection and reduce data leak risks.

Check items:

Features

Description

Account

Checks passwords and permission policies for Alibaba Cloud accounts and RAM users.

Check network connectivity

Checks network ownership, security group configurations, traffic monitoring, and open ports for instances.

Check the virtual machine.

Checks disk encryption, system updates, endpoint protection, and open ports for instances.

Checking Object Storage Service (OSS)

Checks read/write permissions, secure transmission, and content encryption for OSS buckets.

Check the database.

Checks connection types, data encryption, and audit configurations of databases.

ClassifiedProtectionPreCheck

Based on the MLPS 2.0 Level 3 standard, this package monitors your Alibaba Cloud resources for compliance to help you avoid repeated corrections during formal inspections.

Check items:

Feature

Description

Network type

Checks whether ECS instances and database instances use VPCs. An instance is compliant if its VPC matches the expected value of the relevant rule parameter.

Protection configurations

Checks whether IP address whitelists of ECS and database instances are set to 0.0.0.0/0 and whether encryption is enabled for ECS data disks.

Checking Object Storage Service (OSS)

Checks whether OSS buckets use read-only access and whether zone-redundant storage and server-side encryption with OSS-managed keys are enabled.

Bandwidth

Checks whether SLB instances and elastic IP addresses meet the specified minimum bandwidth thresholds.

OSS compliance management best practices

This package continuously monitors OSS bucket compliance and notifies you of non-compliant configurations that may lead to data leaks or loss.

Check items:

Features

Description

Read and write permissions

Checks whether OSS bucket ACLs are set to public-read or public-read-write.

Protection configurations

To further enhance data security, file encryption and hotlink protection must be enabled on buckets.

Verify zone-redundant storage

Checks whether zone-redundant storage is enabled for OSS buckets.

BestPracticesForLoadBalancer

This package checks public network and whitelist settings, multi-zone disaster recovery, instance renewal and expiration, and change management for CLB and ALB instances.

Check items:

Feature

Description

Prevent service disruptions

If your network capacity cannot handle peak traffic, your services may be disrupted.

Isolate from the public network

Incorrect network settings can expose your systems to the Internet. This exposure can lead to attacks and data breaches.

Detect network issues promptly

If real-time network monitoring is disabled, you cannot detect network issues promptly. This delay can introduce potential threats to your business.

Resource protection best practices

This package checks whether protection features are enabled for Alibaba Cloud services such as ECS and ApsaraDB RDS.

Check items:

Features

Description

Logon of Alibaba Cloud accounts or RAM users

Checks password validity periods and MFA status for Alibaba Cloud accounts and RAM users.

Security configurations

Checks for invalid RAM users, user groups, or permission policies, and whether key pairs are created for Alibaba Cloud accounts.

Authorization

Checks whether policies are attached to RAM users and whether full permissions on Alibaba Cloud services are granted.

BestPracticesForIdentityAndPermissions

This package checks the settings and usage of AccessKey pairs, Alibaba Cloud accounts, and RAM users.

Best practices for database compliance management

This package checks the compliance of ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, and PolarDB instances in terms of encryption and access control to prevent data leaks.

Check items:

Features

Description

Validity period

Checks the validity periods of database instances.

Protection configurations

Checks whether release protection is enabled and IP address whitelists are set to 0.0.0.0/0 for database instances.

Network type

Checks whether database instances use VPCs and whether the VPCs match the expected value of the relevant rule parameter.

BestPracticesForECS

This package checks ECS instance compliance in terms of status, security configurations, protection settings, and snapshot configurations to prevent business interruption and cost overruns.

Check items:

Features

Description

Status

The compliance package checks the status of ECS instances.

Verify Security Settings

Checks the validity periods and security groups of ECS instances.

Protection configurations

Checks whether release protection and disk encryption are enabled for ECS instances.

Snapshot configurations

Checks whether automatic snapshot policies are configured, automatic locking is enabled, and snapshot retention periods meet requirements for ECS disks.

RMiTComplianceCheck

This package checks cloud IT system compliance based on the Risk Management in Technology (RMiT) framework for financial institutions in Malaysia.

Check items:

Features

Description

Account

Checks passwords, permission policies, logons, and MFA status of RAM users.

Check the Server Load Balancer (SLB)

Checks whether release protection and HTTPS listeners are enabled for SLB instances and whether Alibaba Cloud certificates are valid.

Checking the ECS instance

Checks whether ECS instances use VPCs, whether disk encryption is enabled, and whether the instances are bound to public IPv4 addresses.

OSS bucket

Checks whether KMS server-side encryption, default server-side encryption, and log storage are enabled for OSS buckets.

Checking ApsaraDB RDS

Checks whether historical event logging and transparent data encryption (TDE) are enabled for ApsaraDB RDS instances and whether the instances support multi-zone deployment.

Check ActionTrail.

Checks whether an enabled ActionTrail trail exists and records all types of event logs.

GovernanceCenterCompliancePractices

This package lets you configure and enable rules for all member accounts of your resource directory in the Cloud Governance Center console, preventing modifications to Cloud Governance Center configurations and resource structures.

BestPracticesForSecurityGroups

This package monitors security group rule compliance to reduce security risks.

BestPracticesForOceanBase

This package continuously monitors the compliance of your OceanBase resources based on the BestPracticesForSecurityGroups compliance package.

BestPracticesForResourceStability

This package monitors cloud resource stability across six dimensions: high-availability infrastructure, capacity protection, change management, monitoring, backup management, and fault isolation.

PCIDSSDataSecurityStandard

This package is based on PCI DSS V4.0 to protect account data and check cloud resource usage and management for compliance.

GxPComplianceCheckForEU11

GxP EU Annex 11 guidelines apply to computerized systems used in the EU, especially in pharmacy, biotechnology, and medical device industries. This package provides compliance evaluation for cloud resource usage and control based on the Annex 11 baseline standards.

BestPracticesForHighAvailabilityArchitecture

A multi-zone architecture provides high data reliability. If the primary zone fails, the system immediately restores your business.

BestPracticesForInternetAccess

This package checks whether Internet access is enabled for Alibaba Cloud resources without proper restrictions, which can cause security risks from cyber attacks and data leaks.

BestPracticeForIdleResourceDetection

This package checks whether purchased resources from services such as EIP, Internet Shared Bandwidth, VPC, and VPN Gateway are idle. Idle resources cause unnecessary costs.

China GMP annex compliance package

Organizations that use computerized systems in pharmaceutical manufacturing must comply with GMP guidelines when using cloud services.

Alibaba Cloud Well-Architected Framework Security Pillar best practices

The security pillars of Alibaba Cloud Well-Architected Framework help you implement security across network, identity, host, and data dimensions, and continuously detect and respond to threats.

BestPracticesForChangeManagement

This package checks cloud resource stability from a change management perspective to identify potential risks and improve O&M efficiency.

BestPracticesForResourceExpirationReminders

This package checks cloud resource stability from the perspective of resource expiration risks to identify potential issues and improve O&M efficiency.

BestPracticesForEnablingResourceBackup

This compliance package checks whether resource backup is enabled for cloud products, such as Tair (Redis OSS-compatible), PolarDB, and RDS. This lets you promptly discover and manage resources that are not backed up.

BestPracticesForRedis

This package checks whether the instance type of Tair (Redis OSS-compatible) meets requirements. It also checks for risks related to audit log enablement, public network and whitelist settings, multi-zone disaster recovery capabilities, instance renewal and expiration, and change management. This ensures the correct use of Tair (Redis OSS-compatible) and guarantees system stability and security.

Best practices for PolarDB applications

This package checks whether PolarDB clusters use a stable version and have a reasonable configuration. It also checks for risks related to backup settings, public network and whitelist settings, instance renewal and expiration, and change management of PolarDB clusters. This ensures that you use PolarDB clusters correctly and guarantees their system stability and security.

Best practices for CDN compliance management

This package performs compliance checks based on product best practices for access control, cache configuration, performance, and cost.

SOC 2 audit standard practice compliance package

The SOC 2 audit standard practice compliance package is based on SOC 2 report requirements. It provides suggested compliance checks for data security, availability, integrity, and confidentiality.

ISO 27001 security management standard compliance package

The ISO 27001 security management standard compliance package is based on the security management standards in Annex A of ISO/IEC 27001:2013. It provides suggested compliance checks for cloud resource risk detection and governance to help your organization implement, maintain, and continuously improve its information security management system.

NIST 800-53 compliance package

This package checks Alibaba Cloud resources for compliance based on select requirements of NIST 800-53 Rev. 5.

MLPS 2.0 Level 2 pre-check compliance package

This package checks Alibaba Cloud resources based on MLPS 2.0 Level 2 requirements. The compliance package template provides a general compliance framework. By specifying rule parameters and correction settings, you can quickly create a compliance package that fits your target scenario. A compliant rule status refers only to the compliance defined by that rule and does not guarantee that you meet all requirements of a specific regulation or industry standard.

Best practices for cost optimization

This package checks CPU, GPU, GPU memory, memory, and disk usage for ECS, RDS, MongoDB, and Redis instances. Tracking low-usage instances helps manage costs. Some rules depend on CloudMonitor data APIs and consume the basic CloudMonitor free quota. To ensure detection quality, enable Hybrid Cloud Monitoring. For billing details, see CloudMonitor billing.

Best practices for AI model training architecture detection

This package checks the architecture design for scenarios where AI models are trained on GPUs. This check includes ensuring that core resources, such as ECS, NAS, and OSS, are matched with training requirements to meet task demands.

Best practices for Alibaba Cloud platform security

Based on Alibaba Cloud platform security governance experience, this package covers key security configuration checks across account security, cloud resource security, network security, data security, backup and recovery, and log auditing.

Quick experience compliance package

This package provides a quick way to experience compliance checks when the service is enabled. It provides basic best practice checks for your cloud resource management and governance.

Best practices for generative AI compliance

This package detects security and stability compliance risks for Model Studio, PAI, and dependent services such as ACS, ACR, OSS, NAS, KMS, SLS, and MaxCompute.