This topic describes the background, scenarios, and default rules of the GxP EU Annex 11 standard compliance package.
Background
GxP EU Annex 11 is a European Union (EU) regulatory requirement for using computerized systems. It primarily applies to companies and organizations that use these systems in the pharmaceutical, biotechnology, and medical device industries. The requirements cover the development, validation, operation, maintenance, and monitoring of computerized systems to ensure they comply with relevant regulations and standards for product quality, control, and reliability. As part of Good Manufacturing Practice (GMP), Annex 11 is a key guiding standard in the drug manufacturing process and is widely used in the pharmaceutical and biotechnology industries in Europe and globally.
The GxP EU Annex 11 standard compliance package is based on the baseline data protection standards of GxP EU Annex 11. It provides recommended compliance checks for cloud resource usage and management.
For more information, see GxP EU Annex 11.
Scenarios
The GxP EU Annex 11 standard compliance package applies to companies and organizations that use computerized systems in the pharmaceutical, biotechnology, and medical device industries.
Default rules
Compliance package templates provide a general framework to help you quickly create compliance packages for your target scenarios. A 'compliant' status for a rule indicates that the resource meets the rule's specific definition. This status does not guarantee that the resource meets all requirements of any specific regulation or industry standard.
Rule name | Rule description | Recommendation ID | Recommendation description |
A trail is enabled in ActionTrail to record all events in all regions. This is considered compliant. | 1.1 | Risk management should be applied throughout the lifecycle of the computerized system, considering patient safety, data integrity, and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system. | |
4.2 | Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process. | ||
9.1 | Based on a risk assessment, consider building a system-generated audit trail to record all GMP-relevant changes and deletions. The reason for any change or deletion of GMP-relevant data should be documented. Audit trails need to be available, convertible to a generally intelligible form, and regularly reviewed. | ||
11.1 | Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports. | ||
12.3 | The creation, change, and cancellation of access authorizations should be recorded. | ||
12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | ||
13.1 | All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis for corrective and preventive actions. | ||
Security Center Enterprise Edition or a later version is used. This is considered compliant. | 1.1 | Risk management should be applied throughout the lifecycle of the computerized system, considering patient safety, data integrity, and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system. | |
11.1 | Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports. | ||
13.1 | All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis for corrective and preventive actions. | ||
The Security Center agent is enabled for running ECS instances. This is considered compliant. | 4.3 | An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures. | |
ECS instances have no vulnerabilities of a specified type and severity level to be fixed in Security Center. This is considered compliant. | 4.3 | An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures. | |
The status of the ECS instance is Running. This is considered compliant. | 4.3 | An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures. | |
All Elastic IP Addresses are associated with ECS instances or NAT Gateway instances. This is considered compliant. | 4.3 | An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures. | |
The number of ECS instances associated with a security group is greater than 0. This is considered compliant. | 4.3 | An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures. | |
Log backup is enabled for RDS instances. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
The log backup retention period for PolarDB clusters meets the specified requirements | The log backup retention period for a PolarDB cluster is greater than or equal to the specified number of days. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Incremental backup is enabled for Redis instances. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
Automatic backup is enabled for Elasticsearch instances. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Log backup is enabled for ADB clusters. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Log backup is enabled for MongoDB instances. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
A backup schedule is created for the NAS file system. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
An automatic snapshot policy is configured for ECS disks. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Database Backup is enabled for OceanBase clusters. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
Versioning is enabled for OSS buckets. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Zone-redundant Storage is enabled for OSS buckets. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
7.2 | Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. | ||
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
SSL encryption is used for the source and destination databases of DTS sync tasks | SSL encryption is used for both the source and destination databases of sync tasks in a DTS instance. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
SSL encryption is used for the source and destination databases of DTS migration tasks | SSL encryption is used for both the source and destination databases of migration tasks in a DTS instance. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
TLS 1.3 is enabled for accelerated domain names. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
HTTPS is used for data transmission in Elasticsearch instances | HTTPS is used for data transmission in Elasticsearch instances. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. |
Functions in Function Compute are bound to custom domain names and a specific TLS version is enabled | A function in Function Compute is bound to a custom domain name that is accessible over the public network, and a specific TLS version is enabled. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
SSL encryption is configured for PolarDB clusters. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
SSL encryption is configured for Redis instances. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
APIs in API Gateway that are accessible over the public network use HTTPS | APIs in API Gateway that are accessible over the public network are configured to use HTTPS. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
SSL certificates are used for RDS instances. This is considered compliant. | 4.8 | If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process. | |
5.1 | For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks. | ||
Encryption is enabled for in-use data disks of ECS instances | Encryption is enabled for in-use data disks of ECS instances. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. |
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Transparent data encryption (TDE) is enabled for RDS instances. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | |
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
The encryption algorithm used by the VPN connection is not None | The encryption algorithm used by the VPN connection is not None. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. |
Disk encryption is enabled for data nodes of Elasticsearch instances | Disk encryption is enabled for data nodes of Elasticsearch instances. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. |
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
TDE is enabled for PolarDB clusters. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | |
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
TDE is enabled for Redis instances with a custom key. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | |
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Data encryption is configured for Logstores in Simple Log Service | Data encryption is configured for Logstores in Simple Log Service. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. |
17.1 | Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested. | ||
Deletion protection is enabled for RDS instances. This is considered compliant. | 7.1 | Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period. | |
Deletion protection is enabled for PolarDB clusters. This is considered compliant. | 10.1 | Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure. | |
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
Release protection is enabled for ECS instances. This is considered compliant. | 10.1 | Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure. | |
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
Deletion protection is enabled for HBase clusters. This is considered compliant. | 10.1 | Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure. | |
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
Release protection is enabled for MongoDB instances. This is considered compliant. | 10.1 | Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure. | |
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
Release protection is enabled for Redis instances. This is considered compliant. | 10.1 | Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure. | |
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
Release protection is enabled for SLB instances. This is considered compliant. | 10.1 | Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure. | |
16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | ||
The CloudMonitor agent is installed on running ECS instances | The CloudMonitor agent is installed on running ECS instances. This is considered compliant. | 11.1 | Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports. |
13.1 | All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis for corrective and preventive actions. | ||
Event logs are enabled for RDS instances. This is considered compliant. | 11.1 | Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports. | |
12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | ||
Multi-factor authentication (MFA) is enabled for the Alibaba Cloud account. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
Multi-factor authentication (MFA) is enabled for RAM users. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
The access control list (ACL) policy of OSS buckets is set to private. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
No permissions are granted to anonymous accounts in the OSS bucket policy | No read or write permissions are granted to anonymous accounts in the authorization policy of an OSS bucket. This is considered compliant. If no authorization policy is set for an OSS bucket, the bucket is also considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. |
An instance RAM role is attached to the ECS instance. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
A service role is configured for Function Compute. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
The RAM Roles for Service Accounts (RRSA) feature is enabled for the ACK cluster. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
A RAM user does not have both console access and OpenAPI call access enabled. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
Authentication is enabled for MSE clusters that are accessible over the public network | An MSE cluster is considered compliant if it is not accessible over the public network, or if it is accessible over the public network and has authentication enabled. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. |
The time since an AccessKey of a RAM user was last used is less than the time specified in the parameters. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
All settings in the password policy for RAM users meet the parameter values that you set. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
RAM users have logged on within the last 90 days. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. | |
The AccessKeys of RAM users are rotated within the specified period | The time since an AccessKey of a RAM user was created does not exceed the specified number of days. This is considered compliant. | 12.1 | Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas. |
Audit logging is enabled for Redis instances. This is considered compliant. | 12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | |
Audit logging is enabled for MongoDB instances. This is considered compliant. | 12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | |
Log storage is enabled in the Log Management settings of OSS buckets. This is considered compliant. | 12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | |
Log collection is enabled for all domain names that are protected by WAF. This is considered compliant. | 12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | |
The retention period for SQL audit logs of RDS instances meets the specified requirements | SQL Audit is enabled for RDS for MySQL instances, and the log retention period is greater than or equal to the specified value. This is considered compliant. | 12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. |
SQL audit logging is enabled for ADB clusters. This is considered compliant. | 12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | |
Access logging is enabled for Classic Load Balancer instances. This is considered compliant. | 12.4 | Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time. | |
RDS instances support multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | |
Redis instances are deployed in multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | |
SLB instances are deployed in multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | |
ALB instances are deployed in multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | |
MongoDB instances are deployed in multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | |
Auto Scaling groups are associated with at least two vSwitches | An Auto Scaling group is associated with at least two vSwitches. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. |
The endpoint service is configured across multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | |
A hot standby storage cluster is enabled for the PolarDB cluster, and data is distributed across multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | |
Resources from multiple zones are added to the vServer groups of SLB instances | The attached resources of a vServer group for an SLB instance are distributed across multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. |
Resources from multiple zones are added to the server groups of ALB instances | The attached resources of a server group for an ALB instance are distributed across multiple zones. This is considered compliant. | 16.1 | For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. |