GxP EU Annex 11 standard compliance package

更新时间:
复制 MD 格式

This topic describes the background, scenarios, and default rules of the GxP EU Annex 11 standard compliance package.

Background

GxP EU Annex 11 is a European Union (EU) regulatory requirement for using computerized systems. It primarily applies to companies and organizations that use these systems in the pharmaceutical, biotechnology, and medical device industries. The requirements cover the development, validation, operation, maintenance, and monitoring of computerized systems to ensure they comply with relevant regulations and standards for product quality, control, and reliability. As part of Good Manufacturing Practice (GMP), Annex 11 is a key guiding standard in the drug manufacturing process and is widely used in the pharmaceutical and biotechnology industries in Europe and globally.

The GxP EU Annex 11 standard compliance package is based on the baseline data protection standards of GxP EU Annex 11. It provides recommended compliance checks for cloud resource usage and management.

For more information, see GxP EU Annex 11.

Scenarios

The GxP EU Annex 11 standard compliance package applies to companies and organizations that use computerized systems in the pharmaceutical, biotechnology, and medical device industries.

Default rules

Note

Compliance package templates provide a general framework to help you quickly create compliance packages for your target scenarios. A 'compliant' status for a rule indicates that the resource meets the rule's specific definition. This status does not guarantee that the resource meets all requirements of any specific regulation or industry standard.

Rule name

Rule description

Recommendation ID

Recommendation description

Full log tracking is enabled for ActionTrail

A trail is enabled in ActionTrail to record all events in all regions. This is considered compliant.

1.1

Risk management should be applied throughout the lifecycle of the computerized system, considering patient safety, data integrity, and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.

4.2

Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.

9.1

Based on a risk assessment, consider building a system-generated audit trail to record all GMP-relevant changes and deletions. The reason for any change or deletion of GMP-relevant data should be documented. Audit trails need to be available, convertible to a generally intelligible form, and regularly reviewed.

11.1

Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports.

12.3

The creation, change, and cancellation of access authorizations should be recorded.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

13.1

All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis for corrective and preventive actions.

Use Security Center Enterprise Edition

Security Center Enterprise Edition or a later version is used. This is considered compliant.

1.1

Risk management should be applied throughout the lifecycle of the computerized system, considering patient safety, data integrity, and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.

11.1

Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports.

13.1

All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis for corrective and preventive actions.

Security Center agent is enabled for running ECS instances

The Security Center agent is enabled for running ECS instances. This is considered compliant.

4.3

An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures.

Running ECS instances have no vulnerabilities to be fixed

ECS instances have no vulnerabilities of a specified type and severity level to be fixed in Security Center. This is considered compliant.

4.3

An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures.

The ECS instance is not stopped

The status of the ECS instance is Running. This is considered compliant.

4.3

An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures.

Check for idle Elastic IP Addresses

All Elastic IP Addresses are associated with ECS instances or NAT Gateway instances. This is considered compliant.

4.3

An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures.

Check for idle security groups

The number of ECS instances associated with a security group is greater than 0. This is considered compliant.

4.3

An up-to-date listing (inventory) of all relevant systems and their GMP functionality should be available. For critical systems, an up-to-date system description should be available that details the physical and logical arrangements, data flows, interfaces with other systems or processes, any hardware and software prerequisites, and security measures.

Log backup is enabled for RDS instances

Log backup is enabled for RDS instances. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

The log backup retention period for PolarDB clusters meets the specified requirements

The log backup retention period for a PolarDB cluster is greater than or equal to the specified number of days. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

Incremental backup is enabled for Redis instances

Incremental backup is enabled for Redis instances. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Automatic backup is enabled for Elasticsearch instances

Automatic backup is enabled for Elasticsearch instances. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

Log backup is enabled for ADB clusters

Log backup is enabled for ADB clusters. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

Log backup is enabled for MongoDB instances

Log backup is enabled for MongoDB instances. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

A backup schedule is created for the NAS file system

A backup schedule is created for the NAS file system. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

An automatic snapshot policy is configured for ECS disks

An automatic snapshot policy is configured for ECS disks. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

Database Backup is enabled for OceanBase clusters

Database Backup is enabled for OceanBase clusters. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Versioning is enabled for OSS buckets

Versioning is enabled for OSS buckets. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

Zone-redundant Storage is enabled for OSS buckets

Zone-redundant Storage is enabled for OSS buckets. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

7.2

Regular backups of all relevant data should be performed. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

SSL encryption is used for the source and destination databases of DTS sync tasks

SSL encryption is used for both the source and destination databases of sync tasks in a DTS instance. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

SSL encryption is used for the source and destination databases of DTS migration tasks

SSL encryption is used for both the source and destination databases of migration tasks in a DTS instance. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

TLS 1.3 is enabled for accelerated domain names

TLS 1.3 is enabled for accelerated domain names. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

HTTPS is used for data transmission in Elasticsearch instances

HTTPS is used for data transmission in Elasticsearch instances. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

Functions in Function Compute are bound to custom domain names and a specific TLS version is enabled

A function in Function Compute is bound to a custom domain name that is accessible over the public network, and a specific TLS version is enabled. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

SSL encryption is configured for PolarDB clusters

SSL encryption is configured for PolarDB clusters. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

SSL encryption is configured for Redis instances

SSL encryption is configured for Redis instances. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

APIs in API Gateway that are accessible over the public network use HTTPS

APIs in API Gateway that are accessible over the public network are configured to use HTTPS. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

SSL certificates are used for RDS instances

SSL certificates are used for RDS instances. This is considered compliant.

4.8

If data is transferred to another data format or system, validation should include checks to ensure that the data is not altered in value or meaning during the migration process.

5.1

For computerized systems that exchange data electronically with other systems, appropriate built-in checks should be in place for the correct and secure entry and processing of data to minimize risks.

Encryption is enabled for in-use data disks of ECS instances

Encryption is enabled for in-use data disks of ECS instances. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

TDE is enabled for RDS instances

Transparent data encryption (TDE) is enabled for RDS instances. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

The encryption algorithm used by the VPN connection is not None

The encryption algorithm used by the VPN connection is not None. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

Disk encryption is enabled for data nodes of Elasticsearch instances

Disk encryption is enabled for data nodes of Elasticsearch instances. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

TDE is enabled for PolarDB clusters

TDE is enabled for PolarDB clusters. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

TDE is enabled for Redis instances with a custom key

TDE is enabled for Redis instances with a custom key. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

Data encryption is configured for Logstores in Simple Log Service

Data encryption is configured for Logstores in Simple Log Service. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

17.1

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are made to the system (such as computer equipment or programs), the ability to retrieve the data must be ensured and tested.

Deletion protection is enabled for RDS instances

Deletion protection is enabled for RDS instances. This is considered compliant.

7.1

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data must be ensured throughout the retention period.

Deletion protection is enabled for PolarDB clusters

Deletion protection is enabled for PolarDB clusters. This is considered compliant.

10.1

Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Release protection is enabled for ECS instances

Release protection is enabled for ECS instances. This is considered compliant.

10.1

Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Deletion protection is enabled for HBase clusters

Deletion protection is enabled for HBase clusters. This is considered compliant.

10.1

Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Release protection is enabled for MongoDB instances

Release protection is enabled for MongoDB instances. This is considered compliant.

10.1

Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Release protection is enabled for Redis instances

Release protection is enabled for Redis instances. This is considered compliant.

10.1

Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Release protection is enabled for SLB instances

Release protection is enabled for SLB instances. This is considered compliant.

10.1

Any changes to a computerized system, including system configurations, should be made only in a controlled manner in accordance with a defined procedure.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

The CloudMonitor agent is installed on running ECS instances

The CloudMonitor agent is installed on running ECS instances. This is considered compliant.

11.1

Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports.

13.1

All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis for corrective and preventive actions.

Event logs are enabled for RDS instances

Event logs are enabled for RDS instances. This is considered compliant.

11.1

Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

MFA is enabled for the Alibaba Cloud account

Multi-factor authentication (MFA) is enabled for the Alibaba Cloud account. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

MFA is enabled for RAM users

Multi-factor authentication (MFA) is enabled for RAM users. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

Public-read-write is disabled for the ACL of OSS buckets

The access control list (ACL) policy of OSS buckets is set to private. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

No permissions are granted to anonymous accounts in the OSS bucket policy

No read or write permissions are granted to anonymous accounts in the authorization policy of an OSS bucket. This is considered compliant. If no authorization policy is set for an OSS bucket, the bucket is also considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

An instance RAM role is attached to the ECS instance

An instance RAM role is attached to the ECS instance. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

A service role is configured for Function Compute

A service role is configured for Function Compute. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

The RRSA feature is enabled for the ACK cluster

The RAM Roles for Service Accounts (RRSA) feature is enabled for the ACK cluster. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

Check RAM user logon methods

A RAM user does not have both console access and OpenAPI call access enabled. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

Authentication is enabled for MSE clusters that are accessible over the public network

An MSE cluster is considered compliant if it is not accessible over the public network, or if it is accessible over the public network and has authentication enabled.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

RAM users do not have idle AccessKeys

The time since an AccessKey of a RAM user was last used is less than the time specified in the parameters. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

The password policy for RAM users meets the requirements

All settings in the password policy for RAM users meet the parameter values that you set. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

RAM users have logged on within the specified period

RAM users have logged on within the last 90 days. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

The AccessKeys of RAM users are rotated within the specified period

The time since an AccessKey of a RAM user was created does not exceed the specified number of days. This is considered compliant.

12.1

Physical or logical controls, or both, should be in place to restrict access to the computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, and restricted access to computer equipment and data storage areas.

Audit logging is enabled for Redis instances

Audit logging is enabled for Redis instances. This is considered compliant.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

Audit logging is enabled for MongoDB instances

Audit logging is enabled for MongoDB instances. This is considered compliant.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

Log storage is enabled for OSS buckets

Log storage is enabled in the Log Management settings of OSS buckets. This is considered compliant.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

Log collection is enabled for WAF instances

Log collection is enabled for all domain names that are protected by WAF. This is considered compliant.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

The retention period for SQL audit logs of RDS instances meets the specified requirements

SQL Audit is enabled for RDS for MySQL instances, and the log retention period is greater than or equal to the specified value. This is considered compliant.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

SQL audit logging is enabled for ADB clusters

SQL audit logging is enabled for ADB clusters. This is considered compliant.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

Access logging is enabled for SLB instances

Access logging is enabled for Classic Load Balancer instances. This is considered compliant.

12.4

Data and document management systems should be designed to record the identity of operators entering, changing, confirming, or deleting data, including the date and time.

RDS instances are deployed in multiple zones

RDS instances support multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Redis instances are deployed in multiple zones

Redis instances are deployed in multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

SLB instances are deployed in multiple zones

SLB instances are deployed in multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

ALB instances are deployed in multiple zones

ALB instances are deployed in multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Using a multi-zone MongoDB instance

MongoDB instances are deployed in multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Auto Scaling groups are associated with at least two vSwitches

An Auto Scaling group is associated with at least two vSwitches. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

The endpoint service is configured across multiple zones

The endpoint service is configured across multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

A hot standby cluster is enabled for the PolarDB cluster

A hot standby storage cluster is enabled for the PolarDB cluster, and data is distributed across multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Resources from multiple zones are added to the vServer groups of SLB instances

The attached resources of a vServer group for an SLB instance are distributed across multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.

Resources from multiple zones are added to the server groups of ALB instances

The attached resources of a server group for an ALB instance are distributed across multiple zones. This is considered compliant.

16.1

For computerized systems that support critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (such as a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and be appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested.