Alibaba Cloud Well-Architected Framework Security Pillar Best Practices

更新时间:
复制 MD 格式

Lists the default CloudConfig compliance rules mapped to the Well-Architected Framework Security Pillar, covering network security, identity security, host security, and data security.

Rule name

Rule description

Enable global logging for ActionTrail

Compliant if ActionTrail has a trail enabled that tracks all regions and all event types. A resource directory member account is also compliant if an administrator trail covers all member accounts.

Set an appropriate maintenance window for ADB clusters

Compliant if the ADB cluster maintenance window falls within the time range specified in the parameter.

Disable public network access for ADB clusters

Compliant if the ADB instance does not have public network access enabled.

Connect custom domains of API groups in API Gateway to WAF or WAF 3.0

Compliant if a custom domain bound to an API Gateway group is connected to WAF or WAF 3.0.

Configure an SSL certificate for the custom domain of an API group in API Gateway

Compliant if the API Gateway group has a custom domain with an SSL certificate configured.

Check for idle cloud disks

Compliant if the cloud disk is in use. Not applicable to disks created within the specified number of days (default: 7).

Enable encryption for in-use ECS data disks

Compliant if the in-use ECS data disk has encryption enabled.

Enable Security Center protection for running ECS instances

Compliant if the Security Center agent is installed for host security protection. Not applicable to instances not in the Running state.

Attach an instance RAM role to an ECS instance

Compliant if the ECS instance has an instance RAM role attached.

Ensure ECS instances are not stopped

Compliant if the ECS instance is not in the Stopped state.

Ensure running ECS instances have no vulnerabilities to fix

Compliant if the ECS instance has no vulnerabilities of the specified type and severity that require fixing in Security Center. Not applicable to instances not in the Running state.

Use ECS instances in a VPC

If no parameter is specified, compliant if the ECS instance network type is VPC. If a parameter is specified, the VPC must be within the specified range. Separate multiple values with commas (,).

Do not assign public IP addresses to running ECS instances

Compliant if the running ECS instance has no public IPv4 address or Elastic IP Address assigned.

Check for idle security groups

Compliant if the security group is attached to at least one ECS instance.

Disallow risky ports for the 0.0.0.0/0 CIDR block in a security group for a specified protocol

Compliant if inbound rules allowing access from 0.0.0.0/0 for a specified protocol do not include any specified risky ports. Also compliant if a higher-priority deny rule exists for the risky port. Not applicable to security groups used by Alibaba Cloud services or virtual server providers.

Restrict inbound access from 0.0.0.0/0 to whitelisted ports in a security group

Compliant if inbound rules allowing access from 0.0.0.0/0 are configured only for specified whitelisted ports. Not applicable to security groups used by Alibaba Cloud services or virtual server providers.

Enable disk encryption for data nodes of Elasticsearch instances

Compliant if disk encryption is enabled for the data nodes of the Elasticsearch instance.

Use Elasticsearch instances in a VPC

If no parameter is specified, compliant if the Elasticsearch instance network type is VPC. If a parameter is specified, the associated VPC must be within the specified range.

Do not assign public IPv4 addresses in Auto Scaling configurations

Compliant if the Auto Scaling configuration does not assign a public IPv4 address.

Disable public network access for Function Compute services

Compliant if the Function Compute service has public network access disabled.

Configure Function Compute services to be invoked only from a specified VPC

Compliant if the Function Compute service is configured to be invoked only from a specified VPC.

Do not use KMS master keys from external sources

Compliant if the KMS master key source is not external.

Enable automatic rotation for customer master keys in Key Management Service

Compliant if automatic rotation is enabled for customer master keys (CMKs) in KMS.

Ensure KMS master keys are not pending deletion

Compliant if the KMS master key is not pending deletion.

Enable automatic rotation for credentials in Key Management Service

Compliant if automatic rotation is enabled for credentials in KMS.

Enable encryption for NAS file systems

Compliant if encryption is enabled for the NAS file system.

Enable log storage for OSS buckets

Compliant if log storage is enabled in the Log Management settings of the OSS bucket.

Configure a secure access policy for an OSS bucket

Compliant if the OSS bucket access policy allows only HTTPS or denies HTTP. Not applicable to buckets with an empty access policy.

Do not grant any permissions to anonymous accounts for an OSS bucket

Compliant if the OSS bucket authorization policy does not grant read or write permissions to anonymous accounts. Also compliant if no authorization policy is configured.

Prohibit public-read access for OSS buckets

Compliant if the OSS bucket ACL prohibits public-read access.

Prohibit public-read-write access for OSS buckets

Compliant if the OSS bucket ACL prohibits public-read-write access.

Enable server-side encryption for OSS buckets

Compliant if server-side encryption with fully managed OSS keys is enabled for the bucket.

Enable versioning for OSS buckets

Compliant if versioning is enabled for the OSS bucket. Versioning helps recover data from accidental overwrites or deletions.

Use a custom KMS key to encrypt an OSS bucket

Compliant if the OSS bucket is encrypted using a custom KMS key.

Enable encryption for all tables in a Tablestore instance

Compliant if all data tables in the Tablestore instance have encryption enabled.

Ensure RAM user groups are not empty

Compliant if the RAM user group contains at least one RAM user.

Ensure the password policy for RAM users meets requirements

Compliant if all password policy settings for RAM users meet the specified parameter values.

Ensure no super administrator exists

Compliant if no RAM user, user group, or role has super administrator permissions where Resource is set to * and Action is set to *.

Rotate AccessKey pairs for RAM users within a specified period

Compliant if the RAM user AccessKey pair was created within the specified period (default: 90 days).

Ensure no idle AccessKey pairs exist for RAM users

Compliant if the RAM user AccessKey pair has been used within the specified period (default: 90 days).

Assign RAM users to RAM user groups

All RAM users assigned to a user group are considered compliant.

Enable MFA for RAM users

Compliant if RAM users with console access have MFA enabled for logon.

Ensure RAM users and their user groups do not have super administrator or product-specific administrator permissions

Compliant if the RAM user does not have administrative or product-specific administrator permissions, including permissions inherited from user groups.

Enable TDE for RDS instances

Compliant if TDE is enabled in the data security settings of the RDS instance.

Ensure the retention period for SQL audit logs of RDS instances meets requirements

Compliant if SQL Audit is enabled for the ApsaraDB RDS for MySQL instance and the log retention period is at least the specified value (default: 180 days).

Ensure RDS instances do not have both public network access and an open-to-all IP whitelist

Non-compliant if the RDS instance has public network access enabled and its whitelist is set to 0.0.0.0/0.

Ensure no AccessKey pair exists for an Alibaba Cloud account

Compliant if the Alibaba Cloud account does not have an AccessKey pair.

Enable MFA for an Alibaba Cloud account

Compliant if MFA is enabled for the Alibaba Cloud account.

Use Security Center Enterprise Edition

Compliant if Security Center Enterprise Edition or a later edition is in use.

Enable access logs for SLB instances

Compliant if access logs are enabled for the CLB instance. Not applicable to instances without a Layer 7 listener (access logs are not supported).

Enable HTTPS listeners for SLB instances

Compliant if the SLB instance has an HTTPS listener enabled on the specified port. Not applicable to instances with only TCP or UDP listeners.

Enable flow logs for VPCs

Compliant if flow logs are enabled for the VPC.

Enable log collection for WAF instances

Compliant if log collection is enabled for all domain names protected by WAF 2.0.