Lists the default CloudConfig compliance rules mapped to the Well-Architected Framework Security Pillar, covering network security, identity security, host security, and data security.
|
Rule name |
Rule description |
|
Compliant if ActionTrail has a trail enabled that tracks all regions and all event types. A resource directory member account is also compliant if an administrator trail covers all member accounts. |
|
|
Compliant if the ADB cluster maintenance window falls within the time range specified in the parameter. |
|
|
Compliant if the ADB instance does not have public network access enabled. |
|
|
Connect custom domains of API groups in API Gateway to WAF or WAF 3.0 |
Compliant if a custom domain bound to an API Gateway group is connected to WAF or WAF 3.0. |
|
Configure an SSL certificate for the custom domain of an API group in API Gateway |
Compliant if the API Gateway group has a custom domain with an SSL certificate configured. |
|
Compliant if the cloud disk is in use. Not applicable to disks created within the specified number of days (default: 7). |
|
|
Compliant if the in-use ECS data disk has encryption enabled. |
|
|
Compliant if the Security Center agent is installed for host security protection. Not applicable to instances not in the Running state. |
|
|
Compliant if the ECS instance has an instance RAM role attached. |
|
|
Compliant if the ECS instance is not in the Stopped state. |
|
|
Compliant if the ECS instance has no vulnerabilities of the specified type and severity that require fixing in Security Center. Not applicable to instances not in the Running state. |
|
|
If no parameter is specified, compliant if the ECS instance network type is VPC. If a parameter is specified, the VPC must be within the specified range. Separate multiple values with commas (,). |
|
|
Compliant if the running ECS instance has no public IPv4 address or Elastic IP Address assigned. |
|
|
Compliant if the security group is attached to at least one ECS instance. |
|
|
Disallow risky ports for the 0.0.0.0/0 CIDR block in a security group for a specified protocol |
Compliant if inbound rules allowing access from 0.0.0.0/0 for a specified protocol do not include any specified risky ports. Also compliant if a higher-priority deny rule exists for the risky port. Not applicable to security groups used by Alibaba Cloud services or virtual server providers. |
|
Restrict inbound access from 0.0.0.0/0 to whitelisted ports in a security group |
Compliant if inbound rules allowing access from 0.0.0.0/0 are configured only for specified whitelisted ports. Not applicable to security groups used by Alibaba Cloud services or virtual server providers. |
|
Enable disk encryption for data nodes of Elasticsearch instances |
Compliant if disk encryption is enabled for the data nodes of the Elasticsearch instance. |
|
If no parameter is specified, compliant if the Elasticsearch instance network type is VPC. If a parameter is specified, the associated VPC must be within the specified range. |
|
|
Do not assign public IPv4 addresses in Auto Scaling configurations |
Compliant if the Auto Scaling configuration does not assign a public IPv4 address. |
|
Compliant if the Function Compute service has public network access disabled. |
|
|
Configure Function Compute services to be invoked only from a specified VPC |
Compliant if the Function Compute service is configured to be invoked only from a specified VPC. |
|
Compliant if the KMS master key source is not external. |
|
|
Enable automatic rotation for customer master keys in Key Management Service |
Compliant if automatic rotation is enabled for customer master keys (CMKs) in KMS. |
|
Compliant if the KMS master key is not pending deletion. |
|
|
Enable automatic rotation for credentials in Key Management Service |
Compliant if automatic rotation is enabled for credentials in KMS. |
|
Compliant if encryption is enabled for the NAS file system. |
|
|
Compliant if log storage is enabled in the Log Management settings of the OSS bucket. |
|
|
Compliant if the OSS bucket access policy allows only HTTPS or denies HTTP. Not applicable to buckets with an empty access policy. |
|
|
Do not grant any permissions to anonymous accounts for an OSS bucket |
Compliant if the OSS bucket authorization policy does not grant read or write permissions to anonymous accounts. Also compliant if no authorization policy is configured. |
|
Compliant if the OSS bucket ACL prohibits public-read access. |
|
|
Compliant if the OSS bucket ACL prohibits public-read-write access. |
|
|
Compliant if server-side encryption with fully managed OSS keys is enabled for the bucket. |
|
|
Compliant if versioning is enabled for the OSS bucket. Versioning helps recover data from accidental overwrites or deletions. |
|
|
Compliant if the OSS bucket is encrypted using a custom KMS key. |
|
|
Compliant if all data tables in the Tablestore instance have encryption enabled. |
|
|
Compliant if the RAM user group contains at least one RAM user. |
|
|
Compliant if all password policy settings for RAM users meet the specified parameter values. |
|
|
Compliant if no RAM user, user group, or role has super administrator permissions where Resource is set to * and Action is set to *. |
|
|
Rotate AccessKey pairs for RAM users within a specified period |
Compliant if the RAM user AccessKey pair was created within the specified period (default: 90 days). |
|
Compliant if the RAM user AccessKey pair has been used within the specified period (default: 90 days). |
|
|
All RAM users assigned to a user group are considered compliant. |
|
|
Compliant if RAM users with console access have MFA enabled for logon. |
|
|
Compliant if the RAM user does not have administrative or product-specific administrator permissions, including permissions inherited from user groups. |
|
|
Compliant if TDE is enabled in the data security settings of the RDS instance. |
|
|
Ensure the retention period for SQL audit logs of RDS instances meets requirements |
Compliant if SQL Audit is enabled for the ApsaraDB RDS for MySQL instance and the log retention period is at least the specified value (default: 180 days). |
|
Ensure RDS instances do not have both public network access and an open-to-all IP whitelist |
Non-compliant if the RDS instance has public network access enabled and its whitelist is set to 0.0.0.0/0. |
|
Ensure no AccessKey pair exists for an Alibaba Cloud account |
Compliant if the Alibaba Cloud account does not have an AccessKey pair. |
|
Compliant if MFA is enabled for the Alibaba Cloud account. |
|
|
Compliant if Security Center Enterprise Edition or a later edition is in use. |
|
|
Compliant if access logs are enabled for the CLB instance. Not applicable to instances without a Layer 7 listener (access logs are not supported). |
|
|
Compliant if the SLB instance has an HTTPS listener enabled on the specified port. Not applicable to instances with only TCP or UDP listeners. |
|
|
Compliant if flow logs are enabled for the VPC. |
|
|
Compliant if log collection is enabled for all domain names protected by WAF 2.0. |