ISO 27001 security management standard compliance pack

更新时间:
复制 MD 格式

The ISO 27001 security management standard compliance pack is based on the security management standards in Annex A of ISO/IEC 27001:2013. It provides recommended compliance checks for detecting and governing cloud resource risks. These checks help your organization implement, maintain, and continuously improve its information security management. This topic describes the default rules included in the compliance pack.

Rule name

Rule description

Recommendation number

Recommendation description

Separate personnel and programmatic access for RAM users

A Resource Access Management (RAM) user is compliant if console access and API call access are not enabled simultaneously.

A.6.1.2

Segregation of duties

Do not grant permissions directly to RAM users

A RAM user is compliant if no access policies are directly attached. Permissions should be inherited from a RAM user group or RAM role.

A.6.1.2

Segregation of duties

No idle RAM user groups exist

A RAM user group is compliant if it contains at least one RAM user and has at least one RAM access policy attached.

  • A.6.1.2

  • A.9.1.1

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • Segregation of duties

  • Access control policy

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

RAM user groups are not empty

A RAM user group is compliant if it contains at least one RAM user.

  • A.6.1.2

  • A.9.1.1

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • Segregation of duties

  • Access control policy

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

No super administrators exist

A resource is compliant if no RAM users, RAM user groups, or RAM roles have super administrator permissions, where Resource is * and Action is *.

  • A.6.1.2

  • A.9.1.1

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • A.9.4.1

  • A.9.4.5

  • A.18.1.3

  • Segregation of duties

  • Access control policy

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

  • Information access restriction

  • Access control to program source code

  • Protection of records

No idle RAM access policies exist

A RAM access policy is compliant if it is attached to at least one RAM user group, RAM role, or RAM user.

  • A.6.1.2

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • A.9.4.5

  • Segregation of duties

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

  • Access control to program source code

Security Center protection is enabled for running ECS instances

An instance is compliant if the Security Center agent is installed to provide host security protection. This rule applies only to running instances.

  • A.8.1.1

  • A.8.1.2

  • A.12.1.2

  • A.12.5.1

  • A.12.6.1

  • A.14.1.1

  • A.14.2.1

  • A.16.1.2

  • Inventory of assets

  • Ownership of assets

  • Change management

  • Installation of software on operational systems

  • Management of technical vulnerabilities

  • Information security requirements analysis and specification

  • Secure development policy

  • Reporting information security events

All specified tags exist

A resource is compliant if it has all the specified tags. You can define up to 10 tag groups, and you must enter only one value for each group. Tag input is case-sensitive.

  • A.8.1.1

  • A.8.1.2

  • Inventory of assets

  • Ownership of assets

The resource group of an ECS associated resource is inherited from the ECS instance

This rule checks whether a resource associated with an ECS instance inherits the resource group of the instance. The resource is compliant if it is attached to an ECS instance and they share the same resource group. This rule does not apply if the resource is not attached to an ECS instance.

  • A.8.1.1

  • A.8.1.2

  • Inventory of assets

  • Ownership of assets

The resource group associated with a resource is not the default resource group

A resource is compliant if its associated resource group is not the default resource group. This rule does not apply if no resource group is associated.

  • A.8.1.1

  • A.8.1.2

  • Inventory of assets

  • Ownership of assets

The Alibaba Cloud account does not have an AccessKey

An Alibaba Cloud account is compliant if it does not have an AccessKey in any state.

  • A.9.1.1

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.18.1.3

  • Access control policy

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Protection of records

Do not grant permissions directly to RAM users

A RAM user is compliant if no access policies are directly attached. Permissions should be inherited from a RAM user group or RAM role.

  • A.6.1.2

  • A.9.1.1

  • Segregation of duties

  • Access control policy

Public network access is disabled for Elasticsearch instances

An Elasticsearch instance is compliant if public network access is disabled.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.13.1.1

  • A.13.1.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Network controls

  • Segregation in networks

  • Protection of records

  • Privacy and protection of personally identifiable information

Public-read-write is disabled for the ACL of the OSS bucket

An OSS bucket is compliant if its access control list (ACL) policy prohibits public-read-write access.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Public network access is disabled for the Function Compute service

A Function Compute service is compliant if public network access is disabled.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Running ECS instances are in a VPC

Alibaba Cloud recommends that you deploy ECS instances in a virtual private cloud (VPC). An ECS instance is compliant if it is in a VPC. If parameters are specified, the rule also checks whether the instance's VPC is within the specified range. This rule applies only to running ECS instances.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Public network access is disabled for ADB clusters

An ADB instance is compliant if public network access is disabled.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Public endpoints are not configured for RDS instances

An RDS instance is compliant if no public endpoint is configured. Configuring Direct Internet Access for RDS instances in a production environment makes them vulnerable to cyberattacks.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Public endpoints are not configured for ACK clusters

An ACK cluster is compliant if no public endpoint is configured.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Enforced mode is used to access ECS instance metadata

An instance is compliant if enforced mode is used to access its instance metadata.

  • A.9.1.2

  • A.9.4.4

  • Access to networks and network services

  • Use of privileged utility programs

The Function Compute service is configured to allow calls only from specified VPCs

A Function Compute service is compliant if it is configured to allow calls only from specified VPCs.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Public-read is disabled for the ACL of the OSS bucket

An OSS bucket is compliant if its ACL policy prohibits public-read access.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Running ECS instances are not associated with public IP addresses

A running ECS instance is compliant if it is not directly associated with an IPv4 public IP address or an Elastic IP Address.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

Public network access is disabled for all endpoints of a PolarDB cluster

A PolarDB cluster is compliant if public network access is disabled for all its endpoints.

  • A.9.1.2

  • A.9.4.1

  • A.9.4.4

  • A.9.4.5

  • A.13.1.1

  • A.13.2.3

  • A.18.1.3

  • A.18.1.4

  • Access to networks and network services

  • Information access restriction

  • Use of privileged utility programs

  • Access control to program source code

  • Network controls

  • Electronic messaging

  • Protection of records

  • Privacy and protection of personally identifiable information

MFA is enabled for the Alibaba Cloud account

An Alibaba Cloud account is compliant if multi-factor authentication (MFA) is enabled.

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

MFA is enabled for RAM users

A RAM user with console access enabled is compliant if MFA is enabled in the logon settings.

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

Security Center Enterprise Edition is used

An account is compliant if it uses Security Center Enterprise Edition or a later version.

  • A.12.2.1

  • A.12.4.1

  • A.12.6.1

  • A.16.1.1

  • A.16.1.2

  • Controls against malware

  • Event logging

  • Management of technical vulnerabilities

  • Responsibilities and procedures

  • Reporting information security events

Automatic rotation is configured for credentials in KMS

A credential in Key Management Service (KMS) is compliant if automatic rotation is configured. This rule does not apply to generic secrets.

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • A.18.1.5

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

  • Regulation of cryptographic controls

KMS credentials are rotated successfully

A KMS credential is compliant if automatic rotation is enabled and the credential has been successfully rotated within the configured rotation period. This rule does not apply to generic secrets because you cannot directly configure periodic rotation for them in KMS.

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • A.18.1.5

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

  • Regulation of cryptographic controls

The password policy for RAM users meets requirements

A password policy is compliant if all its configurations meet the specified parameter values.

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

The AccessKeys of RAM users are rotated within the specified period

An AccessKey of a RAM user is compliant if its age does not exceed the specified number of days. The default value is 90 days.

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

Full log tracking is enabled for ActionTrail

A trail in ActionTrail is compliant if it is enabled and tracks all regions and all event types. For a member account in a resource directory, the account is compliant if the administrator of the resource directory has created a trail that applies to all member accounts.

  • A.9.2.1

  • A.9.2.2

  • A.9.2.3

  • A.12.4.1

  • A.12.4.2

  • A.12.4.3

  • A.14.1.1

  • A.14.2.3

  • A.16.1.2

  • A.16.1.7

  • User registration and de-registration

  • User access provisioning

  • Management of privileged access rights

  • Event logging

  • Protection of log information

  • Administrator and operator logs

  • Information security requirements analysis and specification

  • Technical review of applications after operating platform changes

  • Reporting information security events

  • Collection of evidence

TDE is enabled for RDS instances

An RDS instance is compliant if transparent data encryption (TDE) is enabled in the data security settings. This rule does not apply to instance types or versions that do not support TDE.

A.10.1.1

Policy on the use of cryptographic controls

Secure access is configured in the access policy of the OSS bucket

An OSS bucket is compliant if its access policy requires HTTPS for read and write operations, or denies access over HTTP. This rule does not apply to OSS buckets with empty access policies.

  • A.10.1.1

  • A.13.2.1

  • A.14.1.2

  • Policy on the use of cryptographic controls

  • Information transfer policies and procedures

  • Securing application services on public networks

Server-side encryption is enabled for the OSS bucket

An OSS bucket is compliant if server-side encryption with fully managed OSS keys is enabled.

  • A.10.1.1

  • A.12.4.3

  • A.16.1.7

  • Policy on the use of cryptographic controls

  • Administrator and operator logs

  • Collection of evidence

The certificate used by SLB is issued by Alibaba Cloud

An SLB instance is compliant if the certificate it uses is issued by Alibaba Cloud.

  • A.10.1.1

  • A.13.2.1

  • A.14.1.2

  • Policy on the use of cryptographic controls

  • Information transfer policies and procedures

  • Securing application services on public networks

Encryption is configured for the NAS file system

A NAS file system is compliant if encryption is configured.

A.10.1.1

Policy on the use of cryptographic controls

Encryption is enabled for ECS data disks

An ECS data disk is compliant if encryption is enabled.

A.10.1.1

Policy on the use of cryptographic controls

Disk encryption is enabled for data nodes of the Elasticsearch instance

An Elasticsearch instance is compliant if disk encryption is enabled for its data nodes.

A.10.1.1

Policy on the use of cryptographic controls

TDE is enabled for the PolarDB cluster

A PolarDB cluster is compliant if TDE is enabled.

A.10.1.1

Policy on the use of cryptographic controls

Encryption is configured for all data tables in the Tablestore instance

A Tablestore instance is compliant if encryption is configured for all its data tables.

A.10.1.1

Policy on the use of cryptographic controls

Encryption is enabled for the MaxCompute project

A MaxCompute project is compliant if encryption is enabled. This rule does not apply to projects that are frozen.

A.10.1.1

Policy on the use of cryptographic controls

Automatic rotation is configured for master keys in KMS

A customer master key (CMK) in KMS is compliant if automatic rotation is configured. This rule does not apply to service keys or keys from Bring Your Own Key (BYOK).

  • A.10.1.2

  • A.18.1.5

  • Key management

  • Regulation of cryptographic controls

KMS master keys are not pending deletion

A KMS master key is compliant if it is not in the pending deletion state.

  • A.10.1.2

  • A.18.1.5

  • Key management

  • Regulation of cryptographic controls

SSL certificate expiration check

An SSL Certificate is compliant if it expires in more than the specified number of days. The default value is 30 days.

  • A.10.1.2

  • A.13.1.1

  • A.13.1.3

  • A.13.2.1

  • A.13.2.3

  • A.14.1.2

  • A.18.1.4

  • Key management

  • Network controls

  • Segregation in networks

  • Information transfer policies and procedures

  • Electronic messaging

  • Securing application services on public networks

  • Privacy and protection of personally identifiable information

A reasonable maintenance window is set for the PolarDB cluster

A PolarDB cluster is compliant if its maintenance window is within one of the specified time ranges. If the maintenance window overlaps with business peak hours, your services may be affected.

A.12.1.2

Change management

A reasonable maintenance window is set for the RDS instance

An RDS instance is compliant if its maintenance window is within one of the specified time ranges. If the maintenance window overlaps with business peak hours, your services may be affected.

A.12.1.2

Change management

A reasonable creation time is set for the automatic snapshot policy

An automatic snapshot policy is compliant if the snapshot creation time is within the specified time range. Creating a snapshot temporarily reduces the I/O performance of block storage, typically by less than 10%, which causes a brief slowdown. We recommend that you schedule snapshots outside of business peak hours.

A.12.1.2

Change management

Function settings in Function Compute meet specified parameter requirements

A function in Function Compute 2.0 is compliant if its settings meet the specified parameter requirements.

A.12.1.3

Capacity management

The number of available IP addresses for the VPC vSwitch is greater than the specified value

A VPC vSwitch is compliant if its number of available IP addresses is greater than the specified value.

A.12.1.3

Capacity management

An automatic snapshot policy is configured for the ECS disk

An ECS disk is compliant if an automatic snapshot policy is configured.

A.12.3.1

Information backup

A backup schedule is created for the NAS file system

Creating a backup plan for a NAS file system is a compliance requirement.

A.12.3.1

Information backup

Log backup is enabled for the ADB cluster

An ADB cluster is compliant if log backup is enabled.

A.12.3.1

Information backup

Log backup is enabled for the RDS instance

An RDS instance is compliant if log backup is enabled.

A.12.3.1

Information backup

Incremental backup is enabled for the Redis instance

A Redis instance is compliant if incremental backup is enabled. This rule applies only to Tair or Enterprise Edition instances. This rule does not apply to other instance types.

A.12.3.1

Information backup

Zone-redundant storage is enabled for the OSS bucket

An OSS bucket is compliant if zone-redundant storage is enabled. If zone-redundant storage is not enabled, OSS cannot ensure service continuity when a data center becomes unavailable, which affects data restoration objectives.

  • A.12.3.1

  • A.17.1.2

  • A.17.2.1

  • Information backup

  • Implementing information security continuity

  • Availability of information processing facilities

The retention period for level-1 backups of the PolarDB cluster meets specified requirements

A PolarDB cluster is compliant if its level-1 backup retention period is greater than or equal to the specified number of days. The default value is 7 days.

A.12.3.1

Information backup

Versioning is enabled for the OSS bucket

An OSS bucket is compliant if versioning is enabled. If versioning is not enabled, data that is overwritten or deleted cannot be recovered.

  • A.12.4.1

  • A.12.4.2

  • A.17.1.2

  • Event logging

  • Protection of log information

  • Implementing information security continuity

Access logging is enabled for the SLB instance

A Classic Load Balancer instance is compliant if access logging is enabled. This rule does not apply to instances that do not have Layer 7 listeners, because access logging is not supported for them.

  • A.12.4.1

  • A.14.1.1

  • A.14.2.3

  • A.16.1.7

  • Event logging

  • Information security requirements analysis and specification

  • Technical review of applications after operating platform changes

  • Collection of evidence

Flow log recording is enabled for the VPC

A VPC is compliant if the flow log recording feature is enabled.

  • A.12.4.1

  • A.14.1.1

  • A.14.2.3

  • A.16.1.7

  • Event logging

  • Information security requirements analysis and specification

  • Technical review of applications after operating platform changes

  • Collection of evidence

Log storage is configured for API group calls

An API group in API Gateway is compliant if log storage is configured for its calls.

A.12.4.1

Event logging

Log storage is enabled for the OSS bucket

An OSS bucket is compliant if log storage is enabled in Log Management.

A.12.4.1

Event logging

SQL Audit is enabled for the PolarDB cluster

A PolarDB cluster is compliant if its SQL Audit status is enabled.

  • A.12.4.1

  • A.14.2.3

  • A.16.1.1

  • A.16.1.7

  • Event logging

  • Technical review of applications after operating platform changes

  • Responsibilities and procedures

  • Collection of evidence

The log backup retention period for the PolarDB cluster meets specified requirements

A PolarDB cluster is compliant if its log backup retention period is greater than or equal to the specified number of days. The default value is 30 days. The cluster is not compliant if log backup is disabled or the retention period is less than the specified number of days.

A.12.4.2

Protection of log information

Running ECS instances have no vulnerabilities to be fixed

An ECS instance is compliant if it has no unpatched vulnerabilities of the specified type and severity in Security Center. This rule applies only to running instances.

A.12.6.1

Management of technical vulnerabilities

The specified protocol in the security group does not allow high-risk ports to be open to all CIDR blocks

A security group is compliant if its inbound rules for the specified protocol do not expose the specified high-risk ports to the 0.0.0.0/0 CIDR block. The security group is considered compliant if the inbound CIDR block is not 0.0.0.0/0, even if the port range includes high-risk ports. The security group is also compliant if a higher-priority authorization policy denies access to a detected high-risk port. This rule does not apply to security groups used by cloud products or virtual businesses.

  • A.13.1.1

  • A.13.1.3

  • A.13.2.3

  • A.18.1.4

  • Network controls

  • Segregation in networks

  • Electronic messaging

  • Privacy and protection of personally identifiable information

The IP address whitelist of the PolarDB instance is not set to all CIDR blocks

A PolarDB instance is compliant if its IP address whitelist is not set to 0.0.0.0/0.

  • A.13.1.1

  • A.13.1.3

  • A.18.1.3

  • A.18.1.4

  • Network controls

  • Segregation in networks

  • Protection of records

  • Privacy and protection of personally identifiable information

SSL encryption is configured for the PolarDB cluster

A PolarDB cluster is compliant if Secure Sockets Layer (SSL) encryption is configured.

  • A.13.2.1

  • A.14.1.2

  • Information transfer policies and procedures

  • Securing application services on public networks

TLS 1.3 version check is enabled for the CDN accelerated domain name

A CDN accelerated domain name is compliant if TLS 1.3 is enabled.

  • A.13.2.1

  • A.14.1.2

  • Information transfer policies and procedures

  • Securing application services on public networks

The source and destination databases of a DTS sync task use secure SSL connections

A DTS instance is compliant if both the source and destination databases of its sync task use secure SSL connections. This rule does not apply to DTS instances with task types other than sync.

A.13.2.1

Information transfer policies and procedures

The Function Compute function is bound to a custom domain name and a specified TLS version is enabled

A Function Compute function is compliant if it is bound to a custom domain name and the specified TLS version is enabled.

  • A.13.2.1

  • A.14.1.2

  • Information transfer policies and procedures

  • Securing application services on public networks

HTTPS listener is enabled for SLB

An SLB instance is compliant if an HTTPS listener is enabled on the specified port. This rule does not apply if the SLB instance has only TCP or UDP listeners enabled.

  • A.13.2.1

  • A.14.1.2

  • Information transfer policies and procedures

  • Securing application services on public networks

The CloudMonitor agent is installed on ACK cluster nodes

An ACK cluster is compliant if the CloudMonitor agent is installed on all its nodes and the agent is running properly.

  • A.14.2.1

  • A.16.1.1

  • A.16.1.2

  • Secure development policy

  • Responsibilities and procedures

  • Reporting information security events

The CloudMonitor agent is installed on running ECS instances

An ECS instance is compliant if the CloudMonitor agent is installed and running. This rule applies only to running instances.

  • A.12.5.1

  • A.14.2.1

  • A.16.1.1

  • A.16.1.2

  • Installation of software on operational systems

  • Secure development policy

  • Responsibilities and procedures

  • Reporting information security events

A notification method is configured for notification items in Security Center

An account is compliant if a notification method is configured for all notification items in Security Center.

A.16.1.2

Reporting information security events

The IPsec VPN connection is established

An IPsec VPN connection is compliant if its status is "Established".

A.17.1.2

Implementing information security continuity

Release protection is enabled for the SLB instance

An SLB instance is compliant if release protection is enabled.

A.17.1.2

Implementing information security continuity

ECS instance health check is enabled for the Auto Scaling group

An Auto Scaling group is compliant if health checks are enabled for its ECS instances.

  • A.17.1.2

  • A.17.2.1

  • Implementing information security continuity

  • Availability of information processing facilities

Multi-zone RDS instances are used

An RDS instance is compliant if it is a multi-zone instance.

  • A.17.1.2

  • A.17.2.1

  • Implementing information security continuity

  • Availability of information processing facilities

Deletion protection is enabled for the PolarDB cluster

A PolarDB cluster is compliant if deletion protection is enabled. This rule does not apply to subscription clusters.

A.17.1.2

Implementing information security continuity

Enable deletion protection for ACK clusters

An ACK cluster is compliant if release protection is enabled.

A.17.1.2

Implementing information security continuity

A hot standby cluster is enabled for the PolarDB cluster

A PolarDB cluster is compliant if a hot standby storage cluster is enabled and data is distributed across multiple zones.

  • A.17.1.2

  • A.17.2.1

  • Implementing information security continuity

  • Availability of information processing facilities

The Auto Scaling group is associated with at least two vSwitches

An Auto Scaling group is compliant if it is associated with at least two vSwitches.

A.17.2.1

Availability of information processing facilities

Multi-zone ALB instances are used

An ALB instance is compliant if it is a multi-zone instance. If only one zone is selected, a failure in that zone can affect the ALB instance and impact service stability.

A.17.2.1

Availability of information processing facilities

Regional multi-zone clusters are used

An ACK cluster is compliant if it is a regional cluster with nodes distributed across three or more zones.

A.17.2.1

Availability of information processing facilities

Health checks are configured for all listeners and forwarding rules of the ALB instance

An ALB instance is compliant if health checks are configured for all its listeners and forwarding rules.

A.17.2.1

Availability of information processing facilities