The ISO 27001 security management standard compliance pack is based on the security management standards in Annex A of ISO/IEC 27001:2013. It provides recommended compliance checks for detecting and governing cloud resource risks. These checks help your organization implement, maintain, and continuously improve its information security management. This topic describes the default rules included in the compliance pack.
Rule name | Rule description | Recommendation number | Recommendation description |
A Resource Access Management (RAM) user is compliant if console access and API call access are not enabled simultaneously. | A.6.1.2 | Segregation of duties | |
A RAM user is compliant if no access policies are directly attached. Permissions should be inherited from a RAM user group or RAM role. | A.6.1.2 | Segregation of duties | |
A RAM user group is compliant if it contains at least one RAM user and has at least one RAM access policy attached. |
|
| |
A RAM user group is compliant if it contains at least one RAM user. |
|
| |
A resource is compliant if no RAM users, RAM user groups, or RAM roles have super administrator permissions, where Resource is * and Action is *. |
|
| |
A RAM access policy is compliant if it is attached to at least one RAM user group, RAM role, or RAM user. |
|
| |
Security Center protection is enabled for running ECS instances | An instance is compliant if the Security Center agent is installed to provide host security protection. This rule applies only to running instances. |
|
|
A resource is compliant if it has all the specified tags. You can define up to 10 tag groups, and you must enter only one value for each group. Tag input is case-sensitive. |
|
| |
The resource group of an ECS associated resource is inherited from the ECS instance | This rule checks whether a resource associated with an ECS instance inherits the resource group of the instance. The resource is compliant if it is attached to an ECS instance and they share the same resource group. This rule does not apply if the resource is not attached to an ECS instance. |
|
|
The resource group associated with a resource is not the default resource group | A resource is compliant if its associated resource group is not the default resource group. This rule does not apply if no resource group is associated. |
|
|
An Alibaba Cloud account is compliant if it does not have an AccessKey in any state. |
|
| |
A RAM user is compliant if no access policies are directly attached. Permissions should be inherited from a RAM user group or RAM role. |
|
| |
Public network access is disabled for Elasticsearch instances | An Elasticsearch instance is compliant if public network access is disabled. |
|
|
An OSS bucket is compliant if its access control list (ACL) policy prohibits public-read-write access. |
|
| |
Public network access is disabled for the Function Compute service | A Function Compute service is compliant if public network access is disabled. |
|
|
Alibaba Cloud recommends that you deploy ECS instances in a virtual private cloud (VPC). An ECS instance is compliant if it is in a VPC. If parameters are specified, the rule also checks whether the instance's VPC is within the specified range. This rule applies only to running ECS instances. |
|
| |
An ADB instance is compliant if public network access is disabled. |
|
| |
An RDS instance is compliant if no public endpoint is configured. Configuring Direct Internet Access for RDS instances in a production environment makes them vulnerable to cyberattacks. |
|
| |
An ACK cluster is compliant if no public endpoint is configured. |
|
| |
An instance is compliant if enforced mode is used to access its instance metadata. |
|
| |
The Function Compute service is configured to allow calls only from specified VPCs | A Function Compute service is compliant if it is configured to allow calls only from specified VPCs. |
|
|
An OSS bucket is compliant if its ACL policy prohibits public-read access. |
|
| |
Running ECS instances are not associated with public IP addresses | A running ECS instance is compliant if it is not directly associated with an IPv4 public IP address or an Elastic IP Address. |
|
|
Public network access is disabled for all endpoints of a PolarDB cluster | A PolarDB cluster is compliant if public network access is disabled for all its endpoints. |
|
|
An Alibaba Cloud account is compliant if multi-factor authentication (MFA) is enabled. |
|
| |
A RAM user with console access enabled is compliant if MFA is enabled in the logon settings. |
|
| |
An account is compliant if it uses Security Center Enterprise Edition or a later version. |
|
| |
A credential in Key Management Service (KMS) is compliant if automatic rotation is configured. This rule does not apply to generic secrets. |
|
| |
A KMS credential is compliant if automatic rotation is enabled and the credential has been successfully rotated within the configured rotation period. This rule does not apply to generic secrets because you cannot directly configure periodic rotation for them in KMS. |
|
| |
A password policy is compliant if all its configurations meet the specified parameter values. |
|
| |
The AccessKeys of RAM users are rotated within the specified period | An AccessKey of a RAM user is compliant if its age does not exceed the specified number of days. The default value is 90 days. |
|
|
A trail in ActionTrail is compliant if it is enabled and tracks all regions and all event types. For a member account in a resource directory, the account is compliant if the administrator of the resource directory has created a trail that applies to all member accounts. |
|
| |
An RDS instance is compliant if transparent data encryption (TDE) is enabled in the data security settings. This rule does not apply to instance types or versions that do not support TDE. | A.10.1.1 | Policy on the use of cryptographic controls | |
Secure access is configured in the access policy of the OSS bucket | An OSS bucket is compliant if its access policy requires HTTPS for read and write operations, or denies access over HTTP. This rule does not apply to OSS buckets with empty access policies. |
|
|
An OSS bucket is compliant if server-side encryption with fully managed OSS keys is enabled. |
|
| |
An SLB instance is compliant if the certificate it uses is issued by Alibaba Cloud. |
|
| |
A NAS file system is compliant if encryption is configured. | A.10.1.1 | Policy on the use of cryptographic controls | |
An ECS data disk is compliant if encryption is enabled. | A.10.1.1 | Policy on the use of cryptographic controls | |
Disk encryption is enabled for data nodes of the Elasticsearch instance | An Elasticsearch instance is compliant if disk encryption is enabled for its data nodes. | A.10.1.1 | Policy on the use of cryptographic controls |
A PolarDB cluster is compliant if TDE is enabled. | A.10.1.1 | Policy on the use of cryptographic controls | |
Encryption is configured for all data tables in the Tablestore instance | A Tablestore instance is compliant if encryption is configured for all its data tables. | A.10.1.1 | Policy on the use of cryptographic controls |
A MaxCompute project is compliant if encryption is enabled. This rule does not apply to projects that are frozen. | A.10.1.1 | Policy on the use of cryptographic controls | |
A customer master key (CMK) in KMS is compliant if automatic rotation is configured. This rule does not apply to service keys or keys from Bring Your Own Key (BYOK). |
|
| |
A KMS master key is compliant if it is not in the pending deletion state. |
|
| |
An SSL Certificate is compliant if it expires in more than the specified number of days. The default value is 30 days. |
|
| |
A reasonable maintenance window is set for the PolarDB cluster | A PolarDB cluster is compliant if its maintenance window is within one of the specified time ranges. If the maintenance window overlaps with business peak hours, your services may be affected. | A.12.1.2 | Change management |
An RDS instance is compliant if its maintenance window is within one of the specified time ranges. If the maintenance window overlaps with business peak hours, your services may be affected. | A.12.1.2 | Change management | |
A reasonable creation time is set for the automatic snapshot policy | An automatic snapshot policy is compliant if the snapshot creation time is within the specified time range. Creating a snapshot temporarily reduces the I/O performance of block storage, typically by less than 10%, which causes a brief slowdown. We recommend that you schedule snapshots outside of business peak hours. | A.12.1.2 | Change management |
Function settings in Function Compute meet specified parameter requirements | A function in Function Compute 2.0 is compliant if its settings meet the specified parameter requirements. | A.12.1.3 | Capacity management |
The number of available IP addresses for the VPC vSwitch is greater than the specified value | A VPC vSwitch is compliant if its number of available IP addresses is greater than the specified value. | A.12.1.3 | Capacity management |
An ECS disk is compliant if an automatic snapshot policy is configured. | A.12.3.1 | Information backup | |
Creating a backup plan for a NAS file system is a compliance requirement. | A.12.3.1 | Information backup | |
An ADB cluster is compliant if log backup is enabled. | A.12.3.1 | Information backup | |
An RDS instance is compliant if log backup is enabled. | A.12.3.1 | Information backup | |
A Redis instance is compliant if incremental backup is enabled. This rule applies only to Tair or Enterprise Edition instances. This rule does not apply to other instance types. | A.12.3.1 | Information backup | |
An OSS bucket is compliant if zone-redundant storage is enabled. If zone-redundant storage is not enabled, OSS cannot ensure service continuity when a data center becomes unavailable, which affects data restoration objectives. |
|
| |
The retention period for level-1 backups of the PolarDB cluster meets specified requirements | A PolarDB cluster is compliant if its level-1 backup retention period is greater than or equal to the specified number of days. The default value is 7 days. | A.12.3.1 | Information backup |
An OSS bucket is compliant if versioning is enabled. If versioning is not enabled, data that is overwritten or deleted cannot be recovered. |
|
| |
A Classic Load Balancer instance is compliant if access logging is enabled. This rule does not apply to instances that do not have Layer 7 listeners, because access logging is not supported for them. |
|
| |
A VPC is compliant if the flow log recording feature is enabled. |
|
| |
An API group in API Gateway is compliant if log storage is configured for its calls. | A.12.4.1 | Event logging | |
An OSS bucket is compliant if log storage is enabled in Log Management. | A.12.4.1 | Event logging | |
A PolarDB cluster is compliant if its SQL Audit status is enabled. |
|
| |
The log backup retention period for the PolarDB cluster meets specified requirements | A PolarDB cluster is compliant if its log backup retention period is greater than or equal to the specified number of days. The default value is 30 days. The cluster is not compliant if log backup is disabled or the retention period is less than the specified number of days. | A.12.4.2 | Protection of log information |
An ECS instance is compliant if it has no unpatched vulnerabilities of the specified type and severity in Security Center. This rule applies only to running instances. | A.12.6.1 | Management of technical vulnerabilities | |
A security group is compliant if its inbound rules for the specified protocol do not expose the specified high-risk ports to the 0.0.0.0/0 CIDR block. The security group is considered compliant if the inbound CIDR block is not 0.0.0.0/0, even if the port range includes high-risk ports. The security group is also compliant if a higher-priority authorization policy denies access to a detected high-risk port. This rule does not apply to security groups used by cloud products or virtual businesses. |
|
| |
The IP address whitelist of the PolarDB instance is not set to all CIDR blocks | A PolarDB instance is compliant if its IP address whitelist is not set to 0.0.0.0/0. |
|
|
A PolarDB cluster is compliant if Secure Sockets Layer (SSL) encryption is configured. |
|
| |
TLS 1.3 version check is enabled for the CDN accelerated domain name | A CDN accelerated domain name is compliant if TLS 1.3 is enabled. |
|
|
The source and destination databases of a DTS sync task use secure SSL connections | A DTS instance is compliant if both the source and destination databases of its sync task use secure SSL connections. This rule does not apply to DTS instances with task types other than sync. | A.13.2.1 | Information transfer policies and procedures |
A Function Compute function is compliant if it is bound to a custom domain name and the specified TLS version is enabled. |
|
| |
An SLB instance is compliant if an HTTPS listener is enabled on the specified port. This rule does not apply if the SLB instance has only TCP or UDP listeners enabled. |
|
| |
An ACK cluster is compliant if the CloudMonitor agent is installed on all its nodes and the agent is running properly. |
|
| |
The CloudMonitor agent is installed on running ECS instances | An ECS instance is compliant if the CloudMonitor agent is installed and running. This rule applies only to running instances. |
|
|
A notification method is configured for notification items in Security Center | An account is compliant if a notification method is configured for all notification items in Security Center. | A.16.1.2 | Reporting information security events |
An IPsec VPN connection is compliant if its status is "Established". | A.17.1.2 | Implementing information security continuity | |
An SLB instance is compliant if release protection is enabled. | A.17.1.2 | Implementing information security continuity | |
ECS instance health check is enabled for the Auto Scaling group | An Auto Scaling group is compliant if health checks are enabled for its ECS instances. |
|
|
An RDS instance is compliant if it is a multi-zone instance. |
|
| |
A PolarDB cluster is compliant if deletion protection is enabled. This rule does not apply to subscription clusters. | A.17.1.2 | Implementing information security continuity | |
An ACK cluster is compliant if release protection is enabled. | A.17.1.2 | Implementing information security continuity | |
A PolarDB cluster is compliant if a hot standby storage cluster is enabled and data is distributed across multiple zones. |
|
| |
The Auto Scaling group is associated with at least two vSwitches | An Auto Scaling group is compliant if it is associated with at least two vSwitches. | A.17.2.1 | Availability of information processing facilities |
An ALB instance is compliant if it is a multi-zone instance. If only one zone is selected, a failure in that zone can affect the ALB instance and impact service stability. | A.17.2.1 | Availability of information processing facilities | |
An ACK cluster is compliant if it is a regional cluster with nodes distributed across three or more zones. | A.17.2.1 | Availability of information processing facilities | |
Health checks are configured for all listeners and forwarding rules of the ALB instance | An ALB instance is compliant if health checks are configured for all its listeners and forwarding rules. | A.17.2.1 | Availability of information processing facilities |