Lists the default rules in the ComplianceCheckOnTrainingArchitectureOfGPUAIModel compliance pack. These rules verify that core resources (ECS, NAS, and OSS) in your GPU-based AI training architecture meet design requirements.
|
Rule name |
Rule description |
|
An ACK cluster is compliant if it does not have a public endpoint. |
|
|
An ACK cluster is compliant if it is upgraded to the latest version. |
|
|
An ACK cluster is compliant if its version is still under maintenance. |
|
|
Encryption at rest is configured for Secrets in the ACK cluster |
An ACK cluster is compliant if encryption at rest is configured for its Secrets. This rule is not applicable to ACK Basic clusters. |
|
The CloudMonitor agent is installed on running ECS instances |
A running ECS instance is compliant if the CloudMonitor agent is installed and running. Does not apply to stopped instances. |
|
Security Center protection is enabled for running ECS instances |
A running ECS instance is compliant if the Security Center plugin is installed. Does not apply to stopped instances. |
|
An ECS instance is compliant if deletion protection is enabled. |
|
|
The image used by the ECS instance was created within the specified number of days |
An ECS instance is compliant if its image age is less than the specified value. Default: 180 days. |
|
An ECS instance is compliant if it is not stopped. Does not apply to expired instances or instances with Economical Mode enabled. |
|
|
An ECS instance is compliant if no public IPv4 address or EIP is directly assigned to it. |
|
|
An ECS instance is compliant if an instance RAM role is attached to it. |
|
|
An ECS instance is compliant if no SSH key pair is attached. Applies to enterprises with special instance access control requirements. |
|
|
A security group is compliant if no Allow inbound rule has both port range -1/-1 and source 0.0.0.0/0, or if a higher-priority rule denies such access. Does not apply to security groups used by Alibaba Cloud services or virtual server providers. |
|
|
The security group does not open risky ports to all networks for a specified protocol |
A security group is compliant if inbound rules from 0.0.0.0/0 do not open risky ports for a specified protocol, or if a higher-priority rule denies access. Does not apply to security groups used by Alibaba Cloud services or virtual server providers. Default risky ports: 22 and 3389. |
|
A RAM policy is enabled for the NAS file storage access point |
A NAS file storage access point is compliant if a RAM policy is enabled for it. |
|
A NAS file system is compliant if a backup plan is created for it. |
|
|
The root directory of the NAS file storage access point is not set to the default directory |
A file storage access point is compliant if its root directory is not set to the default directory. |
|
A NAS file system is compliant if encryption is configured. |
|
|
The ACL of the OSS bucket does not allow public-read-write access |
An OSS bucket is compliant if its ACL does not allow public-read-write access. Public-read-write permissions expose the bucket to malicious data injection. |
|
An OSS bucket is compliant if its ACL does not allow public-read access. Public-read permissions increase the risk of data leaks. |
|
|
The ACL of the OSS bucket does not allow public-read-write access |
An OSS bucket is compliant if its ACL does not allow public-read-write access. Public-read-write permissions expose the bucket to malicious data injection. |
|
An OSS bucket is compliant if zone-redundant storage (ZRS) is enabled. ZRS ensures data availability and durability when a data center becomes unavailable. |
|
|
An OSS bucket is compliant if server-side encryption with OSS-managed keys or KMS-managed keys is enabled. |
|
|
An OSS bucket is compliant if log storage is enabled in Log Management for the bucket. |
|
|
Server-side encryption with KMS is enabled for the OSS bucket |
An OSS bucket is compliant if server-side encryption with KMS-managed keys is enabled. |
|
An OSS bucket is compliant if versioning is enabled, allowing data recovery after overwrites or deletions. Does not apply if a data retention policy is enabled. |
|
|
The access policy of the OSS bucket is configured for secure access |
An OSS bucket is compliant if its access policy requires HTTPS for read and write operations or denies HTTP access. Does not apply to buckets with an empty access policy. |
|
A VPC is compliant if its associated route table contains at least one route for an IP address within the custom CIDR block. |
|
|
A VPC is compliant if the flow log feature is enabled. |
|
|
The number of available IP addresses in the vSwitch is greater than the specified value |
A vSwitch is compliant if its available IP address count is greater than the specified value. |