Best practices for AI model training architecture detection

更新时间:
复制 MD 格式

Lists the default rules in the ComplianceCheckOnTrainingArchitectureOfGPUAIModel compliance pack. These rules verify that core resources (ECS, NAS, and OSS) in your GPU-based AI training architecture meet design requirements.

Rule name

Rule description

The ACK cluster does not have a public endpoint

An ACK cluster is compliant if it does not have a public endpoint.

The ACK cluster is upgraded to the latest version

An ACK cluster is compliant if it is upgraded to the latest version.

A supported version of ACK is used

An ACK cluster is compliant if its version is still under maintenance.

Encryption at rest is configured for Secrets in the ACK cluster

An ACK cluster is compliant if encryption at rest is configured for its Secrets. This rule is not applicable to ACK Basic clusters.

The CloudMonitor agent is installed on running ECS instances

A running ECS instance is compliant if the CloudMonitor agent is installed and running. Does not apply to stopped instances.

Security Center protection is enabled for running ECS instances

A running ECS instance is compliant if the Security Center plugin is installed. Does not apply to stopped instances.

Deletion protection is enabled for the ECS instance

An ECS instance is compliant if deletion protection is enabled.

The image used by the ECS instance was created within the specified number of days

An ECS instance is compliant if its image age is less than the specified value. Default: 180 days.

The ECS instance is not in the Stopped state

An ECS instance is compliant if it is not stopped. Does not apply to expired instances or instances with Economical Mode enabled.

The ECS instance is not assigned a public IP address

An ECS instance is compliant if no public IPv4 address or EIP is directly assigned to it.

An instance RAM role is attached to the ECS instance

An ECS instance is compliant if an instance RAM role is attached to it.

An SSH key pair is not attached to the ECS instance

An ECS instance is compliant if no SSH key pair is attached. Applies to enterprises with special instance access control requirements.

The inbound rules of the security group are valid

A security group is compliant if no Allow inbound rule has both port range -1/-1 and source 0.0.0.0/0, or if a higher-priority rule denies such access. Does not apply to security groups used by Alibaba Cloud services or virtual server providers.

The security group does not open risky ports to all networks for a specified protocol

A security group is compliant if inbound rules from 0.0.0.0/0 do not open risky ports for a specified protocol, or if a higher-priority rule denies access. Does not apply to security groups used by Alibaba Cloud services or virtual server providers. Default risky ports: 22 and 3389.

A RAM policy is enabled for the NAS file storage access point

A NAS file storage access point is compliant if a RAM policy is enabled for it.

A backup plan is created for the NAS file system

A NAS file system is compliant if a backup plan is created for it.

The root directory of the NAS file storage access point is not set to the default directory

A file storage access point is compliant if its root directory is not set to the default directory.

Encryption is configured for the NAS file system

A NAS file system is compliant if encryption is configured.

The ACL of the OSS bucket does not allow public-read-write access

An OSS bucket is compliant if its ACL does not allow public-read-write access. Public-read-write permissions expose the bucket to malicious data injection.

The ACL of the OSS bucket does not allow public-read access

An OSS bucket is compliant if its ACL does not allow public-read access. Public-read permissions increase the risk of data leaks.

The ACL of the OSS bucket does not allow public-read-write access

An OSS bucket is compliant if its ACL does not allow public-read-write access. Public-read-write permissions expose the bucket to malicious data injection.

Zone-redundant storage is enabled for the OSS bucket

An OSS bucket is compliant if zone-redundant storage (ZRS) is enabled. ZRS ensures data availability and durability when a data center becomes unavailable.

Server-side encryption is enabled for the OSS bucket

An OSS bucket is compliant if server-side encryption with OSS-managed keys or KMS-managed keys is enabled.

Log storage is enabled for the OSS bucket

An OSS bucket is compliant if log storage is enabled in Log Management for the bucket.

Server-side encryption with KMS is enabled for the OSS bucket

An OSS bucket is compliant if server-side encryption with KMS-managed keys is enabled.

Versioning is enabled for the OSS bucket

An OSS bucket is compliant if versioning is enabled, allowing data recovery after overwrites or deletions. Does not apply if a data retention policy is enabled.

The access policy of the OSS bucket is configured for secure access

An OSS bucket is compliant if its access policy requires HTTPS for read and write operations or denies HTTP access. Does not apply to buckets with an empty access policy.

A route is configured for the custom CIDR block of the VPC

A VPC is compliant if its associated route table contains at least one route for an IP address within the custom CIDR block.

Flow log collection is enabled for the VPC

A VPC is compliant if the flow log feature is enabled.

The number of available IP addresses in the vSwitch is greater than the specified value

A vSwitch is compliant if its available IP address count is greater than the specified value.