The Alibaba Cloud platform security best practices compliance package continuously detects risky configurations across account security, cloud resource security, network security, data security, backup and recovery, and log audits.
|
Rule name |
Rule description |
|
An Alibaba Cloud account is considered compliant if multi-factor authentication (MFA) is enabled. MFA reduces the risk of account theft. |
|
|
An Alibaba Cloud account is considered compliant if it does not have an AccessKey. The AccessKey of an Alibaba Cloud account has unrestricted permissions, and a leak can have catastrophic consequences. Use RAM user AccessKeys with proper access control instead. |
|
|
An API Gateway API is considered compliant if it uses HTTPS for public requests to encrypt data in transit. APIs restricted to internal network calls are not applicable. |
|
|
An accelerated domain name is considered compliant if HTTPS is enabled to encrypt data in transit. |
|
|
An ECS disk is considered compliant if an automatic snapshot policy is configured. Disks not in use, disks that do not support automatic snapshot policies, or disks mounted on ACK clusters for non-persistent use are not applicable. Automatic snapshots enable quick recovery from security events such as virus intrusions or ransomware attacks. |
|
|
An ECS instance is considered compliant if the Security Center plugin is installed. Instances that are not running are not applicable. |
|
|
An ECS instance is considered compliant if its network type is VPC. If a parameter is specified, the instance is compliant only if it is in the specified VPC. VPC provides basic network isolation for your cloud environment. |
|
|
A Linux host is considered compliant if a key pair is used for logon. SSH key pairs provide secure and convenient authentication that resists brute-force attacks. |
|
|
Prevent security groups from opening risky ports to all IP addresses for specified protocols |
A security group is considered compliant if its inbound rule for a specified protocol does not open specified risky ports to 0.0.0.0/0. This reduces the risk of brute-force attacks. A security group is also compliant if a higher-priority authorization policy rejects the risky port. Security groups used by cloud products or virtual operators are not applicable. By default, this rule detects risky ports 22 and 3389. |
|
A MongoDB instance is considered compliant if public network access is disabled or the whitelist does not allow access from any source. This prevents brute-force attacks and reduces the risk of data leaks. |
|
|
A MongoDB instance is considered compliant if log backup is enabled. Log backups allow you to restore data to any point in time within the retention period. |
|
|
An OSS bucket is considered compliant if its access control list (ACL) is not set to public-read-write. Public-read-write allows any visitor to write to the bucket, creating a risk of malicious data injection. |
|
|
An OSS bucket is considered compliant if its ACL is not set to public-read. Public-read increases the risk of data leaks. |
|
|
Set an access policy for public OSS buckets and grant no permissions to anonymous accounts |
An OSS bucket with public read or write permissions is considered compliant if its authorization policy does not grant read or write permissions to anonymous accounts. This reduces the risk of data leaks. Buckets with private permissions are not applicable. |
|
Do not enable public access for PolarDB instances or set the IP whitelist to all network segments |
A PolarDB instance is considered compliant if public network access is disabled or the IP whitelist does not allow access from all IP addresses. This prevents brute-force attacks and reduces the risk of data leaks. |
|
A PolarDB cluster is considered compliant if SSL encryption is enabled to protect data in transit. |
|
|
Set the log backup retention period for PolarDB clusters to more than 30 days |
A PolarDB cluster is considered compliant if its log backup retention period is at least the specified number of days (default: 30 days). Non-compliant if log backup is disabled or the retention period is shorter. Log backups enable point-in-time data restoration. |
|
Do not grant super administrator (Admin) permissions to RAM users |
Compliant if no RAM user, RAM user group, or RAM role is granted Admin permissions (Resource: *, Action: *). Follow the principle of least privilege. |
|
A RAM user with console access is considered compliant if MFA is enabled. MFA reduces the risk of account theft. |
|
|
A RAM user's AccessKey is considered compliant if it has been used within the specified number of days (default: 90 days). Disable idle AccessKeys promptly. |
|
|
An RDS instance is considered compliant if it has no public IP address. Direct Internet Access in production environments makes instances vulnerable to brute-force attacks and data leaks. |
|
|
An RDS instance is considered compliant if log backup is enabled. Read-only instances are not applicable. Log backups enable point-in-time data restoration. |
|
|
Enable SSL for RDS instances and use a specified TLS version |
An RDS instance is considered compliant if SSL is enabled and the TLS version matches a version specified by the parameter. This encrypts data in transit. |
|
Do not enable public access for Redis instances or set the whitelist to allow access from any source |
A Redis instance is considered compliant if public network access is disabled or its whitelist does not allow access from any source. Unrestricted public access exposes instances to brute-force attacks and data leaks. |
|
A Redis instance is considered compliant if SSL encryption is enabled to protect data in transit. |
|
|
A Redis instance is considered compliant if incremental backup is enabled. Only Tair or Enterprise Edition instances are applicable. Incremental backups enable point-in-time data restoration. |
|
|
Do not configure the access control list of a CLB instance to all address segments |
A CLB instance is considered compliant if its access control list does not contain a 0.0.0.0/0 entry. For non-HTTP/HTTPS services, enable access control with a whitelist that excludes 0.0.0.0/0. |
|
A CLB instance is considered compliant if its listeners do not monitor specified risky ports. Do not forward ports such as 22 and 3389 to the internet to reduce brute-force attack risk. |
|
|
A CLB instance is considered compliant if an HTTPS listener is configured on a specified port to encrypt data in transit. Instances with only TCP or UDP listeners are not applicable. Default port: 443. Multiple ports can be comma-separated; the instance is compliant if any specified port has an HTTPS listener. |
|
|
A VPC is considered compliant if its inbound rules for TCP or UDP on ports 22 and 3389 do not allow source 0.0.0.0/0. This reduces the risk of brute-force attacks. |