Cloud Config provides default rules based on CIS Benchmarks to check your network architecture and data security configuration, reducing the risk of breaches. The following table lists these rules.
|
Rule name |
Description |
|
Verifies that encryption is enabled for each in-use ECS data disk. |
|
|
If vpcIds is not configured, verifies that each ECS instance uses the VPC network type. If vpcIds is configured, verifies that each instance resides in a specified VPC. Separate multiple values with commas (,). |
|
|
Verifies that server-side encryption is enabled for each OSS bucket. |
|
|
Verifies that no public endpoint is configured for each RDS instance. Avoid exposing RDS instances directly to the Internet in production environments. |
|
|
Verifies that MFA is enabled for each RAM user with console access. |
|
|
Verifies that no AccessKey pairs are created for the Alibaba Cloud account. |
|
|
Verifies that multi-factor authentication (MFA) is enabled for the Alibaba Cloud account. |
|
|
Verifies that password policies for RAM users meet the specified requirements. |
|
|
Verifies that no RAM user, user group, or role has the Action parameter set to * (super administrator permissions). |
|
|
Verifies that no policy is directly attached to any RAM user. RAM users should inherit permissions from user groups or roles. |
|
|
Verifies that logging is enabled for each OSS bucket. |
|
|
Verifies that a custom KMS key encrypts data in each OSS bucket. |
|
|
Verifies that SQL explorer and audit is enabled for each ApsaraDB RDS instance. |
|
|
The SQL Audit log retention period for an RDS instance is compliant |
Verifies that SQL explorer and audit is enabled for each ApsaraDB RDS for MySQL instance and the log retention period meets the specified minimum. Default: 180 days. |
|
Verifies that the log_connections parameter is set to on for each ApsaraDB RDS for PostgreSQL instance. |
|
|
Verifies that the log_disconnections parameter is set to on for each ApsaraDB RDS for PostgreSQL instance. |
|
|
Verifies that the log_duration parameter is set to on for each ApsaraDB RDS for PostgreSQL instance. |
|
|
Set an access policy to prohibit anonymous access to public OSS buckets |
Verifies that public-read-write OSS buckets have an authorization policy that denies anonymous access. Does not apply to private OSS buckets. |
|
Set an access policy for an OSS bucket to enforce secure access |
Verifies that each OSS bucket policy enforces HTTPS-only access. Does not apply to buckets without a bucket policy. |
|
Setting IP restrictions in an OSS bucket authorization policy |
Verifies that each OSS bucket is set to private or has an IP whitelist in its authorization policy. |
|
Verifies that each OSS bucket policy denies public read and write access from the Internet. |
|
|
Verifies that each OSS bucket policy denies public read access from the Internet. |
|
|
All ECS instances in the account have the Security Center agent installed |
Verifies that the Security Center agent is installed on every ECS instance in the account. |
|
Verifies that all vulnerabilities identified by Security Center on each ECS instance are remediated. |
|
|
Verifies that the route table includes at least one entry for each custom VPC CIDR block. |
|
|
Verifies that each RAM user has logged on or been updated within the last 90 days. Does not apply to RAM users without console access. |
|
|
Verifies that each RAM user's AccessKey pair was created within the specified period. Default: 90 days. |
|
|
Verifies that flow logs are enabled for each VPC. |
|
|
Verifies that Transparent Data Encryption (TDE) is enabled for each ApsaraDB RDS instance. |
|
|
Verifies that SSL encryption is enabled for each ApsaraDB RDS instance. |
|
|
Verifies that an active ActionTrail trail tracks all event types across all regions. For resource directories, verifies that a trail covers all member accounts. |
|
|
Verifies that log collection is enabled for each domain protected by WAF. |
|
|
Verifies that the ACK cluster uses the Terway network plugin. |
|
|
Verifies that no public endpoint is configured for the ACK cluster API server. |
|
|
Verifies that a CloudMonitor agent is installed and running on all nodes in each ACK cluster. |
|
|
Verifies that a notification method is configured for each Security Center notification item. |
|
|
Verifies that Security Center Enterprise Edition or higher is in use. |
|
|
Checks whether a security group allows unrestricted access to risky ports for a specified protocol |
When the inbound CIDR is 0.0.0.0/0, verifies that the port range for the specified protocol excludes risky ports. Non-0.0.0.0/0 inbound rules are always compliant. A risky port denied by a higher-priority rule is also compliant. Does not apply to security groups used by cloud products or virtual operators. |
|
Verifies that a Security Center agent is installed on each running ECS instance. Does not apply to ECS instances that are not running. |
|
|
Set the severity level for Security Center vulnerability scans |
Verifies that vulnerability scanning for the specified severity level is configured in Security Center. |
|
Verifies that TDE is enabled with a custom key for each ApsaraDB RDS instance. |