Best practices for network and data security

更新时间:
复制 MD 格式

Cloud Config provides default rules based on CIS Benchmarks to check your network architecture and data security configuration, reducing the risk of breaches. The following table lists these rules.

Rule name

Description

In-use ECS data disks require encryption

Verifies that encryption is enabled for each in-use ECS data disk.

ECS instances in a VPC

If vpcIds is not configured, verifies that each ECS instance uses the VPC network type. If vpcIds is configured, verifies that each instance resides in a specified VPC. Separate multiple values with commas (,).

OSS Bucket Server-Side Encryption Enabled

Verifies that server-side encryption is enabled for each OSS bucket.

RDS instances must not allow public access

Verifies that no public endpoint is configured for each RDS instance. Avoid exposing RDS instances directly to the Internet in production environments.

MFA enabled for RAM users

Verifies that MFA is enabled for each RAM user with console access.

No AccessKey for the root account

Verifies that no AccessKey pairs are created for the Alibaba Cloud account.

Enable MFA for the Alibaba Cloud account

Verifies that multi-factor authentication (MFA) is enabled for the Alibaba Cloud account.

Password policy compliance for RAM users

Verifies that password policies for RAM users meet the specified requirements.

No super administrator access

Verifies that no RAM user, user group, or role has the Action parameter set to * (super administrator permissions).

Do not grant policies directly to RAM users

Verifies that no policy is directly attached to any RAM user. RAM users should inherit permissions from user groups or roles.

Enable log storage for OSS buckets

Verifies that logging is enabled for each OSS bucket.

OSS bucket encryption with a custom KMS key

Verifies that a custom KMS key encrypts data in each OSS bucket.

SQL Audit should be enabled for RDS instances

Verifies that SQL explorer and audit is enabled for each ApsaraDB RDS instance.

The SQL Audit log retention period for an RDS instance is compliant

Verifies that SQL explorer and audit is enabled for each ApsaraDB RDS for MySQL instance and the log retention period meets the specified minimum. Default: 180 days.

The PostgreSQL log_connections parameter is enabled

Verifies that the log_connections parameter is set to on for each ApsaraDB RDS for PostgreSQL instance.

The PostgreSQL log_disconnections parameter is enabled

Verifies that the log_disconnections parameter is set to on for each ApsaraDB RDS for PostgreSQL instance.

The log_duration parameter for PostgreSQL is enabled

Verifies that the log_duration parameter is set to on for each ApsaraDB RDS for PostgreSQL instance.

Set an access policy to prohibit anonymous access to public OSS buckets

Verifies that public-read-write OSS buckets have an authorization policy that denies anonymous access. Does not apply to private OSS buckets.

Set an access policy for an OSS bucket to enforce secure access

Verifies that each OSS bucket policy enforces HTTPS-only access. Does not apply to buckets without a bucket policy.

Setting IP restrictions in an OSS bucket authorization policy

Verifies that each OSS bucket is set to private or has an IP whitelist in its authorization policy.

OSS buckets must not have public-read-write ACLs

Verifies that each OSS bucket policy denies public read and write access from the Internet.

Public-read access is prohibited for OSS buckets

Verifies that each OSS bucket policy denies public read access from the Internet.

All ECS instances in the account have the Security Center agent installed

Verifies that the Security Center agent is installed on every ECS instance in the account.

All ECS instance vulnerabilities are remediated

Verifies that all vulnerabilities identified by Security Center on each ECS instance are remediated.

Route configured for a secondary VPC CIDR block

Verifies that the route table includes at least one entry for each custom VPC CIDR block.

RAM user last logon within a specified period

Verifies that each RAM user has logged on or been updated within the last 90 days. Does not apply to RAM users without console access.

Rotate RAM user AccessKeys within a specified period

Verifies that each RAM user's AccessKey pair was created within the specified period. Default: 90 days.

VPC flow logs should be enabled

Verifies that flow logs are enabled for each VPC.

TDE enabled for RDS instances

Verifies that Transparent Data Encryption (TDE) is enabled for each ApsaraDB RDS instance.

RDS instances have SSL encryption enabled

Verifies that SSL encryption is enabled for each ApsaraDB RDS instance.

Enable a full trail in ActionTrail

Verifies that an active ActionTrail trail tracks all event types across all regions. For resource directories, verifies that a trail covers all member accounts.

WAF instance logging is enabled

Verifies that log collection is enabled for each domain protected by WAF.

ACK clusters should use the Terway network plugin

Verifies that the ACK cluster uses the Terway network plugin.

The ACK cluster endpoint has no public network connection

Verifies that no public endpoint is configured for the ACK cluster API server.

Deploy the CloudMonitor agent to ACK cluster nodes

Verifies that a CloudMonitor agent is installed and running on all nodes in each ACK cluster.

A notification method is set for Security Center

Verifies that a notification method is configured for each Security Center notification item.

Upgrade to Security Center Enterprise Edition

Verifies that Security Center Enterprise Edition or higher is in use.

Checks whether a security group allows unrestricted access to risky ports for a specified protocol

When the inbound CIDR is 0.0.0.0/0, verifies that the port range for the specified protocol excludes risky ports. Non-0.0.0.0/0 inbound rules are always compliant. A risky port denied by a higher-priority rule is also compliant. Does not apply to security groups used by cloud products or virtual operators.

Enable Security Center protection on running ECS instances

Verifies that a Security Center agent is installed on each running ECS instance. Does not apply to ECS instances that are not running.

Set the severity level for Security Center vulnerability scans

Verifies that vulnerability scanning for the specified severity level is configured in Security Center.

RDS instances have TDE enabled with custom keys

Verifies that TDE is enabled with a custom key for each ApsaraDB RDS instance.