Governance Center compliance practices

更新时间:
复制 MD 格式

Use the GovernanceCenterCompliancePractices compliance package to continuously check multi-account environment security against the BestPracticesForAccountGovernance rules.

Rule name

Description

oss-bucket-server-side-encryption-enabled

Checks whether the Encryption Method of server-side encryption is set to OSS-Managed for each Object Storage Service (OSS) bucket. Compliant if true.

oss-bucket-public-write-prohibited

Checks whether the ACL policy of each OSS bucket denies public read and write access. Compliant if true.

oss-bucket-public-read-prohibited

Checks whether the ACL policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant.

root-ak-check

Checks whether an AccessKey pair is created for each Alibaba Cloud account. If not, the evaluation result is Compliant.

root-mfa-check

Checks whether multi-factor authentication (MFA) is enabled for the current Alibaba Cloud account. If so, the evaluation result is Compliant.

ecs-disk-encrypted

Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant.

sg-risky-ports-check

Checks whether high-risk ports exist in inbound rules when Authorization Object is set to 0.0.0.0/0. Compliant if 0.0.0.0/0 is not in the security group IP whitelist, regardless of port settings. Not Applicable for security groups used by cloud services or virtual network operators.

sg-public-access-check

Checks whether each security group has an inbound policy set to Allow with port range -1/-1 or authorized IP 0.0.0.0/0, or a higher-priority policy configured. Compliant if true. Not Applicable for security groups used by cloud services or virtual network operators.

rds-instances-in-vpc

Checks whether the network type of each ApsaraDB RDS instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant. Checks whether the VPC where each ApsaraDB RDS instance resides is the same as a specified VPC when the vpcIds parameter is not configured. If so, the evaluation result is also Compliant. Separate multiple parameter values with commas (,).

rds-instance-enabled-tde

Checks whether Transparent Data Encryption (TDE) is enabled for each ApsaraDB RDS instance. Compliant if true.

rds-public-access-check

Checks whether no public endpoint is configured for each RDS instance. Compliant if true. Avoid configuring direct internet access to production RDS instances to prevent cyberattacks.

ram-password-policy-check

Checks whether the settings of password policies configured for each RAM user meet the specified values. If so, the evaluation result is Compliant.

ram-user-ak-used-expired-check

Checks whether each RAM user's AccessKey pair was last used more than the specified number of days ago. Compliant if true. Default: 90 days.

ecs-instance-deletion-protection-enabled

Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant.

slb-delete-protection-enabled

Checks whether the release protection feature is enabled for each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant.

root-has-specified-role

Checks whether each Alibaba Cloud account assumes a specified role. If so, the evaluation result is Compliant.

ram-user-mfa-check

Checks whether MFA is enabled for each RAM user with console access. Compliant if true.

slb-listener-https-enabled

Checks whether HTTPS listeners are enabled on specified ports of each SLB instance. Compliant if true. Not Applicable if only TCP or UDP listeners are configured on those ports.

resource-region-limit

Checks whether each resource resides in a specified region. If so, the evaluation result is Compliant.

ram-user-last-login-expired-check

Checks whether each RAM user has logged on within the last 90 days. Compliant if true, or if the user was updated within 90 days regardless of logon status. Not Applicable for RAM users without console access.

contains-tag

Checks whether each resource has a specified key-value pair. Compliant if any key-value pair matches. Keys and values are case-sensitive. Asterisks (*) and question marks (?) are supported as wildcards. Separate multiple values with commas (,).

required-tags

Checks whether all resources have a specified tag. Compliant if true. Maximum six tags. Keys and values are case-sensitive, each supporting only one value.

oss-bucket-logging-enabled

Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant.