Use the GovernanceCenterCompliancePractices compliance package to continuously check multi-account environment security against the BestPracticesForAccountGovernance rules.
|
Rule name |
Description |
|
Checks whether the Encryption Method of server-side encryption is set to OSS-Managed for each Object Storage Service (OSS) bucket. Compliant if true. |
|
|
Checks whether the ACL policy of each OSS bucket denies public read and write access. Compliant if true. |
|
|
Checks whether the ACL policy of each OSS bucket denies read access from the Internet. If so, the evaluation result is Compliant. |
|
|
Checks whether an AccessKey pair is created for each Alibaba Cloud account. If not, the evaluation result is Compliant. |
|
|
Checks whether multi-factor authentication (MFA) is enabled for the current Alibaba Cloud account. If so, the evaluation result is Compliant. |
|
|
Checks whether disk encryption is enabled for each ECS instance. If so, the evaluation result is Compliant. |
|
|
Checks whether high-risk ports exist in inbound rules when Authorization Object is set to 0.0.0.0/0. Compliant if 0.0.0.0/0 is not in the security group IP whitelist, regardless of port settings. Not Applicable for security groups used by cloud services or virtual network operators. |
|
|
Checks whether each security group has an inbound policy set to Allow with port range -1/-1 or authorized IP 0.0.0.0/0, or a higher-priority policy configured. Compliant if true. Not Applicable for security groups used by cloud services or virtual network operators. |
|
|
Checks whether the network type of each ApsaraDB RDS instance is set to VPC when the vpcIds parameter is not configured. If so, the evaluation result is Compliant. Checks whether the VPC where each ApsaraDB RDS instance resides is the same as a specified VPC when the vpcIds parameter is not configured. If so, the evaluation result is also Compliant. Separate multiple parameter values with commas (,). |
|
|
Checks whether Transparent Data Encryption (TDE) is enabled for each ApsaraDB RDS instance. Compliant if true. |
|
|
Checks whether no public endpoint is configured for each RDS instance. Compliant if true. Avoid configuring direct internet access to production RDS instances to prevent cyberattacks. |
|
|
Checks whether the settings of password policies configured for each RAM user meet the specified values. If so, the evaluation result is Compliant. |
|
|
Checks whether each RAM user's AccessKey pair was last used more than the specified number of days ago. Compliant if true. Default: 90 days. |
|
|
Checks whether the release protection feature is enabled for each ECS instance. If so, the evaluation result is Compliant. |
|
|
Checks whether the release protection feature is enabled for each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant. |
|
|
Checks whether each Alibaba Cloud account assumes a specified role. If so, the evaluation result is Compliant. |
|
|
Checks whether MFA is enabled for each RAM user with console access. Compliant if true. |
|
|
Checks whether HTTPS listeners are enabled on specified ports of each SLB instance. Compliant if true. Not Applicable if only TCP or UDP listeners are configured on those ports. |
|
|
Checks whether each resource resides in a specified region. If so, the evaluation result is Compliant. |
|
|
Checks whether each RAM user has logged on within the last 90 days. Compliant if true, or if the user was updated within 90 days regardless of logon status. Not Applicable for RAM users without console access. |
|
|
Checks whether each resource has a specified key-value pair. Compliant if any key-value pair matches. Keys and values are case-sensitive. Asterisks ( |
|
|
Checks whether all resources have a specified tag. Compliant if true. Maximum six tags. Keys and values are case-sensitive, each supporting only one value. |
|
|
Checks whether the logging feature is enabled for each OSS bucket on the Logs page. If so, the evaluation result is Compliant. |