Evaluates whether PolarDB clusters in your Alibaba Cloud account are exposed to public Internet access. A cluster is compliant if Internet access is disabled or if Internet access is enabled but no unrestricted public access is allowed.
Scenarios
Adding 0.0.0.0/0 to the IP whitelist of a PolarDB cluster allows access from all CIDR blocks, which poses significant security risks.
Risk level
Default risk level: high.
You can change the risk level based on your business requirements when you configure this rule.
Compliance evaluation logic
-
If Internet access is not enabled for a PolarDB cluster, or if Internet access is enabled but the cluster does not allow unrestricted public access, the evaluation result is Compliant.
-
If Internet access is enabled for a PolarDB cluster and the cluster allows unrestricted public access, the evaluation result is Non-compliant. For more information about how to remediate a non-compliant configuration, see Incompliance remediation.
Rule details
|
Item |
Description |
|
Rule name |
polardb-public-and-any-ip-access-check |
|
Rule identifier |
polardb-public-and-any-ip-access-check |
|
Tag |
Public and PolarDB |
|
Automatic remediation |
Not supported |
|
Trigger type |
Periodic execution |
|
Evaluation frequency |
Interval of 24 hours |
|
Supported resource type |
PolarDB clusters |
|
Input parameter |
None |
Incompliance remediation
Disable Internet access for the PolarDB cluster, or remove 0.0.0.0/0 from the IP whitelist of a PolarDB cluster that has Internet access enabled. For more information, see Configure an IP whitelist.