The BestPracticeForInternetAccessResourceDetection compliance package helps you detect cloud resources that have unrestricted Internet access enabled. This topic covers the background, scenarios, and default rules of this compliance package template.
Background information
Enabling unrestricted Internet access for cloud resources introduces significant security risks and increases management costs. To address Internet security, cost, permission, and monitoring concerns, enterprise IT teams typically deploy centralized, secure Internet egress points and restrict other cloud resources from having unrestricted public access. This reduces potential risks such as cyber attacks and data leaks. You can create a compliance package from this template to detect cloud resources that have unrestricted Internet access enabled.
Scenarios
Use this template if your enterprise manages critical business data and services on Alibaba Cloud.
Default rules
|
Rule name |
Description |
|
Checks whether Internet access is enabled for each ApsaraDB for Redis instance and all CIDR blocks are added to the IP whitelist of the instance. If not, the evaluation result is Compliant. If so, the evaluation result is Non-compliant. |
|
|
Checks whether Internet access is enabled for each ApsaraDB RDS instance and the 0.0.0.0/0 CIDR block is added to the whitelist. If so, the evaluation result is Non-compliant. |
|
|
Checks whether Internet access is enabled and any Internet access is allowed for each PolarDB instance. If so, the evaluation result is Non-compliant. |
|
|
Checks whether Internet access is enabled and access from any IP address is allowed for each PolarDB instance. If so, the evaluation result is Non-compliant. |
|
|
Checks whether Internet access is enabled and any Internet access is allowed for each ApsaraDB for MongoDB instance. If so, the evaluation result is Non-compliant. |
|
|
Checks whether Internet access is enabled and any Internet access is allowed for each Elasticsearch cluster. If so, the evaluation result is Non-compliant. |
|
|
Checks whether the network type of each Tablestore instance is set to VPC or Console Access. If so, the evaluation result is Compliant. |
|
|
Checks whether each MSE cluster allows access from the Internet and authentication is enabled, or denies access from the Internet. If so, the evaluation result is Compliant. |
|
|
Checks whether the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, or an authorization policy with a higher priority is configured. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
|
|
Checks whether a public endpoint is specified for each Container Service for Kubernetes cluster. If not, the evaluation result is Compliant. |
|
|
Checks whether the type of the Container Registry image repository is Private. if so, the evaluation result is Compliant. |
|
|
Internet access is disabled for the ApsaraDB for HBase cluster. |
Checks whether Internet access is disabled for an ApsaraDB for HBase cluster. If so, the evaluation result is Compliant. |
|
Checks whether Internet access is disabled for each AnalyticDB instance. If so, the evaluation result is Compliant. |
|
|
Checks whether no public IPv4 addresses or elastic IP addresses are assigned to running ECS instances. If so, the evaluation result is Compliant. |