Help Center/ Config/ User Guide/ Conformance Packages/ Conformance Package Templates/ Conformance Package for Germany Cloud Computing Compliance Criteria Catalogue
Updated on 2024-10-28 GMT+08:00

Conformance Package for Germany Cloud Computing Compliance Criteria Catalogue

This section describes the background, applicable scenarios, and the compliance package to meet requirements by Germany Cloud Computing Compliance Criteria Catalogue (C5).

Background

C5 is a guide on how to adopt cloud computing. It provides best practices on data protection, data sovereignty, transparency, responsibility, and cloud service provider selection. For more information about this guide, see C5_2020.

Applicable Scenarios

This compliance package is intended to help enterprises to develop cloud computing in Germany and meet C5 requirements related laws and regulations. This package needs to be reviewed and implemented based on specific conditions.

Exemption Clauses

This package provides you with general guide to help you quickly create scenario-based conformance packages. The conformance package and rules included only apply to cloud service and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.

Rules

The guideline No in the following table are in consistent with the chapter No in C5_2020.

Table 1 Rules in this conformance package

Guideline No.

Rule

Solution

COS-03

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

COS-03

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

COS-03

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

COS-03

ecs-instance-no-public-ip

Block public access to ECSs to protect sensitive data.

COS-03

ecs-instance-in-vpc

Include all ECSs in VPCs.

COS-03

css-cluster-in-vpc

Include all CSS clusters in VPCs.

COS-03

css-cluster-in-vpc

Include all CSS clusters in VPCs.

COS-03

mrs-cluster-no-public-ip

Block access to MRS clusters through public networks to protect sensitive data.

COS-03

function-graph-public-access-prohibited

Block public access to FunctionGraph functions. Public access may reduce resource availability.

COS-03

rds-instance-no-public-ip

Block access to cloud databases from public networks to protect sensitive data.

COS-03

vpc-sg-restricted-common-ports

You can configure security groups to control connections to frequently used ports.

COS-03

vpc-sg-restricted-ssh

You can configure security groups to only allow traffic from some IPs to access the SSH port 22 of ECSs to ensure secure remote access to ECSs.

COS-03

vpc-default-sg-closed

Use security groups to control access within a VPC. You can directly use the default security group for resource access control.

COS-03

vpc-sg-ports-check

You can use security groups to control port connections.

COS-05

iam-user-mfa-enabled

Enable MFA for all IAM users to prevent account theft.

COS-05

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data.

COS-05

root-account-mfa-enabled

Enable MFA for root users. MFA enhances account security.

COS-05

ecs-instance-no-public-ip

Block public access to ECSs to protect sensitive data.

COS-05

mrs-cluster-no-public-ip

Block access to MRS clusters through public networks to protect sensitive data.

COS-05

rds-instance-no-public-ip

Block access to RDS instances from public networks to protect sensitive data.

COS-05

vpc-sg-restricted-common-ports

You can configure security groups to control connections to frequently used ports.

COS-05

vpc-sg-restricted-ssh

You can configure security groups to only allow traffic from some IPs to access the SSH port 22 of ECSs to ensure secure remote access to ECSs.

COS-05

vpc-default-sg-closed

Use security groups to control access within a VPC. You can directly use the default security group for resource access control.

COS-05

vpc-sg-ports-check

You can use security groups to control port connections.

CRY-02

apig-instances-ssl-enabled

Enable SSL for APIG REST APIs to authenticate API requests.

CRY-02

elb-predefined-security-policy-https-check

Ensure that your dedicated load balancers are configured with specified security policy to enhance service security.

CRY-02

css-cluster-https-required

After HTTPS is enabled for a CSS cluster, communication is encrypted when you access this cluster. If HTTPS is disabled, HTTP protocol is used for cluster communication. In this case, data security cannot be ensured and public address is not allowed.

CRY-02

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect sensitive data.

CRY-02

elb-tls-https-listeners-only

Ensure that your load balancer listeners are configured with the HTTPS protocol.

CRY-02

dws-enable-ssl

Enable SSL for DWS clusters to protect data.

CRY-02

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect sensitive data.

CRY-03

cts-kms-encrypted-check

Enable trace file encryption for CTS trackers.

CRY-03

sfsturbo-encrypted-check

Enable KMS encryption for SFS Turbo file systems.

CRY-03

volumes-encrypted-check

Enable encryption for EVS to protect data.

CRY-03

rds-instances-enable-kms

Enable KMS encryption for RDS instances to protect sensitive data.

CRY-04

kms-rotation-enabled

Enable KMS key rotation.

DEV-07

cts-lts-enable

Use LTS to centrally collect CTS data.

DEV-07

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console.

DEV-07

multi-region-cts-tracker-exists

Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements.

DEV-07

cts-obs-bucket-track

Create at least one CTS tracker for specified OBS buckets

DEV-07

multi-region-cts-tracker-exists

Create CTS trackers for different regions to satisfy different customer requirements and meets the laws and regulations of different regions.

IDM-01

access-keys-rotated

Enable key rotation.

IDM-01

mrs-cluster-kerberos-enabled

Enable Kerberos for MRS clusters.

IDM-01

iam-password-policy

Set thresholds for IAM user password strength.

IDM-01

iam-root-access-key-check

Ensure that the root access key has been deleted.

IDM-01

iam-user-group-membership-check

Add IAM users to user groups so that users can inherit permissions attached to user groups that they are in.

IDM-01

iam-user-mfa-enabled

Enable MFA for all IAM users to prevent account theft.

IDM-01

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data.

IDM-01

root-account-mfa-enabled

Enable MFA for root users. MFA enhances account security.

IDM-01

iam-group-has-users-check

Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in.

IDM-01

iam-role-has-all-permissions

Grant IAM users only necessary permissions to perform required operations to ensure compliance with the least privilege and SOD principles

IDM-08

iam-password-policy

Set thresholds for IAM user password strength.

CRY-01

iam-password-policy

Set thresholds for IAM user password strength.

IDM-09

iam-user-mfa-enabled

Enable MFA for all IAM users to prevent account theft.

IDM-09

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data.

IDM-09

root-account-mfa-enabled

Enable MFA for root users. MFA enhances account security.

OPS-01

rds-instance-multi-az-support

Deploy RDS instance across AZs to increase service availability. RDS automatically creates a primary DB instance and replicates data to standby DB instances in different AZs that are physically separate. If an infrastructure fault occurs, RDS automatically fails over to the standby database so that you can restore databases in a timely manner.

OPS-02

as-group-elb-healthcheck-required

Enable health check for AS groups. Elastic Load Balance (ELB) automatically distributes incoming traffic across multiple backend cloud servers based on forwarding policies.

OPS-02

rds-instance-multi-az-support

Deploy RDS instance across AZs to increase service availability. RDS automatically creates a primary DB instance and replicates data to standby DB instances in different AZs that are physically separate. If an infrastructure fault occurs, RDS automatically fails over to the standby database so that you can restore databases in a timely manner.

OPS-07

rds-instance-enable-backup

Enable backups for RDS instances.

OPS-07

dws-enable-snapshot

Enable snapshots for DWS clusters. Automated snapshots are enabled by default when a cluster is created. Snapshots are periodically taken of a cluster based on the specified time and interval, usually every eight hours. Users can configure one or more automated snapshot policies for the cluster as needed.

OPS-07

gaussdb-nosql-enable-backup

Enable backups for GeminiDB.

OPS-14

cts-support-validate-check

You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored.

OPS-14

cts-kms-encrypted-check

Enable trace file encryption for CTS trackers.

OPS-15

apig-instances-execution-logging-enabled

Enable CTS for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions.

OPS-15

cts-lts-enable

Use LTS to centrally collect CTS data.

OPS-15

dws-enable-log-dump

Enable log dumps to obtain access information for DWS clusters.

OPS-15

vpc-flow-logs-enabled

Enable flow logs for VPCs to monitor network traffic, analyze network attacks, and optimize security group and ACL configurations.

OPS-15

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console.

OPS-15

multi-region-cts-tracker-exists

Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements.

OPS-15

cts-obs-bucket-track

Create at least one CTS tracker for each OBS bucket.

OPS-15

multi-region-cts-tracker-exists

Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements.

PSS-05

iam-user-mfa-enabled

Enable MFA for all IAM users to prevent account theft.

PSS-05

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data.

PSS-05

root-account-mfa-enabled

Enable MFA for root users. MFA enhances account security.

PSS-07

iam-password-policy

Set thresholds for IAM user password strength.