Conformance Package for PCI DSS
This section describes the background, applicable scenarios, and the conformance package to meet requirements of the Payment Card Industry Data Security Standard (PCI-DSS).
Background
PCI DSS is an information security standard for safe card payments worldwide. It defines technical and operational baselines for protecting payment account data. Although it focuses specifically on environments that handle payment card account data, PCI DSS also helps reduce payment threats and protect the people, processes, and technologies across the payment ecosystem. For more information about PCI DSS, see Payment Card Industry (PCI) Data Security Standard.
Applicable Scenarios
This conformance package helps enterprises meet PCI DSS and legal requirements for safe card payments. It needs to be reviewed and implemented based on specific conditions.
Exemption Clauses
This package provides a general guide to help you quickly create scenario-based conformance packages. The conformance package and the rules it includes apply only to cloud services and do not constitute legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Rules
The guideline numbers in the following table are consistent with the chapter numbers in Payment Card Industry (PCI) Data Security Standard.
Guideline No. |
Guideline Description |
Rule |
Solution |
---|---|---|---|
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
css-cluster-in-vpc |
Deploy all CSS clusters within VPCs. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
css-cluster-in-vpc |
Deploy all CSS clusters within VPCs. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect data. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
function-graph-inside-vpc |
Configure VPC access for all functions using the FunctionGraph service. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
function-graph-public-access-prohibited |
Block public access to FunctionGraph functions. Public access may affect resource availability. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
mrs-cluster-no-public-ip |
Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
rds-instance-no-public-ip |
Block access to RDS instances over public networks. RDS instances may contain sensitive information, and access control is required. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
vpc-sg-ports-check |
You can use security groups to control port connections. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
vpc-sg-restricted-common-ports |
You can configure security groups to control connections to frequently used ports. |
1.3 |
Prohibit direct public access between the Internet and any system component in the cardholder data environment. |
vpc-sg-restricted-ssh |
You can configure security groups to only allow traffic from some IPs to access the SSH port 22 of ECSs to ensure secure remote access to ECSs. |
2.1 |
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.). |
root-account-mfa-enabled |
Enable MFA for root users. MFA provides additional protection to login credentials. |
2.1 |
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.). |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardIPng standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
access-keys-rotated |
Enable key rotation. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
access-keys-rotated |
Enable key rotation. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
cts-kms-encrypted-check |
Enable trace file encryption for CTS trackers. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
cts-lts-enable |
Enable Transfer to LTS for CTS trackers. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources for guidance on configuration standards include but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Cloud Security Alliance, and product vendors. |
cts-obs-bucket-track |
Create at least one CTS tracker for each OBS bucket. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
cts-support-validate-check |
You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
ecs-in-allowed-security-groups |
Use security groups to control access to ECSs. The rules of a security group will apply to all ECSs that are added to this security group. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
ecs-multiple-public-ip-check |
You can use this rule to identify ECSs that have multiple EIPs attached to reduce network security risks. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
iam-policy-no-statements-with-admin-access |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
iam-root-access-key-check |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
iam-user-group-membership-check |
Ensure each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
kms-rotation-enabled |
Enable KMS key rotation. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
mfa-enabled-for-iam-console-access |
Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
multi-region-cts-tracker-exists |
Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardIPng standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
root-account-mfa-enabled |
Enable MFA for root users. MFA provides additional protection to login credentials. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
volumes-encrypted-check |
Enable encryption for all EVS disks to protect data. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
vpc-flow-logs-enabled |
Enable flow logs for VPCs to help monitor network traffic, analyze network attacks, and optimize security group and ACL configurations. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
vpc-sg-restricted-common-ports |
You can configure security groups to control connections to frequently used ports. |
2.2 |
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST). |
vpc-sg-restricted-ssh |
You can configure security groups to restrict connections to SSH port 23. |
2.3 |
Encrypt all non-console administrative access using strong cryptography. |
apig-instances-ssl-enabled |
Enable SSL for APIG REST APIs to authenticate API requests. |
2.3 |
Encrypt all non-console administrative access using strong cryptography. |
css-cluster-https-required |
After HTTPS is enabled for a CSS cluster, communication is encrypted when you access this cluster. If HTTPS is disabled, HTTP protocol is used for cluster communication. In this case, data security cannot be ensured and public address is not allowed. |
2.3 |
Encrypt all non-console administrative access using strong cryptography. |
dws-enable-ssl |
Enable SSL for DWS clusters to protect data. |
2.3 |
Encrypt all non-console administrative access using strong cryptography. |
elb-tls-https-listeners-only |
Ensure that your load balancer listeners are configured with the HTTPS protocol. |
2.4 |
Maintain an inventory of system components that are in scope for PCI DSS. |
ecs-in-allowed-security-groups |
Use security groups to control access to ECSs. The rules of a security group will apply to all ECSs that are added to this security group. You can also associate more strict security groups to specific ECSs. |
2.4 |
Maintain an inventory of system components that are in scope for PCI DSS. |
eip-unbound-check |
Ensure that there are no unattached EIPs. |
2.4 |
Maintain an inventory of system components that are in scope for PCI DSS. |
eip-use-in-specified-days |
Ensure that there are no unattached EIPs. |
2.4 |
Maintain an inventory of system components that are in scope for PCI DSS. |
vpc-acl-unused-check |
Use this rule to identity unattached ACLs. An ACL helps control traffic in and out of a subnet. |
3.4 |
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. |
cts-kms-encrypted-check |
Enable trace file encryption for CTS trackers. |
3.4 |
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. |
rds-instances-enable-kms |
Enable KMS encryption for RDS instances to protect data. |
3.4 |
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. |
sfsturbo-encrypted-check |
Enable KMS encryption for SFS Turbo file systems. |
3.4 |
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. |
volumes-encrypted-check |
Enable encryption for EVS to protect data. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
apig-instances-ssl-enabled |
Enable SSL for API Gateway REST APIs to authenticate API requests. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
css-cluster-disk-encryption-check |
Enable disk encryption for CSS clusters to protect data. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
css-cluster-disk-encryption-check |
Enable disk encryption for CSS clusters to protect sensitive data. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
css-cluster-https-required |
Enable HTTPS for CSS clusters to ensure data security and allow access over public networks. After HTTPS is disabled, HTTP protocol is used for cluster communication. In this case, data security cannot be ensured and public IP address cannot be used. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
dws-enable-ssl |
Enable SSL for DWS clusters to protect data. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
elb-tls-https-listeners-only |
Ensure that your load balancer listeners are configured with the HTTPS protocol. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
pca-certificate-authority-expiration-check |
Use Private Certificate Authority (PCA) to create and manage your private CAs and ensure that there are no expired certificates. |
4.1 |
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications. |
pca-certificate-expiration-check |
Use Private Certificate Authority (PCA) to create and manage your private CAs and ensure that there are no expired certificates. |
6.2 |
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. |
cce-cluster-end-of-maintenance-version |
Ensure that CCE cluster versions can be maintained. |
6.2 |
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. |
cce-cluster-oldest-supported-version |
Ensure that there are no CCE cluster versions that cannot be maintained. For CCE clusters of supported versions, The system automatically deploys security patches to upgrade your CCE clusters. If any security issue is identified, Huawei Cloud will fix the issue. |
10.1 |
Implement audit trails to link all access to system components to each individual user. |
apig-instances-execution-logging-enabled |
Enable CTS for your dedicated APIG gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions. |
10.1 |
Implement audit trails to link all access to system components to each individual user. |
cts-obs-bucket-track |
Create at least one CTS tracker for each OBS bucket. |
10.1 |
Implement audit trails to link all access to system components to each individual user. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console. |
10.1 |
Implement audit trails to link all access to system components to each individual user. |
multi-region-cts-tracker-exists |
Ensure that there are CTS trackers in the regions where your services are deployed. Cloud Trace Service (CTS) allows you to collect, store, and query operation records of cloud resources. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers. |
10.1 |
Implement audit trails to link all access to system components to each individual user. |
vpc-flow-logs-enabled |
Enable flow logs for VPCs to help monitor network traffic, analyze network attacks, and optimize security group and ACL configurations. |
10.5 |
Secure audit trails so they cannot be altered. |
cts-kms-encrypted-check |
Enable trace file encryption for CTS trackers. |
11.5 |
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. |
cts-support-validate-check |
You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
css-cluster-in-vpc |
Deploy all CSS clusters within VPCs. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect data. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
function-graph-inside-vpc |
Deploy FunctionGraph functions within VPCs. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
function-graph-public-access-prohibited |
Block public access to FunctionGraph functions. Public access may reduce resource availability. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
mrs-cluster-no-public-ip |
Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
vpc-sg-ports-check |
You can use security groups to control port connections. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
vpc-sg-restricted-common-ports |
You can configure security groups to control connections to frequently used ports. |
1.2.1 |
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. |
vpc-sg-restricted-ssh |
You can configure security groups to restrict connections to SSH port 22. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
css-cluster-in-vpc |
Deploy all CSS clusters within VPCs. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect data. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
function-graph-inside-vpc |
Deploy FunctionGraph functions within VPCs. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
function-graph-public-access-prohibited |
Block public access to FunctionGraph functions. Public access may reduce resource availability. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
mrs-cluster-no-public-ip |
Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
vpc-sg-ports-check |
You can use security groups to control port connections. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
vpc-sg-restricted-common-ports |
You can configure security groups to control connections to frequently used ports. |
1.3.1 |
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. |
vpc-sg-restricted-ssh |
Configure security groups to restrict connections to SSH port 22. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
css-cluster-in-vpc |
Deploy all CSS clusters within VPCs. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect data. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
function-graph-inside-vpc |
Deploy FunctionGraph functions within VPCs. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
function-graph-public-access-prohibited |
Block public access to FunctionGraph functions. Public access may reduce resource availability. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
mrs-cluster-no-public-ip |
Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
vpc-sg-ports-check |
You can use security groups to control port connections. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
vpc-sg-restricted-common-ports |
You can configure security groups to control connections to frequently used ports. |
1.3.2 |
Limit inbound Internet traffic to IP addresses within the DMZ. |
vpc-sg-restricted-ssh |
Configure security groups to restrict connections to SSH port 22. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
css-cluster-in-vpc |
Deploy all CSS clusters within VPCs. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect data. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
function-graph-inside-vpc |
Deploy FunctionGraph functions within VPCs. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
function-graph-public-access-prohibited |
Block public access to FunctionGraph functions. Public access may reduce resource availability. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
mrs-cluster-no-public-ip |
Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
vpc-sg-ports-check |
You can use security groups to control port connections. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
vpc-sg-restricted-common-ports |
Configure security groups to control connections to common ports in a VPC. |
1.3.4 |
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. |
vpc-sg-restricted-ssh |
Configure security groups to restrict connections to SSH port 22. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
css-cluster-in-vpc |
Deploy all CSS clusters within VPCs. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect data. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
vpc-sg-ports-check |
You can use security groups to control port connections. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
vpc-sg-restricted-common-ports |
You can configure security groups to control connections to frequently used ports. |
1.3.6 |
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. |
vpc-sg-restricted-ssh |
Configure security groups to restrict connections to SSH port 22. |
10.2.1 |
Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data. |
apig-instances-execution-logging-enabled |
Enable CTS for your dedicated APIG gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions. |
10.2.1 |
Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data. |
cts-obs-bucket-track |
Create at least one CTS tracker for each OBS bucket. |
10.2.1 |
Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console. |
10.2.1 |
Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.2.2 |
Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
10.2.2 |
Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.2.3 |
Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails. |
cts-obs-bucket-track |
Create at least one CTS tracker for each OBS bucket. |
10.2.3 |
Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
10.2.3 |
Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.2.4 |
Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts. |
apig-instances-execution-logging-enabled |
Enable CTS for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions. |
10.2.4 |
Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts. |
cts-obs-bucket-track |
Create at least one CTS tracker for each OBS bucket. |
10.2.4 |
Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
10.2.4 |
Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.2.5 |
Implement automated audit trails for all system components to reconstruct the following events: Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
10.2.5 |
Implement automated audit trails for all system components to reconstruct the following events: Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.2.6 |
Implement automated audit trails for all system components to reconstruct the following events: Initialization, stopping, or pausing of the audit logs. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
10.2.6 |
Implement automated audit trails for all system components to reconstruct the following events: Initialization, stopping, or pausing of the audit logs. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.2.7 |
Implement automated audit trails for all system components to reconstruct the following events: Creation and deletion of system-level objects. |
apig-instances-execution-logging-enabled |
Enable CTS for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions. |
10.2.7 |
Implement automated audit trails for all system components to reconstruct the following events: Creation and deletion of system-level objects. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
10.2.7 |
Implement automated audit trails for all system components to reconstruct the following events: Creation and deletion of system-level objects. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.3.1 |
Record at least the following audit trail entries for all system components for each event: User identification. |
apig-instances-execution-logging-enabled |
Enable CTS for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions. |
10.3.1 |
Record at least the following audit trail entries for all system components for each event: User identification. |
cts-obs-bucket-track |
Create at least one CTS tracker for each OBS bucket. |
10.3.1 |
Record at least the following audit trail entries for all system components for each event: User identification. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
10.3.1 |
Record at least the following audit trail entries for all system components for each event: User identification. |
multi-region-cts-tracker-exists |
Create CTS trackers for the regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions so that your services better satisfy customer needs as well as legal or regulatory requirements. |
10.3.1 |
Record at least the following audit trail entries for all system components for each event: User identification. |
vpc-flow-logs-enabled |
Enable flow logs for VPCs to help monitor network traffic, analyze network attacks, and optimize security group and ACL configurations. |
10.5.2 |
Protect audit trail files from unauthorized modifications. |
cts-kms-encrypted-check |
Enable trace file encryption for CTS trackers. |
10.5.3 |
Promptly back up audit trail files to a centralized log server or media that is difficult to alter. |
cts-lts-enable |
Enable Transfer to LTS for CTS trackers. |
10.5.5 |
Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). |
cts-support-validate-check |
You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect data. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
function-graph-inside-vpc |
Deploy FunctionGraph functions within VPCs. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
function-graph-public-access-prohibited |
Block public access to FunctionGraph functions. Public access may reduce resource availability. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
mrs-cluster-no-public-ip |
Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
vpc-sg-ports-check |
You can use security groups to control port connections. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
vpc-sg-restricted-common-ports |
You can configure security groups to control connections to frequently used ports. |
2.2.2 |
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. |
vpc-sg-restricted-ssh |
Configure security groups to restrict connections to SSH port 22. |
3.5.2 |
Restrict access to cryptographic keys to the fewest number of custodians necessary. |
iam-customer-policy-blocked-kms-actions |
Use this rule to identify policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
3.6.4 |
Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). |
kms-rotation-enabled |
Enable KMS key rotation. |
3.6.5 |
Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes. |
kms-not-scheduled-for-deletion |
Ensure that there are no KMS keys scheduled for deletion. |
3.6.7 |
Prevention of unauthorized substitution of cryptographic keys. |
kms-not-scheduled-for-deletion |
Ensure that there are no KMS keys scheduled for deletion. |
7.1.1 |
Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources. |
iam-customer-policy-blocked-kms-actions |
Use this rule to identify policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.1.1 |
Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources. |
iam-group-has-users-check |
Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in. |
7.1.1 |
Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources. |
iam-policy-no-statements-with-admin-access |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.1.1 |
Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources. |
iam-role-has-all-permissions |
Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties. |
7.1.1 |
Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources. |
iam-root-access-key-check |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.1.1 |
Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources. |
iam-user-group-membership-check |
Ensure each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.1.1 |
Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources. |
mrs-cluster-kerberos-enabled |
Enable Kerberos for MRS clusters. |
7.1.2 |
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. |
iam-customer-policy-blocked-kms-actions |
Use this rule to identify policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.1.2 |
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. |
iam-group-has-users-check |
Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in. |
7.1.2 |
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. |
iam-policy-no-statements-with-admin-access |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.1.2 |
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. |
iam-role-has-all-permissions |
Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties. |
7.1.2 |
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. |
iam-root-access-key-check |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.1.2 |
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. |
iam-user-group-membership-check |
Ensure each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.1 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-customer-policy-blocked-kms-actions |
Use this rule to identify policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.1 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-group-has-users-check |
Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in. |
7.2.1 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-policy-no-statements-with-admin-access |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.1 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-role-has-all-permissions |
Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties. |
7.2.1 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-root-access-key-check |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.1 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-user-group-membership-check |
Ensure that each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.1 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
mrs-cluster-kerberos-enabled |
Enable Kerberos for MRS clusters. |
7.2.2 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-customer-policy-blocked-kms-actions |
Use this rule to identify policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.2 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-group-has-users-check |
Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in. |
7.2.2 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-policy-no-statements-with-admin-access |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.2 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-role-has-all-permissions |
Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties. |
7.2.2 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-root-access-key-check |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.2 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
iam-user-group-membership-check |
Ensure that each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
7.2.2 |
Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components. |
mrs-cluster-kerberos-enabled |
Enable Kerberos for MRS clusters. |
8.1.1 |
Assign all users a unique ID before allowing them to access system components or cardholder data. |
iam-root-access-key-check |
Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties. |
8.1.4 |
Remove/disable inactive user accounts within 90 days. |
access-keys-rotated |
Enable key rotation. |
8.2.1 |
Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. |
apig-instances-ssl-enabled |
Enable SSL for API Gateway REST APIs to authenticate API requests. |
8.2.1 |
Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. |
elb-tls-https-listeners-only |
Ensure that your load balancer listeners are configured with the HTTPS protocol. |
8.2.1 |
Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. |
rds-instances-enable-kms |
Enable KMS for RDS to encrypt data at rest. |
8.2.1 |
Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. |
sfsturbo-encrypted-check |
Enable KMS encryption for SFS Turbo file systems. |
8.2.1 |
Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. |
volumes-encrypted-check |
Enable encryption for EVS to protect data. |
8.2.3 |
Passwords/passphrases must meet the following: Require a minimum length of at least seven characters; only digits and letters are allowed; and alternatively, the complexity and strength of the password/passphrase must be at least comparable to the parameters specified above. |
iam-password-policy |
Set thresholds for IAM user password strength. |
8.2.4 |
Change user passwords/passphrases at least once every 90 days. |
access-keys-rotated |
Enable key rotation. |
8.2.4 |
Change user passwords/passphrases at least once every 90 days. |
iam-password-policy |
Set thresholds for IAM user password strength. |
8.2.5 |
Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. |
iam-password-policy |
Set thresholds for IAM user password strength. |
8.3.1 |
Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. |
iam-user-mfa-enabled |
Enable MFA for all IAM users. MFA provides an additional layer of protection in addition to the username and password. |
8.3.1 |
Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. |
mfa-enabled-for-iam-console-access |
Enable MFA for all IAM users who can access the Huawei Cloud management console. MFA provides an additional layer of protection in addition to the username and password. |
8.3.1 |
Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. |
root-account-mfa-enabled |
Enable MFA for root users. MFA adds additional protection to login credentials. |
8.3.2 |
Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. |
iam-user-mfa-enabled |
Enable MFA for all IAM users. MFA provides an additional layer of protection in addition to the username and password. |
8.3.2 |
Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network. |
mfa-enabled-for-iam-console-access |
Enable MFA for all IAM users who can access the Huawei Cloud management console. MFA provides an additional layer of protection in addition to the username and password. |
8.3.2 |
Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network. |
root-account-mfa-enabled |
Enable MFA for root users. MFA adds additional protection to login credentials. |