Updated on 2024-12-10 GMT+08:00

Conformance Package for Healthcare Industry

The following table describes the compliance rules and solutions in the sample template.

Table 1 Conformance package description

| Rule Identifier | Cloud Service | Description |
| --- | --- | --- |
| apig-instances-execution-logging-enabled | apig | If logging is not enabled for a dedicated APIG gateway, this gateway is considered noncompliant. |
| apig-instances-ssl-enabled | apig | If no SSL certificates are attached to a dedicated APIG gateway, this gateway is considered noncompliant. |
| as-group-elb-healthcheck-required | as | If an AS group is not using Elastic Load Balancing health check, this rule is noncompliant. |
| css-cluster-disk-encryption-check | css | If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant. |
| css-cluster-https-required | css | If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant. |
| css-cluster-in-vpc | css | If a CSS cluster is not in the specified VPCs, this cluster is noncompliant. |
| cts-kms-encrypted-check | cts | If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. |
| cts-lts-enable | cts | If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant. |
| cts-obs-bucket-track | cts | If no CTS trackers are created for the specified OBS bucket, this rule is noncompliant. |
| cts-support-validate-check | cts | If Verify Trace File is not enabled for a CTS tracker, this tracker is noncompliant. |
| cts-tracker-exists | cts | If there is no tracker in the current account, this rule is noncompliant. |
| drs-data-guard-job-not-public | drs | If the network type of a DR task is set to public network, this DR task is noncompliant. |
| drs-migration-job-not-public | drs | If the network type of a migration task is set to public network, this migration task is noncompliant. |
| drs-synchronization-job-not-public | drs | If the network type of a synchronization task is not set to public network, this task is noncompliant. |
| dws-enable-log-dump | dws | If a DWS cluster does not have log transfer enabled, this cluster is noncompliant. |
| dws-enable-snapshot | dws | If automated snapshots are not enabled for a DWS cluster, this cluster is noncompliant. |
| dws-enable-ssl | dws | If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
| ecs-instance-in-vpc | ecs, vpc | If an ECS is not within the specified VPC, this ECS is noncompliant. |
| ecs-instance-no-public-ip | ecs | If an ECS has an EIP attached, this ECS is noncompliant. |
| eip-unbound-check | vpc | If an EIP has not been attached to any resource, this EIP is noncompliant. |
| eip-use-in-specified-days | eip | If an EIP is not used within the specified number of days after being created, the EIP is noncompliant. |
| elb-predefined-security-policy-https-check | elb | If a specified security policy is not configured for the HTTPS listener of a dedicated load balancer, this dedicated load balancer is noncompliant. |
| elb-tls-https-listeners-only | elb | If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
| function-graph-public-access-prohibited | fgs | If a function can be accessed over a public network, this function is noncompliant. |
| gaussdb-nosql-enable-backup | gaussdb nosql | If backup is not enabled for a GeminiDB instance, this instance is noncompliant. |
| gaussdb-nosql-enable-disk-encryption | gaussdb nosql | If Disk Encryption is disabled for a GeminiDB instance, this instance is noncompliant. |
| iam-customer-policy-blocked-kms-actions | iam | If there is a blocked action for KMS in an IAM policy, this policy is noncompliant. |
| iam-password-policy | iam | If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant. |
| iam-policy-no-statements-with-admin-access | iam | If an IAM policy grants administrator permissions (with the Action element set to `*:*:*`, `*:*`, or `*`), this policy is noncompliant. |
| iam-role-has-all-permissions | iam | If an IAM custom policy contains `*:*` in the allow section, this policy is noncompliant. |
| iam-root-access-key-check | iam | If the root user access key is available, this rule is noncompliant. |
| iam-user-last-login-check | iam | If an IAM user does not log in to the system within the specified time range, this user is noncompliant. |
| iam-user-mfa-enabled | iam | If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
| kms-not-scheduled-for-deletion | kms | If a KMS key is scheduled for deletion, this key is noncompliant. |
| mfa-enabled-for-iam-console-access | iam | If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant. |
| mrs-cluster-kerberos-enabled | mrs | If Kerberos is not enabled for an MRS cluster, this cluster is noncompliant. |
| mrs-cluster-no-public-ip | mrs | If an MRS cluster has an EIP attached, this cluster is noncompliant. |
| multi-region-cts-tracker-exists | cts | If there are no CTS trackers in any of the specified regions, this rule is noncompliant. |
| pca-certificate-authority-expiration-check | pca | If the validity period of a private CA is not within the specified period, this CA is noncompliant. |
| pca-certificate-expiration-check | pca | If the validity period of a certificate is not within the specified range, this certificate is noncompliant. |
| private-nat-gateway-authorized-vpc-only | nat | If a private NAT gateway is not in a specified VPC, this gateway is noncompliant. |
| rds-instance-enable-backup | rds | If backup is not enabled for an RDS instance, this instance is noncompliant. |
| rds-instance-multi-az-support | rds | If an RDS instance does not support multi-AZ deployment, this RDS instance is noncompliant. |
| rds-instance-no-public-ip | rds | If an RDS instance has an EIP attached, this RDS instance is noncompliant. |
| rds-instances-enable-kms | rds | If KMS encryption is not enabled for an RDS instance, this instance is noncompliant. |
| root-account-mfa-enabled | iam | If multi-factor authentication is not enabled for the root user, the root user is noncompliant. |
| sfsturbo-encrypted-check | sfsturbo | If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant. |
| stopped-ecs-date-diff | ecs | If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant. |
| volumes-encrypted-check | ecs, evs | If a mounted EVS disk is not encrypted, this disk is noncompliant. |
| vpc-acl-unused-check | vpc | If a network ACL is not attached to any subnets, this ACL is noncompliant. |
| vpc-default-sg-closed | vpc | If a default security group allows all inbound or outbound traffic, this security group is noncompliant. |
| vpc-flow-logs-enabled | vpc | If there is a flow log that has not been enabled for a VPC, this VPC is noncompliant. |
| vpc-sg-ports-check | vpc | If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0) and opens all TCP/UDP ports, this security group is noncompliant. |
| vpc-sg-restricted-common-ports | vpc | If a security group allows all IPv4 addresses (0.0.0.0/0) to access a specified port, this security group is noncompliant. |
| vpc-sg-restricted-ssh | vpc | If the source address is set to 0.0.0.0/0 and TCP port 22 is opened, this security group is noncompliant. |
| vpn-connections-active | vpnaas | If a VPN is not normally connected, this rule is noncompliant. |