Updated on 2024-08-23 GMT+08:00

Best Practices of Network and Data Security

This section describes the best practices of network and data security, their applicable scenarios, and default rules in the conformance package.

Applicable Scenario

This conformance package helps you evaluate network and data security to protect your information assets from network attacks and data leakage.

Exemption Clauses

This package provides general guidance to help you quickly create scenario-based conformance packages. The conformance package and the rules it includes apply only to cloud services and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.

Conformance Rules

Table 1 Rules for network and data security best practices

| Guideline No. | Rule |
| --- | --- |
| 1.1 | ecs-in-allowed-security-groups |
| 1.1 | eip-unbound-check |
| 1.1 | eip-use-in-specified-days |
| 1.1 | stopped-ecs-date-diff |
| 1.1 | vpc-acl-unused-check |
| 2.2 | cce-cluster-oldest-supported-version |
| 3.3 | css-cluster-in-vpc |
| 3.3 | drs-data-guard-job-not-public |
| 3.3 | drs-migration-job-not-public |
| 3.3 | drs-synchronization-job-not-public |
| 3.3 | ecs-instance-in-vpc |
| 3.3 | ecs-instance-no-public-ip |
| 3.3 | function-graph-inside-vpc |
| 3.3 | function-graph-public-access-prohibited |
| 3.3 | iam-customer-policy-blocked-kms-actions |
| 3.3 | iam-group-has-users-check |
| 3.3 | iam-policy-no-statements-with-admin-access |
| 3.3 | iam-role-has-all-permissions |
| 3.3 | iam-root-access-key-check |
| 3.3 | iam-user-group-membership-check |
| 3.3 | iam-user-last-login-check |
| 3.3 | mrs-cluster-kerberos-enabled |
| 3.3 | mrs-cluster-no-public-ip |
| 3.3 | rds-instance-no-public-ip |
| 3.1 | apig-instances-ssl-enabled |
| 3.1 | css-cluster-disk-encryption-check |
| 3.1 | css-cluster-https-required |
| 3.1 | dws-enable-ssl |
| 3.1 | elb-tls-https-listeners-only |
| 3.11 | cts-kms-encrypted-check |
| 3.11 | dws-enable-kms |
| 3.11 | gaussdb-nosql-enable-disk-encryption |
| 3.11 | rds-instances-enable-kms |
| 3.11 | sfsturbo-encrypted-check |
| 3.11 | volumes-encrypted-check |
| 3.14 | apig-instances-execution-logging-enabled |
| 3.14 | cts-lts-enable |
| 3.14 | cts-obs-bucket-track |
| 3.14 | cts-tracker-exists |
| 3.14 | multi-region-cts-tracker-exists |
| 3.14 | rds-instance-logging-enabled |
| 3.14 | vpc-flow-logs-enabled |
| 4.1 | access-keys-rotated |
| 4.1 | evs-use-in-specified-days |
| 4.1 | stopped-ecs-date-diff |
| 4.1 | volume-unused-check |
| 4.6 | apig-instances-ssl-enabled |
| 4.6 | css-cluster-https-required |
| 4.6 | dws-enable-ssl |
| 4.6 | elb-tls-https-listeners-only |
| 4.7 | iam-root-access-key-check |
| 5.2 | iam-password-policy |
| 5.2 | iam-user-mfa-enabled |
| 5.2 | mfa-enabled-for-iam-console-access |
| 5.2 | root-account-mfa-enabled |
| 5.3 | iam-user-last-login-check |
| 5.4 | iam-policy-no-statements-with-admin-access |
| 5.4 | iam-root-access-key-check |
| 6.4 | iam-user-mfa-enabled |
| 6.4 | mfa-enabled-for-iam-console-access |
| 6.4 | root-account-mfa-enabled |
| 8.2 | apig-instances-execution-logging-enabled |
| 8.2 | cts-lts-enable |
| 8.2 | cts-obs-bucket-track |
| 8.2 | cts-tracker-exists |
| 8.2 | multi-region-cts-tracker-exists |
| 8.2 | rds-instance-logging-enabled |
| 8.2 | vpc-flow-logs-enabled |
| 8.5 | apig-instances-execution-logging-enabled |
| 8.5 | cts-lts-enable |
| 8.5 | cts-obs-bucket-track |
| 8.5 | cts-tracker-exists |
| 8.5 | multi-region-cts-tracker-exists |
| 8.5 | rds-instance-logging-enabled |
| 8.5 | vpc-flow-logs-enabled |
| 8.9 | cts-lts-enable |
| 11.2 | dws-enable-snapshot |
| 11.2 | gaussdb-instance-enable-backup |
| 11.2 | gaussdb-mysql-instance-enable-backup |
| 11.2 | gaussdb-nosql-enable-backup |
| 11.2 | rds-instance-enable-backup |
| 11.3 | rds-instances-enable-kms |
| 11.3 | volumes-encrypted-check |
| 11.4 | dws-enable-snapshot |
| 11.4 | gaussdb-instance-enable-backup |
| 11.4 | gaussdb-mysql-instance-enable-backup |
| 11.4 | gaussdb-nosql-enable-backup |
| 11.4 | rds-instance-enable-backup |
| 12.2 | css-cluster-in-vpc |
| 12.2 | css-cluster-in-vpc |
| 12.2 | drs-data-guard-job-not-public |
| 12.2 | drs-migration-job-not-public |
| 12.2 | drs-synchronization-job-not-public |
| 12.2 | ecs-instance-in-vpc |
| 12.2 | ecs-instance-no-public-ip |
| 12.2 | function-graph-inside-vpc |
| 12.2 | function-graph-public-access-prohibited |
| 12.2 | mrs-cluster-no-public-ip |
| 12.2 | pca-certificate-authority-expiration-check |
| 12.2 | pca-certificate-expiration-check |
| 12.2 | rds-instance-multi-az-support |
| 12.2 | rds-instance-no-public-ip |
| 12.2 | vpc-default-sg-closed |
| 12.2 | vpc-sg-ports-check |
| 12.2 | vpc-sg-restricted-common-ports |
| 12.2 | vpc-sg-restricted-ssh |
| 12.2 | vpn-connections-active |
| 12.3 | apig-instances-ssl-enabled |
| 12.3 | css-cluster-https-required |
| 12.3 | dws-enable-ssl |
| 12.3 | elb-tls-https-listeners-only |
| 12.6 | apig-instances-ssl-enabled |
| 12.6 | css-cluster-https-required |
| 12.6 | dws-enable-ssl |
| 12.6 | elb-tls-https-listeners-only |
| 13.6 | vpc-flow-logs-enabled |