Best Practices of Network and Data Security
This section describes the best practices of network and data security, their applicable scenarios, and default rules in the conformance package.
Applicable Scenario
This conformance package helps you evaluate network and data security to protect your information assets from network attacks and data leakage.
Exemption Clauses
This package provides you with general guide to help you quickly create scenario-based conformance packages. The conformance package and rules included only apply to cloud service and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Conformance Rules
The guideline numbers in the following table are in consistent with the chapter numbers in CIS Control Version 8.
|
Guideline No. |
Rule |
Cloud Service |
Description |
|---|---|---|---|
|
1.1 |
ecs-in-allowed-security-groups |
ecs |
If an ECS does not have any of the specified security groups attached, this ECS is noncompliant. |
|
1.1 |
eip-unbound-check |
vpc |
If an EIP has not been attached to any resource, this EIP is noncompliant. |
|
1.1 |
eip-use-in-specified-days |
eip |
If an EIP is not used within the specified number of days after being created, the EIP is noncompliant. |
|
1.1 |
stopped-ecs-date-diff |
ecs |
If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant. |
|
1.1 |
vpc-acl-unused-check |
vpc |
If a network ACL is not attached to any subnets, this ACL is noncompliant. |
|
2.2 |
cce-cluster-oldest-supported-version |
cce |
If a CCE cluster is running the oldest supported version, this cluster is noncompliant. |
|
3.3 |
css-cluster-in-vpc |
css |
If a CSS cluster is not in the specified VPCs, this cluster is noncompliant. |
|
3.3 |
drs-data-guard-job-not-public |
drs |
If the network type of a DR task is set to public network, this DR task is noncompliant. |
|
3.3 |
drs-migration-job-not-public |
drs |
If the network type of a migration task is set to public network, this migration task is noncompliant. |
|
3.3 |
drs-synchronization-job-not-public |
drs |
If the network type of a synchronization task is not set to public network, this task is noncompliant. |
|
3.3 |
ecs-instance-in-vpc |
ecs, vpc |
If an ECS is not within the specified VPC, this ECS is noncompliant. |
|
3.3 |
ecs-instance-no-public-ip |
ecs |
If an ECS has an EIP attached, this ECS is noncompliant. |
|
3.3 |
function-graph-inside-vpc |
fgs |
If a function is not in the specified VPC, this function is noncompliant. |
|
3.3 |
function-graph-public-access-prohibited |
fgs |
If a function can be accessed over a public network, this function is noncompliant. |
|
3.3 |
iam-customer-policy-blocked-kms-actions |
obs, access-analyzer-verified |
If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant. |
|
3.3 |
iam-group-has-users-check |
iam |
If an IAM user group has no user, this user group is noncompliant. |
|
3.3 |
iam-policy-no-statements-with-admin-access |
iam |
If an IAM policy grants administrator permissions (with the Action element set to *:*:*, *:*, or *), this policy is noncompliant. |
|
3.3 |
iam-role-has-all-permissions |
iam |
If a custom policy or role allows all actions for a cloud service, this policy or role is noncompliant |
|
3.3 |
iam-root-access-key-check |
iam |
If the root user access key is available, this rule is noncompliant. |
|
3.3 |
iam-user-group-membership-check |
iam |
If an IAM user is not in any of the specified IAM user groups, this user is noncompliant. |
|
3.3 |
iam-user-last-login-check |
iam |
If an IAM user does not log in to the system within the specified time range, this user is non-compliant. |
|
3.3 |
mrs-cluster-kerberos-enabled |
mrs |
If kerberos is not enabled for an MRS cluster, this cluster is noncompliant. |
|
3.3 |
mrs-cluster-no-public-ip |
mrs |
If an MRS cluster has an EIP attached, this cluster is noncompliant. |
|
3.3 |
rds-instance-no-public-ip |
rds |
If an RDS instance has an EIP attached, this RDS instance is noncompliant. |
|
3.1 |
apig-instances-ssl-enabled |
apig |
If no SSL certificates are attached to a dedicated APIG gateway, this gateway is considered noncompliant. |
|
3.1 |
css-cluster-disk-encryption-check |
css |
If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant. |
|
3.1 |
css-cluster-https-required |
css |
If HTTPS Access is not enabled for a CSS cluster, this cluster is noncompliant. |
|
3.1 |
dws-enable-ssl |
dws |
If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
|
3.1 |
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
|
3.11 |
cts-kms-encrypted-check |
cts |
If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. |
|
3.11 |
dws-enable-kms |
dws |
If KMS encryption is not enabled for a DWS cluster, this cluster is noncompliant. |
|
3.11 |
gaussdb-nosql-enable-disk-encryption |
gemini db |
If a GeminiDB instance does not have disk encryption enabled, this instance is noncompliant. |
|
3.11 |
rds-instances-enable-kms |
rds |
If KMS encryption is not enabled for an RDS instance, this instance is noncompliant. |
|
3.11 |
sfsturbo-encrypted-check |
sfsturbo |
If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant. |
|
3.11 |
volumes-encrypted-check |
evs, ecs |
If a mounted EVS disk is not encrypted, this disk is noncompliant. |
|
3.14 |
apig-instances-execution-logging-enabled |
apig |
If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant. |
|
3.14 |
cts-lts-enable |
cts |
If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant. |
|
3.14 |
cts-obs-bucket-track |
cts |
If there are no CTS trackers created for the specified OBS bucket, the current account is noncompliant. |
|
3.14 |
cts-tracker-exists |
cts |
If there are no CTS trackers in an account, this account is noncompliant. |
|
3.14 |
multi-region-cts-tracker-exists |
cts |
If there are no CTS trackers in any of the specified regions, this rule is noncompliant. |
|
3.14 |
rds-instance-logging-enabled |
rds |
If an RDS instance does not have the collection of any types of logs enabled, this instance is noncompliant. |
|
3.14 |
vpc-flow-logs-enabled |
vpc |
If flow logs are not enabled for a VPC, this VPC is noncompliant. If not, the VPCs are considered non-compliant. |
|
4.1 |
access-keys-rotated |
iam |
If an IAM user's access key is not rotated within the specified number of days, this user is noncompliant. |
|
4.1 |
evs-use-in-specified-days |
evs |
If an EVS disk has not been used within the specified time range after being created, this disk is noncompliant. |
|
4.1 |
stopped-ecs-date-diff |
ecs |
If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant. |
|
4.1 |
volume-unused-check |
evs |
If an EVS disk is not mounted to any cloud server, this disk is noncompliant. |
|
4.6 |
apig-instances-ssl-enabled |
apig |
If no SSL certificates are attached to a dedicated APIG gateway, this gateway is considered noncompliant. |
|
4.6 |
css-cluster-https-required |
css |
If HTTPS Access is not enabled for a CSS cluster, this cluster is noncompliant. |
|
4.6 |
dws-enable-ssl |
dws |
If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
|
4.6 |
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer is not configured with HTTPS, this load balancer is noncompliant. |
|
4.7 |
iam-root-access-key-check |
iam |
If the root user access key is available, this rule is noncompliant. |
|
5.2 |
iam-password-policy |
iam |
If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant. |
|
5.2 |
iam-user-mfa-enabled |
iam |
If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
|
5.2 |
mfa-enabled-for-iam-console-access |
iam |
If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant. |
|
5.2 |
root-account-mfa-enabled |
iam |
If multi-factor authentication is not enabled for the root user, the root user is noncompliant. |
|
5.3 |
iam-user-last-login-check |
iam |
If an IAM user does not log in to the system within the specified time range, this user is non-compliant. |
|
5.4 |
iam-policy-no-statements-with-admin-access |
iam |
If an IAM policy grants administrator permissions (with the Action element set to *:*:*, *:*, or *), this policy is noncompliant. |
|
5.4 |
iam-root-access-key-check |
iam |
If the root user access key is available, this rule is noncompliant. |
|
6.4 |
iam-user-mfa-enabled |
iam |
If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
|
6.4 |
mfa-enabled-for-iam-console-access |
iam |
If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant. |
|
6.4 |
root-account-mfa-enabled |
iam |
If multi-factor authentication is not enabled for the root user, the root user is noncompliant. |
|
8.2 |
apig-instances-execution-logging-enabled |
apig |
If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant. |
|
8.2 |
cts-lts-enable |
cts |
If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant. |
|
8.2 |
cts-obs-bucket-track |
cts |
If there are no CTS trackers created for the specified OBS bucket, the current account is noncompliant. |
|
8.2 |
cts-tracker-exists |
cts |
If there are no CTS trackers in an account, this account is noncompliant. |
|
8.2 |
multi-region-cts-tracker-exists |
cts |
If there are no CTS trackers in any of the specified regions, this rule is noncompliant. |
|
8.2 |
rds-instance-logging-enabled |
rds |
If neither error logs nor slow query logs are collected for an RDS instance, this instance is noncompliant. |
|
8.2 |
vpc-flow-logs-enabled |
vpc |
If flow logs are not enabled for a VPC, this VPC is noncompliant. If not, the VPCs are considered non-compliant. |
|
8.5 |
apig-instances-execution-logging-enabled |
apig |
If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant. |
|
8.5 |
cts-lts-enable |
cts |
If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant. |
|
8.5 |
cts-obs-bucket-track |
cts |
If there are no CTS trackers created for the specified OBS bucket, the current account is noncompliant. |
|
8.5 |
cts-tracker-exists |
cts |
If there are no CTS trackers in an account, this account is noncompliant. |
|
8.5 |
multi-region-cts-tracker-exists |
cts |
If there are no CTS trackers in any of the specified regions, this rule is noncompliant. |
|
8.5 |
rds-instance-logging-enabled |
rds |
If an RDS instance does not have the collection of any types of logs enabled, this instance is noncompliant. |
|
8.5 |
vpc-flow-logs-enabled |
vpc |
If flow logs are not enabled for a VPC, this VPC is noncompliant. If not, the VPCs are considered non-compliant. |
|
8.9 |
cts-lts-enable |
cts |
If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant. |
|
11.2 |
dws-enable-snapshot |
dws |
If automated snapshots are not enabled for a DWS cluster, this cluster is noncompliant. |
|
11.2 |
gaussdb-instance-enable-backup |
gaussdb |
If the backup is not enabled for a GaussDB instance, this instance is noncompliant. |
|
11.2 |
gaussdb-mysql-instance-enable-backup |
gaussdbformysql |
If the backup is disabled for a GaussDB (for MySQL) instance, this instance is noncompliant. |
|
11.2 |
gaussdb-nosql-enable-backup |
gemini db |
If a GeminiDB instance does not have the backup feature enabled, this instance is noncompliant. |
|
11.2 |
rds-instance-enable-backup |
rds |
If backup is not enabled for an RDS instance, this instance is noncompliant. |
|
11.3 |
rds-instances-enable-kms |
rds |
If KMS encryption is not enabled for an RDS instance, this instance is noncompliant. |
|
11.3 |
volumes-encrypted-check |
evs, ecs |
If a mounted EVS disk is not encrypted, this disk is noncompliant. |
|
11.4 |
dws-enable-snapshot |
dws |
If automated snapshots are not enabled for a DWS cluster, this cluster is noncompliant. |
|
11.4 |
gaussdb-instance-enable-backup |
gaussdb |
If the backup is not enabled for a GaussDB instance, this instance is noncompliant. |
|
11.4 |
gaussdb-mysql-instance-enable-backup |
gaussdbformysql |
If the backup is disabled for a GaussDB (for MySQL) instance, this instance is noncompliant. |
|
11.4 |
gaussdb-nosql-enable-backup |
gemini db |
If a GeminiDB instance does not have the backup feature enabled, this instance is noncompliant. |
|
11.4 |
rds-instance-enable-backup |
rds |
If backup is not enabled for an RDS instance, this instance is noncompliant. |
|
12.2 |
css-cluster-in-vpc |
css |
If a CSS cluster is not in the specified VPCs, this cluster is noncompliant. |
|
12.2 |
drs-data-guard-job-not-public |
drs |
If the network type of a DR task is not set to public network, this task is noncompliant. |
|
12.2 |
drs-migration-job-not-public |
drs |
If the network type of a migration task is set to public network, this migration task is noncompliant. |
|
12.2 |
drs-synchronization-job-not-public |
drs |
If the network type of a synchronization task is not set to public network, this task is noncompliant. |
|
12.2 |
ecs-instance-in-vpc |
ecs, vpc |
If an ECS is not within the specified VPC, this ECS is noncompliant. |
|
12.2 |
ecs-instance-no-public-ip |
ecs |
If an ECS has an EIP attached, this ECS is noncompliant. |
|
12.2 |
function-graph-inside-vpc |
fgs |
If a function is not in the specified VPC, this function is noncompliant. |
|
12.2 |
function-graph-public-access-prohibited |
fgs |
If a function can be accessed over a public network, this function is noncompliant. |
|
12.2 |
mrs-cluster-no-public-ip |
mrs |
If an MRS cluster has an EIP attached, this cluster is noncompliant. |
|
12.2 |
pca-certificate-authority-expiration-check |
pca |
If the validity period of a private CA is not within the specified period, this CA is noncompliant. |
|
12.2 |
pca-certificate-expiration-check |
pca |
If the validity period of a certificate is not within the specified range, this certificate is noncompliant. |
|
12.2 |
rds-instance-multi-az-support |
rds |
If an RDS instance does not support multi-AZ deployment, this RDS instance is noncompliant. |
|
12.2 |
rds-instance-no-public-ip |
rds |
If an RDS instance has an EIP attached, this RDS instance is noncompliant. |
|
12.2 |
vpc-default-sg-closed |
vpc |
If a default security group allows all inbound or outbound traffic, this security group is noncompliant. |
|
12.2 |
vpc-sg-ports-check |
vpc |
If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0) and opens all TCP/UDP ports, this security group is noncompliant. |
|
12.2 |
vpc-sg-restricted-common-ports |
vpc |
If a security group allows all IPv4 addresses (0.0.0.0/0) to access a specified port, this security group is noncompliant. |
|
12.2 |
vpc-sg-restricted-ssh |
vpc |
If the source address is set to 0.0.0.0/0 and the TCP port 22 is opened , this security group is non-compliant. |
|
12.2 |
vpn-connections-active |
vpnaas |
If a VPN is not normally connected, this rule is noncompliant. |
|
12.3 |
apig-instances-ssl-enabled |
apig |
If no SSL certificates are attached to a dedicated APIG gateway, this gateway is considered noncompliant. |
|
12.3 |
css-cluster-https-required |
css |
If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant. |
|
12.3 |
dws-enable-ssl |
dws |
If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
|
12.3 |
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
|
12.6 |
apig-instances-ssl-enabled |
apig |
If no SSL certificates are attached to a dedicated APIG gateway, this gateway is considered noncompliant. |
|
12.6 |
css-cluster-https-required |
css |
If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant. |
|
12.6 |
dws-enable-ssl |
dws |
If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
|
12.6 |
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
|
13.6 |
vpc-flow-logs-enabled |
vpc |
If a VPC does not have the flow log enabled, this VPC is noncompliant. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
