
Strongly Recommended Governance Policies

Updated on 2025-02-21 GMT+08:00

API Gateway (APIG)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_APIG_INSTANCES_AUTHORIZATION_TYPE_CONFIGURED | Checks whether security authentication is provided for a dedicated API gateway. This policy is non-compliant if security authentication is not provided. | Encrypting data in transit | Medium | apig:::instance |
| RGC-GR_CONFIG_APIG_INSTANCES_SSL_ENABLED | Checks whether any domain name of a dedicated API gateway is associated with an SSL certificate. This policy is non-compliant if any domain name is not associated with an SSL certificate. | Encrypting data in transit | Medium | apig:::instance |

AS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_AS_GROUP_IN_VPC | Checks whether an AS group is in the specified VPC. This policy is non-compliant if an AS group is not in the specified VPC. | Controlling network access | High | as:::group |

BMS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_BMS_KEY_PAIR_SECURITY_LOGIN | Checks whether a key pair is used for BMS login. This policy is non-compliant if a key pair is not used. | Using strong authentication | High | bms:::instance |

CBR

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CBR_BACKUP_ENCRYPTED_CHECK | Checks whether a CBR backup is encrypted. This policy is non-compliant if the backup is not encrypted. | Encrypting data at rest | High | cbr:::checkpoint |

Cloud Container Engine (CCE)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CCE_ENDPOINT_PUBLIC_ACCESS | Checks whether a public IP address is bound to a CCE cluster. This policy is non-compliant if a public IP address is bound. | Controlling network access | Medium | cce:::cluster |
| RGC-GR_CONFIG_CCE_CLUSTER_IN_VPC | Checks whether a CCE cluster is in the specified VPC. This policy is non-compliant if a CCE cluster is not in the specified VPC. | Controlling network access | High | cce:::cluster |

CCM

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_PCA_CERTIFICATE_AUTHORITY_EXPIRATION_CHECK | Checks whether a private CA expires within a specified period. This policy is non-compliant if it expires within the specified period. | Encrypting data in transit | Medium | ccm:::privateCertificate |
| RGC-GR_CONFIG_PCA_CERTIFICATE_EXPIRATION_CHECK | Checks whether a private certificate expires within a specified period. This policy is non-compliant if it expires within the specified period. | Encrypting data in transit | Medium | ccm:::privateCertificate |

Content Delivery Network (CDN)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CDN_ENABLE_HTTPS_CERTIFICATE | Checks whether an HTTPS certificate is configured for CDN. This policy is non-compliant if an HTTPS certificate is not configured. | Encrypting data in transit | Critical | cdn:::domain |
| RGC-GR_CONFIG_CDN_ORIGIN_PROTOCOL_NO_HTTP | Checks whether CDN uses HTTPS for origin pull. This policy is non-compliant if HTTPS is not used. | Encrypting data in transit | Critical | cdn:::domain |
| RGC-GR_CONFIG_CDN_SECURITY_POLICY_CHECK | Checks whether a Transport Layer Security (TLS) version earlier than v1.2 is used for CDN. This policy is non-compliant if a TLS version earlier than v1.2 is used. | Encrypting data in transit | High | cdn:::domain |
| RGC-GR_CONFIG_CDN_USE_MY_CERTIFICATE | Checks whether CDN uses your own certificates. This policy is non-compliant if CDN uses your own certificates. | Encrypting data in transit | High | cdn:::domain |

CFW

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CFW_POLICY_NOT_EMPTY | Checks whether a CFW instance has protection policies configured. This policy is non-compliant if no protection policies are configured. | Controlling network access | Medium | cfw:::eipProtection |

CodeArts Build

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CLOUDBUILDSERVER_ENCRYPTION_PARAMETER_CHECK | Checks whether encryption is enabled for the custom parameters (excluding predefined parameters) of a CodeArts project. This policy is non-compliant if encryption is not enabled. | Encrypting data at rest | Medium | codearts:::deployApplication |

Cloud Search Service (CSS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CSS_CLUSTER_AUTHORITY_ENABLE | Checks whether authentication is enabled for a CSS cluster. This policy is non-compliant if authentication is not enabled. | Using strong authentication | Critical | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_DISK_ENCRYPTION_CHECK | Checks whether disk encryption is enabled for a CSS cluster. This policy is non-compliant if disk encryption is not enabled. | Encrypting data at rest | High | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_KIBANA_NOT_ENABLE_WHITE_LIST | Checks whether all IP addresses are whitelisted for Kibana to access a CSS cluster. This policy is non-compliant if all IP addresses are whitelisted. | Controlling network access | Critical | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_NO_PUBLIC_ZONE | Checks whether public network access is enabled for a CSS cluster. This policy is non-compliant if public network access is enabled. | Encrypting data at rest | High | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_NOT_ENABLE_WHITE_LIST | Checks whether all IP addresses are whitelisted for a CSS cluster. This policy is non-compliant if all addresses are whitelisted. | Controlling network access | Critical | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_SECURITY_MODE_ENABLE | Checks whether security mode is enabled for a CSS cluster. This policy is non-compliant if security mode is not enabled. | Enforcing the least privilege | High | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_HTTPS_REQUIRED | Checks whether HTTPS access is enabled for a CSS cluster. This policy is non-compliant if HTTPS access is not enabled. | Encrypting data in transit | Medium | css:::cluster |

Cloud Trace Service (CTS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CTS_KMS_ENCRYPTED_CHECK | Checks whether a CTS tracker is encrypted using KMS. This policy is non-compliant if the tracker is not encrypted. | Encrypting data at rest | Medium | cts:::tracker |
| RGC-GR_CONFIG_CTS_SUPPORT_VALIDATE_CHECK | Checks whether trace file verification is enabled for a CTS tracker. This policy is non-compliant if verification is not enabled. | Protecting data integrity | Medium | cts:::tracker |

Distributed Cache Service (DCS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DCS_MEMCACHED_ENABLE_SSL | Checks whether a DCS Memcached instance supports public access but not SSL. This policy is non-compliant if the instance supports public access but not SSL. | Encrypting data in transit | High | dcs:::instance |
| RGC-GR_CONFIG_DCS_MEMCACHED_NO_PUBLIC_IP | Checks whether a public IP address is bound to a DCS Memcached instance. This policy is non-compliant if a public IP address is bound. | Controlling network access | High | dcs:::instance |
| RGC-GR_CONFIG_DCS_MEMCACHED_PASSWORD_ACCESS | Checks whether a DCS Memcached instance can be accessed without a password. This policy is non-compliant if the instance can be accessed without a password. | Using strong authentication | Medium | dcs:::instance |
| RGC-GR_CONFIG_DCS_REDIS_ENABLE_SSL | Checks whether a DCS Redis instance supports public access but not SSL. This policy is non-compliant if the instance supports public access but not SSL. | Controlling network access | High | dcs:::instance |
| RGC-GR_CONFIG_DCS_REDIS_HIGH_TOLERANCE | Checks whether a DCS Redis instance is highly available. This policy is non-compliant if the instance is not highly available. | Improving availability | Low | dcs:::instance |
| RGC-GR_CONFIG_DCS_REDIS_NO_PUBLIC_IP | Checks whether a public IP address is bound to a DCS Redis instance. This policy is non-compliant if a public IP address is bound. | Controlling network access | High | dcs:::instance |
| RGC-GR_CONFIG_DCS_REDIS_PASSWORD_ACCESS | Checks whether a DCS Redis instance can be accessed without a password. This policy is non-compliant if the instance can be accessed without a password. | Using strong authentication | Medium | dcs:::instance |
| RGC-GR_CONFIG_DCS_MEMCACHED_IN_VPC | Checks whether a DCS Memcached instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. | Controlling network access | Medium | dcs:::instance |
| RGC-GR_CONFIG_DCS_REDIS_IN_VPC | Checks whether a DCS Redis instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. | Controlling network access | Medium | dcs:::instance |

Document Database Service (DDS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DDS_INSTANCE_ENABLE_SSL | Checks whether SSL is enabled for a DDS instance. This policy is non-compliant if SSL is not enabled. | Encrypting data in transit | High | dds:::instance |
| RGC-GR_CONFIG_DDS_INSTANCE_HAS_EIP | Checks whether a public IP address is bound to a DDS instance. This policy is non-compliant if a public IP address is bound. | Controlling network access | High | dds:::instance |
| RGC-GR_CONFIG_DDS_INSTANCE_PORT_CHECK | Checks whether a DDS instance has disallowed ports enabled. This policy is non-compliant if the instance has disallowed ports enabled. | Controlling network access | High | dds:::instance |

DEW

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CSMS_SECRETS_ROTATION_SUCCESS_CHECK | Checks whether a CSMS secret rotation is successful. This policy is non-compliant if the rotation fails. | Enforcing the least privilege | High | csms:::secret |
| RGC-GR_CONFIG_KMS_NOT_SCHEDULED_FOR_DELETION | Checks whether a KMS key is scheduled to be deleted. This policy is non-compliant if the key is scheduled to be deleted. | Protecting data integrity | Critical | kms:::key |
| RGC-GR_CONFIG_KMS_ROTATION_ENABLED | Checks whether key rotation is enabled for a KMS key. This policy is non-compliant if rotation is not enabled. | Encrypting data at rest | Medium | kms:::key |

Distributed Message Service (DMS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DMS_KAFKA_NOT_ENABLE_PRIVATE_SSL | Checks whether SSL encryption is enabled for accessing a DMS Kafka instance over a private network. This policy is non-compliant if SSL encryption is not enabled. | Encrypting data in transit | Medium | dms:::kafkaInstance |
| RGC-GR_CONFIG_DMS_KAFKA_NOT_ENABLE_PUBLIC_SSL | Checks whether SSL encryption is enabled for accessing a DMS Kafka instance over a public network. This policy is non-compliant if SSL encryption is not enabled. | Encrypting data in transit | Medium | dms:::kafkaInstance |
| RGC-GR_CONFIG_DMS_KAFKA_PUBLIC_ACCESS_ENABLED_CHECK | Checks whether a DMS Kafka instance can be accessed over a public network. This policy is non-compliant if the instance can be accessed over a public network. | Controlling network access | High | dms:::kafkaInstance |
| RGC-GR_CONFIG_DMS_RABBITMQ_NOT_ENABLE_SSL | Checks whether SSL encryption is enabled for a DMS RabbitMQ instance. This policy is non-compliant if SSL encryption is not enabled. | Encrypting data at rest | High | dms:::rabbitmqInstance |
| RGC-GR_CONFIG_DMS_ROCKETMQ_NOT_ENABLE_SSL | Checks whether SSL encryption is enabled for a DMS RocketMQ instance. This policy is non-compliant if SSL encryption is not enabled. | Encrypting data at rest | High | dms:::rocketmqInstance |
| RGC-GR_CONFIG_DMS_RABBITMQ_PUBLIC_ACCESS_ENABLED_CHECK | Checks whether a DMS RabbitMQ instance can be accessed over a public network. This policy is non-compliant if the instance can be accessed over a public network. | Controlling network access | Medium | dms:::rabbitmqInstance |
| RGC-GR_CONFIG_DMS_RELIABILITY_PUBLIC_ACCESS_ENABLED_CHECK | Checks whether a DMS RocketMQ instance can be accessed over a public network. This policy is non-compliant if the instance can be accessed over a public network. | Controlling network access | Medium | dms:::rocketmqInstance |

Data Replication Service (DRS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DRS_DATA_GUARD_JOB_NOT_PUBLIC | Checks whether DRS supports real-time disaster recovery through a public network. This policy is non-compliant if real-time disaster recovery through a public network is supported. | Controlling network access | High | drs:::job |
| RGC-GR_CONFIG_DRS_MIGRATION_JOB_NOT_PUBLIC | Checks whether DRS supports real-time migration through a public network. This policy is non-compliant if real-time migration through a public network is supported. | Controlling network access | High | drs:::job |
| RGC-GR_CONFIG_DRS_SYNCHRONIZATION_JOB_NOT_PUBLIC | Checks whether DRS supports real-time synchronization through a public network. This policy is non-compliant if real-time synchronization through a public network is supported. | Controlling network access | High | drs:::job |

Data Warehouse Service (DWS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DWS_ENABLE_KMS | Checks whether KMS encryption is enabled for a DWS cluster. This policy is non-compliant if KMS encryption is not enabled. | Encrypting data at rest | Medium | dws:::cluster |
| RGC-GR_CONFIG_DWS_ENABLE_SSL | Checks whether SSL connection is enabled for a DWS cluster. This policy is non-compliant if SSL connection is not enabled. | Encrypting data in transit | Medium | dws:::cluster |
| RGC-GR_CONFIG_DWS_CLUSTERS_NO_PUBLIC_IP | Checks whether a DWS cluster has a public IP address bound. This policy is non-compliant if the cluster has a public IP address bound. | Controlling network access | High | dws:::cluster |
| RGC-GR_CONFIG_DWS_CLUSTERS_IN_VPC | Checks whether a DWS cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. | Controlling network access | High | dws:::cluster |

Elastic Cloud Server (ECS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ECS_INSTANCE_KEY_PAIR_LOGIN | Checks whether an ECS has a key pair configured. This policy is non-compliant if no key pair is configured. | Controlling network access | High | ecs:::instanceV1 |
| RGC-GR_CONFIG_ECS_INSTANCE_NO_PUBLIC_IP | Checks whether a public IP address is bound to an ECS. This policy is non-compliant if a public IP address is bound. | Controlling network access | Medium | compute:::instance |
| RGC-GR_CONFIG_ECS_MULTIPLE_PUBLIC_IP_CHECK | Checks whether multiple public IP addresses are bound to an ECS. This policy is non-compliant if multiple public IP addresses are bound. | Controlling network access | Low | compute:::instance |
| RGC-GR_CONFIG_ECS_INSTANCE_AGENCY_ATTACH_IAM_AGENCY | Checks whether an ECS has any IAM agencies. This policy is non-compliant if an ECS has no IAM agencies. | Enforcing the least privilege | Low | ecs:::instanceV1 |
| RGC-GR_CONFIG_ECS_IN_ALLOWED_SECURITY_GROUPS | Checks whether an ECS without the specified tags is associated with the specified high-risk security groups. This policy is non-compliant if such an ECS is associated with the specified high-risk security groups. | Controlling network access | High | ecs:::instanceV1 |

ECS and VPC

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ECS_INSTANCE_IN_VPC | Checks whether an ECS is in the specified VPC. This policy is non-compliant if the ECS is not in the specified VPC. | Controlling network access | Medium | ecs:::instanceV1 |

Elastic Load Balance (ELB)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ELB_LOADBALANCERS_NO_PUBLIC_IP | Checks whether a public IP address is bound to a load balancer. This policy is non-compliant if a public IP address is bound. | Controlling network access | Medium | elb:::loadBalancer |
| RGC-GR_CONFIG_ELB_TLS_HTTPS_LISTENERS_ONLY | Checks whether HTTPS is configured for any listener of a load balancer. This policy is non-compliant if HTTPS is not configured for any listener. | Encrypting data in transit | Medium | elb:::listener |
| RGC-GR_CONFIG_ELB_PREDEFINED_SECURITY_POLICY_HTTPS_CHECK | Checks whether a predefined security policy is configured for the HTTPS listener of a dedicated load balancer. This policy is non-compliant if the predefined security policy is not configured. | Controlling network access | Medium | elb:::loadBalancer |
| RGC-GR_CONFIG_ELB_HTTP_TO_HTTPS_REDIRECTION_CHECK | Checks whether requests to an HTTP listener can be redirected to an HTTPS listener. This policy is non-compliant if requests cannot be redirected. | Controlling network access | Medium | elb:::listener |

EVS and ECS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_VOLUMES_ENCRYPTED_CHECK | Checks whether an EVS disk attached to a cloud server is encrypted. This policy is non-compliant if the disk is not encrypted. | Encrypting data at rest | Low | evs:::volume |

FunctionGraph

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_FUNCTION_GRAPH_PUBLIC_ACCESS_PROHIBITED | Checks whether functions in FunctionGraph allow public access. This policy is non-compliant if the functions allow public access. | Controlling network access | Critical | fgs:::function |

GaussDB

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_IN_VPC | Checks whether a GaussDB instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. | Controlling network access | Medium | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_NO_PUBLIC_IP_CHECK | Checks whether a GaussDB instance has any EIPs associated. This policy is non-compliant if the instance has any EIPs associated. | Controlling network access | High | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_SSL_ENABLE | Checks whether SSL encryption is enabled for a GaussDB instance. This policy is non-compliant if SSL encryption is not enabled. | Encrypting data in transit | High | gaussdb:::opengaussInstance |

GeminiDB

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_DISK_ENCRYPTION | Checks whether disk encryption is enabled for a GeminiDB instance. This policy is non-compliant if disk encryption is not enabled. | Encrypting data at rest | Medium | gaussdb:::mongoInstance |

Identity and Access Management (IAM)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_IAM_ROOT_ACCESS_KEY_CHECK | Checks whether there are available access keys for an account. This policy is non-compliant if there are available access keys. | Enforcing the least privilege | Critical | identity:::accessKey |
| RGC-GR_CONFIG_ROOT_ACCOUNT_MFA_ENABLED | Checks whether multi-factor authentication (MFA) is enabled for an account. This policy is non-compliant if MFA is not enabled. | Enforcing the least privilege | High | identity:::acl |
| RGC-GR_CONFIG_IAM_GROUP_HAS_USERS_CHECK | Checks whether IAM users are added to an IAM user group. This policy is non-compliant if the users are not added to a user group. | Enforcing the least privilege | Medium | identity:::group |
| RGC-GR_CONFIG_IAM_USER_ACCESS_MODE | Checks whether an IAM user can gain access to both the console and APIs. This policy is non-compliant if the user can gain access to both the console and APIs. | Enforcing the least privilege | Medium | identity:::user |
| RGC-GR_CONFIG_IAM_USER_CONSOLE_AND_API_ACCESS_AT_CREATION | Checks whether access keys are set for an IAM user accessing from the console. This policy is non-compliant if access keys are set. | Managing confidentiality | Medium | identity:::user |
| RGC-GR_CONFIG_IAM_USER_SINGLE_ACCESS_KEY | Checks whether an IAM user has multiple access keys in the active state. This policy is non-compliant if the user has multiple access keys in the active state. | Managing confidentiality | High | identity:::user |
| RGC-GR_CONFIG_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS | Checks whether MFA is enabled for an IAM user accessing from the console. This policy is non-compliant if MFA is not enabled. | Enforcing the least privilege | Medium | identity:::user |
| RGC-GR_CONFIG_IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | Checks whether an IAM policy grants the admin permission (*:*:*, *:*, or *). This policy is non-compliant if the IAM policy grants the admin permission. | Enforcing the least privilege | High | identity:::protectionPolicy |
| RGC-GR_CONFIG_IAM_ROLE_HAS_ALL_PERMISSIONS | Checks whether an IAM custom policy grants the allow permission (*:*). This policy is non-compliant if the IAM policy grants the allow permission. | Enforcing the least privilege | Low | identity:::role |
| RGC-GR_CONFIG_IAM_USER_MFA_ENABLED | Checks whether MFA is enabled for an IAM user. This policy is non-compliant if MFA is not enabled. | Enforcing the least privilege | Medium | identity:::user |
| RGC-GR_CONFIG_ACCESS_KEYS_ROTATED | Checks whether an IAM user's access key is rotated within the specified number of days. This policy is non-compliant if the key is not rotated within the specified number of days. | Enforcing the least privilege | High | identity:::accessKey |
| RGC-GR_CONFIG_IAM_PASSWORD_POLICY | Checks whether the password of an IAM user meets the password strength requirements. This policy is non-compliant if the password does not meet the requirements. | Using strong authentication | High | identity:::user |
| RGC-GR_CONFIG_IAM_USER_LAST_LOGIN_CHECK | Checks whether an IAM user has logged in to the system within a specified period. This policy is non-compliant if the user has not logged in to the system within the specified period. | Enforcing the least privilege | Low | identity:::user |
| RGC-GR_CONFIG_IAM_POLICY_IN_USE | Checks whether an IAM policy has been attached to any IAM users, user groups, or agencies. This policy is non-compliant if the IAM policy has not been attached. | Enforcing the least privilege | Low | identity:::protectionPolicy |
| RGC-GR_CONFIG_IAM_ROLE_IN_USE | Checks whether an IAM permission has been granted to any IAM users, user groups, or agencies. This policy is non-compliant if the permission has not been granted. | Enforcing the least privilege | Low | identity:::role |
| RGC-GR_CONFIG_IAM_USER_LOGIN_PROTECTION_ENABLED | Checks whether login protection is enabled for an IAM user. This policy is non-compliant if protection is not enabled. | Using strong authentication | Medium | identity:::user |
| RGC-GR_CONFIG_IAM_USER_GROUP_MEMBERSHIP_CHECK | Checks whether an IAM user is in a specified IAM user group. This policy is non-compliant if the user is not in a specified user group. | Enforcing the least privilege | Medium | identity:::user |
| RGC-GR_CONFIG_IAM_AGENCIES_MANAGED_POLICY_CHECK | Checks whether an IAM agency has the specified IAM policies and permissions. This policy is non-compliant if the agency does not have the specified IAM policies and permissions. | Enforcing the least privilege | High | identity:::agency |

IMS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_IMS_IMAGES_ENABLE_ENCRYPTION | Checks whether encryption is enabled for a private image. This policy is non-compliant if encryption is not enabled. | Encrypting data at rest | High | images:::image |

MapReduce Service (MRS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_MRS_CLUSTER_KERBEROS_ENABLED | Checks whether Kerberos authentication is enabled for an MRS cluster. This policy is non-compliant if authentication is not enabled. | Using strong authentication | Medium | mrs:::cluster |
| RGC-GR_CONFIG_MRS_CLUSTER_NO_PUBLIC_IP | Checks whether a public IP address is bound to an MRS cluster. This policy is non-compliant if a public IP address is bound. | Controlling network access | Medium | mrs:::cluster |
| RGC-GR_CONFIG_MRS_CLUSTER_IN_ALLOWED_SECURITY_GROUPS | Checks whether an MRS cluster is in a specified security group. This policy is non-compliant if the cluster is not in the specified security group. | Controlling network access | Medium | mrs:::cluster |
| RGC-GR_CONFIG_MRS_CLUSTER_IN_VPC | Checks whether an MRS cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. | Controlling network access | Medium | mrs:::cluster |

NAT

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_PRIVATE_NAT_GATEWAY_AUTHORIZED_VPC_ONLY | Checks whether a private NAT gateway is in a specified VPC. This policy is non-compliant if the NAT gateway is not in the specified VPC. | Controlling network access | High | nat:::privateGateway |

Object Storage Service (OBS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_OBS_BUCKET_POLICY_GRANTEE_CHECK | Checks whether an OBS bucket policy allows a prohibited access action. This policy is non-compliant if the bucket policy allows a prohibited access action. | Enforcing the least privilege | High | obs:::bucket |

Relational Database Service (RDS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_RDS_INSTANCE_NO_PUBLIC_IP | Checks whether a public IP address is bound to an RDS instance. This policy is non-compliant if a public IP address is bound. | Controlling network access | High | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCES_ENABLE_KMS | Checks whether storage encryption is enabled for an RDS instance. This policy is non-compliant if storage encryption is not enabled. | Encrypting data at rest | Low | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_PORT_CHECK | Checks whether an RDS instance has forbidden ports. This policy is non-compliant if the instance has forbidden ports. | Controlling network access | High | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_SSL_ENABLE | Checks whether SSL encryption is enabled for an RDS instance. This policy is non-compliant if SSL encryption is not enabled. | Encrypting data at rest | High | rds:::instance |

Scalable File Service Turbo (SFS Turbo)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_SFSTURBO_ENCRYPTED_CHECK | Checks whether SFS Turbo is configured to encrypt files using KMS. This policy is non-compliant if SFS Turbo is not configured to encrypt files using KMS. | Encrypting data at rest | Low | sfsturbo:::dir |

TaurusDB

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_IN_VPC | Checks whether a TaurusDB instance is in a specified VPC. This policy is non-compliant if the instance is not in the specified VPC. | Controlling network access | High | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_NO_PUBLIC_IP_CHECK | Checks whether a TaurusDB instance has an EIP associated. This policy is non-compliant if the instance has an EIP associated. | Controlling network access | High | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_SSL_ENABLE | Checks whether SSL encryption is enabled for a TaurusDB instance. This policy is non-compliant if SSL encryption is not enabled. | Encrypting data in transit | High | gaussdb:::mysqlInstance |

Virtual Private Cloud (VPC)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_VPC_SG_PORTS_CHECK | Checks whether the inbound source IP address of a security group is set to 0.0.0.0/0 and all TCP/UDP ports are enabled. This policy is non-compliant if the inbound source IP address is set to 0.0.0.0/0 and all TCP/UDP ports are enabled. | Controlling network access | High | networking:::secgroup |
| RGC-GR_CONFIG_VPC_ACL_UNUSED_CHECK | Checks whether a network ACL is associated with any subnets. This policy is non-compliant if the network ACL is not associated with any subnets. | Protecting configurations | Low | vpc:::networkAcl |
| RGC-GR_CONFIG_VPC_DEFAULT_SG_CLOSED | Checks whether the default security group of a VPC allows inbound or outbound traffic. This policy is non-compliant if the default security group allows inbound or outbound traffic. | Controlling network access | High | networking:::secgroup |
| RGC-GR_CONFIG_VPC_SG_RESTRICTED_SSH | Checks whether the inbound source IP address of a security group is set to 0.0.0.0/0 and TCP port 22 is enabled. This policy is non-compliant if the inbound source IP address is set to 0.0.0.0/0 and TCP port 22 is enabled. | Controlling network access | High | networking:::secgroup |

Web Application Firewall (WAF)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_WAF_INSTANCE_POLICY_NOT_EMPTY | Checks whether a WAF domain name has protection policies configured. This policy is non-compliant if the domain name has no protection policies configured. | Controlling network access | Medium | waf:::cloudInstance |
