Elective Governance Policies
*

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_REGULAR_MATCHING_OF_NAMES | Checks whether a resource name matches a regular expression pattern. This policy is non-compliant if the resource name does not match. | Protecting configurations | Low | * |

APIG

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_APIG_INSTANCES_EXECUTION_LOGGING_ENABLED | Checks whether a dedicated API gateway is configured with access logs. This policy is non-compliant if the gateway is not configured with access logs. | Establishing logging and monitoring | Medium | apig:::instance |

Auto Scaling

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_AS_CAPACITY_REBALANCING | Checks whether the EQUILIBRIUM_DISTRIBUTE scaling policy is applied when an AS group scales in or out. This policy is non-compliant if this scaling policy is not applied. | Improving availability | Medium | as:::group |
| RGC-GR_CONFIG_AS_GROUP_ELB_HEALTHCHECK_REQUIRED | Checks whether ELB health check is enabled for an AS group associated with load balancers. This policy is non-compliant if the health check is not enabled. | Improving availability | Low | as:::group |
| RGC-GR_CONFIG_AS_MULTIPLE_AZ | Checks whether an auto scaling (AS) group is deployed in multiple AZs. This policy is non-compliant if the group is not deployed in multiple AZs. | Improving availability | Medium | as:::group |
| RGC-GR_CONFIG_AS_GROUP_IPV6_DISABLED | Checks whether an IPv6 shared bandwidth is assigned to an AS group. This policy is non-compliant if an IPv6 shared bandwidth is assigned. | Optimizing costs | Low | as:::group |

CBR

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_CBR_POLICY_MINIMUM_FREQUENCY_CHECK | Checks whether the execution frequency of a backup policy is within the specified range. This policy is non-compliant if the frequency is below the specified minimum. | Preparing for disaster recovery | Medium | cbr:::policy |
| RGC-GR_CONFIG_CBR_VAULT_MINIMUM_RETENTION_CHECK | Checks whether a CBR vault has a backup policy attached whose retention meets the required number of days. This policy is non-compliant if the vault has no policy attached or none of its policies meets the retention requirement. | Preparing for disaster recovery | Medium | cbr:::vault |

CBR and ECS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ECS_PROTECTED_BY_CBR | Checks whether an ECS has a backup vault attached. This policy is non-compliant if the ECS has no backup vault attached. | Preparing for disaster recovery | Medium | ecs:::instanceV1 |
| RGC-GR_CONFIG_ECS_LAST_BACKUP_CREATED | Checks whether an ECS has a backup created within the specified time period. This policy is non-compliant if the most recent backup of the ECS is older than the specified time period. | Preparing for disaster recovery | Low | ecs:::instanceV1 |

CBR and EVS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_EVS_PROTECTED_BY_CBR | Checks whether an EVS disk has a backup vault attached. This policy is non-compliant if the disk has no backup vault attached. | Preparing for disaster recovery | Medium | evs:::volume |
| RGC-GR_CONFIG_EVS_LAST_BACKUP_CREATED | Checks whether an EVS disk has a backup created within the specified time period. This policy is non-compliant if the most recent backup of the disk is older than the specified time period. | Preparing for disaster recovery | Low | evs:::volume |

CBR and SFS Turbo

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_SFSTURBO_PROTECTED_BY_CBR | Checks whether an SFS Turbo file system has a backup vault attached. This policy is non-compliant if the file system has no backup vault attached. | Preparing for disaster recovery | Medium | sfs:::turbo |

CCE

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_CCE_CLUSTER_END_OF_MAINTENANCE_VERSION | Checks whether a CCE cluster version is end of maintenance (EOM). This policy is non-compliant if the version is EOM. | Managing vulnerabilities | Medium | cce:::cluster |
| RGC-GR_CONFIG_CCE_CLUSTER_OLDEST_SUPPORTED_VERSION | Checks whether a CCE cluster is using the oldest supported version. This policy is non-compliant if the cluster is using the oldest supported version. | Managing vulnerabilities | Medium | cce:::cluster |
| RGC-GR_CONFIG_ALLOWED_CCE_FLAVORS | Checks whether the flavor of a CCE cluster matches any of the specified flavors. This policy is non-compliant if the flavor does not match. | Protecting configurations | Low | cce:::cluster |

CCM

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_PCA_CERTIFICATE_AUTHORITY_ROOT_DISABLE | Checks whether private root CAs are disabled. This policy is non-compliant if a root CA is not disabled. | Managing confidentiality | Medium | scm:::certificate |
| RGC-GR_CONFIG_PCA_ALGORITHM_CHECK | Checks whether a CCM private certificate uses a prohibited key algorithm or signature hash algorithm. This policy is non-compliant if such an algorithm is used. | Encrypting data in transit | High | ccm:::privateCertificate |

Cloud Eye

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_ACTION_ENABLED_CHECK | Checks whether a Cloud Eye alarm rule is enabled. This policy is non-compliant if the alarm rule is not enabled. | Establishing logging and monitoring | Medium | ces:::alarmRule |
| RGC-GR_CONFIG_ALARM_RESOURCE_CHECK | Checks whether a resource has the specified metrics associated with an alarm rule. This policy is non-compliant if the resource has no alarm rule for the specified metrics. | Establishing logging and monitoring | Low | ces:::alarmRule |
| RGC-GR_CONFIG_ALARM_SETTINGS_CHECK | Checks whether the alarm settings for a specified metric meet the requirements. This policy is non-compliant if the requirements are not met. | Establishing logging and monitoring | Low | ces:::alarmRule |

Cloud Eye and DEW

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_KMS_DISABLE_OR_DELETE_KEY | Checks whether alarms are configured to monitor KMS key disabling and scheduled key deletion. This policy is non-compliant if no such alarms are configured. | Establishing logging and monitoring | Critical | ces:::alarmRule |

Cloud Eye and OBS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_OBS_BUCKET_POLICY_CHANGE | Checks whether alarms are configured to monitor changes to OBS bucket policies. This policy is non-compliant if no alarms are configured. | Establishing logging and monitoring | Critical | ces:::alarmRule |

Cloud Eye and VPC

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_VPC_CHANGE | Checks whether alarms are configured to monitor VPC changes. This policy is non-compliant if no alarms are configured. | Establishing logging and monitoring | High | ces:::alarmRule |

CodeArts Deploy

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_CODEARTSDEPLOY_HOST_CLUSTER_RESOURCE_STATUS | Checks whether a host cluster in a CodeArts project is available. This policy is non-compliant if the cluster is unavailable. | Improving availability | Low | codeartsDeploy:::host |

Config

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_TRACKER_CONFIG_ENABLED_CHECK | Checks whether the resource recorder is enabled for an account. This policy is non-compliant if the resource recorder is not enabled. | Establishing logging and monitoring | Medium | rms:::resourceRecorder |

CSS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_CSS_CLUSTER_BACKUP_AVAILABLE | Checks whether the snapshot function is enabled for a CSS cluster. This policy is non-compliant if the function is not enabled. | Improving resiliency | Medium | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_MULTIPLE_AZ_CHECK | Checks whether a CSS cluster is deployed in multiple AZs for disaster recovery. This policy is non-compliant if the cluster is not deployed in multiple AZs. | Improving availability | Medium | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_MULTIPLE_INSTANCES_CHECK | Checks whether a CSS cluster has multiple nodes deployed for disaster recovery. This policy is non-compliant if the cluster does not have multiple nodes deployed. | Improving availability | Medium | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_IN_VPC | Checks whether a CSS cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. | Controlling network access | Critical | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_SLOWLOG_ENABLE | Checks whether slow query log is enabled for a CSS cluster. This policy is non-compliant if the function is not enabled. | Establishing logging and monitoring | Medium | css:::cluster |

CTS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_MULTI_REGION_CTS_TRACKER_EXISTS | Checks whether a CTS tracker has been created and enabled for the specified region list in an account. This policy is non-compliant if no tracker is created and enabled for the specified region list. | Establishing logging and monitoring | High | cts:::tracker |
| RGC-GR_CONFIG_CTS_OBS_BUCKET_TRACK | Checks whether the CTS trackers in an account track the specified OBS buckets. This policy is non-compliant if the trackers do not track the specified OBS buckets. | Establishing logging and monitoring | High | cts:::tracker |
| RGC-GR_CONFIG_CTS_TRACKER_ENABLED_SECURITY | Checks whether there are CTS trackers that comply with security best practices. This policy is non-compliant if no such trackers exist. | Establishing logging and monitoring | High | cts:::tracker |

DEW

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_CSMS_SECRETS_AUTO_ROTATION_ENABLED | Checks whether automatic rotation is enabled for CSMS secrets. This policy is non-compliant if automatic rotation is not enabled. | Managing confidentiality | Medium | csms:::secret |
| RGC-GR_CONFIG_CSMS_SECRETS_PERIODIC_ROTATION | Checks whether a CSMS secret is rotated within the specified number of days. This policy is non-compliant if the secret is not rotated within the specified number of days. | Managing confidentiality | Medium | csms:::secret |
| RGC-GR_CONFIG_CSMS_SECRETS_USING_CMK | Checks whether a CSMS secret uses the specified KMS keys. This policy is non-compliant if the secret does not use such keys. | Encrypting data at rest | High | csms:::secret |

DDS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_DDS_INSTANCE_HAMODE | Checks whether the instance type (HA mode) of a DDS instance matches the specified type. This policy is non-compliant if the instance type does not match. | Protecting configurations | Low | dds:::instance |
| RGC-GR_CONFIG_DDS_INSTANCE_ENGINE_VERSION_CHECK | Checks whether a DDS instance uses the specified version or a later one. This policy is non-compliant if the instance uses a version earlier than the specified one. | Managing vulnerabilities | Low | dds:::instance |

DWS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_DWS_ENABLE_SNAPSHOT | Checks whether automated snapshots are enabled for a DWS cluster. This policy is non-compliant if automated snapshots are not enabled. | Improving resiliency | Medium | dws:::cluster |
| RGC-GR_CONFIG_DWS_MAINTAIN_WINDOW_CHECK | Checks whether the O&M time window of a DWS cluster is consistent with the specified time window. This policy is non-compliant if the time window is not consistent with the specified one. | Preparing for incident response | Medium | dws:::cluster |
| RGC-GR_CONFIG_DWS_ENABLE_LOG_DUMP | Checks whether log dump is enabled for a DWS cluster. This policy is non-compliant if log dump is not enabled. | Establishing logging and monitoring | Medium | dws:::cluster |

ECS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ALLOWED_ECS_FLAVORS | Checks whether an ECS flavor matches one of the specified flavors. This policy is non-compliant if the flavor does not match. | Protecting configurations | Low | ecs:::instanceV1 |
| RGC-GR_CONFIG_ALLOWED_IMAGES_BY_NAME | Checks whether the name of an ECS image matches one of the specified names. This policy is non-compliant if the image name does not match. | Managing vulnerabilities | High | ecs:::instanceV1 |
| RGC-GR_CONFIG_ECS_ATTACHED_HSS_AGENTS_CHECK | Checks whether an ECS has an HSS agent attached and has protection enabled. This policy is non-compliant if the ECS has no HSS agent attached or has protection disabled. | Managing vulnerabilities | Medium | ecs:::instanceV1 |

ECS and IMS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ALLOWED_IMAGES_BY_ID | Checks whether the image ID of an ECS matches one of the specified image IDs. This policy is non-compliant if the image ID does not match. | Managing vulnerabilities | High | ecs:::instanceV1 |
| RGC-GR_CONFIG_APPROVED_IMS_BY_TAG | Checks whether an ECS uses an IMS image with the specified tag. This policy is non-compliant if the ECS does not use such an image. | Managing vulnerabilities | Medium | ecs:::instanceV1 |

EIP

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_EIP_USE_IN_SPECIFIED_DAYS | Checks whether an EIP has been bound to an instance within the specified number of days. This policy is non-compliant if the EIP has not been bound within the specified number of days. | Optimizing costs | Medium | vpc:::eipAssociate |

ELB

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ELB_MULTIPLE_AZ_CHECK | Checks whether a load balancer has registered instances in multiple AZs. This policy is non-compliant if the load balancer has registered instances in fewer than two AZs. | Balancing loads | Medium | elb:::loadbalancer |
| RGC-GR_CONFIG_ELB_MEMBERS_WEIGHT_CHECK | Checks whether the weight of a backend server is 0 while the load balancing algorithm of its backend server group is not SOURCE_IP. This policy is non-compliant if the weight is 0 and the algorithm is not SOURCE_IP. | Improving availability | Low | elb:::member |

EVS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_EVS_USE_IN_SPECIFIED_DAYS | Checks whether an EVS disk has been attached to an instance within the specified number of days. This policy is non-compliant if the disk has not been attached within the specified number of days. | Optimizing costs | Medium | evs:::volume |
| RGC-GR_CONFIG_VOLUME_UNUSED_CHECK | Checks whether an EVS disk is attached to a cloud server. This policy is non-compliant if the disk is not attached. | Optimizing costs | High | evs:::volume |
| RGC-GR_CONFIG_ALLOWED_VOLUME_SPECS | Checks whether the type of an EVS disk is in the allowed type list. This policy is non-compliant if the disk type is not in the list. | Protecting configurations | Low | evs:::volume |

FunctionGraph

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_FUNCTION_GRAPH_CONCURRENCY_CHECK | Checks whether the concurrency limit of a FunctionGraph function is within the specified range. This policy is non-compliant if the limit is not within the specified range. | Improving availability | Medium | fgs:::function |
| RGC-GR_CONFIG_FUNCTION_GRAPH_INSIDE_VPC | Checks whether a FunctionGraph function is in the specified VPC. This policy is non-compliant if the function is not in the specified VPC. | Controlling network access | Low | fgs:::function |
| RGC-GR_CONFIG_FUNCTION_GRAPH_SETTINGS_CHECK | Checks whether the runtime, timeout duration, and memory limit of a FunctionGraph function are within the specified ranges. This policy is non-compliant if any of them is outside its specified range. | Managing vulnerabilities | Medium | fgs:::function |
| RGC-GR_CONFIG_FUNCTION_GRAPH_LOGGING_ENABLED | Checks whether logging is enabled for a FunctionGraph function. This policy is non-compliant if logging is not enabled. | Establishing logging and monitoring | Medium | fgs:::function |

GaussDB

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for a GaussDB instance. This policy is non-compliant if audit logging is not enabled. | Establishing logging and monitoring | Medium | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for a GaussDB instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_ERRORLOG | Checks whether error log collection is enabled for a GaussDB instance. This policy is non-compliant if error log collection is not enabled. | Establishing logging and monitoring | Low | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for a GaussDB instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_MULTIPLE_AZ_CHECK | Checks whether a GaussDB instance is deployed across AZs. This policy is non-compliant if the instance is not deployed across AZs. | Improving availability | Medium | gaussdb:::opengaussInstance |

GeminiDB

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_GAUSSDB_NOSQL_DEPLOY_IN_SINGLE_AZ | Checks whether a GeminiDB instance is deployed in a single AZ. This policy is non-compliant if the instance is deployed in a single AZ. | Improving availability | Medium | gaussdb:::mongoInstance |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_BACKUP | Checks whether backup is enabled for a GeminiDB instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::mongoInstance |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_ERROR_LOG | Checks whether error logging is enabled for a GeminiDB instance. This policy is non-compliant if error logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mongoInstance |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_SUPPORT_SLOW_LOG | Checks whether a GeminiDB instance supports slow-query logging. This policy is non-compliant if slow-query logging is not supported. | Establishing logging and monitoring | Low | gaussdb:::mongoInstance |

GES

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_GES_GRAPHS_LTS_ENABLE | Checks whether LTS is enabled for a GES graph. This policy is non-compliant if LTS is not enabled. | Establishing logging and monitoring | Medium | ges:::graph |
| RGC-GR_CONFIG_GES_GRAPHS_MULTI_AZ_SUPPORT | Checks whether a GES graph supports cross-AZ HA. This policy is non-compliant if cross-AZ HA is not supported. | Improving availability | Medium | ges:::graph |

IAM

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS | Checks whether an IAM policy allows any blocked action on KMS keys. This policy is non-compliant if the IAM policy allows such actions. | Enforcing the least privilege | Medium | |
| RGC-GR_CONFIG_IAM_USER_CHECK_NON_ADMIN_GROUP | Checks whether a non-root user is added to the admin user group. This policy is non-compliant if such users are added. | Enforcing the least privilege | Low | identity:::user |
| RGC-GR_CONFIG_IAM_USER_NO_POLICIES_CHECK | Checks whether an IAM user is directly assigned a policy or permission. This policy is non-compliant if the user is directly assigned a policy or permission. | Enforcing the least privilege | Low | identity:::user |

MRS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_MRS_CLUSTER_MULTIAZ_DEPLOYMENT | Checks whether an MRS cluster is deployed in multiple AZs. This policy is non-compliant if the cluster is not deployed in multiple AZs. | Improving availability | Medium | mrs:::cluster |
| RGC-GR_CONFIG_MRS_CLUSTER_ENCRYPT_ENABLE | Requires that KMS keys not be in the pending deletion state. | Protecting data integrity | Medium | mrs:::cluster |

RDS

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for an RDS instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_ERRORLOG | Checks whether error log collection is enabled for an RDS instance. This policy is non-compliant if error log collection is not enabled. | Establishing logging and monitoring | Low | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for an RDS instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_LOGGING_ENABLED | Checks whether logs are collected for an RDS instance. This policy is non-compliant if no logs are collected. | Establishing logging and monitoring | Medium | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_MULTI_AZ_SUPPORT | Checks whether an RDS instance is deployed in a single AZ. This policy is non-compliant if the instance is deployed in only one AZ. | Improving availability | Medium | rds:::instance |
| RGC-GR_CONFIG_ALLOWED_RDS_FLAVORS | Checks whether the flavor of an RDS instance is within the specified range. This policy is non-compliant if the flavor is not within the specified range. | Protecting configurations | Low | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCES_IN_VPC | Checks whether an RDS instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. | Controlling network access | High | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for an RDS instance and whether the audit logs are retained for the specified period. This policy is non-compliant if audit logging is not enabled or the audit logs are not retained for the specified period. | Establishing logging and monitoring | Medium | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENGINE_VERSION_CHECK | Checks whether the database engine version of an RDS instance is earlier than the specified version. This policy is non-compliant if the version is earlier than the specified one. | Managing vulnerabilities | Low | rds:::instance |

OBS and Access Analyzer

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_OBS_BUCKET_BLACKLISTED_ACTIONS_PROHIBITED | Checks whether an OBS bucket policy allows any blacklisted action to external users. This policy is non-compliant if the bucket policy allows such actions. | Enforcing the least privilege | High | obs:::bucket |
| RGC-GR_CONFIG_OBS_BUCKET_SSL_REQUESTS_ONLY | Checks whether an OBS bucket policy allows actions without SSL encryption. This policy is non-compliant if the bucket policy allows such actions. | Encrypting data in transit | Medium | obs:::bucket |

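Three of the policies above (RGC-GR_CONFIG_REGULAR_MATCHING_OF_NAMES in the first table, RGC-GR_CONFIG_IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS under IAM, and RGC-GR_CONFIG_OBS_BUCKET_SSL_REQUESTS_ONLY just above) are the kind of check a practitioner often re-implements locally to pre-screen resources before a governance evaluation runs. The block below is an added example written for this page, not RGC's or Config's code, and it does not call any cloud API. The record shapes, the `SecureTransport` condition key, the `Principal.ID` form, the OBS action spelling and the KMS action names are assumptions; the sample policies are constructed.

```python
"""Added example for this page: local evaluators for three elective policies.
Not RGC's or Config's implementation. Record shapes, the SecureTransport
condition key, Principal.ID, OBS action names and KMS action names are assumed."""
import re


def name_matches(resource_name: str, pattern: str) -> bool:
    """RGC-GR_CONFIG_REGULAR_MATCHING_OF_NAMES: compliant only if the whole
    name matches. re.search would wrongly accept "x-prod-web-01-y"."""
    return re.fullmatch(pattern, resource_name) is not None


def _as_list(value):
    # Policy documents allow a string or a list in Action / Principal fields.
    return value if isinstance(value, list) else [value]


def _action_covers(pattern: str, action: str) -> bool:
    # Translate the '*' wildcard of policy actions ("kms:*:*", "*") to a regex.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _principal_is_everyone(stmt: dict) -> bool:
    # Assumed forms: "*" or {"ID": ["*"]}; a Deny scoped to one user does not
    # enforce TLS for everybody else.
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("ID", []))
    return False


def bucket_requires_ssl(bucket_policy: dict) -> bool:
    """RGC-GR_CONFIG_OBS_BUCKET_SSL_REQUESTS_ONLY: compliant only if some
    statement denies every action to every principal when the request is not
    made over TLS (assumed condition {"Bool": {"SecureTransport": "false"}})."""
    for stmt in bucket_policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt):
            continue
        if not any(_action_covers(a, "*") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("SecureTransport", "")).lower() == "false":
            return True
    return False


def blocked_actions_allowed(iam_policy: dict, blocked: list) -> list:
    """RGC-GR_CONFIG_IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS: returns the
    blocked actions that Allow statements grant (wildcards expanded).
    An empty list means compliant. Deny statements are not evaluated."""
    granted = []
    for stmt in iam_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in blocked:
                if action not in granted and _action_covers(pattern, action):
                    granted.append(action)
    return granted


# Constructed sample inputs (not real account data).
NAME_PATTERN = r"(prod|dev)-[a-z]+-\d{2}"

SSL_ONLY_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"ID": ["domain/123:user/abc"]},
     "Action": ["GetObject"], "Resource": ["reports/*"]},
    {"Effect": "Deny", "Principal": {"ID": ["*"]}, "Action": ["*"],
     "Resource": ["reports", "reports/*"],
     "Condition": {"Bool": {"SecureTransport": "false"}}},
]}
PLAINTEXT_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"ID": ["*"]},
     "Action": ["GetObject"], "Resource": ["public/*"]},
]}
PARTIAL_DENY_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": {"ID": ["domain/123:user/abc"]},
     "Action": ["*"], "Resource": ["reports/*"],
     "Condition": {"Bool": {"SecureTransport": "false"}}},
]}

BLOCKED_KMS_ACTIONS = ["kms:cmk:disable", "kms:cmk:scheduleDelete"]  # hypothetical
WIDE_IAM_POLICY = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:*:*", "obs:bucket:list"]}]}
NARROW_IAM_POLICY = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:cmk:encrypt", "kms:cmk:decrypt"]}]}


def evaluate_all() -> dict:
    return {
        "name_ok": name_matches("prod-web-01", NAME_PATTERN),
        "name_bad": name_matches("Prod_web", NAME_PATTERN),
        "ssl_only": bucket_requires_ssl(SSL_ONLY_BUCKET_POLICY),
        "plaintext": bucket_requires_ssl(PLAINTEXT_BUCKET_POLICY),
        "partial_deny": bucket_requires_ssl(PARTIAL_DENY_BUCKET_POLICY),
        "wide_kms": blocked_actions_allowed(WIDE_IAM_POLICY, BLOCKED_KMS_ACTIONS),
        "narrow_kms": blocked_actions_allowed(NARROW_IAM_POLICY, BLOCKED_KMS_ACTIONS),
    }


if __name__ == "__main__":
    for check, result in evaluate_all().items():
        print(f"{check}: {result}")
```

Two points the catalog entries leave implicit and the code makes visible: the SSL check is only meaningful if the Deny statement covers every principal and every action, so a Deny scoped to one user (PARTIAL_DENY_BUCKET_POLICY) is treated as non-compliant; and a wildcard such as `kms:*:*` grants the blocked actions even though none of them is written out, which is why the IAM evaluator expands wildcards rather than comparing strings. The IAM evaluator deliberately ignores Deny statements; the listed policy is phrased as "allows any blocked action", and resolving Allow/Deny precedence would be a separate exercise.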
Organizations

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_ACCOUNT_PART_OF_ORGANIZATIONS | Checks whether an account is a member of an organization. This policy is non-compliant if the account is not a member of an organization. | Enforcing the least privilege | High | organizations:::accountAssociate |

SMN

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_SMN_LTS_ENABLE | Checks whether trace analysis is enabled for an SMN topic. This policy is non-compliant if trace analysis is not enabled. | Establishing logging and monitoring | Medium | smn:::topic |

TaurusDB

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for a TaurusDB instance. This policy is non-compliant if audit logging is not enabled. | Establishing logging and monitoring | Medium | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for a TaurusDB instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_ERRORLOG | Checks whether error logging is enabled for a TaurusDB instance. This policy is non-compliant if error logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for a TaurusDB instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_MULTIPLE_AZ_CHECK | Checks whether a TaurusDB instance is deployed across AZs. This policy is non-compliant if the instance is not deployed across AZs. | Improving availability | Medium | gaussdb:::mysqlInstance |

VPC

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_EIP_UNBOUND_CHECK | Checks whether an EIP is bound to any resource. This policy is non-compliant if the EIP is not bound. | Optimizing costs | Medium | vpc:::eipAssociate |
| RGC-GR_CONFIG_VPC_FLOW_LOGS_ENABLED | Checks whether flow logs are enabled for a VPC. This policy is non-compliant if flow logs are not enabled. | Establishing logging and monitoring | Medium | vpc:::flowLog |
| RGC-GR_CONFIG_EIP_BANDWIDTH_LIMIT | Checks whether the bandwidth of an EIP is less than the specified value. This policy is non-compliant if the bandwidth is less than the specified value. | Improving availability | Medium | vpc:::eip |

VPN

| Policy Name | Function | Scenario | Severity | Resource |
|---|---|---|---|---|
| RGC-GR_CONFIG_VPN_CONNECTIONS_ACTIVE | Checks whether a VPN connection is in the normal state. This policy is non-compliant if the connection is not in the normal state. | Improving availability | Medium | vpnaas:::siteConnectionV2 |
