Elective Governance Policies

Updated on 2025-02-21 GMT+08:00

*

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_REGULAR_MATCHING_OF_NAMES | Checks whether a resource name matches a regular expression pattern. This policy is non-compliant if the resource name does not match. | Protecting configurations | Low | * |

APIG

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_APIG_INSTANCES_EXECUTION_LOGGING_ENABLED | Checks whether a dedicated API gateway is configured with access logs. This policy is non-compliant if the gateway is not configured with access logs. | Establishing logging and monitoring | Medium | apig:::instance |

Auto Scaling

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_AS_CAPACITY_REBALANCING | Checks whether the scaling policy of EQUILIBRIUM_DISTRIBUTE is applied when an AS group scales in or out. This policy is non-compliant if this scaling policy is not applied. | Improving availability | Medium | as:::group |
| RGC-GR_CONFIG_AS_GROUP_ELB_HEALTHCHECK_REQUIRED | Checks whether ELB health check is enabled for an AS group associated with load balancers. This policy is non-compliant if health check is not enabled. | Improving availability | Low | as:::group |
| RGC-GR_CONFIG_AS_MULTIPLE_AZ | Checks whether an auto scaling (AS) group is deployed in multiple AZs. This policy is non-compliant if the group is not deployed in multiple AZs. | Improving availability | Medium | as:::group |
| RGC-GR_CONFIG_AS_GROUP_IPV6_DISABLED | Checks whether an IPv6 shared bandwidth is assigned to an AS group. This policy is non-compliant if an IPv6 shared bandwidth is assigned. | Optimizing costs | Low | as:::group |

CBR

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CBR_POLICY_MINIMUM_FREQUENCY_CHECK | Checks whether the execution frequency of a backup policy is within the specified range. This policy is non-compliant if the frequency is lower than the specified range. | Preparing for disaster recovery | Medium | cbr:::policy |
| RGC-GR_CONFIG_CBR_VAULT_MINIMUM_RETENTION_CHECK | Checks whether a CBR vault has policies attached or has any policies that can be retained within the required number of days. This policy is non-compliant if the vault has no policies attached or has no such policies. | Preparing for disaster recovery | Medium | cbr:::vault |

CBR and ECS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ECS_PROTECTED_BY_CBR | Checks whether an ECS has a backup vault attached. This policy is non-compliant if the ECS has no backup vault attached. | Preparing for disaster recovery | Medium | ecs:::instanceV1 |
| RGC-GR_CONFIG_ECS_LAST_BACKUP_CREATED | Checks whether an ECS has a backup created within the specified time period. This policy is non-compliant if the ECS has a backup created beyond the specified time period. | Preparing for disaster recovery | Low | ecs:::instanceV1 |

CBR and EVS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_EVS_PROTECTED_BY_CBR | Checks whether an EVS disk has a backup vault attached. This policy is non-compliant if the disk has no backup vaults attached. | Preparing for disaster recovery | Medium | evs:::volume |
| RGC-GR_CONFIG_EVS_LAST_BACKUP_CREATED | Checks whether an EVS disk has a backup created within the specified time period. This policy is non-compliant if the disk has a backup created beyond the specified time period. | Preparing for disaster recovery | Low | evs:::volume |

CBR and SFS Turbo

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_SFSTURBO_PROTECTED_BY_CBR | Checks whether an SFS Turbo system has a backup vault attached. This policy is non-compliant if the system has no backup vaults attached. | Preparing for disaster recovery | Medium | sfs:::turbo |

CCE

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CCE_CLUSTER_END_OF_MAINTENANCE_VERSION | Checks whether a CCE cluster version is end of maintenance (EOM). This policy is non-compliant if the version is EOM. | Managing vulnerabilities | Medium | cce:::cluster |
| RGC-GR_CONFIG_CCE_CLUSTER_OLDEST_SUPPORTED_VERSION | Checks whether a CCE cluster is using the oldest supported version. This policy is non-compliant if the cluster is using the oldest supported version. | Managing vulnerabilities | Medium | cce:::cluster |
| RGC-GR_CONFIG_ALLOWED_CCE_FLAVORS | Checks whether the flavors of a CCE cluster match any of the specified flavors. This policy is non-compliant if the flavors do not match. | Protecting configurations | Low | cce:::cluster |

CCM

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_PCA_CERTIFICATE_AUTHORITY_ROOT_DISABLE | Checks whether private root CAs are disabled. This policy is non-compliant if CAs are not disabled. | Managing confidentiality | Medium | scm:::certificate |
| RGC-GR_CONFIG_PCA_ALGORITHM_CHECK | Checks whether CCM uses a prohibited key algorithm or signature hash algorithm. This policy is non-compliant if CCM uses such algorithms. | Encrypting data in transit | High | ccm:::privateCertificate |

Cloud Eye

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ALARM_ACTION_ENABLED_CHECK | Checks whether Cloud Eye alarming is enabled. This policy is non-compliant if alarming is not enabled. | Establishing logging and monitoring | Medium | ces:::alarmRule |
| RGC-GR_CONFIG_ALARM_RESOURCE_CHECK | Checks whether a resource has specified metrics associated for alarming. This policy is non-compliant if the resource has no specified metrics associated. | Establishing logging and monitoring | Low | ces:::alarmRule |
| RGC-GR_CONFIG_ALARM_SETTINGS_CHECK | Checks whether the settings of a specified metric meet the requirements. This policy is non-compliant if the requirements are not met. | Establishing logging and monitoring | Low | ces:::alarmRule |

Cloud Eye and DEW

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ALARM_KMS_DISABLE_OR_DELETE_KEY | Checks whether alarms are configured to monitor the operation of disabling KMS or scheduling to delete a key. This policy is non-compliant if no alarms are configured. | Establishing logging and monitoring | Critical | ces:::alarmRule |

Cloud Eye and OBS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ALARM_OBS_BUCKET_POLICY_CHANGE | Checks whether alarms are configured to monitor the changes of OBS bucket policies. This policy is non-compliant if no alarms are configured. | Establishing logging and monitoring | Critical | ces:::alarmRule |

Cloud Eye and VPC

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ALARM_VPC_CHANGE | Checks whether alarms are configured to monitor VPC changes. This policy is non-compliant if no alarms are configured. | Establishing logging and monitoring | High | ces:::alarmRule |

CodeArts Deploy

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CODEARTSDEPLOY_HOST_CLUSTER_RESOURCE_STATUS | Checks whether a host cluster in the CodeArts project is available. This policy is non-compliant if the cluster is unavailable. | Improving availability | Low | codeartsDeploy:::host |

Config

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_TRACKER_CONFIG_ENABLED_CHECK | Checks whether the resource recorder is enabled for an account. This policy is non-compliant if the resource recorder is not enabled. | Establishing logging and monitoring | Medium | rms:::resourceRecorder |

CSS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CSS_CLUSTER_BACKUP_AVAILABLE | Checks whether the snapshot function is enabled for a CSS cluster. This policy is non-compliant if this function is not enabled. | Improving resiliency | Medium | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_MULTIPLE_AZ_CHECK | Checks whether a CSS cluster is deployed in multiple AZs for disaster recovery. This policy is non-compliant if the cluster is not deployed in multiple AZs. | Improving availability | Medium | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_MULTIPLE_INSTANCES_CHECK | Checks whether a CSS cluster has multiple nodes deployed for disaster recovery. This policy is non-compliant if the cluster does not have multiple nodes deployed. | Improving availability | Medium | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_IN_VPC | Checks whether a CSS cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. | Controlling network access | Critical | css:::cluster |
| RGC-GR_CONFIG_CSS_CLUSTER_SLOWLOG_ENABLE | Checks whether slow query log is enabled for a CSS cluster. This policy is non-compliant if this function is not enabled. | Establishing logging and monitoring | Medium | css:::cluster |

CTS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_MULTI_REGION_CTS_TRACKER_EXISTS | Checks whether a CTS tracker has been created and enabled for the specified region list for an account. This policy is non-compliant if no trackers are created and enabled for the specified region list. | Establishing logging and monitoring | High | cts:::tracker |
| RGC-GR_CONFIG_CTS_OBS_BUCKET_TRACK | Checks whether all CTS trackers in an account track specified OBS buckets. This policy is non-compliant if all trackers do not track specified OBS buckets. | Establishing logging and monitoring | High | cts:::tracker |
| RGC-GR_CONFIG_CTS_TRACKER_ENABLED_SECURITY | Checks whether there are CTS trackers that comply with security best practices. This policy is non-compliant if no such trackers exist. | Establishing logging and monitoring | High | cts:::tracker |

DEW

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CSMS_SECRETS_AUTO_ROTATION_ENABLED | Checks whether automatic rotation is enabled for CSMS secrets. This policy is non-compliant if automatic rotation is not enabled. | Managing confidentiality | Medium | csms:::secret |
| RGC-GR_CONFIG_CSMS_SECRETS_PERIODIC_ROTATION | Checks whether a CSMS secret is rotated within the specified number of days. This policy is non-compliant if the secret is not rotated within the specified number of days. | Managing confidentiality | Medium | csms:::secret |
| RGC-GR_CONFIG_CSMS_SECRETS_USING_CMK | Checks whether a CSMS secret uses the specified KMS keys. This policy is non-compliant if the secret does not use such keys. | Encrypting data at rest | High | csms:::secret |

DDS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DDS_INSTANCE_HAMODE | Checks whether a DDS instance matches the specified type. This policy is non-compliant if the instance does not match. | Protecting configurations | Low | dds:::instance |
| RGC-GR_CONFIG_DDS_INSTANCE_ENGINE_VERSION_CHECK | Checks whether a DDS instance uses the specified version or higher. This policy is non-compliant if the instance uses an unspecified version or earlier. | Managing vulnerabilities | Low | dds:::instance |

DWS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DWS_ENABLE_SNAPSHOT | Checks whether automated snapshots are enabled for a DWS cluster. This policy is non-compliant if automated snapshots are not enabled. | Improving resiliency | Medium | dws:::cluster |
| RGC-GR_CONFIG_DWS_MAINTAIN_WINDOW_CHECK | Checks whether the O&M time window of a DWS cluster is consistent with the specified time window. This policy is non-compliant if the time window is not consistent with the specified one. | Preparing for incident response | Medium | dws:::cluster |
| RGC-GR_CONFIG_DWS_ENABLE_LOG_DUMP | Checks whether log dump is enabled for a DWS cluster. This policy is non-compliant if log dump is not enabled. | Establishing logging and monitoring | Medium | dws:::cluster |

ECS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ALLOWED_ECS_FLAVORS | Checks whether an ECS flavor matches the specified one. This policy is non-compliant if the flavor does not match. | Protecting configurations | Low | ecs:::instanceV1 |
| RGC-GR_CONFIG_ALLOWED_IMAGES_BY_NAME | Checks whether the name of an ECS image matches one of the specified names. This policy is non-compliant if the image name does not match. | Managing vulnerabilities | High | ecs:::instanceV1 |
| RGC-GR_CONFIG_ECS_ATTACHED_HSS_AGENTS_CHECK | Checks whether an ECS has an HSS agent attached and has protection enabled. This policy is non-compliant if the ECS has no HSS agent attached and has no protection enabled. | Managing vulnerabilities | Medium | ecs:::instanceV1 |

ECS and IMS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ALLOWED_IMAGES_BY_ID | Checks whether the image ID of an ECS matches one of the specified image IDs. This policy is non-compliant if the image ID does not match. | Managing vulnerabilities | High | ecs:::instanceV1 |
| RGC-GR_CONFIG_APPROVED_IMS_BY_TAG | Checks whether an ECS uses any of the IMS images with the specified tag. This policy is non-compliant if the ECS does not use such images. | Managing vulnerabilities | Medium | ecs:::instanceV1 |

EIP

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_EIP_USE_IN_SPECIFIED_DAYS | Checks whether an EIP is bound to any instances within the specified number of days. This policy is non-compliant if the EIP is not bound within the specified number of days. | Optimizing costs | Medium | vpc:::eipAssociate |

ELB

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ELB_MULTIPLE_AZ_CHECK | Checks whether the load balancer has registered with instances in multiple AZs. This policy is non-compliant if the load balancer has registered with instances in fewer than two AZs. | Balancing loads | Medium | elb:::loadbalancer |
| RGC-GR_CONFIG_ELB_MEMBERS_WEIGHT_CHECK | Checks whether the weight of a backend server is 0 and the load balancing algorithm used by its associated backend server group is not SOURCE_IP. This policy is non-compliant if the weight is 0 and the algorithm is not SOURCE_IP. | Improving availability | Low | elb:::member |

EVS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_EVS_USE_IN_SPECIFIED_DAYS | Checks whether an EVS disk is bound to any instances within the specified number of days. This policy is non-compliant if the disk is not bound within the specified number of days. | Optimizing costs | Medium | evs:::volume |
| RGC-GR_CONFIG_VOLUME_UNUSED_CHECK | Checks whether an EVS disk is attached to a cloud server. This policy is non-compliant if the disk is not attached. | Optimizing costs | High | evs:::volume |
| RGC-GR_CONFIG_ALLOWED_VOLUME_SPECS | Checks whether the type of an EVS disk is within the allowed type list. This policy is non-compliant if the disk type is not within the list. | Protecting configurations | Low | evs:::volume |

FunctionGraph

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_FUNCTION_GRAPH_CONCURRENCY_CHECK | Checks whether the number of concurrent requests of a FunctionGraph function is within the specified range. This policy is non-compliant if the number is not within the specified range. | Improving availability | Medium | fgs:::function |
| RGC-GR_CONFIG_FUNCTION_GRAPH_INSIDE_VPC | Checks whether a FunctionGraph function is in the specified VPC. This policy is non-compliant if the function is not in the specified VPC. | Controlling network access | Low | fgs:::function |
| RGC-GR_CONFIG_FUNCTION_GRAPH_SETTINGS_CHECK | Checks whether the runtime, timeout duration, or memory limit of a FunctionGraph function is within the specified range. This policy is non-compliant if they are not within the specified range. | Managing vulnerabilities | Medium | fgs:::function |
| RGC-GR_CONFIG_FUNCTION_GRAPH_LOGGING_ENABLED | Checks whether logging is enabled for a FunctionGraph function. This policy is non-compliant if logging is not enabled. | Establishing logging and monitoring | Medium | fgs:::function |

GaussDB

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for a GaussDB instance. This policy is non-compliant if audit logging is not enabled. | Establishing logging and monitoring | Medium | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for a GaussDB instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_ERRORLOG | Checks whether error log collection is enabled for a GaussDB instance. This policy is non-compliant if error log collection is not enabled. | Establishing logging and monitoring | Low | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for a GaussDB instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::opengaussInstance |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_MULTIPLE_AZ_CHECK | Checks whether a GaussDB resource is deployed across AZs. This policy is non-compliant if the resource is not deployed across AZs. | Improving availability | Medium | gaussdb:::opengaussInstance |

GeminiDB

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_DEPLOY_IN_SINGLE_AZ | Checks whether GeminiDB is deployed in a single AZ. This policy is non-compliant if GeminiDB is deployed in a single AZ. | Improving availability | Medium | gaussdb:::mongoInstance |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_BACKUP | Checks whether backup is enabled for GeminiDB. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::mongoInstance |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_ERROR_LOG | Checks whether error logging is enabled for GeminiDB. This policy is non-compliant if error logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mongoInstance |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_SUPPORT_SLOW_LOG | Checks whether GeminiDB supports slow-query logging. This policy is non-compliant if slow-query logging is not supported. | Establishing logging and monitoring | Low | gaussdb:::mongoInstance |

GES

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_GES_GRAPHS_LTS_ENABLE | Checks whether LTS is enabled for GES graphs. This policy is non-compliant if LTS is not enabled. | Establishing logging and monitoring | Medium | ges:::graph |
| RGC-GR_CONFIG_GES_GRAPHS_MULTI_AZ_SUPPORT | Checks whether GES supports cross-AZ HA. This policy is non-compliant if cross-AZ HA is not supported. | Improving availability | Medium | ges:::graph |

IAM

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS | Checks whether an IAM policy allows any blocked action on KMS keys. This policy is non-compliant if the IAM policy allows such actions. | Enforcing the least privilege | Medium | identity:::role; identity:::protectionPolicy |
| RGC-GR_CONFIG_IAM_USER_CHECK_NON_ADMIN_GROUP | Checks whether a non-root user is added to the admin user group. This policy is non-compliant if such users are added. | Enforcing the least privilege | Low | identity:::user |
| RGC-GR_CONFIG_IAM_USER_NO_POLICIES_CHECK | Checks whether an IAM user is directly assigned a policy or permission. This policy is non-compliant if the user is directly assigned a policy or permission. | Enforcing the least privilege | Low | identity:::user |

MRS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_MRS_CLUSTER_MULTIAZ_DEPLOYMENT | Checks whether an MRS cluster is deployed in multiple AZs. This policy is non-compliant if the cluster is not deployed in multiple AZs. | Improving availability | Medium | mrs:::cluster |
| RGC-GR_CONFIG_MRS_CLUSTER_ENCRYPT_ENABLE | Requires that KMS keys not be in a "pending deletion" state. | Protecting data integrity | Medium | mrs:::cluster |

RDS

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for an RDS instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_ERRORLOG | Checks whether error log collection is enabled for an RDS instance. This policy is non-compliant if error log collection is not enabled. | Establishing logging and monitoring | Low | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for an RDS instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_LOGGING_ENABLED | Checks whether logs are collected for an RDS instance. This policy is non-compliant if no logs are collected. | Establishing logging and monitoring | Medium | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_MULTI_AZ_SUPPORT | Checks whether an RDS instance can only be deployed in one AZ. This policy is non-compliant if the instance can only be deployed in one AZ. | Improving availability | Medium | rds:::instance |
| RGC-GR_CONFIG_ALLOWED_RDS_FLAVORS | Checks whether the flavor of an RDS instance is within the specified range. This policy is non-compliant if the flavor is not within the specified range. | Protecting configurations | Low | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCES_IN_VPC | Checks whether an RDS resource is in the specified VPC. This policy is non-compliant if the resource is not in the specified VPC. | Controlling network access | High | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_AUDITLOG | Checks whether an RDS resource has audit logging enabled or the audit logs can be stored for a specified period of time. This policy is non-compliant if audit logging is not enabled or audit logs cannot be stored for a specified period of time. | Establishing logging and monitoring | Medium | rds:::instance |
| RGC-GR_CONFIG_RDS_INSTANCE_ENGINE_VERSION_CHECK | Checks whether the version of the database engine for an RDS instance is earlier than the specified version. This policy is non-compliant if the version is earlier than the specified one. | Managing vulnerabilities | Low | rds:::instance |

OBS and Access Analyzer

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_OBS_BUCKET_BLACKLISTED_ACTIONS_PROHIBITED | Checks whether an OBS bucket policy allows any blacklisted action to external users. This policy is non-compliant if the bucket policy allows such actions. | Enforcing the least privilege | High | obs:::bucket |
| RGC-GR_CONFIG_OBS_BUCKET_SSL_REQUESTS_ONLY | Checks whether an OBS bucket policy allows actions without SSL encryption. This policy is non-compliant if the bucket policy allows such actions. | Encrypting data in transit | Medium | obs:::bucket |

Organizations

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ACCOUNT_PART_OF_ORGANIZATIONS | Checks whether an account joins an organization. This policy is non-compliant if the account does not join an organization. | Enforcing the least privilege | High | organizations:::accountAssociate |

SMN

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_SMN_LTS_ENABLE | Checks whether trace analysis is enabled for an SMN topic. This policy is non-compliant if trace analysis is not enabled. | Establishing logging and monitoring | Medium | smn:::topic |

TaurusDB

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for a TaurusDB instance. This policy is non-compliant if audit logging is not enabled. | Establishing logging and monitoring | Medium | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for a TaurusDB instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_ERRORLOG | Checks whether error logging is enabled for a TaurusDB instance. This policy is non-compliant if error logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for a TaurusDB instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mysqlInstance |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_MULTIPLE_AZ_CHECK | Checks whether a TaurusDB instance is deployed across AZs. This policy is non-compliant if the instance is not deployed across AZs. | Improving availability | Medium | gaussdb:::mysqlInstance |

VPC

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_EIP_UNBOUND_CHECK | Checks whether an EIP is bound to any resources. This policy is non-compliant if the EIP is not bound. | Optimizing costs | Medium | vpc:::eipAssociate |
| RGC-GR_CONFIG_VPC_FLOW_LOGS_ENABLED | Checks whether flow logs are enabled for a VPC. This policy is non-compliant if flow logs are not enabled. | Establishing logging and monitoring | Medium | vpc:::flowLog |
| RGC-GR_CONFIG_EIP_BANDWIDTH_LIMIT | Checks whether the bandwidth of an EIP is less than the specified value. This policy is non-compliant if the bandwidth is less than the specified value. | Improving availability | Medium | vpc:::eip |

VPN

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_VPN_CONNECTIONS_ACTIVE | Checks whether the VPN connection is normal. This policy is non-compliant if the connection is not normal. | Improving availability | Medium | vpnaas:::siteConnectionV2 |
