Config
Config
- What's New
- Service Overview
- Getting Started
-
User Guide
- Resource List
- Resource Recorder
-
Resource Compliance
- Overview
- Rules
- Organization Rules
- Viewing Noncompliant Resources
- Compliance Rule Concepts
-
Built-In Policies
- Predefined Policy List
-
General Policies
- Resource Names Meet Regular Expression Requirements
- Resources Have All the Specified Tags Attached
- Resources Have One of the Specified Tags Attached
- Tag Prefixes and Suffixes Check
- Resources Have at Least One Tags Attached
- Resource Tag Check
- Resources Are in Specified Enterprise Projects
- Resources Are in Specified Regions
- Resource Type Check by Specifying Allowed Resource Types
- Resource Type Check by Specifying Unallowed Resource Types
- API Gateway
- CodeArts Deploy
- MapReduce Service
- NAT Gateway
- VPC Endpoint
- Web Application Firewall
- Elastic Load Balance
- Elastic IP
- Auto Scaling
- Scalable File Service Turbo (SFS Turbo)
-
Elastic Cloud Server
- Flavor Check
- Image Check
- Image Check by Tag
- Security Group Check by ID
- VPC Check by ID
- ECSs Have Key Pairs Attached
- ECSs Cannot Be Accessed Through Public Networks
- An ECS Does Not Have Multiple EIPs Attached
- Idle ECS Check
- ECSs Have IAM Agencies Attached
- Image Check by Name
- ECSs Have Backup Vaults Attached
- Backup Time Check
- ECSs Have HSS Agents Attached
-
Distributed Cache Service
- DCS Memcached Instances Support SSL
- DCS Memcached Instances Are in a Specified VPC
- DCS Memcached Instances Do Not Have EIPs Attached
- Access Mode Check
- DCS Redis Instances Support SSL
- Cross-AZ Deployment Check
- DCS Redis Instances Are in the Specified VPC
- DCS Redis Instances Do Not Have EIPs Attached
- Access Mode Check
- FunctionGraph
- Content Delivery Network (CDN)
- Config
- Data Warehouse Service
- Data Replication Service
- Data Encryption Workshop
-
Identity and Access Management
- Key Rotation Check
- IAM Policies Do Not Allow Blocked Actions on KMS Keys
- Each User Group Has at Least One User
- Password Strength Check
- Unintended Policy Check
- Admin Permissions Check
- Custom Policies Do Not Allow All Actions for a Service
- The Root User Does Not Have Available Access Keys
- Access Mode Check
- Access Key Check
- IAM Users Are in Specified User Groups
- Last Login Check
- Multi-Factor Authentication Check
- A User Does Not have Multiple Active Access Keys
- MFA Has Been Enabled for Console Login
- The Root User Has MFA Enabled
- All IAM Policies Are in Use
- All IAM Roles Are in Use
- Login Protection Check
- IAM Agencies Contain Specified Policies
- The Admin User Group Only Contains the Root User
- IAM Users Do Not Have Directly Assigned Policies or Permissions
- Document Database Service
- Simple Message Notification
- Virtual Private Cloud
- Virtual Private Network
- Cloud Eye
- Cloud Container Engine
-
Cloud Trace Service
- CTS Trackers Have Traces Encrypted
- CTS Trackers Have Trace Transfer to LTS Enabled
- CTS Trackers Have Been Created for the Specified OBS Bucket
- Trace File Verification Is Enabled
- At Least One Tracker Is Enabled
- There Are CTS Trackers In the Specified Regions
- CTS Trackers Comply with Security Best Practices
-
Relational Database Service
- Error Log Collection Is Enabled for RDS Instances
- Error Log Collection Is Enabled for RDS Instances
- RDS Instances Support Slow Query Logs
- Single-AZ Cluster Check
- RDS Instances Do Not Have EIPs Attached
- RDS Instances Use KMS Encryption
- RDS Instances Are in the Specified VPC
- Both Error Logs and Slow Query Logs Are Collected for RDS Instances
- Flavor Check
- RDS Instances Have SSL Enabled
- RDS Instance Port Check
- Version Check for RDS Instance Engines
- RDS Instances Have Audit Log Enabled
- GaussDB
- TaurusDB
- GeminiDB
-
Cloud Search Service
- CSS Clusters Have the Security Mode Enabled
- The Snapshot Function Is Enabled for CSS Clusters
- Disk Encryption Is Enabled for CSS Clusters
- HTTPS Access Is Enabled for CSS Clusters
- CSS Clusters Are in Specified VPCs
- Single-AZ CSS Cluster Check
- A CSS Cluster Has at Least Two Instances
- CSS Clusters Are Not Publicly Accessible
- CSS Clusters Support the Security Mode
- CSS Clusters Have Access Control Enabled
- CSS Clusters Have Kibana Public Access Control Enabled
- CSS Clusters Have Slow Query Log Enabled
- Elastic Volume Service
- Cloud Certificate Manager
- Distributed Message Service for Kafka
- Distributed Message Service for RabbitMQ
- Distributed Message Service for RocketMQ
- Organizations
- Cloud Firewall
- Cloud Backup and Recovery
- Object Storage Service
- Image Management Service
- Bare Metal Server
- Graph Engine Service
- Resource Compliance Event Monitoring
-
Conformance Packages
- Overview
- Conformance Packages
- Organization Conformance Packages
- Custom Conformance Packages
-
Conformance Package Templates
- Overview
- Conformance Package for Classified Protection of Cybersecurity Level 3 (2.0)
- Conformance Package for the Financial Industry
- Conformance Package for Network Security
- Conformance Package for Identity and Access Management
- Conformance Package for Cloud Eye
- Conformance Package for Compute Services
- Conformance Package for ECS
- Conformance Package for ELB
- Conformance Package for Management and Regulatory Services
- Conformance Package for RDS
- Conformance Package for AS
- Conformance Package for CTS
- Conformance Package for AI and Machine Learning
- Conformance Package for Autopilot
- Conformance Package for Enabling Public Access
- Conformance Package for Logging and Monitoring
- Conformance Package for Architecture Reliability
- Conformance Package for Hong Kong Monetary Authority of China Requirements
- Conformance Package for ENISA Requirements
- Conformance Package for SWIFT CSP
- Conformance Package for Germany Cloud Computing Compliance Criteria Catalogue
- Conformance Package for PCI DSS
- Conformance Package for Healthcare Industry
- Best Practices of Network and Data Security
- Conformance Package for Landing Zone
- Architecture Security Best Practices
- Best Practices for Network and Content Delivery Service Operations
- Best Practices for Idle Asset Management
- Multi-AZ Deployment Best Practices
- Resource Stability Best Practices
- Best Practices for API Gateway
- Best Practices for Cloud Container Engine
- Best Practices for Content Delivery Network
- Best Practices for FunctionGraph
- Best Practices for GaussDB
- Best Practices for GeminiDB
- Best Practices for MapReduce Service
- Best Practices for NIST Requirements
- Best Practices for Singapore Financial Industry
- Best Practices for Secure Identity and Compliance Operations
- Conformance Package for Huawei Cloud Security Configuration Guide (Level 1)
- Conformance Package for Huawei Cloud Security Configuration Guide (Level 2)
- Best Practices for Static Data Encryption
- Best Practices for Data Transmission Encryption
- Best Practices for Cloud Backup and Recovery
- Best Practices for Cloud Search Service
- Best Practices for Distributed Cache Service
- Best Practices for Distributed Message Service
- Best Practices for Data Warehouse Service
- Best Practices for TaurusDB
- Best Practices for Object Storage Service
- Best Practices for Virtual Private Cloud
- Best Practices for Web Application Firewall
- Advanced Queries
- Resource Aggregation
- Cloud Trace Service
- Appendix
-
API Reference
- Before You Start
- API Overview
- Calling APIs
-
APIs
-
Resource List
- Querying Resources of a Specific Type
- Querying Cloud Services
- Querying a Resource
- Querying All Resources Recorded by the Resource Recorder
- Querying How Many Resources Are Recorded by the Resource Recorder
- Querying Resource Tags Recorded by the Resource Recorder
- Querying Resource Overview Recorded by the Resource Recorder
- Querying a Specific Resource Recorded by the Resource Recorder
- Querying All Resources Under an Account
- Querying a Resource Under an Account
- Querying Resource Tags
- Querying the Number of Resources
- Querying Resource Overview
- Resource Recorder
- Resource Relationships
- Resource Change Records
-
Compliance
- Querying Built-in Policies
- Querying Specific Built-in Policy
- Adding a Rule
- Querying Rules
- Modifying a Rule
- Querying a Specific Rule
- Deleting a Rule
- Enabling a Rule
- Disabling a Rule
- Running a Resource Compliance Evaluation
- Querying the Evaluation Status of a Rule
- Querying the Compliance of a Resource
- Querying the Compliance of a Rule
- Querying Compliance of an Account
- Updating the Compliance Result
- Creating an Organization Rule
- Querying Organization Rules
- Querying a Specific Organization Rule
- Deleting an Organization Rule
- Updating an Organization Rule
- Querying the Deployment Status of an Organization Rule
- Querying Statuses of Organization Rule Deployment to Member Accounts
- Setting up or Updating Remediation Configurations
- Querying Remediation Configurations
- Deleting Remediation Configurations
- Batch Creating Remediation Exceptions
- Batch Deleting Remediation Exceptions
- Querying Remediation Exceptions
- Starting Remediation
- Querying Remediation Results
- Collect Remediation Results
- Region Management
- Advanced Queries
-
Resource Aggregators
- Creating a Resource Aggregator
- Querying Resource Aggregators
- Querying a Specific Resource Aggregator
- Querying Account Aggregation Statuses of a Specific Aggregator
- Updating a Resource Aggregator
- Deleting a Resource Aggregator
- Authorizing an Aggregator Account
- Querying Authorized Aggregator Accounts
- Deleting Authorization for an Aggregator Account
- Querying All Pending Aggregation Requests
- Deleting Pending Authorization Requests
- Querying the Number of Resources of an Aggregator Account
- Querying Resources of an Aggregator Account
- Querying Details About a Specific Resource in a Source Account
- Performing an Advanced Query on a Specific Aggregator
- Querying the Compliance Summary of One or More Source Accounts in an Aggregator
- Querying Aggregated Rules
- Querying Compliance Results of Aggregated Resources
- Querying Details About a Specified Aggregated Rule
-
Conformance Packages
- Querying Conformance Packages
- Creating a Conformance Package
- Querying a Specific Conformance Package
- Deleting a Conformance Package
- Updating Conformance Packages
- Querying Compliance of all Conformance Packages
- Querying Compliance of all Rules in a Conformance Package
- Querying Compliance of All Resources Evaluated with a Conformance Package
- Querying Scores of All Conformance Packages
- Querying Built-in Conformance Package Templates
- Querying the Template of a Built-in Conformance Package
- Creating organization conformance packages.
- Querying Organization Conformance Packages
- Querying an Organization Conformance Package
- Delete organization conformance packages.
- Updating Organization Conformance Packages
- Querying the Deployment Status of the Organization Conformance Package
- Querying the Statuses of Organization Conformance Package Deployment to Members.
- Resource Tags
-
Resource List
- Permissions Policies and Supported Actions
- Appendixes
- SDK Reference
-
Best Practices
- Creating Rules
- Querying Resource Details, Relationships, and Change Records
- Creating Alarm Rules for Noncompliant Resources with Cloud Eye
- Using Advanced Queries
- Querying Resources That Do Not Have Specific Tags
- Ensuring Resource Compliance by Tag, Region, and Organization
- Automating Resource Management
- FAQs
- General Reference
On this page
Copied.
Custom Conformance Packages
If you need to create a custom conformance package, you can write a package template based on the example template provided in this section. Then you can upload the template directly or through an OBS bucket to create a conformance package.
NOTE:
If you want to use a template in your OBS bucket to create a conformance package, configure a proper IAM policy and an OBS bucket policy to ensure that the template can be accessed. For more details, see Object Storage Service User Guide and Resource Formation Service User Guide.
Template Description
resource: The most important section in a template. Currently, only the huaweicloud_rms_policy_assignment resource type is supported. You can add both predefined rules and custom rules in the resource section.
variable: The parameters included of a template. By defining variable, you can flexibly modify related configurations without altering the source code. If there are no parameters, this section does not need to be declared.
terraform: The service provider. For details see Provider. The following example shows the format of a template:
"terraform": {
"required_providers": {
"huaweicloud": {
"source": "huawei.com/provider/huaweicloud",
"version": "1.66.2"
}
}
}The version must be 1.66.2 or later. For details about the supported versions, see Supported Provider Versions.
Example file: example-conformance-pack.tf.json
{
"resource": {
"huaweicloud_rms_policy_assignment": {
"AccessKeysRotated": {
"name": "access-keys-rotated",
"description": "An IAM users is noncompliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.",
"policy_definition_id": "2a2938894ae786dc306a647a",
"period": "TwentyFour_Hours",
"parameters": {
"maxAccessKeyAge": "${jsonencode(var.maxAccessKeyAge)}"
}
},
"IamGroupHasUsersCheck": {
"name": "iam-group-has-users-check",
"description": "An IAM groups is noncompliant if it does not add any IAM user.",
"policy_definition_id": "f7dd9c02266297f6e8c8445e",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "groups"
},
"parameters": {}
},
"IamPasswordPolicy": {
"name": "iam-password-policy",
"description": "An IAM users is noncompliant if password policy for IAM users matches the specified password strength.",
"policy_definition_id": "2d8d3502539a623ba1907644",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {
"pwdStrength": "${jsonencode(var.pwdStrength)}"
}
},
"IamRootAccessKeyCheck": {
"name": "iam-root-access-key-check",
"description": "An account is noncompliant if the the root iam user have active access key.",
"policy_definition_id": "66cac2ddc17b6a25ad077253",
"period": "TwentyFour_Hours",
"parameters": {}
},
"IamUserConsoleAndApiAccessAtCreation": {
"name": "iam-user-console-and-api-access-at-creation",
"description": "An IAM user with console access is noncompliant if access keys are setup during the initial user setup.",
"policy_definition_id": "a5f29eb45cddce8e6baa033d",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"IamUserGroupMembershipCheck": {
"name": "iam-user-group-membership-check",
"description": "An IAM user is noncompliant if it does not belong to any IAM user group.",
"policy_definition_id": "846f5708463c1490c4eebd60",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {
"groupIds": "${jsonencode(var.groupIds)}"
}
},
"IamUserLastLoginCheck": {
"name": "iam-user-last-login-check",
"description": "An IAM user is noncompliant if it has never signed in within the allowed number of days.",
"policy_definition_id": "6e4bf7ee7053b683f28d7f57",
"period": "TwentyFour_Hours",
"parameters": {
"allowedInactivePeriod": "${jsonencode(var.allowedInactivePeriod)}"
}
},
"IamUserMfaEnabled": {
"name": "iam-user-mfa-enabled",
"description": "An IAM user is noncompliant if it does not have multi-factor authentication (MFA) enabled.",
"policy_definition_id": "b92372b5eb51330306cec9c2",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"IamUserSingleAccessKey": {
"name": "iam-user-single-access-key",
"description": "An IAM user with console access is noncompliant if iam user have multiple active access keys.",
"policy_definition_id": "6deae3856c41b240b3c0bf8d",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"MfaEnabledForIamConsoleAccess": {
"name": "mfa-enabled-for-iam-console-access",
"description": "An IAM user is noncompliant if it uses a console password and does not have multi-factor authentication (MFA) enabled.",
"policy_definition_id": "63f8301e47b122062a68b868",
"policy_filter": {
"resource_provider": "iam",
"resource_type": "users"
},
"parameters": {}
},
"RootAccountMfaEnabled": {
"name": "root-account-mfa-enabled",
"description": "An account is noncompliant if the the root iam user does not have multi-factor authentication (MFA) enabled.",
"policy_definition_id": "61d787a75cf7f5965da5d647",
"period": "TwentyFour_Hours",
"parameters": {}
}
}
},
"variable": {
"maxAccessKeyAge": {
"description": "The maximum number of days without rotation. ",
"type": "string",
"default": "90"
},
"pwdStrength": {
"description": "The requirements of password strength. The parameter value can only be 'Strong', 'Medium', or 'Low'.",
"type": "string",
"default": "Strong"
},
"groupIds": {
"description": "The list of allowed IAM group IDs. If the list is empty, all values are allowed.",
"type": "list(string)",
"default": []
},
"allowedInactivePeriod": {
"description": "Maximum number of days without login.",
"type": "number",
"default": 90
}
},
"terraform": {
"required_providers": {
"huaweicloud": {
"source": "huawei.com/provider/huaweicloud",
"version": "1.66.2"
}
}
}
}Example file: example-conformance-pack-with-custom-policy.tf.json
{
"resource": {
"huaweicloud_rms_policy_assignment": {
"CustomPolicyAssignment": {
"name": "customPolicy${var.name_suffix}",
"description": Custom rules. All resources are non-compliant.
"policy_filter": {
"resource_provider": "obs",
"resource_type": "buckets"
},
"parameters": {},
"custom_policy": {
"function_urn": "${var.function_urn}",
"auth_type": "agency",
"auth_value": {
"agency_name": "\"config_custom_policy_agency\""
}
}
}
}
},
"variable": {
"name_suffix": {
"description": "",
"type": "string"
},
"function_urn": {
"description": "",
"type": "string"
}
},
"terraform": {
"required_providers": {
"huaweicloud": {
"source": "huawei.com/provider/huaweicloud",
"version": "1.66.2"
}
}
}
}
Parent topic: Conformance Packages
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
