Conformance Package for the Financial Industry
The following table lists the compliance rules and solutions included in the conformance package dedicated to the financial industry.
Rule Identifier |
Cloud Service |
Rule Content |
---|---|---|
access-keys-rotated |
iam |
If there is an access key that has not been rotated for longer than the specified time, the result is noncompliant. |
as-group-elb-healthcheck-required |
as |
If an AS group is not using Elastic Load Balancing health check, the result is noncompliant. |
css-cluster-https-required |
css |
If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant. |
css-cluster-in-vpc |
css |
If a CSS cluster is not in any of the specified VPCs, this cluster is noncompliant. |
cts-kms-encrypted-check |
cts |
If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. |
cts-lts-enable |
cts |
If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant. |
cts-obs-bucket-track |
cts |
If there is no tracker created for the specified OBS bucket, the result is noncompliant. |
cts-support-validate-check |
cts |
If Verify Trace File is not enabled for a CTS tracker, this tacker is noncompliant. |
cts-tracker-exists |
cts |
If there are no trackers in the current account, the result is noncompliant. |
ecs-instance-in-vpc |
ecs, vpc |
If there is an ECS that is not within the specified VPC, the result is noncompliant. |
ecs-instance-no-public-ip |
ecs |
If there is an ECS that is configured with a public IP, the result is noncompliant. |
eip-unbound-check |
vpc |
If an EIP has not been attached to any resource, this EIP is noncompliant. |
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer is not configured with HTTPS, this load balancer is noncompliant. |
function-graph-concurrency-check |
fgs |
If the number of concurrent requests of a function is not within the specified range, this function is noncompliant. |
iam-group-has-users-check |
iam |
If an IAM user group has no user, this user group is noncompliant. |
iam-password-policy |
iam |
If there is a user whose password does not meet the password complexity requirements, the result is noncompliant. |
iam-root-access-key-check |
iam |
If the root access key is available, the result is noncompliant. |
iam-user-group-membership-check |
iam |
If an IAM user is not added to any IAM user groups, this user is noncompliant. |
iam-user-last-login-check |
iam |
If an IAM user does not log in to the system within the specified time range, the result is non-compliant. |
iam-user-mfa-enabled |
iam |
If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
kms-rotation-enabled |
kms |
If key rotation is not enabled for a KMS key, this key is noncompliant. |
mfa-enabled-for-iam-console-access |
iam |
If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant. |
mrs-cluster-in-vpc |
mrs |
If there is an MRS cluster that is not within the specified VPC, the result is noncompliant. |
mrs-cluster-kerberos-enabled |
mrs |
If kerberos is not enabled for an MRS cluster, this cluster is noncompliant. |
mrs-cluster-no-public-ip |
mrs |
If an MRS cluster is attached with a public IP, this cluster is noncompliant. |
private-nat-gateway-authorized-vpc-only |
nat |
If a private NAT gateway is not in a specified VPC, this gateway is noncompliant. |
rds-instance-multi-az-support |
rds |
If an RDS cluster is deployed in a single availability zone, this cluster is noncompliant. |
rds-instance-no-public-ip |
rds |
If an RDS instance is attached with an EIP, this instance is noncompliant. |
root-account-mfa-enabled |
iam |
If multi-factor authentication is not enabled for the root user, the root user is noncompliant. |
stopped-ecs-date-diff |
ecs |
If there is an ECS that has been stopped for longer than the time allowed, and no operations have been performed on it, the result is noncompliant. |
volume-unused-check |
evs |
If an EVS disk is not mounted to any cloud server, this disk is noncompliant. |
volumes-encrypted-check |
ecs, evs |
If a mounted EVS disk is not encrypted, this disk is noncompliant. |
vpc-acl-unused-check |
vpc |
If there is a network ACL that has not been associated with any subnets, the result is noncompliant. |
vpc-flow-logs-enabled |
vpc |
If there is a flow log that has not been enabled for a VPC, this VPC is noncompliant. |
vpc-sg-ports-check |
vpc |
If a security group allows all inbound traffic (Source: 0.0.0.0/0) and has no port specified, this security group is noncompliant. |
vpn-connections-active |
vpnaas |
If the state of a VPN connection is not connected, the result is noncompliant. |
waf-instance-policy-not-empty |
waf |
If no conditions are configured for a WAF protection rule, the result is noncompliant. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot