Compliance Package for Germany Cloud Computing Compliance Criteria Catalogue
This section describes the background, applicable scenarios, and the compliance package to meet requirements by Germany Cloud Computing Compliance Criteria Catalogue (C5).
Background
C5 is a guide on how to adopt cloud computing. It provides best practices on data protection, data sovereignty, transparency, responsibility, and cloud service provider selection. For more information about this guide, see C5_2020.
Applicable Scenarios
This compliance package is intended to help enterprises to develop cloud computing in Germany and meet C5 requirements related laws and regulations. This package needs to be reviewed and implemented based on specific conditions.
Exemption Clauses
This package provides you with general guide to help you quickly create scenario-based conformance packages. The conformance package and rules included only apply to cloud service and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Rules
The guideline No. in the following table are in consistent with the chapter No. in C5_2020.
Guideline No. |
Rule |
Solution |
|---|---|---|
COS-03 |
drs-data-guard-job-not-public |
Block public access to DRS real-time DR tasks. |
COS-03 |
drs-migration-job-not-public |
Block public access to DRS real-time migration tasks. |
COS-03 |
drs-synchronization-job-not-public |
Block public access to DRS real-time synchronization tasks. |
COS-03 |
ecs-instance-no-public-ip |
Block public access to ECSs to protect sensitive data. |
COS-03 |
ecs-instance-in-vpc |
Include all ECSs in VPCs. |
COS-03 |
css-cluster-in-vpc |
Include all CSS clusters in VPCs. |
COS-03 |
css-cluster-in-vpc |
Include all CSS clusters in VPCs. |
COS-03 |
mrs-cluster-no-public-ip |
Block access to MRS clusters through public networks to protect sensitive data. |
COS-03 |
function-graph-public-access-prohibited |
Block public access to FunctionGraph functions. Public access may reduce resource availability. |
COS-03 |
rds-instance-no-public-ip |
Block access to cloud databases from public networks to protect sensitive data. |
COS-03 |
vpc-sg-restricted-common-ports |
Configure security groups to control connections to common ports in a VPC. |
COS-03 |
vpc-sg-restricted-ssh |
Configure security groups to only allow connections to SSH port 22 of ECSs with specified IPs, so remote access to ECS can be secure. |
COS-03 |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
COS-03 |
vpc-sg-ports-check |
Use security groups to control prot connections for VPCs. |
COS-05 |
iam-user-mfa-enabled |
Enable MFA for all IAM users to prevent account theft. |
COS-05 |
mfa-enabled-for-iam-console-access |
Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data. |
COS-05 |
root-account-mfa-enabled |
Enable MFA for root users. MFA enhances account security. |
COS-05 |
ecs-instance-no-public-ip |
Block public access to ECSs to protect sensitive data. |
COS-05 |
mrs-cluster-no-public-ip |
Block access to MRS clusters through public networks to protect sensitive data. |
COS-05 |
rds-instance-no-public-ip |
Block access to cloud databases from public networks to protect sensitive data. |
COS-05 |
vpc-sg-restricted-common-ports |
Configure security groups to control connections to common ports in a VPC. |
COS-05 |
vpc-sg-restricted-ssh |
Configure security groups to only allow connections to SSH port 22 of ECSs with specified IPs, so remote access to ECS can be secure. |
COS-05 |
vpc-default-sg-closed |
Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
COS-05 |
vpc-sg-ports-check |
Use security groups to control connections to specified ports. |
CRY-02 |
apig-instances-ssl-enabled |
Enable SSL for APIG REST APIs to authenticate API requests. |
CRY-02 |
elb-predefined-security-policy-https-check |
Ensure that your dedicated load balancers are configured with specified security policy to enhance service security. |
CRY-02 |
css-cluster-https-required |
After HTTPS is enabled for a CSS cluster, communication is encrypted when you access this cluster. If HTTPS is disabled, HTTP protocol is used for cluster communication. In this case, data security cannot be ensured and public address is not allowed. |
CRY-02 |
css-cluster-disk-encryption-check |
Enable disk encryption for CSS clusters to protect sensitive data. |
CRY-02 |
elb-tls-https-listeners-only |
Ensure that your load balancer listeners are configured with the HTTPS protocol. |
CRY-02 |
dws-enable-ssl |
Enable SSL for DWS clusters to protect data. |
CRY-02 |
css-cluster-disk-encryption-check |
Enable disk encryption for CSS clusters to protect sensitive data. |
CRY-03 |
cts-kms-encrypted-check |
Enable trace file encryption for CTS trackers. |
CRY-03 |
sfsturbo-encrypted-check |
Enable KMS encryption for SFS Turbo file systems. |
CRY-03 |
volumes-encrypted-check |
Enable encryption for EVS to protect data. |
CRY-03 |
rds-instances-enable-kms |
Enable KMS encryption for RDS instances to protect sensitive data. |
CRY-04 |
kms-rotation-enabled |
Enable KMS key rotation. |
DEV-07 |
cts-lts-enable |
Use LTS to centrally collect CTS data. |
DEV-07 |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console. |
DEV-07 |
multi-region-cts-tracker-exists |
Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements. |
DEV-07 |
cts-obs-bucket-track |
Create at least one CTS tracker for specified OBS buckets |
DEV-07 |
multi-region-cts-tracker-exists |
Create CTS trackers for different regions to satisfy different customer requirements and meets the laws and regulations of different regions. |
IDM-01 |
access-keys-rotated |
Enable key rotation. |
IDM-01 |
mrs-cluster-kerberos-enabled |
Enable Kerberos for MRS clusters. |
IDM-01 |
iam-password-policy |
Set thresholds for IAM user password strength. |
IDM-01 |
iam-root-access-key-check |
Ensure that the root access key has been deleted. |
IDM-01 |
iam-user-group-membership-check |
Add IAM users to user groups so that users can inherit permissions attached to user groups that they are in. |
IDM-01 |
iam-user-mfa-enabled |
Enable MFA for all IAM users to prevent account theft. |
IDM-01 |
mfa-enabled-for-iam-console-access |
Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data. |
IDM-01 |
root-account-mfa-enabled |
Enable MFA for root users. MFA enhances account security. |
IDM-01 |
iam-group-has-users-check |
Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in. |
IDM-01 |
iam-role-has-all-permissions |
Grant IAM users only necessary permissions to perform required operations to ensure compliance with the least privilege and SOD principles |
IDM-08 |
iam-password-policy |
Set thresholds for IAM user password strength. |
CRY-01 |
iam-password-policy |
Set thresholds for IAM user password strength. |
IDM-09 |
iam-user-mfa-enabled |
Enable MFA for all IAM users to prevent account theft. |
IDM-09 |
mfa-enabled-for-iam-console-access |
Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data. |
IDM-09 |
root-account-mfa-enabled |
Enable MFA for root users. MFA enhances account security. |
OPS-01 |
rds-instance-multi-az-support |
Deploy RDS instance across AZs to increase service availability. RDS automatically creates a primary DB instance and replicates data to standby DB instances in different AZs that are physically separate. If an infrastructure fault occurs, RDS automatically fails over to the standby database so that you can restore databases in a timely manner. |
OPS-02 |
as-group-elb-healthcheck-required |
Enable health check for AS groups. Elastic Load Balance (ELB) automatically distributes incoming traffic across multiple backend cloud servers based on forwarding policies. |
OPS-02 |
rds-instance-multi-az-support |
Deploy RDS instance across AZs to increase service availability. RDS automatically creates a primary DB instance and replicates data to standby DB instances in different AZs that are physically separate. If an infrastructure fault occurs, RDS automatically fails over to the standby database so that you can restore databases in a timely manner. |
OPS-07 |
rds-instance-enable-backup |
Enable backups for RDS instances. |
OPS-07 |
dws-enable-snapshot |
Enable snapshots for DWS clusters. Automated snapshots are enabled by default when a cluster is created. Snapshots are periodically taken of a cluster based on the specified time and interval, usually every eight hours. Users can configure one or more automated snapshot policies for the cluster as needed. |
OPS-07 |
gaussdb-nosql-enable-backup |
Enable backups for GaussDB NoSQL. |
OPS-14 |
cts-support-validate-check |
Enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored. |
OPS-14 |
cts-kms-encrypted-check |
Enable trace file encryption for CTS trackers. |
OPS-15 |
apig-instances-execution-logging-enabled |
Enable CTS for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions. |
OPS-15 |
cts-lts-enable |
Use LTS to centrally collect CTS data. |
OPS-15 |
dws-enable-log-dump |
Enable log dumps to obtain access information for DWS clusters. |
OPS-15 |
vpc-flow-logs-enabled |
Enable flow logs for VPCs to monitor network traffic, analyze network attacks, and optimize security group and ACL configurations. |
OPS-15 |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console. |
OPS-15 |
multi-region-cts-tracker-exists |
Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements. |
OPS-15 |
cts-obs-bucket-track |
Create at least one CTS tracker for each OBS bucket. |
OPS-15 |
multi-region-cts-tracker-exists |
Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker named system is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements. |
PSS-05 |
iam-user-mfa-enabled |
Enable MFA for all IAM users to prevent account theft. |
PSS-05 |
mfa-enabled-for-iam-console-access |
Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data. |
PSS-05 |
root-account-mfa-enabled |
Enable MFA for root users. MFA enhances account security. |
PSS-07 |
iam-password-policy |
Set thresholds for IAM user password strength. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
