Conformance Package for Healthcare Industry
The following table describes the compliance rules and solutions in the sample template.
| Rule Identifier | Cloud Service | Description |
|---|---|---|
| apig-instances-execution-logging-enabled | apig | If logging is not enabled for a dedicated API gateway, this gateway is considered noncompliant. |
| apig-instances-ssl-enabled | apig | If no SSL certificates are attached to a dedicated API gateway, this gateway is considered noncompliant. |
| as-group-elb-healthcheck-required | as | If an AS group is not using Elastic Load Balancing health check, the result is noncompliant. |
| css-cluster-disk-encryption-check | css | If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant. |
| css-cluster-https-required | css | If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant. |
| css-cluster-in-vpc | css | If a CSS cluster is not in the specified VPCs, this cluster is noncompliant. |
| cts-kms-encrypted-check | cts | If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. |
| cts-lts-enable | cts | If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant. |
| cts-obs-bucket-track | cts | If there are no trackers created for the specified OBS bucket, the result is noncompliant. |
| cts-support-validate-check | cts | If Verify Trace File is not enabled for a CTS tracker, this tracker is noncompliant. |
| cts-tracker-exists | cts | If there is no tracker in the current account, the result is noncompliant. |
| drs-data-guard-job-not-public | drs | If the network type of a DR task is not set to public network, this task is noncompliant. |
| drs-migration-job-not-public | drs | If the network type of a migration task is not set to public network, this task is noncompliant. |
| drs-synchronization-job-not-public | drs | If the network type of a synchronization task is not set to public network, this task is noncompliant. |
| dws-enable-log-dump | dws | If Audit Log Dump is not enabled for a DWS cluster, this cluster is noncompliant. |
| dws-enable-snapshot | dws | If automated snapshots are not enabled for a DWS cluster, this cluster is noncompliant. |
| dws-enable-ssl | dws | If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
| ecs-instance-in-vpc | ecs, vpc | If there is an ECS that is not within the specified VPC, the result is noncompliant. |
| ecs-instance-no-public-ip | ecs | If there is an ECS that is configured with a public IP, the result is noncompliant. |
| eip-unbound-check | vpc | If an EIP has not been attached to any resource, this EIP is noncompliant. |
| eip-use-in-specified-days | eip | If an EIP is not used within the specified number of days after being created, the EIP is noncompliant. |
| elb-predefined-security-policy-https-check | elb | If a specified security policy is not configured for the HTTPS listener of a dedicated load balancer, this dedicated load balancer is noncompliant. |
| elb-tls-https-listeners-only | elb | If any listener of a load balancer is not configured with HTTPS, this load balancer is noncompliant. |
| function-graph-public-access-prohibited | fgs | If a function can be accessed over a public network, this function is noncompliant. |
| gaussdb-nosql-enable-backup | gaussdb nosql | If backup is not enabled for a GaussDB NoSQL instance, this instance is noncompliant. |
| gaussdb-nosql-enable-disk-encryption | gaussdb nosql | If Disk Encryption is disabled for a GaussDB NoSQL instance, this instance is noncompliant. |
| iam-customer-policy-blocked-kms-actions | iam | If there is a blocked action for KMS in an IAM policy, this policy is noncompliant. |
| iam-password-policy | iam | If there is a user whose password does not meet the password complexity requirements, the result is noncompliant. |
| iam-policy-no-statements-with-admin-access | iam | If there is an IAM policy or role that grants administrator permissions (the Action element is `*:*:*`, `*:*`, or `*`), the result is noncompliant. |
| iam-role-has-all-permissions | iam | If an IAM custom policy contains `*:*` in the allow section, this policy is noncompliant. |
| iam-root-access-key-check | iam | If the root access key is available, the result is noncompliant. |
| iam-user-last-login-check | iam | If an IAM user does not log in to the system within the specified time range, this user is noncompliant. |
| iam-user-mfa-enabled | iam | If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
| kms-not-scheduled-for-deletion | kms | If a KMS key is scheduled for deletion, this key is noncompliant. |
| mfa-enabled-for-iam-console-access | iam | If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant. |
| mrs-cluster-kerberos-enabled | mrs | If Kerberos is not enabled for an MRS cluster, this cluster is noncompliant. |
| mrs-cluster-no-public-ip | mrs | If an MRS cluster is attached with a public IP, this cluster is noncompliant. |
| multi-region-cts-tracker-exists | cts | If there are no trackers in any of the specified regions, the result is noncompliant. |
| pca-certificate-authority-expiration-check | pca | If the validity period of a private CA is not within the specified range, this CA is noncompliant. |
| pca-certificate-expiration-check | pca | If the validity period of a certificate is not within the specified range, this certificate is noncompliant. |
| private-nat-gateway-authorized-vpc-only | nat | If a private NAT gateway is not in a specified VPC, this gateway is noncompliant. |
| rds-instance-enable-backup | rds | If backup is not enabled for an RDS instance, this instance is noncompliant. |
| rds-instance-multi-az-support | rds | If an RDS cluster is deployed in a single availability zone, this cluster is noncompliant. |
| rds-instance-no-public-ip | rds | If an RDS instance is attached with an EIP, this instance is noncompliant. |
| rds-instances-enable-kms | rds | If KMS encryption is not enabled for an RDS instance, this instance is noncompliant. |
| root-account-mfa-enabled | iam | If multi-factor authentication is not enabled for the root user, the root user is noncompliant. |
| sfsturbo-encrypted-check | sfsturbo | If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant. |
| stopped-ecs-date-diff | ecs | If there is an ECS that has been stopped for longer than the time allowed, and no operations have been performed on it, the result is noncompliant. |
| volumes-encrypted-check | ecs, evs | If a mounted EVS disk is not encrypted, this disk is noncompliant. |
| vpc-acl-unused-check | vpc | If there is a network ACL that has not been associated with any subnets, the result is noncompliant. |
| vpc-default-sg-closed | vpc | If a default security group allows all inbound or outbound traffic, this security group is noncompliant. |
| vpc-flow-logs-enabled | vpc | If there is a flow log that has not been enabled for a VPC, this VPC is noncompliant. |
| vpc-sg-ports-check | vpc | If a security group allows all inbound traffic (Source: 0.0.0.0/0) and has no port specified, this security group is noncompliant. |
| vpc-sg-restricted-common-ports | vpc | If a security group allows all IPv4 addresses (0.0.0.0/0) to access a specified port, this security group is noncompliant. |
| vpc-sg-restricted-ssh | vpc | If the source address is set to 0.0.0.0/0 for TCP port 22, this security group is noncompliant. |
| vpn-connections-active | vpnaas | If the state of a VPN connection is not connected, the result is noncompliant. |