Strongly Recommended Governance Policies
API Gateway (APIG)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_APIG_INSTANCES_AUTHORIZATION_TYPE_CONFIGURED |
Checks whether security authentication is provided for a dedicated API gateway. This policy is non-compliant if security authentication is not provided. |
Encrypting data in transit |
Medium |
apig:::instance |
N/A |
|
RGC-GR_CONFIG_APIG_INSTANCES_SSL_ENABLED |
Checks whether any domain name of a dedicated API gateway is associated with an SSL certificate. This policy is non-compliant if any domain name is not associated with an SSL certificate. |
Encrypting data in transit |
Medium |
apig:::instance |
N/A |
AS
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_AS_GROUP_IN_VPC |
Checks whether an AS group is in the specified VPC. This policy is non-compliant if an AS group is not in the specified VPC. |
Controlling network access |
High |
as:::group |
BMS
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_BMS_KEY_PAIR_SECURITY_LOGIN |
Checks whether a key pair is used for BMS login. This policy is non-compliant if a key pair is not used. |
Using strong authentication |
High |
bms:::instance |
N/A |
CBR
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CBR_BACKUP_ENCRYPTED_CHECK |
Checks whether CBR backup is encrypted. This policy is non-compliant if the backup is not encrypted. |
Encrypting data at rest |
High |
cbr:::checkpoint |
N/A |
Cloud Container Engine (CCE)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CCE_ENDPOINT_PUBLIC_ACCESS |
Checks whether a public IP address is bound to a CCE cluster. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
Medium |
cce:::cluster |
N/A |
|
RGC-GR_CONFIG_CCE_CLUSTER_IN_VPC |
Checks whether a CCE cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. |
Controlling network access |
High |
cce:::cluster |
CCM
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_PCA_CERTIFICATE_AUTHORITY_EXPIRATION_CHECK |
Checks whether a private CA expires within a specified period. This policy is non-compliant if it expires within a specified period. |
Encrypting data in transit |
Medium |
ccm:::privateCertificate |
N/A |
|
RGC-GR_CONFIG_PCA_CERTIFICATE_EXPIRATION_CHECK |
Checks whether a private certificate expires within a specified period. This policy is non-compliant if it expires within a specified period. |
Encrypting data in transit |
Medium |
ccm:::privateCertificate |
N/A |
Content Delivery Network (CDN)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CDN_ENABLE_HTTPS_CERTIFICATE |
Checks whether an HTTPS certificate is configured for CDN. This policy is non-compliant if an HTTPS certificate is not configured. |
Encrypting data in transit |
Critical |
cdn:::domain |
N/A |
|
RGC-GR_CONFIG_CDN_ORIGIN_PROTOCOL_NO_HTTP |
Checks whether CDN uses HTTPS for origin pull. This policy is non-compliant if HTTPS is not used. |
Encrypting data in transit |
Critical |
cdn:::domain |
N/A |
|
RGC-GR_CONFIG_CDN_SECURITY_POLICY_CHECK |
Checks whether a Transport Layer Security (TLS) version earlier than v1.2 is used for CDN. This policy is non-compliant if a TLS version earlier than v1.2 is used. |
Encrypting data in transit |
High |
cdn:::domain |
N/A |
|
RGC-GR_CONFIG_CDN_USE_MY_CERTIFICATE |
Checks whether CDN uses your own certificates. This policy is non-compliant if CDN uses your own certificates. |
Encrypting data in transit |
High |
cdn:::domain |
N/A |
CFW
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CFW_POLICY_NOT_EMPTY |
Checks whether a CFW instance has protection policies configured. This policy is non-compliant if no protection policies are configured. |
Controlling network access |
Medium |
cfw:::eipProtection |
N/A |
CodeArts Build
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CLOUDBUILDSERVER_ENCRYPTION_PARAMETER_CHECK |
Checks whether encryption is enabled for custom parameters (except for predefined parameters) of a CodeArts project. This policy is non-compliant if encryption is not enabled. |
Encrypting data at rest |
Medium |
codearts:::deployApplication |
N/A |
Cloud Search Service (CSS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CSS_CLUSTER_AUTHORITY_ENABLE |
Checks whether authentication is enabled for a CSS cluster. This policy is non-compliant if authentication is not enabled. |
Using strong authentication |
Critical |
css:::cluster |
N/A |
|
RGC-GR_CONFIG_CSS_CLUSTER_DISK_ENCRYPTION_CHECK |
Checks whether disk encryption is enabled for a CSS cluster. This policy is non-compliant if disk encryption is not enabled. |
Encrypting data at rest |
High |
css:::cluster |
N/A |
|
RGC-GR_CONFIG_CSS_CLUSTER_KIBANA_NOT_ENABLE_WHITE_LIST |
Checks whether all IP addresses are whitelisted for Kibana to access a CSS cluster. This policy is non-compliant if all IP addresses are whitelisted. |
Controlling network access |
Critical |
css:::cluster |
N/A |
|
RGC-GR_CONFIG_CSS_CLUSTER_NO_PUBLIC_ZONE |
Checks whether public network access is enabled for a CSS cluster. This policy is non-compliant if public network access is enabled. |
Encrypting data at rest |
High |
css:::cluster |
N/A |
|
RGC-GR_CONFIG_CSS_CLUSTER_NOT_ENABLE_WHITE_LIST |
Checks whether all IP addresses are whitelisted for a CSS cluster. This policy is non-compliant if all addresses are whitelisted. |
Controlling network access |
Critical |
css:::cluster |
N/A |
|
RGC-GR_CONFIG_CSS_CLUSTER_SECURITY_MODE_ENABLE |
Checks whether security mode is enabled for a CSS cluster. This policy is non-compliant if security mode is not enabled. |
Enforcing the least privilege |
High |
css:::cluster |
N/A |
|
RGC-GR_CONFIG_CSS_CLUSTER_HTTPS_REQUIRED |
Checks whether HTTPS access is enabled for a CSS cluster. This policy is non-compliant if HTTPS access is not enabled. |
Encrypting data in transit |
Medium |
css:::cluster |
N/A |
Cloud Trace Service (CTS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CTS_KMS_ENCRYPTED_CHECK |
Checks whether a CTS tracker is encrypted using KMS. This policy is non-compliant if the tracker is not encrypted. |
Encrypting data at rest |
Medium |
cts:::tracker |
N/A |
|
RGC-GR_CONFIG_CTS_SUPPORT_VALIDATE_CHECK |
Checks whether trace file verification is enabled for a CTS tracker. This policy is non-compliant if the verification is not enabled. |
Protecting data integrity |
Medium |
cts:::tracker |
N/A |
Distributed Cache Service (DCS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_DCS_MEMCACHED_ENABLE_SSL |
Checks whether a DCS Memcached instance supports public access but not SSL. This policy is non-compliant if the instance supports public access but not SSL. |
Encrypting data in transit |
High |
dcs:::instance |
N/A |
|
RGC-GR_CONFIG_DCS_MEMCACHED_NO_PUBLIC_IP |
Checks whether a public IP address is bound to a DCS Memcached instance. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
High |
dcs:::instance |
N/A |
|
RGC-GR_CONFIG_DCS_MEMCACHED_PASSWORD_ACCESS |
Checks whether a DCS Memcached instance can be accessed without a password. This policy is non-compliant if the instance can be accessed without a password. |
Using strong authentication |
Medium |
dcs:::instance |
N/A |
|
RGC-GR_CONFIG_DCS_REDIS_ENABLE_SSL |
Checks whether a DCS Redis instance supports public access but not SSL. This policy is non-compliant if the instance supports public access but not SSL. |
Controlling network access |
High |
dcs:::instance |
N/A |
|
RGC-GR_CONFIG_DCS_REDIS_HIGH_TOLERANCE |
Checks whether a DCS Redis instance is highly available. This policy is non-compliant if the instance is not highly available. |
Improving availability |
Low |
dcs:::instance |
N/A |
|
RGC-GR_CONFIG_DCS_REDIS_NO_PUBLIC_IP |
Checks whether a public IP address is bound to a DCS Redis instance. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
High |
dcs:::instance |
N/A |
|
RGC-GR_CONFIG_DCS_REDIS_PASSWORD_ACCESS |
Checks whether a DCS Redis instance can be accessed without a password. This policy is non-compliant if the instance can be accessed without a password. |
Using strong authentication |
Medium |
dcs:::instance |
N/A |
|
RGC-GR_CONFIG_DCS_MEMCACHED_IN_VPC |
Checks whether a DCS Memcached instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. |
Controlling network access |
Medium |
dcs:::instance |
|
|
RGC-GR_CONFIG_DCS_REDIS_IN_VPC |
Checks whether a DCS Redis instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. |
Controlling network access |
Medium |
dcs:::instance |
Document Database Service (DDS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_DDS_INSTANCE_ENABLE_SSL |
Checks whether SSL is enabled for a DDS instance. This policy is non-compliant if SSL is not enabled. |
Encrypting data in transit |
High |
dds:::instance |
N/A |
|
RGC-GR_CONFIG_DDS_INSTANCE_HAS_EIP |
Checks whether a public IP address is bound to a DDS instance. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
High |
dds:::instance |
N/A |
|
RGC-GR_CONFIG_DDS_INSTANCE_PORT_CHECK |
Checks whether a DDS instance has forbidden ports enabled. This policy is non-compliant if the instance has forbidden ports enabled. |
Controlling network access |
High |
dds:::instance |
N/A |
DEW
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_CSMS_SECRETS_ROTATION_SUCCESS_CHECK |
Checks whether a CSMS secret rotation is successful. This policy is non-compliant if the rotation fails. |
Enforcing the least privilege |
High |
csms:::secret |
N/A |
|
RGC-GR_CONFIG_KMS_NOT_SCHEDULED_FOR_DELETION |
Checks whether a KMS key is scheduled to be deleted. This policy is non-compliant if the key is scheduled to be deleted. |
Protecting data integrity |
Critical |
kms:::key |
N/A |
|
RGC-GR_CONFIG_KMS_ROTATION_ENABLED |
Checks whether key rotation is enabled for a KMS key. This policy is non-compliant if rotation is not enabled. |
Encrypting data at rest |
Medium |
kms:::key |
N/A |
Distributed Message Service (DMS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_DMS_KAFKA_NOT_ENABLE_PRIVATE_SSL |
Checks whether SSL encryption is enabled for accessing a DMS Kafka instance over a private network. This policy is non-compliant if SSL encryption is not enabled. |
Encrypting data in transit |
Medium |
dms:::kafkaInstance |
N/A |
|
RGC-GR_CONFIG_DMS_KAFKA_NOT_ENABLE_PUBLIC_SSL |
Checks whether SSL encryption is enabled for accessing a DMS Kafka instance over a public network. This policy is non-compliant if SSL encryption is not enabled. |
Encrypting data in transit |
Medium |
dms:::kafkaInstance |
N/A |
|
RGC-GR_CONFIG_DMS_KAFKA_PUBLIC_ACCESS_ENABLED_CHECK |
Checks whether a DMS Kafka instance can be accessed over a public network. This policy is non-compliant if the instance can be accessed over a public network. |
Controlling network access |
High |
dms:::kafkaIZnstance |
N/A |
|
RGC-GR_CONFIG_DMS_RABBITMQ_NOT_ENABLE_SSL |
Checks whether SSL encryption is enabled for a DMS RabbitMQ instance. This policy is non-compliant if SSL encryption is not enabled. |
Encrypting data at rest |
High |
dms:::rabbitmqInstance |
N/A |
|
RGC-GR_CONFIG_DMS_ROCKETMQ_NOT_ENABLE_SSL |
Checks whether SSL encryption is enabled for a DMS Reliability instance. This policy is non-compliant if SSL encryption is not enabled. |
Encrypting data at rest |
High |
dms:::rocketmqInstance |
N/A |
|
RGC-GR_CONFIG_DMS_RABBITMQ_PUBLIC_ACCESS_ENABLED_CHECK |
Checks whether a DMS RabbitMQ instance can be accessed over a public network. This policy is non-compliant if the instance can be accessed over a public network. |
Controlling network access |
Medium |
dms:::rabbitmqInstance |
N/A |
|
RGC-GR_CONFIG_DMS_RELIABILITY_PUBLIC_ACCESS_ENABLED_CHECK |
Checks whether a DMS RocketMQ instance can be accessed over a public network. This policy is non-compliant if the instance can be accessed over a public network. |
Controlling network access |
Medium |
dms:::rocketmqInstance |
N/A |
Data Replication Service (DRS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_DRS_DATA_GUARD_JOB_NOT_PUBLIC |
Checks whether DRS supports real-time disaster recovery through a public network. This policy is non-compliant if real-time disaster recovery through a public network is supported. |
Controlling network access |
High |
drs:::job |
N/A |
|
RGC-GR_CONFIG_DRS_MIGRATION_JOB_NOT_PUBLIC |
Checks whether DRS supports real-time migration through a public network. This policy is non-compliant if real-time migration through a public network is supported. |
Controlling network access |
High |
drs:::job |
N/A |
|
RGC-GR_CONFIG_DRS_SYNCHRONIZATION_JOB_NOT_PUBLIC |
Checks whether DRS supports real-time synchronization through a public network. This policy is non-compliant if real-time synchronization through a public network is supported. |
Controlling network access |
High |
drs:::job |
N/A |
Data Warehouse Service (DWS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_DWS_ENABLE_KMS |
Checks whether KMS encryption is enabled for a DWS cluster. This policy is non-compliant if KMS encryption is not enabled. |
Encrypting data at rest |
Medium |
dws:::cluster |
N/A |
|
RGC-GR_CONFIG_DWS_ENABLE_SSL |
Checks whether SSL connection is enabled for a DWS cluster. This policy is non-compliant if SSL connection is not enabled. |
Encrypting data in transit |
Medium |
dws:::cluster |
N/A |
|
RGC-GR_CONFIG_DWS_CLUSTERS_NO_PUBLIC_IP |
Checks whether a DWS cluster has a public IP address bound. This policy is non-compliant if the cluster has a public IP address bound. |
Controlling network access |
High |
dws:::cluster |
N/A |
|
RGC-GR_CONFIG_DWS_CLUSTERS_IN_VPC |
Checks whether a DWS cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. |
Controlling network access |
High |
dws:::cluster |
Elastic Cloud Server (ECS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_ECS_INSTANCE_KEY_PAIR_LOGIN |
Checks whether an ECS has a key pair configured. This policy is non-compliant if no key pair is configured. |
Controlling network access |
High |
ecs:::instanceV1 |
N/A |
|
RGC-GR_CONFIG_ECS_INSTANCE_NO_PUBLIC_IP |
Checks whether a public IP address is bound to an ECS. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
Medium |
compute:::instance |
N/A |
|
RGC-GR_CONFIG_ECS_MULTIPLE_PUBLIC_IP_CHECK |
Checks whether multiple public IP addresses are bound to an ECS. This policy is non-compliant if multiple public IP addresses are bound. |
Controlling network access |
Low |
compute:::instance |
N/A |
|
RGC-GR_CONFIG_ECS_INSTANCE_AGENCY_ATTACH_IAM_AGENCY |
Checks whether an ECS has any IAM agencies. This policy is non-compliant if an ECS has no IAM agencies. |
Enforcing the least privilege |
Low |
ecs:::instanceV1 |
N/A |
|
RGC-GR_CONFIG_ECS_IN_ALLOWED_SECURITY_GROUPS |
Checks whether an ECS not attached with specified tags is associated with the specified high-risk security groups. This policy is non-compliant if these ECSs are associated with the specified high-risk security groups. |
Controlling network access |
High |
ecs:::instanceV1 |
ECS and VPC
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_ECS_INSTANCE_IN_VPC |
Checks whether an ECS is in the specified VPC. This policy is non-compliant if the ECS is not in the specified VPC. |
Controlling network access |
Medium |
ecs:::instanceV1 |
Elastic Load Balance (ELB)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_ELB_LOADBALANCERS_NO_PUBLIC_IP |
Checks whether a public IP address is bound to a load balancer. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
Medium |
elb:::loadBalancer |
N/A |
|
RGC-GR_CONFIG_ELB_TLS_HTTPS_LISTENERS_ONLY |
Checks whether HTTPS is configured for any listener of a load balancer. This policy is non-compliant if HTTPS is not configured for any listener. |
Encrypting data in transit |
Medium |
elb:::listener |
N/A |
|
RGC-GR_CONFIG_ELB_PREDEFINED_SECURITY_POLICY_HTTPS_CHECK |
Checks whether a predefined security policy is configured for the HTTPS listener of a dedicated load balancer. This policy is non-compliant if the predefined security policy is not configured. |
Controlling network access |
Medium |
elb:::loadBalancer |
N/A |
|
RGC-GR_CONFIG_ELB_HTTP_TO_HTTPS_REDIRECTION_CHECK |
Checks whether requests to an HTTP listener can be redirected to an HTTPS listener. This policy is non-compliant if requests cannot be redirected. |
Controlling network access |
Medium |
elb:::listener |
N/A |
Elastic Volume Service (EVS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_VOLUMES_ENCRYPTED_CHECK_BY_DEFAULT |
Checks whether an EVS disk is encrypted. This policy is non-compliant if the disk is not encrypted. |
Encrypting data at rest |
High |
evs:::volume |
N/A |
EVS and ECS
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_VOLUMES_ENCRYPTED_CHECK |
Checks whether an EVS disk attached to a cloud server is encrypted. This policy is non-compliant if the disk is not encrypted. |
Encrypting data at rest |
Low |
evs:::volume |
N/A |
FunctionGraph
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_FUNCTION_GRAPH_PUBLIC_ACCESS_PROHIBITED |
Checks whether functions in FunctionGraph allow public access. This policy is non-compliant if the functions allow public access. |
Controlling network access |
Critical |
fgs:::function |
N/A |
GaussDB
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_GAUSSDB_INSTANCE_IN_VPC |
Checks whether a GaussDB instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. |
Controlling network access |
Medium |
gaussdb:::opengaussInstance |
|
|
RGC-GR_CONFIG_GAUSSDB_INSTANCE_NO_PUBLIC_IP_CHECK |
Checks whether a GaussDB instance has any EIPs associated. This policy is non-compliant if the instance has any EIPs associated. |
Controlling network access |
High |
gaussdb:::opengaussInstance |
N/A |
|
RGC-GR_CONFIG_GAUSSDB_INSTANCE_SSL_ENABLE |
Checks whether SSL encryption is enabled for a GaussDB instance. This policy is non-compliant if SSL encryption is not enabled. |
Encrypting data in transit |
High |
gaussdb:::opengaussInstance |
N/A |
GeminiDB
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_DISK_ENCRYPTION |
Checks whether disk encryption is enabled for a GeminiDB instance. This policy is non-compliant if disk encryption is not enabled. |
Encrypting data at rest |
Medium |
gaussdb:::mongoInstance |
N/A |
Identity and Access Management (IAM)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_IAM_ROOT_ACCESS_KEY_CHECK |
Checks whether there are available access keys for an account. This policy is non-compliant if there are available access keys. |
Enforcing the least privilege |
Critical |
identity:::accessKey |
N/A |
|
RGC-GR_CONFIG_ROOT_ACCOUNT_MFA_ENABLED |
Checks whether multi-factor authentication (MFA) is enabled for an account. This policy is non-compliant if MFA is not enabled. |
Enforcing the least privilege |
High |
identity:::acl |
N/A |
|
RGC-GR_CONFIG_IAM_GROUP_HAS_USERS_CHECK |
Checks whether IAM users are added to an IAM user group. This policy is non-compliant if no users are added to the user group. |
Enforcing the least privilege |
Medium |
identity:::group |
N/A |
|
RGC-GR_CONFIG_IAM_USER_ACCESS_MODE |
Checks whether an IAM user can gain access to both the console and APIs. This policy is non-compliant if the user can gain access to both the console and APIs. |
Enforcing the least privilege |
Medium |
identity:::user |
N/A |
|
RGC-GR_CONFIG_IAM_USER_CONSOLE_AND_API_ACCESS_AT_CREATION |
Checks whether access keys are set for an IAM user accessing from the console. This policy is non-compliant if access keys are set. |
Managing confidentiality |
Medium |
identity:::user |
N/A |
|
RGC-GR_CONFIG_IAM_USER_SINGLE_ACCESS_KEY |
Checks whether an IAM user has multiple access keys in the active state. This policy is non-compliant if the user has multiple access keys in the active state. |
Managing confidentiality |
High |
identity:::user |
N/A |
|
RGC-GR_CONFIG_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS |
Checks whether MFA is enabled for an IAM user accessing from the console. This policy is non-compliant if MFA is not enabled. |
Enforcing the least privilege |
Medium |
identity:::user |
N/A |
|
RGC-GR_CONFIG_IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS |
Checks whether an IAM policy grants the admin permission (*:*:*, *:*, or *). This policy is non-compliant if the IAM policy grants the admin permission. |
Enforcing the least privilege |
High |
identity:::protectionPolicy |
N/A |
|
RGC-GR_CONFIG_IAM_ROLE_HAS_ALL_PERMISSIONS |
Checks whether an IAM custom policy grants the allow permission (*:*). This policy is non-compliant if the IAM policy grants the allow permission. |
Enforcing the least privilege |
Low |
identity:::role |
N/A |
|
RGC-GR_CONFIG_IAM_USER_MFA_ENABLED |
Checks whether MFA is enabled for an IAM user. This policy is non-compliant if MFA is not enabled. |
Enforcing the least privilege |
Medium |
identity:::user |
N/A |
|
RGC-GR_CONFIG_ACCESS_KEYS_ROTATED |
Checks whether an IAM user's access key is rotated within the specified number of days. This policy is non-compliant if the key is not rotated within the specified number of days. |
Enforcing the least privilege |
High |
identity:::accessKey |
N/A |
|
RGC-GR_CONFIG_IAM_PASSWORD_POLICY |
Checks whether the password of an IAM user meets the password strength requirements. This policy is non-compliant if the password does not meet the requirements. |
Using strong authentication |
High |
identity:::user |
N/A |
|
RGC-GR_CONFIG_IAM_USER_LAST_LOGIN_CHECK |
Checks whether an IAM user logs in to the system within a specified period. This policy is non-compliant if the user does not log in to the system within the specified period. |
Enforcing the least privilege |
Low |
identity:::user |
N/A |
|
RGC-GR_CONFIG_IAM_POLICY_IN_USE |
Checks whether an IAM policy has been attached to any IAM users, user groups, or agencies. This policy is non-compliant if the IAM policy has not been attached. |
Enforcing the least privilege |
Low |
identity:::protectionPolicy |
N/A |
|
RGC-GR_CONFIG_IAM_ROLE_IN_USE |
Checks whether an IAM permission has been granted to any IAM users, user groups, or agencies. This policy is non-compliant if the permission has not been granted. |
Enforcing the least privilege |
Low |
identity:::role |
N/A |
|
RGC-GR_CONFIG_IAM_USER_LOGIN_PROTECTION_ENABLED |
Checks whether login protection is enabled for an IAM user. This policy is non-compliant if protection is not enabled. |
Using strong authentication |
Medium |
identity:::user |
N/A |
|
RGC-GR_CONFIG_IAM_POLICY_BLACKLISTED_CHECK |
Checks whether an IAM user, a user group, or an agency uses a specified permission or policy. This policy is non-compliant if they use a specified permission or policy. |
Enforcing the least privilege |
High |
|
|
|
RGC-GR_CONFIG_IAM_USER_GROUP_MEMBERSHIP_CHECK |
Checks whether an IAM user is in a specified IAM user group. This policy is non-compliant if the user is not in a specified user group. |
Enforcing the least privilege |
Medium |
identity:::user |
|
|
RGC-GR_CONFIG_IAM_AGENCIES_MANAGED_POLICY_CHECK |
Checks whether an IAM agency has specified IAM policies and permissions. This policy is non-compliant if the agency has no specified IAM policies and permissions. |
Enforcing the least privilege |
High |
identity:::agency |
IMS
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_IMS_IMAGES_ENABLE_ENCRYPTION |
Checks whether encryption is enabled for a private image. This policy is non-compliant if encryption is not enabled. |
Encrypting data at rest |
High |
images:::image |
N/A |
MapReduce Service (MRS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_MRS_CLUSTER_KERBEROS_ENABLED |
Checks whether Kerberos authentication is enabled for an MRS cluster. This policy is non-compliant if authentication is not enabled. |
Using strong authentication |
Medium |
mrs:::cluster |
N/A |
|
RGC-GR_CONFIG_MRS_CLUSTER_NO_PUBLIC_IP |
Checks whether a public IP address is bound to an MRS cluster. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
Medium |
mrs:::cluster |
N/A |
|
RGC-GR_CONFIG_MRS_CLUSTER_IN_ALLOWED_SECURITY_GROUPS |
Checks whether an MRS cluster is in the specified security group. This policy is non-compliant if the cluster is not in the specified security group. |
Controlling network access |
Medium |
mrs:::cluster |
|
|
RGC-GR_CONFIG_MRS_CLUSTER_IN_VPC |
Checks whether an MRS cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. |
Controlling network access |
Medium |
mrs:::cluster |
NAT
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_PRIVATE_NAT_GATEWAY_AUTHORIZED_VPC_ONLY |
Checks whether a private NAT gateway is in a specified VPC. This policy is non-compliant if the NAT gateway is not in the specified VPC. |
Controlling network access |
High |
nat:::privateGateway |
Object Storage Service (OBS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_OBS_BUCKET_POLICY_GRANTEE_CHECK |
Checks whether an OBS bucket policy allows a prohibited access action. This policy is non-compliant if the bucket policy allows a prohibited access action. |
Enforcing the least privilege |
High |
obs:::bucket |
Relational Database Service (RDS)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_RDS_INSTANCE_NO_PUBLIC_IP |
Checks whether a public IP address is bound to an RDS instance. This policy is non-compliant if a public IP address is bound. |
Controlling network access |
High |
rds:::instance |
N/A |
|
RGC-GR_CONFIG_RDS_INSTANCES_ENABLE_KMS |
Checks whether storage encryption is enabled for an RDS instance. This policy is non-compliant if storage encryption is not enabled. |
Encrypting data at rest |
Low |
rds:::instance |
N/A |
|
RGC-GR_CONFIG_RDS_INSTANCE_PORT_CHECK |
Checks whether an RDS instance has forbidden ports. This policy is non-compliant if the instance has forbidden ports. |
Controlling network access |
High |
rds:::instance |
N/A |
|
RGC-GR_CONFIG_RDS_INSTANCE_SSL_ENABLE |
Checks whether SSL encryption is enabled for an RDS instance. This policy is non-compliant if SSL encryption is not enabled. |
Encrypting data at rest |
High |
rds:::instance |
N/A |
Scalable File Service Turbo (SFS Turbo)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_SFSTURBO_ENCRYPTED_CHECK |
Checks whether SFS Turbo is configured to encrypt files using KMS. This policy is non-compliant if SFS Turbo is not configured to encrypt files using KMS. |
Encrypting data at rest |
Low |
sfsturbo:::dir |
N/A |
TaurusDB
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_IN_VPC |
Checks whether a TaurusDB instance is in the specified VPC. This policy is non-compliant if the instance is not in the specified VPC. |
Controlling network access |
High |
gaussdb:::mysqlInstance |
|
|
RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_NO_PUBLIC_IP_CHECK |
Checks whether a TaurusDB instance has an EIP associated. This policy is non-compliant if the instance has an EIP associated. |
Controlling network access |
High |
gaussdb:::mysqlInstance |
N/A |
|
RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_SSL_ENABLE |
Checks whether SSL encryption is enabled for a TaurusDB instance. This policy is non-compliant if SSL encryption is not enabled. |
Encrypting data in transit |
High |
gaussdb:::mysqlInstance |
N/A |
Virtual Private Cloud (VPC)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_VPC_SG_PORTS_CHECK |
Checks whether the inbound source IP address of a security group is set to 0.0.0.0/0 and all TCP/UDP ports are enabled. This policy is non-compliant if the inbound source IP address is set to 0.0.0.0/0 and all TCP/UDP ports are enabled. |
Controlling network access |
High |
networking:::secgroup |
N/A |
|
RGC-GR_CONFIG_VPC_ACL_UNUSED_CHECK |
Checks whether a network ACL is associated with any subnets. This policy is non-compliant if the network ACL is not associated with any subnets. |
Protecting configurations |
Low |
vpc:::networkAcl |
N/A |
|
RGC-GR_CONFIG_VPC_DEFAULT_SG_CLOSED |
Checks whether the default security group of a VPC allows inbound or outbound traffic. This policy is non-compliant if the default security group allows inbound or outbound traffic. |
Controlling network access |
High |
networking:::secgroup |
N/A |
|
RGC-GR_CONFIG_VPC_SG_RESTRICTED_SSH |
Checks whether the inbound source IP address of a security group is set to 0.0.0.0/0 and TCP port 22 is enabled. This policy is non-compliant if the inbound source IP address is set to 0.0.0.0/0 and TCP port 22 is enabled. |
Controlling network access |
High |
networking:::secgroup |
N/A |
|
RGC-GR_CONFIG_VPC_SG_ATTACHED_PORTS |
Checks whether a security group (not the default one) is connected to any elastic network interfaces (ports). This policy is non-compliant if the security group is not connected. |
Controlling network access |
Medium |
vpc:::eip |
N/A |
|
RGC-GR_CONFIG_VPC_SG_BY_WHITE_LIST_PORTS_CHECK |
Checks whether a security group allows traffic to any non-whitelisted ports. This policy is non-compliant if the security group allows traffic to any non-whitelisted ports. |
Controlling network access |
High |
vpc:::eip |
|
|
RGC-GR_CONFIG_VPC_SG_RESTRICTED_COMMON_PORTS |
Checks whether a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports. This policy is non-compliant if the security group allows all IPv4 and IPv6 traffic to the specified ports. |
Controlling network access |
High |
vpc:::eip |
N/A |
Web Application Firewall (WAF)
|
Policy Name |
Function |
Scenario |
Severity |
Resource |
Mandatory |
|---|---|---|---|---|---|
|
RGC-GR_CONFIG_WAF_INSTANCE_POLICY_NOT_EMPTY |
Checks whether a WAF domain name has protection policies configured. This policy is non-compliant if the domain name has no protection policies configured. |
Controlling network access |
Medium |
waf:::cloudInstance |
N/A |
|
RGC-GR_CONFIG_WAF_POLICY_NOT_EMPTY |
Checks whether a WAF protection policy has rules configured. This policy is non-compliant if the protection policy has no rules configured. |
Controlling network access |
Medium |
waf:::policy |
N/A |
|
RGC-GR_CONFIG_WAF_INSTANCE_ENABLE_BLOCK_POLICY |
Checks whether a WAF instance has a block policy attached. This policy is non-compliant if the instance has no block policies attached. |
Controlling network access |
Medium |
waf:::cloudInstance |
N/A |
|
RGC-GR_CONFIG_WAF_INSTANCE_ENABLE_PROTECT |
Checks whether an account is enabled and configured with domain name protection by WAF protection policies. This policy is non-compliant if the account is not enabled with domain name protection. |
Controlling network access |
Medium |
waf:::cloudInstance |
N/A |
|
RGC-GR_CONFIG_WAF_POLICY_ENABLE_GEOIP |
Checks whether an account has a WAF protection policy with the geolocation access control rule enabled. This policy is non-compliant if the account has no such protection policy. |
Controlling network access |
Medium |
waf:::policy |
N/A |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
