Conformance Package for Classified Protection of Cybersecurity Level 3 (2.0)
This section describes the background, applicable scenarios, and the conformance package to meet requirements by Classified Protection of Cybersecurity Level 3 (2.0).
Background
Level-3 Information Security Protection 2.0 is a set of standards for information security by the Chinese government. It represents an important part of the classified information security protection system of China. This document is intended for information infrastructure sectors, such as the government, finance, telecommunications, and energy. It aims to ensure the security, integrity, and availability of information systems by provide guidance on how to prevent and resolve security threats and risks.
For more details about the basic requirements for classified protection of cybersecurity, see GB/T 22239-2019.
Exemption Clauses
This package provides you with general guide to help you quickly create scenario-based conformance packages. The conformance package and rules included only apply to cloud service and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Compliance Rules
The guideline numbers in the following table are in consistent with the chapter numbers in GB/T 22239-2019.
Guideline No. |
Guideline Description |
Config Rule |
Solution |
---|---|---|---|
8.1.2.1 |
b. Bandwidths should be properly allocated for related networks to meet peak-hour needs. |
eip-bandwidth-limit |
Allocate sufficient bandwidth to meet peak-hour needs. |
8.1.2.1 |
c. Network shall be divided into different subnets and IP addresses shall be allocated to them. The allocation should facilitate easy management and control. |
dcs-redis-in-vpc |
Deploy DCS instances within VPCs. |
8.1.2.1 |
c. Network shall be divided into different subnets and IP addresses shall be allocated to them. The allocation should facilitate easy management and control. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
8.1.2.1 |
c. Network shall be divided into different subnets and IP addresses shall be allocated to them. The allocation should facilitate easy management and control. |
rds-instances-in-vpc |
Deploy all RDS instances within VPCs. |
8.1.2.1 |
d. Important subnets shall not be deployed at borders. Reliable technical measures shall be taken to isolate important subnets from other subnets. |
dcs-redis-in-vpc |
Deploy DCS instances within VPCs. |
8.1.2.1 |
d. Important subnets shall not be deployed at borders. Reliable technical measures shall be taken to isolate important subnets from other subnets. |
ecs-instance-in-vpc |
Deploy all ECSs within VPCs. |
8.1.2.1 |
d. Important subnets shall not be deployed at borders. Reliable technical measures shall be taken to isolate important subnets from other subnets. |
rds-instances-in-vpc |
Deploy all RDS instances within VPCs. |
8.1.3.1 |
b. Unauthorized device access to the internal network shall be detected or blocked. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect sensitive data. |
8.1.3.1 |
b. Unauthorized device access to the internal network shall be detected or blocked. |
elb-loadbalancers-no-public-ip |
Block public access to elastic load balancers. |
8.1.3.1 |
b. Unauthorized device access to the internal network shall be detected or blocked. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
8.1.3.2 |
a. Access control policies should be configured for network-border or cross-region access. By default, controlled ports only allow specified access. |
ecs-instance-no-public-ip |
Block public access to ECSs to protect sensitive data. |
8.1.3.2 |
a. Access control policies should be configured for network-border or cross-region access. By default, controlled ports only allow specified access. |
elb-loadbalancers-no-public-ip |
Block public access to elastic load balancers. |
8.1.3.2 |
a. Access control policies should be configured for network-border or cross-region access. By default, controlled ports only allow specified access. |
rds-instance-no-public-ip |
Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required. |
8.1.3.5 |
c. Audit records shall be protected and regular backup should be performed to avoid unexpected deletion, modification, or overwriting. |
cts-tracker-exists |
Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. |
8.1.4.1 |
d. Two or more authentication methods, such as tokens, passwords, and biometric technologies, shall be used to authenticate user identity. Password authentication must be used. |
iam-user-mfa-enabled |
Enable MFA for all IAM users. MFA provides an additional layer of protection in addition to the username and password. |
8.1.4.7 |
a. Cryptographic techniques should be used to ensure transmission integrity for important data, including but not limited to authentication data, service data, audit data, configuration data, video data, and personal information. |
elb-tls-https-listeners-only |
Ensure that load balancer listeners have been configured with the HTTPS protocol. Transmission encryption is helpful for data protection, especially when there is sensitive data. |
8.1.4.7 |
b. Cryptographic techniques should be used to ensure the integrity of important data storage, including but not limited to authentication data, service data, audit data, configuration data, video data, and personal information. |
volumes-encrypted-check |
Encrypt mounted cloud disks to protect static data. |
8.1.4.9 |
c. Hot redundancy should be provided for critical data processing systems to ensure high availability. |
rds-instance-multi-az-support |
Deploy RDS instance across AZs to increase service availability. RDS automatically creates a primary DB instance and replicates data to standby DB instances in different AZs that are physically separate. If a fault occurs, RDS automatically fails over to the standby database so that you can restore databases in a timely manner. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot