Conformance Package for Network Security
The following table lists the rules and solutions included in this conformance package template.
|
Rule |
Cloud Service |
Description |
|---|---|---|
|
access-keys-rotated |
iam |
If an IAM user's access key is not rotated within the specified number of days, this user is noncompliant. |
|
alarm-kms-disable-or-delete-key |
ces, kms |
If there are no alarm rules configured for disabling or deleting KMS keys, this rule is noncompliant. |
|
alarm-obs-bucket-policy-change |
ces, obs |
If there are no alarm rules configured for OBS bucket policy changes, this rule is noncompliant. |
|
alarm-vpc-change |
ces, vpc |
If there are no alarm rules configured for VPC changes, the current account is noncompliant. |
|
css-cluster-https-required |
css |
If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant. |
|
css-cluster-in-vpc |
css |
If a CSS cluster is not in the specified VPCs, this cluster is noncompliant. |
|
cts-kms-encrypted-check |
cts |
If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. |
|
cts-lts-enable |
cts |
If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant. |
|
cts-obs-bucket-track |
cts |
If no trackers are created for the specified OBS bucket, this rule is noncompliant. |
|
cts-support-validate-check |
cts |
If Verify Trace File is not enabled for a CTS tracker, this tacker is noncompliant. |
|
cts-tracker-exists |
cts |
If there are no trackers or all trackers are disabled in an account, the current account is noncompliant. |
|
ecs-instance-in-vpc |
ecs, vpc |
If an ECS is not within the specified VPC, this ECS is noncompliant. |
|
ecs-instance-no-public-ip |
ecs |
If an ECS has an EIP attached, this ECS is noncompliant. |
|
eip-unbound-check |
vpc |
If an EIP has not been attached to any resource, this EIP is noncompliant. |
|
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
|
iam-group-has-users-check |
iam |
If an IAM user group has no user, this user group is noncompliant. |
|
iam-password-policy |
iam |
If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant. |
|
iam-root-access-key-check |
iam |
If the account root user has an available access key, the account is noncompliant. |
|
iam-user-console-and-api-access-at-creation |
iam |
If an IAM user who is allowed to access Huawei Cloud console has AK/SK created, this user is noncompliant. |
|
iam-user-group-membership-check |
iam |
If an IAM user is not in any of the specified IAM user groups, this user is noncompliant. |
|
iam-user-last-login-check |
iam |
If an IAM user does not log in to the system within the specified time range, the result is non-compliant. |
|
iam-user-mfa-enabled |
iam |
If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
|
iam-user-single-access-key |
iam |
If multiple access keys are in the active state for an IAM user, this user is noncompliant. |
|
mfa-enabled-for-iam-console-access |
iam |
If an IAM user who is allowed to access Huawei Cloud console does not have MFA enabled, this IAM user is noncompliant. |
|
mrs-cluster-kerberos-enabled |
mrs |
If kerberos is not enabled for an MRS cluster, this cluster is noncompliant. |
|
mrs-cluster-no-public-ip |
mrs |
If an MRS cluster has an EIP attached, this cluster is noncompliant. |
|
private-nat-gateway-authorized-vpc-only |
nat |
If a private NAT gateway is not in a specified VPC, this gateway is noncompliant. |
|
rds-instance-multi-az-support |
rds |
If an RDS instance does not support multi-AZ deployment, this RDS instance is noncompliant. |
|
rds-instance-no-public-ip |
rds |
If an RDS instance has an EIP attached, this RDS instance is noncompliant. |
|
root-account-mfa-enabled |
iam |
If the root user does not have MFA enabled, this root user is noncompliant. |
|
stopped-ecs-date-diff |
ecs |
If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant. |
|
volume-unused-check |
evs |
If an EVS disk is not mounted to any cloud server, this disk is noncompliant. |
|
volumes-encrypted-check |
ecs, evs |
If a mounted EVS disk is not encrypted, this disk is noncompliant. |
|
vpn-connections-active |
vpnaas |
If a VPN is not normally connected, this rule is noncompliant. |
|
bms-key-pair-security-login |
bms |
If a BMS does not have key pair login enabled, ths BMS is noncompliant. |
|
cbr-backup-encrypted-check |
cbr |
If a CBR backup is not encrypted, this backup is noncompliant. |
|
cfw-policy-not-empty |
cfw |
If a CFW instance does not have a protection policy attached, this instance is noncompliant. |
|
csms-secrets-auto-rotation-enabled |
csms |
If a CSMS secret does not have automatic rotation enabled, this secret is noncompliant. |
|
csms-secrets-rotation-success-check |
csms |
If a CSMS secret fails to be rotated, this secret is noncompliant. |
|
csms-secrets-using-cmk |
csms |
If a CSMS secret has not been configured with one of the specified KMS keys, this secret is noncompliant. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
