Help Center/ Config/ User Guide/ Conformance Packages/ Conformance Package Templates/ Conformance Package for ENISA Requirements
Updated on 2024-12-10 GMT+08:00

Conformance Package for ENISA Requirements

This section describes the background, applicable scenarios, and the conformance package to meet requirements by European Union Agency for Cybersecurity (ENISA).

Background

ENISA has issued a guide for small- and medium-sized enterprises (SMEs) to enhance cyber security. The guide highlights the importance of cyber security for SMEs and describes how to implement related best practices to protect their services from cyber threats.

Applicable Scenarios

This conformance package helps SMEs to meet ENISA requirements of cyber security. It needs to be reviewed and implemented based on specific conditions and

Exemption Clauses

This package provides you with general guide to help you quickly create scenario-based conformance packages. The conformance package and rules included only apply to cloud service and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.

Compliance Rules

The guideline numbers in the following table are in consistent with the chapter numbers in cybersecurity-guide-for-smes.

Table 1 Rules in the conformance package

Guideline No.

Guideline Description

Rule

Solution

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

drs-data-guard-job-not-public

Ensure that DRS real-time DR tasks are not publicly accessible.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

drs-migration-job-not-public

Ensure that DRS real-time migration tasks are not publicly accessible.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

drs-synchronization-job-not-public

Ensure that DRS real-time synchronization tasks are not publicly accessible.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

ecs-instance-no-public-ip

Restrict public access to ECSs to protect sensitive data.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

mrs-cluster-no-public-ip

Block access to MapReduce Service (MRS) using public networks. MRS instances may contain sensitive information, so access control is required.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

function-graph-public-access-prohibited

Block public access to FunctionGraph functions and manage access to Huawei Cloud resources. Public access may reduce resource availability.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

rds-instance-no-public-ip

Block access to cloud databases from public networks and manage access to Huawei Cloud resources. Cloud databases may contain sensitive information, and access control is required.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

apig-instances-ssl-enabled

Enable SSL for APIG REST APIs to authenticate API requests.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

cts-kms-encrypted-check

Enable trace file encryption with KMS for CTS trackers.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

sfsturbo-encrypted-check

Enable KMS encryption for SFS Turbo file systems.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

volumes-encrypted-check

Enable encryption for EVS to protect data.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

cts-support-validate-check

You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect sensitive data.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect sensitive data.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

elb-tls-https-listeners-only

Ensure that your load balancer listeners are configured with the HTTPS protocol.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

volumes-encrypted-check

Enable encryption for EVS to protect data.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

iam-policy-no-statements-with-admin-access

Grant IAM users only necessary permissions to perform required operations to ensure compliance with the least privilege and SOD principles

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

iam-role-has-all-permissions

Grant IAM users only necessary permissions to perform required operations to ensure compliance with the least privilege and SOD principles

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

vpc-sg-restricted-ssh

You can configure security groups to only allow traffic from some IPs to access the SSH port 22 of ECSs to ensure secure remote access to ECSs.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

private-nat-gateway-authorized-vpc-only

Use private NAT gateways to control VPC connections.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

rds-instances-enable-kms

Enable encryption for RDS instances to protect sensitive data.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

dws-enable-ssl

Enable SSL for DWS clusters to protect sensitive data.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

dws-enable-kms

Enable KMS disk encryption for DWS clusters.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

gaussdb-nosql-enable-disk-encryption

Enable KMS disk encryption for GeminiDB instances.

1_DEVELOP GOOD CYBERSECURITY CULTURE: REMEMBER DATA PROTECTION

Under the EU General Data Protection Regulation 1 any SMEs that process or store personal data belonging to EU/EEA residents need to ensure that appropriate security controls are in place to protect that data. This includes ensuring that any third parties working on behalf of the SME have appropriate security measures in place.

vpc-sg-ports-check

You can use security groups to control port connections.

5_SECURE ACCESS TO SYSTEMS

Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security.

iam-password-policy

Set thresholds for IAM user password strength.

5_SECURE ACCESS TO SYSTEMS

Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security.

iam-user-mfa-enabled

Enable MFA for all IAM users to prevent account theft.

5_SECURE ACCESS TO SYSTEMS

Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security.

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data.

5_SECURE ACCESS TO SYSTEMS

Encourage everyone to use a passphrase, a collection of at least three random common words combined into a phrase that provide a very good combination of memorability and security.

root-account-mfa-enabled

Enable MFA for root users. MFA enhances account security.

6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE

Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: Regularly update all of their software; turn on automatic updates whenever possible; identify software and hardware that requires manual updates; take into account mobile and IoT devices.

cce-cluster-end-of-maintenance-version

Ensure that CCE cluster versions can be maintained.

6_SECURE DEVICES: KEEP SOFTWARE PATCHED AND UP TO DATE

Ideally using a centralized platform to manage patching. It is highly recommended for SMEs to: Regularly update all of their software; turn on automatic updates whenever possible; identify software and hardware that requires manual updates; take into account mobile and IoT devices.

cce-cluster-oldest-supported-version

Ensure that there are no CCE cluster versions that cannot be maintained. For CCE clusters of supported versions, The system automatically deploys security patches to upgrade your CCE clusters. If any security issue is identified, Huawei Cloud will fix the issue.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

cts-kms-encrypted-check

Enable trace file encryption with KMS for CTS trackers.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

cts-support-validate-check

You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

sfsturbo-encrypted-check

Enable KMS encryption for SFS Turbo file systems.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect sensitive data.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect sensitive data.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

css-cluster-https-required

After HTTPS is enabled for a CSS cluster, communication is encrypted when you access this cluster. If HTTPS is disabled, HTTP protocol is used for cluster communication. In this case, data security cannot be ensured and public address is not allowed.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

volumes-encrypted-check

Enable encryption for EVS to protect data.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

rds-instances-enable-kms

Enable KMS encryption for RDS instances to protect sensitive data.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

dws-enable-kms

Enable KMS encryption for DWS clusters.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

gaussdb-nosql-enable-disk-encryption

Enable disk encryption with KMS for GeminiDB instances.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

elb-tls-https-listeners-only

Ensure that your load balancer listeners are configured with the HTTPS protocol.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

apig-instances-ssl-enabled

Enable SSL for APIG REST APIs to authenticate API requests.

6_SECURE DEVICES: ENCRYPTION

Protect data by encrypting it. SMEs should ensure the data stored on mobile devices such as laptops, smartphones, and tables are encrypted. For data transferred over public networks, such as hotel or airport Wi-Fi networks, ensure that data is encrypted, either by employing a Virtual Private Network (VPN) or accessing websites over secure connections using SSL/TLS protocol. Ensure their own websites are employing suitable encryption technology to protect client data as it travels over the Internet.

dws-enable-ssl

Enable SSL for DWS clusters to protect data.

7_SECURE YOUR NETWORK: EMPLOY FIREWALLS

Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME's network from the Internet.

vpc-sg-restricted-ssh

You can configure security groups to only allow traffic from some IPs to access the SSH port 22 of ECSs to ensure secure remote access to ECSs.

7_SECURE YOUR NETWORK: EMPLOY FIREWALLS

Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SME systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME's network from the Internet.

vpc-sg-restricted-common-ports

You can configure security groups to control connections to frequently used ports.

7_SECURE YOUR NETWORK: EMPLOY FIREWALLS

Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME's network from the Internet.

vpc-default-sg-closed

Use security groups to control access within a VPC. You can directly use the default security group for resource access control.

7_SECURE YOUR NETWORK: EMPLOY FIREWALLS

Firewalls manage the traffic that enters and leaves a network and are a critical tool in protecting SMEs systems. Firewalls should be deployed to protect all critical systems, in particular a firewall should be employed to protect the SME's network from the Internet.

vpc-sg-ports-check

You can use security groups to control port connections.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: 1. Ensure all remote access software is patched and up date. 2. Restrict remote access from suspicious geographical locations or certain IP addresses. 3. Restrict staff remote access only to the systems and computers they need for their work. 4. Enforce strong passwords for remote access and where possible enable multi-factor authentication. 5. Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

iam-password-policy

Set thresholds for IAM user password strength.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

iam-user-mfa-enabled

Enable MFA for all IAM users to prevent account theft.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

root-account-mfa-enabled

Enable MFA for root users. MFA enhances account security.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

apig-instances-execution-logging-enabled

Enable CTS for your dedicated APIG gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. 3. Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

cts-lts-enable

Use LTS to centrally collect CTS data.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. 2. Restrict remote access from suspicious geographical locations or certain IP addresses. 3. Restrict staff remote access only to the systems and computers they need for their work. 4. Enforce strong passwords for remote access and where possible enable multi-factor authentication. 5. Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

multi-region-cts-tracker-exists

Create CTS trackers for different regions to satisfy different customer requirements and meets the laws and regulations of different regions.

7_SECURE YOUR NETWORK: REVIEW REMOTE ACCESS SOLUTIONS

SMEs should regularly review any remote access tools to ensure they are secure, particularly: - Ensure all remote access software is patched and up date. - Restrict remote access from suspicious geographical locations or certain IP addresses. - Restrict staff remote access only to the systems and computers they need for their work. - Enforce strong passwords for remote access and where possible enable multi-factor authentication. - Ensure monitoring and alerting is enabled to warn of suspected attacks or unusual suspicious activity.

vpc-flow-logs-enabled

Enable flow logs for VPCs to monitor network traffic, analyze network attacks, and optimize security group and ACL configurations.

9_SECURE BACKUPS

To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: 1. Backup is regular and automated whenever possible. 2. Backup is held separately from the SME's production environment. 3. Backups are encrypted, especially if they are going to be moved between locations. 4. The ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done.

rds-instance-enable-backup

Enable backups for RDS instances.

9_SECURE BACKUPS

To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: 1. Backup is regular and automated whenever possible. 2. Backup is held separately from the SME's production environment. 3. Backups are encrypted, especially if they are going to be moved between locations. 4. The ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done.

dws-enable-snapshot

Enable snapshots for DWS clusters. Automated snapshots are enabled by default when a cluster is created. Snapshots are periodically taken of a cluster based on the specified time and interval, usually every eight hours. Users can configure one or more automated snapshot policies for the cluster as needed.

9_SECURE BACKUPS

To enable the recovery of key formation, backups should be maintained as they are an effective way to recover from disasters such as a ransomware attack. The following backup rules should apply: Backup is regular and automated whenever possible; backup is held separately from the SME's production environment; backups are encrypted, especially if they are going to be moved between locations; the ability to regularly restore data from the backups is tested. Ideally, a regular test of a full restore from start to finish should be done.

gaussdb-nosql-enable-backup

Enable backups for GeminiDB.