Architecture Security Best Practices
The following table describes the compliance rules and solutions in the sample template.
Rule |
Cloud Service |
Description |
---|---|---|
access-keys-rotated |
iam |
If an IAM user's access key is not rotated within the specified number of days, this user is noncompliant. |
pca-certificate-authority-expiration-check |
pca |
If the validity period of a private CA is not within the specified period, this CA is noncompliant. |
pca-certificate-expiration-check |
pca |
If the validity period of a private CA is not within the specified period, this CA is noncompliant. |
apig-instances-execution-logging-enabled |
apig |
If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant. |
apig-instances-ssl-enabled |
apig |
If no SSL certificates are attached to an APIG gateway, this gateway is considered noncompliant. |
cts-lts-enable |
cts |
If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant. |
cts-kms-encrypted-check |
cts |
If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. |
cts-support-validate-check |
cts |
If a CTS tracker does not have trace file verification enabled, this tacker is noncompliant. |
cts-obs-bucket-track |
cts |
If there are no CTS trackers created for the specified OBS bucket, the current account is noncompliant. |
ecs-multiple-public-ip-check |
ecs |
If an ECS has multiple EIPs attached, this ECS is noncompliant. |
ecs-instance-no-public-ip |
ecs |
If an ECS has an EIP attached, this ECS is noncompliant. |
stopped-ecs-date-diff |
ecs |
If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant. |
evs-use-in-specified-days |
evs |
If an EVS disk has not been attached to any resources within the specified number of days after being created, this disk is noncompliant. |
volume-unused-check |
evs |
If an EVS disk is not mounted to any cloud server, this disk is noncompliant. |
cce-cluster-end-of-maintenance-version |
cce |
If the version of a CCE cluster is no longer supported for maintenance, this cluster is noncompliant. |
cce-cluster-oldest-supported-version |
cce |
If a CCE cluster is running the oldest supported version, this cluster is noncompliant. |
sfsturbo-encrypted-check |
sfsturbo |
If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant. |
css-cluster-in-vpc |
css |
If a CSS cluster is not in the specified VPCs, this cluster is noncompliant. |
css-cluster-disk-encryption-check |
css |
If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant. |
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
mrs-cluster-kerberos-enabled |
mrs |
If kerberos is not enabled for an MRS cluster, this cluster is noncompliant. |
mrs-cluster-no-public-ip |
mrs |
If an MRS cluster has an EIP attached, this cluster is noncompliant. |
volumes-encrypted-check |
ecs, evs |
If a mounted EVS disk is not encrypted, this disk is noncompliant. |
iam-customer-policy-blocked-kms-actions |
iam, access-analyzer-verified |
If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant. |
iam-group-has-users-check |
iam |
If an IAM user group has no user, this user group is noncompliant. |
iam-password-policy |
iam |
If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant. |
iam-policy-no-statements-with-admin-access |
iam |
If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is noncompliant. |
iam-role-has-all-permissions |
iam |
If a custom policy or role allows all actions for a cloud service, this policy or role is noncompliant. |
iam-root-access-key-check |
iam |
If the root user access key is available, the account is noncompliant. |
iam-user-group-membership-check |
iam |
If an IAM user is not in any of the specified IAM user groups, this user is noncompliant. |
iam-user-mfa-enabled |
iam |
If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
iam-user-last-login-check |
iam |
If an IAM user does not log in to the system within the specified time range, this user is non-compliant. |
vpc-sg-restricted-ssh |
vpc |
If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0 or ::/0) and opens the TCP 22 port, this security group is noncompliant. |
ecs-instance-in-vpc |
ecs, vpc |
If an ECS is not within the specified VPC, this ECS is noncompliant. |
kms-not-scheduled-for-deletion |
kms |
If a KMS key is scheduled for deletion, this key is noncompliant. |
function-graph-public-access-prohibited |
fgs |
If a function can be accessed over a public network, this function is noncompliant. |
function-graph-inside-vpc |
fgs |
If a function is not in the specified VPC, this function is noncompliant. |
mfa-enabled-for-iam-console-access |
iam |
If an IAM user who is allowed to access Huawei Cloud console does not have MFA enabled, this IAM user is noncompliant. |
css-cluster-https-required |
css |
If a CSS cluster does not have HTTPS enabled, this cluster is noncompliant. |
rds-instance-no-public-ip |
rds |
If an RDS instance has an EIP attached, this RDS instance is noncompliant. |
rds-instance-logging-enabled |
rds |
If an RDS instance does not have the collection of any types of logs enabled, this instance is noncompliant. |
rds-instances-enable-kms |
rds |
If KMS encryption is not enabled for an RDS instance, this instance is noncompliant. |
dws-enable-kms |
dws |
If KMS encryption is not enabled for a DWS cluster, this cluster is noncompliant. |
gaussdb-nosql-enable-disk-encryption |
gemini db |
If a GeminiDB instance does not have disk encryption enabled, this instance is noncompliant. |
dws-enable-ssl |
dws |
If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
vpc-sg-restricted-common-ports |
vpc |
If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is noncompliant. |
root-account-mfa-enabled |
iam |
If the root user does not have MFA enabled, this root user is noncompliant. |
vpc-default-sg-closed |
vpc |
If a default security group allows all inbound or outbound traffic, this security group is noncompliant. |
vpc-flow-logs-enabled |
vpc |
If a VPC does not have the flow log enabled, this VPC is noncompliant. |
vpc-acl-unused-check |
vpc |
If a network ACL is not attached to any subnets, this ACL is noncompliant. |
vpc-sg-ports-check |
vpc |
If a security group has the source address set to 0.0.0.0/0 or ::/0 and opens all TCP/UDP ports, this security group is noncompliant. |
waf-instance-policy-not-empty |
waf |
If a WAF instance does not have a protection policy attached, this instance is noncompliant. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot