Conformance Package for SWIFT CSP
This section describes the background, applicable scenarios, and the conformance package to meet requirements by SWIFT Customer Security Program (CSP).
Background
SWIFT CSP is a cloud security solution launched by SWIFT. It aims to provide more secure and reliable transaction services for financial institutions. For more information about SWIFT CSP, visit the SWIFT official website: https://www.swift.com/.
Exemption Clauses
This package provides you with a general guide to help you quickly create scenario-based conformance packages. The conformance package and the rules it includes only apply to cloud services and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Compliance Rules
The guideline numbers in the following table are consistent with the chapter numbers in https://www.swift.com/.
| Guideline No. | Rule | Solution |
|---|---|---|
| 1.1 | ecs-instance-no-public-ip | Restrict public access to ECSs to protect sensitive data. |
| 1.1 | ecs-instance-in-vpc | Include all ECSs in VPCs. |
| 1.1 | vpc-default-sg-closed | Use security groups to control access within a VPC. You can directly use the default security group for resource access control. |
| 1.1 | vpc-acl-unused-check | Use this rule to identify unattached ACLs. An ACL helps control traffic in and out of a subnet. |
| 1.1 | vpc-sg-ports-check | You can use security groups to control port connections. |
| 1.2 | iam-customer-policy-blocked-kms-actions | Use this rule to identify policies that disable KMS encryption. |
| 1.2 | iam-group-has-users-check | Add IAM users to at least one user group so that users can inherit the permissions attached to the user group that they are in. |
| 1.2 | vpc-sg-restricted-ssh | You can configure security groups to only allow traffic from specific IP addresses to reach the SSH port 22 of ECSs, ensuring secure remote access to ECSs. |
| 1.2 | smn-lts-enable | Enable LTS for SMN topics. |
| 1.4 | private-nat-gateway-authorized-vpc-only | Use private NAT gateways to control VPC connections. |
| 1.4 | vpc-sg-restricted-common-ports | You can configure security groups to control connections to frequently used ports. |
| 1.4 | function-graph-public-access-prohibited | Block public access to FunctionGraph functions and manage access to Huawei Cloud resources. Public access may reduce resource availability. |
| 2.3 | ecs-multiple-public-ip-check | You can use this rule to identify ECSs that have multiple EIPs attached, to reduce network security risks. |
| 2.3 | volume-unused-check | Use this rule to identify idle cloud disks. |
| 2.3 | kms-not-scheduled-for-deletion | Use this rule to identify KMS keys that are scheduled for deletion. |
| 2.5 A | sfsturbo-encrypted-check | Enable KMS encryption for SFS Turbo file systems. |
| 2.5 A | volumes-encrypted-check | Enable encryption for EVS to protect data. |
| 4.1 | iam-password-policy | Set thresholds for IAM user password strength. |
| 4.1 | access-keys-rotated | Enable key rotation. |
| 4.2 | iam-user-mfa-enabled | Enable MFA for all IAM users to prevent account theft. |
| 4.2 | mfa-enabled-for-iam-console-access | Enable MFA for all IAM users who can access the Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data. |
| 4.2 | root-account-mfa-enabled | Enable MFA for root users. MFA enhances account security. |
| 5.1 | iam-role-has-all-permissions | Grant IAM users only the permissions necessary to perform required operations, to ensure compliance with the least privilege and SOD principles. |
| 5.1 | iam-root-access-key-check | Ensure that the root access key has been deleted. |
| 5.1 | iam-user-group-membership-check | Add IAM users to user groups so that users can inherit the permissions attached to the user groups that they are in. |
| 6.4 | cts-lts-enable | Use LTS to centrally collect CTS data. |
| 6.4 | cts-tracker-exists | Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console. |
| 6.4 | multi-region-cts-tracker-exists | Create CTS trackers for the different regions where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help your services better satisfy customer needs as well as legal or regulatory requirements. |
| 6.4 | cts-kms-encrypted-check | Enable trace file encryption for CTS trackers. |
| 6.4 | cts-support-validate-check | You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored. |
| 6.4 | stopped-ecs-date-diff | Use this rule to identify ECSs that have been stopped for longer than the allowed time period. |
| 6.4 | vpc-flow-logs-enabled | Enable flow logs for VPCs to monitor network traffic, analyze network attacks, and optimize security group and ACL configurations. |