Updated on 2024-10-28 GMT+08:00

Best Practices for Secure Identity and Compliance Operations

The following table describes the compliance rules and solutions in the sample template.

Table 1 Conformance package description

| Rule | Cloud Service | Description |
| --- | --- | --- |
| access-keys-rotated | iam | If an IAM user's access key is not rotated within the specified number of days, this user is noncompliant. |
| pca-certificate-authority-expiration-check | pca | If the validity period of a private CA is not within the specified period, this CA is noncompliant. |
| pca-certificate-expiration-check | pca | If the validity period of a private certificate is not within the specified range, this certificate is noncompliant. |
| apig-instances-execution-logging-enabled | apig | If logging is not enabled for a dedicated APIG gateway, this gateway is noncompliant. |
| cts-lts-enable | cts | If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant. |
| cts-tracker-exists | cts | If there are no trackers or all trackers are disabled in an account, this account is noncompliant. |
| cts-kms-encrypted-check | cts | If a CTS tracker does not have KMS encryption enabled, this tracker is noncompliant. |
| cts-support-validate-check | cts | If a CTS tracker does not have trace file verification enabled, this tracker is noncompliant. |
| kms-rotation-enabled | kms | If key rotation is not enabled for a KMS key, this key is noncompliant. |
| iam-customer-policy-blocked-kms-actions | iam, access-analyzer-verified | If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant. |
| iam-group-has-users-check | iam | If an IAM user group has no users, this user group is noncompliant. |
| iam-password-policy | iam | If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant. |
| iam-policy-no-statements-with-admin-access | iam | If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is noncompliant. |
| iam-role-has-all-permissions | iam | If a custom policy or role allows all actions for a cloud service, this policy or role is noncompliant. |
| iam-root-access-key-check | iam | If the root user access key is available, the account is noncompliant. |
| iam-user-group-membership-check | iam | If an IAM user is not in any of the specified IAM user groups, this user is noncompliant. |
| iam-user-mfa-enabled | iam | If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
| iam-user-last-login-check | iam | If an IAM user does not log in to the system within the specified period, this user is noncompliant. |
| vpc-sg-restricted-ssh | vpc | If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0 or ::/0) and opens TCP port 22, this security group is noncompliant. |
| kms-not-scheduled-for-deletion | kms | If a KMS key is scheduled for deletion, this key is noncompliant. |
| mfa-enabled-for-iam-console-access | iam | If an IAM user who is allowed to access the Huawei Cloud console does not have MFA enabled, this IAM user is noncompliant. |
| rds-instance-logging-enabled | rds | If an RDS instance does not have the collection of any type of logs enabled, this instance is noncompliant. |
| vpc-sg-restricted-common-ports | vpc | If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is noncompliant. |
| root-account-mfa-enabled | iam | If the root user does not have MFA enabled, this root user is noncompliant. |
| vpc-default-sg-closed | vpc | If a default security group allows all inbound or outbound traffic, this security group is noncompliant. |
| vpc-sg-ports-check | vpc | If a security group has the source address set to 0.0.0.0/0 or ::/0 and opens all TCP/UDP ports, this security group is noncompliant. |
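The following is an added illustration, not part of the original page and not Huawei Cloud Config's own evaluation code, of how the logic behind several of the rules above can be expressed as standalone checks: iam-policy-no-statements-with-admin-access, iam-role-has-all-permissions, vpc-sg-restricted-ssh, vpc-sg-restricted-common-ports and vpc-sg-ports-check. The shapes of the policy document (`Statement`/`Effect`/`Action`) and of the security group rule (`direction`, `protocol`, `remote_ip_prefix`, `port_range_min`, `port_range_max`) are assumptions made for the example, as are the sample resources, which are constructed.

```python
"""Added illustration of the rule logic in the table above.
Resource shapes and sample data are assumed/constructed, not Config's own format."""
import ipaddress

# Action wildcards named by the iam-policy-no-statements-with-admin-access rule.
ADMIN_WILDCARDS = {"*:*:*", "*:*", "*"}
# "All sources" as the vpc-sg-* rules describe it.
ANY_SOURCE = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def _actions(statement):
    """Return a statement's Action element as a list (it may be a string or a list)."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def policy_grants_admin_access(policy):
    """iam-policy-no-statements-with-admin-access: True if any Allow statement
    grants all actions on all services via one of the wildcard forms."""
    return any(
        stmt.get("Effect") == "Allow" and any(a in ADMIN_WILDCARDS for a in _actions(stmt))
        for stmt in policy.get("Statement", [])
    )


def services_with_all_actions(policy):
    """iam-role-has-all-permissions: services for which an Allow statement grants
    every action, i.e. an action written as "<service>:*" or "<service>:*:*"."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            service, sep, rest = action.partition(":")
            if sep and service != "*" and rest in ("*", "*:*"):
                found.add(service)
    return found


def _open_to_any_source(rule):
    """True for an ingress rule whose remote prefix is 0.0.0.0/0 or ::/0."""
    if rule.get("direction") != "ingress":
        return False
    prefix = rule.get("remote_ip_prefix")
    if not prefix:  # assumed: a missing prefix means no source restriction
        return True
    return ipaddress.ip_network(prefix, strict=False) in ANY_SOURCE


def _covers_port(rule, port):
    """True if the rule's port range includes `port` (no range = all ports)."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None or hi is None:  # assumed: an absent range means all ports
        return True
    return lo <= port <= hi


def sg_exposes_port(rules, port, protocol="tcp"):
    """vpc-sg-restricted-ssh (port=22) and vpc-sg-restricted-common-ports:
    True if any rule lets any source reach `port` over `protocol`."""
    return any(
        _open_to_any_source(r)
        and r.get("protocol", "any") in (protocol, "any")
        and _covers_port(r, port)
        for r in rules
    )


def sg_opens_all_ports(rules):
    """vpc-sg-ports-check: True if an any-source ingress rule carries no port
    restriction for TCP, UDP or all protocols."""
    return any(
        _open_to_any_source(r)
        and r.get("protocol", "any") in ("tcp", "udp", "any")
        and r.get("port_range_min") is None
        and r.get("port_range_max") is None
        for r in rules
    )


# Constructed sample resources for the checks above.
ADMIN_POLICY = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["*:*:*"]}]}
SCOPED_POLICY = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["obs:bucket:ListBucket", "kms:*:*"]},
    {"Effect": "Deny", "Action": ["*"]},  # a Deny wildcard is not a grant
]}
OPEN_SSH_SG = [{"direction": "ingress", "protocol": "tcp", "remote_ip_prefix": "0.0.0.0/0",
                "port_range_min": 22, "port_range_max": 22}]
INTERNAL_ONLY_SG = [
    {"direction": "ingress", "protocol": "tcp", "remote_ip_prefix": "10.0.0.0/8",
     "port_range_min": 22, "port_range_max": 22},
    {"direction": "egress", "protocol": "any", "remote_ip_prefix": "::/0"},
]
WIDE_OPEN_SG = [{"direction": "ingress", "protocol": "any", "remote_ip_prefix": "::/0"}]

if __name__ == "__main__":
    print("admin policy noncompliant:", policy_grants_admin_access(ADMIN_POLICY))
    print("services granted all actions:", services_with_all_actions(SCOPED_POLICY))
    print("SSH exposed to any source:", sg_exposes_port(OPEN_SSH_SG, 22))
    print("all ports open to any source:", sg_opens_all_ports(WIDE_OPEN_SG))
```

The IPv4 and IPv6 "any" prefixes are compared as parsed networks rather than as strings, so spellings such as `0.0.0.0/0` with a host bit set or a differently written IPv6 zero prefix still match; the checks deliberately ignore egress rules and Deny statements, since the table's rules describe inbound exposure and granted permissions respectively.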