Conformance Package for Huawei Cloud Security Configuration Guide (Level 1)
This section describes the background, applicable scenario, and rules of the conformance package that meets the requirements of Huawei Cloud Security Configuration Guide at level 1.
Applicable Scenario
Huawei Cloud Security Configuration Guide provides you with baseline configuration guidance for important cloud services. For more details, see Security.
Exemption Clauses
This package provides a general guide to help you quickly create scenario-based conformance packages. The conformance package and the rules it includes apply only to cloud services and do not constitute legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Rules
The guideline numbers in the following table are consistent with the chapter numbers in Huawei Cloud Security Configuration Guide.
| Guideline No. | Guideline Description | Rule | Cloud Service | Description |
|---|---|---|---|---|
| C.CS.FOUNDATION.G_1.R_1 | Ensuring that AK/SK are disabled for the administrator account | iam-root-access-key-check | iam | If the root user has an access key available, the account is noncompliant. |
| C.CS.FOUNDATION.G_1.R_2 | Enabling MFA for the administrator account | root-account-mfa-enabled | iam | If the root user does not have MFA enabled, this root user is noncompliant. |
| C.CS.FOUNDATION.G_1.R_14 | Ensuring that no IAM policy is created to allow the *:* permissions | iam-policy-no-statements-with-admin-access | iam | If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is noncompliant. |
| C.CS.FOUNDATION.G_2.R_1 | Enabling CTS | multi-region-cts-tracker-exists | cts | If there are no enabled CTS trackers in any of the specified regions, the current account is noncompliant. |
| C.CS.FOUNDATION.G_2.R_15 | Enabling log file integrity verification | cts-support-validate-check | cts | If a CTS tracker does not have trace file verification enabled, this tracker is noncompliant. |
| C.CS.FOUNDATION.G_3_3.R_1 | Disabling Kubernetes cluster versions that have reached EOS | cce-cluster-end-of-maintenance-version | cce | If the version of a CCE cluster is no longer supported for maintenance, this cluster is noncompliant. |
| C.CS.FOUNDATION.G_3_3.R_6 | Preventing cluster nodes from being exposed to public networks | cce-endpoint-public-access | cce | If a CCE cluster has an EIP attached, this CCE cluster is noncompliant. |
| C.CS.FOUNDATION.G_4.R_1 | Disabling Internet access over SSH | vpc-sg-restricted-ssh | vpc | If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0 or ::/0) and opens TCP port 22, this security group is noncompliant. |
| C.CS.FOUNDATION.G_4.R_4 | Disabling access to remote management ports and high-risk ports from the source IP address 0.0.0.0/0 for security groups | vpc-sg-restricted-common-ports | vpc | If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is noncompliant. |
| C.CS.FOUNDATION.G_5_1.R_2 | Disabling anonymous access | obs-bucket-policy-not-more-permissive | obs | If an OBS bucket policy allows more permissions than the specified policy, this bucket policy is noncompliant. |
| C.CS.FOUNDATION.G_5_1.R_5 | Using bucket policies to restrict access to OBS buckets to HTTPS | obs-bucket-ssl-requests-only | obs | If an OBS bucket allows HTTP requests, this bucket is noncompliant. |
| C.CS.FOUNDATION.G_6_1.R_1 | Enabling encrypted communication | rds-instance-ssl-enable | rds | If SSL is not enabled for an RDS instance, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_1.R_5 | Do not bind an EIP to access RDS for MySQL over the Internet | rds-instance-no-public-ip | rds | If an RDS instance has an EIP attached, this RDS instance is noncompliant. |
| C.CS.FOUNDATION.G_6_2.R_1 | Enabling encrypted communication | dds-instance-enable-ssl | dds | If SSL is not enabled for a DDS instance, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_2.R_7 | Do not use the default port | dds-instance-port-check | dds | If a DDS instance has disallowed ports enabled, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_2.R_8 | Patch upgrade | dds-instance-engine-version-check | dds | If the version of a DDS instance is earlier than the specified version, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_3.R_2 | Enabling the backup function and configuring a backup policy | rds-instance-enable-backup | rds | If backup is not enabled for an RDS instance, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_3.R_4 | Do not use the default port | rds-instance-port-check | rds | If an RDS instance has disallowed ports enabled, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_3.R_8 | Update the database version to the latest version | rds-instance-engine-version-check | rds | If the engine version of an RDS instance is earlier than the specified version, this instance is noncompliant. |
| C.CS.FOUNDATION.G_7_2.R_1 | Enabling Kerberos authentication | mrs-cluster-kerberos-enabled | mrs | If an MRS cluster does not have Kerberos authentication enabled, this cluster is noncompliant. |
| C.CS.FOUNDATION.G_7_2.R_3 | EIP security group management and control | mrs-cluster-no-public-ip | mrs | If an MRS cluster has an EIP attached, this cluster is noncompliant. |
| C.CS.FOUNDATION.G_7_2.R_3 | EIP security group management and control | mrs-cluster-in-vpc | mrs | If an MRS cluster is not in the specified VPC, this cluster is noncompliant. |
| C.CS.FOUNDATION.G_7_3.R_6 | Enabling SSL encrypted transmission | dws-enable-ssl | dws | If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
| C.CS.FOUNDATION.G_8.R_1 | Enabling WAF | waf-instance-enable-protect | waf | If domain name protection is not enabled for a WAF instance, this instance is noncompliant. |
| C.CS.FOUNDATION.G_8.R_2 | Configuring a geolocation access rule in WAF | waf-policy-enable-geoip | waf | If a WAF protection policy does not have geolocation access control configured or enabled, the current account is noncompliant. |
| C.CS.FOUNDATION.G_8.R_5 | Enabling WAF basic web protection block mode | waf-instance-enable-block-policy | waf | If a WAF instance does not have a block policy associated, this instance is noncompliant. |
| C.CS.FOUNDATION.G_8.R_7 | Enabling HSS (basic/professional/enterprise/premium edition) | ecs-attached-hss-agents-check | ecs | If an ECS does not have an HSS agent attached, this ECS is noncompliant. |
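The rule descriptions in the table are evaluation predicates: a resource is compliant unless the stated condition holds. The following added example (not Huawei Cloud Config's own rule code) shows how three of those predicates can be written and run against constructed resource records: iam-policy-no-statements-with-admin-access (an Allow statement with action `*`, `*:*` or `*:*:*`), vpc-sg-restricted-ssh (TCP 22 reachable from 0.0.0.0/0 or ::/0) and vpc-sg-restricted-common-ports (the same check for a configurable port set). The security group field names (`direction`, `protocol`, `port_range_min`, `port_range_max`, `remote_ip_prefix`), the `Statement`/`Effect`/`Action` policy layout and the `COMMON_PORTS` default are simplifications assumed for the example, as is the `SAMPLE` inventory.

```python
"""Constructed evaluators for three rules in the conformance package table.

These are not Huawei Cloud Config's implementations; resource shapes are
simplified and the inventory below is constructed for illustration.
"""
from ipaddress import ip_network

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")
# Action values the table names as "allow all actions for all cloud services".
ADMIN_ACTIONS = {"*", "*:*", "*:*:*"}
# Assumed default for the "specified ports" parameter of
# vpc-sg-restricted-common-ports (remote management and database ports).
COMMON_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def iam_policy_has_admin_access(policy: dict) -> bool:
    """True (noncompliant) if any Allow statement grants *, *:* or *:*:*."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(action in ADMIN_ACTIONS for action in actions):
            return True
    return False


def _is_any_source(cidr: str) -> bool:
    """True if the source prefix is the whole IPv4 or IPv6 address space."""
    try:
        net = ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net in (ANY_V4, ANY_V6)


def _rule_covers_port(rule: dict, port: int) -> bool:
    """A rule with no port bounds (e.g. protocol 'any') matches every port."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None or hi is None:
        return True
    return lo <= port <= hi


def sg_exposes_ports(security_group: dict, ports: set) -> set:
    """Return the subset of `ports` reachable from 0.0.0.0/0 or ::/0 through
    an ingress rule. An empty set means the security group is compliant."""
    exposed = set()
    for rule in security_group.get("security_group_rules", []):
        if rule.get("direction") != "ingress":
            continue
        if not _is_any_source(rule.get("remote_ip_prefix") or ""):
            continue
        # Only TCP rules or protocol-agnostic ("any"/unset) rules can open these ports.
        if rule.get("protocol") not in (None, "any", "tcp"):
            continue
        exposed |= {p for p in ports if _rule_covers_port(rule, p)}
    return exposed


def evaluate(resources: dict) -> list:
    """Run the three rules over an inventory; returns (rule, resource id, compliant)."""
    findings = []
    for policy in resources.get("iam_policies", []):
        findings.append(("iam-policy-no-statements-with-admin-access",
                         policy["id"], not iam_policy_has_admin_access(policy)))
    for sg in resources.get("security_groups", []):
        findings.append(("vpc-sg-restricted-ssh", sg["id"],
                         not sg_exposes_ports(sg, {22})))
        findings.append(("vpc-sg-restricted-common-ports", sg["id"],
                         not sg_exposes_ports(sg, COMMON_PORTS)))
    return findings


# Constructed inventory: one admin-equivalent policy, one scoped policy, and
# three security groups with different exposure.
SAMPLE = {
    "iam_policies": [
        {"id": "policy-admin",
         "Statement": [{"Effect": "Allow", "Action": ["*:*:*"]}]},
        {"id": "policy-readonly",
         "Statement": [{"Effect": "Allow", "Action": ["obs:object:GetObject"]}]},
    ],
    "security_groups": [
        {"id": "sg-open", "security_group_rules": [
            {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
             "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"}]},
        {"id": "sg-bastion-only", "security_group_rules": [
            {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
             "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/8"},
            {"direction": "ingress", "protocol": "tcp", "port_range_min": 443,
             "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"}]},
        {"id": "sg-wide-open", "security_group_rules": [
            {"direction": "ingress", "protocol": None, "remote_ip_prefix": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for rule, resource_id, compliant in evaluate(SAMPLE):
        print(f"{rule:45} {resource_id:16} {'compliant' if compliant else 'NONCOMPLIANT'}")
```

Note that `sg-bastion-only` stays compliant even though it exposes 443 to the world: both VPC rules only test the specified port set, so a deliberately public HTTPS port is not a finding, while `sg-wide-open` fails both rules because a protocol-agnostic rule with no port bounds covers every port.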