
Elective Governance Policies

Updated on 2025-02-28 GMT+08:00

* (policies that apply to any resource type)

In the Mandatory column, Yes/No states whether the policy's parameter must be set (where a policy takes several parameters, each is listed with its own value); N/A means the policy takes no parameters.

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_REGULAR_MATCHING_OF_NAMES | Checks whether a resource name matches a regular expression pattern. This policy is non-compliant if the resource name does not match. | Protecting configurations | Low | * | Yes |
| RGC-GR_CONFIG_RESOURCE_IN_ENTERPRISE_PROJECT | Checks whether a resource belongs to a specified enterprise project. This policy is non-compliant if the resource does not belong to a specified enterprise project. | Protecting configurations | Low | * | Yes |
| RGC-GR_CONFIG_RESOURCES_IN_ALLOWED_TYPES | Checks whether a user creates a resource of a type outside the specified (allowed) types. This policy is non-compliant if such resources are created. | Protecting configurations | Low | * | No |
| RGC-GR_CONFIG_RESOURCES_IN_NOT_ALLOWED_TYPES | Checks whether a user creates a resource of a specified (prohibited) type. This policy is non-compliant if such resources are created. | Protecting configurations | Low | * | No |
| RGC-GR_CONFIG_RESOURCES_IN_SUPPORTED_REGION | Checks whether a resource is in a specified region. This policy is non-compliant if the resource is not in the specified region. | Protecting configurations | Low | * | No |
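
The five generic policies above all reduce to a predicate over a few resource attributes. The evaluator below is an added example (not RGC's own engine) that applies each of them to a constructed inventory and reports the non-compliant resources per policy; the `Resource` fields, the parameter names in `SAMPLE_PARAMS` and the inventory are assumptions for the demonstration. It also shows why the name check must anchor its regular expression: with `re.search`, the naming rule `prod-.*` would also accept `my-prod-web-01`.

```python
"""Illustrative evaluator for the five generic RGC policies in the table
above (the ones whose Resource column is "*").

Added example code, not RGC's own engine. The Resource fields (rtype, name,
region, enterprise_project), the parameter names in SAMPLE_PARAMS and the
inventory are constructed for this demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    rtype: str                # resource type, e.g. "ecs:::instanceV1"
    name: str
    region: str
    enterprise_project: str


# Constructed sample inventory (not real data).
INVENTORY = [
    Resource("ecs:::instanceV1", "prod-web-01", "ap-southeast-1", "ep-prod"),
    Resource("ecs:::instanceV1", "my-prod-web-01", "ap-southeast-1", "ep-prod"),
    Resource("evs:::volume", "prod-data-01", "ap-southeast-3", "ep-prod"),
    Resource("obs:::bucket", "prod-logs", "ap-southeast-1", "default"),
]

# Constructed parameter set (the names are this example's, not RGC's).
SAMPLE_PARAMS = {
    "name_pattern": r"prod-.*",
    "enterprise_projects": {"ep-prod"},
    "allowed_types": {"ecs:::instanceV1", "evs:::volume"},
    "blocked_types": {"obs:::bucket"},
    "regions": {"ap-southeast-1"},
}


def name_matches(res, pattern):
    """RGC-GR_CONFIG_REGULAR_MATCHING_OF_NAMES. fullmatch anchors the pattern
    at both ends; re.search would also accept "my-prod-web-01" for the
    naming rule "prod-.*" and silently weaken the control."""
    return re.fullmatch(pattern, res.name) is not None


def in_enterprise_project(res, projects):
    """RGC-GR_CONFIG_RESOURCE_IN_ENTERPRISE_PROJECT."""
    return res.enterprise_project in projects


def in_allowed_types(res, allowed):
    """RGC-GR_CONFIG_RESOURCES_IN_ALLOWED_TYPES: allow-list semantics."""
    return res.rtype in allowed


def not_in_blocked_types(res, blocked):
    """RGC-GR_CONFIG_RESOURCES_IN_NOT_ALLOWED_TYPES: block-list semantics,
    the inverse of the allow-list check."""
    return res.rtype not in blocked


def in_supported_region(res, regions):
    """RGC-GR_CONFIG_RESOURCES_IN_SUPPORTED_REGION."""
    return res.region in regions


def evaluate(inventory, params):
    """Map each policy name to the names of its non-compliant resources."""
    checks = {
        "RGC-GR_CONFIG_REGULAR_MATCHING_OF_NAMES":
            lambda r: name_matches(r, params["name_pattern"]),
        "RGC-GR_CONFIG_RESOURCE_IN_ENTERPRISE_PROJECT":
            lambda r: in_enterprise_project(r, params["enterprise_projects"]),
        "RGC-GR_CONFIG_RESOURCES_IN_ALLOWED_TYPES":
            lambda r: in_allowed_types(r, params["allowed_types"]),
        "RGC-GR_CONFIG_RESOURCES_IN_NOT_ALLOWED_TYPES":
            lambda r: not_in_blocked_types(r, params["blocked_types"]),
        "RGC-GR_CONFIG_RESOURCES_IN_SUPPORTED_REGION":
            lambda r: in_supported_region(r, params["regions"]),
    }
    return {policy: [r.name for r in inventory if not check(r)]
            for policy, check in checks.items()}


if __name__ == "__main__":
    for policy, names in evaluate(INVENTORY, SAMPLE_PARAMS).items():
        print(f"{policy}: {'compliant' if not names else names}")
```

Running it against the constructed inventory flags `my-prod-web-01` for the naming rule, `prod-data-01` for the region rule and the `prod-logs` bucket for the project, allowed-type and blocked-type rules, which is the kind of per-policy list an RGC compliance report gives you.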

APIG

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_APIG_INSTANCES_EXECUTION_LOGGING_ENABLED | Checks whether a dedicated API gateway is configured with access logs. This policy is non-compliant if the gateway is not configured with access logs. | Establishing logging and monitoring | Medium | apig:::instance | N/A |

Auto Scaling

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_AS_CAPACITY_REBALANCING | Checks whether the scaling policy of EQUILIBRIUM_DISTRIBUTE is applied when an AS group scales in or out. This policy is non-compliant if this scaling policy is not applied. | Improving availability | Medium | as:::group | N/A |
| RGC-GR_CONFIG_AS_GROUP_ELB_HEALTHCHECK_REQUIRED | Checks whether ELB health check is enabled for an AS group associated with load balancers. This policy is non-compliant if health check is not enabled. | Improving availability | Low | as:::group | N/A |
| RGC-GR_CONFIG_AS_MULTIPLE_AZ | Checks whether an auto scaling (AS) group is deployed in multiple AZs. This policy is non-compliant if the group is not deployed in multiple AZs. | Improving availability | Medium | as:::group | N/A |
| RGC-GR_CONFIG_AS_GROUP_IPV6_DISABLED | Checks whether an IPv6 shared bandwidth is assigned to an AS group. This policy is non-compliant if an IPv6 shared bandwidth is assigned. | Optimizing costs | Low | as:::group | N/A |
| RGC-GR_RFS_AS_GROUP_MULTIPLE_AZ_CHECK | Requires an AS group to have multiple AZs. | Improving availability | Medium | as:::group | N/A |

CBR

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_CBR_POLICY_MINIMUM_FREQUENCY_CHECK | Checks whether the execution frequency of a backup policy is within the specified range. This policy is non-compliant if the frequency is lower than the specified range. | Preparing for disaster recovery | Medium | cbr:::policy | N/A |
| RGC-GR_CONFIG_CBR_VAULT_MINIMUM_RETENTION_CHECK | Checks whether a CBR vault has a backup policy attached whose retention meets the required number of days. This policy is non-compliant if the vault has no policy attached or none of its policies meets the retention requirement. | Preparing for disaster recovery | Medium | cbr:::vault | N/A |

CBR and ECS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ECS_PROTECTED_BY_CBR | Checks whether an ECS has backup vaults attached. This policy is non-compliant if the ECS has no backup vaults attached. | Preparing for disaster recovery | Medium | ecs:::instanceV1 | N/A |
| RGC-GR_CONFIG_ECS_LAST_BACKUP_CREATED | Checks whether an ECS has a backup created within the specified time period. This policy is non-compliant if the most recent backup of the ECS is older than the specified time period. | Preparing for disaster recovery | Low | ecs:::instanceV1 | N/A |

CBR and EVS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_EVS_PROTECTED_BY_CBR | Checks whether an EVS disk has backup vaults attached. This policy is non-compliant if the disk has no backup vaults attached. | Preparing for disaster recovery | Medium | evs:::volume | N/A |
| RGC-GR_CONFIG_EVS_LAST_BACKUP_CREATED | Checks whether an EVS disk has a backup created within the specified time period. This policy is non-compliant if the most recent backup of the disk is older than the specified time period. | Preparing for disaster recovery | Low | evs:::volume | N/A |

CBR and SFS Turbo

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_SFSTURBO_PROTECTED_BY_CBR | Checks whether an SFS Turbo system has backup vaults attached. This policy is non-compliant if the system has no backup vaults attached. | Preparing for disaster recovery | Medium | sfs:::turbo | N/A |

CCE

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_CCE_CLUSTER_END_OF_MAINTENANCE_VERSION | Checks whether a CCE cluster version is end of maintenance (EOM). This policy is non-compliant if the version is EOM. | Managing vulnerabilities | Medium | cce:::cluster | N/A |
| RGC-GR_CONFIG_CCE_CLUSTER_OLDEST_SUPPORTED_VERSION | Checks whether a CCE cluster is using the oldest supported version. This policy is non-compliant if the cluster is using the oldest supported version. | Managing vulnerabilities | Medium | cce:::cluster | N/A |
| RGC-GR_CONFIG_ALLOWED_CCE_FLAVORS | Checks whether the flavors of a CCE cluster match any of the specified flavors. This policy is non-compliant if the flavors do not match. | Protecting configurations | Low | cce:::cluster | No |
| RGC-GR_RFS_CCE_SECRETS_ENCRYPTED_CHECK | Requires secrets in a CCE cluster to be encrypted using KMS keys. | Encrypting data at rest | Medium | cce:::cluster | N/A |

CCM

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_PCA_CERTIFICATE_AUTHORITY_ROOT_DISABLE | Checks whether private root CAs are disabled. This policy is non-compliant if a private root CA is not disabled. | Managing confidentiality | Medium | scm:::certificate | N/A |
| RGC-GR_CONFIG_PCA_ALGORITHM_CHECK | Checks whether a private certificate uses a blocked key algorithm or signature hash algorithm. This policy is non-compliant if such an algorithm is used. | Encrypting data in transit | High | ccm:::privateCertificate | blockedKeyAlgorithm: No; blockedSignatureAlgorithm: No |

Cloud Eye

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_ACTION_ENABLED_CHECK | Checks whether the alarm action of a Cloud Eye alarm rule is enabled. This policy is non-compliant if the alarm action is not enabled. | Establishing logging and monitoring | Medium | ces:::alarmRule | N/A |
| RGC-GR_CONFIG_ALARM_RESOURCE_CHECK | Checks whether a resource has the specified metrics associated for alarming. This policy is non-compliant if the resource has no specified metrics associated. | Establishing logging and monitoring | Low | ces:::alarmRule | provider: Yes; resourceType: Yes; metricName: Yes |
| RGC-GR_CONFIG_ALARM_SETTINGS_CHECK | Checks whether the alarm settings of a specified metric meet the requirements. This policy is non-compliant if the requirements are not met. | Establishing logging and monitoring | Low | ces:::alarmRule | metricName: Yes; threshold: Yes; count: Yes; period: Yes; comparisonOperator: Yes; filter: Yes |
| RGC-GR_RFS_CES_ALARM_ACTION_CHECK | Requires an action to be configured for a Cloud Eye alarm state. | Establishing logging and monitoring | High | ces:::alarmRule | N/A |
| RGC-GR_RFS_CES_ALARM_ACTION_ENABLED_CHECK | Requires a Cloud Eye alarm action to be enabled. | Establishing logging and monitoring | Critical | ces:::alarmRule | N/A |

Cloud Eye and DEW

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_KMS_DISABLE_OR_DELETE_KEY | Checks whether alarms are configured to monitor KMS key disabling and scheduled key deletion operations. This policy is non-compliant if no such alarms are configured. | Establishing logging and monitoring | Critical | ces:::alarmRule | N/A |

Cloud Eye and OBS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_OBS_BUCKET_POLICY_CHANGE | Checks whether alarms are configured to monitor the changes of OBS bucket policies. This policy is non-compliant if no alarms are configured. | Establishing logging and monitoring | Critical | ces:::alarmRule | N/A |

Cloud Eye and VPC

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ALARM_VPC_CHANGE | Checks whether alarms are configured to monitor VPC changes. This policy is non-compliant if no alarms are configured. | Establishing logging and monitoring | High | ces:::alarmRule | N/A |

CFW

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_CFW_POLICY_RULE_GROUP_ASSOCIATED_CHECK | Requires any firewall policy to be associated with a rule group. | Controlling network access | Medium | cfw:::aclRule | N/A |

CodeArts Deploy

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_CODEARTSDEPLOY_HOST_CLUSTER_RESOURCE_STATUS | Checks whether a host cluster in the CodeArts project is available. This policy is non-compliant if the cluster is unavailable. | Improving availability | Low | codeartsDeploy:::host | N/A |

Config

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_TRACKER_CONFIG_ENABLED_CHECK | Checks whether the resource recorder is enabled for an account. This policy is non-compliant if the resource recorder is not enabled. | Establishing logging and monitoring | Medium | rms:::resourceRecorder | N/A |

CSS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_CSS_CLUSTER_BACKUP_AVAILABLE | Checks whether the snapshot function is enabled for a CSS cluster. This policy is non-compliant if this function is not enabled. | Improving resiliency | Medium | css:::cluster | N/A |
| RGC-GR_CONFIG_CSS_CLUSTER_MULTIPLE_AZ_CHECK | Checks whether a CSS cluster is deployed in multiple AZs for disaster recovery. This policy is non-compliant if the cluster is not deployed in multiple AZs. | Improving availability | Medium | css:::cluster | N/A |
| RGC-GR_CONFIG_CSS_CLUSTER_MULTIPLE_INSTANCES_CHECK | Checks whether a CSS cluster has multiple nodes deployed for disaster recovery. This policy is non-compliant if the cluster does not have multiple nodes deployed. | Improving availability | Medium | css:::cluster | N/A |
| RGC-GR_CONFIG_CSS_CLUSTER_IN_VPC | Checks whether a CSS cluster is in the specified VPC. This policy is non-compliant if the cluster is not in the specified VPC. | Controlling network access | Critical | css:::cluster | No |
| RGC-GR_CONFIG_CSS_CLUSTER_SLOWLOG_ENABLE | Checks whether slow query log is enabled for a CSS cluster. This policy is non-compliant if this function is not enabled. | Establishing logging and monitoring | Medium | css:::cluster | N/A |

CTS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_MULTI_REGION_CTS_TRACKER_EXISTS | Checks whether a CTS tracker has been created and enabled for the specified region list for an account. This policy is non-compliant if no trackers are created and enabled for the specified region list. | Establishing logging and monitoring | High | cts:::tracker | No |
| RGC-GR_CONFIG_CTS_OBS_BUCKET_TRACK | Checks whether all CTS trackers in an account track the specified OBS buckets. This policy is non-compliant if the trackers do not track the specified OBS buckets. | Establishing logging and monitoring | High | cts:::tracker | Yes |
| RGC-GR_CONFIG_CTS_TRACKER_ENABLED_SECURITY | Checks whether there are CTS trackers that comply with security best practices. This policy is non-compliant if no such trackers exist. | Establishing logging and monitoring | High | cts:::tracker | No |
| RGC-GR_RFS_CTS_LOG_FILE_VALIDATION_ENABLED_CHECK | Requires log file verification to be enabled for a CTS tracker. | Protecting data integrity | High | cts:::tracker | N/A |
| RGC-GR_RFS_CTS_LOGS_ENABLED_CHECK | Requires a CTS tracker to be configured with an LTS log group. | Establishing logging and monitoring | Low | cts:::tracker | N/A |

DDS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_DDS_INSTANCE_HAMODE | Checks whether a DDS instance uses the specified instance type (HA mode). This policy is non-compliant if the instance type does not match. | Protecting configurations | Low | dds:::instance | No |
| RGC-GR_CONFIG_DDS_INSTANCE_ENGINE_VERSION_CHECK | Checks whether a DDS instance uses the specified engine version or a later one. This policy is non-compliant if the instance uses an earlier version. | Managing vulnerabilities | Low | dds:::instance | No |
| RGC-GR_RFS_DDS_INSTANCE_ENCRYPTED_CHECK | Requires a DDS instance to be encrypted at rest. | Encrypting data at rest | Medium | dds:::instance | N/A |

DEW

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_DEW_KEY_ROTATION_ENABLED_CHECK | Requires rotation to be configured for all KMS keys. | Encrypting data at rest | Medium | kms:::key | N/A |
| RGC-GR_CONFIG_CSMS_SECRETS_AUTO_ROTATION_ENABLED | Checks whether automatic rotation is enabled for CSMS secrets. This policy is non-compliant if automatic rotation is not enabled. | Managing confidentiality | Medium | csms:::secret | N/A |
| RGC-GR_CONFIG_CSMS_SECRETS_PERIODIC_ROTATION | Checks whether a CSMS secret is rotated within the specified number of days. This policy is non-compliant if the secret is not rotated within the specified number of days. | Managing confidentiality | Medium | csms:::secret | N/A |
| RGC-GR_CONFIG_CSMS_SECRETS_USING_CMK | Checks whether a CSMS secret uses the specified KMS keys. This policy is non-compliant if the secret does not use such keys. | Encrypting data at rest | High | csms:::secret | No |

DMS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_KAFKA_MULTIPLE_AZ_CHECK | Requires a Kafka instance to be configured in multiple AZs to achieve HA. | Improving availability | Low | dms:::kafkaInstance | N/A |
| RGC-GR_RFS_ROCKETMQ_MULTIPLE_AZ_CHECK | Requires a RocketMQ instance to be configured in multiple AZs to achieve HA. | Improving availability | Low | dms:::rocketmqInstance | N/A |
| RGC-GR_RFS_RABBITMQ_MULTIPLE_AZ_CHECK | Requires a RabbitMQ instance to be configured in multiple AZs to achieve HA. | Improving availability | Low | dms:::rabbitmqInstance | N/A |
| RGC-GR_RFS_KAFKA_INSTANCE_TLS_CHECK | Requires a Kafka instance to provide TLS connections for supported engines. | Encrypting data in transit | Medium | dms:::kafkaInstance | N/A |
| RGC-GR_RFS_RABBITMQ_INSTANCE_TLS_CHECK | Requires a RabbitMQ instance to provide TLS connections for supported engines. | Encrypting data in transit | Medium | dms:::rabbitmqInstance | N/A |
| RGC-GR_RFS_ROCKETMQ_INSTANCE_TLS_CHECK | Requires a RocketMQ instance to provide TLS connections for supported engines. | Encrypting data in transit | Medium | dms:::rocketmqInstance | N/A |
| RGC-GR_RFS_RABBITMQ_DLQ_CHECK | Requires all RabbitMQ queues to be configured with dead letter queues. | Improving resiliency | High | dms:::rabbitmqInstance | N/A |

DWS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_DWS_ENABLE_SNAPSHOT | Checks whether automated snapshots are enabled for a DWS cluster. This policy is non-compliant if automated snapshots are not enabled. | Improving resiliency | Medium | dws:::cluster | N/A |
| RGC-GR_CONFIG_DWS_MAINTAIN_WINDOW_CHECK | Checks whether the O&M time window of a DWS cluster is consistent with the specified time window. This policy is non-compliant if the time window is not consistent with the specified one. | Preparing for incident response | Medium | dws:::cluster | N/A |
| RGC-GR_CONFIG_DWS_ENABLE_LOG_DUMP | Checks whether log dump is enabled for a DWS cluster. This policy is non-compliant if log dump is not enabled. | Establishing logging and monitoring | Medium | dws:::cluster | N/A |
| RGC-GR_RFS_DWS_CLUSTER_ENCRYPTION_ENABLED_CHECK | Requires all DWS clusters to be encrypted at rest. | Encrypting data at rest | Medium | dws:::cluster | N/A |

ECS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ALLOWED_ECS_FLAVORS | Checks whether an ECS flavor matches the specified one. This policy is non-compliant if the flavor does not match. | Protecting configurations | Low | ecs:::instanceV1 | No |
| RGC-GR_CONFIG_ALLOWED_IMAGES_BY_NAME | Checks whether the name of an ECS image matches one of the specified names. This policy is non-compliant if the image name does not match. | Managing vulnerabilities | High | ecs:::instanceV1 | Yes |
| RGC-GR_CONFIG_STOPPED_ECS_DATE_DIFF | Checks whether a stopped ECS has had no operations performed on it for longer than the specified number of days. This policy is non-compliant if that period is exceeded. | Optimizing costs | Medium | ecs:::instanceV1 | Yes |
| RGC-GR_CONFIG_ECS_ATTACHED_HSS_AGENTS_CHECK | Checks whether an ECS has an HSS agent attached and HSS protection enabled. This policy is non-compliant if the ECS has no HSS agent attached or protection is not enabled. | Managing vulnerabilities | Medium | ecs:::instanceV1 | N/A |

ECS and IMS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ALLOWED_IMAGES_BY_ID | Checks whether the image ID of an ECS matches one of the specified image IDs. This policy is non-compliant if the image ID does not match. | Managing vulnerabilities | High | ecs:::instanceV1 | No |
| RGC-GR_CONFIG_APPROVED_IMS_BY_TAG | Checks whether an ECS uses any of the IMS images with the specified tag. This policy is non-compliant if the ECS does not use such images. | Managing vulnerabilities | Medium | ecs:::instanceV1 | specifiedIMSTagKey: Yes; specifiedIMSTagValue: No |

EIP

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_EIP_USE_IN_SPECIFIED_DAYS | Checks whether an EIP has been bound to an instance within the specified number of days. This policy is non-compliant if the EIP has not been bound within that period. | Optimizing costs | Medium | vpc:::eipAssociate | N/A |

ELB

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ELB_MULTIPLE_AZ_CHECK | Checks whether the load balancer has registered instances in multiple AZs. This policy is non-compliant if the load balancer has registered instances in fewer than two AZs. | Balancing loads | Medium | elb:::loadbalancer | N/A |
| RGC-GR_CONFIG_ELB_MEMBERS_WEIGHT_CHECK | Checks whether the weight of a backend server is 0 while the load balancing algorithm of its backend server group is not SOURCE_IP. This policy is non-compliant if the weight is 0 and the algorithm is not SOURCE_IP. | Improving availability | Low | elb:::member | N/A |
| RGC-GR_RFS_ELB_PREDEFINED_SECURITY_POLICY_CHECK | Requires a predefined security policy to be configured for the HTTPS listener of a dedicated load balancer. | Controlling network access | Medium | elb:::listener | N/A |
| RGC-GR_RFS_LB_TLS_HTTPS_LISTENERS_ONLY_CHECK | Requires HTTPS termination to be configured for the listener of a load balancer on a private network. | Encrypting data in transit | Medium | lb:::listener | N/A |
| RGC-GR_RFS_ELB_TLS_HTTPS_LISTENERS_ONLY_CHECK | Requires HTTPS termination to be configured for the listeners of a dedicated application load balancer or a classic load balancer. | Encrypting data in transit | Medium | elb:::listener | N/A |
| RGC-GR_RFS_ELB_DELETION_PROTECTION_ENABLED_CHECK | Requires deletion protection to be enabled for an application load balancer. | Improving availability | Medium | elb:::loadbalancer | N/A |
| RGC-GR_RFS_ELB_MULTIPLE_AZ_CHECK | Requires all classic load balancers to be configured in multiple AZs. | Improving availability | Medium | elb:::loadbalancer | N/A |

ER

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_ER_INSTANCE_AUTO_VPC_ATTACH_DISABLED_CHECK | Requires an enterprise router not to automatically accept shared attachments (automatic acceptance of attachment requests must be disabled). | Controlling network access | High | er:::instance | N/A |

EVS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_EVS_USE_IN_SPECIFIED_DAYS | Checks whether an EVS disk has been attached to an instance within the specified number of days. This policy is non-compliant if the disk has not been attached within that period. | Optimizing costs | Medium | evs:::volume | N/A |
| RGC-GR_CONFIG_VOLUME_UNUSED_CHECK | Checks whether an EVS disk is attached to a cloud server. This policy is non-compliant if the disk is not attached. | Optimizing costs | High | evs:::volume | N/A |
| RGC-GR_CONFIG_ALLOWED_VOLUME_SPECS | Checks whether the type of an EVS disk is within the allowed type list. This policy is non-compliant if the disk type is not within the list. | Protecting configurations | Low | evs:::volume | No |
| RGC-GR_EVS_ALL_OPERATION_PROHIBITED | Prohibits EVS APIs from being called. | Protecting configurations | Critical | evs:::volume | N/A |
| RGC-GR_ECS_ATTACH_NO_ENCRYPTED_EVS_PROHIBITED | Prohibits an ECS from having an unencrypted EVS disk attached. | Protecting configurations | Critical | evs:::volume | N/A |

FunctionGraph

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_FUNCTION_GRAPH_CONCURRENCY_CHECK | Checks whether the number of concurrent requests of a FunctionGraph function is within the specified range. This policy is non-compliant if the number is not within the specified range. | Improving availability | Medium | fgs:::function | N/A |
| RGC-GR_CONFIG_FUNCTION_GRAPH_INSIDE_VPC | Checks whether a FunctionGraph function is in the specified VPC. This policy is non-compliant if the function is not in the specified VPC. | Controlling network access | Low | fgs:::function | No |
| RGC-GR_CONFIG_FUNCTION_GRAPH_SETTINGS_CHECK | Checks whether the runtime, timeout duration, or memory limit of a FunctionGraph function is within the specified range. This policy is non-compliant if they are not within the specified range. | Managing vulnerabilities | Medium | fgs:::function | No |
| RGC-GR_CONFIG_FUNCTION_GRAPH_LOGGING_ENABLED | Checks whether logging is enabled for a FunctionGraph function. This policy is non-compliant if logging is not enabled. | Establishing logging and monitoring | Medium | fgs:::function | N/A |

GaussDB

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for a GaussDB instance. This policy is non-compliant if audit logging is not enabled. | Establishing logging and monitoring | Medium | gaussdb:::opengaussInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for a GaussDB instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::opengaussInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_ERRORLOG | Checks whether error log collection is enabled for a GaussDB instance. This policy is non-compliant if error log collection is not enabled. | Establishing logging and monitoring | Low | gaussdb:::opengaussInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for a GaussDB instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::opengaussInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_INSTANCE_MULTIPLE_AZ_CHECK | Checks whether a GaussDB resource is deployed across AZs. This policy is non-compliant if the resource is not deployed across AZs. | Improving availability | Medium | gaussdb:::opengaussInstance | N/A |

GeminiDB

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_GAUSSDB_NOSQL_DEPLOY_IN_SINGLE_AZ | Checks whether GeminiDB is deployed in a single AZ. This policy is non-compliant if GeminiDB is deployed in a single AZ. | Improving availability | Medium | gaussdb:::mongoInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_BACKUP | Checks whether backup is enabled for GeminiDB. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::mongoInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_ENABLE_ERROR_LOG | Checks whether error logging is enabled for GeminiDB. This policy is non-compliant if error logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mongoInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_NOSQL_SUPPORT_SLOW_LOG | Checks whether GeminiDB supports slow-query logging. This policy is non-compliant if slow-query logging is not supported. | Establishing logging and monitoring | Low | gaussdb:::mongoInstance | N/A |
| RGC-GR_RFS_GAUSSDB_MONGO_INSTANCE_TLS_CHECK | Requires a GaussDB(for Mongo) instance to provide TLS connections for supported engines. | Encrypting data in transit | Medium | gaussdb:::mongoInstance | N/A |
| RGC-GR_RFS_GAUSSDB_MONGO_INSTANCE_AUTO_BACKUP_CHECK | Requires automatic backup to be configured for a GaussDB(for Mongo) instance. | Improving resiliency | Medium | gaussdb:::mongoInstance | N/A |
| RGC-GR_RFS_GAUSSDB_REDIS_INSTANCE_AUTO_BACKUP_CHECK | Requires a GaussDB Redis instance to be automatically backed up. | Improving resiliency | Medium | gaussdb:::redisInstance | N/A |
| RGC-GR_RFS_GAUSSDB_REDIS_INSTANCE_TLS_CHECK | Requires a GaussDB Redis instance to provide TLS connections for supported engines. | Encrypting data in transit | Medium | gaussdb:::redisInstance | N/A |

GES

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_GES_GRAPHS_LTS_ENABLE | Checks whether LTS is enabled for GES graphs. This policy is non-compliant if LTS is not enabled. | Establishing logging and monitoring | Medium | ges:::graph | N/A |
| RGC-GR_CONFIG_GES_GRAPHS_MULTI_AZ_SUPPORT | Checks whether GES supports cross-AZ HA. This policy is non-compliant if cross-AZ HA is not supported. | Improving availability | Medium | ges:::graph | N/A |

IAM

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS | Checks whether an IAM policy allows any blocked action on KMS keys. This policy is non-compliant if the IAM policy allows such actions. | Enforcing the least privilege | Medium | identity:::role; identity:::protectionPolicy | N/A |
| RGC-GR_CONFIG_IAM_USER_CHECK_NON_ADMIN_GROUP | Checks whether a non-root user is added to the admin user group. This policy is non-compliant if such users are added. | Enforcing the least privilege | Low | identity:::user | N/A |
| RGC-GR_CONFIG_IAM_USER_NO_POLICIES_CHECK | Checks whether an IAM user is directly assigned a policy or permission. This policy is non-compliant if the user is directly assigned a policy or permission. | Enforcing the least privilege | Low | identity:::user | N/A |
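
The blocked-KMS-actions check above is only as good as its handling of wildcards: a statement that allows `kms:cmk:*` or `*` grants key deletion just as surely as one that names the action. The following is an added example (not RGC's own evaluator) that applies the policy's semantics to constructed IAM custom-policy documents. The documents follow the general Version/Statement/Effect/Action shape of an IAM custom policy, but the KMS action names, the blocked list and the assumption that an explicit Deny overrides an Allow are this example's, not the page's.

```python
"""Illustrative check with the semantics of
RGC-GR_CONFIG_IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS: does an IAM custom
policy allow any blocked action on KMS keys?

Added example, not RGC's own evaluator. The policy documents follow the
general Version/Statement/Effect/Action shape of an IAM custom policy, but
the KMS action names and the blocked list are assumed for this
demonstration and are not taken from the page.
"""
import json
import re

# Assumed blocked actions (key destruction or disabling); not from the page.
BLOCKED_KMS_ACTIONS = (
    "kms:cmk:delete",
    "kms:cmk:disable",
    "kms:cmk:scheduleKeyDeletion",
)

# Constructed policy documents (not real data).
BROAD_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:cmk:list", "kms:cmk:encryptData"]},
        {"Effect": "Allow", "Action": ["kms:cmk:*"]},   # wildcard covers delete/disable
        {"Effect": "Deny", "Action": ["kms:cmk:delete"]},
    ],
})
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:cmk:list", "kms:cmk:encryptData", "kms:cmk:decryptData"]},
    ],
})
ADMIN_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["*"]}],
})


def action_matches(pattern, action):
    """IAM-style wildcard match: '*' stands for any run of characters, so
    'kms:cmk:*' and '*' both cover 'kms:cmk:delete'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action) is not None


def blocked_actions_allowed(policy_json, blocked=BLOCKED_KMS_ACTIONS):
    """Return the blocked actions the policy effectively grants.

    Assumption: an explicit Deny that matches an action overrides any Allow
    for it, as in the usual IAM evaluation model."""
    doc = json.loads(policy_json)
    allowed, denied = set(), set()
    for statement in doc.get("Statement", []):
        effect = statement.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        bucket = allowed if effect == "Allow" else denied
        for target in blocked:
            if any(action_matches(pattern, target) for pattern in actions):
                bucket.add(target)
    return sorted(allowed - denied)


def is_compliant(policy_json, blocked=BLOCKED_KMS_ACTIONS):
    """Compliant only when no blocked action is allowed."""
    return not blocked_actions_allowed(policy_json, blocked)


if __name__ == "__main__":
    for label, doc in (("broad", BROAD_POLICY),
                       ("least-privilege", LEAST_PRIVILEGE_POLICY),
                       ("admin", ADMIN_POLICY)):
        print(label, "compliant" if is_compliant(doc)
              else blocked_actions_allowed(doc))
```

For the constructed `BROAD_POLICY` the explicit Deny removes only `kms:cmk:delete`; the wildcard still leaves `kms:cmk:disable` and `kms:cmk:scheduleKeyDeletion` allowed, which is exactly the finding a reviewer reading the statements one by one is likely to miss.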

LTS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_LTS_GROUP_RETENTION_PERIOD_CHECK | Requires a log group to be retained for at least 180 days. | Establishing logging and monitoring | Medium | lts:::group | N/A |

MRS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_MRS_CLUSTER_MULTIAZ_DEPLOYMENT | Checks whether an MRS cluster is deployed in multiple AZs. This policy is non-compliant if the cluster is not deployed in multiple AZs. | Improving availability | Medium | mrs:::cluster | N/A |
| RGC-GR_CONFIG_MRS_CLUSTER_ENCRYPT_ENABLE | Requires KMS keys not to be in the pending-deletion state. | Protecting data integrity | Medium | mrs:::cluster | N/A |

Network and ACL

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_NACL_NO_UNRESTRICTED_SSH_RDP_CHECK | Requires network ACLs not to allow access to port 22 (SSH) or 3389 (RDP) from 0.0.0.0/0. | Controlling network access | Medium | network:::aclRule | N/A |
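
The SSH/RDP rule above is easy to evade by accident: an allow rule for the port range 20-25, or a protocol "any" rule with no port restriction, exposes port 22 just as an explicit 22-22 rule does. The following is an added example (not RGC's own evaluator) that applies the policy's semantics to a constructed rule set, treating port ranges and protocol "any" as overlaps. The rule field names and sample rules are this example's, not the network ACL API schema; it treats ::/0 like 0.0.0.0/0 as a generalization beyond what the policy text states, and it ignores rule priority, so a deny rule ordered before an allow rule would still produce a finding here.

```python
"""Illustrative check with the semantics of
RGC-GR_RFS_NACL_NO_UNRESTRICTED_SSH_RDP_CHECK.

Added example, not RGC's own evaluator. The rule fields (direction, action,
protocol, source_cidr, dest_ports) and the rule set below are constructed
for this demonstration and do not mirror the network ACL API schema.
"""
import ipaddress

ADMIN_PORTS = {22, 3389}                   # SSH and RDP, as named by the policy
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")
ANY_IPV6 = ipaddress.ip_network("::/0")    # generalization: IPv6 "anywhere"

# Constructed sample rules (not real data).
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "action": "allow", "protocol": "tcp",
     "source_cidr": "0.0.0.0/0", "dest_ports": "22-22"},
    {"id": "r2", "direction": "ingress", "action": "allow", "protocol": "tcp",
     "source_cidr": "10.0.0.0/8", "dest_ports": "3389-3389"},
    {"id": "r3", "direction": "ingress", "action": "allow", "protocol": "any",
     "source_cidr": "0.0.0.0/0", "dest_ports": "all"},
    {"id": "r4", "direction": "ingress", "action": "allow", "protocol": "tcp",
     "source_cidr": "0.0.0.0/0", "dest_ports": "20-25"},
    {"id": "r5", "direction": "ingress", "action": "deny", "protocol": "tcp",
     "source_cidr": "0.0.0.0/0", "dest_ports": "22-22"},
    {"id": "r6", "direction": "egress", "action": "allow", "protocol": "tcp",
     "source_cidr": "0.0.0.0/0", "dest_ports": "3389-3389"},
    {"id": "r7", "direction": "ingress", "action": "allow", "protocol": "tcp",
     "source_cidr": "::/0", "dest_ports": "3389-3389"},
]


def port_range(spec):
    """'all' (or None) -> (0, 65535); '22-22' -> (22, 22); '22' -> (22, 22)."""
    if spec in (None, "", "all"):
        return 0, 65535
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    return lo, (int(hi) if hi else lo)


def covers_everyone(cidr):
    """True when the source prefix is the whole address space. The policy
    names 0.0.0.0/0; ::/0 is treated the same here (assumption)."""
    return ipaddress.ip_network(cidr, strict=False) in (ANY_IPV4, ANY_IPV6)


def exposes_admin_port(rule):
    """A rule is a finding when it is an inbound allow for TCP or any
    protocol, from anywhere, whose port range overlaps 22 or 3389."""
    if rule["direction"] != "ingress" or rule["action"] != "allow":
        return False
    if rule["protocol"] not in ("tcp", "any"):
        return False
    if not covers_everyone(rule["source_cidr"]):
        return False
    lo, hi = port_range(rule["dest_ports"])
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def unrestricted_ssh_rdp_rules(rules):
    """Return the ids of rules violating the policy (empty list = compliant)."""
    return [rule["id"] for rule in rules if exposes_admin_port(rule)]


if __name__ == "__main__":
    print(unrestricted_ssh_rdp_rules(SAMPLE_RULES))
```

On the constructed rules the check reports r1 (explicit 22), r3 (any protocol, all ports), r4 (range 20-25 overlapping 22) and r7 (::/0); r2 is scoped to 10.0.0.0/8, r5 is a deny and r6 is egress, so none of those is a finding.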

RDS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for an RDS instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | rds:::instance | N/A |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_ERRORLOG | Checks whether error log collection is enabled for an RDS instance. This policy is non-compliant if error log collection is not enabled. | Establishing logging and monitoring | Low | rds:::instance | N/A |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for an RDS instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | rds:::instance | N/A |
| RGC-GR_CONFIG_RDS_INSTANCE_LOGGING_ENABLED | Checks whether logs are collected for an RDS instance. This policy is non-compliant if no logs are collected. | Establishing logging and monitoring | Medium | rds:::instance | N/A |
| RGC-GR_CONFIG_RDS_INSTANCE_MULTI_AZ_SUPPORT | Checks whether an RDS instance can only be deployed in one AZ. This policy is non-compliant if the instance can only be deployed in one AZ. | Improving availability | Medium | rds:::instance | N/A |
| RGC-GR_CONFIG_ALLOWED_RDS_FLAVORS | Checks whether the flavor of an RDS instance is within the specified range. This policy is non-compliant if the flavor is not within the specified range. | Protecting configurations | Low | rds:::instance | N/A |
| RGC-GR_CONFIG_RDS_INSTANCES_IN_VPC | Checks whether an RDS resource is in the specified VPC. This policy is non-compliant if the resource is not in the specified VPC. | Controlling network access | High | rds:::instance | No |
| RGC-GR_CONFIG_RDS_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for an RDS resource and whether the audit logs are retained for the specified period of time. This policy is non-compliant if audit logging is not enabled or the audit logs cannot be retained for the specified period of time. | Establishing logging and monitoring | Medium | rds:::instance | N/A |
| RGC-GR_CONFIG_RDS_INSTANCE_ENGINE_VERSION_CHECK | Checks whether the version of the database engine for an RDS instance is earlier than the specified version. This policy is non-compliant if the version is earlier than the specified one. | Managing vulnerabilities | Low | rds:::instance | postgresqlVersion: No; mariadbVersion: No; mysqlVersion: No; sqlserverVersion: No |
| RGC-GR_RFS_RDS_INSTANCE_DEPLOYED_IN_VPC_CHECK | Requires a VPC to be configured for an RDS instance. | Controlling network access | High | rds:::instance | N/A |
| RGC-GR_RFS_RDS_DB_SECURITY_GROUP_NOT_ALLOWED_CHECK | Requires a database security group to be configured for an RDS instance. | Controlling network access | Medium | rds:::instance | N/A |
| RGC-GR_RFS_RDS_INSTANCE_MULTIPLE_AZ_CHECK | Requires an RDS instance to be configured in multiple AZs to achieve HA. | Improving availability | Medium | rds:::instance | N/A |
| RGC-GR_RFS_RDS_INSTANCE_TLS_CHECK | Requires an RDS instance to provide TLS connections for supported engines. | Encrypting data in transit | Medium | rds:::instance | N/A |
| RGC-GR_RFS_RDS_INSTANCE_BACKUP_ENABLED_CHECK | Requires automatic backup to be configured for an RDS instance. | Improving resiliency | Medium | rds:::instance | N/A |

OBS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_OBS_BUCKET_DEFAULT_ENCRYPTION_KMS_CHECK | Requires an OBS bucket to use KMS keys to configure server-side encryption. | Encrypting data at rest | Medium | obs:::bucket | N/A |
| RGC-GR_RFS_OBS_BUCKET_VERSIONING_ENABLED_CHECK | Requires versioning to be enabled for an OBS bucket. | Improving availability | Low | obs:::bucket | N/A |
| RGC-GR_RFS_OBS_BUCKET_LOGGING_ENABLED_CHECK | Requires logging to be enabled for an OBS bucket. | Establishing logging and monitoring | Medium | obs:::bucket | N/A |

OBS and Access Analyzer

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_OBS_BUCKET_BLACKLISTED_ACTIONS_PROHIBITED | Checks whether an OBS bucket policy allows external users to perform any blacklisted action. This policy is non-compliant if the bucket policy allows such actions. | Enforcing the least privilege | High | obs:::bucket | No |
| RGC-GR_CONFIG_OBS_BUCKET_SSL_REQUESTS_ONLY | Checks whether an OBS bucket policy allows actions without SSL encryption. This policy is non-compliant if the bucket policy allows such actions. | Encrypting data in transit | Medium | obs:::bucket | N/A |

Organizations

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_ACCOUNT_PART_OF_ORGANIZATIONS | Checks whether an account has joined an organization. This policy is non-compliant if the account has not joined an organization. | Enforcing the least privilege | High | organizations:::accountAssociate | No |

SFS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_SFS_ENCRYPTED_CHECK | Requires an SFS file system to use KMS keys to encrypt file data at rest. | Encrypting data at rest | Medium | sfs:::fileSystem | N/A |

SMN

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_SMN_LTS_ENABLE | Checks whether trace analysis is enabled for an SMN topic. This policy is non-compliant if trace analysis is not enabled. | Establishing logging and monitoring | Medium | smn:::topic | N/A |

SWR

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_SWR_PRIVATE_IMAGE_CHECK | Requires SWR to provide private image repositories. | Managing vulnerabilities | High | swr:::repository | N/A |

TMS

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_REQUIRED_ALL_TAGS | Checks whether the tag keys of a resource match the specified ones. This policy is non-compliant if the tag keys do not match. | Protecting configurations | Low | tms:::resourceTags | TagKeys: Yes; TagValues: No |
| RGC-GR_CONFIG_REQUIRED_TAG_CHECK | Checks whether a resource has the specified tag attached. This policy is non-compliant if the resource does not have the specified tag attached. | Protecting configurations | Low | tms:::resourceTags | specifiedTagKey: Yes; specifiedTagValue: No |
| RGC-GR_CONFIG_REQUIRED_TAG_EXIST | Checks whether a resource has any of the specified tags attached. This policy is non-compliant if the resource has none of the specified tags attached. | Protecting configurations | Low | tms:::resourceTags | TagKeys: Yes; TagValues: No |
| RGC-GR_CONFIG_RESOURCE_TAG_KEY_PREFIX_SUFFIX | Checks whether a resource has any tag keys with the specified prefix and suffix attached. This policy is non-compliant if the resource has no such tag keys attached. | Protecting configurations | Low | tms:::resourceTags | tagKeyPrefix: No; tagKeySuffix: No |
| RGC-GR_CONFIG_RESOURCE_TAG_NOT_EMPTY | Checks whether a resource is tagged. This policy is non-compliant if the resource is not tagged. | Protecting configurations | Low | tms:::resourceTags | N/A |

TaurusDB

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_AUDITLOG | Checks whether audit logging is enabled for a TaurusDB instance. This policy is non-compliant if audit logging is not enabled. | Establishing logging and monitoring | Medium | gaussdb:::mysqlInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_BACKUP | Checks whether backup is enabled for a TaurusDB instance. This policy is non-compliant if backup is not enabled. | Improving resiliency | Medium | gaussdb:::mysqlInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_ERRORLOG | Checks whether error logging is enabled for a TaurusDB instance. This policy is non-compliant if error logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mysqlInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_ENABLE_SLOWLOG | Checks whether slow-query logging is enabled for a TaurusDB instance. This policy is non-compliant if slow-query logging is not enabled. | Establishing logging and monitoring | Low | gaussdb:::mysqlInstance | N/A |
| RGC-GR_CONFIG_GAUSSDB_MYSQL_INSTANCE_MULTIPLE_AZ_CHECK | Checks whether a TaurusDB instance is deployed across AZs. This policy is non-compliant if the instance is not deployed across AZs. | Improving availability | Medium | gaussdb:::mysqlInstance | N/A |

VPC

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_EIP_UNBOUND_CHECK | Checks whether an EIP is bound to any resource. This policy is non-compliant if the EIP is not bound. | Optimizing costs | Medium | vpc:::eipAssociate | N/A |
| RGC-GR_CONFIG_VPC_FLOW_LOGS_ENABLED | Checks whether flow logs are enabled for a VPC. This policy is non-compliant if flow logs are not enabled. | Establishing logging and monitoring | Medium | vpc:::flowLog | N/A |
| RGC-GR_CONFIG_EIP_BANDWIDTH_LIMIT | Checks whether the bandwidth of an EIP is less than the specified value. This policy is non-compliant if the bandwidth is less than the specified value. | Improving availability | Medium | vpc:::eip | Yes |
| RGC-GR_RFS_VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS_CHECK | Prohibits any VPC security group rule from allowing the source IP address ranges 0.0.0.0/0 or ::/0 on ports other than 80 and 443. | Controlling network access | High | networking:::secgroupRule | N/A |
| RGC-GR_RFS_VPC_SG_RESTRICTED_COMMON_PORTS_CHECK | Prohibits any VPC security group rule from allowing the source IP address ranges 0.0.0.0/0 or ::/0 on specific high-risk ports. | Controlling network access | Critical | networking:::secgroupRule | N/A |

VPCEP

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_VPCEP_ENDPOINT_ENABLED | Checks whether there are VPC endpoints for the specified services. This policy is non-compliant if there are no VPC endpoints. | Controlling network access | Medium | vpcep:::endpoint | Yes |

VPN

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_CONFIG_VPN_CONNECTIONS_ACTIVE | Checks whether a VPN connection is in the normal state. This policy is non-compliant if the connection is not in the normal state. | Improving availability | Medium | vpnaas:::siteConnectionV2 | N/A |
| RGC-GR_VPN_CONNECTION_PROHIBITED | Prohibits VPN subscriptions. | Protecting configurations | Critical | vpn:::connection, vpn:::gateway, vpn:::customerGateway | N/A |

WAF

| Policy Name | Function | Scenario | Severity | Resource | Mandatory |
|---|---|---|---|---|---|
| RGC-GR_RFS_WAF_GLOBAL_ACL_NOT_EMPTY_CHECK | Requires all WAF global web ACLs to contain valid rules. | Controlling network access | Medium | waf:::ruleGlobalProtectionWhitelist | N/A |
| RGC-GR_RFS_WAF_RULEGROUP_NOT_EMPTY_CHECK | Prohibits WAF rule groups from being empty. | Controlling network access | Medium | waf:::addressGroup | N/A |
