Help Center/ Config/ User Guide/ Conformance Packages/ Conformance Package Templates/ Conformance Package for Network Security
Updated on 2024-10-28 GMT+08:00

Conformance Package for Network Security

The following table lists the rules and solutions included in this conformance package template.

Table 1 Conformance package description

Rule

Cloud Service

Description

access-keys-rotated

iam

If an IAM user's access key is not rotated within the specified number of days, this user is noncompliant.

alarm-kms-disable-or-delete-key

ces, kms

If there are no alarms configured for disabling or deleting KMS keys, this rule is noncompliant.

alarm-obs-bucket-policy-change

ces, obs

If no alarms are configured for OBS bucket policy changes, this rule is noncompliant.

alarm-vpc-change

ces, vpc

If no alarms are configured for VPC changes, this rule is noncompliant.

css-cluster-https-required

css

If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant.

css-cluster-in-vpc

css

If a CSS cluster is not in the specified VPC, this cluster is noncompliant.

cts-kms-encrypted-check

cts

If a CTS tracker is not encrypted using KMS, this tracker is noncompliant.

cts-lts-enable

cts

If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant.

cts-obs-bucket-track

cts

If no trackers are created for the specified OBS bucket, this rule is noncompliant.

cts-support-validate-check

cts

If Verify Trace File is not enabled for a CTS tracker, this tacker is noncompliant.

cts-tracker-exists

cts

If there is no tracker in the current account, this rule is noncompliant.

ecs-instance-in-vpc

ecs, vpc

If an ECS is not within the specified VPC, this ECS is noncompliant.

ecs-instance-no-public-ip

ecs

If an ECS has an EIP attached, this ECS is noncompliant.

eip-unbound-check

vpc

If an EIP has not been attached to any resource, this EIP is noncompliant.

elb-tls-https-listeners-only

elb

If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant.

iam-group-has-users-check

iam

If an IAM user group has no user, this user group is noncompliant.

iam-password-policy

iam

If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant.

iam-root-access-key-check

iam

If the root user access key is available, this rule is noncompliant.

iam-user-console-and-api-access-at-creation

iam

If an IAM user who is allowed to access Huawei Cloud console has AK/SK created, this user is noncompliant.

iam-user-group-membership-check

iam

If an IAM user is not in any of the specified IAM user groups, this user is noncompliant.

iam-user-last-login-check

iam

If an IAM user does not log in to the system within the specified time range, the result is non-compliant.

iam-user-mfa-enabled

iam

If multi-factor authentication is not enabled for an IAM user, this user is noncompliant.

iam-user-single-access-key

iam

If multiple access keys are in the active state for an IAM user, this user is noncompliant.

mfa-enabled-for-iam-console-access

iam

If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant.

mrs-cluster-kerberos-enabled

mrs

If kerberos is not enabled for an MRS cluster, this cluster is noncompliant.

mrs-cluster-no-public-ip

mrs

If an MRS cluster has an EIP attached, this cluster is noncompliant.

private-nat-gateway-authorized-vpc-only

nat

If a private NAT gateway is not in a specified VPC, this gateway is noncompliant.

rds-instance-multi-az-support

rds

If an RDS instance does not support multi-AZ deployment, this RDS instance is noncompliant.

rds-instance-no-public-ip

rds

If an RDS instance has an EIP attached, this RDS instance is noncompliant.

root-account-mfa-enabled

iam

If multi-factor authentication is not enabled for the root user, the root user is noncompliant.

stopped-ecs-date-diff

ecs

If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant.

volume-unused-check

evs

If an EVS disk is not mounted to any cloud server, this disk is noncompliant.

volumes-encrypted-check

ecs, evs

If a mounted EVS disk is not encrypted, this disk is noncompliant.

vpc-acl-unused-check

vpc

If a network ACL is not attached to any subnets, this ACL is noncompliant.

vpc-flow-logs-enabled

vpc

If there is a flow log that has not been enabled for a VPC, this VPC is noncompliant.