Conformance Package for Healthcare Industry
The following table describes the compliance rules and solutions in the sample template.
Rule Identifier |
Cloud Service |
Description |
---|---|---|
apig-instances-execution-logging-enabled |
apig |
If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant. |
apig-instances-ssl-enabled |
apig |
If no SSL certificates are attached to a dedicated APIG gateway, this gateway is considered noncompliant. |
as-group-elb-healthcheck-required |
as |
If an AS group is not using Elastic Load Balancing health check, this rule is noncompliant. |
css-cluster-disk-encryption-check |
css |
If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant. |
css-cluster-https-required |
css |
If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant. |
css-cluster-in-vpc |
css |
If a CSS cluster is not in the specified VPCs, this cluster is noncompliant. |
cts-kms-encrypted-check |
cts |
If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. |
cts-lts-enable |
cts |
If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant. |
cts-obs-bucket-track |
cts |
If no CTS trackers are created for the specified OBS bucket, this rule is noncompliant. |
cts-support-validate-check |
cts |
If Verify Trace File is not enabled for a CTS tracker, this tacker is noncompliant. |
cts-tracker-exists |
cts |
If there is no tracker in the current account, this rule is noncompliant |
drs-data-guard-job-not-public |
drs |
If the network type of a DR task is set to public network, this DR task is noncompliant. |
drs-migration-job-not-public |
drs |
If the network type of a migration task is set to public network, this migration task is noncompliant. |
drs-synchronization-job-not-public |
drs |
If the network type of a synchronization task is not set to public network, this task is noncompliant. |
dws-enable-log-dump |
dws |
If a DWS cluster does not have log transfer enabled, this cluster is noncompliant. |
dws-enable-snapshot |
dws |
If automated snapshots are not enabled for a DWS cluster, this cluster is noncompliant. |
dws-enable-ssl |
dws |
If SSL is not enabled for a DWS cluster, this cluster is noncompliant. |
ecs-instance-in-vpc |
ecs, vpc |
If an ECS is not within the specified VPC, this ECS is noncompliant. |
ecs-instance-no-public-ip |
ecs |
If an ECS has an EIP attached, this ECS is noncompliant. |
eip-unbound-check |
vpc |
If an EIP has not been attached to any resource, this EIP is noncompliant. |
eip-use-in-specified-days |
eip |
If an EIP is not used within the specified number of days after being created, the EIP is noncompliant. |
elb-predefined-security-policy-https-check |
elb |
If a specified security policy is not configured for the HTTPS listener of a dedicated load balancer, this dedicated load balancer is noncompliant. |
elb-tls-https-listeners-only |
elb |
If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant. |
function-graph-public-access-prohibited |
fgs |
If a function can be accessed over a public network, this function is noncompliant. |
gaussdb-nosql-enable-backup |
gaussdb nosql |
If the backup is not enabled for a GeminiDB instance, this instance is noncompliant. |
gaussdb-nosql-enable-disk-encryption |
gaussdb nosql |
If Disk Encryption is disabled for a GeminiDB instance, this instance is noncompliant. |
iam-customer-policy-blocked-kms-actions |
iam |
If there is a blocked action for KMS in an IAM policy, this policy is noncompliant. |
iam-password-policy |
iam |
If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant. |
iam-policy-no-statements-with-admin-access |
iam |
If an IAM policy grants administrator permissions (with the Action element set to *:*:*, *:*, or *), this policy is noncompliant. |
iam-role-has-all-permissions |
iam |
If an IAM custom policy contains *:* in the allow section, this policy is noncompliant. |
iam-root-access-key-check |
iam |
If the root user access key is available, this rule is noncompliant. |
iam-user-last-login-check |
iam |
If an IAM user does not log in to the system within the specified time range, this user is non-compliant. |
iam-user-mfa-enabled |
iam |
If multi-factor authentication is not enabled for an IAM user, this user is noncompliant. |
kms-not-scheduled-for-deletion |
kms |
If a KMS key is scheduled for deletion, this key is noncompliant. |
mfa-enabled-for-iam-console-access |
iam |
If MFA is not enabled for an IAM user who has a console password, this IAM user is noncompliant. |
mrs-cluster-kerberos-enabled |
mrs |
If kerberos is not enabled for an MRS cluster, this cluster is noncompliant. |
mrs-cluster-no-public-ip |
mrs |
If an MRS cluster has an EIP attached, this cluster is noncompliant. |
multi-region-cts-tracker-exists |
cts |
If there are no CTS trackers in any of the specified regions, this rule is noncompliant. |
pca-certificate-authority-expiration-check |
pca |
If the validity period of a private CA is not within the specified period, this CA is noncompliant. |
pca-certificate-expiration-check |
pca |
If the validity period of a certificate is not within the specified range, this certificate is noncompliant. |
private-nat-gateway-authorized-vpc-only |
nat |
If a private NAT gateway is not in a specified VPC, this gateway is noncompliant. |
rds-instance-enable-backup |
rds |
If backup is not enabled for an RDS instance, this instance is noncompliant. |
rds-instance-multi-az-support |
rds |
If an RDS instance does not support multi-AZ deployment, this RDS instance is noncompliant. |
rds-instance-no-public-ip |
rds |
If an RDS instance has an EIP attached, this RDS instance is noncompliant. |
rds-instances-enable-kms |
rds |
If KMS encryption is not enabled for an RDS instance, this instance is noncompliant. |
root-account-mfa-enabled |
iam |
If multi-factor authentication is not enabled for the root user, the root user is noncompliant. |
sfsturbo-encrypted-check |
sfsturbo |
If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant. |
stopped-ecs-date-diff |
ecs |
If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant. |
volumes-encrypted-check |
ecs, evs |
If a mounted EVS disk is not encrypted, this disk is noncompliant. |
vpc-acl-unused-check |
vpc |
If a network ACL is not attached to any subnets, this ACL is noncompliant. |
vpc-default-sg-closed |
vpc |
If a default security group allows all inbound or outbound traffic, this security group is noncompliant. |
vpc-flow-logs-enabled |
vpc |
If there is a flow log that has not been enabled for a VPC, this VPC is noncompliant. |
vpc-sg-ports-check |
vpc |
If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0) and opens all TCP/UDP ports, this security group is noncompliant. |
vpc-sg-restricted-common-ports |
vpc |
If a security group allows all IPv4 addresses (0.0.0.0/0) to access a specified port, this security group is noncompliant. |
vpc-sg-restricted-ssh |
vpc |
If the source address is set to 0.0.0.0/0 and the TCP port 22 is opened , this security group is non-compliant. |
vpn-connections-active |
vpnaas |
If a VPN is not normally connected, this rule is noncompliant. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot