Updated on 2024-12-10 GMT+08:00

Architecture Security Best Practices

The following table describes the compliance rules and solutions in the sample template.

Table 1 Conformance package description

Rule

Cloud Service

Description

access-keys-rotated

iam

If an IAM user's access key is not rotated within the specified number of days, this user is noncompliant.

pca-certificate-authority-expiration-check

pca

If the validity period of a private CA is not within the specified period, this CA is noncompliant.

pca-certificate-expiration-check

pca

If the validity period of a private CA is not within the specified period, this CA is noncompliant.

apig-instances-execution-logging-enabled

apig

If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant.

apig-instances-ssl-enabled

apig

If no SSL certificates are attached to an APIG gateway, this gateway is considered noncompliant.

cts-lts-enable

cts

If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant.

cts-kms-encrypted-check

cts

If a CTS tracker is not encrypted using KMS, this tracker is noncompliant.

cts-support-validate-check

cts

If a CTS tracker does not have trace file verification enabled, this tacker is noncompliant.

cts-obs-bucket-track

cts

If there are no CTS trackers created for the specified OBS bucket, the current account is noncompliant.

ecs-multiple-public-ip-check

ecs

If an ECS has multiple EIPs attached, this ECS is noncompliant.

ecs-instance-no-public-ip

ecs

If an ECS has an EIP attached, this ECS is noncompliant.

stopped-ecs-date-diff

ecs

If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant.

evs-use-in-specified-days

evs

If an EVS disk has not been attached to any resources within the specified number of days after being created, this disk is noncompliant.

volume-unused-check

evs

If an EVS disk is not mounted to any cloud server, this disk is noncompliant.

cce-cluster-end-of-maintenance-version

cce

If the version of a CCE cluster is no longer supported for maintenance, this cluster is noncompliant.

cce-cluster-oldest-supported-version

cce

If a CCE cluster is running the oldest supported version, this cluster is noncompliant.

sfsturbo-encrypted-check

sfsturbo

If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant.

css-cluster-in-vpc

css

If a CSS cluster is not in the specified VPCs, this cluster is noncompliant.

css-cluster-disk-encryption-check

css

If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant.

elb-tls-https-listeners-only

elb

If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant.

mrs-cluster-kerberos-enabled

mrs

If kerberos is not enabled for an MRS cluster, this cluster is noncompliant.

mrs-cluster-no-public-ip

mrs

If an MRS cluster has an EIP attached, this cluster is noncompliant.

volumes-encrypted-check

ecs, evs

If a mounted EVS disk is not encrypted, this disk is noncompliant.

iam-customer-policy-blocked-kms-actions

iam, access-analyzer-verified

If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant.

iam-group-has-users-check

iam

If an IAM user group has no user, this user group is noncompliant.

iam-password-policy

iam

If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant.

iam-policy-no-statements-with-admin-access

iam

If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is noncompliant.

iam-role-has-all-permissions

iam

If a custom policy or role allows all actions for a cloud service, this policy or role is noncompliant.

iam-root-access-key-check

iam

If the root user access key is available, the account is noncompliant.

iam-user-group-membership-check

iam

If an IAM user is not in any of the specified IAM user groups, this user is noncompliant.

iam-user-mfa-enabled

iam

If multi-factor authentication is not enabled for an IAM user, this user is noncompliant.

iam-user-last-login-check

iam

If an IAM user does not log in to the system within the specified time range, this user is non-compliant.

vpc-sg-restricted-ssh

vpc

If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0 or ::/0) and opens the TCP 22 port, this security group is noncompliant.

ecs-instance-in-vpc

ecs, vpc

If an ECS is not within the specified VPC, this ECS is noncompliant.

kms-not-scheduled-for-deletion

kms

If a KMS key is scheduled for deletion, this key is noncompliant.

function-graph-public-access-prohibited

fgs

If a function can be accessed over a public network, this function is noncompliant.

function-graph-inside-vpc

fgs

If a function is not in the specified VPC, this function is noncompliant.

mfa-enabled-for-iam-console-access

iam

If an IAM user who is allowed to access Huawei Cloud console does not have MFA enabled, this IAM user is noncompliant.

css-cluster-https-required

css

If a CSS cluster does not have HTTPS enabled, this cluster is noncompliant.

rds-instance-no-public-ip

rds

If an RDS instance has an EIP attached, this RDS instance is noncompliant.

rds-instance-logging-enabled

rds

If an RDS instance does not have the collection of any types of logs enabled, this instance is noncompliant.

rds-instances-enable-kms

rds

If KMS encryption is not enabled for an RDS instance, this instance is noncompliant.

dws-enable-kms

dws

If KMS encryption is not enabled for a DWS cluster, this cluster is noncompliant.

gaussdb-nosql-enable-disk-encryption

gemini db

If a GeminiDB instance does not have disk encryption enabled, this instance is noncompliant.

dws-enable-ssl

dws

If SSL is not enabled for a DWS cluster, this cluster is noncompliant.

vpc-sg-restricted-common-ports

vpc

If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is noncompliant.

root-account-mfa-enabled

iam

If the root user does not have MFA enabled, this root user is noncompliant.

vpc-default-sg-closed

vpc

If a default security group allows all inbound or outbound traffic, this security group is noncompliant.

vpc-flow-logs-enabled

vpc

If a VPC does not have the flow log enabled, this VPC is noncompliant.

vpc-acl-unused-check

vpc

If a network ACL is not attached to any subnets, this ACL is noncompliant.

vpc-sg-ports-check

vpc

If a security group has the source address set to 0.0.0.0/0 or ::/0 and opens all TCP/UDP ports, this security group is noncompliant.

waf-instance-policy-not-empty

waf

If a WAF instance does not have a protection policy attached, this instance is noncompliant.