Help Center/ Config/ User Guide/ Conformance Packages/ Conformance Package Templates/ Best Practices for Singapore Financial Industry
Updated on 2024-10-28 GMT+08:00

Best Practices for Singapore Financial Industry

Applicable Scenario

The Monetary Authority of Singapore has developed the MAS guidelines to regulate the practices of financial institutions. For more information about the guidelines, see Technology Risk Management Guidelines.

Rules

The following table lists the rules and solutions included in this conformance package template.

Table 1 Conformance package description

Rule

Cloud Service

Description

access-keys-rotated

iam

If an IAM user's access key is not rotated within the specified number of days, this user is noncompliant.

account-part-of-organizations

organizations

If an account has not been added to any organizations or to a specified organization, this account is noncompliant.

pca-certificate-authority-expiration-check

pca

If the validity period of a private CA is not within the specified period, this CA is noncompliant.

pca-certificate-expiration-check

pca

If the validity period of a private certificate is not within the specified period, this certificate is noncompliant.

elb-http-to-https-redirection-check

elb

If an HTTP listener does not have redirecting requests to an HTTPS listener enabled, this HTTP listener is noncompliant.

apig-instances-execution-logging-enabled

apig

If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant.

apig-instances-ssl-enabled

apig

If no SSL certificates are attached to a dedicated APIG gateway, this gateway is considered noncompliant.

as-group-elb-healthcheck-required

as

If an AS group does not have health check enabled, this AS group is noncompliant.

as-group-ipv6-disabled

as

If an AS group has an IPv6 shared bandwidth attached, this AS group is noncompliant

cts-lts-enable

cts

If a CTS tracker does not have trace transfer to LTS enabled, this tracker is noncompliant.

cts-tracker-exists

cts

If there are no trackers or all trackers are disabled in an account, this account is noncompliant.

cts-kms-encrypted-check

cts

If a CTS tracker does not have KMS encryption enabled, this tracker is noncompliant.

cts-support-validate-check

cts

If a CTS tracker does not have trace file verification enabled, this tacker is noncompliant.

cts-obs-bucket-track

cts

If no CTS trackers are created for the specified OBS bucket, this rule is noncompliant.

cts-tracker-enabled-security

cts

If there is no tracker that complies with security best practices, this rule is noncompliant.

kms-rotation-enabled

kms

If key rotation is not enabled for a KMS key, this key is noncompliant.

cloudbuildserver-encryption-parameter-check

codeartsbuild

If encryption is not enabled for custom parameters of a CodeArts build project, this project is noncompliant.

rds-instance-enable-backup

rds

If backup is not enabled for an RDS instance, this instance is noncompliant.

drs-data-guard-job-not-public

drs

If the network type of a DR task is set to public network, this DR task is noncompliant.

drs-migration-job-not-public

drs

If the network type of a migration task is set to public network, this migration task is noncompliant.

drs-synchronization-job-not-public

drs

If the network type of a synchronization task is not set to public network, this synchronization task is noncompliant.

volumes-encrypted-check-by-default

evs

If an EVS disk is not encrypted, this EVS disk is noncompliant.

ecs-instance-no-public-ip

ecs

If an ECS has an EIP attached, this ECS is noncompliant.

ecs-instance-agency-attach-iam-agency

ecs

If an ECS does not have any IAM agencies attached, this ECS is noncompliant.

sfsturbo-encrypted-check

sfsturbo

If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant.

css-cluster-in-vpc

css

If a CSS cluster is not in the specified VPCs, this cluster is noncompliant.

css-cluster-disk-encryption-check

css

If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant.

elb-multiple-az-check

elb

If a load balancer is mapped to only one availability zone (AZ), this load balancer is noncompliant. If a load balancer is mapped to zero or only one availability zone (AZ), this load balancer is noncompliant.

elb-tls-https-listeners-only

elb

If any listener of a load balancer does not have the frontend protocol set to HTTPS, this load balancer is noncompliant.

mrs-cluster-kerberos-enabled

mrs

If an MRS cluster does not have Kerberos autentication enabled, this cluster is noncompliant.

mrs-cluster-no-public-ip

mrs

If an MRS cluster has an EIP attached, this cluster is noncompliant.

volumes-encrypted-check

ecs, evs

If a mounted EVS disk is not encrypted, this disk is noncompliant.

iam-customer-policy-blocked-kms-actions

iam, access-analyzer-verified

If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant.

iam-group-has-users-check

iam

If an IAM user group has no user, this user group is noncompliant.

iam-password-policy

iam

If the password of an IAM user does not meet the password strength requirements, this IAM user is noncompliant.

iam-policy-no-statements-with-admin-access

iam

If a custom policy or role allows all actions (with the action element set to *:*:*, *:*, or *) for all cloud services, this policy or role is noncompliant.

iam-role-has-all-permissions

iam

If a custom policy or role allows all actions for a cloud service, this policy or role is noncompliant.

iam-root-access-key-check

iam

If the root user access key is available, the account is noncompliant.

iam-user-group-membership-check

iam

If an IAM user is not in any of the specified IAM user groups, this user is noncompliant.

iam-user-mfa-enabled

iam

If multi-factor authentication is not enabled for an IAM user, this user is noncompliant.

iam-user-last-login-check

iam

If an IAM user does not log in to the system within the specified period, this user is non-compliant.

vpc-sg-restricted-ssh

vpc

If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0 or ::/0) and opens the TCP 22 port, this security group is noncompliant.

ecs-instance-in-vpc

ecs, vpc

If an ECS is not within the specified VPC, this ECS is noncompliant.

kms-not-scheduled-for-deletion

kms

If a KMS key is scheduled for deletion, this key is noncompliant.

function-graph-public-access-prohibited

fgs

If a function can be accessed over a public network, this function is noncompliant.

function-graph-inside-vpc

fgs

If a function is not in the specified VPC, this function is noncompliant.

mfa-enabled-for-iam-console-access

iam

If an IAM user who is allowed to access Huawei Cloud console does not have MFA enabled, this IAM user is noncompliant.

css-cluster-https-required

css

If a CSS cluster does not have HTTPS enabled, this cluster is noncompliant.

rds-instance-no-public-ip

rds

If an RDS instance has an EIP attached, this RDS instance is noncompliant.

rds-instance-logging-enabled

rds

If an RDS instance does not have the collection of any types of logs enabled, this instance is noncompliant.

rds-instance-multi-az-support

rds

If an RDS instance does not support multi-AZ deployment, this RDS instance is noncompliant.

rds-instances-enable-kms

rds

If KMS encryption is not enabled for an RDS instance, this instance is noncompliant.

dws-enable-snapshot

dws

If automated snapshots are not enabled for a DWS cluster, this cluster is noncompliant.

gaussdb-instance-enable-backup

gaussdb

If a GaussDB instance does not have the backup enabled, this instance is noncompliant.

gaussdb-mysql-instance-enable-backup

gaussdbformysql

If a GaussDB(for MySQL) instance does not have the backup enabled, this instance is noncompliant.

gaussdb-nosql-enable-backup

gemini db

If a GeminiDB instance does not have the backup enabled, this instance is noncompliant.

dws-enable-kms

dws

If KMS encryption is not enabled for a DWS cluster, this cluster is noncompliant.

gaussdb-nosql-enable-disk-encryption

gemini db

If a GeminiDB instance does not have disk encryption enabled, this instance is noncompliant.

dws-maintain-window-check

dws

If the O&M time window of a DWS cluster is not consistent with the specified time window, this cluster is noncompliant.

dws-clusters-no-public-ip

dws

If a DWS cluster has an EIP attached, this cluster is noncompliant.

dws-enable-ssl

dws

If SSL is not enabled for a DWS cluster, this cluster is noncompliant.

vpc-sg-restricted-common-ports

vpc

If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is noncompliant.

root-account-mfa-enabled

iam

If the root user does not have MFA enabled, this root user is noncompliant.

csms-secrets-rotation-success-check

csms

If a CSMS secret fails to be rotated, this secret is noncompliant.

vpc-default-sg-closed

vpc

If a default security group allows all inbound or outbound traffic, this security group is noncompliant.

vpc-flow-logs-enabled

vpc

If a VPC does not have the flow log enabled, this VPC is noncompliant.

vpc-sg-ports-check

vpc

If a security group has the source address set to 0.0.0.0/0 or ::/0 and opens all TCP/UDP ports, this security group is noncompliant.

vpn-connections-active

vpnaas

If a VPN is not normally connected, this rule is noncompliant.