Conformance Package for Landing Zone
This section describes the background and the conformance package for basic scenarios of Landing Zone.
Background
To help customers better manage the cloud, Huawei Cloud provides the Landing Zone solution, which integrates years of experience in enterprise governance and digital transformation. Landing Zone gives you a scalable, secure, and compliant cloud environment. If you run a large enterprise with diverse services in the finance sector, Landing Zone is a wise choice for cloud migration and digital transformation. Landing Zone helps enterprises build cloud environments based on best practices in a number of areas, for instance multi-account organization management, network planning, identity and permissions, data boundaries, security protection, compliance audit, O&M monitoring, and cost management.
Exemption Clauses
This package provides general guidance to help you quickly create scenario-based conformance packages. The conformance package and the rules it includes apply only to cloud services and do not constitute legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Conformance Rules
The following table describes the compliance rules and solutions in the sample template.
Module | Rule |
---|---|
Design of organization units and accounts | account-part-of-organizations |
Design of organization units and accounts | iam-user-group-membership-check |
Design of organization units and accounts | iam-group-has-users-check |
Identity and permissions | root-account-mfa-enabled |
Identity and permissions | mfa-enabled-for-iam-console-access |
Identity and permissions | iam-root-access-key-check |
Identity and permissions | iam-user-single-access-key |
Identity and permissions | iam-password-policy |
Identity and permissions | access-keys-rotated |
Identity and permissions | iam-user-last-login-check |
Identity and permissions | iam-policy-no-statements-with-admin-access |
Unified network architecture | eip-unbound-check |
Unified network architecture | elb-tls-https-listeners-only |
Unified network architecture | vpc-acl-unused-check |
Unified network architecture | vpc-sg-restricted-ssh |
Unified network architecture | vpc-default-sg-closed |
Unified network architecture | vpc-sg-ports-check |
Unified network architecture | vpn-connections-active |
Unified operations monitoring | alarm-obs-bucket-policy-change |
Unified operations monitoring | alarm-vpc-change |
Unified operations monitoring | alarm-kms-disable-or-delete-key |
Unified compliance audit | cts-lts-enable |
Unified compliance audit | cts-support-validate-check |
Unified compliance audit | cts-kms-encrypted-check |
Unified compliance audit | multi-region-cts-tracker-exists |
Unified security management | cce-endpoint-public-access |
Unified security management | ecs-instance-no-public-ip |
Unified security management | rds-instance-no-public-ip |
Unified security management | pca-certificate-authority-expiration-check |
Unified security management | pca-certificate-expiration-check |
Unified security management | volumes-encrypted-check |
Unified security management | rds-instances-enable-kms |
Reliable architecture | rds-instance-enable-backup |
Reliable architecture | rds-instance-multi-az-support |
Reliable architecture | volume-unused-check |