Updated on 2024-05-24 GMT+08:00

Strongly Recommended Governance Policies

Cloud Trace Service (CTS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_MULTI_REGION_CTS_TRACKER_EXISTS | This policy checks whether a CTS tracker has been created and enabled for the specified region list for an account. If not, the account is considered non-compliant. | Establishing logging and monitoring | High | cts:::tracker |

Identity and Access Management (IAM)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_IAM_ROOT_ACCESS_KEY_CHECK | This policy checks whether there are available access keys for an account. If yes, the account is considered non-compliant. | Enforcing least privilege | Critical | identity:::accessKey |
| RGC-GR_CONFIG_ROOT_ACCOUNT_MFA_ENABLED | This policy checks whether multi-factor authentication (MFA) is enabled for an account. If not, the account is considered non-compliant. | Enforcing least privilege | High | identity:::acl |
| RGC-GR_CONFIG_IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS | This policy checks whether an IAM policy grants the admin permission (`*:*:*`, `*:*`, or `*`). If yes, the IAM policy is considered non-compliant. | Enforcing least privilege | High | identity:::protectionPolicy |
| RGC-GR_CONFIG_IAM_ROLE_HAS_ALL_PERMISSIONS | This policy checks whether an IAM custom policy grants the allow `*:*` permission. If yes, the IAM policy is considered non-compliant. | Enforcing least privilege | Low | identity:::role |
| RGC-GR_CONFIG_IAM_USER_MFA_ENABLED | This policy checks whether MFA is enabled for an IAM user. If not, the user is considered non-compliant. | Enforcing least privilege | Medium | identity:::user |

Relational Database Service (RDS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_RDS_INSTANCE_NO_PUBLIC_IP | This policy checks whether a public IP address is bound to an RDS instance. If yes, the instance is considered non-compliant. | Controlling network access | High | rds:::instance |

Elastic Volume Service (EVS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_VOLUME_UNUSED_CHECK | This policy checks whether an EVS disk is attached to a cloud server. If not, the EVS disk is considered non-compliant. | Optimizing costs | High | evs:::volume |

Virtual Private Cloud (VPC)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_VPC_SG_PORTS_CHECK | This policy checks whether the inbound source IP address of a security group is set to 0.0.0.0/0 and all TCP/UDP ports are enabled. If yes, the security group is considered non-compliant. | Controlling network access | High | networking:::secgroup |
| RGC-GR_CONFIG_VPC_DEFAULT_SG_CLOSED | This policy checks whether the default security group of a VPC allows inbound or outbound traffic. If yes, the default security group is considered non-compliant. | Controlling network access | High | networking:::secgroup |
| RGC-GR_CONFIG_VPC_FLOW_LOGS_ENABLED | This policy checks whether flow logs are enabled for a VPC. If not, the VPC is considered non-compliant. | Establishing logging and monitoring | Medium | vpc:::flowLog |
| RGC-GR_CONFIG_VPC_SG_RESTRICTED_SSH | This policy checks whether the inbound source IP address of a security group is set to 0.0.0.0/0 and TCP port 22 is enabled. If yes, the security group is considered non-compliant. | Controlling network access | High | networking:::secgroup |

Cloud Container Engine (CCE)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CCE_ENDPOINT_PUBLIC_ACCESS | This policy checks whether a public IP address is bound to a CCE cluster. If yes, the CCE cluster is considered non-compliant. | Controlling network access | Medium | cce:::cluster |

Cloud Search Service (CSS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_CSS_CLUSTER_HTTPS_REQUIRED | This policy checks whether HTTPS access is enabled for a CSS cluster. If not, the cluster is considered non-compliant. | Encrypting data in transit | Medium | css:::cluster |

Data Warehouse Service (DWS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_DWS_ENABLE_LOG_DUMP | This policy checks whether log dump is enabled for a DWS cluster. If not, the cluster is considered non-compliant. | Establishing logging and monitoring | Medium | dws:::cluster |

Elastic Cloud Server (ECS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ECS_INSTANCE_NO_PUBLIC_IP | This policy checks whether a public IP address is bound to an ECS. If yes, the ECS is considered non-compliant. | Controlling network access | Medium | compute:::instance |
| RGC-GR_CONFIG_ECS_MULTIPLE_PUBLIC_IP_CHECK | This policy checks whether multiple public IP addresses are bound to an ECS. If yes, the ECS is considered non-compliant. | Controlling network access | Low | compute:::instance |

Elastic Load Balance (ELB)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_ELB_TLS_HTTPS_LISTENERS_ONLY | This policy checks whether HTTPS is configured for any listener of a load balancer. If not, the load balancer is considered non-compliant. | Encrypting data in transit | Medium | elb:::listener |

MapReduce Service (MRS)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_MRS_CLUSTER_NO_PUBLIC_IP | This policy checks whether a public IP address is bound to an MRS cluster. If yes, the cluster is considered non-compliant. | Controlling network access | Medium | mrs:::cluster |

API Gateway (APIG)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_APIG_INSTANCES_EXECUTION_LOGGING_ENABLED | This policy checks whether a dedicated API gateway is configured with access logs. If not, the gateway is considered non-compliant. | Establishing logging and monitoring | Medium | apig:::instance |
| RGC-GR_CONFIG_APIG_INSTANCES_AUTHORIZATION_TYPE_CONFIGURED | This policy checks whether security authentication is provided for a dedicated API gateway. If not, the gateway is considered non-compliant. | Encrypting data in transit | Medium | apig:::instance |
| RGC-GR_CONFIG_APIG_INSTANCES_SSL_ENABLED | This policy checks whether any domain name of a dedicated API gateway is associated with an SSL certificate. If not, the gateway is considered non-compliant. | Encrypting data in transit | Medium | apig:::instance |

FunctionGraph

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_FUNCTION_GRAPH_PUBLIC_ACCESS_PROHIBITED | This policy checks whether functions in FunctionGraph allow public access. If yes, the functions are considered non-compliant. | Controlling network access | Critical | fgs:::function |

Simple Message Notification (SMN)

| Policy Name | Function | Scenario | Severity | Resource |
| --- | --- | --- | --- | --- |
| RGC-GR_CONFIG_SMN_LTS_ENABLE | This policy checks whether event analysis is enabled for an SMN topic. If not, the topic is considered non-compliant. | Establishing logging and monitoring | Medium | smn:::topic |