Conformance Package for Huawei Cloud Security Configuration Guide (Level 2)
This section describes the background, applicable scenarios, and the conformance package to meet requirements of Huawei Cloud Security Configuration Guide at level 2.
Applicable Scenario
Huawei Cloud Security Configuration Guide provides you with baseline configuration guidance for important cloud services. For more details, see Security.
Exemption Clauses
This package provides a general guide to help you quickly create scenario-based conformance packages. The conformance package and the rules it includes apply only to cloud services and do not constitute legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Rules
The guideline numbers in the following table are consistent with the chapter numbers in Huawei Cloud Security Configuration Guide.
| Guideline No. | Guideline Description | Rule | Cloud Service | Description |
|---|---|---|---|---|
| C.CS.FOUNDATION.G_1.R_3 | Ensuring that no IAM users are created in the admin user group | iam-user-check-non-admin-group | iam | If a non-root user was added to the admin user group, this user is noncompliant. |
| C.CS.FOUNDATION.G_1.R_9 | Enabling login protection | iam-user-login-protection-enabled | iam | If login protection is not enabled for an IAM user, this user is noncompliant. |
| C.CS.FOUNDATION.G_1.R_12 | Avoiding setting access keys for users with console passwords when creating initial IAM users | iam-user-console-and-api-access-at-creation | iam | If an IAM user who is allowed to access the Huawei Cloud console has an AK/SK created, this user is noncompliant. |
| C.CS.FOUNDATION.G_1.R_13 | Ensuring that only one active access key is available for an IAM user | iam-user-single-access-key | iam | If multiple access keys are in the active state for an IAM user, this user is noncompliant. |
| C.CS.FOUNDATION.G_2.R_5 | Enabling VPC flow logs | vpc-flow-logs-enabled | vpc | If a VPC does not have flow logs enabled, this VPC is noncompliant. |
| C.CS.FOUNDATION.G_2.R_11 | Enabling FunctionGraph logging | function-graph-logging-enabled | fgs | If a function does not have log collection enabled, this function is noncompliant. |
| C.CS.FOUNDATION.G_2.R_16 | Enabling encrypted storage of log files | cts-kms-encrypted-check | cts | If a CTS tracker does not have KMS encryption enabled, this tracker is noncompliant. |
| C.CS.FOUNDATION.G_3_1.R_1 | Using a key pair to securely log in to BMS | ecs-instance-key-pair-login | ecs | If key pair authentication is not required for ECS login, this ECS is noncompliant. |
| C.CS.FOUNDATION.G_3_1.R_4 | Enabling encryption for private images | ims-images-enable-encryption | ims | If a private image does not have encryption enabled, this image is noncompliant. |
| C.CS.FOUNDATION.G_3_2.R_1 | Using a key pair to securely log in to BMS | bms-key-pair-security-login | bms | If a BMS does not have key pair login enabled, this BMS is noncompliant. |
| C.CS.FOUNDATION.G_5_1.R_4 | Controlling permissions of OBS resources using both VPC endpoint and OBS bucket policies | obs-bucket-policy-grantee-check | obs | If an OBS bucket has a policy that allows access from a grantee that is not within the specified scope, this bucket is noncompliant. |
| C.CS.FOUNDATION.G_5_2.R_1 | Ensuring that EVS encryption is enabled | volumes-encrypted-check | ecs, evs | If a mounted EVS disk is not encrypted, this disk is noncompliant. |
| C.CS.FOUNDATION.G_5_3.R_1 | Ensuring that SFS Turbo file system encryption is enabled | sfsturbo-encrypted-check | sfsturbo | If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant. |
| C.CS.FOUNDATION.G_5_4.R_1 | Selecting an encrypted disk for the EVS that carries the backup data | cbr-backup-encrypted-check | cbr | If a CBR backup is not encrypted, this backup is noncompliant. |
| C.CS.FOUNDATION.G_5_4.R_4 | Enabling forcible backup | ecs-protected-by-cbr | cbr, ecs | If an ECS does not have a backup vault attached, this ECS is noncompliant. |
| C.CS.FOUNDATION.G_5_4.R_4 | Enabling forcible backup | evs-protected-by-cbr | cbr, evs | If an EVS disk does not have a backup vault attached, this disk is noncompliant. |
| C.CS.FOUNDATION.G_5_4.R_4 | Enabling forcible backup | sfsturbo-protected-by-cbr | cbr, sfsturbo | If an SFS Turbo file system does not have a backup vault attached, this file system is noncompliant. |
| C.CS.FOUNDATION.G_6_1.R_7 | Enabling the database audit logs | rds-instance-enable-auditLog | rds | If an RDS instance does not have audit logs enabled, or the audit logs are kept for less than the specified number of days, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_4.R_5 | Enabling the database audit logs | gaussdb-instance-enable-auditLog | gaussdb | If a GaussDB instance does not have audit log collection enabled, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_4.R_5 | Enabling the database audit logs | gaussdb-mysql-instance-enable-auditlog | gaussdbformysql | If a GaussDB(for MySQL) instance does not have audit logging enabled, this instance is noncompliant. |
| C.CS.FOUNDATION.G_6_4.R_7 | Enabling the backup function and configuring a backup policy | gaussdb-instance-enable-backup | gaussdb | If a GaussDB instance does not have backup enabled, this instance is noncompliant. |
| C.CS.FOUNDATION.G_7_3.R_1 | Enabling cluster data encryption | dws-enable-kms | dws | If KMS encryption is not enabled for a DWS cluster, this cluster is noncompliant. |
| C.CS.FOUNDATION.G_7_3.R_4 | Enabling audit log dumping for a DWS database | dws-enable-log-dump | dws | If a DWS cluster does not have log transfer enabled, this cluster is noncompliant. |
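The four IAM rules in the table (G_1.R_3, R_9, R_12 and R_13) each reduce to a single condition on an IAM user's attributes. The following is an added example, not Huawei Cloud Config's rule engine, that applies those conditions to constructed user records so you can see which user each rule would flag; the record fields (groups, console_enabled, login_protection, access_keys, is_root) are assumed names, not the service's API schema.

```python
# Added example (not Huawei Cloud Config's rule engine): evaluates the four IAM
# rules from the table above against constructed IAM user records. The record
# field names below are assumed for illustration, not taken from the IAM API.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AccessKey:
    key_id: str
    active: bool


@dataclass
class IamUser:
    name: str
    is_root: bool = False                 # the account (root) user is exempt from G_1.R_3
    groups: List[str] = field(default_factory=list)
    console_enabled: bool = False         # user may sign in to the console with a password
    login_protection: bool = False        # login protection switched on for this user
    access_keys: List[AccessKey] = field(default_factory=list)


# Each check returns True when the user is compliant with that rule.
RULES: Dict[str, Callable[[IamUser], bool]] = {
    # G_1.R_3: no non-root IAM user may be a member of the admin user group
    "iam-user-check-non-admin-group": lambda u: u.is_root or "admin" not in u.groups,
    # G_1.R_9: login protection must be enabled for every IAM user
    "iam-user-login-protection-enabled": lambda u: u.login_protection,
    # G_1.R_12: a user with console access must not also hold AK/SK credentials
    "iam-user-console-and-api-access-at-creation": lambda u: not (u.console_enabled and u.access_keys),
    # G_1.R_13: at most one access key may be in the active state
    "iam-user-single-access-key": lambda u: sum(k.active for k in u.access_keys) <= 1,
}


def evaluate(users: List[IamUser]) -> Dict[str, List[str]]:
    """Return {rule_name: [names of noncompliant users]} for the given users."""
    return {rule: [u.name for u in users if not check(u)] for rule, check in RULES.items()}


# Constructed sample data: one over-privileged user, one API-only user, one console-only user.
SAMPLE_USERS = [
    IamUser("ops-admin", groups=["admin"], console_enabled=True, login_protection=True,
            access_keys=[AccessKey("AK1", True), AccessKey("AK2", True)]),
    IamUser("ci-bot", groups=["deployers"], login_protection=True,
            access_keys=[AccessKey("AK3", True), AccessKey("AK4", False)]),
    IamUser("auditor", groups=["readers"], console_enabled=True, login_protection=False),
]

if __name__ == "__main__":
    for rule, names in evaluate(SAMPLE_USERS).items():
        print(f"{rule}: {names or 'all compliant'}")
```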