規則名稱 | 規則描述 | 建議項編號 | 建議項說明 |
RDS實例開啟日志備份 | RDS實例開啟日志備份,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
為NAS文件系統創建備份計劃 | 為NAS文件系統創建備份計劃,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
OSS存儲空間開啟同城冗余存儲 | 如果沒有開啟同城冗余存儲,會導致當出現某個機房不可用時,OSS服務無法提供一致性服務,影響數據恢復目標。OSS存儲空間開啟同城冗余存儲,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
PolarDB集群的數據一級備份保留周期滿足指定要求 | PolarDB集群一級備份保留周期大于等于指定天數,視為“合規”。參數默認值7天。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
為API分組設置調用日志存儲 | API網關中API分組設置了調用日志存儲,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
OSS存儲空間開啟版本控制 | 如果沒有開啟版本控制,會導致數據被覆蓋或刪除時無法恢復。如果開啟版本控制,則視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. The entity disposes of confidential information to meet the entity's objectives related to confidentiality. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
SLB實例開啟訪問日志 | SLB傳統型負載均衡實例開啟訪問日志,視為“合規”。未啟用7層監聽的實例不支持開啟訪問日志,視為“不適用”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
ADB集群開啟日志備份 | ADB集群開啟日志備份,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
ECS磁盤設置自動快照策略 | ECS磁盤設置了自動快照策略,視為“合規”。 | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
開啟操作審計全量日志跟蹤 | 操作審計中存在開啟狀態的跟蹤,且跟蹤全部地域和全部事件類型,視為“合規”。如果是資源目錄成員賬號,當管理員有創建應用到所有成員賬號的跟蹤時,視為“合規”。 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
云安全中心通知項目已設置通知方式 | 云安全中心通知項目均已設置通知方式,視為“合規”。 | A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. |
RDS實例開啟刪除保護 | RDS實例開啟刪除保護,視為“合規”。付費類型為包年包月的實例不支持該功能,視為“不適用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
PolarDB集群開啟刪除保護 | PolarDB集群開啟刪除保護,視為“合規”。預付費類型的集群視為“不適用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
KMS主密鑰開啟刪除保護 | KMS主密鑰開啟刪除保護,視為“合規”。如果密鑰狀態非啟用中,視為“不適用”,如果密鑰為服務密鑰,由于本身不可刪除,視為“不適用”。 | C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. |
RAM用戶組非空 | RAM用戶組至少包含一個RAM用戶,視為“合規”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不存在閑置的RAM用戶組 | RAM用戶組至少包含一個RAM用戶且綁定了至少一個RAM權限策略,視為“合規”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
不存在閑置的RAM權限策略 | RAM權限策略至少綁定一個RAM用戶組、RAM角色或RAM用戶,視為“合規”。 | CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
不存在超級管理員 | RAM用戶、RAM用戶組、RAM角色均未擁有Resource為*且Action為*的超級管理員權限,視為“合規”。 | | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
使用云安全中心企業版 | 使用云安全中心企業版或者更高級別的版本,視為“合規”。 | CC3.1 CC6.6 CC6.8 CC7.1 CC7.2 CC7.3 CC7.4
| COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.#The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
|
云防火墻中資產開啟保護 | 云防火墻中資產開啟保護,視為“合規”。本規則只對云防火墻付費用戶有效,未開通云防火墻或者免費用戶資產無檢測數據。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
在云安全中心設置指定等級的漏洞掃描 | 在云安全中心設置指定風險等級的漏洞掃描,視為“合規”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
在云安全中心開啟指定類型的主動防御 | 在云安全中開啟了參數指定的主動防御類型,視為“合規”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
WAF3實例開啟指定防護規則 | WAF3.0實例開啟指定防護場景的規則,視為“合規”。 | | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
|
運行中的ECS實例開啟云安全中心防護 | 通過在主機上安裝云安全中心插件,提供主機的安全防護服務。如果有安裝云安全中心插件,則視為“合規”。非運行中狀態的實例不適用本規則,視為“不適用”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
|
RAM用戶開啟MFA | 開啟控制臺訪問功能的RAM用戶登錄設置中必須開啟多因素認證或者已啟用MFA,視為“合規”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
運行中的ECS實例安裝了云監控插件 | 運行中的ECS實例安裝云監控插件而且插件狀態為運行中,視為“合規”。非運行中狀態的實例不適用本規則,視為“不適用”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
ACK集群運行中節點安裝云監控插件 | ACK集群運行中節點均安裝了云監控插件,且監控運行狀態正常,視為“合規”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
VPC開啟流日志記錄 | VPC已開啟流日志(Flowlog)記錄功能,視為“合規”。 | | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
密鑰管理服務設置憑據自動輪轉 | 密鑰管理服務中的憑據設置自動輪轉,視為“合規”。如果密鑰類型為普通密鑰,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
|
運行中的ECS實例未綁定公網地址 | 運行中的ECS實例沒有直接綁定IPv4公網IP或彈性公網IP,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
OSS存儲空間開啟服務端加密 | OSS存儲空間開啟服務端OSS完全托管加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS存儲空間開啟日志轉存 | OSS存儲空間的日志管理中開啟日志轉存,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.#The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
OSS存儲空間ACL禁止公共讀 | OSS存儲空間的ACL策略禁止公共讀,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
阿里云賬號不存在AccessKey | 阿里云賬號不存在任何狀態的AccessKey,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
ECS數據磁盤開啟加密 | ECS數據磁盤已開啟加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
KMS憑據成功輪轉 | KMS憑據開啟自動輪轉并且根據設定的輪轉周期成功進行了輪轉,視為“合規”。通用憑據不支持在KMS直接配置周期性輪轉,視為“不適用”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS存儲空間權限策略設置安全訪問 | OSS存儲空間權限策略中包含了讀寫操作的訪問方式設置為HTTPS,或者拒絕訪問的訪問方式設置為HTTP,視為“合規”。權限策略為空的OSS存儲空間,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
函數計算服務禁止訪問公網 | 函數計算服務設置了禁止訪問公網,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
SSL證書到期檢測 | SSL證書到期時間剩余天數大于參數指定的天數,視為”合規“。參數默認值為30天。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
NAS文件系統設置了加密 | NAS文件系統設置了加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
Elasticsearch實例數據節點開啟云盤加密 | Elasticsearch實例數據節點開啟云盤加密,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
KMS主密鑰未設置為待刪除 | KMS主密鑰未設置為待刪除,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
ADB集群未開啟公網 | ADB實例未開啟公網訪問,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
OSS存儲空間ACL禁止公共讀寫 | OSS存儲空間的ACL策略禁止公共讀寫,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
RAM用戶的AccessKey在指定時間內輪換 | RAM用戶的AccessKey創建時間距離檢查時間不超過指定天數,視為“合規”。默認值:90天。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
Elasticsearch實例未開啟公網訪問 | Elasticsearch實例未開啟公網訪問,視為“合規”。 | CC6.1、CC6.6 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
RAM用戶密碼策略符合要求 | RAM用戶密碼策略中各項配置滿足參數設置的值,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.#The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
運行中的ECS實例在專有網絡 | 阿里云推薦購買的ECS放在VPC里面。如果ECS有歸屬VPC,則視為“合規”。如果指定參數,則檢查ECS實例的專有網絡實例在指定參數范圍內,視為“合規”。非運行中的ECS實例視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
ALB實例HTTP監聽設置移除Header的轉發功能 | ALB負載均衡運行中的HTTP監聽設置了刪除Header的轉發動作,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
RDS實例禁止配置公網地址 | RDS實例未配置公網地址,視為“合規”。生產環境的RDS實例不推薦配置公網直接訪問,容易被黑客攻擊。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
SLB開啟HTTPS監聽 | SLB在指定端口上開啟HTTPS協議的監聽,視為“合規”。如果SLB實例只開啟TCP或者UDP協議的監聽,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
安全組非白名單端口入網設置有效 | 除指定的白名單端口外,其余端口不能有授權策略設置為允許而且來源為0.0.0.0/0的入方向規則,視為“合規”。云產品或虛商所使用的安全組不適用本規則,視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
Elasticsearch實例使用HTTPS傳輸協議 | Elasticsearch實例使用HTTPS傳輸協議,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
|
函數服務設置為僅允許指定VPC調用 | 函數服務設置為僅允許指定VPC調用,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
RDS實例開啟TDE加密 | RDS實例的數據安全性設置開啟TDE加密,視為“合規”。不支持TDE加密的實例規格或版本視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
|
安全組指定協議不允許對全部網段開啟風險端口 | 當安全組入網網段設置為0.0.0.0/0時,指定協議的端口范圍不包含指定風險端口,視為“合規”。若入網網段未設置為0.0.0.0/0時,即使端口范圍包含指定的風險端口,也視為“合規”。如果檢測到的風險端口被優先級更高的授權策略拒絕,視為“合規”。云產品或虛商所使用的安全組視為“不適用”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
|
PolarDB實例IP白名單禁止設置為全網段 | PolarDB實例IP白名單未設置為0.0.0.0/0,視為“合規”。 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
PolarDB集群的所有連接地址都未開啟公網 | PolarDB集群的所有連接地址都未開啟公網,視為“合規”。 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
|
檢測閑置彈性公網IP | 彈性公網已綁定到ECS或者NAT實例,非閑置狀態,視為“合規”。 | CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
RAM用戶訪問設置人員和程序分離 | RAM用戶未同時開啟控制臺訪問和API調用訪問,視為“合規”。 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
|
No permissions granted directly to RAM users | A RAM user with no permission policy attached directly is deemed "compliant". RAM users should inherit permissions from a RAM group or a RAM role. | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
RAM users belong to a user group | Deemed "compliant" when every RAM user belongs to a RAM user group. | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
RAM user has no active access keys | A RAM user that has no access key in the active state is deemed "compliant". | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ACK cluster has the ack-ram-authenticator component installed for RAM-based request authentication | An ACK cluster with the ack-ram-authenticator component installed, providing RAM-based authentication, is deemed "compliant". | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
ECS instance is assigned an instance RAM role | An ECS instance that has been assigned an instance RAM role is deemed "compliant". | CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. |
PolarDB cluster has TDE enabled | A PolarDB cluster with TDE enabled is deemed "compliant". | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
API security authentication is configured in API Gateway | An API in API Gateway whose security authentication is set to Alibaba Cloud App, or which uses the specified plug-in type, is deemed "compliant". | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
Domain names bound to API groups in API Gateway are connected to WAF or WAF 3.0 | An API group in API Gateway whose bound domain name is connected to WAF or WAF 3.0 is deemed "compliant". | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
Auto Scaling configuration does not assign a public IPv4 address | An Auto Scaling configuration that does not assign a public IPv4 address is deemed "compliant". | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
Running ECS instances have no unfixed vulnerabilities | An ECS instance with no unfixed vulnerabilities of the specified types and severity levels in Security Center is deemed "compliant". Instances that are not in the Running state are out of scope of this rule and deemed "not applicable". | | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
All ECS instances in the account have the Security Center agent installed | Deemed "compliant" when every ECS instance in the account has the Security Center agent installed. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
SLB instance is not bound to a public IP | An SLB instance that is not bound to a public IP is deemed "compliant". If there is no public network requirement, an SLB instance should not be bound directly to a public IP address. If there is a public network requirement, purchase an EIP and bind it to the SLB instance; an EIP is more flexible and can use shared bandwidth to reduce cost. | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
NAT gateway must not map the specified risky ports | A NAT gateway whose DNAT port mappings do not include the specified risky ports is deemed "compliant". | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
SLB uses a certificate issued by Alibaba Cloud | An SLB instance whose certificate is issued by Alibaba Cloud is deemed "compliant". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
HTTPS listeners of the SLB instance use the specified TLS security policy | An SLB instance is deemed "compliant" when all of its HTTPS listeners use the security policy (cipher suite) version specified by the parameter. SLB instances with no HTTPS listener are deemed "not applicable". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
Custom domain names of API groups in API Gateway have an SSL certificate configured | An API group in API Gateway that is bound to a custom domain name with an SSL certificate configured is deemed "compliant". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
PolarDB cluster has SSL encryption configured | A PolarDB cluster with SSL encryption configured is deemed "compliant". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
CDN domain name has TLS 1.3 enabled | Checks whether TLS 1.3 is enabled for the CDN domain name; a domain name with TLS 1.3 enabled is deemed "compliant". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
DTS synchronization task uses SSL-secured connections to both the source and the destination database | A DTS instance is deemed "compliant" when the source and destination databases of its synchronization task both use SSL-secured connections. DTS instances whose task type is not synchronization are out of scope of this rule and deemed "not applicable". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
ECS instances must not be bound to a public address | An ECS instance that has no IPv4 public IP or Elastic IP bound directly is deemed "compliant". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
Container Registry instance has no public access endpoint enabled | A Container Registry instance whose public access endpoint is not enabled is deemed "compliant"; applies to Enterprise Edition. | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
Redis instance has TLS or SSL encryption configured | A Redis instance with TLS or SSL encryption configured is deemed "compliant". | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. |
No unfixed image vulnerabilities in Security Center | Deemed "compliant" when image scanning is enabled in Security Center and no image vulnerabilities are pending repair. When image scanning is not enabled or has not been run, vulnerability information cannot be obtained and the rule is deemed "not applicable". | | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
ACK cluster nodes have the CloudMonitor agent installed | An ACK cluster is deemed "compliant" when every node has the CloudMonitor agent installed and the agent is running normally. | CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
Function settings in Function Compute meet the parameter-specified requirements | A function in Function Compute 2.0 whose settings meet the requirements specified by the parameters is deemed "compliant". | CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
CloudMonitor alert rules are configured for the specified cloud services | Deemed "compliant" when at least one alert rule is configured in CloudMonitor for the cloud services in the specified namespaces. | | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
ADB cluster has SQL audit logging enabled | An ADB cluster with SQL audit logging enabled is deemed "compliant". | CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
PolarDB cluster has SQL audit enabled | A PolarDB cluster whose SQL audit status is enabled is deemed "compliant". | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |