Evaluating Resources By Region. Scenario: If you do not want your OBS buckets in the regions outside of the Chinese mainland to be publicly accessed, you can create a rule to check if your OBS buckets are correctly configured to meet your expectations.
If you want to use a template in your OBS bucket to create a conformance package, configure a proper IAM policy and an OBS bucket policy to ensure that the template can be accessed.
OBS related configurations.
cce-cluster-oldest-supported-version cce If a CCE cluster is running the oldest supported version, this cluster is noncompliant. cce-endpoint-public-access cce If a CCE cluster has an EIP attached, this CCE cluster is noncompliant. cts-obs-bucket-track cts If no trackers are created for the specified OBS
Topping Up Your Account Config is free of charge, but the SMN topic and the OBS bucket that you configured for the resource recorder will be charged. For details, see SMN billing and OBS billing.
) OBS Bucket Policies Do Not Allow Blacklisted Actions Configuration change obs.buckets OBS Bucket Policies Only Allow Access from the Specified Objects Configuration change obs.buckets Permission Boundary Check Configuration change obs.buckets OBS Bucket Policies Do Not Allow Public
If you need longer storage, you can dump the logs into an OBS bucket. For details, see Modifying Basic Log Configurations. Rule Logic If a CSS cluster has slow query log disabled, this cluster is noncompliant.
Tag obs, access-analyzer-verified Trigger Type Configuration change Filter Type iam.roles, iam.policies Configure Rule Parameters blockedActionsPatterns: indicates blocked actions for KMS. The value must be an array.
cts-kms-encrypted-check cts If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. cts-lts-enable cts If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant. cts-obs-bucket-track cts If no CTS trackers are created for the specified OBS
as-group-elb-healthcheck-required as If an AS group is not using Elastic Load Balancing health check, this rule is noncompliant. cts-lts-enable cts If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant. cts-obs-bucket-track cts If no CTS trackers are created for the specified OBS
Configuring the resource recorder You can set the monitoring scope, select an SMN topic, and configure the data storage path (OBS bucket).
css-cluster-security-mode-enable css If a CSS cluster does not support the security mode, this cluster is noncompliant. cts-kms-encrypted-check cts If a CTS tracker is not encrypted using KMS, this tracker is noncompliant. cts-obs-bucket-track cts If no CTS trackers are created for the specified OBS
function-graph-inside-vpc fgs If a function is not in the specified VPC, this function is noncompliant. 3.3 function-graph-public-access-prohibited fgs If a function can be accessed over a public network, this function is noncompliant. 3.3 iam-customer-policy-blocked-kms-actions obs
If you have enabled the resource recorder and specified an OBS bucket and an SMN topic when you configure the resource recorder, Config will notify you if there is a change (creation, modification, deletion, relationship change) to the resources within the monitoring scope and periodically
Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region.
OPS-15 cts-obs-bucket-track Create at least one CTS tracker for each OBS bucket. OPS-15 multi-region-cts-tracker-exists Create CTS trackers for different regions where your services are deployed.