The following is an example policy used to check whether specified images are used for ECSs. { "id": "5fa265c0aa1e6afc05a0ff07", "name": "allowed-images-by-id", "description": "An ECS image is non-compliant if its ID is not within the specific image ID range.
C.CS.FOUNDATION.G_8.R_7 Enabling HSS (basic/professional/enterprise/premium edition): policy ecs-attached-hss-agents-check, resource type ecs. If an ECS does not have an HSS agent installed or does not have protection enabled, this ECS is noncompliant.
PUT https://{endpoint}/v1/resource-manager/domains/{domain_id}/policy-assignments { "name" : "allowed-images-by-id", "description" : "The ECS resource is non-compliant if the image it used is not in the allowed list", "parameters" : { "listOfAllowedImages" : { "value
Elastic Cloud Server (ECS): ECSs (ecs.cloudservers)
Hyper Elastic Cloud Server (HECS): HECSs (hecs.hcloudservers)
Virtual Private Cloud (VPC): VPCs (vpc.vpcs), EIPs (vpc.publicips)
Elastic Volume Service (EVS): Disks (evs.volumes)
Auto Scaling (AS): AS Groups
Image Management Service (IMS): Images
noncompliant.
rds-instances-enable-kms (rds): If KMS encryption is not enabled for an RDS instance, this instance is noncompliant.
sfsturbo-encrypted-check (sfsturbo): If KMS encryption is not enabled for an SFS Turbo file system, this file system is noncompliant.
volumes-encrypted-check (ecs):
Example Requests PUT https://{endpoint}/v1/resource-manager/domains/{domain_id}/policy-assignments/{policy_assignment_id} { "name" : "allowed-images-by-id", "description" : "The ECS resource is non-compliant if the image it used is not in the allowed list", "parameters" : {
Example Requests

Querying all ECS IDs in the current organization:

POST https://{endpoint}/v1/resource-manager/domains/{domain_id}/aggregators/{aggregator_id}/run-query
{
  "expression" : "select id from aggregator_resources where provider = 'ecs' and type = 'cloudservers'"
}
Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region.
The following JSON expression shows a non-compliant evaluation result:
{
  "domain_id": "domainidforpolicy",
  "resource_id": "special-ecs1-with-public-ip-with-tag",
  "resource_name": "ecs1-with-public-ip-with-tag",
  "resource_provider": "ecs",
  "resource_type": "cloudservers
-- The leading SELECT and the ECS subquery are missing from this copy of the page;
-- they are reconstructed here from the CROSS JOIN UNNEST variant of the same query further down.
SELECT ECS.id AS ecs_id, EVS.id AS evs_id
FROM (
  SELECT id, transform(properties.ExtVolumesAttached, x -> x.id) AS evs_list
  FROM resources
  WHERE provider = 'ecs' AND type = 'cloudservers'
) ECS,
(
  SELECT id FROM resources WHERE provider = 'evs' AND type = 'volumes'
) EVS
WHERE contains(ECS.evs_list, EVS.id)

contains(a, element) -> boolean determines whether element appears in array a, so each ECS row is paired with every EVS disk whose ID appears in that ECS's attached-volume list.
If you need to query ECSs (ecs.cloudservers), set the provider to ecs, and type to cloudservers for the request. For details about the cloud services (provider) and resource types (type), see the Supported Services and Resource Types section in the appendix.
SELECT ECS_EVS.id AS ecs_id, EVS.id AS evs_id
FROM (
  SELECT id, evs_id
  FROM (
    SELECT id, transform(properties.ExtVolumesAttached, x -> x.id) AS evs_list
    FROM resources
    WHERE provider = 'ecs' AND type = 'cloudservers'
  ) ECS
  CROSS JOIN UNNEST(evs_list) AS t (evs_id)
) ECS_EVS,
-- The page's copy of this query is cut off after "AS t (evs_id"; the join against
-- evs.volumes below is reconstructed from the contains() variant of the same query above.
(
  SELECT id FROM resources WHERE provider = 'evs' AND type = 'volumes'
) EVS
WHERE ECS_EVS.evs_id = EVS.id
", "policy_type" : "builtin", "description" : "An ECS is non-compliant if it has an EIP.
ECSs Have Key Pairs Attached: trigger configuration change; resource type ecs.cloudservers
ECSs Cannot Be Accessed Through Public Networks: trigger configuration change; resource type ecs.cloudservers
An ECS Does Not Have Multiple EIPs Attached: trigger configuration change; resource type ecs.cloudservers
Idle ECS Check: trigger periodic; resource type ecs.cloudservers
ECSs
", "policy_filter": { "region_id": "regionid_1", "resource_provider": "ecs", "resource_type": "cloudservers", "tag_key": "env", "tag_value": "production" }, "period": null, "state": "Enabled", "created": "2020-12-07T01:34:14.266Z",
In this example, if the vpcId of an ECS does not match the specified VPC ID, NonCompliant is returned. Otherwise, Compliant is returned.
'''
def evaluate_compliance(resource, parameter):
    # Only ecs.cloudservers resources are in scope for this rule. The page's copy of
    # the function is cut off after this condition; the remainder follows the
    # description above. Returning Compliant for out-of-scope resources, the
    # parameter key "vpcId" and the property path properties.vpcId are assumptions.
    if resource.get("provider") != "ecs" or resource.get("type") != "cloudservers":
        return "Compliant"
    expected_vpc_id = parameter.get("vpcId")
    actual_vpc_id = (resource.get("properties") or {}).get("vpcId")
    if actual_vpc_id != expected_vpc_id:
        return "NonCompliant"
    return "Compliant"
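The allowed-images-by-id policy assignment shown earlier passes its image list through "parameters": {"listOfAllowedImages": {"value": [...]}}, and the custom policy above shows the shape of an evaluation function. The following is an added example, not code from the Huawei Cloud Config documentation, that evaluates the allowed-images rule locally against constructed resource records in the same evaluate_compliance(resource, parameter) style. The property path properties.metadata.image_id for an ECS's image, the treatment of non-ECS resources as Compliant, and tolerating a JSON-encoded string for the list parameter are assumptions, not documented behaviour.

```python
import json

# Added example (not Huawei Cloud Config code). Assumed, not from the page:
#  - an ECS's image ID is read from properties.metadata.image_id
#  - resources other than ecs.cloudservers are reported as Compliant (rule not applicable)
#  - the parameter value may arrive as a list, a {"value": [...]} block, or a JSON string
ALLOWED_IMAGES_PARAM = "listOfAllowedImages"


def _allowed_images(parameter):
    """Return the set of allowed image IDs from the assignment's parameter block."""
    raw = parameter.get(ALLOWED_IMAGES_PARAM, {})
    if isinstance(raw, dict):          # {"listOfAllowedImages": {"value": [...]}} as in the PUT body
        raw = raw.get("value", [])
    if isinstance(raw, str):           # assumed: some tooling serialises list parameters as JSON text
        raw = json.loads(raw)
    if not isinstance(raw, list):
        raise ValueError("listOfAllowedImages must be a list of image IDs")
    return {str(image_id) for image_id in raw}


def _image_id(resource):
    """Image ID of an ECS resource record (property path is an assumption)."""
    properties = resource.get("properties") or {}
    metadata = properties.get("metadata") or {}
    return metadata.get("image_id")


def evaluate_compliance(resource, parameter):
    """Compliant if the ECS was built from an allowed image, NonCompliant otherwise."""
    if resource.get("provider") != "ecs" or resource.get("type") != "cloudservers":
        return "Compliant"             # rule does not apply to this resource type (assumption)
    allowed = _allowed_images(parameter)
    image_id = _image_id(resource)
    if image_id is None:
        # Fail closed: an ECS whose image cannot be determined is not provably allowed.
        return "NonCompliant"
    return "Compliant" if image_id in allowed else "NonCompliant"


def evaluate_all(resources, parameter):
    """Map resource ID to evaluation result for a batch of resource records."""
    return {r["id"]: evaluate_compliance(r, parameter) for r in resources}


# Constructed sample input: one assignment parameter block and four resource records.
SAMPLE_PARAMETER = {"listOfAllowedImages": {"value": ["img-gold-001", "img-gold-002"]}}
SAMPLE_RESOURCES = [
    {"id": "ecs-1", "provider": "ecs", "type": "cloudservers",
     "properties": {"metadata": {"image_id": "img-gold-001"}}},
    {"id": "ecs-2", "provider": "ecs", "type": "cloudservers",
     "properties": {"metadata": {"image_id": "img-unknown-999"}}},
    {"id": "ecs-3", "provider": "ecs", "type": "cloudservers",
     "properties": {}},                                   # image ID missing
    {"id": "vol-1", "provider": "evs", "type": "volumes",
     "properties": {}},                                   # not an ECS
]

if __name__ == "__main__":
    for resource_id, state in evaluate_all(SAMPLE_RESOURCES, SAMPLE_PARAMETER).items():
        print(resource_id, state)
```

Note that an assignment with an empty or missing listOfAllowedImages makes every ECS NonCompliant: the evaluator fails closed rather than silently allowing all images, which is the behaviour to want for an allow-list policy.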