The Audit Log Is Enabled
Rule Details
Table 1 Rule details (Parameter / Description)
Rule Name: gaussdb-mysql-instance-enable-auditlog
Identifier: gaussdb-mysql-instance-enable-auditlog
Description: If the audit log is not enabled for a TaurusDB instance, this instance is noncompliant.
Audit Log Collection Is Enabled
Rule Details
Table 1 Rule details (Parameter / Description)
Rule Name: gaussdb-instance-enable-auditLog
Identifier: gaussdb-instance-enable-auditLog
Description: If the audit log is not enabled for a GaussDB instance, this instance is noncompliant.
C.CS.FOUNDATION.G_6_1.R_7 Enabling the database audit logs rds-instance-enable-auditLog rds If an RDS instance does not have the audit log enabled or has audit logs kept for less than the specified number of days, this instance is noncompliant.
RDS Instances Have Audit Log Enabled Rule Details Table 1 Rule details Parameter Description Rule Name rds-instance-enable-auditLog Identifier rds-instance-enable-auditLog Description If an RDS instance does not have the audit log enabled or has audit logs kept for less than the specified
Audit records shall be protected and regular backup should be performed to avoid unexpected deletion, modification, or overwriting. cts-tracker-exists Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console. 8.1.4.1 d.
log enabled or has audit logs kept for less than the specified number of days, this instance is noncompliant. rds-instance-engine-version-check rds If the version of an RDS instance engine is earlier than the specified version, this instance is noncompliant. rds-instance-port-check
for each OBS bucket. 10.1 Implement audit trails to link all access to system components to each individual user. cts-tracker-exists Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console. 10.1 Implement audit trails
Table 1 Conformance package description Rule Cloud Service Description gaussdb-instance-enable-auditLog gaussdb If a GaussDB instance does not have audit log collection enabled, this instance is noncompliant. gaussdb-instance-enable-backup gaussdb If a GaussDB instance does not have
CTS helps you record operations on Config for later query, audit, and backtrack. Recording Config Operations in CTS FunctionGraph You can use FunctionGraph to create a custom policy to evaluate resource compliance. To create a custom rule, you need to use FunctionGraph.
Adding a Custom Rule Scenario You can create custom rules with FunctionGraph if built-in policies cannot meet your resource audit requirements. A custom policy is a function developed and published through FunctionGraph.
You can use the traces to perform security analysis, track resource changes, audit compliance, and locate faults. Security best practices must be met to avoid trace files loss, tampering, or disclosure.
Scenario: If you tag resources by environment, you can use these tags to audit resources in different environments. Assume that you have added the tag key: Env:Prod to all resources in the production environment and Env:Test to all resources in the test environment.
Log Enabled Configuration change rds.instances GaussDB GaussDB Instances Are in the Specified VPC Configuration change gaussdb.instance Audit Log Collection Is Enabled Configuration change gaussdb.instance Automated Backup Is Enabled Configuration change gaussdb.instance Error Log
cts-lts-enable Unified compliance audit cts-support-validate-check Unified compliance audit cts-kms-encrypted-check Unified compliance audit multi-region-cts-tracker-exists Unified security management cce-endpoint-public-access Unified security management ecs-instance-no-public-ip
Tag: cts
Trigger Type: Configuration change
Filter Type: cts.trackers
Configure Rule Parameters: None
Applicable Scenario: Operation records can provide reliable, effective evidence for security audit and troubleshooting.
Table 1 Conformance package description Rule Cloud Service Description gaussdb-mysql-instance-enable-auditlog taurusdb If a TaurusDB instance does not have audit log collection enabled, this instance is noncompliant. gaussdb-mysql-instance-enable-backup taurusdb If a TaurusDB instance
Supported Config Operations Scenarios Cloud Trace Service (CTS) records operations on Config for your later query, audit, and backtrack. Prerequisites You have enabled CTS.
EIPs Attached RDS Instances Use KMS Encryption RDS Instances Are in the Specified VPC Both Error Logs and Slow Query Logs Are Collected for RDS Instances Flavor Check RDS Instances Have SSL Enabled RDS Instance Port Check Version Check for RDS Instance Engines RDS Instances Have Audit
TaurusDB The Slow Query Log Is Enabled The Error Log Is Enabled Backup Is Enabled The Audit Log Is Enabled Data Transmission Encryption Is Enabled Cross-AZ Deployment Check EIP Check VPC Check Parent topic: Built-In Policies
GaussDB GaussDB Instances Are in the Specified VPC Audit Log Collection Is Enabled Automated Backup Is Enabled Error Log Collection Is Enabled Slow Query Log Collection Is Enabled GaussDB Instances Do Not Have EIPs Attached Cross-AZ Deployment Check Data Transmission Encryption Is