Audit Log Dump Is Enabled for DWS Clusters
Rule Details
Table 1 Rule details (Parameter: Description)
Rule Name: dws-enable-log-dump
Identifier: Audit Log Dump Is Enabled for DWS Clusters
Description: If audit log dump is not enabled for a GaussDB(DWS) cluster, this cluster is non-compliant.
Solution
Enable audit log reporting. For details, see Configuring Log Reporting.
Rule Logic
If audit log reporting is not enabled for a TaurusDB instance, this instance is non-compliant.
If audit log reporting is enabled for a TaurusDB instance, this instance is compliant.
For details, see Enabling Upload Audit Logs to LTS.
Rule Logic
If audit logs are not uploaded to LTS, the GaussDB instance is non-compliant.
If audit logs are uploaded to LTS, the GaussDB instance is compliant.
Parent topic: GaussDB
C.CS.FOUNDATION.G_6_1.R_7 Enabling the database audit logs rds-instance-enable-auditLog rds If an RDS instance does not have the audit log enabled or has audit logs kept for less than the specified number of days, this instance is noncompliant.
For details, see Setting SQL Audit and Enabling SQL Audit. Rule Logic If SQL audit is enabled for an RDS instance and the audit logs are retained for at least the required period, the instance is compliant.
Solution Configure audit log policies (including slow query logs, error logs, and SQL audit logs) for the RDS instance. For details, see Setting SQL Audit and Enabling SQL Audit.
log enabled or has audit logs kept for less than the specified number of days, this instance is noncompliant. rds-instance-engine-version-check rds If the version of an RDS instance engine is earlier than the specified version, this instance is noncompliant. rds-instance-port-check
for each OBS bucket. 10.1 Implement audit trails to link all access to system components to each individual user. cts-tracker-exists Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console. 10.1 Implement audit trails
Logging Is Enabled for RDS DB Instances C.CS.FOUNDATION.G_6_2.R_1 dds-instance-enable-ssl SSL Has Been Enabled for DDS DB Instances C.CS.FOUNDATION.G_6_4.R_5 gaussdb-instance-enable-auditLog Audit Logging Is Enabled for GaussDB Instances C.CS.FOUNDATION.G_7_3.R_1 dws-enable-kms KMS
Adding a Custom Rule Scenario You can create custom rules with FunctionGraph if built-in policies cannot meet your resource audit requirements. A custom policy is a function developed and published through FunctionGraph.
You can use the traces to perform security analysis, track resource changes, audit compliance, and locate faults. Security best practices must be followed to prevent loss, tampering, or disclosure of trace files.
cts-lts-enable Unified compliance audit cts-support-validate-check Unified compliance audit cts-kms-encrypted-check Unified compliance audit multi-region-cts-tracker-exists Unified security management cce-endpoint-public-access Unified security management ecs-instance-no-public-ip
Tag: cts
Trigger Type: Configuration change
Filter Type: cts.trackers
Configure Rule Parameters: None
Applicable Scenario: Operation records can provide reliable, effective evidence for security audit and troubleshooting.
Tag: obs
Trigger Type: Configuration change
Filter Type: obs.buckets
Configure Rule Parameters: None
Applicable Scenario: To analyze and audit access to OBS buckets, you can enable logging.
Table 1 Conformance package description Rule Cloud Service Description gaussdb-mysql-instance-enable-auditlog taurusdb If a TaurusDB instance does not have audit log collection enabled, this instance is noncompliant. gaussdb-mysql-instance-enable-backup taurusdb If a TaurusDB instance
Data Warehouse Service KMS Encryption Check Audit Log Dump Is Enabled for DWS Clusters Automated Snapshots are Enabled for DWS Clusters SSL Encryption Is Enabled for DWS Clusters DWS Clusters Should Not Use EIPs O&M Time Window Check DWS Clusters Are in Specified VPCs Parent topic
Supported Config Operations
Scenarios
Cloud Trace Service (CTS) records operations on Config for your later query, audit, and backtracking.
Prerequisites
You have enabled CTS.
Key Operations Recorded by CTS
Config can report read and write operations to CTS.
Should Not Use EIPs RDS Instances Use KMS Encryption RDS Instances Are in the Specified VPC Both Error Logs and Slow Query Logs Are Collected for RDS Instances Flavor Check RDS Instances Have SSL Enabled RDS Default Port Check Version Check for RDS Instance Engines RDS Instances Have Audit
TaurusDB The Slow Query Log Is Enabled Error Logging Is Enabled Backup Is Enabled The Audit Log Reporting Is Enabled Data Transmission Encryption Is Enabled Cross-AZ Deployment Check TaurusDB Instance EIP Check VPC Check TaurusDB Database Engine Version TaurusDB Instance Port Check
GaussDB GaussDB Instances Are in the Specified VPC Audit Log Collection Is Enabled Automated Backup Is Enabled Error Log Collection Is Enabled Slow Query Log Collection Is Enabled GaussDB Instance EIP Check Cross-AZ Deployment Check Data Transmission Encryption Is Enabled GaussDB