Application Scenarios You can enable SSE-KMS for an OBS bucket, so that each object uploaded to this bucket can be encrypted using the KMS key you specified before being stored in OBS.
css-cluster-no-public-zone (css): If a CSS cluster can be accessed over a public network, this cluster is noncompliant.
css-cluster-security-mode-enable (css): If a CSS cluster does not support the security mode, this cluster is noncompliant.
cts-kms-encrypted-check (cts): If a CTS tracker is not encrypted
Rule Logic: If a GES graph is not encrypted using KMS, this graph is noncompliant. If a GES graph is encrypted using KMS, this graph is compliant. Parent topic: Graph Engine Service
CTS Trackers Have Traces Encrypted. Rule Details (Table 1 Rule details):
Rule Name: cts-kms-encrypted-check
Identifier: cts-kms-encrypted-check
Description: If a CTS tracker does not have trace encryption enabled, this tracker is noncompliant.
For details, see Managing Encrypted EVS Disks. Rule Logic: If an EVS disk is not attached, this disk is compliant. If an EVS disk is attached and encrypted, this disk is compliant. If an EVS disk is attached but not encrypted, this disk is noncompliant.
You should ensure that SFS Turbo is encrypted using KMS. Encryption ensures data confidentiality and reduces the risk of unauthorized access to data. Solution Create an encrypted file system.
For details, see Managing Encrypted EVS Disks. Rule Logic: If an EVS disk is encrypted, this disk is compliant. If an EVS disk is not encrypted, this disk is noncompliant. Parent topic: Elastic Volume Service
If an OBS bucket allows requests that are not encrypted with SSL, this bucket is noncompliant. Whether an OBS bucket policy allows requests that are not encrypted with SSL is determined through the SecureTransport or g:SecureTransport parameter.
After you enable disk encryption, your data will be encrypted on disks and stored in ciphertext. When you download encrypted objects, the ciphertext will be decrypted into plain text and then sent to you.
Data will be encrypted on the server before being stored when you create a DB instance or scale up storage space. This reduces the risk of data leakage. Solution Create a key using the Data Encryption Workshop (DEW).
For details, see Managing Encrypted EVS Disks. Rule Logic: If a CBR backup is encrypted, this backup is compliant. If a CBR backup is not encrypted, this backup is noncompliant. Parent topic: Cloud Backup and Recovery
The purposes of key rotation are: Reducing the amount of data encrypted by each key. The security of a key is inversely proportional to the amount of data encrypted by the key.
account is noncompliant.
css-cluster-https-required (css): If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant.
css-cluster-in-vpc (css): If a CSS cluster is not in the specified VPCs, this cluster is noncompliant.
cts-kms-encrypted-check (cts): If a CTS tracker is not encrypted
Application Scenarios Private certificates are deployed on service nodes and are frequently used for encrypted communication. To prevent private key leakage, the validity period of private certificates is set based on the security level requirements of service scenarios.
When you create an ECS using an encrypted image, the system disk of the ECS is automatically encrypted. For details, see Encrypting Images. Solution Create an encrypted image from an external image file or an encrypted ECS.
If you need to use an encrypted bucket, you can add required KMS Administrator permissions to the agency or use custom authorization. For details, see Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket.
Table 1 Conformance package description (Rule, Cloud Service, Description):
cbr-backup-encrypted-check (cbr): If a CBR backup is not encrypted, this backup is noncompliant.
css-cluster-disk-encryption-check (css): If disk encryption is not enabled for a CSS cluster, this cluster is noncompliant
Cloud Trace Service CTS Trackers Have Traces Encrypted Log Transfer to LTS Is Enabled CTS Trackers Have Been Created for the Specified OBS Bucket Trace File Verification Is Enabled At Least One Tracker Is Enabled There Are CTS Trackers In the Specified Regions CTS Trackers Comply
Graph Engine Service GES Graphs Are Encrypted Using KMS GES Graphs Have LTS Enabled GES Graphs Support Cross-AZ HA Parent topic: Built-In Policies
Elastic Volume Service: EVS Disk Type Check; Disks Are Used Within the Specified Time; Idle EVS Disk Check; EVS Disks Are Encrypted; Disk Encryption Is Enabled; EVS Disks Have Backup Vaults Attached; EVS Backup Time Check. Parent topic: Built-In Policies