Table 1 Conformance package description (Rule / Cloud Service / Description)
cts-kms-encrypted-check / cts / If a CTS tracker is not encrypted using KMS, this tracker is noncompliant.
cts-lts-enable / cts / If Transfer to LTS is not enabled for a CTS tracker, this tracker is noncompliant.
cts-support-validate-check
C.CS.FOUNDATION.G_5_2.R_1 / Ensuring that EVS encryption is enabled / volumes-encrypted-check / ecs, evs / If a mounted EVS disk is not encrypted, this disk is noncompliant.
Backups are encrypted, especially if they are going to be moved between locations.
4. The ability to regularly restore data from the backups is tested.
C.CS.FOUNDATION.G_7_3.R_6 / Enabling SSL encrypted transmission / dws-enable-ssl / dws / If SSL is not enabled for a DWS cluster, this cluster is noncompliant.
alarm-obs-bucket-policy-change / ces, obs / If there are no alarm rules configured for OBS bucket policy changes, this rule is noncompliant.
alarm-vpc-change / ces, vpc / If there are no alarm rules configured for VPC changes, the current account is noncompliant.
cts-kms-encrypted-check / cts / If a CTS tracker is not encrypted using KMS, this tracker is noncompliant.
If an ECS has multiple EIPs attached, this ECS is noncompliant.
stopped-ecs-date-diff / ecs / If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant.
volumes-encrypted-check / ecs, evs / If a mounted EVS disk is not encrypted, this disk is noncompliant.
HTTPS is HTTP carried over a connection encrypted by Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). With SSL/TLS, servers are authenticated using certificates, and communications between browsers and servers are encrypted.
Solution: Configure an HTTPS certificate.
css-cluster-https-required / css / If HTTPS is not enabled for a CSS cluster, this cluster is noncompliant.
css-cluster-in-vpc / css / If a CSS cluster is not in any of the specified VPCs, this cluster is noncompliant.
cts-kms-encrypted-check / cts / If a CTS tracker is not encrypted using KMS, this tracker is noncompliant.
Cloud service interruption: If a CA expires, cloud services that depend on the CA for encrypted communication may be interrupted. Solution Rotate a Private CA, or renew the private CA in the Billing Center.
For example, you can check if the configurations (public IPs attached or disks encrypted) of your resources meet security requirements. Optimize costs. For example, you can list all EVS disks that have not been attached to any ECS to avoid unnecessary expenditures.
If a key is disabled, data encrypted with it cannot be decrypted until the key is enabled again; if the key is deleted, that data becomes permanently unavailable.
Solution: Create related alarm rules.
Rule Logic: If there are no alarm rules configured for disabling or deleting KMS keys, this rule is non-compliant.
If logging is not enabled for a dedicated APIG gateway, this gateway is considered non-compliant.
as-group-elb-healthcheck-required / as / If an AS group is not using Elastic Load Balancing health check, this rule is noncompliant.
cts-kms-encrypted-check / cts / If a CTS tracker is not encrypted using KMS, this tracker is noncompliant.
stopped-ecs-date-diff / ecs / If an ECS has been stopped for longer than the time allowed, and no operations have been performed on it, this ECS is noncompliant.
volume-unused-check / evs / If an EVS disk is not mounted to any cloud server, this disk is noncompliant.
volumes-encrypted-check / ecs, evs / If a mounted EVS disk is not encrypted, this disk is noncompliant.
Encrypted communication: Key pairs use asymmetric cryptography to authenticate SSH logins, so no password is transmitted that could be guessed or captured by a man-in-the-middle (MITM) attacker.
Solution: On the management console, create a key pair and clear the password for the ECS. For details, see Key Pairs.
Solution: Configure TLS security policies for encrypted communication.
Rule Logic: If a specified security policy is not configured for the HTTPS listener of a load balancer, this load balancer is non-compliant.
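The rule logic stated for volumes-encrypted-check, volume-unused-check, stopped-ecs-date-diff, cts-kms-encrypted-check and the HTTPS listener TLS-policy rule above reduces to a small predicate over a resource snapshot. The following Python is an added example, not Huawei Cloud Config's own evaluator or code from this page: the resource records are constructed for illustration, and the field names (attached_to, updated, tls_policy, kms_id), the 30-day idle threshold, the rule key used for the ELB check and the TLS policy names in the allowed set are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample snapshots. These are illustrative records, not the Huawei
# Cloud Config resource schema; every field name below is an assumption.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

EVS_DISKS = [
    {"id": "vol-a", "encrypted": True,  "attached_to": "ecs-1"},
    {"id": "vol-b", "encrypted": False, "attached_to": "ecs-1"},  # mounted, plaintext
    {"id": "vol-c", "encrypted": False, "attached_to": None},     # unattached
]
ECS_SERVERS = [
    {"id": "ecs-1", "status": "ACTIVE",  "updated": NOW - timedelta(days=1)},
    {"id": "ecs-2", "status": "SHUTOFF", "updated": NOW - timedelta(days=45)},  # idle, untouched
    {"id": "ecs-3", "status": "SHUTOFF", "updated": NOW - timedelta(days=3)},   # recently stopped
]
ELB_LISTENERS = [
    {"id": "lsn-1", "protocol": "HTTPS", "tls_policy": "tls-1-2-strict"},
    {"id": "lsn-2", "protocol": "HTTPS", "tls_policy": "tls-1-0"},  # not in the allowed set
    {"id": "lsn-3", "protocol": "HTTP",  "tls_policy": None},       # rule does not apply
]
CTS_TRACKERS = [
    {"id": "system", "kms_id": "key-123"},
    {"id": "custom", "kms_id": None},
]


def volumes_encrypted_check(disks):
    """volumes-encrypted-check: a mounted EVS disk that is not encrypted is noncompliant.
    Unattached disks are deliberately skipped; volume_unused_check covers them."""
    return [d["id"] for d in disks if d["attached_to"] is not None and not d["encrypted"]]


def volume_unused_check(disks):
    """volume-unused-check: an EVS disk not mounted to any server is noncompliant."""
    return [d["id"] for d in disks if d["attached_to"] is None]


def stopped_ecs_date_diff(servers, now, allowed=timedelta(days=30)):
    """stopped-ecs-date-diff: stopped longer than `allowed` with no operation since.
    The page does not state the threshold; 30 days is an assumed default."""
    return [s["id"] for s in servers
            if s["status"] == "SHUTOFF" and now - s["updated"] > allowed]


def elb_tls_policy_check(listeners, allowed=("tls-1-2", "tls-1-2-strict")):
    """An HTTPS listener whose TLS security policy is not in `allowed` is noncompliant.
    Only HTTPS listeners are evaluated; the policy names are assumed for illustration."""
    return [l["id"] for l in listeners
            if l["protocol"] == "HTTPS" and l["tls_policy"] not in allowed]


def cts_kms_encrypted_check(trackers):
    """cts-kms-encrypted-check: a tracker with no KMS key configured is noncompliant."""
    return [t["id"] for t in trackers if not t.get("kms_id")]


def evaluate_all(now=NOW):
    """Run every rule and return {rule name: [noncompliant resource ids]}."""
    return {
        "volumes-encrypted-check": volumes_encrypted_check(EVS_DISKS),
        "volume-unused-check": volume_unused_check(EVS_DISKS),
        "stopped-ecs-date-diff": stopped_ecs_date_diff(ECS_SERVERS, now),
        "elb-https-tls-policy": elb_tls_policy_check(ELB_LISTENERS),  # rule key assumed
        "cts-kms-encrypted-check": cts_kms_encrypted_check(CTS_TRACKERS),
    }


if __name__ == "__main__":
    for rule, ids in evaluate_all().items():
        print(f"{rule}: {'compliant' if not ids else 'noncompliant: ' + ', '.join(ids)}")
```

Each predicate returns the identifiers of noncompliant resources rather than a boolean, which is what a conformance report needs and what keeps the "not applicable" cases (an HTTP listener, an unattached disk under the encryption rule) distinct from compliant ones.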
Encrypted communication: Key pairs use asymmetric cryptography to authenticate SSH logins, so no password is transmitted that could be guessed or captured by a man-in-the-middle (MITM) attacker.
Solution: On the management console, create a key pair for the bare metal server and clear the server's password.
Rule / Rule Name
C.CS.FOUNDATION.G_5_1.R_5 / obs-bucket-ssl-requests-only / OBS Buckets Should Deny Requests Not Encrypted with SSL
C.CS.FOUNDATION.G_5_2.R_1 / volumes-encrypted-check-by-default / Disk Encryption Is Enabled
C.CS.FOUNDATION.G_5_3.R_1 / sfsturbo-encrypted-check / KMS Encryption
You used an encrypted OBS bucket, but the agency assigned to the resource recorder did not contain related KMS permissions. For more details, see Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket.
If you want to store resource change messages and resource snapshots in an OBS bucket encrypted using KMS, you will also need the KMS Administrator permission.
Data leakage: If backend services are not encrypted or are incorrectly configured, attackers may steal sensitive data through the EIP.
Solution: If your load balancer needs to work over the public network, you do not need this check policy.