CIS Alibaba Cloud Foundation Benchmark
v1.0.0 - 12-11-2020
2 | Page
Table of Contents

Terms of Use .... 1
Overview .... 7
Intended Audience .... 7
Consensus Guidance .... 7
Typographical Conventions .... 9
Assessment Status .... 9
Profile Definitions .... 10
Acknowledgements .... 11
Recommendations .... 12

1 Identity and Access Management .... 12
1.1 Avoid the use of the "root" account (Manual) .... 13
1.2 Ensure no root account access key exists (Manual) .... 15
1.3 Ensure MFA is enabled for the "root" account (Manual) .... 17
1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password (Automated) .... 19
1.5 Ensure users not logged on for 90 days or longer are disabled for console logon (Automated) .... 22
1.6 Ensure access keys are rotated every 90 days or less (Automated) .... 24
1.7 Ensure RAM password policy requires at least one uppercase letter (Automated) .... 27
1.8 Ensure RAM password policy requires at least one lowercase letter (Automated) .... 29
1.9 Ensure RAM password policy requires at least one symbol (Automated) .... 31
1.10 Ensure RAM password policy requires at least one number (Automated) .... 33
1.11 Ensure RAM password policy requires a minimum length of 14 or greater (Automated) .... 35
1.12 Ensure RAM password policy prevents password reuse (Automated) .... 37
1.13 Ensure RAM password policy expires passwords within 90 days or less (Automated) .... 39
1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour (Automated) .... 41
1.15 Ensure RAM policies that allow full "*:*" administrative privileges are not created (Automated) .... 43
1.16 Ensure RAM policies are attached only to groups or roles (Automated) .... 46

2 Logging and Monitoring .... 49
2.1 Ensure that ActionTrail is configured to export copies of all log entries (Automated) .... 50
2.2 Ensure the OSS bucket used to store ActionTrail logs is not publicly accessible (Automated) .... 53
2.3 Ensure audit logs for multiple cloud resources are integrated with Log Service (Manual) .... 55
2.4 Ensure Log Service is enabled for Container Service for Kubernetes (Manual) .... 58
2.5 Ensure virtual network flow log service is enabled (Manual) .... 60
2.6 Ensure Anti-DDoS access and security log service is enabled (Manual) .... 62
2.7 Ensure Web Application Firewall access and security log service is enabled (Manual) .... 64
2.8 Ensure Cloud Firewall access and security log analysis is enabled (Manual) .... 66
2.9 Ensure Security Center Network, Host and Security log analysis is enabled (Manual) .... 68
2.10 Ensure log monitoring and alerts are set up for RAM Role changes (Manual) .... 71
2.11 Ensure log monitoring and alerts are set up for Cloud Firewall changes (Manual) .... 73
2.12 Ensure log monitoring and alerts are set up for VPC network route changes (Manual) .... 75
2.13 Ensure log monitoring and alerts are set up for VPC changes (Manual) .... 77
2.14 Ensure log monitoring and alerts are set up for OSS permission changes (Manual) .... 79
2.15 Ensure log monitoring and alerts are set up for RDS instance configuration changes (Manual) .... 81
2.16 Ensure log monitoring and alerts are set up for unauthorized API calls (Manual) .... 84
2.17 Ensure log monitoring and alerts are set up for Management Console sign-in without MFA (Manual) .... 86
2.18 Ensure log monitoring and alerts are set up for usage of the "root" account (Manual) .... 88
2.19 Ensure log monitoring and alerts are set up for Management Console authentication failures (Manual) .... 90
2.20 Ensure log monitoring and alerts are set up for disabling or deletion of customer-created CMKs (Manual) .... 92
2.21 Ensure log monitoring and alerts are set up for OSS bucket policy changes (Manual) .... 94
2.22 Ensure log monitoring and alerts are set up for security group changes (Manual) .... 96
2.23 Ensure that the Logstore data retention period is set to 365 days or greater (Manual) .... 98

3 Networking .... 100
3.1 Ensure legacy networks do not exist (Manual) .... 101
3.2 Ensure that SSH access is restricted from the internet (Manual) .... 103
3.3 Ensure VPC flow logging is enabled in all VPCs (Manual) .... 105
3.4 Ensure routing tables for VPC peering are "least access" (Manual) .... 107
3.5 Ensure security groups are configured with fine-grained rules (Manual) .... 109

4 Virtual Machines .... 111
4.1 Ensure that 'Unattached disks' are encrypted (Manual) .... 112
4.2 Ensure that 'Virtual Machine's disks' are encrypted (Manual) .... 114
4.3 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Manual) .... 116
4.4 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Manual) .... 118
4.5 Ensure that the latest OS patches for all Virtual Machines are applied (Manual) .... 120
4.6 Ensure that endpoint protection for all Virtual Machines is installed (Manual) .... 122

5 Storage .... 124
5.1 Ensure that OSS bucket is not anonymously or publicly accessible (Automated) .... 125