【免费】CIS-Alibaba-Cloud-Foundation-Benchmark-v1.0.0.pdf资源-CSDN文库

阿里云

安全测评

需积分: 0 26 浏览量 2023-08-12 11:46:54 上传评论收藏 2.01MB PDF 举报

资源推荐

资源详情

资源评论

CIS Alibaba Cloud Foundation Benchmark

v1.0.0 - 12-11-2020

2 | P a g e  
 
Table of Contents 
Terms of Use ........................................................................................................................................................... 1 
Overview .................................................................................................................................................................. 7 
Intended Audience ........................................................................................................................................... 7 
Consensus Guidance ........................................................................................................................................ 7 
Typographical Conventions ......................................................................................................................... 9 
Assessment Status............................................................................................................................................ 9 
Profile Definitions ......................................................................................................................................... 10 
Acknowledgements ...................................................................................................................................... 11 
Recommendations ............................................................................................................................................. 12 
1 Identity and Access Management ........................................................................................................ 12 
1.1 Avoid the use of the "root" account (Manual) .............................................................. 13 
1.2 Ensure no root account access key exists (Manual) ................................................... 15 
1.3 Ensure MFA is enabled for the "root" account (Manual) ......................................... 17 
1.4 Ensure that multi-factor authentication is enabled for all RAM users that have 
a console password (Automated) ............................................................................................. 19 
1.5 Ensure users not logged on for 90 days or longer are disabled for console 
logon (Automated) ......................................................................................................................... 22 
1.6 Ensure access keys are rotated every 90 days or less (Automated) ................... 24 
1.7 Ensure RAM password policy requires at least one uppercase letter 
(Automated) ...................................................................................................................................... 27 
1.8 Ensure RAM password policy requires at least one lowercase letter 
(Automated) ...................................................................................................................................... 29 
1.9 Ensure RAM password policy require at least one symbol (Automated).......... 31 
1.10 Ensure RAM password policy require at least one number (Automated) ...... 33 
1.11 Ensure RAM password policy requires minimum length of 14 or greater 
(Automated) ...................................................................................................................................... 35 
1.12 Ensure RAM password policy prevents password reuse (Automated) ........... 37 
1.13 Ensure RAM password policy expires passwords within 90 days or less 
(Automated) ...................................................................................................................................... 39 
1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect 
logon attempts within an hour (Automated) ....................................................................... 41 

3 | P a g e  
 
1.15 Ensure RAM policies that allow full "*:*" administrative privileges are not 
created (Automated) ..................................................................................................................... 43 
1.16 Ensure RAM policies are attached only to groups or roles (Automated) ....... 46 
2 Logging and Monitoring .......................................................................................................................... 49 
2.1 Ensure that ActionTrail are configured to export copies of all Log entries 
(Automated) ...................................................................................................................................... 50 
2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible 
(Automated) ...................................................................................................................................... 53 
2.3 Ensure audit logs for multiple cloud resources are integrated with Log Service 
(Manual) ............................................................................................................................................. 55 
2.4 Ensure Log Service is enabled for Container Service for Kubernetes (Manual)
 ................................................................................................................................................................ 58 
2.5 Ensure virtual network flow log service is enabled (Manual) ............................... 60 
2.6 Ensure Anti-DDoS access and security log service is enabled (Manual) ............ 62 
2.7 Ensure Web Application Firewall access and security log service is enabled 
(Manual) ............................................................................................................................................. 64 
2.8 Ensure Cloud Firewall access and security log analysis is enabled (Manual) . 66 
2.9 Ensure Security Center Network, Host and Security log analysis is enabled 
(Manual) ............................................................................................................................................. 68 
2.10 Ensure log monitoring and alerts are set up for RAM Role changes (Manual)
 ................................................................................................................................................................ 71 
2.11 Ensure log monitoring and alerts are set up for Cloud Firewall changes 
(Manual) ............................................................................................................................................. 73 
2.12 Ensure log monitoring and alerts are set up for VPC network route changes 
(Manual) ............................................................................................................................................. 75 
2.13 Ensure log monitoring and alerts are set up for VPC changes (Manual) ......... 77 
2.14 Ensure log monitoring and alerts are set up for OSS permission changes 
(Manual) ............................................................................................................................................. 79 
2.15 Ensure log monitoring and alerts are set up for RDS instance configuration 
changes (Manual) ............................................................................................................................ 81 
2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls 
(Manual) ............................................................................................................................................. 84 
2.17 Ensure a log monitoring and alerts are set up for Management Console sign-
in without MFA (Manual) ............................................................................................................. 86 

4 | P a g e  
 
2.18 Ensure a log monitoring and alerts are set up for usage of "root" account 
(Manual) ............................................................................................................................................. 88 
2.19 Ensure a log monitoring and alerts are set up for Management Console 
authentication failures (Manual) .............................................................................................. 90 
2.20 Ensure a log monitoring and alerts are set up for disabling or deletion of 
customer created CMKs (Manual) ............................................................................................ 92 
2.21 Ensure a log monitoring and alerts are set up for OSS bucket policy changes 
(Manual) ............................................................................................................................................. 94 
2.22 Ensure a log monitoring and alerts are set up for security group changes 
(Manual) ............................................................................................................................................. 96 
2.23 Ensure that Logstore data retention period is set 365 days or greater 
(Manual) ............................................................................................................................................. 98 
3 Networking ................................................................................................................................................ 100 
3.1 Ensure legacy networks does not exist (Manual) ..................................................... 101 
3.2 Ensure that SSH access is restricted from the internet (Manual) ....................... 103 
3.3 Ensure VPC flow logging is enabled in all VPCs (Manual) ..................................... 105 
3.4 Ensure routing tables for VPC peering are "least access" (Manual) .................. 107 
3.5 Ensure the security group are configured with fine grained rules (Manual) 109 
4 Virtual Machines ...................................................................................................................................... 111 
4.1 Ensure that 'Unattached disks' are encrypted (Manual) ........................................ 112 
4.2 Ensure that ‘Virtual Machine’s disk’ are encrypted (Manual) .............................. 114 
4.3 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Manual)
 .............................................................................................................................................................. 116 
4.4 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Manual)
 .............................................................................................................................................................. 118 
4.5 Ensure that the latest OS Patches for all Virtual Machines are applied (Manual)
 .............................................................................................................................................................. 120 
4.6 Ensure that the endpoint protection for all Virtual Machines is installed 
(Manual) ........................................................................................................................................... 122 
5 Storage ......................................................................................................................................................... 124 
5.1 Ensure that OSS bucket is not anonymously or publicly accessible 
(Automated) .................................................................................................................................... 125 