The page has been translated by Gen AI.

Overview

Service Overview

Config Inspection is a service that diagnoses the security level of console settings for each service of Samsung Cloud Platform. It provides a security checklist organized by areas such as IAM, Networking, Database, Logging, and checks the current status via API calls to see whether the recommended security settings for each diagnostic item are applied.

Users can create a diagnostic target through service creation and then request a diagnosis, and the diagnosis request results can be checked via the Report. The Report provides the diagnosis request history and item-specific diagnosis results, and for diagnostic items that require the user’s final confirmation or action, detailed results including the resource information corresponding to each item and a remedial guide can be viewed.

Diagram
Figure. Config Inspection Diagram

Provided Features

Config Inspection provides the following features.

  • Console Diagnosis: You can diagnose the security level by calling the Console API using the authentication key method.
  • Diagnosis Target Management: Through service creation, you can create and manage the user’s Samsung Cloud Platform account as a diagnosis target.
  • Diagnosis Request: In the resource detail screen, you can request a diagnosis by clicking the Diagnosis Request button.
  • Diagnostic Result Management: In Report, you can view the list of diagnosis requests and detailed diagnosis results, and download them as an Excel file.

Components

Checklist

The checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the checklist currently provided by Config Inspection is as follows.

Cloud                  | Checklist Name | Number of Items
Samsung Cloud Platform | Best Practice  | 18
Table. Config Inspection checklist

The detailed diagnostic items of the Best Practice checklist provided by Samsung Cloud Platform are as follows.

Area | Diagnostic Item

Networking
  • Private subnets that do not require internet access should not use a NAT Gateway.
  • Network integration services must use a Firewall.
  • Security Groups should register only the necessary rules per IP and port.
  • Remote access ports for each protocol must allow connections only from the IPs that need access.
  • The Firewall of network integration products should register only the necessary rules per IP/port.

Container
  • You must use private endpoint access control for the Kubernetes cluster and allow access only to authorized resources.
  • You must use private endpoint access control for the Container Registry and allow access only to authorized resources.
  • Enable automatic vulnerability scanning for Container Registry images.
  • Do not use a vulnerability scan exclusion policy for Container Registry images.
  • Restrict pulling of unscanned images from the Container Registry.
  • Restrict pulling of vulnerable images from the Container Registry.

Database
  • SQL-level audit logs must be stored.

Logging
  • Activate the Trail service of Logging&Audit and set the scope to all regions/resource types/users.
  • Set the log file verification of Logging&Audit Trail to enabled.
  • Security Groups must have logging enabled.
  • Network integration products must enable Firewall logging.
  • Enable NAT logging for the Internet Gateway.
  • Enable control plane logging for the Kubernetes Engine cluster.

Table. Samsung Cloud Platform Best Practice checklist composition items

Report

In the Config Inspection Report, you can view the diagnostic results in the order of result list, result details, and item details.

Category | Detailed description

Diagnosis Result List: all diagnosis request history within the Account
  • Completed: the diagnosis request has been successfully completed
    • Click the instance to view the detailed diagnosis result
  • Error: the diagnosis request was not successfully completed
    • If the diagnosis result is an error, the detailed diagnosis result is not provided.
    • The cause of the error can be found in the Config Inspection detailed information

Diagnosis Result Details: result of a successfully completed diagnosis request (diagnosis item list)
  • PASS: No vulnerable resources exist for the diagnosis item.
  • FAIL: Vulnerable resources exist for the diagnosis item.
  • CHECK: Final user confirmation is required regarding the vulnerability.
  • ERROR: There is an error with user/authentication key permissions or the API call.
  • N/A: No resources correspond to the diagnosis item.

Diagnostic Item Details: detailed results per diagnostic item

Table. Config Inspection Report diagnostic configuration
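To show how one checklist item is turned into the PASS/FAIL/CHECK/ERROR/N/A states listed above, here is an added example (not Config Inspection's own code) that evaluates the Networking item "remote access ports must allow connections only from the IPs that need access" over constructed Security Group rules. The ports treated as remote access (22, 3389), the rule fields, and the `fetch_rules` stand-in for the console API call are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Result states as listed in the Config Inspection Report table.
PASS, FAIL, CHECK, ERROR, NA = "PASS", "FAIL", "CHECK", "ERROR", "N/A"
# Assumption for this example: SSH and RDP are the remote-access ports checked.
REMOTE_ACCESS_PORTS = {22, 3389}

@dataclass(frozen=True)
class SgRule:
    sg_name: str
    direction: str  # "inbound" or "outbound"
    protocol: str   # "tcp", "udp", ...
    port_from: int
    port_to: int
    source: str     # CIDR the rule accepts traffic from

def is_remote_access_rule(rule: SgRule) -> bool:
    """Inbound TCP rule whose port range covers a remote-access port."""
    return (rule.direction == "inbound" and rule.protocol == "tcp"
            and any(rule.port_from <= p <= rule.port_to for p in REMOTE_ACCESS_PORTS))

def diagnose_remote_access(fetch_rules):
    """Evaluate the "remote access ports must specify IPs" item.
    fetch_rules stands in for the console API call that lists Security Group
    rules; an exception from it maps to ERROR. Returns (state, flagged rules)."""
    try:
        rules = list(fetch_rules())
    except Exception:
        return ERROR, []
    if not rules:
        return NA, []  # no Security Group rules exist for this item
    state, flagged = PASS, []
    for rule in filter(is_remote_access_rule, rules):
        net = ip_network(rule.source, strict=False)
        if net.prefixlen == 0:              # 0.0.0.0/0 or ::/0: open to everyone
            state = FAIL
            flagged.append(rule)
        elif net.prefixlen < net.max_prefixlen:  # a range, not one host: user decides
            state = CHECK if state != FAIL else state
            flagged.append(rule)
    return state, flagged

# Constructed sample rules (not real resources).
SAMPLE_RULES = [
    SgRule("sg-web", "inbound", "tcp", 80, 80, "0.0.0.0/0"),        # not a remote-access port
    SgRule("sg-bastion", "inbound", "tcp", 22, 22, "0.0.0.0/0"),    # SSH open to the internet
    SgRule("sg-app", "inbound", "tcp", 3389, 3389, "10.0.0.0/16"),  # RDP from a whole range
    SgRule("sg-db", "inbound", "tcp", 22, 22, "10.0.1.5/32"),       # SSH from one host
]
```

Running `diagnose_remote_access(lambda: SAMPLE_RULES)` yields FAIL with the bastion and app rules flagged; the single-host rule alone yields PASS.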

Preliminary Service

Config Inspection has no preceding service.
