The page has been translated by Gen AI.

Checklist

You can view the types of checklists provided by Config Inspection and the detailed diagnostic items for each checklist.

Checklist

A checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the types of checklists currently provided by Config Inspection are as follows.

Cloud                    Checklist name                  Number of items
Samsung Cloud Platform   Best Practice                   27
                         Samsung Security Index (SSI)    24
Table. Config Inspection checklist types
Reference
The SSI checklist can only be used in the Samsung region.

Best Practice

The detailed diagnostic items of the Best Practice checklist provided by Samsung Cloud Platform are as follows.

Area    Diagnostic items
IAM
  • The authority to manage Account users should be granted only to users who need to manage IAM Users, in accordance with the principle of least privilege.
  • There must be no long‑term inactive users.
  • A policy that allows access only from authorized IPs for all users must be applied.
  • Permissions must be granted according to the principle of least privilege, taking into account job duties and usage purposes.
Networking
  • A NAT Gateway must not be created in a Private Subnet that does not require Internet access.
  • Network integration products must use a firewall.
  • Unnecessary local subnets must not exist, and only the Virtual Server (VM) or Bare Metal Server (BM) required for operation may be connected within the created local subnet.
  • Remote access ports for each protocol must have Internet access blocked, and connections should be allowed only for specified IPs that require access.
  • Security Groups should register only the necessary rules on an IP/Port basis.
  • The firewall of network integration products should register only the necessary rules on an IP/Port basis.
Compute
  • When using a Cloud Functions function URL, you must apply access control.
Container
  • The control plane of the Kubernetes cluster must not use public endpoints.
  • Only authorized resources should be allowed to access the private endpoints of the Kubernetes cluster.
  • Restrict access to the Container Registry so that only authorized IP resources can connect.
  • Enable vulnerability scanning for Container Registry images and remediate any discovered vulnerabilities.
  • Prevent the use of vulnerable images in the Container Registry.
Database
  • DB must be deployed in a Private Subnet and have internet access blocked.
  • KMS Keys must grant the minimum necessary permissions only to entities that require access.
  • KMS Keys must be rotated periodically (within 90 days) using the automatic rotation feature.
Logging
  • Enable the Trail service of Logging&Audit and set the scope to all regions/resource types/users.
  • Set the log file verification of Logging&Audit Trail to enabled.
  • The Trail logs of Logging&Audit must be retained for at least one year.
  • Security Group must have logging enabled.
  • Enable NAT logging for Internet Gateway.
  • Enable control plane logging for Kubernetes Engine clusters.
  • Network integration products must have Firewall logging enabled.
  • DB audit logs must be stored.
Table. Samsung Cloud Platform Best Practice checklist items
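As an added illustration, not part of this page and not Config Inspection's own implementation, the Python script below shows how several of the Best Practice items above can be expressed as automated checks over a resource inventory: remote-access ports open to the Internet in a Security Group, Security Group logging disabled, a NAT Gateway on a private subnet that needs no Internet access, KMS keys without rotation inside 90 days, a DB placed in a public subnet or without audit logging, and long-term inactive IAM users. The inventory layout, resource names, the reference date, the remote-access port set (SSH and RDP) and the 90-day inactivity threshold are constructed assumptions; only the 90-day KMS rotation limit comes from the checklist itself.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress

# Remote-access ports covered by the "remote access ports for each protocol" item.
# SSH and RDP are assumed here; extend the set to match the environment.
REMOTE_ACCESS_PORTS = {22, 3389}
MAX_ROTATION_DAYS = 90   # from the KMS rotation item ("within 90 days")
INACTIVE_DAYS = 90       # assumed threshold for "long-term inactive"; the page gives none
REFERENCE_DATE = date(2024, 6, 1)  # constructed "today" so results are reproducible

# Constructed sample inventory; not output of any Samsung Cloud Platform API.
INVENTORY = {
    "iam_users": [
        {"name": "alice", "last_active": "2024-05-20"},
        {"name": "bob", "last_active": "2023-11-01"},
    ],
    "security_groups": [
        {"name": "sg-web", "logging_enabled": True, "rules": [
            {"direction": "inbound", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "sg-bastion", "logging_enabled": False, "rules": [
            {"direction": "inbound", "port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
            {"direction": "inbound", "port_from": 3389, "port_to": 3389, "cidr": "10.0.0.0/8"}]},
    ],
    "subnets": {
        "subnet-priv-a": {"public": False, "nat_gateway": False, "needs_internet": False},
        "subnet-priv-b": {"public": False, "nat_gateway": True, "needs_internet": False},
        "subnet-pub-a": {"public": True, "nat_gateway": False, "needs_internet": True},
    },
    "kms_keys": [
        {"id": "key-app", "auto_rotation": True, "rotation_days": 90},
        {"id": "key-legacy", "auto_rotation": False, "rotation_days": None},
        {"id": "key-slow", "auto_rotation": True, "rotation_days": 365},
    ],
    "databases": [
        {"name": "db-orders", "subnet": "subnet-priv-a", "audit_log": True},
        {"name": "db-reports", "subnet": "subnet-pub-a", "audit_log": False},
    ],
}


@dataclass(frozen=True)
class Finding:
    area: str
    item: str
    resource: str
    detail: str


def _exposes_remote_port_to_internet(rule):
    """Inbound rule whose port range covers a remote-access port and whose source is any address."""
    if rule["direction"] != "inbound":
        return False
    ports = range(rule["port_from"], rule["port_to"] + 1)
    if not any(p in ports for p in REMOTE_ACCESS_PORTS):
        return False
    # A /0 prefix (0.0.0.0/0 or ::/0) means "anywhere on the Internet".
    return ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0


def check_iam(inv, reference_date):
    findings = []
    for user in inv["iam_users"]:
        idle = (reference_date - date.fromisoformat(user["last_active"])).days
        if idle > INACTIVE_DAYS:
            findings.append(Finding("IAM", "no long-term inactive users", user["name"],
                                    f"inactive for {idle} days"))
    return findings


def check_networking(inv):
    findings = []
    for sg in inv["security_groups"]:
        for rule in sg["rules"]:
            if _exposes_remote_port_to_internet(rule):
                findings.append(Finding("Networking", "remote access ports must block Internet access",
                                        sg["name"], f"{rule['cidr']} -> {rule['port_from']}-{rule['port_to']}"))
        if not sg["logging_enabled"]:
            findings.append(Finding("Logging", "Security Group logging enabled", sg["name"], "logging disabled"))
    for name, subnet in inv["subnets"].items():
        if not subnet["public"] and subnet["nat_gateway"] and not subnet["needs_internet"]:
            findings.append(Finding("Networking", "no NAT Gateway in Private Subnet without Internet need",
                                    name, "NAT Gateway attached"))
    return findings


def check_database(inv):
    findings = []
    for key in inv["kms_keys"]:
        if not key["auto_rotation"] or key["rotation_days"] > MAX_ROTATION_DAYS:
            findings.append(Finding("Database", "KMS Key rotated automatically within 90 days", key["id"],
                                    f"auto_rotation={key['auto_rotation']} rotation_days={key['rotation_days']}"))
    for db in inv["databases"]:
        if inv["subnets"][db["subnet"]]["public"]:
            findings.append(Finding("Database", "DB in Private Subnet with Internet blocked", db["name"],
                                    f"deployed in public subnet {db['subnet']}"))
        if not db["audit_log"]:
            findings.append(Finding("Logging", "DB audit logs stored", db["name"], "audit logging disabled"))
    return findings


def run_checks(inv, reference_date):
    """Evaluate every check and return the combined list of findings."""
    return check_iam(inv, reference_date) + check_networking(inv) + check_database(inv)


if __name__ == "__main__":
    for f in run_checks(INVENTORY, REFERENCE_DATE):
        print(f"[{f.area}] {f.resource}: {f.item} ({f.detail})")
```

Against the constructed inventory the script reports eight findings (bob, sg-bastion twice, subnet-priv-b, key-legacy, key-slow, db-reports twice); the compliant resources produce none. The point of the structure is that each checklist item maps to one small predicate over inventory data, so a new item is a new predicate rather than a change to the reporting code.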

Samsung Security Index (SSI)

The detailed diagnostic items of the Samsung Security Index (SSI) checklist provided by Samsung Cloud Platform are as follows.

Area    Diagnostic items
IAM
  • Have you granted the authority to manage Account users to the minimum personnel?
  • Are there any unused accounts?
  • Do you enforce access control for all Samsung Cloud Platform users?
  • Are you minimizing user permissions according to job duties and usage purposes?
Networking
  • Is a Private Subnet that does not require external system access for business prohibited from connecting to a NAT Gateway?
  • Does the network integration product use a firewall?
  • Is the local subnet connected only to the resources that are needed?
  • Have only the necessary rules at the IP/Port level been registered in all Security Groups?
  • Has the firewall of the network integration product been configured with only the necessary rules at the IP/Port level?
Container
  • Are you enforcing access control on Cloud Functions?
  • Have you set the Kubernetes Engine API Server endpoint to private?
  • Are you restricting access to the Kubernetes Engine API Server endpoint?
  • Are you enforcing access control on Container Registry?
  • Have you completed vulnerability scanning and remediation for Container Registry images?
  • Are you restricting pulls of vulnerable images?
Database
  • Is the DB configured within a dedicated private subnet and its internet access blocked?
  • Have you granted only the entities that require access to the KMS key the minimal necessary permissions?
  • Is the KMS key automatically rotated on a regular basis?
Logging
  • Have you enabled the Trail service of Logging&Audit and set its scope to all?
  • Have you configured integrity verification for log files?
  • Are you storing the Trail logs of Logging&Audit?
  • Have you enabled Security Group logging?
  • Have you enabled Firewall logging for network‑integrated products?
  • (If using DBaaS) Have you enabled DB Audit?
Table. Samsung Cloud Platform SSI checklist items