Checklist
You can view the types of checklists provided by Config Inspection and the detailed diagnostic items for each checklist.
Checklist
A checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the types of checklists currently provided by Config Inspection are as follows.
| Cloud | Checklist name | Number of items |
|---|---|---|
| Samsung Cloud Platform | Best Practice | 27 |
Table. Config Inspection checklist types
Best Practice
The detailed diagnostic items of the Best Practice checklist provided by Samsung Cloud Platform are as follows.
| Area | Diagnostic items |
|---|---|
| IAM | - The authority to manage Account users should be granted only to users who need to manage IAM Users, in accordance with the principle of least privilege.<br>- There must be no long-term inactive users.<br>- A policy that allows access only from authorized IPs for all users must be applied.<br>- Permissions must be granted according to the principle of least privilege, considering job duties and usage purpose. |
| Networking | - A NAT Gateway must not be created in a Private Subnet that does not require Internet access.<br>- Network integration products must use a firewall.<br>- No unnecessary local subnets should exist, and only the Virtual Server (VM) or Bare Metal Server (BM) required for operation may be connected within the created local subnet.<br>- Remote access ports for each protocol must have Internet access blocked, and connections should be allowed only for specified IPs that require access.<br>- Security Groups should register only the necessary rules on an IP/Port basis.<br>- The firewall of network integration products should register only the necessary rules on an IP/Port basis. |
| Compute | - When using Cloud Functions function URLs, you must apply access control. |
| Container | - The control plane of the Kubernetes cluster must not use public endpoints.<br>- Only authorized resources should be allowed to access the private endpoints of the Kubernetes cluster.<br>- Restrict access to the Container Registry to authorized IP resources only.<br>- Enable vulnerability scanning for Container Registry images and remediate any discovered vulnerabilities.<br>- Restrict the use of vulnerable images in the Container Registry. |
| Database | - The DB must be deployed in a private subnet and have Internet access blocked.<br>- KMS keys should grant the minimum necessary permissions only to entities that require access.<br>- KMS keys must be rotated periodically (within 90 days) using the automatic rotation feature. |
| Logging | - Enable the Trail service of Logging&Audit and set the scope to all regions/resource types/users.<br>- Set the log file verification of Logging&Audit Trail to enabled.<br>- The Trail logs of Logging&Audit must be retained for at least one year.<br>- Security Groups must have logging enabled.<br>- Enable NAT logging for the Internet Gateway.<br>- Enable control plane logging for Kubernetes Engine clusters.<br>- Network integration products must enable Firewall logging.<br>- DB audit logs must be stored. |
Table. Samsung Cloud Platform Best Practice checklist items
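To show what a checklist item looks like when turned into an automated diagnostic, the following Python script evaluates a handful of the Best Practice items above (inactive IAM users, remote access ports open to the Internet, a NAT Gateway in a private subnet that does not need Internet access, KMS key rotation within 90 days, and Trail scope/verification/retention) against a small inventory. This is an added example, not Config Inspection's own code: the inventory schema, the 90-day threshold for "long-term inactive", and the choice of ports 22 and 3389 as remote access ports are assumptions made here, and the inventory data is constructed for illustration rather than pulled from Samsung Cloud Platform.

```python
"""Toy evaluation of several Best Practice checklist items as config checks.

Added example, not Config Inspection's own logic. The inventory schema is an
assumption; a real inspection would build it from the cloud provider's API.
"""
from datetime import date

REMOTE_ACCESS_PORTS = {22, 3389}   # assumption: SSH and RDP count as remote access ports
INACTIVE_DAYS = 90                 # assumption: threshold for "long-term inactive"
KMS_MAX_ROTATION_DAYS = 90         # from the checklist: rotate within 90 days
TRAIL_MIN_RETENTION_DAYS = 365     # from the checklist: retain Trail logs at least one year
TODAY = date(2024, 6, 1)           # fixed date so the example is deterministic

# Constructed sample inventory (not real Samsung Cloud Platform data).
INVENTORY = {
    "iam_users": [
        {"name": "alice", "last_login": "2024-05-30"},
        {"name": "svc-legacy", "last_login": "2023-11-01"},
    ],
    "security_groups": [
        {"name": "sg-web", "rules": [{"port": 443, "source": "0.0.0.0/0"},
                                     {"port": 22, "source": "10.0.0.0/8"}]},
        {"name": "sg-bastion", "rules": [{"port": 22, "source": "0.0.0.0/0"}]},
    ],
    "subnets": [
        {"name": "private-db", "public": False, "needs_internet": False, "nat_gateway": True},
        {"name": "private-app", "public": False, "needs_internet": True, "nat_gateway": True},
    ],
    "kms_keys": [
        {"name": "db-key", "auto_rotation": True, "rotation_days": 90},
        {"name": "old-key", "auto_rotation": False, "rotation_days": None},
    ],
    "trail": {"enabled": True, "all_regions": False,
              "log_file_validation": True, "retention_days": 180},
}


def check_inactive_users(inv, today=TODAY, limit=INACTIVE_DAYS):
    """IAM: flag users whose last login is older than the inactivity threshold."""
    findings = []
    for user in inv["iam_users"]:
        idle_days = (today - date.fromisoformat(user["last_login"])).days
        if idle_days > limit:
            findings.append(f"IAM: user {user['name']} inactive for {idle_days} days")
    return findings


def check_remote_access_exposed(inv):
    """Networking: remote access ports must not be reachable from the whole Internet."""
    findings = []
    for sg in inv["security_groups"]:
        for rule in sg["rules"]:
            if rule["port"] in REMOTE_ACCESS_PORTS and rule["source"] == "0.0.0.0/0":
                findings.append(f"Networking: {sg['name']} opens port {rule['port']} to the Internet")
    return findings


def check_nat_in_private_subnet(inv):
    """Networking: no NAT Gateway in a private subnet that does not require Internet access."""
    return [f"Networking: NAT Gateway in private subnet {s['name']} that does not need Internet access"
            for s in inv["subnets"]
            if not s["public"] and s["nat_gateway"] and not s["needs_internet"]]


def check_kms_rotation(inv):
    """Database: every KMS key must use automatic rotation with a period of at most 90 days."""
    findings = []
    for key in inv["kms_keys"]:
        period = key["rotation_days"]
        if not key["auto_rotation"] or period is None or period > KMS_MAX_ROTATION_DAYS:
            findings.append(f"Database: KMS key {key['name']} is not auto-rotated within "
                            f"{KMS_MAX_ROTATION_DAYS} days")
    return findings


def check_trail(inv):
    """Logging: Trail enabled for all regions, log file verification on, retention >= 1 year."""
    trail = inv["trail"]
    findings = []
    if not trail["enabled"] or not trail["all_regions"]:
        findings.append("Logging: Trail must be enabled with scope set to all regions/resource types/users")
    if not trail["log_file_validation"]:
        findings.append("Logging: Trail log file verification must be enabled")
    if trail["retention_days"] < TRAIL_MIN_RETENTION_DAYS:
        findings.append(f"Logging: Trail retention of {trail['retention_days']} days is below one year")
    return findings


def run_all(inv=INVENTORY):
    """Run every check and return the combined list of findings."""
    checks = [check_inactive_users, check_remote_access_exposed,
              check_nat_in_private_subnet, check_kms_rotation, check_trail]
    return [finding for check in checks for finding in check(inv)]


if __name__ == "__main__":
    for line in run_all():
        print(line)
```

Each check returns a list of findings rather than printing, so the same functions can feed a report, a ticketing system, or a test suite; on the constructed inventory the script reports six findings, one per deliberately misconfigured resource.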