aws-security-mcp 0.5.1 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/bin/aws-security-mcp.js +2866 -106
  2. package/dist/bin/aws-security-mcp.js.map +1 -1
  3. package/dist/src/index.js +2866 -106
  4. package/dist/src/index.js.map +1 -1
  5. package/package.json +1 -1
package/dist/bin/aws-security-mcp.js CHANGED
@@ -237,7 +237,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
237
237
  import { z } from "zod";
238
238
 
239
239
  // src/version.ts
240
- var VERSION = "0.5.1";
240
+ var VERSION = "0.5.2";
241
241
 
242
242
  // src/utils/aws-client.ts
243
243
  import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -4300,7 +4300,2710 @@ function generateMarkdownReport(scanResults) {
4300
4300
  return lines.join("\n");
4301
4301
  }
4302
4302
 
4303
+ // src/data/mlps3-full-checklist.json
4304
+ var mlps3_full_checklist_default = [
4305
+ {
4306
+ id: "L3-PES1-01",
4307
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4308
+ categoryEn: "Physical Environment Security",
4309
+ controlCn: "\u7269\u7406\u4F4D\u7F6E\u9009\u62E9",
4310
+ controlEn: "Physical Location Alteration",
4311
+ requirementCn: "\u673A\u623F\u573A\u5730\u5E94\u9009\u62E9\u5728\u5177\u6709\u9632\u9707\u3001\u9632\u98CE\u548C\u9632\u96E8\u7B49\u80FD\u529B\u7684\u5EFA\u7B51\u5185",
4312
+ requirementEn: "The computer room should be located in buildings with the ability to be shockproof, windproof and rainproof",
4313
+ referenceStatus: "\u7B26\u5408 No Gap",
4314
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4315
+ },
4316
+ {
4317
+ id: "L3-PES1-02",
4318
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4319
+ categoryEn: "Physical Environment Security",
4320
+ controlCn: "\u7269\u7406\u4F4D\u7F6E\u9009\u62E9",
4321
+ controlEn: "Physical Location Alteration",
4322
+ requirementCn: "\u673A\u623F\u573A\u5730\u5E94\u907F\u514D\u8BBE\u5728\u5EFA\u7B51\u7269\u7684\u9876\u5C42\u6216\u5730\u4E0B\u5BA4\uFF0C\u5426\u5219\u5E94\u52A0\u5F3A\u9632\u6C34\u548C\u9632\u6F6E\u63AA\u65BD",
4323
+ requirementEn: "The computer room should avoid being located at the top of the building or the basement, otherwise waterproof and moisture-proof measures should be strengthened.",
4324
+ referenceStatus: "\u7B26\u5408 No Gap",
4325
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4326
+ },
4327
+ {
4328
+ id: "L3-PES1-03",
4329
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4330
+ categoryEn: "Physical Environment Security",
4331
+ controlCn: "\u7269\u7406\u8BBF\u95EE\u63A7\u5236",
4332
+ controlEn: "Physical Access Control",
4333
+ requirementCn: "\u673A\u623F\u51FA\u5165\u53E3\u5E94\u914D\u7F6E\u7535\u5B50\u95E8\u7981\u7CFB\u7EDF\uFF0C\u63A7\u5236\u3001\u9274\u522B\u548C\u8BB0\u5F55\u8FDB\u5165\u7684\u4EBA\u5458",
4334
+ requirementEn: "Entrance and exit of the computer room should be equipped with an electronic access control system to control, identify and record the incoming personnel.",
4335
+ referenceStatus: "\u7B26\u5408 No Gap",
4336
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4337
+ },
4338
+ {
4339
+ id: "L3-PES1-04",
4340
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4341
+ categoryEn: "Physical Environment Security",
4342
+ controlCn: "\u9632\u76D7\u7A83\u548C\u9632\u7834\u574F",
4343
+ controlEn: "Anti-theft and Anti-vandalism",
4344
+ requirementCn: "\u5E94\u5C06\u8BBE\u5907\u6216\u4E3B\u8981\u90E8\u4EF6\u8FDB\u884C\u56FA\u5B9A\uFF0C\u5E76\u8BBE\u7F6E\u660E\u663E\u7684\u4E0D\u6613\u9664\u53BB\u7684\u6807\u8BC6",
4345
+ requirementEn: "Device or main components should be fixed and marked with obvious labels that are difficult to remove",
4346
+ referenceStatus: "\u7B26\u5408 No Gap",
4347
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4348
+ },
4349
+ {
4350
+ id: "L3-PES1-05",
4351
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4352
+ categoryEn: "Physical Environment Security",
4353
+ controlCn: "\u9632\u76D7\u7A83\u548C\u9632\u7834\u574F",
4354
+ controlEn: "Anti-theft and Anti-vandalism",
4355
+ requirementCn: "\u5E94\u5C06\u901A\u4FE1\u7EBF\u7F06\u94FA\u8BBE\u5728\u9690\u853D\u5B89\u5168\u5904",
4356
+ requirementEn: "The communication cable should be laid in a safe and concealed place",
4357
+ referenceStatus: "\u7B26\u5408 No Gap",
4358
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4359
+ },
4360
+ {
4361
+ id: "L3-PES1-06",
4362
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4363
+ categoryEn: "Physical Environment Security",
4364
+ controlCn: "\u9632\u76D7\u7A83\u548C\u9632\u7834\u574F",
4365
+ controlEn: "Anti-theft and Anti-vandalism",
4366
+ requirementCn: "\u5E94\u8BBE\u7F6E\u673A\u623F\u9632\u76D7\u62A5\u8B66\u7CFB\u7EDF\u6216\u8BBE\u7F6E\u6709\u4E13\u4EBA\u503C\u5B88\u7684\u89C6\u9891\u76D1\u63A7\u7CFB\u7EDF",
4367
+ requirementEn: "A computer room anti-theft alarm system or a video surveillance system with a special person should be set up.",
4368
+ referenceStatus: "\u7B26\u5408 No Gap",
4369
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4370
+ },
4371
+ {
4372
+ id: "L3-PES1-07",
4373
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4374
+ categoryEn: "Physical Environment Security",
4375
+ controlCn: "\u9632\u96F7\u51FB",
4376
+ controlEn: "Lightning Protection",
4377
+ requirementCn: "\u5E94\u5C06\u5404\u7C7B\u673A\u67DC\u3001\u8BBE\u65BD\u548C\u8BBE\u5907\u7B49\u901A\u8FC7\u63A5\u5730\u7CFB\u7EDF\u5B89\u5168\u63A5\u5730",
4378
+ requirementEn: "All types of cabinets, facilities and equipment should be safely grounded through the grounding system",
4379
+ referenceStatus: "\u7B26\u5408 No Gap",
4380
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4381
+ },
4382
+ {
4383
+ id: "L3-PES1-08",
4384
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4385
+ categoryEn: "Physical Environment Security",
4386
+ controlCn: "\u9632\u96F7\u51FB",
4387
+ controlEn: "Lightning Protection",
4388
+ requirementCn: "\u5E94\u91C7\u53D6\u63AA\u65BD\u9632\u6B62\u611F\u5E94\u96F7\uFF0C\u4F8B\u5982\u8BBE\u7F6E\u9632\u96F7\u4FDD\u5B89\u5668\u6216\u8FC7\u538B\u4FDD\u62A4\u88C5\u7F6E\u7B49",
4389
+ requirementEn: "Measures should be taken to prevent inductive lightning, such as set up lightning protection or overvoltage protection devices.",
4390
+ referenceStatus: "\u7B26\u5408 No Gap",
4391
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4392
+ },
4393
+ {
4394
+ id: "L3-PES1-09",
4395
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4396
+ categoryEn: "Physical Environment Security",
4397
+ controlCn: "\u9632\u706B",
4398
+ controlEn: "Fire Protection",
4399
+ requirementCn: "\u673A\u623F\u5E94\u8BBE\u7F6E\u706B\u707E\u81EA\u52A8\u6D88\u9632\u7CFB\u7EDF\uFF0C\u80FD\u591F\u81EA\u52A8\u68C0\u6D4B\u706B\u60C5\u3001\u81EA\u52A8\u62A5\u8B66\uFF0C\u5E76\u81EA\u52A8\u706D\u706B",
4400
+ requirementEn: "Automatic fire protection system which can automatically detect, alarm and extinguish should be set up.",
4401
+ referenceStatus: "\u7B26\u5408 No Gap",
4402
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4403
+ },
4404
+ {
4405
+ id: "L3-PES1-10",
4406
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4407
+ categoryEn: "Physical Environment Security",
4408
+ controlCn: "\u9632\u706B",
4409
+ controlEn: "Fire Protection",
4410
+ requirementCn: "\u673A\u623F\u53CA\u76F8\u5173\u7684\u5DE5\u4F5C\u623F\u95F4\u548C\u8F85\u52A9\u623F\u5E94\u91C7\u7528\u5177\u6709\u8010\u706B\u7B49\u7EA7\u7684\u5EFA\u7B51\u6750\u6599",
4411
+ requirementEn: "The computer room and related work rooms and auxiliary rooms shall be constructed of fire-resistant building materials",
4412
+ referenceStatus: "\u7B26\u5408 No Gap",
4413
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4414
+ },
4415
+ {
4416
+ id: "L3-PES1-11",
4417
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4418
+ categoryEn: "Physical Environment Security",
4419
+ controlCn: "\u9632\u706B",
4420
+ controlEn: "Fire Protection",
4421
+ requirementCn: "\u5E94\u5BF9\u673A\u623F\u5212\u5206\u533A\u57DF\u8FDB\u884C\u7BA1\u7406\uFF0C\u533A\u57DF\u548C\u533A\u57DF\u4E4B\u95F4\u8BBE\u7F6E\u9694\u79BB\u9632\u706B\u63AA\u65BD",
4422
+ requirementEn: "The computer room should be managed dividedly, and set fire prevention measures for each region",
4423
+ referenceStatus: "\u7B26\u5408 No Gap",
4424
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4425
+ },
4426
+ {
4427
+ id: "L3-PES1-12",
4428
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4429
+ categoryEn: "Physical Environment Security",
4430
+ controlCn: "\u9632\u6C34\u548C\u9632\u6F6E",
4431
+ controlEn: "Waterproof and Moisture Proof",
4432
+ requirementCn: "\u5E94\u91C7\u53D6\u63AA\u65BD\u9632\u6B62\u96E8\u6C34\u901A\u8FC7\u673A\u623F\u7A97\u6237\u3001\u5C4B\u9876\u548C\u5899\u58C1\u6E17\u900F",
4433
+ requirementEn: "Measures should be taken to avoid rainwater penetrating through the windows, roof and walls of the computer room",
4434
+ referenceStatus: "\u7B26\u5408 No Gap",
4435
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4436
+ },
4437
+ {
4438
+ id: "L3-PES1-13",
4439
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4440
+ categoryEn: "Physical Environment Security",
4441
+ controlCn: "\u9632\u6C34\u548C\u9632\u6F6E",
4442
+ controlEn: "Waterproof and Moisture Proof",
4443
+ requirementCn: "\u5E94\u91C7\u53D6\u63AA\u65BD\u9632\u6B62\u673A\u623F\u5185\u6C34\u84B8\u6C14\u7ED3\u9732\u548C\u5730\u4E0B\u79EF\u6C34\u7684\u8F6C\u79FB\u4E0E\u6E17\u900F",
4444
+ requirementEn: "Measures should be taken to prevent water vapor condensation, and to prevent transfer and penetration of underground water in the computer room",
4445
+ referenceStatus: "\u7B26\u5408 No Gap",
4446
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4447
+ },
4448
+ {
4449
+ id: "L3-PES1-14",
4450
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4451
+ categoryEn: "Physical Environment Security",
4452
+ controlCn: "\u9632\u6C34\u548C\u9632\u6F6E",
4453
+ controlEn: "Waterproof and Moisture Proof",
4454
+ requirementCn: "\u5E94\u5B89\u88C5\u5BF9\u6C34\u654F\u611F\u7684\u68C0\u6D4B\u4EEA\u8868\u6216\u5143\u4EF6\uFF0C\u5BF9\u673A\u623F\u8FDB\u884C\u9632\u6C34\u68C0\u6D4B\u548C\u62A5\u8B66",
4455
+ requirementEn: "Water-sensitive detection instruments or components should be installed to conduct waterproof detection and alarm for the computer room.",
4456
+ referenceStatus: "\u7B26\u5408 No Gap",
4457
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4458
+ },
4459
+ {
4460
+ id: "L3-PES1-15",
4461
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4462
+ categoryEn: "Physical Environment Security",
4463
+ controlCn: "\u9632\u9759\u7535",
4464
+ controlEn: "Anti-static",
4465
+ requirementCn: "\u5E94\u91C7\u7528\u9632\u9759\u7535\u5730\u677F\u6216\u5730\u9762\u5E76\u91C7\u7528\u5FC5\u8981\u7684\u63A5\u5730\u9632\u9759\u7535\u63AA\u65BD",
4466
+ requirementEn: "Anti-static floor or ground should be used and necessary grounding anti-static measures should be adopted",
4467
+ referenceStatus: "\u7B26\u5408 No Gap",
4468
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4469
+ },
4470
+ {
4471
+ id: "L3-PES1-16",
4472
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4473
+ categoryEn: "Physical Environment Security",
4474
+ controlCn: "\u9632\u9759\u7535",
4475
+ controlEn: "Anti-static",
4476
+ requirementCn: "\u5E94\u91C7\u53D6\u63AA\u65BD\u9632\u6B62\u9759\u7535\u7684\u4EA7\u751F\uFF0C\u4F8B\u5982\u91C7\u7528\u9759\u7535\u6D88\u9664\u5668\u3001\u4F69\u6234\u9632\u9759\u7535\u624B\u73AF\u7B49",
4477
+ requirementEn: "Measures such as use static eliminators and wear anti-static wrist straps should be taken to prevent from generating static electricity.",
4478
+ referenceStatus: "\u7B26\u5408 No Gap",
4479
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4480
+ },
4481
+ {
4482
+ id: "L3-PES1-17",
4483
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4484
+ categoryEn: "Physical Environment Security",
4485
+ controlCn: "\u6E29\u6E7F\u5EA6\u63A7\u5236",
4486
+ controlEn: "Temperature and Humidity Control",
4487
+ requirementCn: "\u5E94\u8BBE\u7F6E\u6E29\u6E7F\u5EA6\u81EA\u52A8\u8C03\u8282\u8BBE\u65BD\uFF0C\u4F7F\u673A\u623F\u6E29\u6E7F\u5EA6\u7684\u53D8\u5316\u5728\u8BBE\u5907\u8FD0\u884C\u6240\u5141\u8BB8\u7684\u8303\u56F4\u4E4B\u5185",
4488
+ requirementEn: "Temperature and humidity automatic adjustment facilities should be set up so that the temperature and humidity changes are within the allowable range of equipment operation.",
4489
+ referenceStatus: "\u7B26\u5408 No Gap",
4490
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4491
+ },
4492
+ {
4493
+ id: "L3-PES1-18",
4494
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4495
+ categoryEn: "Physical Environment Security",
4496
+ controlCn: "\u7535\u529B\u4F9B\u5E94",
4497
+ controlEn: "Electricity Supply",
4498
+ requirementCn: "\u5E94\u5728\u673A\u623F\u4F9B\u7535\u7EBF\u8DEF\u4E0A\u914D\u7F6E\u7A33\u538B\u5668\u548C\u8FC7\u7535\u538B\u9632\u62A4\u8BBE\u5907",
4499
+ requirementEn: "Voltage stabilizer and overvoltage protection equipment should be configured for the power supply line of the computer room",
4500
+ referenceStatus: "\u7B26\u5408 No Gap",
4501
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4502
+ },
4503
+ {
4504
+ id: "L3-PES1-19",
4505
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4506
+ categoryEn: "Physical Environment Security",
4507
+ controlCn: "\u7535\u529B\u4F9B\u5E94",
4508
+ controlEn: "Electricity Supply",
4509
+ requirementCn: "\u5E94\u63D0\u4F9B\u77ED\u671F\u7684\u5907\u7528\u7535\u529B\u4F9B\u5E94\uFF0C\u81F3\u5C11\u6EE1\u8DB3\u8BBE\u5907\u5728\u65AD\u7535\u60C5\u51B5\u4E0B\u7684\u6B63\u5E38\u8FD0\u884C\u8981\u6C42",
4510
+ requirementEn: "A short-term backup power supply shall be provided to meet the normal operational requirements of the equipment in the event of a power outage",
4511
+ referenceStatus: "\u7B26\u5408 No Gap",
4512
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4513
+ },
4514
+ {
4515
+ id: "L3-PES1-20",
4516
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4517
+ categoryEn: "Physical Environment Security",
4518
+ controlCn: "\u7535\u529B\u4F9B\u5E94",
4519
+ controlEn: "Electricity Supply",
4520
+ requirementCn: "\u5E94\u8BBE\u7F6E\u5197\u4F59\u6216\u5E76\u884C\u7684\u7535\u529B\u7535\u7F06\u7EBF\u8DEF\u4E3A\u8BA1\u7B97\u673A\u7CFB\u7EDF\u4F9B\u7535",
4521
+ requirementEn: "Equip backup or parallel power cable lines to power the computer system when necessary.",
4522
+ referenceStatus: "\u7B26\u5408 No Gap",
4523
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4524
+ },
4525
+ {
4526
+ id: "L3-PES1-21",
4527
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4528
+ categoryEn: "Physical Environment Security",
4529
+ controlCn: "\u7535\u78C1\u9632\u62A4",
4530
+ controlEn: "Electromagnetic Protection",
4531
+ requirementCn: "\u7535\u6E90\u7EBF\u548C\u901A\u4FE1\u7EBF\u7F06\u5E94\u9694\u79BB\u94FA\u8BBE\uFF0C\u907F\u514D\u4E92\u76F8\u5E72\u6270",
4532
+ requirementEn: "Power cables and communication cables should be laid isolated to avoid mutual interference",
4533
+ referenceStatus: "\u7B26\u5408 No Gap",
4534
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4535
+ },
4536
+ {
4537
+ id: "L3-PES1-22",
4538
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
4539
+ categoryEn: "Physical Environment Security",
4540
+ controlCn: "\u7535\u78C1\u9632\u62A4",
4541
+ controlEn: "Electromagnetic Protection",
4542
+ requirementCn: "\u5E94\u5BF9\u5173\u952E\u8BBE\u5907\u5B9E\u65BD\u7535\u78C1\u5C4F\u853D",
4543
+ requirementEn: "Electromagnetic shielding should be implemented for critical equipment.",
4544
+ referenceStatus: "\u7B26\u5408 No Gap",
4545
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u7269\u7406\u73AF\u5883\u5B89\u5168"
4546
+ },
4547
+ {
4548
+ id: "L3-CNS1-01",
4549
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4550
+ categoryEn: "Communication Network Security",
4551
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
4552
+ controlEn: "Network Architecture",
4553
+ requirementCn: "\u5E94\u4FDD\u8BC1\u7F51\u7EDC\u8BBE\u5907\u7684\u4E1A\u52A1\u5904\u7406\u80FD\u529B\u6EE1\u8DB3\u4E1A\u52A1\u9AD8\u5CF0\u671F\u9700\u8981",
4554
+ requirementEn: "Service processing capability of network should be guaranteed to meet the peak business needs",
4555
+ referenceStatus: "\u7B26\u5408 No Gap",
4556
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u4E92\u8054\u7F51\u63A5\u5165\u6EE1\u8DB3\u4E1A\u52A1\u9AD8\u5CF0\u9700\u6C42\uFF1B\u5BA2\u6237\u6570\u636E\u4E2D\u5FC3\u548C\u4E9A\u9A6C\u900A\u4E91\u4E4B\u95F4\u7684\u8FDE\u63A5\u4F8B\u5982VPN\uFF0C\u4E13\u7EBF\u7684\u5904\u7406\u80FD\u529B\u9700\u8981\u5BA2\u6237\u6839\u636E\u4E1A\u52A1\u89C4\u5212\uFF1BVPC\u5185\u90E8\u7F51\u7EDC\u670D\u52A1\u6709\u81EA\u8EAB\u7684\u9650\u5236\uFF0C\u5F00Case\u63D0\u5347\u9650\u5236\uFF1BEC2\u81EA\u8EAB\u7684\u7F51\u7EDC\u5904\u7406\u80FD\u529B\u53EF\u4EE5\u6839\u636E\u4E1A\u52A1\u9700\u6C42\u8FDB\u884C\u9009\u62E9"
4557
+ },
4558
+ {
4559
+ id: "L3-CNS1-02",
4560
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4561
+ categoryEn: "Communication Network Security",
4562
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
4563
+ controlEn: "Network Architecture",
4564
+ requirementCn: "\u5E94\u4FDD\u8BC1\u7F51\u7EDC\u5404\u4E2A\u90E8\u5206\u7684\u5E26\u5BBD\u6EE1\u8DB3\u4E1A\u52A1\u9AD8\u5CF0\u671F\u9700\u8981",
4565
+ requirementEn: "Ensure that the bandwidth of each part of the network meets the peak business needs",
4566
+ referenceStatus: "\u7B26\u5408 No Gap",
4567
+ referenceComment: "\u4E9A\u9A6C\u900A\u4E91\u79D1\u6280\u8D1F\u8D23Cloud\u672C\u8EAB\u7684\u4E92\u8054\u7F51\u63A5\u5165\u6EE1\u8DB3\u4E1A\u52A1\u9AD8\u5CF0\u9700\u6C42\uFF1B\u5BA2\u6237\u6570\u636E\u4E2D\u5FC3\u548C\u4E9A\u9A6C\u900A\u4E91\u4E4B\u95F4\u7684\u8FDE\u63A5\u4F8B\u5982VPN\uFF0C\u4E13\u7EBF\u7684\u5904\u7406\u80FD\u529B\u9700\u8981\u5BA2\u6237\u6839\u636E\u4E1A\u52A1\u89C4\u5212\uFF1BVPC\u5185\u90E8\u7F51\u7EDC\u670D\u52A1\u6709\u81EA\u8EAB\u7684\u9650\u5236\uFF0C\u5F00Case\u63D0\u5347\u9650\u5236\uFF1BEC2\u81EA\u8EAB\u7684\u7F51\u7EDC\u5904\u7406\u80FD\u529B\u53EF\u4EE5\u6839\u636E\u4E1A\u52A1\u9700\u6C42\u8FDB\u884C\u9009\u62E9"
4568
+ },
4569
+ {
4570
+ id: "L3-CNS1-03",
4571
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4572
+ categoryEn: "Communication Network Security",
4573
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
4574
+ controlEn: "Network Architecture",
4575
+ requirementCn: "\u5E94\u5212\u5206\u4E0D\u540C\u7684\u7F51\u7EDC\u533A\u57DF\uFF0C\u5E76\u6309\u7167\u65B9\u4FBF\u7BA1\u7406\u548C\u63A7\u5236\u7684\u539F\u5219\u4E3A\u5404\u7F51\u7EDC\u533A\u57DF\u5206\u914D\u5730\u5740",
4576
+ requirementEn: "Different network areas should be divided, and addresses should be assigned to each network area in accordance with the principle of convenient management and control",
4577
+ referenceStatus: "\u7B26\u5408 No Gap",
4578
+ referenceComment: "\u5229\u7528VPC\u8FDB\u884C\u533A\u57DF\u548C\u5730\u5740\u5212\u5206"
4579
+ },
4580
+ {
4581
+ id: "L3-CNS1-04",
4582
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4583
+ categoryEn: "Communication Network Security",
4584
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
4585
+ controlEn: "Network Architecture",
4586
+ requirementCn: "\u5E94\u907F\u514D\u5C06\u91CD\u8981\u7F51\u7EDC\u533A\u57DF\u90E8\u7F72\u5728\u8FB9\u754C\u5904\uFF0C\u91CD\u8981\u7F51\u7EDC\u533A\u57DF\u4E0E\u5176\u4ED6\u7F51\u7EDC\u533A\u57DF\u4E4B\u95F4\u5E94\u91C7\u53D6\u53EF\u9760\u7684\u6280\u672F\u9694\u79BB\u624B\u6BB5",
4587
+ requirementEn: "Critical network areas should not be deployed at the network boundaries or without border protection, and reliable technical isolation should be used between important network areas and other network areas",
4588
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4589
+ referenceComment: "1. AWS\u4FA7\u91C7\u7528\u9632\u706B\u5899\u6216\u8005Network ACL\uFF08\u5EFA\u8BAE\u786E\u8BA4global region\u8BBE\u8BA1\uFF09\n2. On-premise\u91C7\u7528\u9632\u706B\u5899"
4590
+ },
4591
+ {
4592
+ id: "L3-CNS1-05",
4593
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4594
+ categoryEn: "Communication Network Security",
4595
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
4596
+ controlEn: "Network Architecture",
4597
+ requirementCn: "\u5E94\u63D0\u4F9B\u901A\u4FE1\u7EBF\u8DEF\u3001\u5173\u952E\u7F51\u7EDC\u8BBE\u5907\u548C\u5173\u952E\u8BA1\u7B97\u8BBE\u5907\u7684\u786C\u4EF6\u5197\u4F59\uFF0C\u4FDD\u8BC1\u7CFB\u7EDF\u7684\u53EF\u7528\u6027",
4598
+ requirementEn: "The communication lines and hardware of critical network equipment should be adequately backed up to ensure system availability.",
4599
+ referenceStatus: "\u7B26\u5408 No Gap",
4600
+ referenceComment: "\u670D\u52A1\u786E\u4FDD\u591A\u53EF\u7528\u533A\u90E8\u7F72\u4EE5\u53CA\u591A\u533A\u57DF\u90E8\u7F72\uFF1B\u591A\u6761\u4E13\u7EBF\u63A5\u5165\u5230\u4E0D\u540C\u7684\u4E13\u7EBF\u63A5\u5165\u70B9\u786E\u4FDD\u9AD8\u53EF\u7528"
4601
+ },
4602
+ {
4603
+ id: "L3-CNS1-06",
4604
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4605
+ categoryEn: "Communication Network Security",
4606
+ controlCn: "\u901A\u4FE1\u4F20\u8F93",
4607
+ controlEn: "Communication",
4608
+ requirementCn: "\u5E94\u91C7\u7528\u6821\u9A8C\u6280\u672F\u6216\u5BC6\u7801\u6280\u672F\u4FDD\u8BC1\u901A\u4FE1\u8FC7\u7A0B\u4E2D\u6570\u636E\u7684\u5B8C\u6574\u6027",
4609
+ requirementEn: "Verification techniques or cryptographic techniques should be used to ensure the integrity of the data during communication",
4610
+ referenceStatus: "\u7B26\u5408 No Gap",
4611
+ referenceComment: "\u5F00\u542F\u4F20\u8F93\u52A0\u5BC6"
4612
+ },
4613
+ {
4614
+ id: "L3-CNS1-07",
4615
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4616
+ categoryEn: "Communication Network Security",
4617
+ controlCn: "\u901A\u4FE1\u4F20\u8F93",
4618
+ controlEn: "Communication",
4619
+ requirementCn: "\u5E94\u91C7\u7528\u5BC6\u7801\u6280\u672F\u4FDD\u8BC1\u901A\u4FE1\u8FC7\u7A0B\u4E2D\u6570\u636E\u7684\u4FDD\u5BC6\u6027",
4620
+ requirementEn: "Cryptographic techniques should be used to ensure the confidentiality of the data during communication",
4621
+ referenceStatus: "\u7B26\u5408 No Gap",
4622
+ referenceComment: "\u542F\u7528SSL/TLS\u4F20\u8F93\u52A0\u5BC6\uFF0C\u5229\u7528ACM\u7BA1\u7406\u4F20\u8F93\u52A0\u5BC6\u7684\u5BC6\u94A5"
4623
+ },
4624
+ {
4625
+ id: "L3-CNS1-08",
4626
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
4627
+ categoryEn: "Communication Network Security",
4628
+ controlCn: "\u53EF\u4FE1\u9A8C\u8BC1",
4629
+ controlEn: "Trusted Verification",
4630
+ requirementCn: "\u53EF\u57FA\u4E8E\u53EF\u4FE1\u6839\u5BF9\u901A\u4FE1\u8BBE\u5907\u7684\u7CFB\u7EDF\u5F15\u5BFC\u7A0B\u5E8F\u3001\u7CFB\u7EDF\u7A0B\u5E8F\u3001\u91CD\u8981\u914D\u7F6E\u53C2\u6570\u548C\u901A\u4FE1\u5E94\u7528\u7A0B\u5E8F\u7B49\u8FDB\u884C\u53EF\u4FE1\u9A8C\u8BC1\uFF0C\u5E76\u5728\u5E94\u7528\u7A0B\u5E8F\u7684\u5173\u952E\u6267\u884C\u73AF\u8282\u8FDB\u884C\u52A8\u6001\u53EF\u4FE1\u9A8C\u8BC1\uFF0C\u5728\u68C0\u6D4B\u5230\u5176\u53EF\u4FE1\u6027\u53D7\u5230\u7834\u574F\u540E\u8FDB\u884C\u62A5\u8B66\uFF0C\u5E76\u5C06\u9A8C\u8BC1\u7ED3\u679C\u5F62\u6210\u5BA1\u8BA1\u8BB0\u5F55\u9001\u81F3\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
4631
+ requirementEn: "Trusted verification, based on the trusted root, can be applied to system boot program, system program, important configuration parameters, and communication applications of the communication device, and dynamic trusted verification can be used in the key execution of the application, and when detecting the credibility thereof. After being damaged, an alarm is issued, and after detecting that its credibility has been damaged, an alarm should be issued and the verification result should be sent to the Security Management Center.",
4632
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
4633
+ referenceComment: ""
4634
+ },
4635
+ {
4636
+ id: "L3-ABS1-01",
4637
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4638
+ categoryEn: "Area Boundary Security",
4639
+ controlCn: "\u8FB9\u754C\u9632\u62A4",
4640
+ controlEn: "Border Protection",
4641
+ requirementCn: "\u5E94\u4FDD\u8BC1\u8DE8\u8D8A\u8FB9\u754C\u7684\u8BBF\u95EE\u548C\u6570\u636E\u6D41\u901A\u8FC7\u8FB9\u754C\u9632\u62A4\u8BBE\u5907\u63D0\u4F9B\u7684\u53D7\u63A7\u63A5\u53E3\u8FDB\u884C\u901A\u4FE1",
4642
+ requirementEn: "It should be ensured that access and data flows across the boundary are communicated through a controlled interface provided by the border protection device.",
4643
+ referenceStatus: "\u7B26\u5408 No Gap",
4644
+ referenceComment: "1. \u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72"
4645
+ },
4646
+ {
4647
+ id: "L3-ABS1-02",
4648
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4649
+ categoryEn: "Area Boundary Security",
4650
+ controlCn: "\u8FB9\u754C\u9632\u62A4",
4651
+ controlEn: "Border Protection",
4652
+ requirementCn: "\u5E94\u80FD\u591F\u5BF9\u975E\u6388\u6743\u8BBE\u5907\u79C1\u81EA\u8054\u5230\u5185\u90E8\u7F51\u7EDC\u7684\u884C\u4E3A\u8FDB\u884C\u9650\u5236\u6216\u68C0\u67E5",
4653
+ requirementEn: "It should be able to restrict or check the behavior of unauthorized devices connected to the internal network",
4654
+ referenceStatus: "\u7B26\u5408 No Gap",
4655
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72"
4656
+ },
4657
+ {
4658
+ id: "L3-ABS1-03",
4659
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4660
+ categoryEn: "Area Boundary Security",
4661
+ controlCn: "\u8FB9\u754C\u9632\u62A4",
4662
+ controlEn: "Border Protection",
4663
+ requirementCn: "\u5E94\u80FD\u591F\u5BF9\u5185\u90E8\u7528\u6237\u975E\u6388\u6743\u8054\u5230\u5916\u90E8\u7F51\u7EDC\u7684\u884C\u4E3A\u8FDB\u884C\u9650\u5236\u6216\u68C0\u67E5",
4664
+ requirementEn: "It should be able to restrict or inspect the behavior of internal users who are privately linked to the external network",
4665
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4666
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u5229\u7528NAT \u6216\u8005 NAT Gateway\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n4. \u542F\u7528VPC Endpoint \u4FDD\u8BC1\u901A\u8FC7\u79C1\u6709\u7F51\u7EDC\u8BBF\u95EEAWS\u670D\u52A1"
4667
+ },
4668
+ {
4669
+ id: "L3-ABS1-04",
4670
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4671
+ categoryEn: "Area Boundary Security",
4672
+ controlCn: "\u8FB9\u754C\u9632\u62A4",
4673
+ controlEn: "Border Protection",
4674
+ requirementCn: "\u5E94\u9650\u5236\u65E0\u7EBF\u7F51\u7EDC\u7684\u4F7F\u7528\uFF0C\u786E\u4FDD\u65E0\u7EBF\u7F51\u7EDC\u901A\u8FC7\u53D7\u63A7\u7684\u8FB9\u754C\u9632\u62A4\u8BBE\u5907\u63A5\u5165\u5185\u90E8\u7F51\u7EDC",
4675
+ requirementEn: "The use of the wireless network should be limited to ensure that the wireless network accesses the internal network through controlled border protection equipment.",
4676
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
4677
+ referenceComment: ""
4678
+ },
4679
+ {
4680
+ id: "L3-ABS1-05",
4681
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4682
+ categoryEn: "Area Boundary Security",
4683
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4684
+ controlEn: "Access Control",
4685
+ requirementCn: "\u5E94\u5728\u7F51\u7EDC\u8FB9\u754C\u6216\u533A\u57DF\u4E4B\u95F4\u6839\u636E\u8BBF\u95EE\u63A7\u5236\u7B56\u7565\u8BBE\u7F6E\u8BBF\u95EE\u63A7\u5236\u89C4\u5219\uFF0C\u9ED8\u8BA4\u60C5\u51B5\u4E0B\u9664\u5141\u8BB8\u901A\u4FE1\u5916\u53D7\u63A7\u63A5\u53E3\u62D2\u7EDD\u6240\u6709\u901A\u4FE1",
4686
+ requirementEn: "Access control rules should be set between network boundaries or regions based on access control policies, and the controlled interfaces should reject any communication by default except for those that allow communication",
4687
+ referenceStatus: "\u7B26\u5408 No Gap",
4688
+ referenceComment: "\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u6309\u7167\u6700\u5C0F\u66B4\u9732\u539F\u5219\u8BBE\u7F6E"
4689
+ },
4690
+ {
4691
+ id: "L3-ABS1-06",
4692
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4693
+ categoryEn: "Area Boundary Security",
4694
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4695
+ controlEn: "Access Control",
4696
+ requirementCn: "\u5E94\u5220\u9664\u591A\u4F59\u6216\u65E0\u6548\u7684\u8BBF\u95EE\u63A7\u5236\u89C4\u5219\uFF0C\u4F18\u5316\u8BBF\u95EE\u63A7\u5236\u5217\u8868\uFF0C\u5E76\u4FDD\u8BC1\u8BBF\u95EE\u63A7\u5236\u89C4\u5219\u6570\u91CF\u6700\u5C0F\u5316",
4697
+ requirementEn: "Extra or invalid access control rules should be removed to optimize the access control lists, and the number of access control rules should be minimized",
4698
+ referenceStatus: "\u7B26\u5408 No Gap",
4699
+ referenceComment: "\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u6309\u7167\u6700\u5C0F\u66B4\u9732\u539F\u5219\u8BBE\u7F6E"
4700
+ },
4701
+ {
4702
+ id: "L3-ABS1-07",
4703
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4704
+ categoryEn: "Area Boundary Security",
4705
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4706
+ controlEn: "Access Control",
4707
+ requirementCn: "\u5E94\u5BF9\u6E90\u5730\u5740\u3001\u76EE\u7684\u5730\u5740\u3001\u6E90\u7AEF\u53E3\u3001\u76EE\u7684\u7AEF\u53E3\u548C\u534F\u8BAE\u7B49\u8FDB\u884C\u68C0\u67E5\uFF0C\u4EE5\u5141\u8BB8/\u62D2\u7EDD\u6570\u636E\u5305\u8FDB\u51FA",
4708
+ requirementEn: "Check the source address, destination address, source port, destination port, protocol, etc. to allow/deny packets in and out",
4709
+ referenceStatus: "\u7B26\u5408 No Gap",
4710
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n4. \u5229\u7528VPC Flow log \u5BF9\u8FDB\u51FAVPC\u7684\u901A\u8BAF\u8FDB\u884C\u5206\u6790\n5. \u5FC5\u8981\u65F6\u53EF\u4EE5\u542F\u7528VPC Traffic Mirror\uFF0C\u5E76\u5229\u7528\u4E13\u4E1A\u5206\u6790\u8F6F\u4EF6\u8FDB\u884C\u6D41\u91CF\u5206\u6790"
4711
+ },
4712
+ {
4713
+ id: "L3-ABS1-08",
4714
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4715
+ categoryEn: "Area Boundary Security",
4716
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4717
+ controlEn: "Access Control",
4718
+ requirementCn: "\u5E94\u80FD\u6839\u636E\u4F1A\u8BDD\u72B6\u6001\u4FE1\u606F\u4E3A\u8FDB\u51FA\u6570\u636E\u6D41\u63D0\u4F9B\u660E\u786E\u7684\u5141\u8BB8/\u62D2\u7EDD\u8BBF\u95EE\u7684\u80FD\u529B",
4719
+ requirementEn: "Explicit ability to allow/deny access to incoming and outgoing data streams should be provided based on session state information",
4720
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4721
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72"
4722
+ },
4723
+ {
4724
+ id: "L3-ABS1-09",
4725
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4726
+ categoryEn: "Area Boundary Security",
4727
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4728
+ controlEn: "Access Control",
4729
+ requirementCn: "\u5E94\u5BF9\u8FDB\u51FA\u7F51\u7EDC\u7684\u6570\u636E\u6D41\u5B9E\u73B0\u57FA\u4E8E\u5E94\u7528\u534F\u8BAE\u548C\u5E94\u7528\u5185\u5BB9\u7684\u8BBF\u95EE\u63A7\u5236",
4730
+ requirementEn: "Access control based on application protocols and application content should be applied to data flows to and from the network.",
4731
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4732
+ referenceComment: '"1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72"'
4733
+ },
4734
+ {
4735
+ id: "L3-ABS1-10",
4736
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4737
+ categoryEn: "Area Boundary Security",
4738
+ controlCn: "\u5165\u4FB5\u9632\u8303",
4739
+ controlEn: "Intrusion Prevention",
4740
+ requirementCn: "\u5E94\u5728\u5173\u952E\u7F51\u7EDC\u8282\u70B9\u5904\u68C0\u6D4B\u3001\u9632\u6B62\u6216\u9650\u5236\u4ECE\u5916\u90E8\u53D1\u8D77\u7684\u7F51\u7EDC\u653B\u51FB\u884C\u4E3A",
4741
+ requirementEn: "Externally initiated cyber attacks should be detected, prevented or restricted at critical network nodes",
4742
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4743
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72"
4744
+ },
4745
+ {
4746
+ id: "L3-ABS1-11",
4747
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4748
+ categoryEn: "Area Boundary Security",
4749
+ controlCn: "\u5165\u4FB5\u9632\u8303",
4750
+ controlEn: "Intrusion Prevention",
4751
+ requirementCn: "\u5E94\u5728\u5173\u952E\u7F51\u7EDC\u8282\u70B9\u5904\u68C0\u6D4B\u3001\u9632\u6B62\u6216\u9650\u5236\u4ECE\u5185\u90E8\u53D1\u8D77\u7684\u7F51\u7EDC\u653B\u51FB\u884C\u4E3A",
4752
+ requirementEn: "Internally initiated cyber attacks should be detected, prevented or restricted at critical network nodes",
4753
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4754
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528GuardDuty\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72"
4755
+ },
4756
+ {
4757
+ id: "L3-ABS1-12",
4758
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4759
+ categoryEn: "Area Boundary Security",
4760
+ controlCn: "\u5165\u4FB5\u9632\u8303",
4761
+ controlEn: "Intrusion Prevention",
4762
+ requirementCn: "\u5E94\u91C7\u53D6\u6280\u672F\u63AA\u65BD\u5BF9\u7F51\u7EDC\u884C\u4E3A\u8FDB\u884C\u5206\u6790\uFF0C\u5B9E\u73B0\u5BF9\u7F51\u7EDC\u653B\u51FB\u7279\u522B\u662F\u65B0\u578B\u7F51\u7EDC\u653B\u51FB\u884C\u4E3A\u7684\u5206\u6790",
4763
+ requirementEn: "Technical measures should be taken to analyze the network behavior, as well as analyze network attacks, especially the new types of attacks.",
4764
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4765
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"
4766
+ },
4767
+ {
4768
+ id: "L3-ABS1-13",
4769
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4770
+ categoryEn: "Area Boundary Security",
4771
+ controlCn: "\u5165\u4FB5\u9632\u8303",
4772
+ controlEn: "Intrusion Prevention",
4773
+ requirementCn: "\u5F53\u68C0\u6D4B\u5230\u653B\u51FB\u884C\u4E3A\u65F6\uFF0C\u8BB0\u5F55\u653B\u51FB\u6E90IP\u3001\u653B\u51FB\u7C7B\u578B\u3001\u653B\u51FB\u76EE\u7684\u3001\u653B\u51FB\u65F6\u95F4\uFF0C\u5728\u53D1\u751F\u4E25\u91CD\u5165\u4FB5\u4E8B\u4EF6\u65F6\u5E94\u63D0\u4F9B\u62A5\u8B66",
4774
+ requirementEn: "When an attack is detected, the attack source IP, attack type, attack purpose, and attack time should be recorded, and alarm when a serious intrusion occurs.",
4775
+ referenceStatus: "\u7B26\u5408 No Gap",
4776
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72"
4777
+ },
4778
+ {
4779
+ id: "L3-ABS1-14",
4780
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4781
+ categoryEn: "Area Boundary Security",
4782
+ controlCn: "\u6076\u610F\u4EE3\u7801\u548C\u5783\u573E\u90AE\u4EF6\u9632\u8303",
4783
+ controlEn: "Malicious Code and Spam Prevention",
4784
+ requirementCn: "\u5E94\u5728\u5173\u952E\u7F51\u7EDC\u8282\u70B9\u5904\u5BF9\u6076\u610F\u4EE3\u7801\u8FDB\u884C\u68C0\u6D4B\u548C\u6E05\u9664\uFF0C\u5E76\u7EF4\u62A4\u6076\u610F\u4EE3\u7801\u9632\u62A4\u673A\u5236\u7684\u5347\u7EA7\u548C\u66F4\u65B0",
4785
+ requirementEn: "Malicious code should be detected and purged at key network nodes, and the upgrade and update of malicious code protection mechanism should be maintained.",
4786
+ referenceStatus: "\u4E0D\u7B26\u5408 Gap Exist",
4787
+ referenceComment: "1.\u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n2.\u5728\u64CD\u4F5C\u7CFB\u7EDF\u5B89\u88C5\u7B2C\u4E09\u65B9\u5B89\u5168\u9632\u62A4\u548C\u6740\u6BD2\u8F6F\u4EF6"
4788
+ },
4789
+ {
4790
+ id: "L3-ABS1-15",
4791
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4792
+ categoryEn: "Area Boundary Security",
4793
+ controlCn: "\u6076\u610F\u4EE3\u7801\u548C\u5783\u573E\u90AE\u4EF6\u9632\u8303",
4794
+ controlEn: "Malicious Code and Spam Prevention",
4795
+ requirementCn: "\u5E94\u5728\u5173\u952E\u7F51\u7EDC\u8282\u70B9\u5904\u5BF9\u5783\u573E\u90AE\u4EF6\u8FDB\u884C\u68C0\u6D4B\u548C\u9632\u62A4\uFF0C\u5E76\u7EF4\u62A4\u5783\u573E\u90AE\u4EF6\u9632\u62A4\u673A\u5236\u7684\u5347\u7EA7\u548C\u66F4\u65B0",
4796
+ requirementEn: "Spam should be detected and protect at critical network nodes and upgrades and update of spam protection mechanisms should be maintained.",
4797
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
4798
+ referenceComment: ""
4799
+ },
4800
+ {
4801
+ id: "L3-ABS1-16",
4802
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4803
+ categoryEn: "Area Boundary Security",
4804
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
4805
+ controlEn: "Security Audit",
4806
+ requirementCn: "\u5E94\u5728\u7F51\u7EDC\u8FB9\u754C\u3001\u91CD\u8981\u7F51\u7EDC\u8282\u70B9\u8FDB\u884C\u5B89\u5168\u5BA1\u8BA1\uFF0C\u5BA1\u8BA1\u8986\u76D6\u5230\u6BCF\u4E2A\u7528\u6237\uFF0C\u5BF9\u91CD\u8981\u7684\u7528\u6237\u884C\u4E3A\u548C\u91CD\u8981\u5B89\u5168\u4E8B\u4EF6\u8FDB\u884C\u5BA1\u8BA1",
4807
+ requirementEn: "Security audits should be conducted at network borders and important network nodes, and audits should be covered to each user to audit important user behaviors and important security incidents",
4808
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4809
+ referenceComment: "1. IAM\n2,\u5821\u5792\u673A\uFF08session manager\u6216\u8005\u7B2C\u4E09\u65B9\u7684\u5821\u5792\u673A)"
4810
+ },
4811
+ {
4812
+ id: "L3-ABS1-17",
4813
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4814
+ categoryEn: "Area Boundary Security",
4815
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
4816
+ controlEn: "Security Audit",
4817
+ requirementCn: "\u5BA1\u8BA1\u8BB0\u5F55\u5E94\u5305\u62EC\u4E8B\u4EF6\u7684\u65E5\u671F\u548C\u65F6\u95F4\u3001\u7528\u6237\u3001\u4E8B\u4EF6\u7C7B\u578B\u3001\u4E8B\u4EF6\u662F\u5426\u6210\u529F\u53CA\u5176\u4ED6\u4E0E\u5BA1\u8BA1\u76F8\u5173\u7684\u4FE1\u606F",
4818
+ requirementEn: "The audit record should include the event date and time, user, event type, success or failure of the event, and other audit-related information",
4819
+ referenceStatus: "\u7B26\u5408 No Gap",
4820
+ referenceComment: "CloudTrail"
4821
+ },
4822
+ {
4823
+ id: "L3-ABS1-18",
4824
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4825
+ categoryEn: "Area Boundary Security",
4826
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
4827
+ controlEn: "Security Audit",
4828
+ requirementCn: "\u5E94\u5BF9\u5BA1\u8BA1\u8BB0\u5F55\u8FDB\u884C\u4FDD\u62A4\uFF0C\u5B9A\u671F\u5907\u4EFD\uFF0C\u907F\u514D\u53D7\u5230\u672A\u9884\u671F\u7684\u5220\u9664\u3001\u4FEE\u6539\u6216\u8986\u76D6\u7B49",
4829
+ requirementEn: "Audit records should be protected and backed up regularly to avoid unintended deletions, modifications or overwrites.",
4830
+ referenceStatus: "\u7B26\u5408 No Gap",
4831
+ referenceComment: "CloudTrail"
4832
+ },
4833
+ {
4834
+ id: "L3-ABS1-19",
4835
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4836
+ categoryEn: "Area Boundary Security",
4837
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
4838
+ controlEn: "Security Audit",
4839
+ requirementCn: "\u5E94\u80FD\u5BF9\u8FDC\u7A0B\u8BBF\u95EE\u7684\u7528\u6237\u884C\u4E3A\u3001\u8BBF\u95EE\u4E92\u8054\u7F51\u7684\u7528\u6237\u884C\u4E3A\u7B49\u5355\u72EC\u8FDB\u884C\u884C\u4E3A\u5BA1\u8BA1\u548C\u6570\u636E\u5206\u6790",
4840
+ requirementEn: "It should be possible to conduct separate behavioral audits and data analysis on user behaviors of remote access, user behaviors of accessing the Internet, and so on.",
4841
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4842
+ referenceComment: "1. CloudTraiil\n2. S3\u548CALB Access Logs\n3.\u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\u6216\u8005\u4E0A\u7F51\u884C\u4E3A\u7BA1\u7406\u4EA7\u54C1"
4843
+ },
4844
+ {
4845
+ id: "L3-ABS1-20",
4846
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
4847
+ categoryEn: "Area Boundary Security",
4848
+ controlCn: "\u53EF\u4FE1\u9A8C\u8BC1",
4849
+ controlEn: "Trusted Verification",
4850
+ requirementCn: "\u53EF\u57FA\u4E8E\u53EF\u4FE1\u6839\u5BF9\u8FB9\u754C\u8BBE\u5907\u7684\u7CFB\u7EDF\u5F15\u5BFC\u7A0B\u5E8F\u3001\u7CFB\u7EDF\u7A0B\u5E8F\u3001\u91CD\u8981\u914D\u7F6E\u53C2\u6570\u548C\u8FB9\u754C\u9632\u62A4\u5E94\u7528\u7A0B\u5E8F\u7B49\u8FDB\u884C\u53EF\u4FE1\u9A8C\u8BC1\uFF0C\u5E76\u5728\u5E94\u7528\u7A0B\u5E8F\u7684\u5173\u952E\u6267\u884C\u73AF\u8282\u8FDB\u884C\u52A8\u6001\u53EF\u4FE1\u9A8C\u8BC1\uFF0C\u5728\u68C0\u6D4B\u5230\u5176\u53EF\u4FE1\u6027\u53D7\u5230\u7834\u574F\u540E\u8FDB\u884C\u62A5\u8B66\uFF0C \u5E76\u5C06\u9A8C\u8BC1\u7ED3\u679C\u5F62\u6210\u5BA1\u8BA1\u8BB0\u5F55\u9001\u81F3\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
4851
+ requirementEn: "Trusted verification, based on the trusted root, can be applied to system boot program, system program, important configuration parameters, and network border protection applications of the network border devices, and dynamic trusted verification can be used in the key execution of the application, and when detecting the credibility thereof. After being damaged, an alarm is issued, and after detecting that its credibility has been damaged, an alarm should be issued and the verification result should be sent to the Security Management Center.",
4852
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
4853
+ referenceComment: ""
4854
+ },
4855
+ {
4856
+ id: "L3-CES1-01",
4857
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4858
+ categoryEn: "Computing Environment Security",
4859
+ controlCn: "\u8EAB\u4EFD\u9274\u522B",
4860
+ controlEn: "Identification and Authentication",
4861
+ requirementCn: "\u5E94\u5BF9\u767B\u5F55\u7684\u7528\u6237\u8FDB\u884C\u8EAB\u4EFD\u6807\u8BC6\u548C\u9274\u522B\uFF0C\u8EAB\u4EFD\u6807\u8BC6\u5177\u6709\u552F\u4E00\u6027\uFF0C\u8EAB\u4EFD\u9274\u522B\u4FE1\u606F\u5177\u6709\u590D\u6742\u5EA6\u8981\u6C42\u5E76\u5B9A\u671F\u66F4\u6362",
4862
+ requirementEn: "The logged-in user should be identified and authenticated. And the identity shall be unique. The identity authentication information should have complexity requirements and be replaced periodically.",
4863
+ referenceStatus: "\u7B26\u5408 No Gap",
4864
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
4865
+ },
4866
+ {
4867
+ id: "L3-CES1-02",
4868
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4869
+ categoryEn: "Computing Environment Security",
4870
+ controlCn: "\u8EAB\u4EFD\u9274\u522B",
4871
+ controlEn: "Identification and Authentication",
4872
+ requirementCn: "\u5E94\u5177\u6709\u767B\u5F55\u5931\u8D25\u5904\u7406\u529F\u80FD\uFF0C\u5E94\u914D\u7F6E\u5E76\u542F\u7528\u7ED3\u675F\u4F1A\u8BDD\u3001\u9650\u5236\u975E\u6CD5\u767B\u5F55\u6B21\u6570\u548C\u5F53\u767B\u5F55\u8FDE\u63A5\u8D85\u65F6\u81EA\u52A8\u9000\u51FA\u7B49\u76F8\u5173\u63AA\u65BD",
4873
+ requirementEn: "It should have the login failure processing function, and configure and enable the functions of end session, limit the number of illegal logins, and automatically exit when the login connection times out",
4874
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4875
+ referenceComment: "1. \u7B2C\u4E09\u65B9\u7684\u5821\u5792\u673A\n2.AWS\u5E73\u53F0\u53EF\u8003\u8651\u57FA\u4E8ECLoudTrail\u65E5\u5FD7+Cloudwatch Alarm + Lambda\u5B9E\u73B0"
4876
+ },
4877
+ {
4878
+ id: "L3-CES1-03",
4879
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4880
+ categoryEn: "Computing Environment Security",
4881
+ controlCn: "\u8EAB\u4EFD\u9274\u522B",
4882
+ controlEn: "Identification and Authentication",
4883
+ requirementCn: "\u5F53\u8FDB\u884C\u8FDC\u7A0B\u7BA1\u7406\u65F6\uFF0C\u5E94\u91C7\u53D6\u5FC5\u8981\u63AA\u65BD\u9632\u6B62\u9274\u522B\u4FE1\u606F\u5728\u7F51\u7EDC\u4F20\u8F93\u8FC7\u7A0B\u4E2D\u88AB\u7A83\u542C",
4884
+ requirementEn: "Necessary measures should be taken to prevent the authentication information from being eavesdropped during network transmission when performing remote management.",
4885
+ referenceStatus: "\u7B26\u5408 No Gap",
4886
+ referenceComment: "1. \u542F\u7528\u4F20\u8F93\u5C42\u52A0\u5BC6\n2. \u5229\u7528SSH\u548C\u52A0\u5BC6\u7684RDP\u8FDB\u884C\u8BBF\u95EEEC2"
4887
+ },
4888
+ {
4889
+ id: "L3-CES1-04",
4890
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4891
+ categoryEn: "Computing Environment Security",
4892
+ controlCn: "\u8EAB\u4EFD\u9274\u522B",
4893
+ controlEn: "Identification and Authentication",
4894
+ requirementCn: "\u5E94\u91C7\u7528\u53E3\u4EE4\u3001\u5BC6\u7801\u6280\u672F\u3001\u751F\u7269\u6280\u672F\u7B49\u4E24\u79CD\u6216\u4E24\u79CD\u4EE5\u4E0A\u7EC4\u5408\u7684\u9274\u522B\u6280\u672F\u5BF9\u7528\u6237\u8FDB\u884C\u8EAB\u4EFD\u9274\u522B\uFF0C \u4E14\u5176\u4E2D\u4E00\u79CD\u9274\u522B\u6280\u672F\u81F3\u5C11\u5E94\u4F7F\u7528\u5BC6\u7801\u6280\u672F\u6765\u5B9E\u73B0",
4895
+ requirementEn: "Two or more authentication technologies, e.g. password, cryptography, biotechnology and etc., should be used to identify users, and at least one of them should be implemented by cryptography.",
4896
+ referenceStatus: "\u7B26\u5408 No Gap",
4897
+ referenceComment: "\u542F\u7528MFA"
4898
+ },
4899
+ {
4900
+ id: "L3-CES1-05",
4901
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4902
+ categoryEn: "Computing Environment Security",
4903
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4904
+ controlEn: "Access Control",
4905
+ requirementCn: "\u5E94\u5BF9\u767B\u5F55\u7684\u7528\u6237\u5206\u914D\u8D26\u53F7\u548C\u6743\u9650",
4906
+ requirementEn: "Accounts and permissions should be assigned to the logged in user",
4907
+ referenceStatus: "\u7B26\u5408 No Gap",
4908
+ referenceComment: '"1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"'
4909
+ },
4910
+ {
4911
+ id: "L3-CES1-06",
4912
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4913
+ categoryEn: "Computing Environment Security",
4914
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4915
+ controlEn: "Access Control",
4916
+ requirementCn: "\u5E94\u91CD\u547D\u540D\u6216\u5220\u9664\u9ED8\u8BA4\u8D26\u6237\uFF0C\u4FEE\u6539\u9ED8\u8BA4\u8D26\u6237\u7684\u9ED8\u8BA4\u53E3\u4EE4",
4917
+ requirementEn: "The default account should be renamed or deleted, and the default password of the default account should be changed.",
4918
+ referenceStatus: "\u7B26\u5408 No Gap",
4919
+ referenceComment: "\u7BA1\u7406\u6D41\u7A0B"
4920
+ },
4921
+ {
4922
+ id: "L3-CES1-07",
4923
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4924
+ categoryEn: "Computing Environment Security",
4925
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4926
+ controlEn: "Access Control",
4927
+ requirementCn: "\u5E94\u53CA\u65F6\u5220\u9664\u6216\u505C\u7528\u591A\u4F59\u7684\u3001\u8FC7\u671F\u7684\u8D26\u53F7\uFF0C\u907F\u514D\u5171\u4EAB\u8D26\u53F7\u7684\u5B58\u5728",
4928
+ requirementEn: "The redundant and expired accounts should be deleted or deactivated in time and share accounts is not allowed",
4929
+ referenceStatus: "\u7B26\u5408 No Gap",
4930
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
4931
+ },
4932
+ {
4933
+ id: "L3-CES1-08",
4934
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4935
+ categoryEn: "Computing Environment Security",
4936
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4937
+ controlEn: "Access Control",
4938
+ requirementCn: "\u5E94\u6388\u4E88\u7BA1\u7406\u7528\u6237\u6240\u9700\u7684\u6700\u5C0F\u6743\u9650\uFF0C\u5B9E\u73B0\u7BA1\u7406\u7528\u6237\u7684\u6743\u9650\u5206\u79BB",
4939
+ requirementEn: "Administrator access should be reduced to an absolute minimum to achieve separation of administrator privileges",
4940
+ referenceStatus: "\u7B26\u5408 No Gap",
4941
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
4942
+ },
4943
+ {
4944
+ id: "L3-CES1-09",
4945
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4946
+ categoryEn: "Computing Environment Security",
4947
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4948
+ controlEn: "Access Control",
4949
+ requirementCn: "\u5E94\u7531\u6388\u6743\u4E3B\u4F53\u914D\u7F6E\u8BBF\u95EE\u63A7\u5236\u7B56\u7565\uFF0C\u8BBF\u95EE\u63A7\u5236\u7B56\u7565\u89C4\u5B9A\u4E3B\u4F53\u5BF9\u5BA2\u4F53\u7684\u8BBF\u95EE\u89C4\u5219",
4950
+ requirementEn: "The access control policy should be configured by the authorized subject, and the access control policy stipulates the access rules of the subject to the object",
4951
+ referenceStatus: "\u7B26\u5408 No Gap",
4952
+ referenceComment: "\u652F\u6301\u57FA\u4E8E\u4EBA\u5458\u548C\u57FA\u4E8E\u8D44\u6E90\u7684\u6743\u9650\u5206\u914D"
4953
+ },
4954
+ {
4955
+ id: "L3-CES1-10",
4956
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4957
+ categoryEn: "Computing Environment Security",
4958
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4959
+ controlEn: "Access Control",
4960
+ requirementCn: "\u8BBF\u95EE\u63A7\u5236\u7684\u7C92\u5EA6\u5E94\u8FBE\u5230\u4E3B\u4F53\u4E3A\u7528\u6237\u7EA7\u6216\u8FDB\u7A0B\u7EA7\uFF0C\u5BA2\u4F53\u4E3A\u6587\u4EF6\u3001\u6570\u636E\u5E93\u8868\u7EA7",
4961
+ requirementEn: "The granularity of access control should be at the user level or process level, and the object is at the file and database table level",
4962
+ referenceStatus: "\u7B26\u5408 No Gap",
4963
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
4964
+ },
4965
+ {
4966
+ id: "L3-CES1-11",
4967
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4968
+ categoryEn: "Computing Environment Security",
4969
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
4970
+ controlEn: "Access Control",
4971
+ requirementCn: "\u5E94\u5BF9\u654F\u611F\u4FE1\u606F\u8D44\u6E90\u8BBE\u7F6E\u5B89\u5168\u6807\u8BB0\uFF0C\u5E76\u63A7\u5236\u4E3B\u4F53\u5BF9\u6709\u5B89\u5168\u6807\u8BB0\u4FE1\u606F\u8D44\u6E90\u7684\u8BBF\u95EE",
4972
+ requirementEn: "Set security tokens for sensitive information resources and control the subject's access to resources with security-tagged information.",
4973
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
4974
+ referenceComment: "\u9700\u8981\u5E94\u7528\u5C42\u9762\u5148\u8FDB\u884C\u654F\u611F\u4FE1\u606F\u7684\u5206\u7C7B\uFF0C\u7136\u540E\u5229\u7528Tag\u6216\u8005Metadata\u5BF9\u6570\u636E\u8FDB\u884C\u6807\u8BB0\uFF0C\u7136\u540E\u5229\u7528\u63A7\u5236\u8BBF\u95EE\u7B56\u7565\u8FDB\u884C\u7BA1\u63A7"
4975
+ },
4976
+ {
4977
+ id: "L3-CES1-12",
4978
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4979
+ categoryEn: "Computing Environment Security",
4980
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
4981
+ controlEn: "Security Audit",
4982
+ requirementCn: "\u5E94\u542F\u7528\u5B89\u5168\u5BA1\u8BA1\u529F\u80FD\uFF0C\u5BA1\u8BA1\u8986\u76D6\u5230\u6BCF\u4E2A\u7528\u6237\uFF0C\u5BF9\u91CD\u8981\u7684\u7528\u6237\u884C\u4E3A\u548C\u91CD\u8981\u5B89\u5168\u4E8B\u4EF6\u8FDB\u884C\u5BA1\u8BA1",
4983
+ requirementEn: "Security auditing should be enabled, and covers each user, important user behaviors and security incidents",
4984
+ referenceStatus: "\u7B26\u5408 No Gap",
4985
+ referenceComment: "1. CloudTrail \n2. CloudWatch\n3. AWS Config \u6216\u8005 Palo Alto\u7684Prisma Cloud"
4986
+ },
4987
+ {
4988
+ id: "L3-CES1-13",
4989
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
4990
+ categoryEn: "Computing Environment Security",
4991
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
4992
+ controlEn: "Security Audit",
4993
+ requirementCn: "\u5BA1\u8BA1\u8BB0\u5F55\u5E94\u5305\u62EC\u4E8B\u4EF6\u7684\u65E5\u671F\u548C\u65F6\u95F4\u3001\u7528\u6237\u3001\u4E8B\u4EF6\u7C7B\u578B\u3001\u4E8B\u4EF6\u662F\u5426\u6210\u529F\u53CA\u5176\u4ED6\u4E0E\u5BA1\u8BA1\u76F8\u5173\u7684\u4FE1\u606F",
4994
+ requirementEn: "The audit record should include the event date and time, user, event type, success or failure of the event, and other audit-related information",
4995
+ referenceStatus: "\u7B26\u5408 No Gap",
4996
+ referenceComment: "1. CloudTrail \n2. CloudWatch\n3. AWS Config \u6216\u8005 Palo Alto\u7684Prisma Cloud"
4997
+ },
4998
+ {
4999
+ id: "L3-CES1-14",
5000
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5001
+ categoryEn: "Computing Environment Security",
5002
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
5003
+ controlEn: "Security Audit",
5004
+ requirementCn: "\u5E94\u5BF9\u5BA1\u8BA1\u8BB0\u5F55\u8FDB\u884C\u4FDD\u62A4\uFF0C\u5B9A\u671F\u5907\u4EFD\uFF0C\u907F\u514D\u53D7\u5230\u672A\u9884\u671F\u7684\u5220\u9664\u3001\u4FEE\u6539\u6216\u8986\u76D6\u7B49",
5005
+ requirementEn: "Audit records should be protected and backed up regularly to avoid unintended deletions, modifications or overwrites.",
5006
+ referenceStatus: "\u7B26\u5408 No Gap",
5007
+ referenceComment: "1. CloudTrail \n2. CloudWatch\n3. AWS Config \u6216\u8005 Palo Alto\u7684Prisma Cloud"
5008
+ },
5009
+ {
5010
+ id: "L3-CES1-15",
5011
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5012
+ categoryEn: "Computing Environment Security",
5013
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
5014
+ controlEn: "Security Audit",
5015
+ requirementCn: "\u5E94\u5BF9\u5BA1\u8BA1\u8FDB\u7A0B\u8FDB\u884C\u4FDD\u62A4\uFF0C\u9632\u6B62\u672A\u7ECF\u6388\u6743\u7684\u4E2D\u65AD",
5016
+ requirementEn: "The audit record time shall be synchronized with an accurate time source within the system to ensure the correctness of the audit analysis.",
5017
+ referenceStatus: "\u7B26\u5408 No Gap",
5018
+ referenceComment: "1. CloudTrail \n2. CloudWatch\n3. AWS Config \u6216\u8005 Palo Alto\u7684Prisma Cloud"
5019
+ },
5020
+ {
5021
+ id: "L3-CES1-17",
5022
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5023
+ categoryEn: "Computing Environment Security",
5024
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5025
+ controlEn: "Intrusion Prevention",
5026
+ requirementCn: "\u5E94\u9075\u5FAA\u6700\u5C0F\u5B89\u88C5\u7684\u539F\u5219\uFF0C\u4EC5\u5B89\u88C5\u9700\u8981\u7684\u7EC4\u4EF6\u548C\u5E94\u7528\u7A0B\u5E8F",
5027
+ requirementEn: "Follow the principle of minimum installation, and install only the required components and applications.",
5028
+ referenceStatus: "\u7B26\u5408 No Gap",
5029
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"
5030
+ },
5031
+ {
5032
+ id: "L3-CES1-18",
5033
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5034
+ categoryEn: "Computing Environment Security",
5035
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5036
+ controlEn: "Intrusion Prevention",
5037
+ requirementCn: "\u5E94\u5173\u95ED\u4E0D\u9700\u8981\u7684\u7CFB\u7EDF\u670D\u52A1\u3001\u9ED8\u8BA4\u5171\u4EAB\u548C\u9AD8\u5371\u7AEF\u53E3",
5038
+ requirementEn: "Unneeded system services, default shares, and high-risk ports should be turned off",
5039
+ referenceStatus: "\u7B26\u5408 No Gap",
5040
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"
5041
+ },
5042
+ {
5043
+ id: "L3-CES1-19",
5044
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5045
+ categoryEn: "Computing Environment Security",
5046
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5047
+ controlEn: "Intrusion Prevention",
5048
+ requirementCn: "\u5E94\u901A\u8FC7\u8BBE\u5B9A\u7EC8\u7AEF\u63A5\u5165\u65B9\u5F0F\u6216\u7F51\u7EDC\u5730\u5740\u8303\u56F4\u5BF9\u901A\u8FC7\u7F51\u7EDC\u8FDB\u884C\u7BA1\u7406\u7684\u7BA1\u7406\u7EC8\u7AEF\u8FDB\u884C\u9650\u5236",
5049
+ requirementEn: "The management terminal managed through the network should be restricted by setting the terminal access mode or network address range",
5050
+ referenceStatus: "\u7B26\u5408 No Gap",
5051
+ referenceComment: '1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"'
5052
+ },
5053
+ {
5054
+ id: "L3-CES1-20",
5055
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5056
+ categoryEn: "Computing Environment Security",
5057
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5058
+ controlEn: "Intrusion Prevention",
5059
+ requirementCn: "\u5E94\u63D0\u4F9B\u6570\u636E\u6709\u6548\u6027\u68C0\u9A8C\u529F\u80FD\uFF0C\u4FDD\u8BC1\u901A\u8FC7\u4EBA\u673A\u63A5\u53E3\u8F93\u5165\u6216\u901A\u8FC7\u901A\u4FE1\u63A5\u53E3\u8F93\u5165\u7684\u5185\u5BB9\u7B26\u5408\u7CFB\u7EDF\u8BBE\u5B9A\u8981\u6C42",
5060
+ requirementEn: "The data validity check function shall be provided to ensure that the content input through the human machine interface or input through the communication interface complies with the system setting requirements",
5061
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5062
+ referenceComment: '"1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"'
5063
+ },
5064
+ {
5065
+ id: "L3-CES1-21",
5066
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5067
+ categoryEn: "Computing Environment Security",
5068
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5069
+ controlEn: "Intrusion Prevention",
5070
+ requirementCn: "\u5E94\u80FD\u53D1\u73B0\u53EF\u80FD\u5B58\u5728\u7684\u6F0F\u6D1E\uFF0C\u5E76\u5728\u7ECF\u8FC7\u5145\u5206\u6D4B\u8BD5\u8BC4\u4F30\u540E\uFF0C\u53CA\u65F6\u4FEE\u8865\u6F0F\u6D1E",
5071
+ requirementEn: "It should be able to identify possible vulnerabilities and fix the vulnerabilities in time after thorough testing and evaluation",
5072
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5073
+ referenceComment: '1. \u542F\u7528WAF\n2. \u542F\u7528GuardDuty\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n4. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"'
5074
+ },
5075
+ {
5076
+ id: "L3-CES1-22",
5077
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5078
+ categoryEn: "Computing Environment Security",
5079
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5080
+ controlEn: "Intrusion Prevention",
5081
+ requirementCn: "\u5E94\u80FD\u591F\u68C0\u6D4B\u5230\u5BF9\u91CD\u8981\u8282\u70B9\u8FDB\u884C\u5165\u4FB5\u7684\u884C\u4E3A\uFF0C\u5E76\u5728\u53D1\u751F\u4E25\u91CD\u5165\u4FB5\u4E8B\u4EF6\u65F6\u63D0\u4F9B\u62A5\u8B66",
5082
+ requirementEn: "It should be able to detect intrusions on important nodes and alert when there is serious intrusion.",
5083
+ referenceStatus: "\u7B26\u5408 No Gap",
5084
+ referenceComment: "1. \u542F\u7528WAF\n2. \u542F\u7528GuardDuty\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n4. \u64CD\u4F5C\u7CFB\u7EDF\u5C42\u5B89\u88C5\u7B2C\u4E09\u65B9\u5B89\u5168\u9632\u62A4\u8F6F\u4EF6"
5085
+ },
5086
+ {
5087
+ id: "L3-CES1-23",
5088
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5089
+ categoryEn: "Computing Environment Security",
5090
+ controlCn: "\u6076\u610F\u4EE3\u7801\u9632\u8303",
5091
+ controlEn: "Malicious Code Prevention",
5092
+ requirementCn: "\u5E94\u91C7\u7528\u514D\u53D7\u6076\u610F\u4EE3\u7801\u653B\u51FB\u7684\u6280\u672F\u63AA\u65BD\u6216\u4E3B\u52A8\u514D\u75AB\u53EF\u4FE1\u9A8C\u8BC1\u673A\u5236\u53CA\u65F6\u8BC6\u522B\u5165\u4FB5\u548C\u75C5\u6BD2\u884C\u4E3A\uFF0C\u5E76\u5C06\u5176\u6709\u6548\u963B\u65AD",
5093
+ requirementEn: "Intrusion and virus behavior should be identified and effectively blocked by technical measures against malicious code attacks or active immune trusted authentication mechanisms.",
5094
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5095
+ referenceComment: "1. \u542F\u7528WAF\n2. \u542F\u7528GuardDuty\n3. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n4. \u64CD\u4F5C\u7CFB\u7EDF\u5C42\u5B89\u88C5\u7B2C\u4E09\u65B9\u6740\u6BD2\u4EA7\u54C1"
5096
+ },
5097
+ {
5098
+ id: "L3-CES1-24",
5099
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5100
+ categoryEn: "Computing Environment Security",
5101
+ controlCn: "\u53EF\u4FE1\u9A8C\u8BC1",
5102
+ controlEn: "Trusted Verification",
5103
+ requirementCn: "\u53EF\u57FA\u4E8E\u53EF\u4FE1\u6839\u5BF9\u8BA1\u7B97\u8BBE\u5907\u7684\u7CFB\u7EDF\u5F15\u5BFC\u7A0B\u5E8F\u3001\u7CFB\u7EDF\u7A0B\u5E8F\u3001\u91CD\u8981\u914D\u7F6E\u53C2\u6570\u548C\u5E94\u7528\u7A0B\u5E8F\u7B49\u8FDB\u884C\u53EF\u4FE1\u9A8C\u8BC1\uFF0C \u5E76\u5728\u5E94\u7528\u7A0B\u5E8F\u7684\u5173\u952E\u6267\u884C\u73AF\u8282\u8FDB\u884C\u52A8\u6001\u53EF\u4FE1\u9A8C\u8BC1\uFF0C\u5728\u68C0\u6D4B\u5230\u5176\u53EF\u4FE1\u6027\u53D7\u5230\u7834\u574F\u540E\u8FDB\u884C\u62A5\u8B66\uFF0C\u5E76\u5C06\u9A8C\u8BC1 \u7ED3\u679C\u5F62\u6210\u5BA1\u8BA1\u8BB0\u5F55\u9001\u81F3\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5104
+ requirementEn: "Trusted verification, based on the trusted root, can be applied to system boot program, system program, important configuration parameters, and applications of the computing devices, and dynamic trusted verification can be used in the key execution of the application, and when detecting the credibility thereof. After being damaged, an alarm is issued, and after detecting that its credibility has been damaged, an alarm should be issued and the verification result should be sent to the Security Management Center.",
5105
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5106
+ referenceComment: ""
5107
+ },
5108
+ {
5109
+ id: "L3-CES1-25",
5110
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5111
+ categoryEn: "Computing Environment Security",
5112
+ controlCn: "\u6570\u636E\u5B8C\u6574\u6027",
5113
+ controlEn: "Data Confidentiality",
5114
+ requirementCn: "\u5E94\u91C7\u7528\u6821\u9A8C\u6280\u672F\u6216\u5BC6\u7801\u6280\u672F\u4FDD\u8BC1\u91CD\u8981\u6570\u636E\u5728\u4F20\u8F93\u8FC7\u7A0B\u4E2D\u7684\u5B8C\u6574\u6027\uFF0C\u5305\u62EC\u4F46\u4E0D\u9650\u4E8E\u9274\u522B\u6570\u636E\u3001\u91CD\u8981\u4E1A\u52A1\u6570\u636E\u3001\u91CD\u8981\u5BA1\u8BA1\u6570\u636E\u3001\u91CD\u8981\u914D\u7F6E\u6570\u636E\u3001\u91CD\u8981\u89C6\u9891\u6570\u636E\u548C\u91CD\u8981\u4E2A\u4EBA\u4FE1\u606F\u7B49",
5115
+ requirementEn: "Verification techniques or cryptographic techniques should be used to ensure the integrity of important data during transmission, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information",
5116
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5117
+ referenceComment: "1. \u542F\u7528\u4F20\u8F93\u52A0\u5BC6\uFF0C\u5E76\u4E14\u53EF\u4EE5\u5229\u7528Amazon ACM\u7BA1\u7406\u5BC6\u94A5\n2. S3 \u4F1A\u9A8C\u8BC1\u5DF2\u4E0A\u4F20\u5BF9\u8C61\u7684\u5B8C\u6574\u6027\n3. \u6309\u7167\u7B2C\u4E09\u65B9\u9632\u7BE1\u6539\u8F6F\u4EF6"
5118
+ },
5119
+ {
5120
+ id: "L3-CES1-26",
5121
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5122
+ categoryEn: "Computing Environment Security",
5123
+ controlCn: "\u6570\u636E\u5B8C\u6574\u6027",
5124
+ controlEn: "Data Confidentiality",
5125
+ requirementCn: "\u5E94\u91C7\u7528\u6821\u9A8C\u6280\u672F\u6216\u5BC6\u7801\u6280\u672F\u4FDD\u8BC1\u91CD\u8981\u6570\u636E\u5728\u5B58\u50A8\u8FC7\u7A0B\u4E2D\u7684\u5B8C\u6574\u6027\uFF0C\u5305\u62EC\u4F46\u4E0D\u9650\u4E8E\u9274\u522B\u6570\u636E\u3001\u91CD\u8981\u4E1A\u52A1\u6570\u636E\u3001\u91CD\u8981\u5BA1\u8BA1\u6570\u636E\u3001\u91CD\u8981\u914D\u7F6E\u6570\u636E\u3001\u91CD\u8981\u89C6\u9891\u6570\u636E\u548C\u91CD\u8981\u4E2A\u4EBA\u4FE1\u606F\u7B49",
5126
+ requirementEn: "Verification techniques or cryptographic techniques should be used to ensure the integrity of important data when stored including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information",
5127
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5128
+ referenceComment: "1. \u542F\u7528\u4F20\u8F93\u52A0\u5BC6\uFF0C\u5E76\u4E14\u53EF\u4EE5\u5229\u7528Amazon ACM\u7BA1\u7406\u5BC6\u94A5\n2. S3 \u4F1A\u9A8C\u8BC1\u5DF2\u4E0A\u4F20\u5BF9\u8C61\u7684\u5B8C\u6574\u6027\n3. \u6309\u7167\u7B2C\u4E09\u65B9\u9632\u7BE1\u6539\u8F6F\u4EF6"
5129
+ },
5130
+ {
5131
+ id: "L3-CES1-27",
5132
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5133
+ categoryEn: "Computing Environment Security",
5134
+ controlCn: "\u6570\u636E\u4FDD\u5BC6\u6027",
5135
+ controlEn: "Data Integrity",
5136
+ requirementCn: "\u5E94\u91C7\u7528\u5BC6\u7801\u6280\u672F\u4FDD\u8BC1\u91CD\u8981\u6570\u636E\u5728\u4F20\u8F93\u8FC7\u7A0B\u4E2D\u7684\u4FDD\u5BC6\u6027\uFF0C\u5305\u62EC\u4F46\u4E0D\u9650\u4E8E\u9274\u522B\u6570\u636E\u3001\u91CD\u8981\u4E1A\u52A1\u6570\u636E\u548C\u91CD\u8981\u4E2A\u4EBA\u4FE1\u606F\u7B49",
5137
+ requirementEn: "Cryptographic technology should be used to ensure the confidentiality of important data during transmission, including but not limited to authentication data, important business data and important personal information",
5138
+ referenceStatus: "\u7B26\u5408 No Gap",
5139
+ referenceComment: "\u542F\u7528KMS"
5140
+ },
5141
+ {
5142
+ id: "L3-CES1-28",
5143
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5144
+ categoryEn: "Computing Environment Security",
5145
+ controlCn: "\u6570\u636E\u4FDD\u5BC6\u6027",
5146
+ controlEn: "Data Integrity",
5147
+ requirementCn: "\u5E94\u91C7\u7528\u5BC6\u7801\u6280\u672F\u4FDD\u8BC1\u91CD\u8981\u6570\u636E\u5728\u5B58\u50A8\u8FC7\u7A0B\u4E2D\u7684\u4FDD\u5BC6\u6027\uFF0C\u5305\u62EC\u4F46\u4E0D\u9650\u4E8E\u9274\u522B\u6570\u636E\u3001\u91CD\u8981\u4E1A\u52A1\u6570\u636E\u548C\u91CD\u8981\u4E2A\u4EBA\u4FE1\u606F\u7B49",
5148
+ requirementEn: "Cryptographic technology should be used to ensure the confidentiality of important data when stored, including but not limited to authentication data, important business data and important personal information",
5149
+ referenceStatus: "\u7B26\u5408 No Gap",
5150
+ referenceComment: "\u542F\u7528KMS"
5151
+ },
5152
+ {
5153
+ id: "L3-CES1-29",
5154
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5155
+ categoryEn: "Computing Environment Security",
5156
+ controlCn: "\u6570\u636E\u5907\u4EFD\u6062\u590D",
5157
+ controlEn: "Data Backup and Recovery",
5158
+ requirementCn: "\u5E94\u63D0\u4F9B\u91CD\u8981\u6570\u636E\u7684\u672C\u5730\u6570\u636E\u5907\u4EFD\u4E0E\u6062\u590D\u529F\u80FD",
5159
+ requirementEn: "Local data backup and recovery functions for important data should be provided",
5160
+ referenceStatus: "\u7B26\u5408 No Gap",
5161
+ referenceComment: "1. \u5B58\u50A8\u670D\u52A1\u539F\u751F\u652F\u6301\u591A\u526F\u672C\uFF0C\u5BA2\u6237\u53EF\u4EE5\u901A\u8FC7\u5FEB\u7167\u7684\u65B9\u5F0F\u5BF9\u6570\u636E\u8FDB\u884C\u989D\u5916\u5907\u4EFD\n2. \u5229\u7528AWS Backup \u4E2D\u5FC3\u5316\u7BA1\u7406\u5907\u4EFD\u7684\u5DE5\u5177\u3002\u4E5F\u53EF\u4EE5\u4F7F\u7528AWS\u5404\u670D\u52A1\u4E2D\u76F8\u5E94\u7684\u5907\u4EFD\u529F\u80FD\uFF0C\u5355\u72EC\u7BA1\u7406"
5162
+ },
5163
+ {
5164
+ id: "L3-CES1-30",
5165
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5166
+ categoryEn: "Computing Environment Security",
5167
+ controlCn: "\u6570\u636E\u5907\u4EFD\u6062\u590D",
5168
+ controlEn: "Data Backup and Recovery",
5169
+ requirementCn: "\u5E94\u63D0\u4F9B\u5F02\u5730\u5B9E\u65F6\u5907\u4EFD\u529F\u80FD\uFF0C\u5229\u7528\u901A\u4FE1\u7F51\u7EDC\u5C06\u91CD\u8981\u6570\u636E\u5B9E\u65F6\u5907\u4EFD\u81F3\u5907\u4EFD\u573A\u5730",
5170
+ requirementEn: "Remote real-time backup function should be provided, and use the communication network to back up important data to the backup site in real time",
5171
+ referenceStatus: "\u7B26\u5408 No Gap",
5172
+ referenceComment: "1. \u5B58\u50A8\u670D\u52A1\u539F\u751F\u652F\u6301\u591A\u526F\u672C\uFF0C\u5BA2\u6237\u53EF\u4EE5\u901A\u8FC7\u5FEB\u7167\u7684\u65B9\u5F0F\u5BF9\u6570\u636E\u8FDB\u884C\u989D\u5916\u5907\u4EFD\n2. \u5229\u7528AWS Backup \u4E2D\u5FC3\u5316\u7BA1\u7406\u5907\u4EFD\u7684\u5DE5\u5177\u3002\u4E5F\u53EF\u4EE5\u4F7F\u7528AWS\u5404\u670D\u52A1\u4E2D\u76F8\u5E94\u7684\u5907\u4EFD\u529F\u80FD\uFF0C\u5355\u72EC\u7BA1\u7406\n3. \u914D\u7F6E\u5FEB\u7167\u548CS3\u8DE8\u533A\u57DF\u6570\u636E\u590D\u5236"
5173
+ },
5174
+ {
5175
+ id: "L3-CES1-31",
5176
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5177
+ categoryEn: "Computing Environment Security",
5178
+ controlCn: "\u6570\u636E\u5907\u4EFD\u6062\u590D",
5179
+ controlEn: "Data Backup and Recovery",
5180
+ requirementCn: "\u5E94\u63D0\u4F9B\u91CD\u8981\u6570\u636E\u5904\u7406\u7CFB\u7EDF\u7684\u70ED\u5197\u4F59\uFF0C\u4FDD\u8BC1\u7CFB\u7EDF\u7684\u9AD8\u53EF\u7528\u6027",
5181
+ requirementEn: "Redundancy of critical data processing systems should be provided to ensure high system availability.",
5182
+ referenceStatus: "\u7B26\u5408 No Gap",
5183
+ referenceComment: '"1. \u5B58\u50A8\u670D\u52A1\u539F\u751F\u652F\u6301\u591A\u526F\u672C\uFF0C\u5BA2\u6237\u53EF\u4EE5\u901A\u8FC7\u5FEB\u7167\u7684\u65B9\u5F0F\u5BF9\u6570\u636E\u8FDB\u884C\u989D\u5916\u5907\u4EFD\n2. \u5229\u7528AWS Backup \u4E2D\u5FC3\u5316\u7BA1\u7406\u5907\u4EFD\u7684\u5DE5\u5177\u3002\u4E5F\u53EF\u4EE5\u4F7F\u7528AWS\u5404\u670D\u52A1\u4E2D\u76F8\u5E94\u7684\u5907\u4EFD\u529F\u80FD\uFF0C\u5355\u72EC\u7BA1\u7406"'
5184
+ },
5185
+ {
5186
+ id: "L3-CES1-32",
5187
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5188
+ categoryEn: "Computing Environment Security",
5189
+ controlCn: "\u5269\u4F59\u4FE1\u606F\u4FDD\u62A4",
5190
+ controlEn: "Residual Information Protection",
5191
+ requirementCn: "\u5E94\u4FDD\u8BC1\u9274\u522B\u4FE1\u606F\u6240\u5728\u7684\u5B58\u50A8\u7A7A\u95F4\u88AB\u91CA\u653E\u6216\u91CD\u65B0\u5206\u914D\u524D\u5F97\u5230\u5B8C\u5168\u6E05\u9664",
5192
+ requirementEn: "Ensure that the storage space where the authentication information is located is completely cleared before being released or redistributed",
5193
+ referenceStatus: "\u7B26\u5408 No Gap",
5194
+ referenceComment: "1. AWS \u5B58\u50A8\u670D\u52A1\u7684\u6570\u636E\u6E05\u9664\u7B56\u7565\u5728\u7B49\u4FDD\u4E91\u6269\u5C55\u8981\u6C42\u4E2D\u8986\u76D6"
5195
+ },
5196
+ {
5197
+ id: "L3-CES1-33",
5198
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5199
+ categoryEn: "Computing Environment Security",
5200
+ controlCn: "\u5269\u4F59\u4FE1\u606F\u4FDD\u62A4",
5201
+ controlEn: "Residual Information Protection",
5202
+ requirementCn: "\u5E94\u4FDD\u8BC1\u5B58\u6709\u654F\u611F\u6570\u636E\u7684\u5B58\u50A8\u7A7A\u95F4\u88AB\u91CA\u653E\u6216\u91CD\u65B0\u5206\u914D\u524D\u5F97\u5230\u5B8C\u5168\u6E05\u9664",
5203
+ requirementEn: "Ensure that the storage space containing sensitive data is completely cleared before being released or redistributed.",
5204
+ referenceStatus: "\u7B26\u5408 No Gap",
5205
+ referenceComment: "1. AWS \u5B58\u50A8\u670D\u52A1\u7684\u6570\u636E\u6E05\u9664\u7B56\u7565\u5728\u7B49\u4FDD\u4E91\u6269\u5C55\u8981\u6C42\u4E2D\u8986\u76D6"
5206
+ },
5207
+ {
5208
+ id: "L3-CES1-34",
5209
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5210
+ categoryEn: "Computing Environment Security",
5211
+ controlCn: "\u4E2A\u4EBA\u4FE1\u606F\u4FDD\u62A4",
5212
+ controlEn: "Personal Information Protection",
5213
+ requirementCn: "\u5E94\u4EC5\u91C7\u96C6\u548C\u4FDD\u5B58\u4E1A\u52A1\u5FC5\u9700\u7684\u7528\u6237\u4E2A\u4EBA\u4FE1\u606F",
5214
+ requirementEn: "Only personal information necessary for the business should be collected and stored",
5215
+ referenceStatus: "\u7B26\u5408 No Gap",
5216
+ referenceComment: "\u5E94\u7528\u4FA7\u884C\u4E3A\uFF0CAWS\u4E0D\u4E3B\u52A8\u91C7\u96C6\u548C\u4FDD\u5B58\u7528\u6237\u4E2A\u4EBA\u4FE1\u606F"
5217
+ },
5218
+ {
5219
+ id: "L3-CES1-35",
5220
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5221
+ categoryEn: "Computing Environment Security",
5222
+ controlCn: "\u4E2A\u4EBA\u4FE1\u606F\u4FDD\u62A4",
5223
+ controlEn: "Personal Information Protection",
5224
+ requirementCn: "\u5E94\u7981\u6B62\u672A\u6388\u6743\u8BBF\u95EE\u548C\u975E\u6CD5\u4F7F\u7528\u7528\u6237\u4E2A\u4EBA\u4FE1\u606F",
5225
+ requirementEn: "Unauthorized access and illegal use of user's personal information should be prohibited.",
5226
+ referenceStatus: "\u7B26\u5408 No Gap",
5227
+ referenceComment: "\u5E94\u7528\u4FA7\u884C\u4E3A\uFF0CAWS\u4E0D\u4E3B\u52A8\u91C7\u96C6\u548C\u4FDD\u5B58\u7528\u6237\u4E2A\u4EBA\u4FE1\u606F"
5228
+ },
5229
+ {
5230
+ id: "L3-SMC1-01",
5231
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5232
+ categoryEn: "Security Management Center",
5233
+ controlCn: "\u7CFB\u7EDF\u7BA1\u7406",
5234
+ controlEn: "System Management",
5235
+ requirementCn: "\u5E94\u5BF9\u7CFB\u7EDF\u7BA1\u7406\u5458\u8FDB\u884C\u8EAB\u4EFD\u9274\u522B\uFF0C\u53EA\u5141\u8BB8\u5176\u901A\u8FC7\u7279\u5B9A\u7684\u547D\u4EE4\u6216\u64CD\u4F5C\u754C\u9762\u8FDB\u884C\u7CFB\u7EDF\u7BA1\u7406\u64CD\u4F5C\uFF0C\u5E76\u5BF9\u8FD9\u4E9B\u64CD\u4F5C\u8FDB\u884C\u5BA1\u8BA1",
5236
+ requirementEn: "The system administrator should be authenticated and only allowed to perform system management operations through specific commands or operation interfaces. These operations need to be audited",
5237
+ referenceStatus: "\u7B26\u5408 No Gap",
5238
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
5239
+ },
5240
+ {
5241
+ id: "L3-SMC1-02",
5242
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5243
+ categoryEn: "Security Management Center",
5244
+ controlCn: "\u7CFB\u7EDF\u7BA1\u7406",
5245
+ controlEn: "System Management",
5246
+ requirementCn: "\u5E94\u901A\u8FC7\u7CFB\u7EDF\u7BA1\u7406\u5458\u5BF9\u7CFB\u7EDF\u7684\u8D44\u6E90\u548C\u8FD0\u884C\u8FDB\u884C\u914D\u7F6E\u3001\u63A7\u5236\u548C\u7BA1\u7406\uFF0C\u5305\u62EC\u7528\u6237\u8EAB\u4EFD\u3001\u7CFB\u7EDF\u8D44\u6E90\u914D\u7F6E\u3001\u7CFB\u7EDF\u52A0\u8F7D\u548C\u542F\u52A8\u3001\u7CFB\u7EDF\u8FD0\u884C\u7684\u5F02\u5E38\u5904\u7406\u3001\u6570\u636E\u548C\u8BBE\u5907\u7684\u5907\u4EFD\u4E0E\u6062\u590D\u7B49",
5247
+ requirementEn: "The configuration, control, and management of system resources and operations should be performed by system administrators, including user identity, system resource configuration, system loading and startup, system operation exception handling, data and device backup and recovery.",
5248
+ referenceStatus: "\u7B26\u5408 No Gap",
5249
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
5250
+ },
5251
+ {
5252
+ id: "L3-SMC1-03",
5253
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5254
+ categoryEn: "Security Management Center",
5255
+ controlCn: "\u5BA1\u8BA1\u7BA1\u7406",
5256
+ controlEn: "Audit Management",
5257
+ requirementCn: "\u5E94\u5BF9\u5BA1\u8BA1\u7BA1\u7406\u5458\u8FDB\u884C\u8EAB\u4EFD\u9274\u522B\uFF0C\u53EA\u5141\u8BB8\u5176\u901A\u8FC7\u7279\u5B9A\u7684\u547D\u4EE4\u6216\u64CD\u4F5C\u754C\u9762\u8FDB\u884C\u5B89\u5168\u5BA1\u8BA1\u64CD\u4F5C\uFF0C\u5E76\u5BF9\u8FD9\u4E9B\u64CD\u4F5C\u8FDB\u884C\u5BA1\u8BA1",
5258
+ requirementEn: "The audit administrator should be authenticated and only allowed to perform security audit operations through specific commands or operation interfaces. These operations need to be audited",
5259
+ referenceStatus: "\u7B26\u5408 No Gap",
5260
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
5261
+ },
5262
+ {
5263
+ id: "L3-SMC1-04",
5264
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5265
+ categoryEn: "Security Management Center",
5266
+ controlCn: "\u5BA1\u8BA1\u7BA1\u7406",
5267
+ controlEn: "Audit Management",
5268
+ requirementCn: "\u5E94\u901A\u8FC7\u5BA1\u8BA1\u7BA1\u7406\u5458\u5BF9\u5BA1\u8BA1\u8BB0\u5F55\u5E94\u8FDB\u884C\u5206\u6790\uFF0C\u5E76\u6839\u636E\u5206\u6790\u7ED3\u679C\u8FDB\u884C\u5904\u7406\uFF0C\u5305\u62EC\u6839\u636E\u5B89\u5168\u5BA1\u8BA1\u7B56\u7565\u5BF9\u5BA1\u8BA1\u8BB0\u5F55\u8FDB\u884C\u5B58\u50A8\u3001\u7BA1\u7406\u548C\u67E5\u8BE2\u7B49",
5269
+ requirementEn: "The audit administrator should analyze the audit records and dispose them according to the analysis results. The disposals include storage, management and query of the audit records according to the security audit policy.",
5270
+ referenceStatus: "\u7B26\u5408 No Gap",
5271
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
5272
+ },
5273
+ {
5274
+ id: "L3-SMC1-05",
5275
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5276
+ categoryEn: "Security Management Center",
5277
+ controlCn: "\u5B89\u5168\u7BA1\u7406",
5278
+ controlEn: "Security Management",
5279
+ requirementCn: "\u5E94\u5BF9\u5B89\u5168\u7BA1\u7406\u5458\u8FDB\u884C\u8EAB\u4EFD\u9274\u522B\uFF0C\u53EA\u5141\u8BB8\u5176\u901A\u8FC7\u7279\u5B9A\u7684\u547D\u4EE4\u6216\u64CD\u4F5C\u754C\u9762\u8FDB\u884C\u5B89\u5168\u7BA1\u7406\u64CD\u4F5C\uFF0C\u5E76\u5BF9\u8FD9\u4E9B\u64CD\u4F5C\u8FDB\u884C\u5BA1\u8BA1",
5280
+ requirementEn: "The security administrator should be authenticated and only allowed to perform security management operations through specific commands or operation interfaces. These operations need to be audited",
5281
+ referenceStatus: "\u7B26\u5408 No Gap",
5282
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
5283
+ },
5284
+ {
5285
+ id: "L3-SMC1-06",
5286
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5287
+ categoryEn: "Security Management Center",
5288
+ controlCn: "\u5B89\u5168\u7BA1\u7406",
5289
+ controlEn: "Security Management",
5290
+ requirementCn: "\u5E94\u901A\u8FC7\u5B89\u5168\u7BA1\u7406\u5458\u5BF9\u7CFB\u7EDF\u4E2D\u7684\u5B89\u5168\u7B56\u7565\u8FDB\u884C\u914D\u7F6E\uFF0C\u5305\u62EC\u5B89\u5168\u53C2\u6570\u7684\u8BBE\u7F6E\uFF0C\u4E3B\u4F53\u3001\u5BA2\u4F53\u8FDB\u884C\u7EDF\u4E00\u5B89\u5168\u6807\u8BB0\uFF0C\u5BF9\u4E3B\u4F53\u8FDB\u884C\u6388\u6743\uFF0C\u914D\u7F6E\u53EF\u4FE1\u9A8C\u8BC1\u7B56\u7565\u7B49",
5291
+ requirementEn: "The security policy should be configured by the security administrator, including the setting of security parameters, the unified security mark of the subject and the object, the authorization and trusted authentication policy configuration of the subject.",
5292
+ referenceStatus: "\u7B26\u5408 No Gap",
5293
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09"
5294
+ },
5295
+ {
5296
+ id: "L3-SMC1-07",
5297
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5298
+ categoryEn: "Security Management Center",
5299
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5300
+ controlEn: "Centralized Management and Control",
5301
+ requirementCn: "\u5E94\u5212\u5206\u51FA\u7279\u5B9A\u7684\u7BA1\u7406\u533A\u57DF\uFF0C\u5BF9\u5206\u5E03\u5728\u7F51\u7EDC\u4E2D\u7684\u5B89\u5168\u8BBE\u5907\u6216\u5B89\u5168\u7EC4\u4EF6\u8FDB\u884C\u7BA1\u63A7",
5302
+ requirementEn: "A specific network management area should be divided to control the security devices or security components distributed in the network",
5303
+ referenceStatus: "\u7B26\u5408 No Gap",
5304
+ referenceComment: "\u5229\u7528Firewall Manager\u53EF\u4EE5\u5BF9WAF\u8FDB\u884C\u7EDF\u4E00\u7BA1\u7406\nGuardDuty\u53EF\u4EE5\u8DE8\u8D26\u53F7\u7EDF\u4E00\u7BA1\u7406\u5B89\u5168\u53D1\u73B0\nCloudTrail\u53EF\u4EE5\u96C6\u4E2D\u5BF9\u8DE8\u8D26\u53F7\u8FDB\u884C\u5206\u6790\nSecurityHub\u53EF\u4EE5\u8DE8\u8D26\u53F7\u7EDF\u4E00\u8FDB\u884C\u5B89\u5168\u53D1\u73B0"
5305
+ },
5306
+ {
5307
+ id: "L3-SMC1-08",
5308
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5309
+ categoryEn: "Security Management Center",
5310
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5311
+ controlEn: "Centralized Management and Control",
5312
+ requirementCn: "\u5E94\u80FD\u591F\u5EFA\u7ACB\u4E00\u6761\u5B89\u5168\u7684\u4FE1\u606F\u4F20\u8F93\u8DEF\u5F84\uFF0C\u5BF9\u7F51\u7EDC\u4E2D\u7684\u5B89\u5168\u8BBE\u5907\u6216\u5B89\u5168\u7EC4\u4EF6\u8FDB\u884C\u7BA1\u7406",
5313
+ requirementEn: "A secure information transmission channel should be established to manage security devices or security components in the network",
5314
+ referenceStatus: "\u7B26\u5408 No Gap",
5315
+ referenceComment: "\u5229\u7528Firewall Manager\u53EF\u4EE5\u5BF9WAF\u8FDB\u884C\u7EDF\u4E00\u7BA1\u7406\nGuardDuty\u53EF\u4EE5\u8DE8\u8D26\u53F7\u7EDF\u4E00\u7BA1\u7406\u5B89\u5168\u53D1\u73B0\nCloudTrail\u53EF\u4EE5\u96C6\u4E2D\u5BF9\u8DE8\u8D26\u53F7\u8FDB\u884C\u5206\u6790\nSecurityHub\u53EF\u4EE5\u8DE8\u8D26\u53F7\u7EDF\u4E00\u8FDB\u884C\u5B89\u5168\u53D1\u73B0"
5316
+ },
5317
+ {
5318
+ id: "L3-SMC1-09",
5319
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5320
+ categoryEn: "Security Management Center",
5321
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5322
+ controlEn: "Centralized Management and Control",
5323
+ requirementCn: "\u5E94\u5BF9\u7F51\u7EDC\u94FE\u8DEF\u3001\u5B89\u5168\u8BBE\u5907\u3001\u7F51\u7EDC\u8BBE\u5907\u548C\u670D\u52A1\u5668\u7B49\u7684\u8FD0\u884C\u72B6\u51B5\u8FDB\u884C\u96C6\u4E2D\u76D1\u6D4B",
5324
+ requirementEn: "Centralized monitoring of network links, security devices, network devices and servers should be carried out.",
5325
+ referenceStatus: "\u7B26\u5408 No Gap",
5326
+ referenceComment: "CloudWatch\u548CSplunk\u8FDB\u884C\u7EDF\u4E00\u76D1\u6D4B"
5327
+ },
5328
+ {
5329
+ id: "L3-SMC1-10",
5330
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5331
+ categoryEn: "Security Management Center",
5332
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5333
+ controlEn: "Centralized Management and Control",
5334
+ requirementCn: "\u5E94\u5BF9\u5206\u6563\u5728\u5404\u4E2A\u8BBE\u5907\u4E0A\u7684\u5BA1\u8BA1\u6570\u636E\u8FDB\u884C\u6536\u96C6\u6C47\u603B\u548C\u96C6\u4E2D\u5206\u6790\uFF0C\u5E76\u4FDD\u8BC1\u5BA1\u8BA1\u8BB0\u5F55\u7684\u7559\u5B58\u65F6\u95F4\u7B26\u5408\u6CD5\u5F8B\u6CD5\u89C4\u8981\u6C42",
5335
+ requirementEn: "The audit data scattered on various equipment should be collected, summarized and centralized analyzed, and the retention time of audit records should be guaranteed to meet the requirements of laws and regulations.",
5336
+ referenceStatus: "\u7B26\u5408 No Gap",
5337
+ referenceComment: "CloudTrail"
5338
+ },
5339
+ {
5340
+ id: "L3-SMC1-11",
5341
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5342
+ categoryEn: "Security Management Center",
5343
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5344
+ controlEn: "Centralized Management and Control",
5345
+ requirementCn: "\u5E94\u5BF9\u5B89\u5168\u7B56\u7565\u3001\u6076\u610F\u4EE3\u7801\u3001\u8865\u4E01\u5347\u7EA7\u7B49\u5B89\u5168\u76F8\u5173\u4E8B\u9879\u8FDB\u884C\u96C6\u4E2D\u7BA1\u7406",
5346
+ requirementEn: "Security policy, malicious code, patch upgrade and other security related matters should be centrally managed.",
5347
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5348
+ referenceComment: "\u9700\u8981\u7B2C\u4E09\u65B9\u9632\u5165\u4FB5\u548C\u9632\u75C5\u6BD2\u652F\u6301"
5349
+ },
5350
+ {
5351
+ id: "L3-SMC1-12",
5352
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5353
+ categoryEn: "Security Management Center",
5354
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5355
+ controlEn: "Centralized Management and Control",
5356
+ requirementCn: "\u5E94\u80FD\u5BF9\u7F51\u7EDC\u4E2D\u53D1\u751F\u7684\u5404\u7C7B\u5B89\u5168\u4E8B\u4EF6\u8FDB\u884C\u8BC6\u522B\u3001\u62A5\u8B66\u548C\u5206\u6790",
5357
+ requirementEn: "Various types of security incidents occurring in the network can be identified, alerted, and analyzed.",
5358
+ referenceStatus: "\u7B26\u5408 No Gap",
5359
+ referenceComment: "CloudWatch\u548CSplunk\u8FDB\u884C\u7EDF\u4E00\u62A5\u8B66\u548C\u5206\u6790"
5360
+ },
5361
+ {
5362
+ id: "L3-PES2-01",
5363
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
5364
+ categoryEn: "Physical Environment Security",
5365
+ controlCn: "\u57FA\u7840\u8BBE\u65BD\u4F4D\u7F6E",
5366
+ controlEn: "Location of Infrastructure",
5367
+ requirementCn: "\u5E94\u4FDD\u8BC1\u4E91\u8BA1\u7B97\u57FA\u7840\u8BBE\u65BD\u4F4D\u4E8E\u4E2D\u56FD\u5883\u5185",
5368
+ requirementEn: "Ensure that the cloud computing infrastructure is located in China.",
5369
+ referenceStatus: "\u7B26\u5408 No Gap",
5370
+ referenceComment: "1.\u53C2\u8003\u5B89\u5168\u8D23\u4EFB\u5171\u62C5\u6A21\u578B\n2. AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5371
+ },
5372
+ {
5373
+ id: "L3-CNS2-01",
5374
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
5375
+ categoryEn: "Communication Network Security",
5376
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
5377
+ controlEn: "Network Architecture",
5378
+ requirementCn: "\u5E94\u4FDD\u8BC1\u4E91\u8BA1\u7B97\u5E73\u53F0\u4E0D\u627F\u8F7D\u9AD8\u4E8E\u5176\u5B89\u5168\u4FDD\u62A4\u7B49\u7EA7\u7684\u4E1A\u52A1\u5E94\u7528\u7CFB\u7EDF",
5379
+ requirementEn: "Ensure that the cloud computing platform shall not carry business application systems higher than its security protection level.",
5380
+ referenceStatus: "\u7B26\u5408 No Gap",
5381
+ referenceComment: "1.\u53C2\u8003\u5B89\u5168\u8D23\u4EFB\u5171\u62C5\u6A21\u578B\n2. AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5382
+ },
5383
+ {
5384
+ id: "L3-CNS2-02",
5385
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
5386
+ categoryEn: "Communication Network Security",
5387
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
5388
+ controlEn: "Network Architecture",
5389
+ requirementCn: "\u5E94\u5B9E\u73B0\u4E0D\u540C\u4E91\u670D\u52A1\u5BA2\u6237\u865A\u62DF\u7F51\u7EDC\u4E4B\u95F4\u7684\u9694\u79BB",
5390
+ requirementEn: "It should implement the independence between different cloud service customer virtual networks.",
5391
+ referenceStatus: "\u7B26\u5408 No Gap",
5392
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5393
+ },
5394
+ {
5395
+ id: "L3-CNS2-03",
5396
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
5397
+ categoryEn: "Communication Network Security",
5398
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
5399
+ controlEn: "Network Architecture",
5400
+ requirementCn: "\u5E94\u5177\u6709\u6839\u636E\u4E91\u670D\u52A1\u5BA2\u6237\u4E1A\u52A1\u9700\u6C42\u63D0\u4F9B\u901A\u4FE1\u4F20\u8F93\u3001\u8FB9\u754C\u9632\u62A4\u3001\u5165\u4FB5\u9632\u8303\u7B49\u5B89\u5168\u673A\u5236\u7684\u80FD\u529B",
5401
+ requirementEn: "It should have the ability to provide security mechanisms, such as communication transmission, border protection and intrusion prevention, based on the business requirements of cloud service customers.",
5402
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5403
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"
5404
+ },
5405
+ {
5406
+ id: "L3-CNS2-04",
5407
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
5408
+ categoryEn: "Communication Network Security",
5409
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
5410
+ controlEn: "Network Architecture",
5411
+ requirementCn: "\u5E94\u5177\u6709\u6839\u636E\u4E91\u670D\u52A1\u5BA2\u6237\u4E1A\u52A1\u9700\u6C42\u81EA\u4E3B\u8BBE\u7F6E\u5B89\u5168\u7B56\u7565\u7684\u80FD\u529B\uFF0C\u5305\u62EC\u5B9A\u4E49\u8BBF\u95EE\u8DEF\u5F84\u3001\u9009\u62E9\u5B89\u5168\u7EC4\u4EF6\u3001\u914D\u7F6E\u5B89\u5168\u7B56\u7565",
5412
+ requirementEn: "It should have the ability to independently set security policies based on the business requirements of cloud service customers, including defining access paths, selecting security components and configuring security policies.",
5413
+ referenceStatus: "\u7B26\u5408 No Gap",
5414
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5415
+ },
5416
+ {
5417
+ id: "L3-CNS2-05",
5418
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
5419
+ categoryEn: "Communication Network Security",
5420
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
5421
+ controlEn: "Network Architecture",
5422
+ requirementCn: "\u5E94\u63D0\u4F9B\u5F00\u653E\u63A5\u53E3\u6216\u5F00\u653E\u6027\u5B89\u5168\u670D\u52A1\uFF0C\u5141\u8BB8\u4E91\u670D\u52A1\u5BA2\u6237\u63A5\u5165\u7B2C\u4E09\u65B9\u5B89\u5168\u4EA7\u54C1\u6216\u5728\u4E91\u8BA1\u7B97\u5E73\u53F0\u9009\u62E9\u7B2C\u4E09\u65B9\u5B89\u5168\u670D\u52A1",
5423
+ requirementEn: "It should provide open interfaces or open security services to allow cloud service customers to access third-party security products or select third-party security services on cloud computing platforms.",
5424
+ referenceStatus: "\u7B26\u5408 No Gap",
5425
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5426
+ },
5427
+ {
5428
+ id: "L3-ABS2-01",
5429
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5430
+ categoryEn: "Area Boundary Security",
5431
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
5432
+ controlEn: "Access Control",
5433
+ requirementCn: "\u5E94\u5728\u865A\u62DF\u5316\u7F51\u7EDC\u8FB9\u754C\u90E8\u7F72\u8BBF\u95EE\u63A7\u5236\u673A\u5236\uFF0C\u5E76\u8BBE\u7F6E\u8BBF\u95EE\u63A7\u5236\u89C4\u5219",
5434
+ requirementEn: "It should deploy access control mechanisms at the boundaries of the virtualized network and set access control rules.",
5435
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5436
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"
5437
+ },
5438
+ {
5439
+ id: "L3-ABS2-02",
5440
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5441
+ categoryEn: "Area Boundary Security",
5442
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
5443
+ controlEn: "Access Control",
5444
+ requirementCn: "\u5E94\u5728\u4E0D\u540C\u7B49\u7EA7\u7684\u7F51\u7EDC\u533A\u57DF\u8FB9\u754C\u90E8\u7F72\u8BBF\u95EE\u63A7\u5236\u673A\u5236\uFF0C\u8BBE\u7F6E\u8BBF\u95EE\u63A7\u5236\u89C4\u5219",
5445
+ requirementEn: "It should deploy access control mechanisms at different levels of network area boundaries and set access control rules.",
5446
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5447
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"
5448
+ },
5449
+ {
5450
+ id: "L3-ABS2-03",
5451
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5452
+ categoryEn: "Area Boundary Security",
5453
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5454
+ controlEn: "Intrusion Prevention",
5455
+ requirementCn: "\u5E94\u80FD\u68C0\u6D4B\u5230\u4E91\u670D\u52A1\u5BA2\u6237\u53D1\u8D77\u7684\u7F51\u7EDC\u653B\u51FB\u884C\u4E3A\uFF0C\u5E76\u80FD\u8BB0\u5F55\u653B\u51FB\u7C7B\u578B\u3001\u653B\u51FB\u65F6\u95F4\u3001\u653B\u51FB\u6D41\u91CF\u7B49",
5456
+ requirementEn: "It should be able to detect the network attack behavior initiated by cloud service customers, and record the attack type, attack time, attack traffic, etc.",
5457
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5458
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"
5459
+ },
5460
+ {
5461
+ id: "L3-ABS2-04",
5462
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5463
+ categoryEn: "Area Boundary Security",
5464
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5465
+ controlEn: "Intrusion Prevention",
5466
+ requirementCn: "\u5E94\u80FD\u68C0\u6D4B\u5230\u5BF9\u865A\u62DF\u7F51\u7EDC\u8282\u70B9\u7684\u7F51\u7EDC\u653B\u51FB\u884C\u4E3A\uFF0C\u5E76\u80FD\u8BB0\u5F55\u653B\u51FB\u7C7B\u578B\u3001\u653B\u51FB\u65F6\u95F4\u3001\u653B\u51FB\u6D41\u91CF\u7B49",
5467
+ requirementEn: "It should be able to detect the network attack behavior of virtual network nodes and record the attack type, attack time, attack traffic, etc.",
5468
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5469
+ referenceComment: '"1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"'
5470
+ },
5471
+ {
5472
+ id: "L3-ABS2-05",
5473
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5474
+ categoryEn: "Area Boundary Security",
5475
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5476
+ controlEn: "Intrusion Prevention",
5477
+ requirementCn: "\u5E94\u80FD\u68C0\u6D4B\u5230\u865A\u62DF\u673A\u4E0E\u5BBF\u4E3B\u673A\u3001\u865A\u62DF\u673A\u4E0E\u865A\u62DF\u673A\u4E4B\u95F4\u7684\u5F02\u5E38\u6D41\u91CF",
5478
+ requirementEn: "It should be able to detect abnormal traffic between virtual machines and hosts, and between virtual machines and virtual machines.",
5479
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5480
+ referenceComment: '"1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"'
5481
+ },
5482
+ {
5483
+ id: "L3-ABS2-06",
5484
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5485
+ categoryEn: "Area Boundary Security",
5486
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5487
+ controlEn: "Intrusion Prevention",
5488
+ requirementCn: "\u5E94\u5728\u68C0\u6D4B\u5230\u7F51\u7EDC\u653B\u51FB\u884C\u4E3A\u3001\u5F02\u5E38\u6D41\u91CF\u60C5\u51B5\u65F6\u8FDB\u884C\u544A\u8B66",
5489
+ requirementEn: "It should give an alarm when network attack and abnormal traffic are detected.",
5490
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5491
+ referenceComment: '"1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u4EA7\u54C1"'
5492
+ },
5493
+ {
5494
+ id: "L3-ABS2-07",
5495
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5496
+ categoryEn: "Area Boundary Security",
5497
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
5498
+ controlEn: "Security Audit",
5499
+ requirementCn: "\u5E94\u5BF9\u4E91\u670D\u52A1\u5546\u548C\u4E91\u670D\u52A1\u5BA2\u6237\u5728\u8FDC\u7A0B\u7BA1\u7406\u65F6\u6267\u884C\u7684\u7279\u6743\u547D\u4EE4\u8FDB\u884C\u5BA1\u8BA1\uFF0C\u81F3\u5C11\u5305\u62EC\u865A\u62DF\u673A\u5220\u9664\u3001\u865A\u62DF\u673A\u91CD\u542F",
5500
+ requirementEn: "Audit the privileged commands executed by the cloud service provider and cloud service customers while remote administration, including at least virtual machine deletion and virtual machine restart.",
5501
+ referenceStatus: "\u7B26\u5408 No Gap",
5502
+ referenceComment: "CloudTrail and CloudWatch"
5503
+ },
5504
+ {
5505
+ id: "L3-ABS2-08",
5506
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5507
+ categoryEn: "Area Boundary Security",
5508
+ controlCn: "\u5B89\u5168\u5BA1\u8BA1",
5509
+ controlEn: "Security Audit",
5510
+ requirementCn: "\u5E94\u4FDD\u8BC1\u4E91\u670D\u52A1\u5546\u5BF9\u4E91\u670D\u52A1\u5BA2\u6237\u7CFB\u7EDF\u548C\u6570\u636E\u7684\u64CD\u4F5C\u53EF\u88AB\u4E91\u670D\u52A1\u5BA2\u6237\u5BA1\u8BA1",
5511
+ requirementEn: "Ensure that operations of cloud service providers on cloud service customer systems and data can be audited by cloud service customers.",
5512
+ referenceStatus: "\u7B26\u5408 No Gap",
5513
+ referenceComment: "CloudTrail"
5514
+ },
5515
+ {
5516
+ id: "L3-CES2-01",
5517
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5518
+ categoryEn: "Computing Environment Security",
5519
+ controlCn: "\u8EAB\u4EFD\u9274\u522B",
5520
+ controlEn: "Identification and Authentication",
5521
+ requirementCn: "\u5F53\u8FDC\u7A0B\u7BA1\u7406\u4E91\u8BA1\u7B97\u5E73\u53F0\u4E2D\u8BBE\u5907\u65F6\uFF0C\u7BA1\u7406\u7EC8\u7AEF\u548C\u4E91\u8BA1\u7B97\u5E73\u53F0\u4E4B\u95F4\u5E94\u5EFA\u7ACB\u53CC\u5411\u8EAB\u4EFD\u9A8C\u8BC1\u673A\u5236",
5522
+ requirementEn: "It should establish a mutual authentication mechanism between the management terminal and the cloud computing platform, when remotely managing devices in a cloud computing platform.",
5523
+ referenceStatus: "\u7B26\u5408 No Gap",
5524
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09\n3. \u5229\u7528SSH\u548C\u52A0\u5BC6\u7684RDP\u8FDB\u884C\u8BBF\u95EEEC2\n4. \u5821\u5792\u673A"
5525
+ },
5526
+ {
5527
+ id: "L3-CES2-02",
5528
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5529
+ categoryEn: "Computing Environment Security",
5530
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
5531
+ controlEn: "Access Control",
5532
+ requirementCn: "\u5E94\u4FDD\u8BC1\u5F53\u865A\u62DF\u673A\u8FC1\u79FB\u65F6\uFF0C\u8BBF\u95EE\u63A7\u5236\u7B56\u7565\u968F\u5176\u8FC1\u79FB",
5533
+ requirementEn: "Ensure that access control policies migrate with the virtual machine as it migrates.",
5534
+ referenceStatus: "\u7B26\u5408 No Gap",
5535
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09\n3. \u5229\u7528SSH\u548C\u52A0\u5BC6\u7684RDP\u8FDB\u884C\u8BBF\u95EEEC2\n4. \u5821\u5792\u673A"
5536
+ },
5537
+ {
5538
+ id: "L3-CES2-03",
5539
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5540
+ categoryEn: "Computing Environment Security",
5541
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
5542
+ controlEn: "Access Control",
5543
+ requirementCn: "\u5E94\u5141\u8BB8\u4E91\u670D\u52A1\u5BA2\u6237\u8BBE\u7F6E\u4E0D\u540C\u865A\u62DF\u673A\u4E4B\u95F4\u7684\u8BBF\u95EE\u63A7\u5236\u7B56\u7565",
5544
+ requirementEn: "It should allow cloud service customers to set access control policies between different virtual machines.",
5545
+ referenceStatus: "\u7B26\u5408 No Gap",
5546
+ referenceComment: "1. IAM\n2. \u5355\u70B9\u767B\u5F55\uFF08Tesla Bounce\u4EA7\u54C1\u6216\u8005AWS SSO \u670D\u52A1\u5C06\u4E8EQ2,2022\u63A8\u51FA\uFF09\n3. \u5229\u7528SSH\u548C\u52A0\u5BC6\u7684RDP\u8FDB\u884C\u8BBF\u95EEEC2\n4. \u5821\u5792\u673A"
5547
+ },
5548
+ {
5549
+ id: "L3-CES2-04",
5550
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5551
+ categoryEn: "Computing Environment Security",
5552
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5553
+ controlEn: "Intrusion Prevention",
5554
+ requirementCn: "\u5E94\u80FD\u68C0\u6D4B\u865A\u62DF\u673A\u4E4B\u95F4\u7684\u8D44\u6E90\u9694\u79BB\u5931\u6548\uFF0C\u5E76\u8FDB\u884C\u544A\u8B66",
5555
+ requirementEn: "It should be able to detect and alert resource isolation failures between virtual machines.",
5556
+ referenceStatus: "\u7B26\u5408 No Gap",
5557
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5558
+ },
5559
+ {
5560
+ id: "L3-CES2-05",
5561
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5562
+ categoryEn: "Computing Environment Security",
5563
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5564
+ controlEn: "Intrusion Prevention",
5565
+ requirementCn: "\u5E94\u80FD\u68C0\u6D4B\u975E\u6388\u6743\u65B0\u5EFA\u865A\u62DF\u673A\u6216\u8005\u91CD\u65B0\u542F\u7528\u865A\u62DF\u673A\uFF0C\u5E76\u8FDB\u884C\u544A\u8B66",
5566
+ requirementEn: "It should be able to detect and alert unauthorized new or re-enabled virtual machines.",
5567
+ referenceStatus: "\u7B26\u5408 No Gap",
5568
+ referenceComment: "\u53EF\u901A\u8FC7cloudtrail\u68C0\u6D4B\u975E\u6388\u6743\u7684\u65B0\u5EFA\u673A\u5668\u884C\u4E3A\uFF0C\u5E76\u8FDB\u884C\u544A\u8B66"
5569
+ },
5570
+ {
5571
+ id: "L3-CES2-06",
5572
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5573
+ categoryEn: "Computing Environment Security",
5574
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5575
+ controlEn: "Intrusion Prevention",
5576
+ requirementCn: "\u5E94\u80FD\u591F\u68C0\u6D4B\u6076\u610F\u4EE3\u7801\u611F\u67D3\u53CA\u5728\u865A\u62DF\u673A\u95F4\u8513\u5EF6\u7684\u60C5\u51B5\uFF0C\u5E76\u8FDB\u884C\u544A\u8B66",
5577
+ requirementEn: "It should be able to detect and alert malicious code infections and spread between virtual machines.",
5578
+ referenceStatus: "\u90E8\u5206\u7B26\u5408 Partially",
5579
+ referenceComment: "1. \u6309\u7167\u4E0D\u540C\u5B50\u7F51\u8BBE\u7F6E\uFF0C\u91C7\u7528\u5B89\u5168\u7EC4\u6216\u8005Network ACL\uFF0C\u5E76\u6309\u7167\u6700\u5C0F\u5316\u539F\u5219\u673A\u8FDB\u884C\u914D\u7F6E\n2. \u542F\u7528WAF\n3. \u542F\u7528GuardDuty\n4. \u4F7F\u7528\u7B2C\u4E09\u65B9\u7684\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\uFF0C\u5E76\u7ED3\u5408GLWB\u8FDB\u884C\u9AD8\u53EF\u7528\u90E8\u7F72\n5. \u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u548C\u6740\u6BD2\u4EA7\u54C1"
5580
+ },
5581
+ {
5582
+ id: "L3-CES2-07",
5583
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5584
+ categoryEn: "Computing Environment Security",
5585
+ controlCn: "\u955C\u50CF\u548C\u5FEB\u7167\u4FDD\u62A4",
5586
+ controlEn: "Image and Snapshot Protection",
5587
+ requirementCn: "\u5E94\u9488\u5BF9\u91CD\u8981\u4E1A\u52A1\u7CFB\u7EDF\u63D0\u4F9B\u52A0\u56FA\u7684\u64CD\u4F5C\u7CFB\u7EDF\u955C\u50CF\u6216\u64CD\u4F5C\u7CFB\u7EDF\u5B89\u5168\u52A0\u56FA\u670D\u52A1",
5588
+ requirementEn: "It should provide hardened operating system mirroring or operating system security hardening services for critical business systems.",
5589
+ referenceStatus: "\u7B26\u5408 No Gap",
5590
+ referenceComment: "\u82E5\u4E0D\u4F7F\u7528AWS\u955C\u50CF\uFF0C\u9700\u8981\u81EA\u884C\u52A0\u56FA"
5591
+ },
5592
+ {
5593
+ id: "L3-CES2-08",
5594
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5595
+ categoryEn: "Computing Environment Security",
5596
+ controlCn: "\u955C\u50CF\u548C\u5FEB\u7167\u4FDD\u62A4",
5597
+ controlEn: "Image and Snapshot Protection",
5598
+ requirementCn: "\u5E94\u63D0\u4F9B\u865A\u62DF\u673A\u955C\u50CF\u3001\u5FEB\u7167\u5B8C\u6574\u6027\u6821\u9A8C\u529F\u80FD\uFF0C\u9632\u6B62\u865A\u62DF\u673A\u955C\u50CF\u88AB\u6076\u610F\u7BE1\u6539",
5599
+ requirementEn: "It should provide virtual machine image and snapshot integrity check function to prevent malicious tampering of virtual machine image.",
5600
+ referenceStatus: "\u7B26\u5408 No Gap",
5601
+ referenceComment: "\u82E5\u4E0D\u4F7F\u7528AWS\u955C\u50CF\uFF0C\u9700\u8981\u81EA\u884C\u52A0\u56FA"
5602
+ },
5603
+ {
5604
+ id: "L3-CES2-09",
5605
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5606
+ categoryEn: "Computing Environment Security",
5607
+ controlCn: "\u955C\u50CF\u548C\u5FEB\u7167\u4FDD\u62A4",
5608
+ controlEn: "Image and Snapshot Protection",
5609
+ requirementCn: "\u5E94\u91C7\u53D6\u5BC6\u7801\u6280\u672F\u6216\u5176\u4ED6\u6280\u672F\u624B\u6BB5\u9632\u6B62\u865A\u62DF\u673A\u955C\u50CF\u3001\u5FEB\u7167\u4E2D\u53EF\u80FD\u5B58\u5728\u7684\u654F\u611F\u8D44\u6E90\u88AB\u975E\u6CD5\u8BBF\u95EE",
5610
+ requirementEn: "It should adopt cryptography or other techniques to prevent unauthorized access to sensitive resources that may exist in virtual machine images and snapshots.",
5611
+ referenceStatus: "\u7B26\u5408 No Gap",
5612
+ referenceComment: "\u5229\u7528KMS\u5BF9\u5FEB\u7167\u8FDB\u884C\u52A0\u5BC6"
5613
+ },
5614
+ {
5615
+ id: "L3-CES2-10",
5616
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5617
+ categoryEn: "Computing Environment Security",
5618
+ controlCn: "\u6570\u636E\u5B8C\u6574\u6027\u548C\u4FDD\u5BC6\u6027",
5619
+ controlEn: "Data Integrity and Confidentiality",
5620
+ requirementCn: "\u5E94\u786E\u4FDD\u4E91\u670D\u52A1\u5BA2\u6237\u6570\u636E\u3001\u7528\u6237\u4E2A\u4EBA\u4FE1\u606F\u7B49\u5B58\u50A8\u4E8E\u4E2D\u56FD\u5883\u5185\uFF0C\u5982\u9700\u51FA\u5883\u5E94\u9075\u5FAA\u56FD\u5BB6\u76F8\u5173\u89C4\u5B9A",
5621
+ requirementEn: "Ensure that cloud service customer data and user personal information are stored in China, and follow relevant national regulations when cross-border transferring.",
5622
+ referenceStatus: "\u7B26\u5408 No Gap",
5623
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5624
+ },
5625
+ {
5626
+ id: "L3-CES2-11",
5627
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5628
+ categoryEn: "Computing Environment Security",
5629
+ controlCn: "\u6570\u636E\u5B8C\u6574\u6027\u548C\u4FDD\u5BC6\u6027",
5630
+ controlEn: "Data Integrity and Confidentiality",
5631
+ requirementCn: "\u5E94\u786E\u4FDD\u53EA\u6709\u5728\u4E91\u670D\u52A1\u5BA2\u6237\u6388\u6743\u4E0B\uFF0C\u4E91\u670D\u52A1\u5546\u6216\u7B2C\u4E09\u65B9\u624D\u5177\u6709\u4E91\u670D\u52A1\u5BA2\u6237\u6570\u636E\u7684\u7BA1\u7406\u6743\u9650",
5632
+ requirementEn: "Ensure that the cloud service provider or a third party has the right to manage the cloud service customer data only under the authorization of the cloud service customer.",
5633
+ referenceStatus: "\u7B26\u5408 No Gap",
5634
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5635
+ },
5636
+ {
5637
+ id: "L3-CES2-12",
5638
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5639
+ categoryEn: "Computing Environment Security",
5640
+ controlCn: "\u6570\u636E\u5B8C\u6574\u6027\u548C\u4FDD\u5BC6\u6027",
5641
+ controlEn: "Data Integrity and Confidentiality",
5642
+ requirementCn: "\u5E94\u4F7F\u7528\u6821\u9A8C\u7801\u6216\u5BC6\u7801\u6280\u672F\u786E\u4FDD\u865A\u62DF\u673A\u8FC1\u79FB\u8FC7\u7A0B\u4E2D\u91CD\u8981\u6570\u636E\u7684\u5B8C\u6574\u6027\uFF0C\u5E76\u5728\u68C0\u6D4B\u5230\u5B8C\u6574\u6027\u53D7\u5230\u7834\u574F\u65F6\u91C7\u53D6\u5FC5\u8981\u7684\u6062\u590D\u63AA\u65BD",
5643
+ requirementEn: "It should adopt checksum or cryptographic techniques to ensure the integrity of important data during virtual machine migration and take necessary recovery measures when integrity is detected to be compromised.",
5644
+ referenceStatus: "\u7B26\u5408 No Gap",
5645
+ referenceComment: "\u4F20\u8F93\u52A0\u5BC6 - ACM\n\u5B58\u50A8\u9759\u6001\u52A0\u5BC6 - KMS\n\u5FEB\u7167\u5907\u4EFD\u670D\u52A1"
5646
+ },
5647
+ {
5648
+ id: "L3-CES2-13",
5649
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5650
+ categoryEn: "Computing Environment Security",
5651
+ controlCn: "\u6570\u636E\u5B8C\u6574\u6027\u548C\u4FDD\u5BC6\u6027",
5652
+ controlEn: "Data Integrity and Confidentiality",
5653
+ requirementCn: "\u5E94\u652F\u6301\u4E91\u670D\u52A1\u5BA2\u6237\u90E8\u7F72\u5BC6\u94A5\u7BA1\u7406\u89E3\u51B3\u65B9\u6848\uFF0C\u4FDD\u8BC1\u4E91\u670D\u52A1\u5BA2\u6237\u81EA\u884C\u5B9E\u73B0\u6570\u636E\u7684\u52A0\u89E3\u5BC6\u8FC7\u7A0B",
5654
+ requirementEn: "It should support cloud service customers to deploy key management solutions to ensure that cloud service customers can implement the data encryption and decryption process by themselves.",
5655
+ referenceStatus: "\u7B26\u5408 No Gap",
5656
+ referenceComment: "\u4F20\u8F93\u52A0\u5BC6 - ACM\n\u5B58\u50A8\u9759\u6001\u52A0\u5BC6 - KMS"
5657
+ },
5658
+ {
5659
+ id: "L3-CES2-14",
5660
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5661
+ categoryEn: "Computing Environment Security",
5662
+ controlCn: "\u6570\u636E\u5907\u4EFD\u6062\u590D",
5663
+ controlEn: "Data Backup and Recovery",
5664
+ requirementCn: "\u4E91\u670D\u52A1\u5BA2\u6237\u5E94\u5728\u672C\u5730\u4FDD\u5B58\u5176\u4E1A\u52A1\u6570\u636E\u7684\u5907\u4EFD",
5665
+ requirementEn: "Ensure cloud service customers keep a backup of their business data locally.",
5666
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5667
+ referenceComment: "\u8BF7\u786E\u8BA4\u662F\u5426\u5FC5\u987B"
5668
+ },
5669
+ {
5670
+ id: "L3-CES2-15",
5671
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5672
+ categoryEn: "Computing Environment Security",
5673
+ controlCn: "\u6570\u636E\u5907\u4EFD\u6062\u590D",
5674
+ controlEn: "Data Backup and Recovery",
5675
+ requirementCn: "\u5E94\u63D0\u4F9B\u67E5\u8BE2\u4E91\u670D\u52A1\u5BA2\u6237\u6570\u636E\u53CA\u5907\u4EFD\u5B58\u50A8\u4F4D\u7F6E\u7684\u80FD\u529B",
5676
+ requirementEn: "It should provide the ability to query cloud service customer data and back up storage locations.",
5677
+ referenceStatus: "\u7B26\u5408 No Gap",
5678
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5679
+ },
5680
+ {
5681
+ id: "L3-CES2-16",
5682
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5683
+ categoryEn: "Computing Environment Security",
5684
+ controlCn: "\u6570\u636E\u5907\u4EFD\u6062\u590D",
5685
+ controlEn: "Data Backup and Recovery",
5686
+ requirementCn: "\u4E91\u670D\u52A1\u5546\u7684\u4E91\u5B58\u50A8\u670D\u52A1\u5E94\u4FDD\u8BC1\u4E91\u670D\u52A1\u5BA2\u6237\u6570\u636E\u5B58\u5728\u82E5\u5E72\u4E2A\u53EF\u7528\u7684\u526F\u672C\uFF0C\u5404\u526F\u672C\u4E4B\u95F4\u7684\u5185\u5BB9\u5E94\u4FDD\u6301\u4E00\u81F4",
5687
+ requirementEn: "The cloud storage service of the cloud service provider It should ensure that there are several available copies of the customer data of the cloud service, and the contents of each copy It should be consistent.",
5688
+ referenceStatus: "\u7B26\u5408 No Gap",
5689
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5690
+ },
5691
+ {
5692
+ id: "L3-CES2-17",
5693
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5694
+ categoryEn: "Computing Environment Security",
5695
+ controlCn: "\u6570\u636E\u5907\u4EFD\u6062\u590D",
5696
+ controlEn: "Data Backup and Recovery",
5697
+ requirementCn: "\u5E94\u4E3A\u4E91\u670D\u52A1\u5BA2\u6237\u5C06\u4E1A\u52A1\u7CFB\u7EDF\u53CA\u6570\u636E\u8FC1\u79FB\u5230\u5176\u4ED6\u4E91\u8BA1\u7B97\u5E73\u53F0\u548C\u672C\u5730\u7CFB\u7EDF\u63D0\u4F9B\u6280\u672F\u624B\u6BB5\uFF0C\u5E76\u534F\u52A9\u5B8C\u6210\u8FC1\u79FB\u8FC7\u7A0B",
5698
+ requirementEn: "It should provide technical means for cloud service customers to migrate business systems and data to other cloud computing platforms and local systems and assist in the migration process.",
5699
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5700
+ referenceComment: "\u8BF7\u786E\u8BA4\u662F\u5426\u5FC5\u987B"
5701
+ },
5702
+ {
5703
+ id: "L3-CES2-18",
5704
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5705
+ categoryEn: "Computing Environment Security",
5706
+ controlCn: "\u5269\u4F59\u4FE1\u606F\u4FDD\u62A4",
5707
+ controlEn: "Residual Information Protection",
5708
+ requirementCn: "\u5E94\u4FDD\u8BC1\u865A\u62DF\u673A\u6240\u4F7F\u7528\u7684\u5185\u5B58\u548C\u5B58\u50A8\u7A7A\u95F4\u56DE\u6536\u65F6\u5F97\u5230\u5B8C\u5168\u6E05\u9664",
5709
+ requirementEn: "Ensure that the memory and storage space used by the virtual machine is completely cleared when reclaimed.",
5710
+ referenceStatus: "\u7B26\u5408 No Gap",
5711
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6\uFF0C\u4E0D\u540C\u5B58\u50A8\u670D\u52A1\u5747\u63D0\u4F9B\u6570\u636E\u5B8C\u5168\u5220\u9664\u6216\u8005\u64E6\u9664\u7684\u65B9\u6CD5"
5712
+ },
5713
+ {
5714
+ id: "L3-CES2-19",
5715
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5716
+ categoryEn: "Computing Environment Security",
5717
+ controlCn: "\u5269\u4F59\u4FE1\u606F\u4FDD\u62A4",
5718
+ controlEn: "Residual Information Protection",
5719
+ requirementCn: "\u4E91\u670D\u52A1\u5BA2\u6237\u5220\u9664\u4E1A\u52A1\u5E94\u7528\u6570\u636E\u65F6\uFF0C\u4E91\u8BA1\u7B97\u5E73\u53F0\u5E94\u5C06\u4E91\u5B58\u50A8\u4E2D\u6240\u6709\u526F\u672C\u5220\u9664",
5720
+ requirementEn: "The cloud computing platform It should delete all copies in the cloud storage, when a cloud service customer deletes business application data.",
5721
+ referenceStatus: "\u7B26\u5408 No Gap",
5722
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6\uFF0C\u4E0D\u540C\u5B58\u50A8\u670D\u52A1\u5747\u63D0\u4F9B\u6570\u636E\u5B8C\u5168\u5220\u9664\u6216\u8005\u64E6\u9664\u7684\u65B9\u6CD5"
5723
+ },
5724
+ {
5725
+ id: "L3-SMC2-01",
5726
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5727
+ categoryEn: "Security Management Center",
5728
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5729
+ controlEn: "Centralized Management and Control",
5730
+ requirementCn: "\u5E94\u80FD\u5BF9\u7269\u7406\u8D44\u6E90\u548C\u865A\u62DF\u8D44\u6E90\u6309\u7167\u7B56\u7565\u505A\u7EDF\u4E00\u7BA1\u7406\u8C03\u5EA6\u4E0E\u5206\u914D",
5731
+ requirementEn: "It should be able to uniformly manage and allocate physical resources and virtual resources according to the policy.",
5732
+ referenceStatus: "\u7B26\u5408 No Gap",
5733
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5734
+ },
5735
+ {
5736
+ id: "L3-SMC2-02",
5737
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5738
+ categoryEn: "Security Management Center",
5739
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5740
+ controlEn: "Centralized Management and Control",
5741
+ requirementCn: "\u5E94\u4FDD\u8BC1\u4E91\u8BA1\u7B97\u5E73\u53F0\u7BA1\u7406\u6D41\u91CF\u4E0E\u4E91\u670D\u52A1\u5BA2\u6237\u4E1A\u52A1\u6D41\u91CF\u5206\u79BB",
5742
+ requirementEn: "Ensure the separation of cloud computing platform management traffic and cloud service customer business traffic.",
5743
+ referenceStatus: "\u7B26\u5408 No Gap",
5744
+ referenceComment: "AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5745
+ },
5746
+ {
5747
+ id: "L3-SMC2-03",
5748
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5749
+ categoryEn: "Security Management Center",
5750
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5751
+ controlEn: "Centralized Management and Control",
5752
+ requirementCn: "\u5E94\u6839\u636E\u4E91\u670D\u52A1\u5546\u548C\u4E91\u670D\u52A1\u5BA2\u6237\u7684\u804C\u8D23\u5212\u5206\uFF0C\u6536\u96C6\u5404\u81EA\u63A7\u5236\u90E8\u5206\u7684\u5BA1\u8BA1\u6570\u636E\u5E76\u5B9E\u73B0\u5404\u81EA\u7684\u96C6\u4E2D\u5BA1\u8BA1",
5753
+ requirementEn: "It should collect the audit data of each control part and implement centralized audit of each control part, according to the responsibilities of cloud service providers and cloud service customers.",
5754
+ referenceStatus: "\u7B26\u5408 No Gap",
5755
+ referenceComment: "1.\u53C2\u8003\u5B89\u5168\u8D23\u4EFB\u5171\u62C5\u6A21\u578B\n2. AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5756
+ },
5757
+ {
5758
+ id: "L3-SMC2-04",
5759
+ categoryCn: "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3",
5760
+ categoryEn: "Security Management Center",
5761
+ controlCn: "\u96C6\u4E2D\u7BA1\u63A7",
5762
+ controlEn: "Centralized Management and Control",
5763
+ requirementCn: "\u5E94\u6839\u636E\u4E91\u670D\u52A1\u5546\u548C\u4E91\u670D\u52A1\u5BA2\u6237\u7684\u804C\u8D23\u5212\u5206\uFF0C\u5B9E\u73B0\u5404\u81EA\u63A7\u5236\u90E8\u5206\uFF0C\u5305\u62EC\u865A\u62DF\u5316\u7F51\u7EDC\u3001\u865A\u62DF\u673A\u3001\u865A\u62DF\u5316\u5B89\u5168\u8BBE\u5907\u7B49\u7684\u8FD0\u884C\u72B6\u51B5\u7684\u96C6\u4E2D\u76D1\u6D4B",
5764
+ requirementEn: "According to the responsibilities of cloud service providers and cloud service customers, It should realize centralized monitoring of the operation status of their respective control parts, including virtualized networks, virtual machines and virtualized security devices.",
5765
+ referenceStatus: "\u7B26\u5408 No Gap",
5766
+ referenceComment: "1.\u53C2\u8003\u5B89\u5168\u8D23\u4EFB\u5171\u62C5\u6A21\u578B\n2. AWS\u81EA\u8EAB\u7684\u7B49\u4FDD\u6DB5\u76D6"
5767
+ },
5768
+ {
5769
+ id: "L3-PES3-01",
5770
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
5771
+ categoryEn: "Physical Environment Security",
5772
+ controlCn: "\u65E0\u7EBF\u63A5\u5165\u70B9\u7684\u7269\u7406\u4F4D\u7F6E",
5773
+ controlEn: "Location of Wireless Access Point",
5774
+ requirementCn: "\u5E94\u4E3A\u65E0\u7EBF\u63A5\u5165\u8BBE\u5907\u7684\u5B89\u88C5\u9009\u62E9\u5408\u7406\u4F4D\u7F6E\uFF0C\u907F\u514D\u8FC7\u5EA6\u8986\u76D6\u548C\u7535\u78C1\u5E72\u6270",
5775
+ requirementEn: "Choose a reasonable location for the installation of wireless access equipment to avoid excessive coverage and electromagnetic interference",
5776
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5777
+ referenceComment: ""
5778
+ },
5779
+ {
5780
+ id: "L3-ABS3-01",
5781
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5782
+ categoryEn: "Area Boundary Security",
5783
+ controlCn: "\u8FB9\u754C\u9632\u62A4",
5784
+ controlEn: "Border Protection",
5785
+ requirementCn: "\u5E94\u4FDD\u8BC1\u6709\u7EBF\u7F51\u7EDC\u4E0E\u65E0\u7EBF\u7F51\u7EDC\u8FB9\u754C\u4E4B\u95F4\u7684\u8BBF\u95EE\u548C\u6570\u636E\u6D41\u901A\u8FC7\u65E0\u7EBF\u63A5\u5165\u7F51\u5173\u8BBE\u5907",
5786
+ requirementEn: "Ensure access and data flow between the wired network and the wireless network boundary pass through the wireless access gateway device",
5787
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5788
+ referenceComment: ""
5789
+ },
5790
+ {
5791
+ id: "L3-ABS3-02",
5792
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5793
+ categoryEn: "Area Boundary Security",
5794
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
5795
+ controlEn: "Access Control",
5796
+ requirementCn: "\u65E0\u7EBF\u63A5\u5165\u8BBE\u5907\u5E94\u5F00\u542F\u63A5\u5165\u8BA4\u8BC1\u529F\u80FD\uFF0C\u5E76\u652F\u6301\u91C7\u7528\u8BA4\u8BC1\u670D\u52A1\u5668\u8BA4\u8BC1\u6216\u56FD\u5BB6\u5BC6\u7801\u7BA1\u7406\u673A\u6784\u6279\u51C6\u7684\u5BC6\u7801\u6A21\u5757\u8FDB\u884C\u8BA4\u8BC1",
5797
+ requirementEn: "Wireless access devices should turn on access authentication function and support to use the authentication server or cryptographic module approved by the State Cryptography Authority of China (SCA).",
5798
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5799
+ referenceComment: ""
5800
+ },
5801
+ {
5802
+ id: "L3-ABS3-03",
5803
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5804
+ categoryEn: "Area Boundary Security",
5805
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5806
+ controlEn: "Intrusion Prevention",
5807
+ requirementCn: "\u5E94\u80FD\u591F\u68C0\u6D4B\u5230\u975E\u6388\u6743\u65E0\u7EBF\u63A5\u5165\u8BBE\u5907\u548C\u975E\u6388\u6743\u79FB\u52A8\u7EC8\u7AEF\u7684\u63A5\u5165\u884C\u4E3A",
5808
+ requirementEn: "Unauthorized wireless access devices and unauthorized mobile terminals should be detected",
5809
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5810
+ referenceComment: ""
5811
+ },
5812
+ {
5813
+ id: "L3-ABS3-04",
5814
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5815
+ categoryEn: "Area Boundary Security",
5816
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5817
+ controlEn: "Intrusion Prevention",
5818
+ requirementCn: "\u5E94\u80FD\u591F\u68C0\u6D4B\u5230\u9488\u5BF9\u65E0\u7EBF\u63A5\u5165\u8BBE\u5907\u7684\u7F51\u7EDC\u626B\u63CF\u3001DDoS \u653B\u51FB\u3001\u5BC6\u94A5\u7834\u89E3\u3001\u4E2D\u95F4\u4EBA\u653B\u51FB\u548C\u6B3A\u9A97\u653B\u51FB\u7B49\u884C\u4E3A",
5819
+ requirementEn: "It should be able to detect network scanning, DDoS attacks, key cracking, man-in-the-middle attacks and deception attacks against wireless access devices.",
5820
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5821
+ referenceComment: ""
5822
+ },
5823
+ {
5824
+ id: "L3-ABS3-05",
5825
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5826
+ categoryEn: "Area Boundary Security",
5827
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5828
+ controlEn: "Intrusion Prevention",
5829
+ requirementCn: "\u5E94\u80FD\u591F\u68C0\u6D4B\u5230\u65E0\u7EBF\u63A5\u5165\u8BBE\u5907\u7684 SSID \u5E7F\u64AD\u3001WPS \u7B49\u9AD8\u98CE\u9669\u529F\u80FD\u7684\u5F00\u542F\u72B6\u6001",
5830
+ requirementEn: "It should be able to detect the use status of high-risk functions such as SSID broadcast and WPS of the wireless access device.",
5831
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5832
+ referenceComment: ""
5833
+ },
5834
+ {
5835
+ id: "L3-ABS3-06",
5836
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5837
+ categoryEn: "Area Boundary Security",
5838
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5839
+ controlEn: "Intrusion Prevention",
5840
+ requirementCn: "\u5E94\u7981\u7528\u65E0\u7EBF\u63A5\u5165\u8BBE\u5907\u548C\u65E0\u7EBF\u63A5\u5165\u7F51\u5173\u5B58\u5728\u98CE\u9669\u7684\u529F\u80FD\uFF0C\u5982\uFF1ASSID \u5E7F\u64AD\u3001WEP \u8BA4\u8BC1\u7B49",
5841
+ requirementEn: "Disable high risk functions of the wireless access device and the wireless access gateway, such as SSID broadcast, WEP authentication, etc.",
5842
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5843
+ referenceComment: ""
5844
+ },
5845
+ {
5846
+ id: "L3-ABS3-07",
5847
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5848
+ categoryEn: "Area Boundary Security",
5849
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5850
+ controlEn: "Intrusion Prevention",
5851
+ requirementCn: "\u5E94\u7981\u6B62\u591A\u4E2A AP \u4F7F\u7528\u540C\u4E00\u4E2A\u8BA4\u8BC1\u5BC6\u94A5",
5852
+ requirementEn: "Multiple APs should be prohibited from using the same authentication key",
5853
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5854
+ referenceComment: ""
5855
+ },
5856
+ {
5857
+ id: "L3-ABS3-08",
5858
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5859
+ categoryEn: "Area Boundary Security",
5860
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5861
+ controlEn: "Intrusion Prevention",
5862
+ requirementCn: "\u5E94\u80FD\u591F\u963B\u65AD\u975E\u6388\u6743\u65E0\u7EBF\u63A5\u5165\u8BBE\u5907\u6216\u975E\u6388\u6743\u79FB\u52A8\u7EC8\u7AEF",
5863
+ requirementEn: "It should be able to block the unauthorized wireless access devices or unauthorized mobile terminals",
5864
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5865
+ referenceComment: ""
5866
+ },
5867
+ {
5868
+ id: "L3-CES3-01",
5869
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5870
+ categoryEn: "Computing Environment Security",
5871
+ controlCn: "\u79FB\u52A8\u7EC8\u7AEF\u7BA1\u63A7",
5872
+ controlEn: "Mobile Terminal Control",
5873
+ requirementCn: "\u5E94\u4FDD\u8BC1\u79FB\u52A8\u7EC8\u7AEF\u5B89\u88C5\u3001\u6CE8\u518C\u5E76\u8FD0\u884C\u7EC8\u7AEF\u7BA1\u7406\u5BA2\u6237\u7AEF\u8F6F\u4EF6",
5874
+ requirementEn: "The mobile terminal should be guaranteed to install, register and run the terminal management client software.",
5875
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5876
+ referenceComment: ""
5877
+ },
5878
+ {
5879
+ id: "L3-CES3-02",
5880
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5881
+ categoryEn: "Computing Environment Security",
5882
+ controlCn: "\u79FB\u52A8\u7EC8\u7AEF\u7BA1\u63A7",
5883
+ controlEn: "Mobile Terminal Control",
5884
+ requirementCn: "\u79FB\u52A8\u7EC8\u7AEF\u5E94\u63A5\u53D7\u79FB\u52A8\u7EC8\u7AEF\u7BA1\u7406\u670D\u52A1\u7AEF\u7684\u8BBE\u5907\u751F\u547D\u5468\u671F\u7BA1\u7406\u3001\u8BBE\u5907\u8FDC\u7A0B\u63A7\u5236\uFF0C\u5982\uFF1A\u8FDC\u7A0B\u9501\u5B9A\u3001\u8FDC\u7A0B\u64E6\u9664\u7B49",
5885
+ requirementEn: "The mobile terminal shall accept the device lifecycle management and remote control from the mobile terminal management server, such as remote locking, remote erasing, etc.",
5886
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5887
+ referenceComment: ""
5888
+ },
5889
+ {
5890
+ id: "L3-CES3-03",
5891
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5892
+ categoryEn: "Computing Environment Security",
5893
+ controlCn: "\u79FB\u52A8\u5E94\u7528\u7BA1\u63A7",
5894
+ controlEn: "Mobile Application Control",
5895
+ requirementCn: "\u5E94\u5177\u6709\u9009\u62E9\u5E94\u7528\u8F6F\u4EF6\u5B89\u88C5\u3001\u8FD0\u884C\u7684\u529F\u80FD",
5896
+ requirementEn: "It should provide the function which allows to select application software to install and run",
5897
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5898
+ referenceComment: ""
5899
+ },
5900
+ {
5901
+ id: "L3-CES3-04",
5902
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5903
+ categoryEn: "Computing Environment Security",
5904
+ controlCn: "\u79FB\u52A8\u5E94\u7528\u7BA1\u63A7",
5905
+ controlEn: "Mobile Application Control",
5906
+ requirementCn: "\u5E94\u53EA\u5141\u8BB8\u6307\u5B9A\u8BC1\u4E66\u7B7E\u540D\u7684\u5E94\u7528\u8F6F\u4EF6\u5B89\u88C5\u548C\u8FD0\u884C",
5907
+ requirementEn: "Only applications that have specify certificate and signature should be allowed to install and run",
5908
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5909
+ referenceComment: ""
5910
+ },
5911
+ {
5912
+ id: "L3-CES3-05",
5913
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
5914
+ categoryEn: "Computing Environment Security",
5915
+ controlCn: "\u79FB\u52A8\u5E94\u7528\u7BA1\u63A7",
5916
+ controlEn: "Mobile Application Control",
5917
+ requirementCn: "\u5E94\u5177\u6709\u8F6F\u4EF6\u767D\u540D\u5355\u529F\u80FD\uFF0C\u5E94\u80FD\u6839\u636E\u767D\u540D\u5355\u63A7\u5236\u5E94\u7528\u8F6F\u4EF6\u5B89\u88C5\u3001\u8FD0\u884C",
5918
+ requirementEn: "It should provide the software whitelist function, and the installation and operation of applications should be controlled according to the whitelist",
5919
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5920
+ referenceComment: ""
5921
+ },
5922
+ {
5923
+ id: "L3-PES4-01",
5924
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
5925
+ categoryEn: "Physical Environment Security",
5926
+ controlCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u7269\u7406\u9632\u62A4",
5927
+ controlEn: "Physical Protection of Sensor Node",
5928
+ requirementCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u6240\u5904\u7684\u7269\u7406\u73AF\u5883\u5E94\u4E0D\u5BF9\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u9020\u6210\u7269\u7406\u7834\u574F\uFF0C\u5982\u6324\u538B\u3001\u5F3A\u632F\u52A8",
5929
+ requirementEn: "The physical environment in which the sensor node is located should not cause physical damage to the sensor node, such as extrusion and strong vibration.",
5930
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5931
+ referenceComment: ""
5932
+ },
5933
+ {
5934
+ id: "L3-PES4-02",
5935
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
5936
+ categoryEn: "Physical Environment Security",
5937
+ controlCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u7269\u7406\u9632\u62A4",
5938
+ controlEn: "Physical Protection of Sensor Node",
5939
+ requirementCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u5728\u5DE5\u4F5C\u72B6\u6001\u6240\u5904\u7269\u7406\u73AF\u5883\u5E94\u80FD\u6B63\u786E\u53CD\u6620\u73AF\u5883\u72B6\u6001\uFF08\u5982\u6E29\u6E7F\u5EA6\u4F20\u611F\u5668\u4E0D\u80FD\u5B89\u88C5\u5728\u9633\u5149\u76F4\u5C04\u533A\u57DF\uFF09",
5940
+ requirementEn: "The physical environment in which the sensor node is in working status should correctly reflect the environmental state (for example, the temperature and humidity sensor cannot be installed in a direct sunlight area)",
5941
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5942
+ referenceComment: ""
5943
+ },
5944
+ {
5945
+ id: "L3-PES4-03",
5946
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
5947
+ categoryEn: "Physical Environment Security",
5948
+ controlCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u7269\u7406\u9632\u62A4",
5949
+ controlEn: "Physical Protection of Sensor Node",
5950
+ requirementCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u5728\u5DE5\u4F5C\u72B6\u6001\u6240\u5904\u7269\u7406\u73AF\u5883\u5E94\u4E0D\u5BF9\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u7684\u6B63\u5E38\u5DE5\u4F5C\u9020\u6210\u5F71\u54CD\uFF0C\u5982\u5F3A\u5E72\u6270\u3001\u963B\u6321\u5C4F\u853D\u7B49",
5951
+ requirementEn: "The physical environment in which the sensor node is located should not affect the normal operation of the sensor node, such as strong interference, blocking shielding, etc.",
5952
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5953
+ referenceComment: ""
5954
+ },
5955
+ {
5956
+ id: "L3-PES4-04",
5957
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
5958
+ categoryEn: "Physical Environment Security",
5959
+ controlCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u7269\u7406\u9632\u62A4",
5960
+ controlEn: "Physical Protection of Sensor Node",
5961
+ requirementCn: "\u5173\u952E\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u5E94\u5177\u6709\u53EF\u4F9B\u957F\u65F6\u95F4\u5DE5\u4F5C\u7684\u7535\u529B\u4F9B\u5E94\uFF08\u5173\u952E\u7F51\u5173\u8282\u70B9\u8BBE\u5907\u5E94\u5177\u6709\u6301\u4E45\u7A33\u5B9A\u7684\u7535\u529B\u4F9B\u5E94\u80FD\u529B\uFF09",
5962
+ requirementEn: "Critical sensor nodes should have a power supply for long periods of time (critical gateway node should have a durable and stable power supply capability)",
5963
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5964
+ referenceComment: ""
5965
+ },
5966
+ {
5967
+ id: "L3-ABS4-01",
5968
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5969
+ categoryEn: "Area Boundary Security",
5970
+ controlCn: "\u63A5\u5165\u63A7\u5236",
5971
+ controlEn: "Access Control",
5972
+ requirementCn: "\u5E94\u4FDD\u8BC1\u53EA\u6709\u6388\u6743\u7684\u611F\u77E5\u8282\u70B9\u53EF\u4EE5\u63A5\u5165",
5973
+ requirementEn: "Ensured that only authorized sensor nodes can access",
5974
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5975
+ referenceComment: ""
5976
+ },
5977
+ {
5978
+ id: "L3-ABS4-02",
5979
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5980
+ categoryEn: "Area Boundary Security",
5981
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5982
+ controlEn: "Intrusion Prevention",
5983
+ requirementCn: "\u5E94\u80FD\u591F\u9650\u5236\u4E0E\u611F\u77E5\u8282\u70B9\u901A\u4FE1\u7684\u76EE\u6807\u5730\u5740\uFF0C\u4EE5\u907F\u514D\u5BF9\u964C\u751F\u5730\u5740\u7684\u653B\u51FB\u884C\u4E3A",
5984
+ requirementEn: "The target address to communicate with the sensor node should be restricted, thus avoiding attacks to unfamiliar addresses",
5985
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5986
+ referenceComment: ""
5987
+ },
5988
+ {
5989
+ id: "L3-ABS4-03",
5990
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
5991
+ categoryEn: "Area Boundary Security",
5992
+ controlCn: "\u5165\u4FB5\u9632\u8303",
5993
+ controlEn: "Intrusion Prevention",
5994
+ requirementCn: "\u5E94\u80FD\u591F\u9650\u5236\u4E0E\u7F51\u5173\u8282\u70B9\u901A\u4FE1\u7684\u76EE\u6807\u5730\u5740\uFF0C\u4EE5\u907F\u514D\u5BF9\u964C\u751F\u5730\u5740\u7684\u653B\u51FB\u884C\u4E3A",
5995
+ requirementEn: "The target address to communicate with the gateway node should be restricted, thus avoiding attacks to unfamiliar addresses",
5996
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
5997
+ referenceComment: ""
5998
+ },
5999
+ {
6000
+ id: "L3-CES4-01",
6001
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6002
+ categoryEn: "Computing Environment Security",
6003
+ controlCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6004
+ controlEn: "Sensor Node Security",
6005
+ requirementCn: "\u5E94\u4FDD\u8BC1\u53EA\u6709\u6388\u6743\u7684\u7528\u6237\u53EF\u4EE5\u5BF9\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u4E0A\u7684\u8F6F\u4EF6\u5E94\u7528\u8FDB\u884C\u914D\u7F6E\u6216\u53D8\u66F4",
6006
+ requirementEn: "Ensured that only authorized users can configure or change software applications on the sensor node device.",
6007
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6008
+ referenceComment: ""
6009
+ },
6010
+ {
6011
+ id: "L3-CES4-02",
6012
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6013
+ categoryEn: "Computing Environment Security",
6014
+ controlCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6015
+ controlEn: "Sensor Node Security",
6016
+ requirementCn: "\u5E94\u5177\u6709\u5BF9\u5176\u8FDE\u63A5\u7684\u7F51\u5173\u8282\u70B9\u8BBE\u5907\uFF08\u5305\u62EC\u8BFB\u5361\u5668\uFF09\u8FDB\u884C\u8EAB\u4EFD\u6807\u8BC6\u548C\u9274\u522B\u7684\u80FD\u529B",
6017
+ requirementEn: "It should be able to identify and authenticate the gateway nodes (including card readers) to which they are connected",
6018
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6019
+ referenceComment: ""
6020
+ },
6021
+ {
6022
+ id: "L3-CES4-03",
6023
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6024
+ categoryEn: "Computing Environment Security",
6025
+ controlCn: "\u611F\u77E5\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6026
+ controlEn: "Sensor Node Security",
6027
+ requirementCn: "\u5E94\u5177\u6709\u5BF9\u5176\u8FDE\u63A5\u7684\u5176\u4ED6\u611F\u77E5\u8282\u70B9\u8BBE\u5907\uFF08\u5305\u62EC\u8DEF\u7531\u8282\u70B9\uFF09\u8FDB\u884C\u8EAB\u4EFD\u6807\u8BC6\u548C\u9274\u522B\u7684\u80FD\u529B",
6028
+ requirementEn: "It should be able to identify and authenticate other connected node (including routing nodes) to which they are connected",
6029
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6030
+ referenceComment: ""
6031
+ },
6032
+ {
6033
+ id: "L3-CES4-04",
6034
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6035
+ categoryEn: "Computing Environment Security",
6036
+ controlCn: "\u7F51\u5173\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6037
+ controlEn: "Gateway Node Security",
6038
+ requirementCn: "\u5E94\u8BBE\u7F6E\u6700\u5927\u5E76\u53D1\u8FDE\u63A5\u6570",
6039
+ requirementEn: "The maximum number of concurrent connections of the gateway node should be set.",
6040
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6041
+ referenceComment: ""
6042
+ },
6043
+ {
6044
+ id: "L3-CES4-05",
6045
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6046
+ categoryEn: "Computing Environment Security",
6047
+ controlCn: "\u7F51\u5173\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6048
+ controlEn: "Gateway Node Security",
6049
+ requirementCn: "\u5E94\u5177\u5907\u5BF9\u5408\u6CD5\u8FDE\u63A5\u8BBE\u5907\uFF08\u5305\u62EC\u7EC8\u7AEF\u8282\u70B9\u3001\u8DEF\u7531\u8282\u70B9\u3001\u6570\u636E\u5904\u7406\u4E2D\u5FC3\uFF09\u8FDB\u884C\u6807\u8BC6\u548C\u9274\u522B\u7684\u80FD\u529B",
6050
+ requirementEn: "Ability to identify and authenticate legitimate connected devices (including endpoints, routing nodes, data processing centers)",
6051
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6052
+ referenceComment: ""
6053
+ },
6054
+ {
6055
+ id: "L3-CES4-06",
6056
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6057
+ categoryEn: "Computing Environment Security",
6058
+ controlCn: "\u7F51\u5173\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6059
+ controlEn: "Gateway Node Security",
6060
+ requirementCn: "\u5E94\u5177\u5907\u8FC7\u6EE4\u975E\u6CD5\u8282\u70B9\u548C\u4F2A\u9020\u8282\u70B9\u6240\u53D1\u9001\u7684\u6570\u636E\u7684\u80FD\u529B",
6061
+ requirementEn: "It should be able to filter data sent by illegal and forged nodes",
6062
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6063
+ referenceComment: ""
6064
+ },
6065
+ {
6066
+ id: "L3-CES4-07",
6067
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6068
+ categoryEn: "Computing Environment Security",
6069
+ controlCn: "\u7F51\u5173\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6070
+ controlEn: "Gateway Node Security",
6071
+ requirementCn: "\u6388\u6743\u7528\u6237\u5E94\u80FD\u591F\u5728\u8BBE\u5907\u4F7F\u7528\u8FC7\u7A0B\u4E2D\u5BF9\u5173\u952E\u5BC6\u94A5\u8FDB\u884C\u5728\u7EBF\u66F4\u65B0",
6072
+ requirementEn: "Authorized users should be able to update critical keys online during device use",
6073
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6074
+ referenceComment: ""
6075
+ },
6076
+ {
6077
+ id: "L3-CES4-08",
6078
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6079
+ categoryEn: "Computing Environment Security",
6080
+ controlCn: "\u7F51\u5173\u8282\u70B9\u8BBE\u5907\u5B89\u5168",
6081
+ controlEn: "Gateway Node Security",
6082
+ requirementCn: "\u6388\u6743\u7528\u6237\u5E94\u80FD\u591F\u5728\u8BBE\u5907\u4F7F\u7528\u8FC7\u7A0B\u4E2D\u5BF9\u5173\u952E\u914D\u7F6E\u53C2\u6570\u8FDB\u884C\u5728\u7EBF\u66F4\u65B0",
6083
+ requirementEn: "Authorized users should be able to update critical configuration parameters online while the device is in use",
6084
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6085
+ referenceComment: ""
6086
+ },
6087
+ {
6088
+ id: "L3-CES4-09",
6089
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6090
+ categoryEn: "Computing Environment Security",
6091
+ controlCn: "\u6297\u6570\u636E\u91CD\u653E",
6092
+ controlEn: "Anti-data Playback",
6093
+ requirementCn: "\u5E94\u80FD\u591F\u9274\u522B\u6570\u636E\u7684\u65B0\u9C9C\u6027\uFF0C\u907F\u514D\u5386\u53F2\u6570\u636E\u7684\u91CD\u653E\u653B\u51FB",
6094
+ requirementEn: "Identify the freshness of data and avoid replay attacks of historical data",
6095
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6096
+ referenceComment: ""
6097
+ },
6098
+ {
6099
+ id: "L3-CES4-10",
6100
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6101
+ categoryEn: "Computing Environment Security",
6102
+ controlCn: "\u6297\u6570\u636E\u91CD\u653E",
6103
+ controlEn: "Anti-data Playback",
6104
+ requirementCn: "\u5E94\u80FD\u591F\u9274\u522B\u5386\u53F2\u6570\u636E\u7684\u975E\u6CD5\u4FEE\u6539\uFF0C\u907F\u514D\u6570\u636E\u7684\u4FEE\u6539\u91CD\u653E\u653B\u51FB",
6105
+ requirementEn: "Identifies illegal modification of historical data to avoid data modification and replay attacks",
6106
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6107
+ referenceComment: ""
6108
+ },
6109
+ {
6110
+ id: "L3-CES4-11",
6111
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6112
+ categoryEn: "Computing Environment Security",
6113
+ controlCn: "\u6570\u636E\u878D\u5408\u5904\u7406",
6114
+ controlEn: "Data Aggregation Processing",
6115
+ requirementCn: "\u5E94\u5BF9\u6765\u81EA\u4F20\u611F\u7F51\u7684\u6570\u636E\u8FDB\u884C\u6570\u636E\u878D\u5408\u5904\u7406\uFF0C\u4F7F\u4E0D\u540C\u79CD\u7C7B\u7684\u6570\u636E\u53EF\u4EE5\u5728\u540C\u4E00\u4E2A\u5E73\u53F0\u88AB\u4F7F\u7528",
6116
+ requirementEn: "Data from the sensor network should be aggregated to make different types of data be used on the same platform",
6117
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6118
+ referenceComment: ""
6119
+ },
6120
+ {
6121
+ id: "L3-PES5-01",
6122
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
6123
+ categoryEn: "Physical Environment Security",
6124
+ controlCn: "\u5BA4\u5916\u63A7\u5236\u8BBE\u5907\u7269\u7406\u9632\u62A4",
6125
+ controlEn: "Physical Protection of Outdoor Control Equipment",
6126
+ requirementCn: "\u5BA4\u5916\u63A7\u5236\u8BBE\u5907\u5E94\u653E\u7F6E\u4E8E\u91C7\u7528\u94C1\u677F\u6216\u5176\u4ED6\u9632\u706B\u6750\u6599\u5236\u4F5C\u7684\u7BB1\u4F53\u6216\u88C5\u7F6E\u4E2D\u5E76\u7D27\u56FA\u7BB1\u4F53\u6216\u88C5\u7F6E\u5177\u6709\u900F\u98CE\u3001\u6563\u70ED\u3001\u9632\u76D7\u3001\u9632\u96E8\u548C\u9632\u706B\u80FD\u529B\u7B49",
6127
+ requirementEn: "The outdoor control equipment shall be placed in a box or device made of iron plates or other fireproof materials and fastened to the cabinet or device to have ventilation, heat dissipation, anti-theft, rainproof and fireproof capabilities, etc.",
6128
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6129
+ referenceComment: ""
6130
+ },
6131
+ {
6132
+ id: "L3-PES5-02",
6133
+ categoryCn: "\u5B89\u5168\u7269\u7406\u73AF\u5883",
6134
+ categoryEn: "Physical Environment Security",
6135
+ controlCn: "\u5BA4\u5916\u63A7\u5236\u8BBE\u5907\u7269\u7406\u9632\u62A4",
6136
+ controlEn: "Physical Protection of Outdoor Control Equipment",
6137
+ requirementCn: "\u5BA4\u5916\u63A7\u5236\u8BBE\u5907\u653E\u7F6E\u5E94\u8FDC\u79BB\u5F3A\u7535\u78C1\u5E72\u6270\u3001\u5F3A\u70ED\u6E90\u7B49\u73AF\u5883\uFF0C\u5982\u65E0\u6CD5\u907F\u514D\u5E94\u53CA\u65F6\u505A\u597D\u5E94\u6025\u5904\u7F6E\u53CA\u68C0\u4FEE\uFF0C \u4FDD\u8BC1\u8BBE\u5907\u6B63\u5E38\u8FD0\u884C",
6138
+ requirementEn: "The outdoor control equipment should be placed away from strong electromagnetic interference, strong heat source and other extreme environments. If it is unavoidable, emergency treatment and maintenance should be done in time to ensure the normal operation of the equipment.",
6139
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6140
+ referenceComment: ""
6141
+ },
6142
+ {
6143
+ id: "L3-CNS5-01",
6144
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
6145
+ categoryEn: "Communication Network Security",
6146
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
6147
+ controlEn: "Network Architecture",
6148
+ requirementCn: "\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\u4E0E\u4F01\u4E1A\u5176\u4ED6\u7CFB\u7EDF\u4E4B\u95F4\u5E94\u5212\u5206\u4E3A\u4E24\u4E2A\u533A\u57DF\uFF0C\u533A\u57DF\u95F4\u5E94\u91C7\u7528\u5355\u5411\u7684\u6280\u672F\u9694\u79BB\u624B\u6BB5",
6149
+ requirementEn: "The industrial control system and other systems of the enterprise should be divided into two areas, and one-way technical isolation should be adopted between the areas.",
6150
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6151
+ referenceComment: ""
6152
+ },
6153
+ {
6154
+ id: "L3-CNS5-02",
6155
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
6156
+ categoryEn: "Communication Network Security",
6157
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
6158
+ controlEn: "Network Architecture",
6159
+ requirementCn: "\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\u5185\u90E8\u5E94\u6839\u636E\u4E1A\u52A1\u7279\u70B9\u5212\u5206\u4E3A\u4E0D\u540C\u7684\u5B89\u5168\u57DF\uFF0C\u5B89\u5168\u57DF\u4E4B\u95F4\u5E94\u91C7\u7528\u6280\u672F\u9694\u79BB\u624B\u6BB5",
6160
+ requirementEn: "The industrial control system should be intenally divided into different security domains according to the business feature. Technical isolation should be adopted between different security domains.",
6161
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6162
+ referenceComment: ""
6163
+ },
6164
+ {
6165
+ id: "L3-CNS5-03",
6166
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
6167
+ categoryEn: "Communication Network Security",
6168
+ controlCn: "\u7F51\u7EDC\u67B6\u6784",
6169
+ controlEn: "Network Architecture",
6170
+ requirementCn: "\u6D89\u53CA\u5B9E\u65F6\u63A7\u5236\u548C\u6570\u636E\u4F20\u8F93\u7684\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\uFF0C\u5E94\u4F7F\u7528\u72EC\u7ACB\u7684\u7F51\u7EDC\u8BBE\u5907\u7EC4\u7F51\uFF0C\u5728\u7269\u7406\u5C42\u9762\u4E0A\u5B9E\u73B0\u4E0E\u5176\u5B83\u6570\u636E\u7F51\u53CA\u5916\u90E8\u516C\u5171\u4FE1\u606F\u7F51\u7684\u5B89\u5168\u9694\u79BB",
6171
+ requirementEn: "Industrial control systems involving real-time control and data transmission should use independent network equipment to set up a network to achieve secure isolation from other data networks and external public information networks at physical level.",
6172
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6173
+ referenceComment: ""
6174
+ },
6175
+ {
6176
+ id: "L3-CNS5-04",
6177
+ categoryCn: "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
6178
+ categoryEn: "Communication Network Security",
6179
+ controlCn: "\u901A\u4FE1\u4F20\u8F93",
6180
+ controlEn: "Communication Transmission",
6181
+ requirementCn: "\u5728\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\u5185\u4F7F\u7528\u5E7F\u57DF\u7F51\u8FDB\u884C\u63A7\u5236\u6307\u4EE4\u6216\u76F8\u5173\u6570\u636E\u4EA4\u6362\u7684\u5E94\u91C7\u7528\u52A0\u5BC6\u8BA4\u8BC1\u6280\u672F\u624B\u6BB5\u5B9E\u73B0\u8EAB\u4EFD\u8BA4\u8BC1\u3001\u8BBF\u95EE\u63A7\u5236\u548C\u6570\u636E\u52A0\u5BC6\u4F20\u8F93",
6182
+ requirementEn: "If WAN is used in industrial control system to control instructions or exchange related data, encryption and authentication technology should be adopted to realize identity authentication, access control and data encryption transmission",
6183
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6184
+ referenceComment: ""
6185
+ },
6186
+ {
6187
+ id: "L3-ABS5-01",
6188
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6189
+ categoryEn: "Area Boundary Security",
6190
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
6191
+ controlEn: "Access Control",
6192
+ requirementCn: "\u5E94\u5728\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\u4E0E\u4F01\u4E1A\u5176\u4ED6\u7CFB\u7EDF\u4E4B\u95F4\u90E8\u7F72\u8BBF\u95EE\u63A7\u5236\u8BBE\u5907\uFF0C\u914D\u7F6E\u8BBF\u95EE\u63A7\u5236\u7B56\u7565\uFF0C\u7981\u6B62\u4EFB\u4F55\u7A7F\u8D8A\u533A\u57DF\u8FB9\u754C\u7684 E-Mail\u3001Web\u3001Telnet\u3001Rlogin\u3001FTP \u7B49\u901A\u7528\u7F51\u7EDC\u670D\u52A1",
6193
+ requirementEn: "The access control device should be deployed between the industrial control system and other enterprise systems, and the access control policy should be configured to prohibit any common network services such as E-Mail, Web, Telnet, Rlogin, and FTP that traverse the boundary of the area.",
6194
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6195
+ referenceComment: ""
6196
+ },
6197
+ {
6198
+ id: "L3-ABS5-02",
6199
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6200
+ categoryEn: "Area Boundary Security",
6201
+ controlCn: "\u8BBF\u95EE\u63A7\u5236",
6202
+ controlEn: "Access Control",
6203
+ requirementCn: "\u5E94\u5728\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\u5185\u5B89\u5168\u57DF\u548C\u5B89\u5168\u57DF\u4E4B\u95F4\u7684\u8FB9\u754C\u9632\u62A4\u673A\u5236\u5931\u6548\u65F6\uFF0C\u53CA\u65F6\u8FDB\u884C\u62A5\u8B66",
6204
+ requirementEn: "The alarm should be promptly issued when the boundary protection mechanism between different security domains fails in the industrial control system.",
6205
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6206
+ referenceComment: ""
6207
+ },
6208
+ {
6209
+ id: "L3-ABS5-03",
6210
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6211
+ categoryEn: "Area Boundary Security",
6212
+ controlCn: "\u62E8\u53F7\u4F7F\u7528\u63A7\u5236",
6213
+ controlEn: "Dail-up Use Control",
6214
+ requirementCn: "\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\u786E\u9700\u4F7F\u7528\u62E8\u53F7\u8BBF\u95EE\u670D\u52A1\u7684\uFF0C\u5E94\u9650\u5236\u5177\u6709\u62E8\u53F7\u8BBF\u95EE\u6743\u9650\u7684\u7528\u6237\u6570\u91CF\uFF0C\u5E76\u91C7\u53D6\u7528\u6237\u8EAB\u4EFD\u9274\u522B\u548C\u8BBF\u95EE\u63A7\u5236\u7B49\u63AA\u65BD",
6215
+ requirementEn: "If the industrial control system needs to use the dial-up access service, it should limit the number of users with dial-up access rights, and take measures such as user identity authentication and access control.",
6216
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6217
+ referenceComment: ""
6218
+ },
6219
+ {
6220
+ id: "L3-ABS5-04",
6221
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6222
+ categoryEn: "Area Boundary Security",
6223
+ controlCn: "\u62E8\u53F7\u4F7F\u7528\u63A7\u5236",
6224
+ controlEn: "Dail-up Use Control",
6225
+ requirementCn: "\u62E8\u53F7\u670D\u52A1\u5668\u548C\u5BA2\u6237\u7AEF\u5747\u5E94\u4F7F\u7528\u7ECF\u5B89\u5168\u52A0\u56FA\u7684\u64CD\u4F5C\u7CFB\u7EDF\uFF0C\u5E76\u91C7\u53D6\u6570\u5B57\u8BC1\u4E66\u8BA4\u8BC1\u3001\u4F20\u8F93\u52A0\u5BC6\u548C\u8BBF\u95EE\u63A7\u5236\u7B49\u63AA\u65BD",
6226
+ requirementEn: "Both the dial-up server and the client should use a security-hardened operating system and take measures such as digital certificate authentication, transport encryption, and access control.",
6227
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6228
+ referenceComment: ""
6229
+ },
6230
+ {
6231
+ id: "L3-ABS5-05",
6232
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6233
+ categoryEn: "Area Boundary Security",
6234
+ controlCn: "\u65E0\u7EBF\u4F7F\u7528\u63A7\u5236",
6235
+ controlEn: "Wireless Use Control",
6236
+ requirementCn: "\u5E94\u5BF9\u6240\u6709\u53C2\u4E0E\u65E0\u7EBF\u901A\u4FE1\u7684\u7528\u6237\uFF08\u4EBA\u5458\u3001\u8F6F\u4EF6\u8FDB\u7A0B\u6216\u8005\u8BBE\u5907\uFF09\u63D0\u4F9B\u552F\u4E00\u6027\u6807\u8BC6\u548C\u9274\u522B",
6237
+ requirementEn: "Provide unique identification and authentication to all users (personnel, software processes or devices) involved in wireless communications",
6238
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6239
+ referenceComment: ""
6240
+ },
6241
+ {
6242
+ id: "L3-ABS5-06",
6243
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6244
+ categoryEn: "Area Boundary Security",
6245
+ controlCn: "\u65E0\u7EBF\u4F7F\u7528\u63A7\u5236",
6246
+ controlEn: "Wireless Use Control",
6247
+ requirementCn: "\u5E94\u5BF9\u6240\u6709\u53C2\u4E0E\u65E0\u7EBF\u901A\u4FE1\u7684\u7528\u6237\uFF08\u4EBA\u5458\u3001\u8F6F\u4EF6\u8FDB\u7A0B\u6216\u8005\u8BBE\u5907\uFF09\u8FDB\u884C\u6388\u6743\u4EE5\u53CA\u6267\u884C\u4F7F\u7528\u8FDB\u884C\u9650\u5236",
6248
+ requirementEn: "Restrictions on the authorization and execution of all users (personnel, software processes or devices) involved in wireless communication",
6249
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6250
+ referenceComment: ""
6251
+ },
6252
+ {
6253
+ id: "L3-ABS5-07",
6254
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6255
+ categoryEn: "Area Boundary Security",
6256
+ controlCn: "\u65E0\u7EBF\u4F7F\u7528\u63A7\u5236",
6257
+ controlEn: "Wireless Use Control",
6258
+ requirementCn: "\u5E94\u5BF9\u65E0\u7EBF\u901A\u4FE1\u91C7\u53D6\u4F20\u8F93\u52A0\u5BC6\u7684\u5B89\u5168\u63AA\u65BD\uFF0C\u5B9E\u73B0\u4F20\u8F93\u62A5\u6587\u7684\u673A\u5BC6\u6027\u4FDD\u62A4",
6259
+ requirementEn: "Security measures for transmission encryption should be adopted for wireless communication to achieve confidentiality protection of transmitted messages.",
6260
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6261
+ referenceComment: ""
6262
+ },
6263
+ {
6264
+ id: "L3-ABS5-08",
6265
+ categoryCn: "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6266
+ categoryEn: "Area Boundary Security",
6267
+ controlCn: "\u65E0\u7EBF\u4F7F\u7528\u63A7\u5236",
6268
+ controlEn: "Wireless Use Control",
6269
+ requirementCn: "\u5BF9\u91C7\u7528\u65E0\u7EBF\u901A\u4FE1\u6280\u672F\u8FDB\u884C\u63A7\u5236\u7684\u5DE5\u4E1A\u63A7\u5236\u7CFB\u7EDF\uFF0C\u5E94\u80FD\u8BC6\u522B\u5176\u7269\u7406\u73AF\u5883\u4E2D\u53D1\u5C04\u7684\u672A\u7ECF\u6388\u6743\u7684\u65E0\u7EBF\u8BBE\u5907\uFF0C\u62A5\u544A\u672A\u7ECF\u6388\u6743\u8BD5\u56FE\u63A5\u5165\u6216\u5E72\u6270\u63A7\u5236\u7CFB\u7EDF\u7684\u884C\u4E3A",
6270
+ requirementEn: "Industrial control systems that use wireless communication technology should be able to identify unauthorized wireless devices transmitted in their physical environment and report unauthorized attempts to access or interfere with control systems.",
6271
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6272
+ referenceComment: ""
6273
+ },
6274
+ {
6275
+ id: "L3-CES5-01",
6276
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6277
+ categoryEn: "Computing Environment Security",
6278
+ controlCn: "\u63A7\u5236\u8BBE\u5907\u5B89\u5168",
6279
+ controlEn: "Control Equipment Security",
6280
+ requirementCn: "\u63A7\u5236\u8BBE\u5907\u81EA\u8EAB\u5E94\u5B9E\u73B0\u76F8\u5E94\u7EA7\u522B\u5B89\u5168\u901A\u7528\u8981\u6C42\u63D0\u51FA\u7684\u8EAB\u4EFD\u9274\u522B\u3001\u8BBF\u95EE\u63A7\u5236\u548C\u5B89\u5168\u5BA1\u8BA1\u7B49\u5B89\u5168\u8981\u6C42\uFF0C\u5982\u53D7\u6761\u4EF6\u9650\u5236\u63A7\u5236\u8BBE\u5907\u65E0\u6CD5\u5B9E\u73B0\u4E0A\u8FF0\u8981\u6C42\uFF0C\u5E94\u7531\u5176\u4E0A\u4F4D\u63A7\u5236\u6216\u7BA1\u7406\u8BBE\u5907\u5B9E\u73B0\u540C\u7B49\u529F\u80FD\u6216\u901A\u8FC7\u7BA1\u7406\u624B\u6BB5\u63A7\u5236",
6281
+ requirementEn: "The control device itself shall implement the security requirements such as identity authentication, access control and security audit proposed by the corresponding level of security general requirements. If the above requirements cannot be implemented by restricted conditions, the equivalent function should be implemented by its upper class control or controlled by management means",
6282
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6283
+ referenceComment: ""
6284
+ },
6285
+ {
6286
+ id: "L3-CES5-02",
6287
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6288
+ categoryEn: "Computing Environment Security",
6289
+ controlCn: "\u63A7\u5236\u8BBE\u5907\u5B89\u5168",
6290
+ controlEn: "Control Equipment Security",
6291
+ requirementCn: "\u5E94\u5728\u7ECF\u8FC7\u5145\u5206\u6D4B\u8BD5\u8BC4\u4F30\u540E\uFF0C\u5728\u4E0D\u5F71\u54CD\u7CFB\u7EDF\u5B89\u5168\u7A33\u5B9A\u8FD0\u884C\u7684\u60C5\u51B5\u4E0B\u5BF9\u63A7\u5236\u8BBE\u5907\u8FDB\u884C\u8865\u4E01\u66F4\u65B0\u3001\u56FA\u4EF6\u66F4\u65B0\u7B49\u5DE5\u4F5C",
6292
+ requirementEn: "After sufficient testing and evaluation, patches and firmware update can be applied to the control equipment which should not affect the safe and stable operation of the system.",
6293
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6294
+ referenceComment: ""
6295
+ },
6296
+ {
6297
+ id: "L3-CES5-03",
6298
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6299
+ categoryEn: "Computing Environment Security",
6300
+ controlCn: "\u63A7\u5236\u8BBE\u5907\u5B89\u5168",
6301
+ controlEn: "Control Equipment Security",
6302
+ requirementCn: "\u5E94\u5173\u95ED\u6216\u62C6\u9664\u63A7\u5236\u8BBE\u5907\u7684\u8F6F\u76D8\u9A71\u52A8\u3001\u5149\u76D8\u9A71\u52A8\u3001USB \u63A5\u53E3\u3001\u4E32\u884C\u53E3\u6216\u591A\u4F59\u7F51\u53E3\u7B49\uFF0C\u786E\u9700\u4FDD\u7559\u7684\u5FC5\u987B\u901A\u8FC7\u76F8\u5173\u7684\u6280\u672F\u63AA\u65BD\u5B9E\u65BD\u4E25\u683C\u7684\u76D1\u63A7\u7BA1\u7406",
6303
+ requirementEn: "The floppy disk drive, CD-ROM drive, USB interface, serial port or redundant network port of the control device should be turned off or removed. It should be strictly monitored and managed through relevant technical measures if any of them are indeed to retain.",
6304
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6305
+ referenceComment: ""
6306
+ },
6307
+ {
6308
+ id: "L3-CES5-04",
6309
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6310
+ categoryEn: "Computing Environment Security",
6311
+ controlCn: "\u63A7\u5236\u8BBE\u5907\u5B89\u5168",
6312
+ controlEn: "Control Equipment Security",
6313
+ requirementCn: "\u5E94\u4F7F\u7528\u4E13\u7528\u8BBE\u5907\u548C\u4E13\u7528\u8F6F\u4EF6\u5BF9\u63A7\u5236\u8BBE\u5907\u8FDB\u884C\u66F4\u65B0",
6314
+ requirementEn: "Control equipment should be updated with dedicated equipment and software",
6315
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6316
+ referenceComment: ""
6317
+ },
6318
+ {
6319
+ id: "L3-CES5-05",
6320
+ categoryCn: "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6321
+ categoryEn: "Computing Environment Security",
6322
+ controlCn: "\u63A7\u5236\u8BBE\u5907\u5B89\u5168",
6323
+ controlEn: "Control Equipment Security",
6324
+ requirementCn: "\u5E94\u4FDD\u8BC1\u63A7\u5236\u8BBE\u5907\u5728\u4E0A\u7EBF\u524D\u7ECF\u8FC7\u5B89\u5168\u6027\u68C0\u6D4B\uFF0C\u907F\u514D\u63A7\u5236\u8BBE\u5907\u56FA\u4EF6\u4E2D\u5B58\u5728\u6076\u610F\u4EE3\u7801\u7A0B\u5E8F",
6325
+ requirementEn: "It should be ensured that the control device is tested for security before going online, and there is no malicious code program in the control device firmware.",
6326
+ referenceStatus: "\u4E0D\u9002\u7528 N/A",
6327
+ referenceComment: ""
6328
+ }
6329
+ ];
6330
+
6331
+ // src/data/mlps3-check-mapping.ts
6332
+ var MLPS3_FULL_CHECKLIST = mlps3_full_checklist_default;
6333
+ var MLPS3_CATEGORY_ORDER = [
6334
+ "\u5B89\u5168\u7269\u7406\u73AF\u5883",
6335
+ "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
6336
+ "\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6337
+ "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6338
+ "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3"
6339
+ ];
6340
+ var MLPS3_CATEGORY_SECTION = {
6341
+ "\u5B89\u5168\u7269\u7406\u73AF\u5883": "\u4E00\u3001\u5B89\u5168\u7269\u7406\u73AF\u5883",
6342
+ "\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC": "\u4E8C\u3001\u5B89\u5168\u901A\u4FE1\u7F51\u7EDC",
6343
+ "\u5B89\u5168\u533A\u57DF\u8FB9\u754C": "\u4E09\u3001\u5B89\u5168\u533A\u57DF\u8FB9\u754C",
6344
+ "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883": "\u56DB\u3001\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
6345
+ "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3": "\u4E94\u3001\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3"
6346
+ };
6347
+ var MLPS3_CHECK_MAPPING = [
6348
+ // =========================================================================
6349
+ // 安全物理环境 — L3-PES1-* (22 items) → cloud_provider
6350
+ // =========================================================================
6351
+ { id: "L3-PES1-01", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6352
+ { id: "L3-PES1-02", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6353
+ { id: "L3-PES1-03", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6354
+ { id: "L3-PES1-04", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6355
+ { id: "L3-PES1-05", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6356
+ { id: "L3-PES1-06", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6357
+ { id: "L3-PES1-07", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6358
+ { id: "L3-PES1-08", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6359
+ { id: "L3-PES1-09", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6360
+ { id: "L3-PES1-10", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6361
+ { id: "L3-PES1-11", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6362
+ { id: "L3-PES1-12", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6363
+ { id: "L3-PES1-13", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6364
+ { id: "L3-PES1-14", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6365
+ { id: "L3-PES1-15", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6366
+ { id: "L3-PES1-16", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6367
+ { id: "L3-PES1-17", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6368
+ { id: "L3-PES1-18", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6369
+ { id: "L3-PES1-19", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6370
+ { id: "L3-PES1-20", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6371
+ { id: "L3-PES1-21", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6372
+ { id: "L3-PES1-22", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u673A\u623F\u7269\u7406\u5B89\u5168" },
6373
+ // L3-PES2-01 (Cloud extension — physical infra in China)
6374
+ { id: "L3-PES2-01", type: "cloud_provider", note: "AWS \u4E2D\u56FD\u533A\u57FA\u7840\u8BBE\u65BD\u4F4D\u4E8E\u4E2D\u56FD\u5883\u5185" },
6375
+ // L3-PES3-01 (Wireless — N/A)
6376
+ { id: "L3-PES3-01", type: "not_applicable" },
6377
+ // L3-PES4-* (IoT sensor — N/A)
6378
+ { id: "L3-PES4-01", type: "not_applicable" },
6379
+ { id: "L3-PES4-02", type: "not_applicable" },
6380
+ { id: "L3-PES4-03", type: "not_applicable" },
6381
+ { id: "L3-PES4-04", type: "not_applicable" },
6382
+ // L3-PES5-* (Industrial control outdoor — N/A)
6383
+ { id: "L3-PES5-01", type: "not_applicable" },
6384
+ { id: "L3-PES5-02", type: "not_applicable" },
6385
+ // =========================================================================
6386
+ // 安全通信网络 — L3-CNS1-* (8 items)
6387
+ // =========================================================================
6388
+ { id: "L3-CNS1-01", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u7F51\u7EDC\u8BBE\u5907\u5904\u7406\u80FD\u529B" },
6389
+ { id: "L3-CNS1-02", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u7F51\u7EDC\u5E26\u5BBD" },
6390
+ {
6391
+ id: "L3-CNS1-03",
6392
+ type: "auto",
6393
+ modules: ["network_reachability", "security_hub_findings"],
6394
+ securityHubControlIds: ["EC2.2"]
6395
+ },
6396
+ {
6397
+ id: "L3-CNS1-04",
6398
+ type: "auto",
6399
+ modules: ["network_reachability", "security_hub_findings"],
6400
+ securityHubControlIds: ["EC2.2", "EC2.18", "EC2.19"]
6401
+ },
6402
+ { id: "L3-CNS1-05", type: "cloud_provider", note: "AWS \u591A\u53EF\u7528\u533A/\u591A\u533A\u57DF\u5197\u4F59" },
6403
+ {
6404
+ id: "L3-CNS1-06",
6405
+ type: "auto",
6406
+ modules: ["ssl_certificate", "security_hub_findings"],
6407
+ securityHubControlIds: ["ELB.1"]
6408
+ },
6409
+ {
6410
+ id: "L3-CNS1-07",
6411
+ type: "auto",
6412
+ modules: ["ssl_certificate", "security_hub_findings"],
6413
+ securityHubControlIds: ["ELB.1"]
6414
+ },
6415
+ { id: "L3-CNS1-08", type: "not_applicable" },
6416
+ // L3-CNS2-* (Cloud extension communication — 5 items)
6417
+ { id: "L3-CNS2-01", type: "cloud_provider", note: "AWS \u7B49\u4FDD\u6DB5\u76D6" },
6418
+ { id: "L3-CNS2-02", type: "cloud_provider", note: "VPC \u5B9E\u73B0\u865A\u62DF\u7F51\u7EDC\u9694\u79BB" },
6419
+ {
6420
+ id: "L3-CNS2-03",
6421
+ type: "auto",
6422
+ modules: ["network_reachability", "waf_coverage", "guardduty_findings"]
6423
+ },
6424
+ { id: "L3-CNS2-04", type: "cloud_provider", note: "AWS \u652F\u6301\u81EA\u4E3B\u5B89\u5168\u7B56\u7565\u914D\u7F6E" },
6425
+ { id: "L3-CNS2-05", type: "cloud_provider", note: "AWS Marketplace \u652F\u6301\u7B2C\u4E09\u65B9\u4EA7\u54C1" },
6426
+ // L3-CNS5-* (Industrial control communication — N/A)
6427
+ { id: "L3-CNS5-01", type: "not_applicable" },
6428
+ { id: "L3-CNS5-02", type: "not_applicable" },
6429
+ { id: "L3-CNS5-03", type: "not_applicable" },
6430
+ { id: "L3-CNS5-04", type: "not_applicable" },
6431
+ // =========================================================================
6432
+ // 安全区域边界 — L3-ABS1-* (20 items)
6433
+ // =========================================================================
6434
+ {
6435
+ id: "L3-ABS1-01",
6436
+ type: "auto",
6437
+ modules: ["network_reachability", "waf_coverage", "security_hub_findings"],
6438
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6439
+ },
6440
+ {
6441
+ id: "L3-ABS1-02",
6442
+ type: "auto",
6443
+ modules: ["network_reachability", "security_hub_findings"],
6444
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6445
+ },
6446
+ {
6447
+ id: "L3-ABS1-03",
6448
+ type: "manual",
6449
+ guidance: "\u9700\u786E\u8BA4 NAT Gateway\u3001VPC Endpoint \u914D\u7F6E\uFF0C\u9650\u5236\u5185\u90E8\u7528\u6237\u975E\u6388\u6743\u5916\u8054"
6450
+ },
6451
+ { id: "L3-ABS1-04", type: "not_applicable" },
6452
+ {
6453
+ id: "L3-ABS1-05",
6454
+ type: "auto",
6455
+ modules: ["network_reachability", "security_hub_findings"],
6456
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6457
+ },
6458
+ {
6459
+ id: "L3-ABS1-06",
6460
+ type: "auto",
6461
+ modules: ["network_reachability", "security_hub_findings"],
6462
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6463
+ },
6464
+ {
6465
+ id: "L3-ABS1-07",
6466
+ type: "auto",
6467
+ modules: ["network_reachability", "waf_coverage", "security_hub_findings"],
6468
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6469
+ },
6470
+ {
6471
+ id: "L3-ABS1-08",
6472
+ type: "manual",
6473
+ guidance: "\u9700\u542F\u7528 WAF \u6216\u90E8\u7F72\u7B2C\u4E09\u65B9\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\u5B9E\u73B0\u57FA\u4E8E\u4F1A\u8BDD\u72B6\u6001\u7684\u8BBF\u95EE\u63A7\u5236"
6474
+ },
6475
+ {
6476
+ id: "L3-ABS1-09",
6477
+ type: "manual",
6478
+ guidance: "\u9700\u542F\u7528 WAF \u6216\u90E8\u7F72\u7B2C\u4E09\u65B9\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\u5B9E\u73B0\u57FA\u4E8E\u5E94\u7528\u534F\u8BAE\u7684\u8BBF\u95EE\u63A7\u5236"
6479
+ },
6480
+ {
6481
+ id: "L3-ABS1-10",
6482
+ type: "auto",
6483
+ modules: ["guardduty_findings", "waf_coverage", "inspector_findings", "security_hub_findings"],
6484
+ securityHubControlIds: ["GuardDuty.1"]
6485
+ },
6486
+ {
6487
+ id: "L3-ABS1-11",
6488
+ type: "auto",
6489
+ modules: ["guardduty_findings", "waf_coverage", "inspector_findings", "security_hub_findings"],
6490
+ securityHubControlIds: ["GuardDuty.1"]
6491
+ },
6492
+ {
6493
+ id: "L3-ABS1-12",
6494
+ type: "auto",
6495
+ modules: ["guardduty_findings", "waf_coverage", "inspector_findings", "security_hub_findings"],
6496
+ securityHubControlIds: ["GuardDuty.1"]
6497
+ },
6498
+ {
6499
+ id: "L3-ABS1-13",
6500
+ type: "auto",
6501
+ modules: ["guardduty_findings", "waf_coverage"]
6502
+ },
6503
+ {
6504
+ id: "L3-ABS1-14",
6505
+ type: "manual",
6506
+ guidance: "\u9700\u5728\u64CD\u4F5C\u7CFB\u7EDF\u5B89\u88C5\u7B2C\u4E09\u65B9\u6740\u6BD2\u8F6F\u4EF6\uFF0C\u6216\u90E8\u7F72\u4E0B\u4E00\u4EE3\u9632\u706B\u5899\u8FDB\u884C\u6076\u610F\u4EE3\u7801\u68C0\u6D4B"
6507
+ },
6508
+ { id: "L3-ABS1-15", type: "not_applicable" },
6509
+ {
6510
+ id: "L3-ABS1-16",
6511
+ type: "auto",
6512
+ modules: ["service_detection", "config_rules_findings", "security_hub_findings"],
6513
+ securityHubControlIds: ["CloudTrail.1"]
6514
+ },
6515
+ {
6516
+ id: "L3-ABS1-17",
6517
+ type: "auto",
6518
+ modules: ["service_detection", "security_hub_findings"],
6519
+ securityHubControlIds: ["CloudTrail.1"]
6520
+ },
6521
+ {
6522
+ id: "L3-ABS1-18",
6523
+ type: "auto",
6524
+ modules: ["security_hub_findings"],
6525
+ securityHubControlIds: ["CloudTrail.4", "CloudTrail.5", "CloudTrail.6", "CloudTrail.7"]
6526
+ },
6527
+ {
6528
+ id: "L3-ABS1-19",
6529
+ type: "manual",
6530
+ guidance: "\u9700\u914D\u7F6E S3 Access Log\u3001ALB Access Log\uFF0C\u6216\u90E8\u7F72\u4E0A\u7F51\u884C\u4E3A\u7BA1\u7406\u4EA7\u54C1\u8FDB\u884C\u8FDC\u7A0B\u8BBF\u95EE\u884C\u4E3A\u5BA1\u8BA1"
6531
+ },
6532
+ { id: "L3-ABS1-20", type: "not_applicable" },
6533
+ // L3-ABS2-* (Cloud extension boundary — 8 items)
6534
+ {
6535
+ id: "L3-ABS2-01",
6536
+ type: "auto",
6537
+ modules: ["network_reachability", "security_hub_findings"],
6538
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6539
+ },
6540
+ {
6541
+ id: "L3-ABS2-02",
6542
+ type: "auto",
6543
+ modules: ["network_reachability", "security_hub_findings"],
6544
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6545
+ },
6546
+ {
6547
+ id: "L3-ABS2-03",
6548
+ type: "auto",
6549
+ modules: ["guardduty_findings", "waf_coverage"]
6550
+ },
6551
+ {
6552
+ id: "L3-ABS2-04",
6553
+ type: "auto",
6554
+ modules: ["guardduty_findings", "waf_coverage"]
6555
+ },
6556
+ {
6557
+ id: "L3-ABS2-05",
6558
+ type: "auto",
6559
+ modules: ["guardduty_findings"]
6560
+ },
6561
+ {
6562
+ id: "L3-ABS2-06",
6563
+ type: "auto",
6564
+ modules: ["guardduty_findings", "waf_coverage"]
6565
+ },
6566
+ {
6567
+ id: "L3-ABS2-07",
6568
+ type: "auto",
6569
+ modules: ["security_hub_findings"],
6570
+ securityHubControlIds: ["CloudTrail.1"]
6571
+ },
6572
+ {
6573
+ id: "L3-ABS2-08",
6574
+ type: "auto",
6575
+ modules: ["security_hub_findings"],
6576
+ securityHubControlIds: ["CloudTrail.1"]
6577
+ },
6578
+ // L3-ABS3-* (Wireless boundary — N/A)
6579
+ { id: "L3-ABS3-01", type: "not_applicable" },
6580
+ { id: "L3-ABS3-02", type: "not_applicable" },
6581
+ { id: "L3-ABS3-03", type: "not_applicable" },
6582
+ { id: "L3-ABS3-04", type: "not_applicable" },
6583
+ { id: "L3-ABS3-05", type: "not_applicable" },
6584
+ { id: "L3-ABS3-06", type: "not_applicable" },
6585
+ { id: "L3-ABS3-07", type: "not_applicable" },
6586
+ { id: "L3-ABS3-08", type: "not_applicable" },
6587
+ // L3-ABS4-* (IoT boundary — N/A)
6588
+ { id: "L3-ABS4-01", type: "not_applicable" },
6589
+ { id: "L3-ABS4-02", type: "not_applicable" },
6590
+ { id: "L3-ABS4-03", type: "not_applicable" },
6591
+ // L3-ABS5-* (Industrial control boundary — N/A)
6592
+ { id: "L3-ABS5-01", type: "not_applicable" },
6593
+ { id: "L3-ABS5-02", type: "not_applicable" },
6594
+ { id: "L3-ABS5-03", type: "not_applicable" },
6595
+ { id: "L3-ABS5-04", type: "not_applicable" },
6596
+ { id: "L3-ABS5-05", type: "not_applicable" },
6597
+ { id: "L3-ABS5-06", type: "not_applicable" },
6598
+ { id: "L3-ABS5-07", type: "not_applicable" },
6599
+ { id: "L3-ABS5-08", type: "not_applicable" },
6600
+ // =========================================================================
6601
+ // 安全计算环境 — L3-CES1-* (34 items, no CES1-16)
6602
+ // =========================================================================
6603
+ {
6604
+ id: "L3-CES1-01",
6605
+ type: "auto",
6606
+ modules: ["iam_privilege_escalation", "access_analyzer_findings", "security_hub_findings"],
6607
+ securityHubControlIds: ["IAM.7", "IAM.10", "IAM.11"]
6608
+ },
6609
+ {
6610
+ id: "L3-CES1-02",
6611
+ type: "manual",
6612
+ guidance: "\u9700\u914D\u7F6E\u5821\u5792\u673A\u6216\u901A\u8FC7 CloudTrail + CloudWatch Alarm + Lambda \u5B9E\u73B0\u767B\u5F55\u5931\u8D25\u5904\u7406"
6613
+ },
6614
+ {
6615
+ id: "L3-CES1-03",
6616
+ type: "auto",
6617
+ modules: ["ssl_certificate", "security_hub_findings"],
6618
+ securityHubControlIds: ["ELB.1"]
6619
+ },
6620
+ {
6621
+ id: "L3-CES1-04",
6622
+ type: "auto",
6623
+ modules: ["security_hub_findings"],
6624
+ securityHubControlIds: ["IAM.5", "IAM.6"]
6625
+ },
6626
+ {
6627
+ id: "L3-CES1-05",
6628
+ type: "auto",
6629
+ modules: ["iam_privilege_escalation", "access_analyzer_findings"]
6630
+ },
6631
+ {
6632
+ id: "L3-CES1-06",
6633
+ type: "manual",
6634
+ guidance: "\u9700\u786E\u8BA4\u5DF2\u91CD\u547D\u540D\u6216\u5220\u9664\u9ED8\u8BA4\u8D26\u6237\uFF08\u5982 root \u76F4\u63A5\u767B\u5F55\uFF09\uFF0C\u4FEE\u6539\u9ED8\u8BA4\u53E3\u4EE4"
6635
+ },
6636
+ {
6637
+ id: "L3-CES1-07",
6638
+ type: "auto",
6639
+ modules: ["security_hub_findings", "access_analyzer_findings"],
6640
+ securityHubControlIds: ["IAM.3", "IAM.4", "IAM.22"]
6641
+ },
6642
+ {
6643
+ id: "L3-CES1-08",
6644
+ type: "auto",
6645
+ modules: ["iam_privilege_escalation", "security_hub_findings"],
6646
+ securityHubControlIds: ["IAM.1", "IAM.21"]
6647
+ },
6648
+ {
6649
+ id: "L3-CES1-09",
6650
+ type: "auto",
6651
+ modules: ["iam_privilege_escalation", "access_analyzer_findings"]
6652
+ },
6653
+ {
6654
+ id: "L3-CES1-10",
6655
+ type: "auto",
6656
+ modules: ["iam_privilege_escalation", "security_hub_findings"],
6657
+ securityHubControlIds: ["IAM.1", "IAM.21"]
6658
+ },
6659
+ {
6660
+ id: "L3-CES1-11",
6661
+ type: "manual",
6662
+ guidance: "\u9700\u5728\u5E94\u7528\u5C42\u5BF9\u654F\u611F\u4FE1\u606F\u8FDB\u884C\u5206\u7C7B\uFF0C\u5229\u7528 Tag \u6216 Metadata \u6807\u8BB0\u6570\u636E\uFF0C\u914D\u5408\u8BBF\u95EE\u63A7\u5236\u7B56\u7565\u7BA1\u63A7"
6663
+ },
6664
+ {
6665
+ id: "L3-CES1-12",
6666
+ type: "auto",
6667
+ modules: ["service_detection", "security_hub_findings"],
6668
+ securityHubControlIds: ["CloudTrail.1"]
6669
+ },
6670
+ {
6671
+ id: "L3-CES1-13",
6672
+ type: "auto",
6673
+ modules: ["service_detection", "security_hub_findings"],
6674
+ securityHubControlIds: ["CloudTrail.1"]
6675
+ },
6676
+ {
6677
+ id: "L3-CES1-14",
6678
+ type: "auto",
6679
+ modules: ["security_hub_findings"],
6680
+ securityHubControlIds: ["CloudTrail.4", "CloudTrail.5", "CloudTrail.6", "CloudTrail.7"]
6681
+ },
6682
+ {
6683
+ id: "L3-CES1-15",
6684
+ type: "auto",
6685
+ modules: ["security_hub_findings"],
6686
+ securityHubControlIds: ["CloudTrail.4", "CloudTrail.5"]
6687
+ },
6688
+ // Note: L3-CES1-16 does not exist in the standard
6689
+ {
6690
+ id: "L3-CES1-17",
6691
+ type: "auto",
6692
+ modules: ["network_reachability", "security_hub_findings"],
6693
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6694
+ },
6695
+ {
6696
+ id: "L3-CES1-18",
6697
+ type: "auto",
6698
+ modules: ["network_reachability", "security_hub_findings"],
6699
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6700
+ },
6701
+ {
6702
+ id: "L3-CES1-19",
6703
+ type: "auto",
6704
+ modules: ["network_reachability", "security_hub_findings"],
6705
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6706
+ },
6707
+ {
6708
+ id: "L3-CES1-20",
6709
+ type: "manual",
6710
+ guidance: "\u9700\u542F\u7528 WAF \u89C4\u5219\u8FDB\u884C\u8F93\u5165\u9A8C\u8BC1\uFF0C\u6216\u5728\u5E94\u7528\u5C42\u5B9E\u73B0\u6570\u636E\u6709\u6548\u6027\u68C0\u9A8C"
6711
+ },
6712
+ {
6713
+ id: "L3-CES1-21",
6714
+ type: "auto",
6715
+ modules: ["inspector_findings", "patch_compliance_findings"]
6716
+ },
6717
+ {
6718
+ id: "L3-CES1-22",
6719
+ type: "auto",
6720
+ modules: ["guardduty_findings", "waf_coverage"]
6721
+ },
6722
+ {
6723
+ id: "L3-CES1-23",
6724
+ type: "manual",
6725
+ guidance: "\u9700\u5728\u64CD\u4F5C\u7CFB\u7EDF\u5C42\u5B89\u88C5\u7B2C\u4E09\u65B9\u6740\u6BD2\u4EA7\u54C1\uFF1B\u53EF\u7ED3\u5408 GuardDuty \u68C0\u6D4B\u6076\u610F\u884C\u4E3A"
6726
+ },
6727
+ { id: "L3-CES1-24", type: "not_applicable" },
6728
+ {
6729
+ id: "L3-CES1-25",
6730
+ type: "auto",
6731
+ modules: ["ssl_certificate", "security_hub_findings"],
6732
+ securityHubControlIds: ["ELB.1"]
6733
+ },
6734
+ {
6735
+ id: "L3-CES1-26",
6736
+ type: "manual",
6737
+ guidance: "\u9700\u5B89\u88C5\u7B2C\u4E09\u65B9\u9632\u7BE1\u6539\u8F6F\u4EF6\uFF1BS3 \u53EF\u5229\u7528\u5BF9\u8C61\u6821\u9A8C\u786E\u4FDD\u5B8C\u6574\u6027"
6738
+ },
6739
+ {
6740
+ id: "L3-CES1-27",
6741
+ type: "auto",
6742
+ modules: ["ssl_certificate", "security_hub_findings"],
6743
+ securityHubControlIds: ["ELB.1"]
6744
+ },
6745
+ {
6746
+ id: "L3-CES1-28",
6747
+ type: "auto",
6748
+ modules: ["security_hub_findings"],
6749
+ securityHubControlIds: ["S3.4", "EC2.7", "RDS.3"]
6750
+ },
6751
+ {
6752
+ id: "L3-CES1-29",
6753
+ type: "auto",
6754
+ modules: ["disaster_recovery"]
6755
+ },
6756
+ {
6757
+ id: "L3-CES1-30",
6758
+ type: "auto",
6759
+ modules: ["disaster_recovery"]
6760
+ },
6761
+ {
6762
+ id: "L3-CES1-31",
6763
+ type: "auto",
6764
+ modules: ["disaster_recovery"]
6765
+ },
6766
+ { id: "L3-CES1-32", type: "cloud_provider", note: "AWS \u5B58\u50A8\u670D\u52A1\u6570\u636E\u6E05\u9664\u7B56\u7565\u8986\u76D6" },
6767
+ { id: "L3-CES1-33", type: "cloud_provider", note: "AWS \u5B58\u50A8\u670D\u52A1\u6570\u636E\u6E05\u9664\u7B56\u7565\u8986\u76D6" },
6768
+ {
6769
+ id: "L3-CES1-34",
6770
+ type: "manual",
6771
+ guidance: "\u5E94\u7528\u4FA7\u884C\u4E3A \u2014 \u9700\u786E\u8BA4\u4EC5\u91C7\u96C6\u548C\u4FDD\u5B58\u4E1A\u52A1\u5FC5\u9700\u7684\u7528\u6237\u4E2A\u4EBA\u4FE1\u606F"
6772
+ },
6773
+ {
6774
+ id: "L3-CES1-35",
6775
+ type: "manual",
6776
+ guidance: "\u5E94\u7528\u4FA7\u884C\u4E3A \u2014 \u9700\u786E\u8BA4\u7981\u6B62\u672A\u6388\u6743\u8BBF\u95EE\u548C\u975E\u6CD5\u4F7F\u7528\u7528\u6237\u4E2A\u4EBA\u4FE1\u606F"
6777
+ },
6778
+ // L3-CES2-* (Cloud extension computing — 19 items)
6779
+ {
6780
+ id: "L3-CES2-01",
6781
+ type: "auto",
6782
+ modules: ["security_hub_findings"],
6783
+ securityHubControlIds: ["IAM.5", "IAM.6"]
6784
+ },
6785
+ { id: "L3-CES2-02", type: "cloud_provider", note: "AWS \u786E\u4FDD VM \u8FC1\u79FB\u65F6\u8BBF\u95EE\u63A7\u5236\u968F\u8FC1" },
6786
+ {
6787
+ id: "L3-CES2-03",
6788
+ type: "auto",
6789
+ modules: ["network_reachability", "security_hub_findings"],
6790
+ securityHubControlIds: ["EC2.18", "EC2.19"]
6791
+ },
6792
+ { id: "L3-CES2-04", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u865A\u62DF\u5316\u8D44\u6E90\u9694\u79BB" },
6793
+ {
6794
+ id: "L3-CES2-05",
6795
+ type: "auto",
6796
+ modules: ["guardduty_findings"]
6797
+ },
6798
+ {
6799
+ id: "L3-CES2-06",
6800
+ type: "manual",
6801
+ guidance: "\u9700\u90E8\u7F72\u7B2C\u4E09\u65B9\u5165\u4FB5\u9632\u8303\u548C\u6740\u6BD2\u4EA7\u54C1\u68C0\u6D4B\u865A\u62DF\u673A\u95F4\u6076\u610F\u4EE3\u7801\u8513\u5EF6"
6802
+ },
6803
+ {
6804
+ id: "L3-CES2-07",
6805
+ type: "manual",
6806
+ guidance: "\u82E5\u4E0D\u4F7F\u7528 AWS \u5B98\u65B9\u955C\u50CF\uFF0C\u9700\u81EA\u884C\u52A0\u56FA\u64CD\u4F5C\u7CFB\u7EDF"
6807
+ },
6808
+ {
6809
+ id: "L3-CES2-08",
6810
+ type: "manual",
6811
+ guidance: "\u82E5\u4E0D\u4F7F\u7528 AWS \u5B98\u65B9\u955C\u50CF\uFF0C\u9700\u81EA\u884C\u6821\u9A8C\u955C\u50CF\u548C\u5FEB\u7167\u5B8C\u6574\u6027"
6812
+ },
6813
+ {
6814
+ id: "L3-CES2-09",
6815
+ type: "auto",
6816
+ modules: ["security_hub_findings"],
6817
+ securityHubControlIds: ["EC2.7"]
6818
+ },
6819
+ { id: "L3-CES2-10", type: "cloud_provider", note: "AWS \u4E2D\u56FD\u533A\u6570\u636E\u5B58\u50A8\u4E8E\u4E2D\u56FD\u5883\u5185" },
6820
+ { id: "L3-CES2-11", type: "cloud_provider", note: "AWS \u4EC5\u5728\u5BA2\u6237\u6388\u6743\u4E0B\u7BA1\u7406\u6570\u636E" },
6821
+ { id: "L3-CES2-12", type: "cloud_provider", note: "AWS \u786E\u4FDD VM \u8FC1\u79FB\u6570\u636E\u5B8C\u6574\u6027" },
6822
+ {
6823
+ id: "L3-CES2-13",
6824
+ type: "auto",
6825
+ modules: ["security_hub_findings"],
6826
+ securityHubControlIds: ["KMS.4"]
6827
+ },
6828
+ { id: "L3-CES2-14", type: "not_applicable" },
6829
+ { id: "L3-CES2-15", type: "cloud_provider", note: "AWS \u652F\u6301\u67E5\u8BE2\u6570\u636E\u53CA\u5907\u4EFD\u5B58\u50A8\u4F4D\u7F6E" },
6830
+ { id: "L3-CES2-16", type: "cloud_provider", note: "AWS \u5B58\u50A8\u670D\u52A1\u4FDD\u8BC1\u591A\u526F\u672C\u4E00\u81F4" },
6831
+ { id: "L3-CES2-17", type: "not_applicable" },
6832
+ { id: "L3-CES2-18", type: "cloud_provider", note: "AWS \u786E\u4FDD VM \u5185\u5B58\u548C\u5B58\u50A8\u7A7A\u95F4\u56DE\u6536\u65F6\u5B8C\u5168\u6E05\u9664" },
6833
+ { id: "L3-CES2-19", type: "cloud_provider", note: "AWS \u786E\u4FDD\u5220\u9664\u6570\u636E\u65F6\u6E05\u9664\u6240\u6709\u526F\u672C" },
6834
+ // L3-CES3-* (Mobile — N/A)
6835
+ { id: "L3-CES3-01", type: "not_applicable" },
6836
+ { id: "L3-CES3-02", type: "not_applicable" },
6837
+ { id: "L3-CES3-03", type: "not_applicable" },
6838
+ { id: "L3-CES3-04", type: "not_applicable" },
6839
+ { id: "L3-CES3-05", type: "not_applicable" },
6840
+ // L3-CES4-* (IoT sensor/gateway — N/A)
6841
+ { id: "L3-CES4-01", type: "not_applicable" },
6842
+ { id: "L3-CES4-02", type: "not_applicable" },
6843
+ { id: "L3-CES4-03", type: "not_applicable" },
6844
+ { id: "L3-CES4-04", type: "not_applicable" },
6845
+ { id: "L3-CES4-05", type: "not_applicable" },
6846
+ { id: "L3-CES4-06", type: "not_applicable" },
6847
+ { id: "L3-CES4-07", type: "not_applicable" },
6848
+ { id: "L3-CES4-08", type: "not_applicable" },
6849
+ { id: "L3-CES4-09", type: "not_applicable" },
6850
+ { id: "L3-CES4-10", type: "not_applicable" },
6851
+ { id: "L3-CES4-11", type: "not_applicable" },
6852
+ // L3-CES5-* (Industrial control — N/A)
6853
+ { id: "L3-CES5-01", type: "not_applicable" },
6854
+ { id: "L3-CES5-02", type: "not_applicable" },
6855
+ { id: "L3-CES5-03", type: "not_applicable" },
6856
+ { id: "L3-CES5-04", type: "not_applicable" },
6857
+ { id: "L3-CES5-05", type: "not_applicable" },
6858
+ // =========================================================================
6859
+ // 安全管理中心 — L3-SMC1-* (12 items)
6860
+ // =========================================================================
6861
+ {
6862
+ id: "L3-SMC1-01",
6863
+ type: "auto",
6864
+ modules: ["iam_privilege_escalation", "security_hub_findings"],
6865
+ securityHubControlIds: ["IAM.4", "IAM.6"]
6866
+ },
6867
+ {
6868
+ id: "L3-SMC1-02",
6869
+ type: "auto",
6870
+ modules: ["security_hub_findings", "config_rules_findings"],
6871
+ securityHubControlIds: ["Config.1"]
6872
+ },
6873
+ {
6874
+ id: "L3-SMC1-03",
6875
+ type: "auto",
6876
+ modules: ["iam_privilege_escalation", "security_hub_findings"],
6877
+ securityHubControlIds: ["IAM.4", "IAM.6"]
6878
+ },
6879
+ {
6880
+ id: "L3-SMC1-04",
6881
+ type: "auto",
6882
+ modules: ["security_hub_findings"],
6883
+ securityHubControlIds: ["CloudTrail.1"]
6884
+ },
6885
+ {
6886
+ id: "L3-SMC1-05",
6887
+ type: "auto",
6888
+ modules: ["iam_privilege_escalation", "security_hub_findings"],
6889
+ securityHubControlIds: ["IAM.4", "IAM.6"]
6890
+ },
6891
+ {
6892
+ id: "L3-SMC1-06",
6893
+ type: "auto",
6894
+ modules: ["iam_privilege_escalation", "security_hub_findings"],
6895
+ securityHubControlIds: ["IAM.1", "IAM.21"]
6896
+ },
6897
+ {
6898
+ id: "L3-SMC1-07",
6899
+ type: "auto",
6900
+ modules: ["service_detection"],
6901
+ findingPatterns: ["Security Hub"]
6902
+ },
6903
+ {
6904
+ id: "L3-SMC1-08",
6905
+ type: "auto",
6906
+ modules: ["ssl_certificate", "security_hub_findings"],
6907
+ securityHubControlIds: ["ELB.1"]
6908
+ },
6909
+ {
6910
+ id: "L3-SMC1-09",
6911
+ type: "auto",
6912
+ modules: ["service_detection"],
6913
+ findingPatterns: ["CloudWatch"]
6914
+ },
6915
+ {
6916
+ id: "L3-SMC1-10",
6917
+ type: "auto",
6918
+ modules: ["security_hub_findings"],
6919
+ securityHubControlIds: ["CloudTrail.1"]
6920
+ },
6921
+ {
6922
+ id: "L3-SMC1-11",
6923
+ type: "manual",
6924
+ guidance: "\u9700\u90E8\u7F72\u7B2C\u4E09\u65B9\u9632\u5165\u4FB5\u548C\u9632\u75C5\u6BD2\u4EA7\u54C1\u8FDB\u884C\u5B89\u5168\u7B56\u7565\u3001\u6076\u610F\u4EE3\u7801\u3001\u8865\u4E01\u5347\u7EA7\u96C6\u4E2D\u7BA1\u7406"
6925
+ },
6926
+ {
6927
+ id: "L3-SMC1-12",
6928
+ type: "auto",
6929
+ modules: ["guardduty_findings", "security_hub_findings"],
6930
+ securityHubControlIds: ["GuardDuty.1"]
6931
+ },
6932
+ // L3-SMC2-* (Cloud extension management center — 4 items)
6933
+ { id: "L3-SMC2-01", type: "cloud_provider", note: "AWS \u8D1F\u8D23\u7EDF\u4E00\u7BA1\u7406\u8C03\u5EA6\u548C\u5206\u914D" },
6934
+ { id: "L3-SMC2-02", type: "cloud_provider", note: "AWS \u786E\u4FDD\u7BA1\u7406\u6D41\u91CF\u4E0E\u4E1A\u52A1\u6D41\u91CF\u5206\u79BB" },
6935
+ { id: "L3-SMC2-03", type: "cloud_provider", note: "AWS \u57FA\u4E8E\u8D23\u4EFB\u5171\u62C5\u6A21\u578B\u5B9E\u73B0\u96C6\u4E2D\u5BA1\u8BA1" },
6936
+ { id: "L3-SMC2-04", type: "cloud_provider", note: "AWS \u57FA\u4E8E\u8D23\u4EFB\u5171\u62C5\u6A21\u578B\u5B9E\u73B0\u96C6\u4E2D\u76D1\u6D4B" }
6937
+ ];
6938
+ var _mappingIndex = /* @__PURE__ */ new Map();
6939
+ for (const m of MLPS3_CHECK_MAPPING) {
6940
+ _mappingIndex.set(m.id, m);
6941
+ }
6942
+ function getMappingById(id) {
6943
+ return _mappingIndex.get(id);
6944
+ }
6945
+
4303
6946
  // src/tools/mlps-report.ts
6947
+ function evaluateFullCheck(item, mapping, allFindings, scanModules) {
6948
+ if (mapping.type === "cloud_provider") {
6949
+ return { item, mapping, status: "cloud_provider", relatedFindings: [] };
6950
+ }
6951
+ if (mapping.type === "not_applicable") {
6952
+ return { item, mapping, status: "not_applicable", relatedFindings: [] };
6953
+ }
6954
+ if (mapping.type === "manual") {
6955
+ return { item, mapping, status: "manual", relatedFindings: [] };
6956
+ }
6957
+ const mods = mapping.modules ?? [];
6958
+ const allModulesPresent = mods.every(
6959
+ (mod) => scanModules.some((m) => m.module === mod && m.status === "success")
6960
+ );
6961
+ if (!allModulesPresent) {
6962
+ return { item, mapping, status: "unknown", relatedFindings: [] };
6963
+ }
6964
+ let relatedFindings;
6965
+ if (mapping.securityHubControlIds?.length) {
6966
+ relatedFindings = allFindings.filter((f) => {
6967
+ if (!mods.includes(f.module ?? "")) return false;
6968
+ if (f.module === "security_hub_findings") {
6969
+ return mapping.securityHubControlIds.some((id) => f.title.includes(id));
6970
+ }
6971
+ return true;
6972
+ });
6973
+ } else if (mapping.findingPatterns?.length) {
6974
+ const patterns = mapping.findingPatterns;
6975
+ relatedFindings = allFindings.filter((f) => {
6976
+ if (!mods.includes(f.module ?? "")) return false;
6977
+ const text = `${f.title} ${f.description}`.toLowerCase();
6978
+ return patterns.some((pattern) => text.includes(pattern.toLowerCase()));
6979
+ });
6980
+ } else {
6981
+ relatedFindings = allFindings.filter((f) => mods.includes(f.module ?? ""));
6982
+ }
6983
+ const status = relatedFindings.length === 0 ? "clean" : "issues";
6984
+ return { item, mapping, status, relatedFindings };
6985
+ }
6986
+ function evaluateAllFullChecks(scanResults) {
6987
+ const allFindings = scanResults.modules.flatMap(
6988
+ (m) => m.findings.map((f) => ({ ...f, module: f.module ?? m.module }))
6989
+ );
6990
+ const scanModules = scanResults.modules.map((m) => ({
6991
+ module: m.module,
6992
+ status: m.status
6993
+ }));
6994
+ return MLPS3_FULL_CHECKLIST.map((item) => {
6995
+ const mapping = getMappingById(item.id);
6996
+ if (!mapping) {
6997
+ return {
6998
+ item,
6999
+ mapping: { id: item.id, type: "manual", guidance: "\u672A\u6620\u5C04\u7684\u68C0\u67E5\u9879" },
7000
+ status: "manual",
7001
+ relatedFindings: []
7002
+ };
7003
+ }
7004
+ return evaluateFullCheck(item, mapping, allFindings, scanModules);
7005
+ });
7006
+ }
4304
7007
  var MLPS_CHECKS = [
4305
7008
  // 一、身份鉴别
4306
7009
  {
@@ -4466,7 +7169,7 @@ function evaluateCheck(check, allFindings, scanModules) {
4466
7169
  });
4467
7170
  return {
4468
7171
  check,
4469
- status: relatedFindings.length === 0 ? "pass" : "fail",
7172
+ status: relatedFindings.length === 0 ? "clean" : "issues",
4470
7173
  relatedFindings
4471
7174
  };
4472
7175
  }
@@ -4483,22 +7186,25 @@ function generateMlps3Report(scanResults) {
4483
7186
  const results = MLPS_CHECKS.map(
4484
7187
  (check) => evaluateCheck(check, allFindings, scanModules)
4485
7188
  );
4486
- const passCount = results.filter((r) => r.status === "pass").length;
4487
- const failCount = results.filter((r) => r.status === "fail").length;
7189
+ const cleanCount = results.filter((r) => r.status === "clean").length;
7190
+ const issuesCount = results.filter((r) => r.status === "issues").length;
4488
7191
  const unknownCount = results.filter((r) => r.status === "unknown").length;
4489
- const checkedTotal = passCount + failCount;
7192
+ const checkedTotal = cleanCount + issuesCount;
4490
7193
  const total = results.length;
4491
- const percent = checkedTotal > 0 ? Math.round(passCount / checkedTotal * 100) : 0;
4492
7194
  const lines = [];
4493
7195
  lines.push("# \u7B49\u4FDD\u4E09\u7EA7\u9884\u68C0\u62A5\u544A");
4494
- lines.push("> **\u672C\u62A5\u544A\u4E3A\u7B49\u4FDD\u9884\u68C0\u53C2\u8003\uFF0C\u4EC5\u8986\u76D6 AWS \u4E91\u5E73\u53F0\u914D\u7F6E\u68C0\u67E5\u3002\u5B8C\u6574\u7B49\u4FDD\u6D4B\u8BC4\u9700\u7531\u6301\u8BC1\u6D4B\u8BC4\u673A\u6784\u6267\u884C\u3002**");
7196
+ lines.push("> **\u672C\u62A5\u544A\u4E3A\u7B49\u4FDD\u4E09\u7EA7\u9884\u68C0\u53C2\u8003\uFF0C\u63D0\u4F9B\u4E91\u5E73\u53F0\u914D\u7F6E\u68C0\u67E5\u6570\u636E\u4E0E\u5EFA\u8BAE\u3002\u5408\u89C4\u5224\u5B9A\uFF08\u7B26\u5408/\u90E8\u5206\u7B26\u5408/\u4E0D\u7B26\u5408\uFF09\u9700\u7531\u6301\u8BC1\u6D4B\u8BC4\u673A\u6784\u6839\u636E\u5B9E\u9645\u60C5\u51B5\u786E\u8BA4\u3002**");
4495
7197
  lines.push("");
4496
7198
  lines.push("## \u8D26\u6237\u4FE1\u606F");
4497
7199
  lines.push(`- Account: ${accountId} | Region: ${region} | \u626B\u63CF\u65F6\u95F4: ${scanTime}`);
4498
7200
  lines.push("");
4499
7201
  lines.push("## \u9884\u68C0\u603B\u89C8");
4500
- lines.push(`- \u68C0\u67E5\u9879: ${total} | \u901A\u8FC7: ${passCount} | \u4E0D\u901A\u8FC7: ${failCount}${unknownCount > 0 ? ` | \u672A\u68C0\u67E5: ${unknownCount}` : ""}`);
4501
- lines.push(`- \u901A\u8FC7\u7387: ${percent}%${unknownCount > 0 ? "\uFF08\u672A\u68C0\u67E5\u9879\u4E0D\u8BA1\u5165\u901A\u8FC7\u7387\uFF09" : ""}`);
7202
+ lines.push(`- \u5DF2\u68C0\u67E5 ${checkedTotal} \u9879 / \u5171 ${total} \u9879`);
7203
+ lines.push(` - \u672A\u53D1\u73B0\u95EE\u9898: ${cleanCount} \u9879`);
7204
+ lines.push(` - \u53D1\u73B0\u95EE\u9898: ${issuesCount} \u9879`);
7205
+ if (unknownCount > 0) {
7206
+ lines.push(` - \u672A\u68C0\u67E5: ${unknownCount} \u9879`);
7207
+ }
4502
7208
  lines.push("");
4503
7209
  for (const category of CATEGORY_ORDER) {
4504
7210
  const sectionTitle = CATEGORY_SECTION[category];
@@ -4515,10 +7221,10 @@ function generateMlps3Report(scanResults) {
4515
7221
  for (const [checkId, checkResults] of byId) {
4516
7222
  lines.push(`### ${checkId} ${checkResults[0].check.name}`);
4517
7223
  for (const r of checkResults) {
4518
- const icon = r.status === "pass" ? "\u2705" : r.status === "fail" ? "\u274C" : "\u26A0\uFE0F";
4519
- const label = r.status === "unknown" ? " \u672A\u68C0\u67E5" : "";
7224
+ const icon = r.status === "clean" ? "\u2705" : r.status === "issues" ? "\u274C" : "\u26A0\uFE0F";
7225
+ const label = r.status === "unknown" ? " \u672A\u68C0\u67E5" : r.status === "clean" ? " \u672A\u53D1\u73B0\u95EE\u9898" : r.status === "issues" ? " \u53D1\u73B0\u95EE\u9898" : "";
4520
7226
  lines.push(`- [${icon}] ${r.check.name}${label}`);
4521
- if (r.status === "fail" && r.relatedFindings.length > 0) {
7227
+ if (r.status === "issues" && r.relatedFindings.length > 0) {
4522
7228
  for (const f of r.relatedFindings.slice(0, 3)) {
4523
7229
  lines.push(` - ${f.severity}: ${f.title}`);
4524
7230
  }
@@ -4530,7 +7236,7 @@ function generateMlps3Report(scanResults) {
4530
7236
  lines.push("");
4531
7237
  }
4532
7238
  }
4533
- const failedResults = results.filter((r) => r.status === "fail");
7239
+ const failedResults = results.filter((r) => r.status === "issues");
4534
7240
  if (failedResults.length > 0) {
4535
7241
  lines.push("## \u5EFA\u8BAE\u6574\u6539\u9879\uFF08\u6309\u4F18\u5148\u7EA7\uFF09");
4536
7242
  lines.push("");
@@ -5225,21 +7931,15 @@ function generateMlps3HtmlReport(scanResults, history) {
5225
7931
  const { accountId, region, scanStart } = scanResults;
5226
7932
  const date = scanStart.split("T")[0];
5227
7933
  const scanTime = scanStart.replace("T", " ").replace(/\.\d+Z$/, " UTC");
5228
- const allFindings = scanResults.modules.flatMap(
5229
- (m) => m.findings.map((f) => ({ ...f, module: f.module ?? m.module }))
5230
- );
5231
- const scanModules = scanResults.modules.map((m) => ({
5232
- module: m.module,
5233
- status: m.status
5234
- }));
5235
- const results = MLPS_CHECKS.map(
5236
- (check) => evaluateCheck(check, allFindings, scanModules)
5237
- );
5238
- const passCount = results.filter((r) => r.status === "pass").length;
5239
- const failCount = results.filter((r) => r.status === "fail").length;
5240
- const unknownCount = results.filter((r) => r.status === "unknown").length;
5241
- const checkedTotal = passCount + failCount;
5242
- const percent = checkedTotal > 0 ? Math.round(passCount / checkedTotal * 100) : 0;
7934
+ const results = evaluateAllFullChecks(scanResults);
7935
+ const autoResults = results.filter((r) => r.mapping.type === "auto");
7936
+ const autoClean = autoResults.filter((r) => r.status === "clean").length;
7937
+ const autoIssues = autoResults.filter((r) => r.status === "issues").length;
7938
+ const autoUnknown = autoResults.filter((r) => r.status === "unknown").length;
7939
+ const checkedTotal = autoClean + autoIssues;
7940
+ const cloudCount = results.filter((r) => r.status === "cloud_provider").length;
7941
+ const manualCount = results.filter((r) => r.status === "manual").length;
7942
+ const naCount = results.filter((r) => r.status === "not_applicable").length;
5243
7943
  let trendHtml = "";
5244
7944
  if (history && history.length >= 2) {
5245
7945
  trendHtml = `
@@ -5255,68 +7955,102 @@ function generateMlps3HtmlReport(scanResults, history) {
5255
7955
  </div>
5256
7956
  </section>`;
5257
7957
  }
5258
- const categorySections = CATEGORY_ORDER.map((category) => {
5259
- const sectionTitle = CATEGORY_SECTION[category];
5260
- const categoryResults = results.filter(
5261
- (r) => r.check.category === category
5262
- );
5263
- if (categoryResults.length === 0) return "";
5264
- const catPass = categoryResults.filter((r) => r.status === "pass").length;
5265
- const catFail = categoryResults.filter((r) => r.status === "fail").length;
5266
- const catUnknown = categoryResults.filter(
5267
- (r) => r.status === "unknown"
5268
- ).length;
5269
- const byId = /* @__PURE__ */ new Map();
5270
- for (const r of categoryResults) {
5271
- const existing = byId.get(r.check.id) ?? [];
5272
- existing.push(r);
5273
- byId.set(r.check.id, existing);
7958
+ const categoryMap = /* @__PURE__ */ new Map();
7959
+ for (const r of results) {
7960
+ if (r.status === "not_applicable") continue;
7961
+ const cat = r.item.categoryCn;
7962
+ if (!categoryMap.has(cat)) categoryMap.set(cat, []);
7963
+ categoryMap.get(cat).push(r);
7964
+ }
7965
+ const categorySections = MLPS3_CATEGORY_ORDER.map((category) => {
7966
+ const sectionTitle = MLPS3_CATEGORY_SECTION[category];
7967
+ const catResults = categoryMap.get(category);
7968
+ if (!catResults || catResults.length === 0) return "";
7969
+ const allCloud = catResults.every((r) => r.status === "cloud_provider");
7970
+ if (allCloud) {
7971
+ return `<details class="category-fold mlps-cloud-section">
7972
+ <summary>
7973
+ <span class="category-title">${esc(sectionTitle)}</span>
7974
+ <span class="category-stats"><span class="category-stat-cloud">\u{1F3E2} ${catResults.length} \u9879\u4E91\u5E73\u53F0\u8D1F\u8D23</span></span>
7975
+ </summary>
7976
+ <div class="category-body">
7977
+ <div class="mlps-cloud-note">\u4EE5\u4E0B ${catResults.length} \u9879\u7531 AWS \u4E91\u5E73\u53F0\u8D1F\u8D23\uFF0C\u6839\u636E\u5B89\u5168\u8D23\u4EFB\u5171\u62C5\u6A21\u578B\u4E0D\u5728\u672C\u62A5\u544A\u68C0\u67E5\u8303\u56F4\u5185\u3002</div>
7978
+ ${catResults.map((r) => `<div class="check-item check-cloud"><span class="check-icon">\u{1F3E2}</span><span class="check-name">${esc(r.item.id)} ${esc(r.item.controlCn)}</span><span class="check-note">${esc(r.mapping.note ?? "")}</span></div>`).join("\n")}
7979
+ </div>
7980
+ </details>`;
5274
7981
  }
5275
- const groups = [...byId.entries()].map(([checkId, checkResults]) => {
5276
- const grpPass = checkResults.filter((r) => r.status === "pass").length;
5277
- const grpFail = checkResults.filter((r) => r.status === "fail").length;
5278
- const grpUnknown = checkResults.filter((r) => r.status === "unknown").length;
5279
- const items = checkResults.map((r) => {
5280
- const icon = r.status === "pass" ? "&#10004;" : r.status === "fail" ? "&#10008;" : "&#9888;";
5281
- const cls = `check-${r.status}`;
5282
- const label = r.status === "unknown" ? " (\u672A\u68C0\u67E5)" : "";
5283
- let findingsHtml = "";
5284
- if (r.status === "fail" && r.relatedFindings.length > 0) {
5285
- const items2 = r.relatedFindings.slice(0, 3).map(
5286
- (f) => `<li>${esc(f.severity)}: ${esc(f.title)}</li>`
5287
- );
5288
- if (r.relatedFindings.length > 3) {
5289
- items2.push(
5290
- `<li>... \u53CA\u5176\u4ED6 ${r.relatedFindings.length - 3} \u9879</li>`
5291
- );
7982
+ const catClean = catResults.filter((r) => r.status === "clean").length;
7983
+ const catIssues = catResults.filter((r) => r.status === "issues").length;
7984
+ const catUnknown = catResults.filter((r) => r.status === "unknown").length;
7985
+ const catCloud = catResults.filter((r) => r.status === "cloud_provider").length;
7986
+ const catManual = catResults.filter((r) => r.status === "manual").length;
7987
+ const statsHtml = [
7988
+ catClean > 0 ? `<span class="category-stat-clean">\u{1F7E2} ${catClean}</span>` : "",
7989
+ catIssues > 0 ? `<span class="category-stat-issues">\u{1F534} ${catIssues}</span>` : "",
7990
+ catUnknown > 0 ? `<span class="category-stat-unknown">? ${catUnknown}</span>` : "",
7991
+ catCloud > 0 ? `<span class="category-stat-cloud">\u{1F3E2} ${catCloud}</span>` : "",
7992
+ catManual > 0 ? `<span class="category-stat-manual">\u{1F4CB} ${catManual}</span>` : ""
7993
+ ].filter(Boolean).join("");
7994
+ const controlMap = /* @__PURE__ */ new Map();
7995
+ for (const r of catResults) {
7996
+ const key = r.item.controlCn;
7997
+ if (!controlMap.has(key)) controlMap.set(key, []);
7998
+ controlMap.get(key).push(r);
7999
+ }
8000
+ const controlGroups = [...controlMap.entries()].map(([controlName, controlResults]) => {
8001
+ const cloudItems = controlResults.filter((r) => r.status === "cloud_provider");
8002
+ const nonCloudItems = controlResults.filter((r) => r.status !== "cloud_provider");
8003
+ let itemsHtml = "";
8004
+ for (const r of nonCloudItems) {
8005
+ const icon = r.status === "clean" ? "\u{1F7E2}" : r.status === "issues" ? "\u{1F534}" : r.status === "unknown" ? "\u2B1C" : r.status === "manual" ? "\u{1F4CB}" : "\u{1F3E2}";
8006
+ const cls = `check-${r.status === "cloud_provider" ? "cloud" : r.status}`;
8007
+ const suffix = r.status === "unknown" ? " \u2014 \u672A\u68C0\u67E5" : r.status === "manual" ? ` \u2014 ${esc(r.mapping.guidance ?? "\u9700\u4EBA\u5DE5\u8BC4\u4F30")}` : "";
8008
+ let findingsDetail = "";
8009
+ if (r.status === "clean") {
8010
+ findingsDetail = `<div class="check-detail">\u68C0\u67E5\u7ED3\u679C\uFF1A\u672A\u53D1\u73B0\u76F8\u5173\u95EE\u9898</div>`;
8011
+ } else if (r.status === "issues" && r.relatedFindings.length > 0) {
8012
+ const fItems = r.relatedFindings.slice(0, 5).map((f) => `<li>${esc(f.severity)}: ${esc(f.title)}</li>`);
8013
+ if (r.relatedFindings.length > 5) {
8014
+ fItems.push(`<li>... \u53CA\u5176\u4ED6 ${r.relatedFindings.length - 5} \u9879</li>`);
5292
8015
  }
5293
- findingsHtml = `<ul class="check-findings">${items2.join("")}</ul>`;
8016
+ const remediationHint = r.relatedFindings[0]?.remediationSteps?.[0] ? `<p style="color:#fbbf24;font-size:12px;margin-top:4px">\u5EFA\u8BAE\uFF1A${esc(r.relatedFindings[0].remediationSteps[0])}</p>` : "";
8017
+ findingsDetail = `<div class="check-findings-wrap"><details><summary>\u68C0\u67E5\u7ED3\u679C\uFF1A\u53D1\u73B0 ${r.relatedFindings.length} \u4E2A\u76F8\u5173\u95EE\u9898</summary><ul class="check-findings">${fItems.join("")}</ul>${remediationHint}</details></div>`;
8018
+ }
8019
+ itemsHtml += `<div class="check-item ${cls}"><span class="check-icon">${icon}</span><span class="check-name">${esc(r.item.id)} ${esc(r.item.requirementCn.slice(0, 60))}${r.item.requirementCn.length > 60 ? "\u2026" : ""}${suffix}</span></div>
8020
+ ${findingsDetail}`;
8021
+ }
8022
+ if (cloudItems.length > 0) {
8023
+ for (const r of cloudItems) {
8024
+ itemsHtml += `<div class="check-item check-cloud"><span class="check-icon">\u{1F3E2}</span><span class="check-name">${esc(r.item.id)} ${esc(r.item.requirementCn.slice(0, 50))}${r.item.requirementCn.length > 50 ? "\u2026" : ""}</span><span class="check-note">\u4E91\u5E73\u53F0\u8D1F\u8D23</span></div>
8025
+ `;
5294
8026
  }
5295
- return `<div class="check-item ${cls}"><span class="check-icon">${icon}</span><span class="check-name">${esc(r.check.name)}${label}</span></div>${findingsHtml}`;
5296
- }).join("\n");
5297
- const statusBadges = [
5298
- grpPass > 0 ? `<span class="category-stat-pass">&#10003; ${grpPass}</span>` : "",
5299
- grpFail > 0 ? `<span class="category-stat-fail">&#10007; ${grpFail}</span>` : "",
5300
- grpUnknown > 0 ? `<span class="category-stat-unknown">? ${grpUnknown}</span>` : ""
8027
+ }
8028
+ const grpClean = controlResults.filter((r) => r.status === "clean").length;
8029
+ const grpIssues = controlResults.filter((r) => r.status === "issues").length;
8030
+ const grpUnknown = controlResults.filter((r) => r.status === "unknown").length;
8031
+ const grpCloud = controlResults.filter((r) => r.status === "cloud_provider").length;
8032
+ const grpManual = controlResults.filter((r) => r.status === "manual").length;
8033
+ const grpStats = [
8034
+ grpClean > 0 ? `<span class="category-stat-clean">\u{1F7E2} ${grpClean}</span>` : "",
8035
+ grpIssues > 0 ? `<span class="category-stat-issues">\u{1F534} ${grpIssues}</span>` : "",
8036
+ grpUnknown > 0 ? `<span class="category-stat-unknown">? ${grpUnknown}</span>` : "",
8037
+ grpCloud > 0 ? `<span class="category-stat-cloud">\u{1F3E2} ${grpCloud}</span>` : "",
8038
+ grpManual > 0 ? `<span class="category-stat-manual">\u{1F4CB} ${grpManual}</span>` : ""
5301
8039
  ].filter(Boolean).join(" ");
5302
- return `<details class="severity-group-fold"><summary><h4>${esc(checkId)} ${esc(checkResults[0].check.name)} <span class="category-stats">${statusBadges}</span></h4></summary>
5303
- ${items}
8040
+ const hasFailures = grpIssues > 0;
8041
+ return `<details class="severity-group-fold"${hasFailures ? " open" : ""}><summary><h4>${esc(controlName)} <span class="category-stats">${grpStats}</span></h4></summary>
8042
+ ${itemsHtml}
5304
8043
  </details>`;
5305
8044
  }).join("\n");
5306
- const statsHtml = [
5307
- catPass > 0 ? `<span class="category-stat-pass">&#10003; ${catPass}</span>` : "",
5308
- catFail > 0 ? `<span class="category-stat-fail">&#10007; ${catFail}</span>` : "",
5309
- catUnknown > 0 ? `<span class="category-stat-unknown">? ${catUnknown}</span>` : ""
5310
- ].filter(Boolean).join("");
5311
8045
  return `<details class="category-fold">
5312
8046
  <summary>
5313
8047
  <span class="category-title">${esc(sectionTitle)}</span>
5314
8048
  <span class="category-stats">${statsHtml}</span>
5315
8049
  </summary>
5316
- <div class="category-body">${groups}</div>
8050
+ <div class="category-body">${controlGroups}</div>
5317
8051
  </details>`;
5318
8052
  }).filter(Boolean).join("\n");
5319
- const failedResults = results.filter((r) => r.status === "fail");
8053
+ const failedResults = results.filter((r) => r.status === "issues");
5320
8054
  let remediationHtml = "";
5321
8055
  if (failedResults.length > 0) {
5322
8056
  const mlpsRecMap = /* @__PURE__ */ new Map();
@@ -5339,54 +8073,78 @@ ${items}
5339
8073
  if (sevDiff !== 0) return sevDiff;
5340
8074
  return b.count - a.count;
5341
8075
  });
5342
- const renderMlpsRec = (r) => {
5343
- const sev = r.severity.toLowerCase();
5344
- const countLabel = r.count > 1 ? ` (&times; ${r.count})` : "";
5345
- return `<li><span class="badge badge-${esc(sev)}">${esc(r.severity)}</span> ${esc(r.text)}${countLabel}</li>`;
5346
- };
5347
- const MLPS_TOP_N = 10;
5348
- const mlpsTopItems = mlpsUniqueRecs.slice(0, MLPS_TOP_N).map(renderMlpsRec).join("\n");
5349
- const mlpsRemaining = mlpsUniqueRecs.slice(MLPS_TOP_N);
5350
- const mlpsMoreHtml = mlpsRemaining.length > 0 ? `
8076
+ if (mlpsUniqueRecs.length > 0) {
8077
+ const renderMlpsRec = (r) => {
8078
+ const sev = r.severity.toLowerCase();
8079
+ const countLabel = r.count > 1 ? ` (&times; ${r.count})` : "";
8080
+ return `<li><span class="badge badge-${esc(sev)}">${esc(r.severity)}</span> ${esc(r.text)}${countLabel}</li>`;
8081
+ };
8082
+ const MLPS_TOP_N = 10;
8083
+ const mlpsTopItems = mlpsUniqueRecs.slice(0, MLPS_TOP_N).map(renderMlpsRec).join("\n");
8084
+ const mlpsRemaining = mlpsUniqueRecs.slice(MLPS_TOP_N);
8085
+ const mlpsMoreHtml = mlpsRemaining.length > 0 ? `
5351
8086
  <details><summary>\u663E\u793A\u5176\u4F59 ${mlpsRemaining.length} \u9879&hellip;</summary>
5352
8087
  ${mlpsRemaining.map(renderMlpsRec).join("\n")}
5353
8088
  </details>` : "";
5354
- remediationHtml = `
5355
- <details class="rec-fold">
5356
- <summary><h2 style="margin:0;border:0;display:inline">\u5EFA\u8BAE\u6574\u6539\u9879\uFF08${mlpsUniqueRecs.length} \u9879\u53BB\u91CD\uFF09</h2></summary>
5357
- <div class="rec-body">
5358
- <ol>${mlpsTopItems}${mlpsMoreHtml}</ol>
5359
- </div>
5360
- </details>`;
8089
+ remediationHtml = `
8090
+ <details class="rec-fold" open>
8091
+ <summary><h2 style="margin:0;border:0;display:inline">\u5EFA\u8BAE\u6574\u6539\u9879\uFF08${mlpsUniqueRecs.length} \u9879\u53BB\u91CD\uFF09</h2></summary>
8092
+ <div class="rec-body">
8093
+ <ol>${mlpsTopItems}${mlpsMoreHtml}</ol>
8094
+ </div>
8095
+ </details>`;
8096
+ }
5361
8097
  }
5362
- const passRateColor = percent >= 80 ? "#22c55e" : percent >= 50 ? "#eab308" : "#ef4444";
5363
- const unknownNote = unknownCount > 0 ? `<div style="color:#94a3b8;font-size:12px;margin-top:8px">\uFF08\u672A\u68C0\u67E5\u9879\u4E0D\u8BA1\u5165\u901A\u8FC7\u7387\uFF09</div>` : "";
8098
+ const naNote = naCount > 0 ? `<p style="color:#64748b;font-size:13px;margin-top:24px">\u4E0D\u9002\u7528\u9879: ${naCount} \u9879\uFF08\u7269\u8054\u7F51/\u65E0\u7EBF\u7F51\u7EDC/\u79FB\u52A8\u7EC8\u7AEF/\u5DE5\u63A7\u7CFB\u7EDF/\u53EF\u4FE1\u9A8C\u8BC1\u7B49\uFF09</p>` : "";
8099
+ const unknownNote = autoUnknown > 0 ? `<div style="color:#94a3b8;font-size:12px;margin-top:8px">\uFF08${autoUnknown} \u9879\u672A\u68C0\u67E5\uFF0C\u5BF9\u5E94\u626B\u63CF\u6A21\u5757\u672A\u8FD0\u884C\uFF09</div>` : "";
8100
+ const mlpsCss = `
8101
+ .mlps-cloud-section>summary{color:#94a3b8}
8102
+ .mlps-cloud-note{color:#94a3b8;font-size:13px;margin-bottom:12px;font-style:italic}
8103
+ .check-cloud{background:rgba(148,163,184,0.08)}
8104
+ .check-cloud .check-note{color:#64748b;font-size:12px;margin-left:auto;white-space:nowrap}
8105
+ .check-manual{background:rgba(148,163,184,0.06)}
8106
+ .check-clean{background:rgba(34,197,94,0.1);border-left:3px solid #22c55e}
8107
+ .check-issues{background:rgba(239,68,68,0.1);border-left:3px solid #ef4444}
8108
+ .check-unknown{background:rgba(148,163,184,0.1);border-left:3px solid #94a3b8}
8109
+ .check-findings-wrap{margin-left:28px;margin-bottom:4px}
8110
+ .check-detail{color:#94a3b8;font-size:13px;margin-left:28px;margin-top:2px}
8111
+ .category-stat-clean{color:#22c55e}
8112
+ .category-stat-issues{color:#ef4444}
8113
+ .category-stat-cloud{color:#94a3b8}
8114
+ .category-stat-manual{color:#94a3b8}
8115
+ .mlps-summary-cards{display:flex;gap:12px;flex-wrap:wrap;margin-bottom:32px}
8116
+ .mlps-summary-card{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:16px 20px;text-align:center;min-width:100px;flex:1}
8117
+ .mlps-summary-card .stat-count{font-size:28px;font-weight:700}
8118
+ .mlps-summary-card .stat-label{font-size:12px;color:#94a3b8;margin-top:2px}
8119
+ `;
5364
8120
  return `<!DOCTYPE html>
5365
8121
  <html lang="zh-CN">
5366
8122
  <head>
5367
8123
  <meta charset="UTF-8">
5368
8124
  <meta name="viewport" content="width=device-width,initial-scale=1">
5369
8125
  <title>\u7B49\u4FDD\u4E09\u7EA7\u9884\u68C0\u62A5\u544A &mdash; ${esc(date)}</title>
5370
- <style>${sharedCss()}</style>
8126
+ <style>${sharedCss()}${mlpsCss}</style>
5371
8127
  </head>
5372
8128
  <body>
5373
8129
  <div class="container">
5374
8130
 
5375
8131
  <header>
5376
8132
  <h1>&#128737;&#65039; \u7B49\u4FDD\u4E09\u7EA7\u9884\u68C0\u62A5\u544A</h1>
5377
- <div class="disclaimer">\u672C\u62A5\u544A\u4E3A\u7B49\u4FDD\u9884\u68C0\u53C2\u8003\uFF0C\u4EC5\u8986\u76D6 AWS \u4E91\u5E73\u53F0\u914D\u7F6E\u68C0\u67E5\u3002\u5B8C\u6574\u7B49\u4FDD\u6D4B\u8BC4\u9700\u7531\u6301\u8BC1\u6D4B\u8BC4\u673A\u6784\u6267\u884C\u3002</div>
8133
+ <div class="disclaimer">\u672C\u62A5\u544A\u4E3A\u7B49\u4FDD\u4E09\u7EA7\u9884\u68C0\u53C2\u8003\uFF0C\u63D0\u4F9B\u4E91\u5E73\u53F0\u914D\u7F6E\u68C0\u67E5\u6570\u636E\u4E0E\u5EFA\u8BAE\u3002\u5408\u89C4\u5224\u5B9A\uFF08\u7B26\u5408/\u90E8\u5206\u7B26\u5408/\u4E0D\u7B26\u5408\uFF09\u9700\u7531\u6301\u8BC1\u6D4B\u8BC4\u673A\u6784\u6839\u636E\u5B9E\u9645\u60C5\u51B5\u786E\u8BA4\u3002\uFF08GB/T 22239-2019 \u5B8C\u6574\u68C0\u67E5\u6E05\u5355 184 \u9879\uFF09</div>
5378
8134
  <div class="meta">\u8D26\u6237: ${esc(accountId)} | \u533A\u57DF: ${esc(region)} | \u626B\u63CF\u65F6\u95F4: ${esc(scanTime)}</div>
5379
8135
  </header>
5380
8136
 
5381
- <section class="summary">
5382
- <div class="score-card">
5383
- <div class="score-value" style="color:${passRateColor}">${percent}%</div>
5384
- <div class="score-label">\u901A\u8FC7\u7387</div>
8137
+ <section class="summary" style="display:block;text-align:center">
8138
+ <div style="font-size:36px;font-weight:700;margin-bottom:12px">
8139
+ <span style="color:#22c55e">${autoClean}</span> <span style="color:#94a3b8;font-size:18px">\u672A\u53D1\u73B0\u95EE\u9898</span>
8140
+ <span style="color:#475569;margin:0 16px">/</span>
8141
+ <span style="color:#ef4444">${autoIssues}</span> <span style="color:#94a3b8;font-size:18px">\u53D1\u73B0\u95EE\u9898</span>
5385
8142
  </div>
5386
- <div class="severity-stats">
5387
- <div class="stat-card" style="border-color:#22c55e30"><div class="stat-count" style="color:#22c55e">${passCount}</div><div class="stat-label">\u901A\u8FC7</div></div>
5388
- <div class="stat-card" style="border-color:#ef444430"><div class="stat-count" style="color:#ef4444">${failCount}</div><div class="stat-label">\u4E0D\u901A\u8FC7</div></div>
5389
- ${unknownCount > 0 ? `<div class="stat-card" style="border-color:#94a3b830"><div class="stat-count" style="color:#94a3b8">${unknownCount}</div><div class="stat-label">\u672A\u68C0\u67E5</div></div>` : ""}
8143
+ <div class="mlps-summary-cards" style="justify-content:center">
8144
+ <div class="mlps-summary-card"><div class="stat-count" style="color:#60a5fa">${checkedTotal}</div><div class="stat-label">\u5DF2\u68C0\u67E5\u9879</div></div>
8145
+ <div class="mlps-summary-card"><div class="stat-count" style="color:#94a3b8">${cloudCount}</div><div class="stat-label">\u{1F3E2} \u4E91\u5E73\u53F0\u8D1F\u8D23</div></div>
8146
+ <div class="mlps-summary-card"><div class="stat-count" style="color:#eab308">${manualCount}</div><div class="stat-label">\u{1F4CB} \u9700\u4EBA\u5DE5\u8BC4\u4F30</div></div>
8147
+ ${naCount > 0 ? `<div class="mlps-summary-card"><div class="stat-count" style="color:#64748b">${naCount}</div><div class="stat-label">\u2796 \u4E0D\u9002\u7528</div></div>` : ""}
5390
8148
  </div>
5391
8149
  </section>
5392
8150
  ${unknownNote}
@@ -5399,9 +8157,11 @@ ${categorySections}
5399
8157
 
5400
8158
  ${remediationHtml}
5401
8159
 
8160
+ ${naNote}
8161
+
5402
8162
  <footer>
5403
8163
  <p>\u7531 AWS Security MCP Server v${VERSION} \u751F\u6210</p>
5404
- <p>\u672C\u62A5\u544A\u4EC5\u4F9B\u53C2\u8003\u3002\u5B8C\u6574\u7B49\u4FDD\u6D4B\u8BC4\u9700\u7531\u6301\u8BC1\u6D4B\u8BC4\u673A\u6784\u6267\u884C\u3002</p>
8164
+ <p>\u672C\u62A5\u544A\u4E3A\u8BC1\u636E\u6536\u96C6\u53C2\u8003\uFF0C\u4E0D\u5305\u542B\u5408\u89C4\u5224\u5B9A\u3002\u5B8C\u6574\u7B49\u4FDD\u6D4B\u8BC4\u9700\u7531\u6301\u8BC1\u6D4B\u8BC4\u673A\u6784\u6267\u884C\u3002</p>
5405
8165
  </footer>
5406
8166
 
5407
8167
  </div>