
Cyber Security Tips for ECS Instances

Cyber security should be a primary concern in this information era. This article gives some useful information on ECS and its security hardening requirements.

An Elastic Compute Service (ECS) instance, an ApsaraDB for RDS MySQL database and a Server Load Balancer, together with an Elastic IP and a security group, is the most common deployment for applications hosted on the web. Although such a system functions well, this type of deployment is deficient in terms of cyber security. This is especially true for servers used in production.

This article focuses on ECS and its security hardening requirements, which are easy to follow.

Reduce External Exposure of Alibaba Cloud Resources

As part of the design of your offering, you should have controls in place to ensure that an ECS instance can only access the data and resources it is authorized to access. What controls can you put in place? What assurance can you offer that an instance's data cannot be accessed by another ECS instance? This all comes down to the principle of least privilege: the less you expose the offering to the external world, the more secure the design.

In Alibaba Cloud this is achieved through security groups and network segregation of your offering.

A security group plays an important role here in segregating traffic. It:

  1. Operates at the instance level (first layer of defense)
  2. Supports allow rules only
  3. Is stateful: return traffic is automatically allowed, regardless of any rules
  4. Evaluates all rules before deciding whether to allow traffic
  5. Applies to an ECS instance only if the security group is specified when the instance is launched, or is associated with the instance later on

Network segregation: after creating a VPC, the next logical construct is the vSwitch. vSwitches in Alibaba Cloud are sub-networks within a VPC and are analogous to subnets. You can add one or more vSwitches in each availability zone (AZ); however, each vSwitch must reside exclusively within one AZ and cannot span AZs. A typical example is a production environment segregated across two AZs, each operating on a different vSwitch, with a staging environment on a completely separate vSwitch.
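The least-privilege point above is easiest to check mechanically: no inbound rule should open an administrative or database port to the whole Internet, and the private tier should only accept traffic from the tier in front of it. The following Python is an added example written for this article, not Alibaba Cloud code; the rule dictionaries, the ADMIN_PORTS list and the `sg-bastion`/`sg-app` group names are constructed conventions for the example and do not follow the Alibaba Cloud API shape.

```python
import ipaddress

# Services that should never be reachable from the whole Internet on a
# production ECS instance. Constructed list for this example; extend to taste.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 6379: "redis"}


def rule(port_from, port_to, source, description=""):
    """One inbound allow rule. 'source' is either a CIDR or the name of another
    security group (a constructed convention, not the Alibaba Cloud API shape)."""
    return {"port_from": port_from, "port_to": port_to,
            "source": source, "description": description}


def is_world_open(source):
    """True when the source is a CIDR covering all of IPv4 or IPv6 (prefix /0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # a security-group reference, which is never world-open


def audit_inbound_rules(rules):
    """Return one finding per administrative port that a rule opens to the world."""
    findings = []
    for r in rules:
        if not is_world_open(r["source"]):
            continue
        for port, name in sorted(ADMIN_PORTS.items()):
            if r["port_from"] <= port <= r["port_to"]:
                findings.append(
                    f"{name} ({port}) open to {r['source']} by rule '{r['description']}'")
    return findings


# Constructed rule sets. The weak one mirrors the "open to the world" default
# the article warns about; the hardened one chains three security groups so
# that only the bastion group is reachable, and only from a known office range.
WEAK_RULES = [
    rule(22, 22, "0.0.0.0/0", "ssh from anywhere"),
    rule(1, 65535, "0.0.0.0/0", "all ports, added while debugging"),
    rule(80, 80, "0.0.0.0/0", "http"),
]
HARDENED_RULES = [
    rule(22, 22, "203.0.113.0/24", "bastion sg: ssh from office range"),
    rule(22, 22, "sg-bastion", "app sg: ssh only from the bastion group"),
    rule(3306, 3306, "sg-app", "db sg: mysql only from the app tier"),
    rule(80, 80, "0.0.0.0/0", "app sg: http"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_inbound_rules(rules) or ["no world-open admin ports"])
```

The hardened set is the shape the vSwitch/AZ layout in the text implies: the Internet reaches only port 80 on the application group, SSH to the application tier is accepted only from the bastion group, and MySQL only from the application group. Pointing the audit at the real rule list exported from the console (the "Manage security group rules" document below describes exporting them) is a one-line adaptation of `rule()`.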

Secure Bastion Hosts

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.

Some security points to be considered:

  1. The bastion host is the single point of access to the private ECS instances; its security must be correspondingly high.
  2. Use SSH key-based (identity) login to connect to bastion hosts.
  3. Harden the bastion by limiting access to a given public IP or IP range.
  4. Monitor the logins.
  5. Disable root logins on bastion hosts.
  6. Use different bastion hosts for the production and development environments.
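Points 2, 3 and 5 of that checklist are all sshd_config settings on the bastion, so they can be audited from the file itself. The following Python is an added example for this article, not part of the original post or of any Alibaba Cloud tooling. The option names (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, AllowUsers, Match) are real OpenSSH keywords; the two config texts, the user name `ops-admin` and the address range 203.0.113.0/24 are constructed for the example.

```python
import re

# Settings the bastion checklist calls for, with the value each must hold.
REQUIRED = {
    "PermitRootLogin": "no",          # checklist point 5
    "PasswordAuthentication": "no",   # point 2: keys only
    "PubkeyAuthentication": "yes",
}
# Value sshd assumes when the option is absent. PermitRootLogin's default has
# changed between OpenSSH releases, so an absent value is treated as a finding.
DEFAULTS = {"PermitRootLogin": None, "PasswordAuthentication": "yes",
            "PubkeyAuthentication": "yes"}


def parse_sshd_config(text):
    """Return (global_settings, match_overrides).

    global_settings maps lowercase option -> first value seen, because sshd
    keeps the first occurrence of each keyword. match_overrides lists
    (criteria, option, value) for lines inside Match blocks, which apply only
    when the criteria hold and can silently re-enable a weak setting."""
    settings, overrides = {}, []
    match_criteria = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd only honours whole-line comments
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match_criteria = value
            continue
        if match_criteria is not None:
            overrides.append((match_criteria, key, value))
        else:
            settings.setdefault(key, value)
    return settings, overrides


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    settings, overrides = parse_sshd_config(text)
    findings = []
    for option, wanted in REQUIRED.items():
        actual = settings.get(option.lower(), DEFAULTS[option])
        if actual is None:
            findings.append(f"{option} is not set; set it to '{wanted}'")
        elif actual.lower() != wanted:
            findings.append(f"{option} is '{actual}', expected '{wanted}'")
    for criteria, key, value in overrides:
        for option, wanted in REQUIRED.items():
            if key == option.lower() and value.lower() != wanted:
                findings.append(f"Match {criteria} re-enables {option} {value}")
    # Point 3: AllowUsers user@host patterns restrict both the account and the
    # source address; without it every local account may attempt a login.
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups: any local account can attempt SSH login")
    return findings


# Constructed sshd_config close to a stock image: nothing is explicitly locked down.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
"""

# Constructed sshd_config for a bastion: key-only, no root, one admin account
# accepted only from the office range (source filtering also belongs in the
# security group; this is the second layer).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ops-admin@203.0.113.0/24
"""

if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

The Match-block check matters in practice: a hardened global section followed by `Match Address ...` / `PasswordAuthentication yes` passes a naive grep for `PasswordAuthentication no` while still accepting passwords from that range, so the audit reports the override as its own finding.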

Hardening ECS OS Images

By default, ECS-provisioned OS images are open to the world; their security posture falls short of what a production environment requires. Hardening the OS image provisioned in Alibaba ECS is left as the end user's responsibility. Instances should either go through an approved hardening process or be built from approved custom images.

The end user can benefit from the CIS benchmarks for the OS hardening process. Once the ECS OS has been assessed with a CIS benchmark tool, the end user is presented with the actions to be taken.

Vulnerability and Penetration Testing of ECS Instance

Before starting this activity, you need to request permission from Alibaba Cloud for your root account. Only once permission is granted can you start the vulnerability testing (VT) and penetration testing (PT) activity. Otherwise, any suspicious traffic spikes will be blocked by Alibaba Cloud Security Intelligence.

VT and PT are must-perform activities for your production service; they ensure compliance and security governance of your managed resources.

The vulnerability management process ensures that all critical patches are applied in a timely manner and that all required assets, particularly ECS instances, are covered.

A continuous penetration testing process ensures that applications exposed on Alibaba Cloud services are safe from black-hat hackers, and that a continuous effort goes into achieving web security.


There are many resources in Alibaba Cloud that need to be monitored. Manually scrubbing through the logs is an error-prone task, so take advantage of a monitoring solution.

Some of the events that can be actively monitored for Alibaba ECS Linux instances:

Monitored from syslog events:

  1. Nginx/httpd (Apache) web server error logs
  2. SSH: too many failed authentications
  3. SSH successful logins
  4. sudo command invocations

Monitored from system processes:

  1. Processes with listening sockets
  2. Open connections
  3. Zombie processes

Monitored from the system:

  1. User and group list
  2. Group membership changes

Monitored from the file system:

  1. SSH authorized_keys files of users
  2. SSH known_hosts files of users
  3. APT/YUM GPG keys changed or added

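The syslog items in the first list (failed and successful SSH logins, sudo invocations) and the authorized_keys item in the last list are the ones most monitoring solutions implement first, and the detection logic is short enough to show in full. The following Python is an added example for this article, not code from the original post or from any Alibaba Cloud product. The line formats follow what OpenSSH and sudo write to syslog; the sample log lines, the host name `bastion`, the user names and the addresses are constructed, and the threshold of five failures is an assumed tuning value.

```python
import re
from collections import Counter

# Patterns for the syslog lines sshd and sudo write (OpenSSH / sudo formats).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def analyze_auth_log(lines, failure_threshold=5):
    """Summarise SSH and sudo activity and raise alerts for the events the
    article lists: too many failed authentications per source, successful
    logins, and sudo invocations. failure_threshold is an assumed tuning value."""
    failed = Counter()
    accepted, sudo = [], []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1          # count per source address
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"method": m.group(1), "user": m.group(2), "src": m.group(3)})
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo.append({"user": m.group(1), "as": m.group(2), "command": m.group(3)})
    alerts = [f"{src}: {n} failed SSH authentications"
              for src, n in failed.items() if n >= failure_threshold]
    # On a key-only bastion any password login means the hardening has regressed.
    alerts += [f"password login for {a['user']} from {a['src']}"
               for a in accepted if a["method"] == "password"]
    return {"failed_by_source": dict(failed), "accepted": accepted,
            "sudo": sudo, "alerts": alerts}


def authorized_keys_diff(baseline, current):
    """Compare two {user: set_of_key_lines} snapshots of ~/.ssh/authorized_keys.
    Any key added outside a change ticket is worth an alert: it is a common way
    to keep access to a host after the original foothold is closed."""
    changes = {}
    for user in sorted(set(baseline) | set(current)):
        added = current.get(user, set()) - baseline.get(user, set())
        removed = baseline.get(user, set()) - current.get(user, set())
        if added or removed:
            changes[user] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


# Constructed auth.log excerpt: a password-guessing burst from one address,
# a key login from the office range, and one sudo invocation.
SAMPLE_LOG = """\
Mar  3 10:01:12 bastion sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40222 ssh2
Mar  3 10:01:14 bastion sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40224 ssh2
Mar  3 10:01:16 bastion sshd[1205]: Failed password for root from 198.51.100.7 port 40226 ssh2
Mar  3 10:01:18 bastion sshd[1207]: Failed password for root from 198.51.100.7 port 40228 ssh2
Mar  3 10:01:20 bastion sshd[1209]: Failed password for ubuntu from 198.51.100.7 port 40230 ssh2
Mar  3 10:02:03 bastion sshd[1211]: Accepted password for deploy from 198.51.100.7 port 40232 ssh2
Mar  3 10:03:45 bastion sshd[1220]: Failed publickey for ops-admin from 203.0.113.9 port 51000 ssh2: RSA SHA256:constructed
Mar  3 10:03:47 bastion sshd[1220]: Accepted publickey for ops-admin from 203.0.113.9 port 51000 ssh2: ED25519 SHA256:constructed
Mar  3 10:05:40 bastion sudo:   ops-admin : TTY=pts/0 ; PWD=/home/ops-admin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
""".splitlines()

# Constructed authorized_keys snapshots (key material abbreviated).
KEYS_BASELINE = {"ops-admin": {"ssh-ed25519 AAAA...ops ops@laptop"}}
KEYS_CURRENT = {"ops-admin": {"ssh-ed25519 AAAA...ops ops@laptop", "ssh-rsa AAAA...unknown"},
                "deploy": {"ssh-rsa AAAA...deploy"}}

if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_LOG)
    for alert in report["alerts"]:
        print("ALERT", alert)
    for entry in report["sudo"]:
        print("SUDO", entry)
    print("KEY CHANGES", authorized_keys_diff(KEYS_BASELINE, KEYS_CURRENT))
```

Run over a live `/var/log/auth.log` (Ubuntu) or `/var/log/secure` (CentOS), the same functions give the per-source failure counts, the successful logins and the sudo trail that the list above asks for; the authorized_keys snapshots would come from reading each user's file at two points in time.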
For other fundamental resources, like SLB, OSS and RDS, and their security hardening requirements, please see 11 Security Recommendations for Production Instances on Alibaba Cloud.

Related Blog Posts

Top 5 Security Considerations for Cloud Deployments

In this article, we will address these concerns by discussing the top 5 security considerations you should look out for in a cloud provider. The Alibaba Cloud Security team has also written a detailed security whitepaper, covering all your security concerns of deploying on Alibaba Cloud.

1. Security Architecture of Cloud Provider

The security features of Alibaba Cloud are built on top of an 11-layer security architecture dubbed the "Security Compass". The Alibaba Cloud Security Compass consists of four layers oriented at cloud platform and seven layers oriented at cloud users.

2. Security Features of Cloud Products

Obviously, one of the main considerations when it comes to ensuring security on the cloud is to make sure the products that you use are robust. This means that even without any additional security products and services, the cloud product of your choice must be able to withstand a variety of cyber-attacks.

Alibaba Cloud Elastic Compute Service (ECS) instances can achieve this by employing features such as tenant isolation. Tenant isolation is achieved by providing isolation between the virtual machine management (VMM) system and the customer's VM, and isolation between customer's VMs. On Alibaba Cloud, ECS instances that are assigned to different users are isolated, providing the needed security barriers among tenants.

3. Security Services Offered by Cloud Provider

Despite having all these security features, your IT infrastructure is still not completely immune to cyber-attacks. If you want to keep your data and applications secure, you should definitely consider investing in cyber security products offered by your cloud provider.

4. Security Compliance and Credentials

For users to operate freely across the globe, cloud providers need to adhere to domestic and international information security standards, as well as industry requirements. Cloud providers should integrate compliance requirements and standards into internal control frameworks, and implement such standards by design in their cloud platform and products.

5. Shared Security Responsibility Model

Alibaba Cloud and its customers are jointly responsible for the security of customers' applications built on Alibaba Cloud. On Alibaba Cloud, customers are responsible only for the security of applications built on top of or connected to the cloud. Alibaba Cloud, on the other hand, is responsible for the security of the underlying cloud service platform and infrastructure.

Alibaba Cloud ECS Instance Security Checklist for Ubuntu 16.04

Security should be a first priority when deploying an Ubuntu 16.04 server on Alibaba Cloud. While Linux is considered secure out of the box, there is a lot more you can do to achieve an adequate level of security on your system.

Alibaba Cloud offers Ubuntu 16.04 as one of the operating systems when deploying Elastic Compute Service (ECS) instances. This Ubuntu version is stable and ideal for running mission critical applications like web servers, email servers and database servers.

In this guide, we will quickly go over the Alibaba Cloud ECS instance security checklist to show you how to safeguard your Ubuntu 16.04 server.

Related Documentation

ECS security deployment method

In this document, you will get some useful information on the Operating system security hardening and Security deployment for application service software including web and database applications.

Manage security group rules

This topic describes how to manage security group rules. After you add security group rules, you can query, modify, restore, export, import, and delete them.
