koninr
Intern

Any security best practice for hardening my Aliyun infrastructure?

Posted time:Mar 14, 2018 15:42 PM
As mentioned in the subject line, is there any security checklist / best practice for hardening the Aliyun infrastructure? Thanks.

abdulhafeez
Assistant Engineer
1st Reply#
Posted time:Mar 14, 2018 15:59 PM
Hi @koninr,

Can you share details on your infrastructure & applications, how is the architecture front-end / back-end etc.?

I will share some inputs.

abdulhafeez
Assistant Engineer
2nd Reply#
Posted time:Mar 14, 2018 16:12 PM

koninr
Intern
3rd Reply#
Posted time:Mar 15, 2018 12:45 PM
abdulhafeez: Hi @koninr,

Can you share details on your infrastructure & applications, how is the architecture front-end / back-end e...
Thanks abdulhafeez. I am planning to write a security assessment checklist for Aliyun that would focus on a few fields, i.e. IAM (e.g. Policy, MFA), Logging (e.g. API logging), Monitoring (e.g. log metric filter, alarm), Networking (e.g. Security Groups), Database (e.g. RDS), VPC (e.g. Security Groups).

abdulhafeez
Assistant Engineer
4Floor#
Posted time:Mar 15, 2018 19:51 PM

Hi @koninr:

Great initiative!!

I suggest you have a look at this URL:

You can go through the URL below:

https://www.alibabacloud.com/help/faq-list/60793.htm?spm=a3c0i.l35474en.a3.8.5cda4974itCmxm

Please consider below points in your assessment checklist:

- Login Security / User Access (RAM etc.)
- Host-level security (ECS) (Server Guard AV, Windows updates, etc.)
- Application-level security (upgrades/patches, etc.)
- Network security / isolation (VPC / Security Groups, etc.)
- Data-level / data transmission security (whitelisting of certain sources)
- Internet facing layer protection (Anti-DDoS, WAF, SLB traffic encryption etc.)

Let me know if you need any help.

Cheers!!

afzaalvirgoboy
Intern
5Floor#
Posted time:Aug 15, 2018 22:02 PM
Hi, the security checklists depend on several factors, ranging from the type of services on the cloud (web apps, databases, storage units) all the way to the users of the services (customers, extended apps, or employees). I will recommend that you create a full-featured, generic community post, where we can all append content and add more security tips.


Anyway, for the services you have talked about, the first and foremost important piece of security is the cloud firewall that grants access to your services. The best way to secure databases or internal services is to keep these services behind a virtual network. Anything that your users/customers can access via a dashboard or portal can and should be accessed from there, and any public access must be forbidden.


The security group ports for the services must be allowed only if no other option is possible, such as port 80 for the web apps. However, no ports for the databases must be exposed on the public internet. And why would anyone ever want to leave their online databases exposed to the public internet?


Basic scenario:
If I had to design this infrastructure, I would definitely deploy a virtual network on the cloud and utilize the platform's security implements. This would allow me to deploy the services online and keep them in a secure network that no one can access, then expose the services as needed, and when needed. Other services can communicate internally, like logging, database, reporting, etc.


One extra thing: IAM would be suitable for your own employees/developers only. Your customers do not require IAM access to the services, only the exposed services.
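
The rule of thumb from the last reply (a web port such as 80 may be public, database ports never) written as a check over a security group's ingress rules. This is an added example, not part of any post in the thread; the rule fields are modelled on the `Permission` entries returned by the ECS `DescribeSecurityGroupAttribute` API, and the port lists, the `rule` helper and the sample rules are constructed assumptions.

```python
import ipaddress

# Assumed lists (not from the thread): database ports, and web ports meant to be public.
DB_PORTS = {1433: "SQL Server", 3306: "MySQL", 5432: "PostgreSQL",
            6379: "Redis", 27017: "MongoDB"}
PUBLIC_OK = {80, 443}

def rule(proto, ports, cidr, policy="Accept", direction="ingress"):
    return {"IpProtocol": proto, "PortRange": ports, "SourceCidrIp": cidr,
            "Policy": policy, "Direction": direction}

def is_public(cidr):
    """True when the source range is the whole internet (0.0.0.0/0 or ::/0)."""
    return bool(cidr) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def port_span(r):
    """Return (low, high); '-1/-1' means every port."""
    low, high = (int(p) for p in r["PortRange"].split("/"))
    return (1, 65535) if low == -1 else (low, high)

def audit(rules):
    """Return (index, severity, message) for ingress Accept rules open to the world."""
    findings = []
    for i, r in enumerate(rules):
        if r["Direction"] != "ingress" or r["Policy"].lower() != "accept":
            continue
        if r["IpProtocol"].upper() not in ("TCP", "UDP", "ALL"):
            continue  # ICMP/GRE rules carry no ports
        if not is_public(r.get("SourceCidrIp")):
            continue  # private range or security-group source
        low, high = port_span(r)
        exposed = sorted(p for p in DB_PORTS if low <= p <= high)
        if exposed:
            names = ", ".join(f"{DB_PORTS[p]} ({p})" for p in exposed)
            findings.append((i, "HIGH", f"database port(s) open to internet: {names}"))
        elif not (low == high and low in PUBLIC_OK):
            findings.append((i, "REVIEW", f"ports {low}-{high} open to internet"))
    return findings

# Constructed sample rules, not taken from any real account.
SAMPLE_RULES = [
    rule("TCP", "80/80", "0.0.0.0/0"),        # public web app: allowed
    rule("TCP", "3306/3306", "0.0.0.0/0"),    # database exposed: HIGH
    rule("TCP", "3306/3306", "10.0.1.0/24"),  # database inside the VPC: fine
    rule("ALL", "-1/-1", "0.0.0.0/0"),        # everything open: HIGH
    rule("TCP", "22/22", "0.0.0.0/0"),        # admin port open: REVIEW
]
if __name__ == "__main__":
    print(*audit(SAMPLE_RULES), sep="\n")
```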