Security Center provides the configuration assessment feature to check whether the configurations of your services are at risk. This topic describes the configuration assessment feature and the check items.

Background information

To help you find the risks in your cloud services and provide solutions, Security Center runs the following security checks: identity authentication and permissions, network access control, data security, log auditing, monitoring and alerting, and basic security protection.

Note: Security Center Basic edition users can only check a limited number of items. Security Center Advanced edition and Enterprise edition users can check all items. Basic edition users must upgrade to Advanced edition or Enterprise edition to check all items.
You can view the number of enabled check items on the Cloud Platform Configuration Assessment page.

List of supported check items

The following list contains check items supported by different editions. The following signs are used to indicate whether a check item is supported or not:
  • ×: not supported by this edition.
  • √: supported by this edition.
| Supported item | Type | Description | Basic edition | Advanced edition/Enterprise edition |
| --- | --- | --- | --- | --- |
| Alibaba Cloud account security-AccessKey use | Identity authentication and permissions | Checks the AccessKey account permissions of your Alibaba Cloud account. Your Alibaba Cloud account has full permissions to its resources. To avoid financial loss caused by AccessKey leakage, we recommend that you do not create an AccessKey pair for your main account or use it in your daily work. Notice: After checking this item, you must wait one day. If the AccessKey pair is disabled, the check result will not change until the second day. | × | √ |
| CDN-real-time log push service | Log auditing | Checks whether the CDN-real-time log push service is enabled. Alibaba Cloud CDN provides a feature that pushes the collected logs to the log service in real time and analyzes the logs. You can quickly find and locate issues through real-time log analysis. | × | √ |
| Cloud services-ActionTrail | Log auditing | Checks whether the ActionTrail feature is enabled. If the feature is not enabled, the actions of the administrator will not be recorded and thus security compliance requirements are not met. | × | √ |
| ApsaraDB for PolarDB-backup | Data security | Checks whether the automatic backup feature is enabled for ApsaraDB for PolarDB. Creating database backups improves database security. Database backups help you restore data when an error occurs in a database. ApsaraDB for PolarDB supports automatic backup. We recommend that you enable automatic backup to create a backup on a daily basis. | × | √ |
| ApsaraDB for PolarDB-SQL explorer | Log auditing | Checks whether the SQL explorer feature is enabled for ApsaraDB for PolarDB. ApsaraDB for PolarDB supports the SQL explorer feature that provides value-added services, such as security auditing and performance diagnosis. We recommend that you enable the SQL explorer feature. | × | √ |
| OSS-authorization policies | Identity authentication and permission control | Checks OSS authorization policies. OSS supports three types of permission control policies: ACL, RAM, and bucket policies. We recommend that you do not grant read/write or full permissions to anonymous users when you configure bucket policies. | × | √ |
| SLB-logging | Log auditing | Checks whether SLB has the logging feature enabled. SLB provides the logging feature that records Layer-7 requests. This feature collects the detailed information of requests sent to SLB. The information includes the request time, client IP address, network latency, request path, and server response. We recommend that you enable the logging feature. | × | √ |
| Container Registry-warehouse permission configurations | Data security | Checks whether the status of Container Registry warehouse is set to private. Container Registry warehouses include public warehouses and private warehouses. Public warehouses allow all Internet users to download information anonymously. If the image contains sensitive information, we recommend that you set the value to private. Otherwise, ignore relevant alerts. | × | √ |
| Container Registry-image security status scan | Basic security protection | Checks whether the image security status scan feature is enabled for Container Registry. Container Registry scans Linux-based basic images. Security scan can detect system vulnerabilities and risks in basic images. We recommend that you scan all images. If you have the latest version of basic images, we suggest that you run security scans on the latest version. | × | √ |
| ECS-security group policies | Network access control | Checks ECS security group policies. We recommend that you grant minimum permissions to users. If you set 0.0.0.0/0 for a service, it indicates that access from all IP addresses is allowed. For example, you can set 0.0.0.0/0 for ports 80, 443, 22, and 3389. | × | √ |
| OSS-bucket server-side encryption | Data security | Checks whether the data encryption feature of OSS buckets is enabled. OSS supports server-side encryption to secure data persistently stored in OSS. We recommend that you enable server-side encryption to protect sensitive data. | × | √ |
| OSS-bucket hotlinking protection | Network access control | Checks whether the hotlinking protection is enabled for OSS buckets. The OSS hotlinking protection feature checks the Referer header to deny access from unauthorized users. We recommend that you enable this feature. | × | √ |
| OSS-sensitive information leakage scans | Data security | Checks whether OSS sensitive files require access permissions. | × | √ |
| ApsaraDB for RDS-cross-region backup | Data security | Checks whether the cross-region backup is enabled for ApsaraDB for RDS instances. ApsaraDB for RDS provides the cross-region backup feature for MySQL that automatically synchronizes local backup files to OSS in another region. This allows you to implement disaster recovery. We recommend that you enable the cross-region backup feature. | × | √ |
| ApsaraDB for Redis-Backup | Data security | Checks whether the data backup feature is enabled for ApsaraDB for Redis instances. | × | √ |
| ApsaraDB for Redis-SSL encryption | Log auditing | Checks whether SSL encryption is enabled for ApsaraDB for Redis. ApsaraDB for Redis 2.8 standard master-replica instances, master-replica cluster instances, and ApsaraDB for Redis 4.0 master-replica cluster instances support SSL encryption. Enable SSL encryption to improve data transmission security. | × | √ |
| ApsaraDB for Redis-log auditing | Log auditing | Checks whether the log auditing feature is enabled for ApsaraDB for Redis. ApsaraDB for Redis provides the log auditing feature, which records all requests sent to ApsaraDB for Redis and stores the records in Log Service. We recommend that you enable this feature. | × | √ |
| ApsaraDB for MongoDB-log auditing | Log auditing | Checks whether the log auditing feature is enabled for ApsaraDB for MongoDB. The log auditing feature records all operations that you perform on databases. Log auditing allows you to perform fault analysis, behavior analysis, and security auditing on databases and to obtain information about data consumption. We recommend that you enable the log auditing feature for ApsaraDB for MongoDB. | × | √ |
| ApsaraDB for MongoDB-SSL encryption | Data security | Checks whether SSL encryption is enabled for ApsaraDB for MongoDB databases. We recommend that you enable the SSL encryption feature to improve the security of the data link in ApsaraDB for MongoDB databases. | × | √ |
| ApsaraDB for MongoDB-backup | Data security | Checks whether the automatic backup feature is enabled for ApsaraDB for MongoDB. Database backups help you improve database security. You can restore data when an error occurs in your database. ApsaraDB for MongoDB provides automatic backup policies. We recommend that you enable automatic backup to create a backup on a daily basis. | × | √ |
| CloudMonitor-agent status | Monitoring alert | Checks the status of ECS instances. CloudMonitor can monitor Alibaba Cloud resources and web applications. To monitor the status of ECS instances and send alerts when exceptions occur, we recommend that you install the CloudMonitor agent on your ECS instance. | × | √ |
| VPC-DNAT management port mapping | Network access control | Checks whether the port is mapped to the Internet. When you create a DNAT rule for a NAT Gateway deployed in a VPC network, we recommend that you do not map internal management ports to the Internet. Do not map all ports or any important port, for example, ports 22, 3389, 1433 or 3306. | × | √ |
| Alibaba Cloud-Two-factor authentication for Alibaba Cloud accounts | Identity authentication and permission control for Alibaba Cloud accounts | Checks whether the two-factor authentication feature for Alibaba Cloud accounts is enabled. If you use single-factor authentication, attackers may use brute-force cracking or other methods to obtain the password to your Alibaba Cloud account. We recommend that you enable two-factor authentication that requires password authentication and SMS verification to protect administrator accounts of your cloud services to minimize the risk of password leaks. | | √ |
| RAM users-multi-factor authentication (MFA) | Identity authentication and permission control for RAM users | Checks whether MFA is enabled for RAM users. | | √ |
| Alibaba Cloud Security-host security protection status | Basic security protection | Checks the installation of the Server Guard agent. In the cloud security defense system, Server Guard must be deployed to address host security issues. If Server Guard is not deployed, the cloud host will lack intrusion detection and defense capabilities. The system will fail to detect hacking behaviors, for example, webshells, Trojan files, remote logons, and brute-force attacks against your account. | | √ |
| Alibaba Cloud Security-Anti-DDoS Pro back-to-origin check | Network access control | Checks whether the Anti-DDoS Pro feature is configured to only allow WAF back-to-origin IP addresses. After you set up Anti-DDoS Pro or Web Application Firewall, you need to hide the IP addresses of the backend servers to prevent attacks on the cloud assets. | | √ |
| Alibaba Cloud Security-Web application firewall (WAF) back-to-origin | Network access control | Checks whether WAF only allows requests from WAF back-to-origin IP addresses. After you set up Anti-DDoS Pro or Web Application Firewall, you need to hide the IP addresses of the backend servers to prevent attacks on the cloud assets. | | √ |
| Security Center-AccessKey leak detection | Monitoring and alerting | Checks whether the AccessKey leak detection and account security features of Security Center are enabled. | | √ |
| ECS-key pair-based logons | Identity authentication and permission control | Checks whether ECS instances that run a Linux operating system are associated with an Alibaba Cloud SSH key pair. Compared with the SSH password-based logon method, the SSH key pair logon method is more secure and convenient. We recommend that you use the SSH key pair logon method. | | √ |
| ECS-storage encryption | Data security | Checks whether encryption is enabled for disks on ECS instances. | | √ |
| ECS-automatic snapshot policies | Data security | Checks whether the automatic snapshot feature is enabled for the disks on ECS instances. The automatic snapshot feature improves the security of ECS data and supports disaster recovery. | | √ |
| SLB-whitelist | Network access control | Checks the access control configurations of SLB instances. Checks whether access control is enabled for HTTP and HTTPS services and checks whether 0.0.0.0/0 is added to the whitelist. | | √ |
| SLB-exposed ports | Network access control | Checks whether SLB opens ports to the Internet for forwarding unnecessary public services. | | √ |
| SLB-health status | Monitoring and alerting | Checks whether SLB backend servers are available. | | √ |
| SLB-certificate validity check | Monitoring alert | Checks whether your SLB certificate is expired. | | √ |
| OSS-bucket permissions | Data security | Checks whether the access permission of your OSS buckets is public-read or public-read-write. We recommend that you set the access permission of the bucket to private. | | √ |
| OSS-logging | Data security | Checks whether the logging feature is enabled for OSS. | | √ |
| OSS-cross-region replication | Data security | Checks whether the cross-region replication feature is enabled for OSS. | | √ |
| ApsaraDB for RDS-whitelist | Network access control | Checks whether the ApsaraDB for RDS access control policy is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you restrict the access scope to a specific range of IP addresses rather than expose database services to the Internet. | | √ |
| ApsaraDB for RDS-database security policies | Data security | Checks whether the SQL auditing, SSL encrypted transmissions, and transparent database encryption features are enabled for ApsaraDB for RDS databases. | | √ |
| ApsaraDB for RDS-database backup | Data security | Checks whether the data backup feature is enabled for ApsaraDB for RDS instances. | | √ |
| ApsaraDB for Redis-whitelist | Network access control | Checks whether the ApsaraDB for Redis access control policy is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you restrict the access scope to a specific range of IP addresses rather than expose database services to the Internet. | | √ |
| AnalyticDB for PostgreSQL-whitelist | Network access control | Checks whether the AnalyticDB for PostgreSQL access control policy is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you restrict the access scope to a specific range of IP addresses rather than expose database services to the Internet. | | √ |
| SSL Certificate-validity check | Data security | Checks whether your SSL certificate is expired. If your SSL certificate is expired, you are allowed to use SSL Certificate Service. | | √ |
| ApsaraDB for PolarDB-whitelist | Network access control | Checks whether the ApsaraDB for PolarDB access control policy is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you restrict the access scope to a specific range of IP addresses rather than expose database services to the Internet. | | √ |
| ActionTrail-logging | Log auditing | Checks the operation logs in OSS or Log Service. The ActionTrail feature must be enabled to access the Alibaba Cloud security system. The operation logs need to be saved in OSS or Log Service. We recommend that you set proper access permissions to trace high-risk operations. | | √ |
| ApsaraDB for MongoDB-whitelist | Network access control | Checks whether the ApsaraDB for MongoDB access control policy is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you restrict the access scope to a specific range of IP addresses rather than expose database services to the Internet. | | √ |
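
The whitelist and DNAT check items above come down to one test: a rule that accepts traffic from 0.0.0.0/0 and covers a management port. The following Python sketch is an added example for reviewing exported rules yourself, not Security Center's own logic; the rule field names and the start/end port format (with -1/-1 meaning all ports) are assumptions, and the sample rules are constructed.

```python
import ipaddress

# Management ports named in the VPC-DNAT check item above.
MANAGEMENT_PORTS = (22, 3389, 1433, 3306)


def is_open_to_all(cidr):
    """True when the source range covers every address, such as 0.0.0.0/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(port_range):
    """Management ports inside a 'start/end' range (assumed format)."""
    start, end = (int(p) for p in port_range.split("/"))
    if (start, end) == (-1, -1):  # assumed marker for "all ports"
        start, end = 1, 65535
    return [p for p in MANAGEMENT_PORTS if start <= p <= end]


def audit(rules):
    """Return (rule name, exposed management ports) for each risky rule."""
    findings = []
    for rule in rules:
        if rule.get("policy", "accept") != "accept":
            continue  # a deny rule does not expose anything
        if not is_open_to_all(rule["source_cidr"]):
            continue  # source is already restricted to a specific range
        ports = exposed_ports(rule["port_range"])
        if ports:
            findings.append((rule["name"], ports))
    return findings


# Constructed sample rules; the field names are hypothetical.
SAMPLE_RULES = [
    {"name": "web-https", "source_cidr": "0.0.0.0/0", "port_range": "443/443", "policy": "accept"},
    {"name": "ssh-any", "source_cidr": "0.0.0.0/0", "port_range": "22/22", "policy": "accept"},
    {"name": "ssh-office", "source_cidr": "203.0.113.0/24", "port_range": "22/22", "policy": "accept"},
    {"name": "all-ports", "source_cidr": "0.0.0.0/0", "port_range": "-1/-1", "policy": "accept"},
    {"name": "db-range", "source_cidr": "0.0.0.0/0", "port_range": "1433/3306", "policy": "accept"},
    {"name": "rdp-drop", "source_cidr": "0.0.0.0/0", "port_range": "3389/3389", "policy": "drop"},
]

if __name__ == "__main__":
    for name, ports in audit(SAMPLE_RULES):
        print(f"{name}: open to all addresses on management ports {ports}")
```

The db-range rule shows why the check works on ranges rather than single ports: neither endpoint looks like a remote-logon port, yet the range exposes both database ports.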

Related topics

Perform configuration assessment on cloud services

View and manage configuration risks