Security Center provides the configuration assessment feature to check whether the configurations of your services are at risk. This topic describes the configuration assessment feature and the check items.

Background information

To find the risks in your cloud services and provide solutions, Security Center runs the following security checks: identity authentication and permissions, network access control, data security, log auditing, monitoring and alerting, and basic security protection.

Note: The Basic and Basic Anti-Virus editions of Security Center support a limited number of check items. The Advanced and Enterprise editions support all check items. To check all items, users of the Basic and Basic Anti-Virus editions must upgrade Security Center to the Advanced or Enterprise edition.

The number of enabled check items is shown under Checked items on the Cloud Platform Configuration Assessment page.

The list of check items

The following table lists the check items supported by each edition. The following signs indicate whether a check item is supported:
  • ×: not supported by this edition.
  • √: supported by this edition.

| Check item | Type | Description | Basic or Basic Anti-Virus | Advanced or Enterprise |
|---|---|---|---|---|
| Alibaba Cloud account security - AccessKey use | Identity authentication and permissions | Checks the AccessKey account permissions of your Alibaba Cloud account. Your Alibaba Cloud account has full permissions to its resources. To avoid potential financial losses caused by AccessKey leakage, we recommend that you do not create an AccessKey pair for your Alibaba Cloud account or use it in your daily work. Notice: The check result has a time delay. If the AccessKey pair is disabled, the check result is updated on the next day. | × | √ |
| CDN - real-time log push service | Log auditing | Checks whether the real-time log push service is enabled for Alibaba Cloud CDN. Alibaba Cloud CDN is integrated with Log Service to deliver log data to Log Service in real time for further analysis. You can quickly find issues through real-time log analysis. | × | √ |
| Cloud services - ActionTrail | Log auditing | Checks whether the ActionTrail feature is enabled. If the ActionTrail feature is not enabled, the actions of the administrator are not recorded and security compliance requirements are not met. | × | √ |
| ApsaraDB for PolarDB - backups | Data security | Checks whether the automatic backup feature is enabled for ApsaraDB for PolarDB. Database backups improve database security and allow you to restore data when an error occurs in your database. ApsaraDB for PolarDB supports automatic backups. We recommend that you enable automatic backups to create a backup on a daily basis. | × | √ |
| ApsaraDB for PolarDB - SQL Explorer | Log auditing | Checks whether SQL Explorer is enabled for ApsaraDB for PolarDB. ApsaraDB for PolarDB supports SQL Explorer, which provides value-added services such as security auditing and performance diagnosis. We recommend that you enable SQL Explorer. | × | √ |
| OSS - authorization policies | Identity authentication and permission control | Checks Object Storage Service (OSS) authorization policies. OSS supports three types of permission control policies: access control lists (ACLs), Resource Access Management (RAM), and bucket policies. We recommend that you do not grant read, write, or full permissions to anonymous users when you configure bucket policies. | × | √ |
| SLB - logging | Log auditing | Checks whether the logging feature is enabled for Server Load Balancer (SLB). SLB provides a logging feature that records Layer-7 requests. This feature collects detailed information about requests sent to SLB, including the request time, client IP address, network latency, request path, and server response. We recommend that you enable the logging feature. | × | √ |
| Container Registry - repository permission configurations | Data security | Checks whether the Container Registry repository is set to private. Container Registry repositories include public and private repositories. Public repositories allow all Internet users to download their contents anonymously. If the images in the repository contain sensitive information, we recommend that you set the repository to private. | × | √ |
| Container Registry - security scan | Basic security protection | Checks whether the security scan feature is enabled for Container Registry. Container Registry provides security scan for Linux-based base images. Security scan can detect system vulnerabilities and risks in base images. We recommend that you scan all images. If you have the latest version of a base image, we suggest that you run security scan on that version. | × | √ |
| ECS - security group policies | Network access control | Checks the policies of Elastic Compute Service (ECS) security groups. We recommend that you grant minimum permissions to users. If you set 0.0.0.0/0 for a service, requests from all IP addresses are allowed. For example, 0.0.0.0/0 set for port 80, 443, 22, or 3389 allows any IP address to reach that port. | × | √ |
| OSS - server-side bucket encryption | Data security | Checks whether the data encryption feature is enabled for OSS buckets. OSS supports server-side encryption to secure data that is persistently stored in OSS. We recommend that you enable server-side encryption to protect sensitive data. | × | √ |
| OSS - bucket hotlinking protection | Network access control | Checks whether hotlinking protection is enabled for OSS buckets. The OSS hotlinking protection feature checks the Referer header to deny access from unauthorized users. We recommend that you enable this feature. | × | √ |
| OSS - sensitive information leakage | Data security | Checks whether access to sensitive files in OSS requires permissions. | × | √ |
| ApsaraDB for RDS - cross-region backups | Data security | Checks whether the cross-region backup feature is enabled for ApsaraDB for RDS instances. ApsaraDB for RDS provides the cross-region backup feature for ApsaraDB for MySQL. This feature automatically synchronizes local backup files to OSS buckets in another region, which allows you to implement disaster recovery. We recommend that you enable the cross-region backup feature. | × | √ |
| ApsaraDB for Redis - backups | Data security | Checks whether the data backup feature is enabled for ApsaraDB for Redis instances. | × | √ |
| ApsaraDB for Redis - SSL encryption | Log auditing | Checks whether Secure Sockets Layer (SSL) encryption is enabled for ApsaraDB for Redis instances. ApsaraDB for Redis 2.8 standard master-replica instances, master-replica cluster instances, and ApsaraDB for Redis 4.0 master-replica cluster instances support SSL encryption. We recommend that you enable SSL encryption to improve data transmission security. | × | √ |
| ApsaraDB for Redis - log auditing | Log auditing | Checks whether the log auditing feature is enabled for ApsaraDB for Redis instances. ApsaraDB for Redis provides the log auditing feature, which records all requests sent to ApsaraDB for Redis instances and stores the records in Log Service. We recommend that you enable this feature. | × | √ |
| ApsaraDB for MongoDB - log auditing | Log auditing | Checks whether the log auditing feature is enabled for ApsaraDB for MongoDB instances. The log auditing feature records all operations you perform on databases. Log auditing allows you to perform fault analysis, behavior analysis, and security auditing on databases. This feature also allows you to obtain information about data consumption. We recommend that you enable the log auditing feature for ApsaraDB for MongoDB instances. | × | √ |
| ApsaraDB for MongoDB - SSL encryption | Data security | Checks whether SSL encryption is enabled for ApsaraDB for MongoDB instances. We recommend that you enable the SSL encryption feature to improve the security of ApsaraDB for MongoDB instances. | × | √ |
| ApsaraDB for MongoDB - backups | Data security | Checks whether the automatic backup feature is enabled for ApsaraDB for MongoDB instances. Database backups improve database security and allow you to restore data when an error occurs in your database. ApsaraDB for MongoDB provides automatic backups. We recommend that you enable automatic backups to create a backup on a daily basis. | × | √ |
| Cloud Monitor - agent status | Monitoring and alerting | Checks the status of ECS instances. Cloud Monitor can monitor Alibaba Cloud resources and web applications. To monitor the status of ECS instances and send alerts when exceptions occur, we recommend that you install the Cloud Monitor agent on your ECS instances. | × | √ |
| VPC - DNAT management port mapping | Network access control | Checks whether the port is mapped to the Internet. When you create a DNAT rule for a NAT gateway deployed in a Virtual Private Cloud (VPC) network, we recommend that you do not map internal management ports to the Internet. Do not map all ports or important ports, for example, port 22, 3389, 1433, or 3306. | × | √ |
| Alibaba Cloud - two-factor authentication | Identity authentication and permission control for Alibaba Cloud accounts | Checks whether two-factor authentication is enabled for your Alibaba Cloud account. If you use password-based authentication, attackers may use brute-force cracking or other methods to obtain the password to your Alibaba Cloud account. We recommend that you enable two-factor authentication, which requires password and SMS verification, to minimize the risk of password leakage. | √ | √ |
| RAM users - multi-factor authentication (MFA) | Identity authentication and permission control for RAM users | Checks whether MFA is enabled for RAM users. | √ | √ |
| Alibaba Cloud Security - agent status | Basic security protection | Checks the installation of the Server Guard agent. You must install the Server Guard agent on your servers before Server Guard can protect them. If the Server Guard agent is not installed on your servers, your servers are vulnerable to risks such as webshells, Trojan files, remote logons, and brute-force attacks. | √ | √ |
| Alibaba Cloud Security - back-to-origin configuration checks of Anti-DDoS Pro | Network access control | Checks whether Anti-DDoS Pro allows only requests from Web Application Firewall (WAF) back-to-origin IP addresses. After you use Anti-DDoS Pro or WAF, we recommend that you hide the IP address of the backend server to prevent attacks. | √ | √ |
| Alibaba Cloud Security - back-to-origin configuration checks of WAF | Network access control | Checks whether WAF allows only requests from WAF back-to-origin IP addresses. After you use Anti-DDoS Pro or WAF, we recommend that you hide the IP address of the backend server to prevent attacks. | √ | √ |
| Security Center - AccessKey leak detection | Monitoring and alerting | Checks whether the AccessKey leak detection and account security features of Security Center are enabled. | √ | √ |
| ECS - key-pair-based logons | Identity authentication and permissions | Checks whether ECS instances that run Linux operating systems are associated with Alibaba Cloud SSH key pairs. Compared with the SSH password-based logon method, the SSH key-pair-based logon method is more secure and convenient. We recommend that you use the SSH key-pair-based logon method. | √ | √ |
| ECS - storage encryption | Data security | Checks whether encryption is enabled for disks on ECS instances. | √ | √ |
| ECS - automatic snapshot policies | Data security | Checks whether the automatic snapshot feature is enabled for ECS instances. The automatic snapshot feature improves the security of ECS data and supports disaster recovery. | √ | √ |
| SLB - whitelist configurations | Network access control | Checks the access control configurations of SLB instances: whether access control is enabled for HTTP and HTTPS services and whether 0.0.0.0/0 is set. If 0.0.0.0/0 is set for a service, requests from all IP addresses are allowed. | √ | √ |
| SLB - open ports | Network access control | Checks whether unnecessary ports of SLB are open to the Internet. | √ | √ |
| SLB - health status | Monitoring and alerting | Checks whether SLB backend servers are available. | √ | √ |
| SLB - certificate validity checks | Monitoring and alerting | Checks whether your SLB certificate has expired. | √ | √ |
| OSS - bucket permissions | Data security | Checks whether the OSS bucket permission is set to private. | √ | √ |
| OSS - logging | Data security | Checks whether the logging feature is enabled for OSS. | √ | √ |
| OSS - cross-region replication | Data security | Checks whether the cross-region replication feature is enabled for OSS. | √ | √ |
| ApsaraDB for RDS - whitelist configurations | Network access control | Checks whether the whitelist is set to 0.0.0.0/0 or not set, which allows requests from all IP addresses. We recommend that you configure the whitelist to allow only requests from specific IP addresses. | √ | √ |
| ApsaraDB for RDS - database security policies | Data security | Checks whether the SQL auditing, SSL encrypted transmission, and transparent database encryption features are enabled for ApsaraDB for RDS instances. | √ | √ |
| ApsaraDB for RDS - database backups | Data security | Checks whether the data backup feature is enabled for ApsaraDB for RDS instances. | √ | √ |
| ApsaraDB for Redis - whitelist configurations | Network access control | Checks whether the whitelist is set to 0.0.0.0/0 or not set, which allows requests from all IP addresses. We recommend that you configure the whitelist to allow only requests from specific IP addresses. | √ | √ |
| AnalyticDB for PostgreSQL - whitelist configurations | Network access control | Checks whether the whitelist is set to 0.0.0.0/0 or not set, which allows requests from all IP addresses. We recommend that you configure the whitelist to allow only requests from specific IP addresses. | √ | √ |
| SSL Certificate Service - validity checks | Data security | Checks whether your SSL certificate has expired. If your SSL certificate has expired, you cannot use SSL Certificate Service. | √ | √ |
| ApsaraDB for PolarDB - whitelist configurations | Network access control | Checks whether the whitelist is set to 0.0.0.0/0, which allows requests from all IP addresses. We recommend that you configure the whitelist to allow only requests from specific IP addresses. | √ | √ |
| ActionTrail - logging | Log auditing | Checks the operation logs in OSS or Log Service. To trace high-risk operations, we recommend that you enable ActionTrail, save operation logs in OSS or Log Service, and set proper access permissions. | √ | √ |
| ApsaraDB for MongoDB - whitelist configurations | Network access control | Checks whether the whitelist is set to 0.0.0.0/0 or not set, which allows requests from all IP addresses. We recommend that you configure the whitelist to allow only requests from specific IP addresses. | √ | √ |
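Several check items above (ECS security group policies, VPC DNAT management port mapping, SLB whitelist configurations, and the whitelist checks for RDS, Redis, PolarDB, AnalyticDB for PostgreSQL and MongoDB) all reduce to the same question: is a management port, or an entire service, reachable from 0.0.0.0/0? The following added example, which is not Security Center's own code, implements that check over constructed data. The rule field names (Direction, Policy, IpProtocol, SourceCidrIp, PortRange) are an assumption modelled on the shape of an ECS security group rule; the sample rules and whitelists are constructed for the example.

```python
"""Added example (not Security Center's own code): flag network rules and whitelists
that expose management ports, or everything, to any source address.
The rule field names below are an assumption; sample data is constructed."""
from ipaddress import ip_network
from typing import Dict, Iterable, List

# Management ports the security group and DNAT check items name explicitly.
MANAGEMENT_PORTS = {22, 3389, 1433, 3306}
ALL_PORTS = range(1, 65536)


def is_any_source(cidr: str) -> bool:
    """True when a source CIDR admits every IPv4 address (0.0.0.0/0 or an equivalent)."""
    try:
        net = ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False  # malformed entries are not treated as "any"; review them separately
    return net.version == 4 and net.num_addresses == 2 ** 32


def port_range(spec: str) -> range:
    """Parse a 'start/end' port specification; '-1/-1' means every port."""
    start, end = (int(p) for p in spec.split("/"))
    if start == -1 and end == -1:
        return ALL_PORTS
    return range(start, end + 1)


def check_security_group(rules: Iterable[Dict]) -> List[Dict]:
    """Return one finding per inbound Accept rule that opens a management port,
    or all ports, to any source. Rules open to the world on other ports are skipped."""
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        if rule.get("IpProtocol") == "ICMP" or not is_any_source(rule.get("SourceCidrIp", "")):
            continue
        ports = port_range(rule["PortRange"])
        if ports == ALL_PORTS:
            exposed = "all ports"
        else:
            exposed = sorted(MANAGEMENT_PORTS.intersection(ports))
            if not exposed:
                continue
        findings.append({"source": rule["SourceCidrIp"], "port_range": rule["PortRange"], "exposed": exposed})
    return findings


def check_whitelist(entries: Iterable[str]) -> str:
    """Classify a database or SLB whitelist as 'not set', 'any source', or 'restricted',
    the three outcomes the whitelist check items distinguish."""
    entries = [e.strip() for e in entries if e and e.strip()]
    if not entries:
        return "not set"
    if any(is_any_source(e) for e in entries):
        return "any source"
    return "restricted"


# Constructed sample input (assumed field names, see module docstring).
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "SourceCidrIp": "0.0.0.0/0", "PortRange": "22/22"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "SourceCidrIp": "0.0.0.0/0", "PortRange": "80/80"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "SourceCidrIp": "203.0.113.0/24", "PortRange": "3389/3389"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "SourceCidrIp": "0.0.0.0/0", "PortRange": "-1/-1"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "SourceCidrIp": "0.0.0.0/0", "PortRange": "-1/-1"},
]
SAMPLE_WHITELISTS = {"rds-a": ["0.0.0.0/0"], "rds-b": [], "redis-c": ["10.0.0.0/8", "203.0.113.5"]}

if __name__ == "__main__":
    for finding in check_security_group(SAMPLE_RULES):
        print("security group:", finding)
    for name, entries in SAMPLE_WHITELISTS.items():
        print("whitelist", name, "->", check_whitelist(entries))
```

Only the first and fourth sample rules produce findings: port 80 open to the world is outside the management-port set, the RDP rule is restricted to one /24, and the egress rule is not inbound. A real assessment would feed the rules returned by the ECS, SLB, NAT gateway and database consoles or APIs into these two functions in place of the constructed samples.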

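The "OSS - authorization policies" check item warns against granting read, write, or full permissions to anonymous users in bucket policies. The following added example, which is not OSS or Security Center code, scans a bucket policy document for such statements. The policy layout used here (Version, Statement, Effect, Action, Principal, Resource, Condition, with "*" as the anonymous principal) is an assumption about the OSS bucket policy format; the sample policy, bucket name and account ID are constructed.

```python
"""Added example (not OSS tooling): find bucket policy statements that grant read,
write, or full access to anonymous users. Policy layout is assumed; sample is constructed."""
import json
from typing import Dict, List, Optional


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def access_level(actions) -> Optional[str]:
    """Map a statement's actions to 'full', 'write', or 'read'; None if none apply."""
    acts = set(_as_list(actions))
    if "oss:*" in acts or "*" in acts:
        return "full"
    if any(a.startswith(("oss:Put", "oss:Delete", "oss:Post", "oss:Abort", "oss:Restore")) for a in acts):
        return "write"
    if any(a.startswith(("oss:Get", "oss:List")) for a in acts):
        return "read"
    return None


def anonymous_grants(policy_json: str) -> List[Dict]:
    """Return one finding per Allow statement whose Principal includes '*'.
    A statement with a Condition block is still reported but marked conditional,
    since the condition (for example a source IP restriction) narrows the grant."""
    policy = json.loads(policy_json)
    findings = []
    for idx, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in set(_as_list(statement.get("Principal", []))):
            continue
        level = access_level(statement.get("Action", []))
        if level is None:
            continue
        findings.append({
            "statement": idx,
            "level": level,
            "resources": _as_list(statement.get("Resource", [])),
            "conditional": "Condition" in statement,
        })
    return findings


# Constructed sample policy: anonymous read on a public prefix, full access for one
# (constructed) RAM user, anonymous upload limited by source IP, and an explicit deny.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
         "Principal": ["*"], "Resource": ["acs:oss:*:*:example-bucket/public/*"]},
        {"Effect": "Allow", "Action": ["oss:*"], "Principal": ["123456789012345"],
         "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]},
        {"Effect": "Allow", "Action": ["oss:PutObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:example-bucket/uploads/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
        {"Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:example-bucket/private/*"]},
    ],
})

if __name__ == "__main__":
    for finding in anonymous_grants(SAMPLE_POLICY):
        print(finding)
```

Two statements are reported: anonymous read on the public prefix, and a conditional anonymous write on the uploads prefix. The Deny statement and the grant to a named RAM user are not anonymous grants and are skipped; whether a conditional anonymous grant is acceptable depends on the condition, which is why the finding carries the flag rather than being suppressed.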
Related topics

Perform configuration assessment on cloud services

View and manage configuration risks