Security Center provides the configuration assessment feature to check for security risks in the configurations of your cloud services. This topic describes the configuration assessment feature and the check items.

Background information

To detect risks in your cloud services and provide solutions, Security Center performs checks on the following configurations: identity authentication and permissions, network access control, data security, log auditing, monitoring and alerting, and basic security protection.

Note: The Basic and Basic Anti-Virus editions of Security Center support only a limited number of check items. The Advanced and Enterprise editions support all check items. For security purposes, we recommend that you upgrade to the Advanced or Enterprise edition to take advantage of all check items. For more information about the check items that each edition supports, see Check items.
You can view the number of enabled check items on the Cloud Platform Configuration Assessment page.

Check items

The following table describes the check items that each edition of Security Center supports. The following symbols indicate whether a check item is supported:
  • ×: not supported.
  • √: supported.
Check item | Type | Description | Basic or Basic Anti-Virus edition | Advanced or Enterprise edition
Alibaba Cloud account security - AccessKey pair | Identity authentication and permissions | Checks whether an AccessKey pair exists for your Alibaba Cloud account. The Alibaba Cloud account has full permissions on all of your resources, so a leaked AccessKey pair of that account compromises everything in it. We recommend that you do not create an AccessKey pair for the Alibaba Cloud account and do not use one in day-to-day operations; use RAM users with least-privilege policies instead. Notice: The results of this check are delayed. If you disable the AccessKey pair, the check result is updated on the following day. | × | √
Alibaba Cloud CDN - real-time log push feature | Log auditing | Checks whether the real-time log push feature is enabled for Alibaba Cloud CDN. Alibaba Cloud CDN is integrated with Log Service and can deliver access logs to Log Service in real time for analysis, which lets you find and locate issues as they occur. | × | √
Cloud services - ActionTrail | Log auditing | Checks whether ActionTrail is activated. If ActionTrail is not activated, operations performed by administrators are not recorded. This does not meet security compliance requirements and leaves no audit trail for incident investigation. | × | √
PolarDB - backup configurations | Data security | Checks whether the automatic backup feature is enabled for PolarDB. Backups allow you to restore data after an error or a destructive change in your database. PolarDB provides automatic backups. We recommend that you enable them so that a backup is created at least once a day. | × | √
PolarDB - SQL Explorer | Log auditing | Checks whether the SQL Explorer feature is enabled for PolarDB. SQL Explorer records the SQL statements that are executed on the cluster, which supports security auditing and performance diagnosis. We recommend that you enable SQL Explorer. | × | √
OSS - authorization policies | Identity authentication and permissions | Checks the authorization policies of Object Storage Service (OSS). OSS supports three types of access control: access control lists (ACLs) on buckets and objects, Resource Access Management (RAM) policies, and bucket policies. We recommend that you do not grant read/write or full permissions to anonymous users in any of them. | × | √
SLB - logging | Log auditing | Checks whether access logging is enabled for Server Load Balancer (SLB). SLB can record Layer 7 (HTTP and HTTPS) requests, including the request time, client IP address, network latency, request path, and server response. We recommend that you enable access logging. | × | √
Container Registry - repository permission configurations | Data security | Checks whether Container Registry repositories are set to private. Container Registry supports public and private repositories. Anyone on the Internet can pull images from a public repository without authentication. If the images may contain sensitive information, such as credentials or internal source code, set the repository to private. | × | √
Container Registry - security scans | Basic security protection | Checks whether the security scan feature is enabled for Container Registry. Container Registry can scan Linux base images for system vulnerabilities and other risks. We recommend that you scan all images and rescan whenever a new version of a base image is obtained. | × | √
ECS - security group policies | Network access control | Checks the inbound rules of Elastic Compute Service (ECS) security groups against the principle of least privilege. Allow 0.0.0.0/0 only on ports that must be reachable from the Internet, such as port 80 or 443. Management ports such as 22 and 3389 should be restricted to trusted source IP addresses rather than opened to 0.0.0.0/0. | × | √
OSS - bucket server-side encryption | Data security | Checks whether server-side encryption is enabled for OSS buckets. Server-side encryption protects data at rest in persistent storage. We recommend that you enable it for buckets that store sensitive data. | × | √
OSS - bucket hotlink protection | Network access control | Checks whether hotlink protection is enabled for OSS buckets. Hotlink protection checks the Referer header of requests and denies requests from websites that are not on the Referer whitelist. Because the Referer header is set by the client, hotlink protection prevents other websites from casually embedding your objects but is not an authentication mechanism; protect sensitive data with a private ACL as well. | × | √
OSS - sensitive information leak | Data security | Checks whether sensitive files in OSS buckets can be accessed without authorization. | × | √
ApsaraDB for RDS - cross-region backup configurations | Data security | Checks whether the cross-region backup feature is enabled for ApsaraDB for RDS instances. ApsaraDB RDS for MySQL can automatically copy local backup files to OSS buckets in another region, which implements geo-disaster recovery. We recommend that you enable cross-region backups. | × | √
ApsaraDB for Redis - backup configurations | Data security | Checks whether the data backup feature is enabled for ApsaraDB for Redis instances. | × | √
ApsaraDB for Redis - SSL encryption | Data security | Checks whether Secure Sockets Layer (SSL) encryption is enabled for ApsaraDB for Redis instances. ApsaraDB for Redis 2.8 standard master-replica instances, 2.8 master-replica cluster instances, and 4.0 master-replica cluster instances support SSL encryption. We recommend that you enable SSL encryption to protect data in transit. | × | √
ApsaraDB for Redis - log auditing | Log auditing | Checks whether the log auditing feature is enabled for ApsaraDB for Redis instances. Log auditing records all requests sent to an instance and stores the records in Log Service. We recommend that you enable this feature. | × | √
ApsaraDB for MongoDB - log auditing | Log auditing | Checks whether the log auditing feature is enabled for ApsaraDB for MongoDB instances. Log auditing records all operations performed on the databases of an instance and supports fault analysis, behavior analysis, and security auditing, as well as review of data consumption. We recommend that you enable this feature. | × | √
ApsaraDB for MongoDB - SSL encryption | Data security | Checks whether SSL encryption is enabled for ApsaraDB for MongoDB instances. We recommend that you enable SSL encryption to protect data in transit. | × | √
ApsaraDB for MongoDB - backup configurations | Data security | Checks whether the automatic backup feature is enabled for ApsaraDB for MongoDB instances. Backups allow you to restore data after an error or a destructive change in your database. ApsaraDB for MongoDB provides automatic backups. We recommend that you enable them so that a backup is created at least once a day. | × | √
Cloud Monitor - agent status | Monitoring and alerting | Checks whether the Cloud Monitor agent is installed on your ECS instances. Cloud Monitor monitors Alibaba Cloud resources and web applications and sends alerts when exceptions occur. To monitor the status of ECS instances, install the Cloud Monitor agent on them. | × | √
VPC - DNAT management port mapping | Network access control | Checks whether DNAT rules expose ports to the Internet. When you create a DNAT rule for a NAT gateway deployed in a virtual private cloud (VPC), do not map internal management ports to the Internet. Do not map all ports, and do not map sensitive ports such as 22, 80, 443, 1433, 3306, 3389, or 8080 unless the service behind the port is intended to be public-facing. | × | √
Alibaba Cloud - two-factor authentication | Identity authentication and permissions | Checks whether two-factor authentication is enabled for your Alibaba Cloud account. If you use only password authentication, attackers may obtain the password by methods such as brute-force attacks. We recommend that you enable two-factor authentication, which requires both the password and a second factor such as SMS verification, so that a leaked password alone does not grant access. | √ | √
RAM users - multi-factor authentication (MFA) | Identity authentication and permissions | Checks whether MFA is enabled for RAM users. | √ | √
Alibaba Cloud Security - agent status | Basic security protection | Checks whether the Security Center agent (formerly the Server Guard agent) is installed. The agent must be installed on a server before Security Center can protect it. Servers without the agent are not protected against risks such as webshells, trojans, unusual remote logons, and brute-force attacks. | √ | √
Alibaba Cloud Security - back-to-origin configuration checks for Anti-DDoS Pro or Anti-DDoS Premium | Network access control | Checks whether the origin server behind Anti-DDoS Pro or Anti-DDoS Premium accepts requests only from the back-to-origin IP addresses of the protection service in front of it (Anti-DDoS Pro or Anti-DDoS Premium, or WAF when WAF is deployed between Anti-DDoS and the origin). After you deploy Anti-DDoS Pro, Anti-DDoS Premium, or WAF, restrict the origin to those addresses so that an attacker who discovers the origin IP address cannot bypass the protection and attack the origin directly. | √ | √
Alibaba Cloud Security - back-to-origin configuration checks for WAF | Network access control | Checks whether the origin server behind Web Application Firewall (WAF) accepts requests only from the WAF back-to-origin IP addresses. If the origin accepts requests from any source, an attacker who discovers the origin IP address can send requests that never pass through WAF. | √ | √
Security Center - AccessKey pair leak detection | Monitoring and alerting | Checks whether the AccessKey pair leak detection and account security features of Security Center are enabled. | √ | √
ECS - public key authentication | Identity authentication and permissions | Checks whether ECS instances that run Linux are associated with Alibaba Cloud SSH key pairs. SSH public key authentication resists password guessing and brute-force attacks and is more convenient than password authentication. We recommend that you use SSH key pairs and disable SSH password logon on the instances. | √ | √
ECS - storage encryption | Data security | Checks whether encryption is enabled for the disks of ECS instances. | √ | √
ECS - automatic snapshot policies | Data security | Checks whether an automatic snapshot policy is applied to the disks of ECS instances. Automatic snapshots protect ECS data and support disaster recovery. | √ | √
SLB - whitelist configurations | Network access control | Checks the access control configuration of SLB instances: whether access control is enabled for HTTP and HTTPS listeners, and whether 0.0.0.0/0 is on the whitelist, which allows requests from all IP addresses. | √ | √
SLB - open ports | Network access control | Checks whether listener ports of SLB instances are unnecessarily exposed to the Internet. | √ | √
SLB - health status | Monitoring and alerting | Checks whether the backend servers of SLB instances pass health checks and are available. | √ | √
SLB - certificate validity checks | Monitoring and alerting | Checks whether the certificates bound to SLB HTTPS listeners have expired. | √ | √
OSS - bucket permissions | Data security | Checks whether the ACL of each OSS bucket is set to private. | √ | √
OSS - logging | Log auditing | Checks whether access logging is enabled for OSS buckets. | √ | √
OSS - cross-region replication | Data security | Checks whether cross-region replication is enabled for OSS buckets. | √ | √
ApsaraDB for RDS - whitelist configurations | Network access control | Checks whether a whitelist is configured for ApsaraDB for RDS instances and whether the whitelist contains 0.0.0.0/0. A whitelist that contains 0.0.0.0/0 allows connections from all IP addresses. Configure the whitelist to allow only the specific IP addresses or CIDR blocks that need access. | √ | √
ApsaraDB for RDS - database security policies | Data security | Checks whether SQL audit, SSL encrypted transmission, and Transparent Data Encryption (TDE) are enabled for ApsaraDB for RDS instances. | √ | √
ApsaraDB for RDS - database backup configurations | Data security | Checks whether the database backup feature is enabled for ApsaraDB for RDS instances. | √ | √
ApsaraDB for Redis - whitelist configurations | Network access control | Checks whether a whitelist is configured for ApsaraDB for Redis instances and whether the whitelist contains 0.0.0.0/0. A whitelist that contains 0.0.0.0/0 allows connections from all IP addresses. Configure the whitelist to allow only the specific IP addresses or CIDR blocks that need access. | √ | √
AnalyticDB for PostgreSQL - whitelist configurations | Network access control | Checks whether a whitelist is configured for AnalyticDB for PostgreSQL instances and whether the whitelist contains 0.0.0.0/0. A whitelist that contains 0.0.0.0/0 allows connections from all IP addresses. Configure the whitelist to allow only the specific IP addresses or CIDR blocks that need access. | √ | √
SSL Certificates Service - validity checks | Data security | Checks whether the SSL certificates managed in SSL Certificates Service have expired. Clients reject an expired certificate, so HTTPS connections fail or show security warnings until the certificate is renewed and redeployed. | √ | √
PolarDB - whitelist configurations | Network access control | Checks whether a whitelist is configured for PolarDB clusters and whether the whitelist contains 0.0.0.0/0. A whitelist that contains 0.0.0.0/0 allows connections from all IP addresses. Configure the whitelist to allow only the specific IP addresses or CIDR blocks that need access. | √ | √
ActionTrail - logging | Log auditing | Checks whether operation logs are delivered to OSS or Log Service. To trace high-risk operations, activate ActionTrail, deliver operation logs to OSS or Log Service, and restrict access to the log storage so that the logs cannot be read or tampered with by unauthorized users. | √ | √
ApsaraDB for MongoDB - whitelist configurations | Network access control | Checks whether a whitelist is configured for ApsaraDB for MongoDB instances and whether the whitelist contains 0.0.0.0/0. A whitelist that contains 0.0.0.0/0 allows connections from all IP addresses. Configure the whitelist to allow only the specific IP addresses or CIDR blocks that need access. | √ | √
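The network access control check items above (ECS security group policies, SLB whitelist configurations, VPC DNAT management port mapping, and the database whitelist checks) all reduce to one question: which ports on which resources are reachable from the whole Internet? The following Python script is an added example of that evaluation. It is not Security Center code and it calls no Alibaba Cloud API; the rule records, service names, resource IDs and the port lists are constructed for the example. It also goes one step beyond the literal "contains 0.0.0.0/0" test: it collapses the source blocks first, so that a pair of entries such as 0.0.0.0/1 and 128.0.0.0/1 (together equal to 0.0.0.0/0) or an IPv6 ::/0 entry is flagged as well.

```python
"""Internet-exposure check for security group rules, SLB ACLs, DNAT mappings
and database whitelists.

Added example; not Security Center code. No Alibaba Cloud API is called.
The Rule records are constructed to resemble what the checks inspect;
service names, resource IDs and the port sets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Management or otherwise sensitive ports that the check items single out.
MANAGEMENT_PORTS = {22, 3389, 1433, 3306, 8080}
# Ports that may legitimately be reachable from anywhere on the Internet.
PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    service: str    # e.g. "ecs-sg", "slb-acl", "dnat", "rds-whitelist"
    resource: str   # security group, load balancer, NAT gateway or instance ID
    source: str     # source address or CIDR block as stored by the service
    port_from: int  # first port the entry applies to
    port_to: int    # last port the entry applies to (inclusive)


@dataclass(frozen=True)
class Finding:
    service: str
    resource: str
    port: int
    severity: str   # "high" or "medium"


def internet_wide(sources: Iterable[str]) -> bool:
    """True if the union of the sources covers all of IPv4 or all of IPv6.

    Matching the literal string 0.0.0.0/0 misses equivalent configurations
    such as 0.0.0.0/1 plus 128.0.0.0/1, or ::/0. Collapsing the blocks
    first catches those as well.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in sources]
    for version in (4, 6):
        merged = ipaddress.collapse_addresses(n for n in nets if n.version == version)
        if any(n.prefixlen == 0 for n in merged):
            return True
    return False


def audit(rules: Iterable[Rule]) -> List[Finding]:
    """Flag every (resource, port) that is reachable from the whole Internet.

    Security groups, SLB ACLs and DNAT mappings may expose 80 and 443;
    management ports are always "high"; any other exposed port is "medium".
    Database whitelists have no public-facing port, so any Internet-wide
    whitelist entry is "high".
    """
    by_target = {}
    for r in rules:
        by_target.setdefault((r.service, r.resource), []).append(r)

    findings = []
    for (service, resource), entries in sorted(by_target.items()):
        # Enough ports to observe every exposed range: the named ports plus
        # the endpoints of each entry's own range.
        candidates = set(MANAGEMENT_PORTS) | set(PUBLIC_PORTS)
        candidates |= {p for e in entries for p in (e.port_from, e.port_to)}
        for port in sorted(candidates):
            sources = [e.source for e in entries if e.port_from <= port <= e.port_to]
            if not sources or not internet_wide(sources):
                continue
            if service.endswith("-whitelist") or port in MANAGEMENT_PORTS:
                severity = "high"
            elif port in PUBLIC_PORTS:
                continue        # public-facing web port: acceptable
            else:
                severity = "medium"
            findings.append(Finding(service, resource, port, severity))
    return findings


# Constructed sample input; IDs and addresses are illustrative only.
SAMPLE_RULES = [
    Rule("ecs-sg", "sg-web", "0.0.0.0/0", 443, 443),         # acceptable: public-facing
    Rule("ecs-sg", "sg-web", "0.0.0.0/0", 22, 22),           # SSH open to the world
    Rule("ecs-sg", "sg-db", "0.0.0.0/1", 3306, 3306),        # two halves that together
    Rule("ecs-sg", "sg-db", "128.0.0.0/1", 3306, 3306),      #   equal 0.0.0.0/0
    Rule("ecs-sg", "sg-db", "10.0.0.0/8", 3306, 3306),       # internal only: fine
    Rule("dnat", "ngw-1", "0.0.0.0/0", 1, 65535),            # every port mapped
    Rule("rds-whitelist", "rm-1", "0.0.0.0/0", 3306, 3306),  # open whitelist
    Rule("redis-whitelist", "r-1", "192.168.1.0/24", 6379, 6379),  # fine
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.severity:6} {f.service}/{f.resource} port {f.port} reachable from the Internet")
```

The sample produces ten findings: port 22 on sg-web, port 3306 on sg-db (only visible because the two /1 blocks were merged), the open RDS whitelist, and the DNAT mapping of all ports, which is reported once per management port plus once for each end of the mapped range. Port 443 on sg-web and the Redis whitelist limited to 192.168.1.0/24 produce nothing.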

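The OSS check items (authorization policies, bucket permissions, and sensitive information leak) come down to whether anonymous users can read or write a bucket through its ACL or its bucket policy. The following Python script is an added example of that evaluation and is not Security Center code. The ACL values private, public-read and public-read-write are the ones OSS uses; the bucket policy document is a constructed sample written in the RAM-style JSON that OSS bucket policies use, and it assumes that a Principal of "*" denotes anonymous access and that Action entries may carry wildcards. A statement with a Condition block (for example, an acs:SourceIp restriction) is listed for review but does not raise the bucket's exposure level.

```python
"""Flag OSS buckets that anonymous users can read or write.

Added example; not Security Center code. The policy document format
(Effect / Action / Principal / Resource / Condition, Principal "*" for
anonymous access) is an assumption modelled on OSS bucket policy syntax.
"""
import fnmatch
import json
from dataclasses import dataclass
from typing import List, Optional

# Access implied by each OSS bucket ACL value.
ACL_LEVEL = {"private": None, "public-read": "read", "public-read-write": "write"}
# Representative action names used to classify a statement's Action patterns.
WRITE_NAMES = ("oss:PutObject", "oss:DeleteObject", "oss:PutBucketAcl")
READ_NAMES = ("oss:GetObject", "oss:ListObjects")


@dataclass(frozen=True)
class Grant:
    level: str            # "read" or "write"
    resources: tuple      # Resource entries of the statement
    conditional: bool     # True if the statement carries a Condition block


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _level(action_patterns) -> Optional[str]:
    """Map one statement's Action patterns (possibly wildcards) to read/write."""
    def matches(names):
        return any(fnmatch.fnmatchcase(n, p) for p in action_patterns for n in names)
    if matches(WRITE_NAMES):
        return "write"
    if matches(READ_NAMES):
        return "read"
    return None


def anonymous_grants(policy_json: str) -> List[Grant]:
    """Return every Allow statement that grants read or write access to '*'."""
    grants = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(st.get("Principal", [])):
            continue
        level = _level(_as_list(st.get("Action", [])))
        if level:
            grants.append(Grant(level, tuple(_as_list(st.get("Resource", []))),
                                bool(st.get("Condition"))))
    return grants


def bucket_exposure(acl: str, policy_json: str) -> Optional[str]:
    """Worst-case anonymous access from the ACL and unconditional policy grants."""
    levels = {ACL_LEVEL[acl]}
    levels |= {g.level for g in anonymous_grants(policy_json) if not g.conditional}
    if "write" in levels:
        return "write"
    if "read" in levels:
        return "read"
    return None


# Constructed sample bucket policy; the bucket name and account ID are illustrative.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        # Public read of a static-assets prefix: expected for a website bucket.
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:site-assets/public/*"]},
        # Anonymous oss:* on an uploads prefix: anyone can write or delete here.
        {"Effect": "Allow", "Action": "oss:*", "Principal": ["*"],
         "Resource": ["acs:oss:*:*:site-assets/uploads/*"]},
        # Anonymous write limited by source IP: listed for review, not counted.
        {"Effect": "Allow", "Action": ["oss:PutObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:*:site-assets/partner/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
        # Grant to a specific RAM user, not anonymous: ignored by this check.
        {"Effect": "Allow", "Action": ["oss:*"], "Principal": ["1234567890"],
         "Resource": ["acs:oss:*:*:site-assets/*"]},
    ],
})

if __name__ == "__main__":
    for g in anonymous_grants(SAMPLE_POLICY):
        note = " (conditional)" if g.conditional else ""
        print(f"anonymous {g.level}{note}: {', '.join(g.resources)}")
    print("exposure with private ACL:", bucket_exposure("private", SAMPLE_POLICY))
```

Even though the sample bucket's ACL is private, the second statement makes the bucket anonymously writable, which is what the "OSS - bucket permissions" check alone would miss and why the "OSS - authorization policies" check looks at bucket policies as well.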
References

Perform configuration assessment on cloud services

View and manage configuration risks