
Security Center: Asset exposure analysis

Last Updated: Mar 31, 2026

Asset exposure analysis scans your Alibaba Cloud resources to identify internet-facing security risks—weak passwords, exploitable vulnerabilities, exposed ports, and unprotected components. Results refresh automatically every day, giving you an up-to-date view of your attack surface.

Edition requirements

This feature requires one of the following:

This feature is available only for servers bound to the Ultimate or Enterprise edition.

Supported asset types

Asset exposure analysis covers:

  • Compute and database: ECS instances, Tair (Redis OSS-compatible), ApsaraDB RDS, and ApsaraDB for MongoDB

  • Network: NAT gateways and Server Load Balancer (SLB) instances (reported under Gateways)

  • Software: System components such as OpenSSL and OpenSSH, and AI application components

  • Network exposure: Ports

Assets not deployed on Alibaba Cloud are not supported.

Exposure statistics

The Asset Exposure Analysis page shows the following statistics for assets exposed on the Internet. Results refresh automatically every day.

| Statistic | Description |
| --- | --- |
| Weak Password | Total weak passwords detected on ECS instances and database systems exposed on the Internet. Click the number to view the asset list. |
| Exploitable Vulnerabilities | Total vulnerabilities exploitable by attackers, broken down by severity: high-risk (red), medium-risk (orange), and low-risk (gray). Click the total to open the Vulnerabilities page. |
| Exposed Assets/Public IP Addresses | Counts of ECS instances, Tair (Redis OSS-compatible), ApsaraDB RDS, ApsaraDB for MongoDB, and public IP addresses exposed on the Internet. |
| Gateways | Total NAT gateways and SLB instances exposed on the Internet. Click the number to open the Gateways panel, then click a gateway name to view its details. |
| Exposed Port | Total ports exposed on the Internet. Click the number to open the Exposed Port panel, then click a port number to see which assets use it. |
| Exposed Component | Total system components (such as OpenSSL and OpenSSH) running on ECS instances and exposed on the Internet. Click the number to open the Exposed Component panel, then click a component name to see the associated assets. |
| AI Application Component | Total AI application components exposed on the Internet. Click the number to open the AI Application Component panel, then click a component name to see the associated assets. |

Vulnerability severity levels:

| Color | Severity | Recommended action |
| --- | --- | --- |
| Red | High-risk | Fix as soon as possible. |
| Orange | Medium-risk | Address promptly. |
| Gray | Low-risk | Fix at your convenience. |

Scan asset exposures

Security Center automatically scans exposed assets every day—no manual configuration needed. To get the latest results immediately, run a manual scan.

Before you begin

Make sure the Security Center agent is installed and online on your ECS instance. On the Host page, the Agent column for the instance must show the online icon.

Run a manual scan

  1. Log on to the Security Center console. In the upper-left corner, select the region where your assets are located: China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Asset Exposure Analysis.

  3. On the Asset Exposure Analysis page, click Quick Scan under Asset Exposure Scan.

View scan tasks

Task Management records automatic and manual scan tasks from the last seven days.

  1. Log on to the Security Center console. In the upper-left corner, select the region where your assets are located: China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Asset Exposure Analysis.

  3. On the Asset Exposure Analysis page, click Task Management in the upper-right corner.

  4. On the Task Management page, view the task ID, task type, task time, status, and progress. Filter tasks by Task Type, Task Status (Not Started, Running, Waiting for Data Collection, Data Collection in Progress, Complete, Timeout, Stopped, or Failed), or Task Started At.


  5. To view exposure details for a task, click Details in the Actions column. The details include the number of exposed instances, successfully scanned instances, and failed scans, along with the list of asset instances. Filter results by status or asset instance ID.


View asset exposure details

  1. Log on to the Security Center console. In the upper-left corner, select the region where your assets are located: China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Asset Exposure Analysis.

  3. On the Asset Exposure Analysis page, review the following exposure data.

    Overview data

    The upper part of the page shows aggregate counts for Weak Password and Exploitable Vulnerabilities. Click any number to view the related details.

    Exposed asset list

    Filter assets by vulnerability status, asset group, port, or other dimensions to find exposures across different criteria. If an asset has an AI application tag, it has AI components exposed to the Internet.

    Exposure details for an asset

    Click Exposure Details in the Actions column for an asset to open the details panel. The panel shows the communication link topology of the asset, link details, and detected weak passwords and vulnerabilities. Use the asset dropdown at the top of the panel to switch between assets. Review risk details on the following tabs:

    • Weak Password — View detected weak passwords. Click a weak password item name to go to the asset details page. On the Baseline Risks tab, view all baseline risks detected on that asset. Change weak passwords promptly to prevent unauthorized access and data theft.

    • Exploitable Vulnerabilities / All Vulnerabilities — Click a vulnerability URL to open the vulnerability details page, where you can view vulnerability information and apply the provided fixing suggestions. Fix high-risk vulnerabilities as soon as possible.

    • Risk-related Configurations — Click a detected risk item to go to the Cloud Service page and view risk details and remediation options.

    Communication link topology

    If an ECS instance or database accesses the Internet through multiple methods, the topology shows multiple paths. For example, if an instance uses both a NAT gateway and an SLB instance, the topology shows two paths. Click any asset on a path to switch to that path and view its details. Node colors indicate the severity of vulnerabilities detected on each asset:

    | Color | Meaning |
    | --- | --- |
    | Red | High-risk vulnerabilities detected—exploitable over the Internet. |
    | Orange | Medium-risk vulnerabilities detected—exploitable over the Internet. |
    | Gray | Low-risk vulnerabilities detected, or the default color for Internet nodes. |
    | Green | No weak passwords or exploitable vulnerabilities detected. |

    Color coding applies only to your assets. Other components in the topology, such as Internet nodes, are gray by default.

    Export exposure data

    To export the exposure data as an Excel file, click the Export icon in the upper-right corner above the exposed asset list.
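The multi-path topology and node colors described above can be reproduced offline for triage. The following is an added sketch, not Alibaba Cloud code or API output: it enumerates every Internet-to-asset path and colors each node by its worst vulnerability severity. The inventory, asset names, and function names are constructed for illustration, and only vulnerability severities are modeled because the page does not say which color a weak-password-only asset gets.

```python
from collections import defaultdict

# Severity ranks and colors follow the page's color table.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
COLOR = {3: "red", 2: "orange", 1: "gray", 0: "green"}

def node_color(findings, is_own_asset=True):
    """Return the topology color for a node given its vulnerability severities."""
    if not is_own_asset:
        return "gray"  # Internet nodes are gray by default
    worst = max((SEVERITY_RANK[s] for s in findings), default=0)
    return COLOR[worst]

def exposure_paths(links, target, source="internet"):
    """Enumerate every loop-free path from the Internet to the target asset."""
    graph = defaultdict(list)
    for upstream, downstream in links:
        graph[upstream].append(downstream)
    paths, stack = [], [(source, [source])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph[node]:
            if nxt not in path:  # skip cycles
                stack.append((nxt, path + [nxt]))
    return sorted(paths)

# Constructed sample inventory (hypothetical names): ecs-web-1 is reachable
# through both a NAT gateway and an SLB instance, ecs-web-2 only through SLB.
LINKS = [("internet", "nat-gw-1"), ("internet", "slb-1"),
         ("nat-gw-1", "ecs-web-1"), ("slb-1", "ecs-web-1"),
         ("slb-1", "ecs-web-2")]
FINDINGS = {"ecs-web-1": ["medium", "high"], "ecs-web-2": [],
            "nat-gw-1": ["low"], "slb-1": []}

def render(target):
    """Render each exposure path to the target as 'node[color] -> ...'."""
    return [" -> ".join(
                f"{n}[{node_color(FINDINGS.get(n, []), n != 'internet')}]"
                for n in path)
            for path in exposure_paths(LINKS, target)]

if __name__ == "__main__":
    for asset in ("ecs-web-1", "ecs-web-2"):
        print(asset, *render(asset), sep="\n  ")
```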


What's next

To reduce the internet exposure of ECS instances:

To handle detected vulnerabilities:

To fix weak passwords in your system: