This topic describes how to improve the security of instances when you create and use them.

Background information

Security covers a variety of aspects. Alibaba Cloud guarantees the security of the Alibaba Cloud infrastructure and services such as data centers and virtualization platforms. However, when you use Alibaba Cloud services, you must also follow the best practices for security such as controlling traffic, keeping confidential information, and controlling permissions.

Use the account security features

Alibaba Cloud provides the following account-related security features to help you avoid risks at the account level:
  • Enable multi-factor authentication (MFA) for Alibaba Cloud accounts.

    When MFA is enabled, a dynamic authentication code generated by an MFA device is required in addition to your username and password when you attempt to log on to the Alibaba Cloud Management Console. This way, unauthorized access can be blocked to ensure security of your account in the event of password leaks.

  • Use Resource Access Management (RAM) users and user groups to control access to resources at the account level.

    If multiple users want to use the same resources, we recommend that you do not share your Alibaba Cloud account with these users. If you share the AccessKey pair of your Alibaba Cloud account with other users, confidential information may be leaked, and the security of all resources within your account may be threatened. We recommend that you create RAM users and user groups and grant them the minimum permissions to reduce security risks.

    RAM users can be used to represent employees, systems, and applications within an enterprise. You can grant the minimum access permissions to the RAM users based on your needs. If RAM users have clear responsibilities, you can classify RAM users that have the same responsibilities to the same RAM user group to improve management efficiency. For example, you can perform the following operations:
    1. Create a SysAdmins user group for RAM users who create and use resources and attach policies to grant them permissions to perform all operations.
    2. Create a Developers user group for RAM users who use resources and attach policies to grant them permissions to call the StartInstance, StopInstance, and DescribeInstances operations.
    3. Create RAM users for employees and add them to different groups based on their positions.
    4. Attach policies to deny group users access to the enterprise resources if their IP addresses are from outside the enterprise. This can enhance network security.
    5. If employees change positions from developers to system administrators, move their associated RAM users from the Developers user group to the SysAdmins user group.
    6. If RAM users in the Developers user group require more permissions, modify the policies of the user group to grant more permissions to all RAM users in the group.

    For more information, see Implement access control by using RAM.

  • Use an instance RAM role to ensure the confidentiality of AccessKey pairs.

    To allow applications deployed on an Elastic Compute Service (ECS) instance to call API operations of other Alibaba Cloud services such as Object Storage Service (OSS), Virtual Private Cloud (VPC), and ApsaraDB RDS, do not store AccessKey pairs on the instance, such as by writing an AccessKey pair to configuration files, which increases the risk of leaks.

    We recommend that you assign a RAM role to the instance, and the ECS instance can assume the RAM role. Then, you can use temporary tokens issued by Security Token Service (STS) to call API operations of other Alibaba Cloud services. This ensures the security of your AccessKey pair and helps you implement fine-grained permission control and management by using RAM. For more information, see Overview.

Enable security compliance when you create instances

Alibaba Cloud provides features that meet the requirements of security compliance for instances, such as instance types and disk encryption. You can use them based on your needs.
  • Activate Key Management Service (KMS).

    If you want to encrypt data related to cloud services, we recommend that you activate KMS in advance. You can enable data encryption in cloud services without the need to develop and maintain the cryptographic infrastructure on your own. For example, you can enable disk encryption and trusted boot on ECS instances. For more information, see Activate KMS.

  • Create security-enhanced instances for business scenarios that require high security and enhanced trust.

    Security-enhanced instances provide the trusted computing capability based on Trusted Cryptography Module (TCM) or Trusted Platform Module (TPM) chips. This ensures trusted boot of instances and the security of private data on instances. For more information, see Security-enhanced instance families.

    Example: Select c6t, the security-enhanced compute-optimized instance family. instance-type
  • Enable security hardening for instances that use public images.
    Instances that have security hardening enabled load basic security components when they start. These components can be used to check the security configurations of cloud services for exceptional logons, DDoS attacks, and common vulnerabilities. In addition, assets of the instances can be managed in Security Center in a centralized manner. For more information, see Introduction to Security Center Basic. image-security-enhanced
  • Enable disk encryption.
    Disks are encrypted by using the AES-256 algorithm. You can use the keys managed in KMS to ensure the security of data stored on disks without the need to build or maintain your key management infrastructure. For more information, see Encrypt a system disk and Encrypt a data disk. The following section describes the effect of disk encryption:
    • System disk: Data in the operating system is automatically encrypted. The data is decrypted when it is read.
    • Data disk: After an encrypted data disk is attached to an instance, data stored on the disk, data transmitted between the disk and the instance (excluding data in the operating system), and data transmitted from the instance to a backend storage cluster are automatically encrypted. The data is decrypted when it is read. In addition, snapshots created from encrypted disks and disks created from encrypted snapshots are automatically encrypted.
    For example, you can encrypt the data disk created along with an instance, as shown in the following figure. disk-encryption
  • Use snapshots to back up data for disaster recovery.

    Snapshots are a convenient and efficient method for data disaster recovery. You can create snapshots for a disk to back up data stored on the disk on a regular basis. If the data is exceptional or lost due to system failures or accidental operations, you can use the most recently created snapshot to restore the data to reduce loss. Before you perform high-risk operations, we recommend that you create snapshots to avoid unexpected outcomes.

    For example, you can enable the snapshot service for an instance when you create the instance, as shown in the following figure. This way, snapshots are automatically created for all disks of the instance on a daily basis. auto-snapshot

Build a secure network environment for instances

When you build a network environment for an instance, you can perform operations such as network isolation and network throttling on the instance to reduce the chances of being exposed to attacks.
  • Use security groups to decrease the attack range.
    A security group is a virtual firewall that is used to control the inbound and outbound traffic of instances in the security group. We recommend that you perform the following operations when you use a security group:
    • Use a security group as a whitelist that denies all access by default. You can add rules to allow access to or from specific destinations or sources on specific ports. Security group rules can be configured based on 5-tuples. You can implement fine-grained control of source IP addresses, destination IP addresses, source ports, destination ports, and transport layer protocols. For more information, see Security group quintuple rules.
    • Follow the principle of least privilege when you configure security group rules. For example, to allow connections to port 22 on a Linux instance, we recommend that you add a rule to allow access from specific IP addresses instead of all IP addresses (0.0.0.0/0).

      Alibaba Cloud provides the feature of detecting potential high-risk security groups to help you identify security group rules that do not restrict access.

      If security group rules that do not restrict access are identified, check whether you need to allow traffic on the corresponding port and modify the excessive permissions in a timely manner. For example, if MySQL is installed on your instance, access to the Internet cannot be allowed over port 3306 by default. Modify the current security group rules to deny access from all IP addresses, set priority to the smallest value, and then follow the principle of least privilege to add security group rules that allow access.

    • Make sure that the rules in each security group are simple and clear. A single instance can be added to multiple security groups. A single security group can contain multiple rules. If an excessive number of rules are applied to an instance, management complexity is increased, and risks are introduced.
    • Add instances that serve different purposes to different security groups and separately maintain the security group rules applied to the instances. For example, if you add instances that need to be accessible from the Internet to a single security group, you must add rules to the security group to enable only ports that are used to provide external services, such as ports 80 and 443 because the security group that contains no rules denies all access by default. To ensure that instances accessible from the Internet do not provide other services such as MySQL and Redis, we recommend that you deploy internal services on the instances inaccessible from the Internet and then add these instances to another security group.
    • Make proper use of mutual access between basic security groups. By default, instances in basic security groups can access each other. In some cases, the default mutual access can decrease management complexity. For example, if multiple security groups exist and you want to add complex rules for instances that require access to each other over the internal network, you can create a security group for these instances. However, if the number of instances is large, we recommend that you do not use a security group to manage all instances, which makes it complex to manage the outbound rules of the group.

      Basic security groups can also be configured with internal isolation rules. For more information, see Network isolation within a basic security group.

    • Make proper use of mutual access authorization between basic security groups. For example, in distributed applications, the SG_Web security group is created for the Web service and the SG_Database security group is created for the MySQL database service. You can add a rule to SG_Database to allow all instances in SG_Web to access port 3306 of instances in SG_Database.

      The private IP addresses of instances of the classic network type frequently change. We recommend that you authorize mutual access between security groups and do not enable authorization based on CIDR blocks or private IP addresses.

    • Do not modify the security groups that are used in the production environment. All changes to a security group are automatically applied to the instances in the security group. Before you change a security group, you can clone, change, and debug it in the test environment to ensure that the change does not interrupt the communication between the associated instances.
    • Specify identifiable names and tags for security groups for easy search and management. For more information about tags, see Create or bind a tag.
    For more information about the scenarios and practical suggestions of security group configurations, see the following topics:
  • Use VPC to isolate services of different security levels within an enterprise.
    VPCs are logically isolated from each other based on tunneling technology. You can implement network isolation by using VPC. We recommend that you perform the following operations when you use VPC:
    • Deploy business systems that require strict isolation in different VPCs, such as the production and test environments.
    • You can use vSwitches to divide a VPC into multiple subnets and manage services that have different access policies. For example, you can deploy web services in subnets that can access the Internet and deploy database services in subnets that are completely isolated from the outside.

    For more information about network planning based on business scenarios, see Plan a VPC.

  • Make proper use of jump servers or bastion hosts to defend against internal and external intrusions.
    In a VPC, we recommend that you create dedicated vSwitches for instances used as jump servers. You can access the Internet by assigning elastic IP addresses (EIPs) or configuring port forwarding tables of NAT gateways and control access by using security groups. For example, you can perform the following operations:
    1. Create the SG_Bridge security group for the jump server. You can authorize access to only required ports (such as port 22 on a Linux instance and port 3389 on a Windows instance) and restrict the authorized object to specific IP addresses or CIDR blocks to reduce unauthorized logons to the jump server.
    2. Add the jump server to the SG_Bridge security group.
    3. Configure access rules for the security group to allow the jump server to access instances in other security groups.
      For example, you can add rules to the SG_Current security group and specify the SG_Bridge security group as the authorization object to control access to specific ports by using specific protocols.
      Note When you use the jump server to log on to another instance, we recommend that you preferentially use SSH key pairs. For more information, see Overview.

    Jump servers can enhance security. However, excessive permissions are offered to the jump servers, which makes operation auditing difficult. You can use bastion hosts that are more secure to meet the O&M requirements of access controlling, operation auditing, and security compliance. Alibaba Cloud also provides Bastionhost. For more information, see What is Bastionhost?

  • Allow only required instances to access the Internet.
    Access management can be simplified, and the risks of external attacks can be reduced by allowing required instances to access the Internet in a proper manner. We recommend that you perform the following operations:
    • Most distributed applications contain different layers and groups. Do not assign public IP addresses to instances that cannot access the Internet. If multiple instances can access the Internet, we recommend that you use Server Load Balancer (SLB) to distribute the Internet traffic to improve security and availability. This avoids exposing excessive instances to the Internet and affecting access due to single points of failure of instances. For more information, see What is SLB?
    • If instances that are not assigned public IP addresses in VPCs need to access the Internet, use the SNAT feature of NAT gateways to enable instances without public IP addresses in VPCs to access the Internet. This avoids exposing instances that require only access the Internet to the Internet. For more information about how to specify instances or vSwitches to access the Internet when you create an SNAT entry, see Configure SNAT to access the Internet.

Use security services to build a security defense system

Alibaba Cloud provides a comprehensive range of security services to improve the security of your cloud assets in various scenarios.
  • Use Alibaba Cloud Anti-DDoS services to defend against traffic flood attacks.

    In a DDoS attack, multiple computers launch coordinated attacks against one or more intended servers by using malicious programs. The attack undermines the performance or consumes network bandwidth and causes the intended servers to be unable to provide services.

    Alibaba Cloud provides the Anti-DDoS Origin and Anti-DDoS Premium services. Anti-DDoS Origin enhances the DDoS attack defense capability for instances such as ECS instances, SLB instances, Web Application Firewall (WAF) instances, and EIPs that have public IP addresses assigned and is applicable to the business whose resources are deployed on the cloud. When the traffic exceeds the default scrubbing threshold that is predefined in Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks. For more information about how to customize the traffic scrubbing threshold, see Configure a traffic scrubbing threshold.

    Anti-DDoS Origin provides a basic defense capacity of up to 5 Gbit/s against DDoS attacks for free. By default, Anti-DDoS Origin is enabled. If you need advanced defense capacity, purchase other paid editions of Anti-DDoS services. For more information, see Overview.

  • Connect instances to Security Center to defend against system security vulnerabilities.

    Security Center Basic provides free basic features to harden the security of your instances. You can use these features to detect risks on your instances, such as exceptional logons, DDoS attacks, common vulnerabilities, and configuration risks of Alibaba Cloud services. For more information, see Introduction to Security Center Basic.

    Security Center Basic detects risks, but cannot handle these risks. If you need features such as vulnerability fixing and proactive defense, go to the Security Center console to purchase a paid edition of Security Center.

    Paid editions of Security Center provide the following features in addition to basic security hardening capabilities:
    • Vulnerability fixing: fixes Linux software vulnerabilities and Windows system vulnerabilities. Vulnerabilities can lead to long-standing security risks. Security Center can detect vulnerabilities in a timely manner and improve vulnerability fixing efficiency.
    • Virus defense: provides the antivirus feature to scan for persistent viruses and generates alerts when persistent viruses are detected. This feature also supports virus deep cleaning and data backup to prevent viruses from intruding your instances.
    • Security alerting: generates alerts when Security Center detects web tampering proofing, web shells, exceptional logons, suspicious processes, and malicious processes. You can identify the security threats to your assets based on these alerts.

    For more information about the features of Security Center, see Features.

  • Purchase Alibaba Cloud WAF to defend against application security vulnerabilities.

    WAF identifies malicious traffic, scrubs and filters the traffic, and then forwards normal traffic to your web server. WAF protects your web server against attacks and ensures the security of your data and business.

    When you use WAF, your instance can defend against common web application attacks and mitigate HTTP attacks without the need to install hardware or software or adjust route configurations. This improves the security of websites. For more information about how to enable WAF, see Quick start.

    When WAF is used with Anti-DDoS services and Security Center, the protection capability can be enhanced, and business security can be improved in a comprehensive manner.

Complete security configurations in the instance operating system

Proper security configurations in the operating system of an instance can reduce the risk of being intruded.
  • Improve the security of logon configurations.
    • Linux instances:
      • Use only SSH key pairs to log on to Linux instances. An SSH key pair is a pair of public and private keys that are generated based on an encryption algorithm. By default, 2048-bit RSA key pairs are used. SSH key pairs are more secure and convenient than passwords. For more information about how to use SSH key pairs and their features, see Overview and Connect to a Linux instance by using an SSH key pair.
      • Do not log on to a Linux instance by using a root user. Use another user as the administrator. If the user wants to perform operations that require the administrator permissions, run the sudo command to grant the administrator permissions to the user.
    • Windows instances: Use a strong password. The password must be 8 to 30 in length and must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters ( ( ) ` ~ ! @ # $ % ^ & * _ - + = | { } [ ] : ; ' < > , . ? /). We recommend that you include special characters in the password. When you use a password to log on to an instance, we recommend that you change the password on a regular basis.
  • Protect service ports.

    When an instance is used to provide services, the service ports of the instance are enabled. The more service ports are enabled, the higher the potential risk. We recommend that you enable only required service ports, modify the default port numbers of the service ports to port numbers that are greater than 30000, and use firewalls and security groups to control access to the ports. For more information about how to modify the default remote port of an instance, see Modify the default remote port of an instance.

    For example, you can access the database services only over the internal network to avoid exposing the database services to the Internet. If you want to access the database services over the Internet, you can modify the default port number (such as port 3306 for MySQL databases) to a higher port number and authorize specific IP addresses to access the database services.

  • Do not use weak passwords.

    If you use weak passwords that are easy to guess and crack, your instances may be prone to unauthorized access or be destroyed, and your data may be stolen. We recommend that you set a complex password and change it on a regular basis.

Follow the best practices for security when you use services

In addition to using security services and making security configurations, you must also follow the best practices for security to avoid leaks of confidential information such as AccessKey pairs and logon passwords and use the audit features to track the use of the confidential information when you complete the security configurations and use security services.
  • Properly keep and use confidential information.
    • AccessKey pairs of Alibaba Cloud accounts are equivalent to the logon passwords used to call API operations of cloud services. AccessKey pairs are also important identity credentials to access cloud resources. We recommend that you perform the following operations:
      • Use the AccessKey pairs of RAM users instead of those of Alibaba Cloud accounts and follow the principle of least privilege to grant permissions to RAM users. This avoids threats to the security of all resources within the account due to the leaks of the AccessKey pair of the account.
      • Do not write AccessKey pairs into code to avoid accidental leaks along with the code.
      • Change AccessKey pairs on a regular basis to ensure that online business is not affected if the previous AccessKey pairs are leaked.
      • Delete AccessKey pairs that are no longer needed.
      • Enable ActionTrail and store operation logs in OSS buckets and Log Service Logstores.
      • Take note of the AccessKey pair leak notifications from Security Center. By default, the AccessKey pair leakage check feature of Security Center is enabled. If AccessKey pairs leaked on GitHub are detected, Security Center sends you a notification so that you can respond in a quick manner and minimize the negative impacts.
    • To ensure the security of key pairs and passwords, we recommend that you perform the following operations:
      • Use different keys and passwords on different platforms to avoid threats to the security of all resources on the platforms due to the leaks of the keys and passwords.
      • Do not share keys and passwords between different users on instances.
      • Keep the purpose of a key simple. For example, do not use the keys used to log on to instances for other scenarios.
    • Use KMS to manage confidential information and do not store passwords and keys in plaintext.

    For more information, see Best practices to prevent AccessKey pair leaks.

  • Encrypt data in transit.

    Use encryption protocols such as Transport Layer Security (TLS) 1.2 or later to encrypt sensitive data transmitted between instances and clients, and configure security groups and firewalls in the operating system to ensure that only encrypted communications are allowed between instances and sensitive remote network services.

  • Enable ActionTrail.
    After you enable ActionTrail, the events of all accounts can be recorded and stored in an OSS bucket or a Log Service Logstore. You can implement security analytics, resource change tracking, and compliance auditing based on these records. For more information, see Create a single-account trail. The following examples show the applications of ActionTrail:
    • Analyze information such as the logon time, logon IP addresses, and whether MFA is enabled to determine whether the account has security risks such as exceptional logons.
    • Use RAM to manage the identities of multiple members in an organization and obtain the detailed operation records to meet the compliance auditing requirements of the organization.
    • In the event of exceptional changes to the state of resources, such as an exceptional shutdown of an instance, use the operation logs to search for information such as the operator, operation time, and operation IP addresses to identify and troubleshoot the exception.