Security monitoring integrates ACK with Security Center to detect runtime threats and generate real-time alerts across four security domains: runtime alerts, vulnerabilities, baseline risks, and container firewall alerts. This topic describes how to view and act on security events from the ACK console.
Prerequisites
Before you begin, ensure that you have:
An ACK cluster. For more information, see Create an ACK managed cluster.
Security Center activated. For more information, see Purchase Security Center.
For Resource Access Management (RAM) users only: the AliyunYundunSASReadOnlyAccess system policy attached to the RAM user, so that the user can read Security Center data.
How it works
Cloud-native applications run in containers after passing API server authentication and admission control. Security monitoring extends the zero trust principle to the runtime layer: Security Center continuously monitors your cluster and surfaces threats as they occur. Alerts appear on the cluster details page in real time, covering four security domains:
| Security domain | What it detects |
|---|---|
| Alerts | Runtime threats: use of malicious container images, attacks by viruses or malware in containers and hosts, container intrusions, container escapes, and high-risk operations |
| Vulnerabilities | Linux and application vulnerabilities detected in cluster assets |
| Baseline risks | Configuration weaknesses in Elastic Compute Service (ECS) instance operating systems, databases, software, and containers |
| Container firewall alerts | Network-level threats blocked or flagged by the container firewall |
View security monitoring
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find your cluster and click its name. In the left-side navigation pane of the cluster details page, choose Security > Security Monitoring.
On the Security Monitoring page, review the information across the four sections described below.
Work with alerts
The Alerts section displays security events triggered at runtime, including use of malicious container images, attacks by viruses or malware in containers and hosts, container intrusions, container escapes, and high-risk operations. For background on alert types, see Overview.
Click the Alerts section to expand the alert list, then take one of the following actions:
Handle an alert: Click Handle in the Actions column. In the dialog box, choose to add the alert to the whitelist or ignore it.
Investigate an alert: Click Details in the Actions column to view the event time, affected assets, and process ID. On the Details page, open the Diagnosis tab to trace the event source and view raw data.
Manage vulnerabilities
The Vulnerabilities section lets you view and remediate Linux and application vulnerabilities across your cluster assets. For more information, see Vulnerability Management.
Click the Vulnerabilities section to expand the vulnerability list, then take one of the following actions:
View and fix a vulnerability: Click the vulnerability name or click Handle in the Actions column to see details and pending fixes. The details view includes remediation suggestions, and you can fix vulnerabilities, verify fixes, and review additional details directly from the list.
Look up a CVE: Click CVE ID next to a vulnerability to open the Alibaba Cloud vulnerability library for the full CVE details.
Review baseline risks
The Baseline Risks section surfaces configuration weaknesses in ECS instance operating systems, databases, software, and containers. Addressing these risks reduces your exposure to intrusions and helps meet security compliance requirements. For more information, see Baseline check.
Click the Baseline Risks section to expand the risk list. Click Details in the Actions column of a risk to view its description and the affected assets.
Review container firewall alerts
The Alerts Generated by Container Firewall section shows network-level threats detected by the container firewall. When attackers exploit vulnerabilities or malicious images to access your cluster, the container firewall can generate alerts or block the attack. For more information, see Overview.
Click the Alerts Generated by Container Firewall section to expand the alert list. Each entry includes the severity level, alert name, source, targeted network objects, ports, clusters, and defense mode.
To update the rule that triggered an alert, click Edit Rule in the Actions column.