Identities and permissions
Account settings should adhere to the principle of least privilege.
Assign permissions within user groups to ensure separation of duties and streamline permission updates.
Utilize RAM users for cloud resource access instead of Alibaba Cloud accounts, configuring RAM user permission policies appropriately.
Access cloud resources using instance roles or temporary credentials (STS) rather than cloud accounts or RAM users' AccessKeys, and limit the scope of permissions as much as possible.
Conduct regular audits to remove unnecessary users, roles, permissions, keys, or credentials, and rotate keys periodically for users and applications.
Never expose AccessKey ID and AccessKey Secret. Avoid embedding AccessKey plaintext in code or storing it in locations that are accessible to others, such as GitHub.
Change passwords regularly, ensuring they comply with password strength requirements.
Create complex account passwords that are unique to each platform to mitigate security risks from potential password breaches. Do not share passwords or key pairs between different accounts on the same host.
Infrastructure security
Consider the following suggestions for isolating network resources:
Appoint a network administrator to manage security groups and network ACLs and to enable traffic logs centrally.
Separate production and non-production environments.
Employ network ACLs to limit access to sensitive data and configure security groups to minimize the attack surface.
Isolate network resources and preconfigure large subnets to avoid subnet overlap.
Base security group configurations on the source and destination addresses of access, not on resources. Maintain only the necessary ports for business operations in both public and private network security groups.
Avoid setting 0.0.0.0/0 as an authorization object. Using 0.0.0.0/0 means the ports covered by the rule are exposed to every source address.
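As an added example (not from this page or from Alibaba Cloud's own tooling), the following Python audits two of the recommendations above over constructed sample data: RAM policy statements that grant every action on every resource, and security group ingress rules that authorize 0.0.0.0/0. The rule field names (direction, policy, port_range, source_cidr) are assumptions, not the shape of any real API response.

```python
import ipaddress
import json

# Constructed RAM policy document in the standard RAM layout (Version "1",
# Statement list). The second statement is the anti-pattern to catch.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed security group rules; field names are assumptions for this example.
SAMPLE_RULES = [
    {"direction": "ingress", "policy": "accept", "port_range": "22/22", "source_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "policy": "accept", "port_range": "443/443", "source_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "policy": "accept", "port_range": "3306/3306", "source_cidr": "10.0.1.0/24"},
    {"direction": "egress", "policy": "accept", "port_range": "-1/-1", "source_cidr": "0.0.0.0/0"},
]


def admin_equivalent_statements(policy_json):
    """Return indices of Allow statements with Action "*" on Resource "*",
    i.e. grants that are the opposite of least privilege."""
    hits = []
    for i, s in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if s.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            hits.append(i)
    return hits


def wide_open_ingress(rules, allowed_public_ports=frozenset({80, 443})):
    """Return port ranges of accept-ingress rules whose source is 0.0.0.0/0,
    skipping single ports that are deliberately public (web front ends)."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or r["policy"] != "accept":
            continue
        if ipaddress.ip_network(r["source_cidr"], strict=False).prefixlen != 0:
            continue  # only a /0 prefix means "every source address"
        lo, hi = (int(p) for p in r["port_range"].split("/"))
        if lo == -1 or not (lo == hi and lo in allowed_public_ports):
            findings.append(r["port_range"])  # -1/-1 means all ports
    return findings
```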
Data security and protection
Employ secure images.
Encrypt disk data.
Ensure disaster recovery by backing up snapshots.
Monitoring and auditing
Audit account operations regularly.
It is advisable to utilize Alibaba Cloud services like ActionTrail to log management console operations and OpenAPI call activities for the current account.