All Products
Search
Document Center

Elastic Compute Service:Application security

Last Updated:May 15, 2026

Protect ECS instances with host security, vulnerability management, network firewalls, and traffic security for web applications.

  • Host security protection

    Hosts serve as hubs where cloud services such as web applications, databases, and Object Storage Service (OSS) converge. Effective host security services provide antivirus and threat detection capabilities to defend against viruses and hacker attacks.

  • Vulnerability management

    Use Security Center to discover and remediate vulnerabilities on ECS instances. You can also use the patch management feature of Operation Orchestration Service (OOS) to batch-patch and automatically install missing patches on ECS instances.

  • Network security protection for web applications

    Configure Cloud Firewall or security groups to confine attacks to a limited scope during virus intrusions without affecting overall business.

  • Traffic security protection for web applications

    Web application attacks remain a major source of Internet security threats, targeting not only traditional webpages but also APIs and miniapps. Use Web Application Firewall (WAF) and Anti-DDoS services to defend against traffic and vulnerability attacks and prevent business interruptions.

  • Regular operation audit

    Use ActionTrail events to perform risk, exception, and behavior analysis and trace back application security operation chains to identify defects.

Host security protection

  • Feature introduction

    Security Center Basic protects ECS instances with vulnerability detection, unusual logon detection, AccessKey pair leak detection, and compliance check. See Security Center Basic.

    Note

    For additional features such as vulnerability fixing, anti-ransomware, and website tamper-proofing, see Purchase Security Center.

  • Configuration methods

    • ECS console: When you create ECS instances, select Free Security Hardening to enable Security Center features such as vulnerability detection and compliance check.

      image

      Note

      You can also call the RunInstances operation with SecurityEnhancementStrategy set to Active to enable security hardening.

    • Security Center console: Install the Security Center agent on existing ECS instances. See Install the agent.

  • Check the security status of ECS instances

    • ECS console: On the Instance page, hover over the 云安全中心图标.png icon in the Monitoring column to check the security status. Click Process Now to view alert details. Handle high-severity risks promptly to prevent business impact.中危安全告警.png

    • Security Center console: In the left-side navigation pane, choose Assets > Host to view the security details of an ECS instance. See Manage servers.

Vulnerability management

Scan for and handle vulnerabilities

  • Feature introduction

    Security Center detects security vulnerabilities in operating systems, web content management systems, and applications, assesses severity, and prioritizes remediation. You can fix vulnerabilities with a few clicks to reduce the attack surface.

    Security Center Basic automatically scans for Linux software, Windows system, and Web-CMS vulnerabilities every two days. You can also trigger manual scans. Paid editions additionally update vulnerability information automatically and fix vulnerabilities. See Overview.

  • Configuration methods

    Scan for vulnerabilities regularly and fix detected issues. See Vulnerability scanning and Manage vulnerabilities.

Use patch baseline to automatically update security patches

  • Feature introduction

    OOS patch management automatically installs security and other patches on ECS instances. You can install service packs on Windows instances, update minor versions on Linux instances, and batch-patch multiple instances that run the same operating system. The feature also scans for missing patches and installs them automatically. See Patch Management Overview.

  • Configuration methods

    Use patch management to automatically scan, download, and install required system patches on ECS instances.

Network security protection for web applications

Configure Cloud Firewall

Configure security groups

  • Feature introduction

    A security group is a virtual firewall that controls inbound and outbound traffic of ECS instances. Configure inbound rules to control traffic to instances and outbound rules to control traffic from instances. See Overview.

  • Configuration methods

    Specify one or more security groups when you create an ECS instance, or add an existing instance to security groups.

Traffic security protection for web applications

Configure WAF

  • Feature introduction

    WAF filters malicious traffic destined for websites and applications and forwards clean traffic to web servers, protecting against intrusion. See What is WAF?

  • Configuration methods

    Add the ports of an ECS instance to WAF to forward web traffic through WAF for inspection. WAF filters malicious traffic and forwards clean traffic to the instance. See Enable WAF protection for ECS instances.

Anti-DDoS Basic

  • Feature introduction

    Anti-DDoS Basic provides free DDoS mitigation ranging from 500 Mbit/s to 5 Gbit/s for ECS instances. See What is Anti-DDoS Basic?

    Note

    Advanced editions such as Anti-DDoS Origin and Anti-DDoS Proxy provide additional protection. See What is Anti-DDoS Origin and What is Anti-DDoS Proxy?

    Anti-DDoS Basic monitors inbound traffic to ECS instances in real time. When traffic to an instance with a public IP address exceeds the scrubbing threshold, Anti-DDoS Basic automatically scrubs the traffic.

  • Configuration methods

    Anti-DDoS Basic is activated by default and cannot be deactivated. No manual configuration is required.

Regular operation audit

  • Feature introduction

    ActionTrail monitors and records the operations of your Alibaba Cloud account for security analysis, resource change tracking, and compliance audits. ActionTrail delivers management events to Simple Log Service (SLS) Logstores or OSS buckets for real-time auditing. See What is ActionTrail?

    Query management events for ECS resources in the ActionTrail console. See Audit events of ECS. If an error occurs, query event details to obtain the time, region, and involved instances.

  • Configuration methods

    ECS is integrated with ActionTrail by default. No manual configuration is required.