Alibaba Cloud ECS basic security services include features such as unusual logon detection and vulnerability scanning. You can monitor the security status of your Elastic Compute Service in real time via the ECS console or Security Center.
Background information
Alibaba Cloud Security Center offers complimentary basic security services for Elastic Compute Service, encompassing vulnerability scanning, basic alert notifications, unusual logon detection, AccessKey leak detection, and compliance checks. You can access related security information on the Overview page of the ECS console or the Security Center console. For more information, see What is Security Center.
Billing overview
The billing overview for basic security services is as follows:
- Basic security services for Elastic Compute Service are available at no cost. For details, see Introduction to the free edition of Security Center.
- To upgrade to the Pro or Enterprise edition of Security Center, you can try or purchase the service at no initial cost in the Security Center console. For billing details on the Pro or Enterprise edition of Security Center, see Billing overview.
Use the Security Center client
The Security Center client is a lightweight agent installed on Elastic Compute Service instances. Instances without the Security Center client will not benefit from Security Center protection, and the ECS console will not display information such as vulnerabilities, alerts, baseline vulnerabilities, and Asset Fingerprints for those assets. For the installation path of the Security Center client, see Operating systems supported by the client.
You can manage the Security Center client as follows:
- Automatically install the Security Center client when creating an ECS instance
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose . In the top navigation bar, select a region.
  3. Create an ECS instance. In the Image section, choose Free Security Hardening. The system automatically installs the Security Center client on the new ECS instance. For more information, see Customize instance purchase.
  Note: You can also automatically install the Security Center client on the new ECS instance by setting SecurityEnhancementStrategy=Active when calling RunInstances.
- Manually install the Security Center client on existing ECS instances
  For specific steps, see Install the client.
- Uninstall the Security Center client
  For specific steps, see Uninstall the client.
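As an added example (not part of the Alibaba Cloud documentation or SDK), the following Python pre-flight check audits a batch of planned RunInstances calls and forces SecurityEnhancementStrategy=Active wherever the parameter is missing or set to Deactive, so that no instance is created without the Security Center client. The {"calls": [...]} wrapper, the instance names and the placeholder image ID are constructed for this example.

```python
import json

# Constructed sample: three planned RunInstances calls, as a pipeline might
# export them before execution. Keys mirror RunInstances parameters; the
# {"calls": [...]} wrapper is an assumption of this example, not an ECS format.
PLANNED_CALLS_JSON = """
{"calls": [
  {"Name": "web-01", "RegionId": "cn-hangzhou", "ImageId": "IMAGE-ID-PLACEHOLDER",
   "InstanceType": "ecs.g6.large", "SecurityEnhancementStrategy": "Active"},
  {"Name": "db-01", "RegionId": "cn-hangzhou", "ImageId": "IMAGE-ID-PLACEHOLDER",
   "InstanceType": "ecs.g6.large", "SecurityEnhancementStrategy": "Deactive"},
  {"Name": "batch-01", "RegionId": "cn-hangzhou", "ImageId": "IMAGE-ID-PLACEHOLDER",
   "InstanceType": "ecs.g6.large"}
]}
"""

PARAM = "SecurityEnhancementStrategy"   # RunInstances parameter from the page
VALID = {"Active", "Deactive"}          # documented values for the parameter


def audit_call(params):
    """Return why this call would skip the Security Center client, or None."""
    value = params.get(PARAM)
    if value == "Active":
        return None
    if value is None:
        return "missing %s; the client is not installed by default" % PARAM
    if value not in VALID:
        return "invalid %s=%r (expected Active or Deactive)" % (PARAM, value)
    return "%s=Deactive explicitly skips the Security Center client" % PARAM


def harden_plan(plan_json):
    """Audit each planned call; return (hardened_calls, findings_by_name)."""
    plan = json.loads(plan_json)
    hardened, findings = [], {}
    for call in plan["calls"]:
        finding = audit_call(call)
        fixed = dict(call)           # copy, so the original plan is untouched
        if finding:
            findings[call["Name"]] = finding
            fixed[PARAM] = "Active"  # force the client to be installed
        hardened.append(fixed)
    return hardened, findings


if __name__ == "__main__":
    print(json.dumps(harden_plan(PLANNED_CALLS_JSON)[1], indent=2))
```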
View security status and fix security issues
To view the security status of Elastic Compute Service and address security issues, follow these steps:
1. Log on to the ECS console.
2. In the left-side navigation pane, choose .
3. In the top navigation bar, select the region and resource group to which the resource belongs.
4. On the instance list page, find the target instance and click the Monitor icon under the column to go to the Security Center console and view the security report.
5. In the Security Center console, remediate the identified vulnerabilities and security alert events. For specific remediation methods, see Fix vulnerabilities and View and handle security alerts.
Common security issue scenarios
Familiarize yourself with common scenarios of vulnerabilities and security alert events in Vulnerability classification and scenarios and Security alert event scenarios.
Set alert notifications
Basic security services enable you to configure alert notifications for security events. Notifications can be delivered via internal message. Configure alert notifications by following these steps:
1. Log on to the ECS console.
2. On the Overview page, click the Security Score section after the pending tasks, and then click Handle Now to go to the Security Center console.
3. In the left-side navigation pane, choose .
4. In the Security Alerts section, select the alert level, and specify the notification method and timing. For details on security alert levels, see Classification of security alert risk levels.
Note: If you have upgraded to the Pro or Enterprise edition of Security Center, see Overview of security alerts for additional notification options.
Classification of security alert risk levels
Security Center categorizes alerts into the following risk levels:
| Risk level | Description |
| --- | --- |
| Urgent | Urgent alerts are triggered by behavior that causes damage or imposes persistent impacts on your assets. This type of behavior resembles common attacks such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle them at the earliest opportunity. |
| Suspicious | Suspicious alerts are triggered by behavior that causes damage or imposes persistent impacts on your assets. This type of behavior resembles some O&M behavior, such as the suspicious addition of users. It may also appear in an attack path but is not required for one: your assets can be attacked even if this behavior is absent. For example, deleting the traces left by an attack is not a required step in an attack path. Suspicious alerts indicate that your assets have a certain probability of being attacked. We recommend that you view the details of the alerts and check whether risks exist. If risks exist, handle them. |
| Reminder | Reminder alerts are triggered by behavior that is not required in an attack path; your assets can be attacked even if this behavior is absent. This type of behavior resembles some O&M behavior, such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts. |