Detect unusual logons, scan for vulnerabilities, and monitor the real-time security status of ECS instances in the ECS console or Security Center console.
Background
Security Center provides free basic security services for ECS instances, including vulnerability scanning, alert notifications, unusual logon detection, AccessKey pair leak detection, and compliance checks. View this information on the Overview page of the ECS console or in the Security Center console.
Billing
Note the following billing details:
- Basic security services for ECS instances are free of charge. See Introduction to the Free Edition of Security Center.
- To upgrade to the Premium or Enterprise Edition, start a free trial or purchase the service in the Security Center console. See Billing description for edition pricing.
Use the Security Center agent
The Security Center agent is a lightweight component installed on ECS instances. Instances without the agent are not protected by Security Center, and their security data (such as vulnerabilities, alerts, baseline checks, and asset fingerprints) does not appear in the ECS console. See Supported operating systems for agent installation paths.
Manage the Security Center agent as follows:
- Automatically install the agent when creating an ECS instance
  - Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.
  - Create an ECS instance. In the Images section, select Free Security Hardening. The agent is automatically installed on the new instance. See Create an instance using the wizard.
    You can also set SecurityEnhancementStrategy=Active when you call the RunInstances operation.
- Manually install the agent on an existing ECS instance
  See Install the agent.
- Uninstall the agent
  See Uninstall the agent.
View security status and fix security issues
To view and fix security issues for an ECS instance:
- Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.
- On the Instances page, find the instance and click the icon in the Monitoring column to open the Security Center console.
- Go to the Security Center console to fix vulnerabilities and process security alerts.
Common security scenarios
For common vulnerability and security alert scenarios, see Vulnerability categories and scenarios and Security alert scenarios.
Set alert notifications
Basic security services send alert notifications as internal messages. Configure alert notifications as follows:
- On the Overview page, hover over a pending task in the area and click Handle in the Security Score area to open the Security Center console.
- In the left-side navigation pane, choose .
- In the Alert section, select alert levels and configure notification methods and schedule. See Risk levels of security alerts for alert level definitions.
If you upgraded to the Premium or Enterprise Edition, see Overview of security alerts for Cloud Workload Protection Platform (CWPP) for additional notification methods.
Risk levels of security alerts
Security Center classifies alerts into the following risk levels:
| Risk level | Description | Recommended action |
| --- | --- | --- |
| Urgent | | Respond immediately. Recommended actions: quarantine the asset, block suspicious network connections, and preserve the attack scene. |
| Suspicious | | Investigation required. Check whether the activity is a scheduled operation. If so, add the behavior to an allowlist. Otherwise, treat it as an Urgent alert. |
| Reminder | Indicates non-essential attack activity that resembles normal operations, such as a process listening on a suspicious port. | Audit and optimize. Use these alerts to identify non-compliant configurations or potential risks. We recommend that you regularly review and optimize your security policies. No immediate action is required. |