Alibaba Cloud ECS offers basic security services that include unusual logon detection and vulnerability scanning. You can monitor the security status of your ECS instances in real time via the ECS console or Security Center.
Background information
Alibaba Cloud Security Center provides complimentary basic security services for ECS instances, such as vulnerability scanning, basic alert notifications, unusual logon detection, AccessKey leakage detection, and compliance checks. You can access related security information on the Overview page of the ECS console or within the Security Center console. For more information, see What is Security Center.
Billing overview
The billing details for basic security services are as follows:
- Basic security services for ECS instances are provided at no cost. For more information, see Introduction to the free edition of Security Center.
- To upgrade to the Pro or Enterprise edition of Security Center, you can start a free trial or purchase the service in the Security Center console. For billing details of the Pro or Enterprise edition, see Billing overview.
Use the Security Center agent
The Security Center agent is a lightweight security control installed on ECS instances. Without the agent, ECS instances are not protected by Security Center, and the ECS console will not display their security data, such as vulnerabilities, alerts, baseline vulnerabilities, and asset fingerprints. For the agent's installation path, see Supported operating systems for the client.
The following operations can be performed on the agent:
- Automatically install the Security Center agent when creating an ECS instance
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose . In the top navigation bar, select a region.
  3. Create an ECS instance. In the Image section, select Free Security Hardening. The system automatically installs the agent on the new ECS instance. For more information, see the referenced document.
  Note: The agent can also be installed automatically on new ECS instances by setting SecurityEnhancementStrategy=Active when you call RunInstances.
- Manually install the Security Center agent on an existing ECS instance
  For more information, see Install the client.
- Uninstall the agent
  For more information, see Uninstall the client.
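The RunInstances setting from the note above, written as a Terraform resource so that every instance created from code gets the agent at launch (an added example, not from the Alibaba Cloud documentation). It assumes the Terraform alicloud provider, whose alicloud_instance resource exposes the RunInstances parameter as security_enhancement_strategy; the image, vSwitch, security group IDs and instance type are placeholders.

```hcl
# Added example: create an ECS instance with the Security Center agent
# installed automatically (RunInstances SecurityEnhancementStrategy=Active).
# All IDs below are placeholders; replace them with values from your account.
resource "alicloud_instance" "hardened" {
  instance_name   = "hardened-web-01"        # placeholder name
  image_id        = "<IMAGE_ID>"              # placeholder
  instance_type   = "ecs.g7.large"            # assumed instance type
  vswitch_id      = "<VSWITCH_ID>"            # placeholder
  security_groups = ["<SECURITY_GROUP_ID>"]   # placeholder

  # Maps to the RunInstances parameter SecurityEnhancementStrategy.
  # "Active" installs the Security Center agent on the new instance.
  # The other accepted value, "Deactive", leaves the instance without the
  # agent, so Security Center reports no vulnerabilities, alerts or
  # baseline data for it, as the section above describes.
  security_enhancement_strategy = "Active"
}
```

Reviewing `terraform plan` output for instances where this argument is missing or set to "Deactive" is a quick way to catch launches that would bypass the agent.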
View security status and fix security issues
Follow these steps to view the security status of ECS instances and address security issues:
1. Log on to the ECS console.
2. In the left-side navigation pane, choose .
3. In the top navigation bar, select the region and resource group to which the resource belongs.
4. On the instance list page, find the target instance and click the icon in the Monitoring column to go to the Security Center console and view the cloud security report.
5. In the Security Center console, fix the detected vulnerabilities and handle the security alert events. For specific methods, see Fix vulnerabilities and View and handle security alerts.
Common scenarios of security issues
For common vulnerability and security alert event scenarios, see Vulnerability classification and scenarios and Security alert event scenarios.
Set alert notifications
Basic security services allow you to configure alert notifications for security alert items. Notifications are sent as internal messages. To configure alert notifications, follow these steps:
1. Log on to the ECS console.
2. On the Overview page, click Security Score in the pending tasks area, and then click Handle Now to go to the Security Center console.
3. In the left-side navigation pane, choose .
4. In the Security Alerts section, select the alert level and configure the notification method and time. For more information about alert levels, see Classification of security alert risk levels.
Note: If you have upgraded to the Pro or Enterprise edition of Security Center, see Security alert overview for additional notification methods.
Classification of security alert risk levels
Security Center classifies alerts into the following risk levels:
| Risk level | Description |
|---|---|
| Urgent | Urgent alerts are triggered by behavior that causes damage or imposes persistent impacts on your assets. This type of behavior resembles common attacks such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle them at the earliest opportunity. |
| Suspicious | Suspicious alerts are triggered by behavior that causes damage or imposes persistent impacts on your assets. This type of behavior resembles some O&M behavior, such as the suspicious addition of users. It may also appear in an attack path, but it is not a necessary step: your assets can be attacked even if this behavior is absent. For example, deleting the traces left by an attack is not a necessary step in an attack path. Suspicious alerts indicate that your assets have a certain probability of being attacked. We recommend that you view the details of the alerts and check whether risks exist. If risks exist, handle them. |
| Reminder | Reminder alerts are triggered by behavior that is not a necessary step in an attack path. Your assets can be attacked even if this behavior is absent. This type of behavior resembles some O&M behavior, such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts. |