
Elastic Compute Service:Enable basic security services

Last Updated:May 15, 2026

Detect unusual logons, scan for vulnerabilities, and monitor the real-time security status of ECS instances in the ECS console or Security Center console.

Background

Security Center provides free basic security services for ECS instances, including vulnerability scanning, alert notifications, unusual logon detection, AccessKey pair leak detection, and compliance checks. View this information on the Overview page of the ECS console or in the Security Center console.

Billing

Note the following billing details:

Use the Security Center agent

The Security Center agent is a lightweight component installed on ECS instances. Instances without the agent are not protected by Security Center, and their security data (such as vulnerabilities, alerts, baseline checks, and asset fingerprints) does not appear in the ECS console. See Supported operating systems for agent installation paths.

Manage the Security Center agent as follows:

  • Automatically install the agent when creating an ECS instance

    1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.

    2. Create an ECS instance. In the Images section, select Free Security Hardening. The agent is automatically installed on the new instance. See Create an instance using the wizard.

    You can also set SecurityEnhancementStrategy=Active when you call the RunInstances

  • Manually install the agent on an existing ECS instance

    See Install the agent.

  • Uninstall the agent

    See Uninstall the agent.

View security status and fix security issues

To view and fix security issues for an ECS instance:

  1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.

  2. On the Instances page, find the instance and click the icon in the Monitoring column to open the Security Center console.

  3. Go to the Security Center console to fix vulnerabilities and process security alerts.

Common security scenarios

For common vulnerability and security alert scenarios, see Vulnerability categories and scenarios and Security alert scenarios.

Vulnerability categories and scenarios

High-risk vulnerabilities

Description: These vulnerabilities directly threaten system security, such as unpatched system vulnerabilities, SQL injection, and weak passwords. Fix them as soon as possible.

Unpatched system vulnerabilities

  Common scenarios:

    • High-risk CVEs in operating systems such as Linux and Windows.

    • Unpatched remote code execution (RCE) vulnerabilities.

  Countermeasures:

    • Regularly check for and install OS and software security patches.

    • Use Security Center vulnerability scanning to fix high-risk vulnerabilities promptly.

  Fixes:

    • For Linux: run yum update, or apt-get update followed by apt-get upgrade, to install updates.

    • For Windows: use Windows Update to install the latest patches.

Web application vulnerabilities

  Common scenarios:

    • SQL injection vulnerabilities that grant direct database access.

    • Remote command execution vulnerabilities, such as Struts2 vulnerabilities.

  Countermeasures:

    • Strictly validate and filter user input.

    • Use WAF to defend against common attacks.

  Fixes:

    • Fix code vulnerabilities. For example, use parameterized queries to prevent SQL injection.

    • Update web frameworks and components to their latest versions.

Service configuration vulnerabilities

  Common scenarios:

    • Services such as Redis and MySQL have no password or are exposed to the Internet.

    • Docker unauthorized access vulnerabilities.

  Countermeasures:

    • Do not expose high-risk services such as Redis and MySQL to the Internet.

    • Set strong passwords and restrict access by IP address.

  Fixes:

    • Bind services to internal IP addresses or configure whitelists in configuration files.

    • Enable authentication, such as the requirepass setting for Redis.

Malware

  Common scenarios:

    • Malicious files such as mining trojans and backdoors.

  Countermeasures:

    • Regularly scan for and remove malicious files.

    • Use Security Center malicious file detection.

  Fixes:

    • Delete malicious files and fix related vulnerabilities.

    • Reset the passwords of affected services.

Weak password risks

  Common scenarios:

    • Services such as SSH, RDP, and FTP use weak or default passwords.

  Countermeasures:

    • Enforce strong passwords: uppercase, lowercase, digits, and special characters.

    • Enable multi-factor authentication (MFA).

  Fixes:

    • Change weak passwords to strong passwords.

    • Disable default accounts or change default passwords.

Medium-risk vulnerabilities

Description: These vulnerabilities can cause moderate harm, such as cross-site scripting (XSS) attacks, file upload vulnerabilities, and unusual logons. Fix them promptly.

Unpatched software vulnerabilities

  Common scenarios:

    • Medium-risk vulnerabilities in middleware such as Apache, Nginx, and Tomcat.

    • Privilege escalation vulnerabilities in databases such as MySQL and PostgreSQL.

  Countermeasures:

    • Regularly update middleware to the latest versions.

    • Disable unnecessary feature modules.

  Fixes:

    • Download and install official patches.

    • Disable high-risk features in configuration files.

Web application vulnerabilities

  Common scenarios:

    • Cross-site scripting (XSS) attacks.

    • File upload vulnerabilities enabling malicious file uploads.

  Countermeasures:

    • Strictly filter and encode user input and output.

    • Restrict upload file types and sizes.

  Fixes:

    • Fix XSS vulnerabilities in the code. For example, use HTML encoding for output content.

    • Add file type validation and virus scanning for uploads.

Configuration risks

  Common scenarios:

    • Web services without HTTPS enabled.

    • High-risk ports such as 22 and 3389 without IP-based access restriction.

  Countermeasures:

    • Enable HTTPS-encrypted communication.

    • Close unnecessary ports.

  Fixes:

    • Configure an SSL certificate and enable HTTPS.

    • Modify security group rules to restrict access to high-risk ports.

Unusual logons

  Common scenarios:

    • Brute-force attacks detected, such as multiple failed logon attempts.

  Countermeasures:

    • Enable logon failure lockout.

    • Restrict logon IP addresses.

  Fixes:

    • Configure Fail2Ban for SSH to prevent brute-force attacks.

    • Modify security group rules to restrict SSH and RDP access by IP address.

Data breach risks

  Common scenarios:

    • Configuration files such as .env files contain sensitive data.

  Countermeasures:

    • Do not store sensitive data in plaintext.

    • Encrypt sensitive data at rest.

  Fixes:

    • Remove sensitive data from configuration files.

    • Use environment variables or KMS to store sensitive data.

Low-risk vulnerabilities

Description: These vulnerabilities have minor impact but can increase risks if unaddressed, such as configuration and compliance issues. Schedule fixes accordingly.

Unpatched low-risk vulnerabilities

  Common scenarios:

    • Low-risk OS or software vulnerabilities, such as information disclosure.

  Countermeasures:

    • Regularly scan for and fix low-risk vulnerabilities.

  Fixes:

    • Install official patches or updates.

Configuration risks

  Common scenarios:

    • Log audit is not enabled.

    • SSL certificates are not updated promptly.

  Countermeasures:

    • Enable log audit and check logs regularly.

    • Update SSL certificates promptly.

  Fixes:

    • Configure a log audit tool, such as Logrotate.

    • Update SSL certificates and configure automatic renewal.

Compliance risks

  Common scenarios:

    • Multi-factor authentication (MFA) is not enabled.

    • Non-compliant with MLPS 2.0 or GDPR requirements.

  Countermeasures:

    • Enable multi-factor authentication (MFA).

    • Adjust configurations to meet compliance requirements.

  Fixes:

    • Enable MFA in the Alibaba Cloud console.

    • Improve security configurations per MLPS 2.0 or GDPR requirements.

Other risks

  Common scenarios:

    • Unused services or ports remain open.

  Countermeasures:

    • Close unused services and ports.

  Fixes:

    • Use systemctl disable to close unused services.

    • Modify security group rules to close unused ports.
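The service configuration row above (Redis bound to the Internet with no requirepass) can be checked mechanically before Security Center flags it. The following is an added example, not Alibaba Cloud code: a small audit of a redis.conf that reports the three weak settings the table names (bind address, protected mode, authentication). The configuration text is constructed, "internal" is taken to mean loopback or RFC 1918 private space, and the 16-character minimum password length is an assumed policy.

```python
import ipaddress

# Constructed sample of a weak redis.conf (not taken from any real host).
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
"""

def parse_redis_conf(text):
    """Return {directive: [values]} for active (uncommented) directives."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and commented-out lines
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def is_internal(addr):
    """True for loopback or private addresses; False for wildcards and public IPs (assumed policy)."""
    if addr in ("*", "0.0.0.0", "::"):
        return False
    try:
        ip = ipaddress.ip_address(addr.lstrip("-"))  # Redis accepts a '-' prefix on optional binds
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private

def audit_redis_conf(text, min_password_len=16):
    """Return findings for the 'service configuration' row: exposure, protected mode, auth."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get("bind")
    if not binds:
        findings.append("bind: not set, Redis listens on all interfaces")
    else:
        for addr in " ".join(binds).split():
            if not is_internal(addr):
                findings.append(f"bind: {addr} is not an internal address")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    password = conf.get("requirepass", [""])[-1]
    if not password:
        findings.append("requirepass: not set, no authentication required")
    elif len(password) < min_password_len:
        findings.append(f"requirepass: password shorter than {min_password_len} characters")
    return findings
```

Running audit_redis_conf on the hardened form of the same file (bind to a private address, protected-mode yes, a long requirepass) returns an empty list.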

Security alert scenarios

See Overview of security alerts for Cloud Workload Protection Platform (CWPP) for alert type details.

Unusual logons

Description: Unusual logon behavior detected.

Common scenarios:

  • Unusual logon location: Logon from a previously unused IP address.

  • Brute-force attack: Multiple failed logon attempts.

  • Unusual logon time: Logon during non-working hours.

Malicious files

Description: Malicious programs or files detected.

Common scenarios:

  • Mining trojan: for example, XMRig.

  • Backdoor program: for example, a webshell.

  • Virus or worm: Malware propagation.

Network attacks

Description: Network attacks against ECS instances detected.

Common scenarios:

  • DDoS attacks: SYN floods, UDP floods, and similar.

  • Port scan: Port scanning on an ECS instance.

  • Brute-force attacks: Brute-force attacks on FTP, MySQL, and similar services.

Data breaches

Description: Sensitive data leaks or unauthorized access detected.

Common scenarios:

  • Sensitive data leak: Database or configuration file leaked.

  • Unauthorized access: Unauthorized user accesses sensitive resources.

Configuration risks

Description: Security risks from improper system or service configurations detected.

Common scenarios:

  • High-risk port exposure: Ports such as 22 and 3389 exposed to the Internet.

  • HTTPS not enabled: Web services lack HTTPS encryption.

Compliance risks

Description: Non-compliant behavior detected.

Common scenarios:

  • MFA not enabled: Multi-factor authentication is disabled.

  • Log audit not enabled: Log audit is disabled.

Other alerts

Description: Other potential security threats or abnormal behavior detected.

Common scenarios:

  • Abnormal process: Unknown malicious program running.

  • File tampering: Critical system files tampered with.
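The brute-force scenario in the alert table (multiple failed logon attempts from one source) is exactly what the Fail2Ban fix recommended for unusual logons automates. As an added example, not part of this document or of Security Center, the script below applies the same sliding-window rule to sshd log lines: a source IP is flagged once it accumulates maxretry failures inside any findtime window (the defaults mirror Fail2Ban's 5 retries in 10 minutes). The log lines are constructed, the year is supplied because syslog timestamps lack one, and the host name ecs-web is fictitious.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (not captured from any real host).
SAMPLE_LOG = """\
Mar 10 09:15:01 ecs-web sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:15:03 ecs-web sshd[1203]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:15:05 ecs-web sshd[1205]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:15:06 ecs-web sshd[1207]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
Mar 10 09:15:08 ecs-web sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
Mar 10 09:15:09 ecs-web sshd[1211]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 09:40:00 ecs-web sshd[1300]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar 10 09:55:00 ecs-web sshd[1301]: Failed password for root from 198.51.100.9 port 41001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, user) per failed-password line; syslog has no year, so one is supplied."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def detect_bruteforce(log_text, maxretry=5, findtime=600):
    """Flag a source IP once it has >= maxretry failures inside any findtime-second window
    (the same rule a Fail2Ban sshd jail applies). Returns {ip: time_of_the_triggering_failure}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

With the sample above, 203.0.113.7 is flagged at its fifth failure (09:15:09), while the two failures from 198.51.100.9 fifteen minutes apart never fall inside one ten-minute window and are not flagged.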

Set alert notifications

Basic security services send alert notifications as internal messages. Configure alert notifications as follows:

  1. Go to the ECS console.

  2. On the Overview page, hover over a pending task in the Security Score area and click Handle to open the Security Center console.

  3. In the left-side navigation pane, choose System Configurations > Notification Settings.

  4. In the Alert section, select alert levels and configure notification methods and schedule. See Risk levels of security alerts for alert level definitions.

    If you upgraded to the Premium or Enterprise Edition, see Overview of security alerts for Cloud Workload Protection Platform (CWPP) for additional notification methods.

Risk levels of security alerts

Security Center classifies alerts into the following risk levels:

Urgent

Description:

  • Indicates activity that closely resembles a known attack pattern and can cause destructive or persistent damage to an asset, such as a reverse shell.

  • This level means the asset is likely under active attack.

Recommended action: Respond immediately. Quarantine the asset, block suspicious network connections, and preserve the attack scene.

Suspicious

Description:

  • Indicates potentially risky activity that may resemble routine operations, such as a process that adds a new user.

  • The activity might also be a non-critical step in an attack chain, such as an attempt to clear tracks.

  • This level indicates a moderate probability that the asset is under attack.

Recommended action: Investigation required. Check whether the activity is a scheduled operation. If so, add the behavior to an allowlist. Otherwise, treat it as an Urgent alert.

Reminder

Description: Indicates non-essential attack activity that resembles normal operations, such as a process listening on a suspicious port.

Recommended action: Audit and optimize. Use these alerts to identify non-compliant configurations or potential risks. We recommend that you regularly review and optimize your security policies. No immediate action is required.