Select Free Security Hardening during ECS instance creation, and use Security Center to verify and enforce compliance across your fleet.
Security risks
A new ECS instance with a clean OS is exposed to the Internet and faces automated scans and attacks that exploit unpatched vulnerabilities, weak passwords, or misconfigurations. These attacks can install malware such as mining viruses and ransomware, steal data, or turn the instance into a botnet node.
ECS instances created from public images include the Free Edition of Security Center by default. Enable it for basic security hardening: vulnerability scans (no automatic remediation), emergency vulnerability scans, AccessKey pair leak detection, compliance checks, and unusual logon detection.
Best practices
Enable Free Security Hardening
Console
On the instance purchase page, select Free Security Hardening. This option is enabled by default for public images.
API
Call RunInstances or CreateInstance with SecurityEnhancementStrategy set to Active. Supported only for public images.
Purchase Security Center editions
Security Center offers paid editions for host and container security: Anti-virus Edition, Premium Edition, Enterprise Edition, and Ultimate Edition. It also provides scenario-specific features such as anti-ransomware, container image security scan, cloud honeypot, web tamper-proofing, application protection, and threat analysis and response. Purchase Security Center to select the editions and features that fit your requirements.
Compliance
Verify that Free Security Hardening is enabled
Check in Host Assets
-
Go to the Security Center console.
-
In the left-side navigation pane, choose .
-
Filter and view the client status of all ECS instances.
-
: Client online. -
: Client not installed or offline. An offline client cannot communicate with Security Center, possibly because the instance is stopped, the client process is abnormal, or a network issue exists.
-
Check with a CSPM scan
-
Go to the Security Center console.
-
In the left-side navigation pane, choose . Click the Cloud Service Configuration Risk tab. Find Check for Security Center Agent Status and click Operation in the Actions column.
If the status is Failed, Free Security Hardening is not enabled for some instances. Click Details for more information.
Block instance creation without Free Security Hardening
Use a RAM policy at the organization or account level to block instance creation without Free Security Hardening.
-
For enterprise users:
-
Log on to the Resource Directory console. In the left-side navigation pane, click Control Policies. Create a custom policy with the following JSON content.
This policy denies instance creation when security hardening is disabled.
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": [ "acs:ecs:*:*:instance/*" ], "Condition": { "StringEquals": { "ecs:SecurityEnhancementStrategy": "Deactive" } } } ] } -
In Resource Directory, attach the policy to the target node. The policy blocks instance creation for all accounts under that node.
-
-
For non-enterprise users:
-
Log on to the RAM console. In the left-side navigation pane, click Permission Policy. Create a custom policy with the same JSON content as above.
-
Attach the policy to a RAM user, RAM user group, or RAM role.
-
Install Security Center agent on unprotected instances
Use case 1: The instance has network access and Cloud Assistant Agent installed.
-
Log on to the Security Center console. In the left-side navigation pane, choose .
-
Click the Client tab, then click Agent Not Installed. Select the target instances.
-
Click the install button. The system installs the Security Center agent through Cloud Assistant.
-
Go to and verify that the client status is Online
.
Use case 2: The instance has a network issue or Cloud Assistant Agent is not installed. Install the Security Center agent manually on the instance.
-
Log on to the Security Center console. In the left-side navigation pane, choose . Click the Client tab, then click Installation Command.
-
Based on your instance's OS (such as CentOS, Ubuntu, or Windows) and network type (VPC internal network or the Internet), copy the corresponding installation command.
-
Log on to the ECS instance and run the copied installation command.
-
After installation, go to and verify that the client status is Online
.