Elastic Compute Service: Enable host security protection

Last Updated: Mar 14, 2026

You can enable host security protection by selecting Free Security Hardening when you create an instance.

Security risks

A new Elastic Compute Service (ECS) instance, even with a clean operating system, is like a bare machine exposed to the Internet. It faces constant automated scans and attacks that exploit unpatched system vulnerabilities, weak passwords, or misconfigurations. These attacks can install malware, such as mining viruses and ransomware, steal data, or turn the instance into part of a botnet.

When you create an ECS instance from a public image, Alibaba Cloud provides the Free Edition of Security Center by default. You can enable this service to obtain basic security hardening features. These features include vulnerability scans (automatic remediation is not included), emergency vulnerability scans, AccessKey pair leak detection, compliance checks, and unusual logon detection.

Best practices

Enable free security hardening

Console

When you create an instance on the instance purchase page, select Free Security Hardening, which is enabled by default for public images.

API

When you create an instance by calling the RunInstances or CreateInstance operation, set the SecurityEnhancementStrategy parameter to Active to enable security hardening. This feature is supported only for public images.

Purchase Security Center

Security Center offers several paid editions for host and container security to meet various protection needs. These editions include Anti-virus Edition, Premium Edition, Enterprise Edition, and Ultimate Edition. Security Center also provides features for specific scenarios, such as anti-ransomware, container image security scan, cloud honeypot, web tamper-proofing, application protection, and threat analysis and response. Learn how to purchase Security Center, then purchase the host and container editions and security features that meet your requirements.

Compliance

Check: Verify that free security hardening is enabled for instances

Method 1: Check in the Host Assets view

  1. Go to the Security Center console.

  2. In the navigation pane on the left, choose Assets > Host.

  3. On this page, you can filter and view the client status for all ECS instances.

    • The client is online (Normal).

    • The client is not installed or is offline. An offline client was installed but cannot communicate with Security Center. This may be because the instance is stopped, the client process is abnormal, or there is a network issue.

Method 2: Check using a Cloud Security Posture Management scan

  1. Go to the Security Center console.

  2. In the navigation pane on the left, choose Risk Governance > CSPM. Click the Cloud Service Configuration Risk tab. Find the Check for Security Center Agent Status item and click Scan in the Actions column.

    If the status is Failed, it means that free security hardening is not enabled for some instances. Click Details to view more information.

Block: Block instance creation without free security hardening

You can use a Resource Access Management (RAM) policy at the organization or account level to block the creation of instances that do not have free security hardening enabled.

  • For enterprise users:

    1. Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Create a custom policy and paste the following JSON content.

      This policy denies the creation of instances if security hardening is not enabled.
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance"
            ],
            "Resource": [
              "acs:ecs:*:*:instance/*"
            ],
            "Condition": {
              "StringEquals": {
                "ecs:SecurityEnhancementStrategy": "Deactive"
              }
            }
          }
        ]
      }
    2. In Resource Directory, attach the policy to the appropriate node. The policy will block the operation for all accounts under that node.

  • For non-enterprise users:

    1. Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click Policies. Create a custom policy with the same content as the one in the preceding section.

    2. Attach the policy to a RAM user, RAM user group, or RAM role.
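
The policy above matches only requests whose SecurityEnhancementStrategy is the literal value Deactive. The following added example (not part of the Alibaba Cloud documentation) models that Deny statement locally and checks planned launch requests against it before they are submitted. It assumes a missing condition key does not match, so a request that omits the parameter is reported as review rather than denied; the request records, names, region, account ID and image ID are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# The Deny policy from this page, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "1", "Statement": [{
  "Effect": "Deny",
  "Action": ["ecs:RunInstances", "ecs:CreateInstance"],
  "Resource": ["acs:ecs:*:*:instance/*"],
  "Condition": {"StringEquals": {"ecs:SecurityEnhancementStrategy": "Deactive"}}
}]}
""")

# Constructed sample data: account ID, region, names and image ID are placeholders.
RES = "acs:ecs:cn-example:0000000000000000:instance/*"

def _req(name, action, **params):
    return {"name": name, "action": action, "resource": RES,
            "params": {"ImageId": "img-constructed", **params}}

REQUESTS = [
    _req("web-01", "ecs:RunInstances", SecurityEnhancementStrategy="Active"),
    _req("batch-01", "ecs:RunInstances", SecurityEnhancementStrategy="Deactive"),
    _req("legacy-01", "ecs:CreateInstance"),  # parameter omitted
]

def statement_matches(stmt, action, resource, context):
    """True when the action, the resource and every StringEquals key match."""
    if not any(fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    # Assumption: a key absent from the request context does not match.
    return all(context.get(k) == v for k, v in wanted.items())

def classify(request):
    """Return 'denied', 'hardened' or 'review' for one planned launch request."""
    strategy = request["params"].get("SecurityEnhancementStrategy")
    context = {} if strategy is None else {"ecs:SecurityEnhancementStrategy": strategy}
    for stmt in POLICY["Statement"]:
        if stmt["Effect"] == "Deny" and statement_matches(
                stmt, request["action"], request["resource"], context):
            return "denied"
    # Only an explicit Active counts as hardened; anything else needs a human look.
    return "hardened" if strategy == "Active" else "review"

def audit(requests):
    return {r["name"]: classify(r) for r in requests}

if __name__ == "__main__":
    for name, verdict in audit(REQUESTS).items():
        print(f"{name}: {verdict}")
```

Requests reported as review are the ones to fix in templates by setting SecurityEnhancementStrategy to Active explicitly, so that the outcome does not depend on defaults.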

Fix: Resolve instances without security hardening

Use case 1: The instance has a stable network connection and the Cloud Assistant agent is installed.

  1. Log on to the Security Center console. In the navigation pane on the left, choose System Settings > Feature Settings.

  2. Click the Agent tab, and then click the Agent Not Installed sub-tab. This displays a list of instances on which the Security Center agent is not installed. Select the instances that you want to fix.

  3. Click the install button below the list. The system automatically downloads and installs the Security Center agent using Cloud Assistant.

  4. Go back to Assets > Host and confirm that the client status of the target instance has changed to Online.

Use case 2: The instance has a network issue or the Cloud Assistant agent is not installed. If you cannot automatically install the Security Center agent from the console, you must log on to the instance to install it.

  1. Log on to the Security Center console. In the navigation pane on the left, choose System Settings > Feature Settings. Click the Agent tab, and then click the Installation Command sub-tab.

  2. Based on the operating system of your ECS instance, such as CentOS, Ubuntu, or Windows, and the network environment (VPC internal network or the Internet), copy the corresponding installation command.

  3. Log on to your ECS instance and run the installation command that you copied in the previous step.

  4. After the installation is complete, go back to Assets > Host and confirm that the client status of the target instance has changed to Online.