Restricting instance creation to images from a specified scope helps reduce the attack surface. This practice prevents security issues that arise from unauthorized or high-risk images and ensures a consistent and compliant computing environment.
Security risks
Allowing all users or accounts to use any image can lead to the following security risks:
Malicious images: Public images from unknown sources might contain malware, mining programs, or back doors. Using these images can allow an attacker to gain control of your Elastic Compute Service (ECS) instances.
Vulnerable images: In-house images that are not continuously maintained can become an attack vector. These outdated or unpatched images may contain unfixed system or software vulnerabilities, such as Log4j or Heartbleed.
Improperly configured images: Images might have insecure configurations from the creation process, such as unnecessary open ports or weak passwords.
Best practices
You can create and use a "golden image". A golden image is a standardized, hardened, and regularly updated baseline image that is maintained by your security and Operations and Maintenance (O&M) teams. In the Alibaba Cloud environment, you can use tags to mark and manage your golden images. For example, you can add a tag such as status: approved or security-level: trusted to all approved images.
Console
In the image list, use the tag filtering feature to find images with a specific tag.
Create an instance using an image with the specified tag.
API
Call the DescribeImages operation and use the Tag.Key and Tag.Value parameters to query the ImageId of images with a specific tag. When you call the RunInstances or CreateInstance operation to create an instance, specify the ImageId parameter.
Compliance
Block: Restrict operations, such as instance creation, to images with specified tags
You can use a Resource Access Management (RAM) policy at the organization or account level to block attempts to create instances with images that do not have the specified tags.
For enterprise users:
Log on to the Resource Directory console with your Alibaba Cloud account. In the menu bar on the left, click Control Policies. Then, create a custom policy and paste the following JSON content.
This policy requires that images used to create instances or replace system disks must have the tag "environment": "production".
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateInstance",
        "ecs:RunInstances",
        "ecs:ReplaceSystemDisk"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/environment": "production"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteTags",
        "ecs:UntagResources",
        "ecs:CreateTags",
        "ecs:TagResources"
      ],
      "Resource": "acs:ecs:*:*:image/*"
    }
  ]
}
In the resource directory, select an appropriate node and attach the policy. The policy then blocks the specified operations for all accounts under that node.
For non-enterprise users:
Log on to the RAM console with your Alibaba Cloud account. In the menu bar on the left, click Policies. Then, create a custom policy with the same content as the policy for enterprise users.
Attach the policy to RAM users, RAM user groups, or RAM roles. For more information, see Manage policy-based authorization.
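To see how the tag condition in the policy above gates each request before you attach it, here is an added Python example (not Alibaba Cloud's own evaluator, and a simplification of how RAM actually evaluates policies) that loads the same policy and returns Allow, Deny or ImplicitDeny for a given action, resource and set of image tags. The resource names and tag values passed in are constructed for illustration.

```python
import fnmatch
import json

# Copy of the control policy shown on this page (same content, reindented).
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["ecs:CreateInstance", "ecs:RunInstances", "ecs:ReplaceSystemDisk"],
   "Resource": "*",
   "Condition": {"StringEquals": {"acs:ResourceTag/environment": "production"}}},
  {"Effect": "Deny",
   "Action": ["ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources"],
   "Resource": "acs:ecs:*:*:image/*"}
]}""")

TAG_PREFIX = "acs:ResourceTag/"


def condition_holds(condition, resource_tags):
    """Check a statement's conditions against the tags of the resource acted on
    (here: the image). Only StringEquals on acs:ResourceTag/<key> is modelled,
    because that is all this policy uses; anything else raises."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith(TAG_PREFIX):
                raise NotImplementedError(f"condition key {cond_key!r} not modelled")
            if resource_tags.get(cond_key[len(TAG_PREFIX):]) != expected:
                return False
    return True


def evaluate(policy, action, resource, resource_tags):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.
    An explicit Deny wins over any Allow; with no matching statement the
    request is implicitly denied. Wildcards use shell-style matching (simplified)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny is final
        decision = "Allow"
    return decision
```

Running a candidate image through evaluate before calling RunInstances gives the same verdict the attached policy would, so a missing or wrong tag shows up before the API call fails.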
Fix: Ensure instances are created with the specified tagged image
You can manually add tags to the images associated with your ECS instances. You can also clean up or replace the ECS instances that are associated with images that do not meet the tag requirements.