
Elastic Compute Service: Security administration solution overview

Last Updated: Nov 24, 2025

To build and maintain secure, compliant business systems in a cloud environment, focus on security protection in five core realms.

Solution overview

  • Basic security solutions: These solutions are recommended for all business scenarios. They meet the basic requirements for securing your cloud assets.

  • Enhanced security solutions: These solutions are recommended for enterprise-level services that are security-sensitive or have compliance requirements. They provide comprehensive security protection.

| Security type | Security child class | Best practices | Basic security solution | Enhanced security solution |
|---|---|---|---|---|
| Operating system security | Credential security | Avoid using weak security tokens to log on to instances | Recommended | Recommended |
| Operating system security | Network-based access control | Restrict access to O&M ports of instances by source IP address | Recommended | Recommended |
| Operating system security | Vulnerability management | Enable host security protection | Recommended | Recommended |
| Operating system security | Vulnerability management | Fix important security vulnerabilities | Recommended | Recommended |
| Operating system security | Privileged access management | Avoid using the root account to log on to instances | | Recommended |
| Operating system security | Credential security | Avoid using preset logon credentials in custom images | | Recommended |
| Operating system security | Supply chain security | Restrict the images that can be used to create instances | | Recommended |
| Operating system security | Monitoring and alerts | Enable abnormal logon detection | | Recommended |
| Data security | Data protection | Enable an automatic snapshot policy for disks | Recommended | Recommended |
| Data security | Sensitive information | Allow only HTTPS access to ECS OpenAPI | Recommended | Recommended |
| Data security | Supply chain security | Prevent accidental disclosure of sensitive information from images and snapshots | | Recommended |
| Data security | Encryption | Use encrypted disks | | Recommended |
| Data security | Encryption | Use the strengthened mode to access instance metadata | | Recommended |
| Identity and access control | Credential security | Protect your Alibaba Cloud account to prevent credential leaks | Recommended | Recommended |
| Identity and access control | Privileged access management | Avoid using your Alibaba Cloud account. Grant different permissions to RAM users based on their roles. | Recommended | Recommended |
| Identity and access control | Network-based access control | Restrict the source IP addresses that can be used to call OpenAPI | | Recommended |
| Identity and access control | Resource-level access control | Use resource groups to manage permissions by project or department | | Recommended |
| Identity and access control | Resource-level access control | Enable fine-grained permission management for resources using tags | | Recommended |
| Identity and access control | Compliance constraint configuration | Use RAM policies to constrain cloud operation behaviors | | Recommended |
| Network security | Network-based access control | Reduce the Internet exposure risks of ECS instances | Recommended | Recommended |
| Network security | Network-based access control | Use VPCs for network isolation | | Recommended |
| Network security | Network-based access control | Use security groups for internal access control and micro-segmentation | | Recommended |
| Network security | Network-based access control | Use network ACLs to enhance network access control | | Recommended |
| Network security | Network-based access control | Access the cloud over an internal network | | Recommended |
| Network security | Network-based access control | Use PrivateLink to reduce unnecessary Internet traffic | | Recommended |
| Network security | Traffic security | Use a DDoS traffic scrubbing service to defend against Internet attacks | | Recommended |
| Network security | Traffic security | Use Cloud Firewall to defend against Internet attacks | | Recommended |
| Network security | Web traffic security | Use Web Application Firewall to defend against web attacks | | Recommended |
| Security audit and O&M | Logs | Use ActionTrail to record and analyze cloud operations | Recommended | Recommended |
| Security audit and O&M | Privileged access management | Use Bastionhost for O&M to meet MLPS 2.0 requirements | | Recommended |
| Security audit and O&M | Logs | Record and analyze VPC traffic logs | | Recommended |