All Products
Search
Document Center

Elastic Compute Service:Security overview

Last Updated:Apr 10, 2026

Navigate ECS security by scenario: respond to active attacks, harden your instances, or configure compliance baselines.

Important

ECS security responsibility follows the shared responsibility model: Alibaba Cloud is responsible for the physical hardware, underlying network, virtualization platform, and management control services; customers are responsible for OS patching and upgrades, application security configuration, access management, and data encryption and traffic security.

When you are attacked or alerted

When an ECS instance is under attack, you may observe service unavailability, slow response times, or timeouts. Monitoring may reveal abnormal network traffic, unauthorized login attempts, or unexplained CPU spikes. The following table covers three common attack types and how to identify and respond to each.

Attack type and symptoms

What to do

DDoS: High-volume requests exhaust bandwidth, CPU, memory, or connections, causing service degradation or outage. The included DDoS basic protection has a traffic threshold; exceeding it triggers blackhole routing.

Every public IP receives DDoS basic protection within the included quota. For attacks that exceed the quota or target the application layer, purchase DDoS Native Protection or Anti-DDoS. For details, see Use DDoS scrubbing to defend against attacks.

Unauthorized access: After credential compromise or account takeover, attackers may make repeated failed login attempts or log in from suspicious locations.

Enable the free Security Hardening service and configure your trusted login locations, IP addresses, time windows, and accounts. Anomalous logins trigger automatic alerts. For configuration steps, see Enable unusual logon detection.

Host malware: Cryptomining malware causes service disruption, data leakage, and lateral spread. When an instance is compromised, Cloud Security Center sends SMS and email alerts.

Use Cloud Security Center to handle the incident, or manually reset passwords and key pairs and block the attacker's IP address. For isolation and removal steps, see Guide to preventing mining viruses.

After an attack is contained, perform root cause analysis and ongoing hardening to prevent recurrence:

Security hardening

Instance hardening checklist

Security domain

Typical use cases

Technical controls

OS security

Remote operations, system hardening, vulnerability patching, runtime protection.

Data security

Cloud disk storage, image distribution, sensitive data transmission, ransomware protection.

Network security

VPC planning, network isolation, public network access control, traffic monitoring.

Identity and access management

Employee onboarding authorization, multi-account management, programmatic API authentication.

Security audit and operations

Internal audit, security behavior tracing, compliance checks.

Trusted computing and confidential computing

Alibaba Cloud provides multi-layer compute security capabilities: automatic memory encryption, Trusted Computing (vTPM).

  • Default memory encryption: Memory encryption enhances data security in the cloud by protecting in-memory data from physical attacks. This additional security layer requires no changes to your operating system or applications. Memory encryption is supported by default on instance families such as g8i general-purpose, c8i compute-optimized, and r8i memory-optimized.

  • Trusted computing: Builds a hardware root of trust using a virtual Trusted Platform Module (vTPM) to establish verified boot for ECS instances, validating core startup components to ensure they have not been tampered with.

Classified protection compliance

Effective December 1, 2019, a series of standards including the Basic Requirements for Classified Protection of Cybersecurity (GB/T 22239-2019 Information Security Technology) took effect. Implementing the classified protection scheme is a key responsibility for all enterprises and organizations. In addition to ensuring its own platform meets the foundational requirements, Alibaba Cloud provides the classified protection compliance check feature to help you implement the classified protection scheme more quickly, efficiently, and consistently. This enhances the security of your business systems that run on the cloud.

  1. Log on to the Security Center console. In the left-side navigation pane, choose System Settings > Compliance Check.

  2. On the Security Compliance Check tab, view the check result statistics.

    • View the total number of check items and non-compliant items

      In the Total Check Items and Non-compliant Items sections, view the total number of check items supported for classified protection compliance and the number of non-compliant items, respectively. You can click the number in the Non-compliant Items section to view the list of non-compliant check items.

    • Online consultation for classified protection

      Click Consult next to Contact Us to open a chat window and ask questions about classified protection. This service is available from 09:00 to 17:00 on weekdays.

    • Host Configuration Check

      Click Click here to configure to open the Baseline Check page, where you can view and handle baseline issues on your assets. For more information, see View and handle baseline check results.

    • Search for a specific check item

      In the search box, filter by check item category and compliance status, or enter the name of a check item to view matching results.

  3. Remediate non-compliant check items.

    Follow the instructions under Improvement Suggestion to remediate non-compliant check items.

    Note

    The classified protection compliance check feature in Security Center assesses whether your system has the required security capabilities, such as access control and log audit. To pass the classified protection assessment, you must implement these capabilities and resolve all identified issues.