This document provides guidance on ECS security operations, organized by three key scenarios: incident response, security baseline hardening, and classified protection compliance.
ECS security follows a shared responsibility model between Alibaba Cloud and you. Alibaba Cloud is responsible for the security of the cloud, which includes physical hardware, underlying networks, the virtualization platform, and management control services. You are responsible for security in the cloud, which includes OS patching and upgrades, application security configuration, access permission management, data encryption, and traffic security.
Respond to an attack or alert
When an instance is under attack, you may experience service interruptions, slow responses, or timeouts. You can also detect attacks by monitoring for signs like unusual network traffic, abnormal logon activity, or high CPU usage. The following table describes how to quickly identify and respond to three common types of attacks.
Attack type and symptoms | Response |
DDoS: A high volume of requests exhausts bandwidth, CPU, memory, or connections, causing services to slow down or become unavailable. The free basic protection has a traffic limit. If the limit is exceeded, traffic is routed to a blackhole. | Each public IP has basic DDoS scrubbing enabled by default, up to a certain limit. If the limit is exceeded or you face application-layer attacks, purchase Anti-DDoS Origin or Anti-DDoS Pro/Premium. For details, see Use Anti-DDoS services to defend against public network attacks. |
Logon and session: After a password leak or account compromise, an attacker may make multiple failed logon attempts or log on from a suspicious location. | Enable free security hardening. Configure common logon locations, IP addresses, times, and accounts to receive alerts for abnormal logons. For configuration details, see Enable abnormal logon detection. |
Host malware: Cryptojacking malware can disrupt services, leak data, and spread to other systems. If your instance is compromised, Security Center sends you an SMS or email alert. | Use Security Center to handle the threat, or manually reset passwords and keys and block the attacker's IP address. For isolation and removal steps, see Guide to handling and preventing cryptojacking. |
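The logon and session row above says what to alert on (a burst of failed logons, then a logon from a source, time or account outside your normal profile). The following added example, which is not from the original page or from Alibaba Cloud, turns that baseline into detection logic run over a few constructed OpenSSH auth.log lines: it flags a failed-password burst from one IP, then any accepted logon whose source network, hour of day or account is outside the configured profile, including a success that immediately follows the burst. The host names, addresses and policy values are assumptions.

```python
import ipaddress
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log lines (made up for this example, not from a real host).
SAMPLE_LOG = """\
Mar 12 02:14:01 web01 sshd[2103]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 12 02:14:03 web01 sshd[2103]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar 12 02:14:05 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar 12 02:14:07 web01 sshd[2103]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 12 02:14:09 web01 sshd[2103]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 12 02:14:11 web01 sshd[2103]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar 12 09:30:00 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.10 port 40001 ssh2
Mar 12 23:45:12 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.10 port 40002 ssh2
"""

# Baseline profile: the "common logon location / time / account" settings the text
# refers to, expressed as data. All values are assumptions for the example.
POLICY = {
    "allowed_networks": [ipaddress.ip_network("198.51.100.0/24")],  # office / bastion range
    "allowed_hours": range(8, 20),                                  # 08:00-19:59 host local time
    "allowed_accounts": {"deploy"},
    "fail_threshold": 5,                                            # failures from one IP ...
    "fail_window": timedelta(seconds=60),                           # ... inside this window
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for sshd Failed/Accepted lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog lines carry no year
        "result": m["result"],
        "user": m["user"],
        "ip": ipaddress.ip_address(m["ip"]),
    }


def logon_anomalies(event, policy):
    """Reasons why an accepted logon deviates from the baseline profile (empty if none)."""
    reasons = []
    if not any(event["ip"] in net for net in policy["allowed_networks"]):
        reasons.append("source %s is outside the allowed networks" % event["ip"])
    if event["ts"].hour not in policy["allowed_hours"]:
        reasons.append("logon at %s is outside the allowed hours" % event["ts"].strftime("%H:%M"))
    if event["user"] not in policy["allowed_accounts"]:
        reasons.append("account %r is not an allowed logon account" % event["user"])
    return reasons


def detect(log_text, policy=POLICY):
    """Run the burst and baseline checks over the log and return the alerts raised."""
    alerts = []
    recent_failures = {}  # ip -> timestamps of failures still inside the window
    bursting = set()      # ips that already crossed the failure threshold
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            window = recent_failures.setdefault(ip, deque())
            window.append(ev["ts"])
            while ev["ts"] - window[0] > policy["fail_window"]:
                window.popleft()
            if len(window) >= policy["fail_threshold"] and ip not in bursting:
                bursting.add(ip)
                alerts.append({"type": "brute_force", "ip": str(ip),
                               "failures": len(window), "last_user": ev["user"]})
            continue
        reasons = logon_anomalies(ev, policy)
        if ip in bursting:  # a success right after a burst is the password-guessing win
            reasons.append("success after %d recent failures from the same IP"
                           % len(recent_failures[ip]))
        if reasons:
            alerts.append({"type": "abnormal_logon", "ip": str(ip),
                           "user": ev["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample input this raises three alerts: the burst from 203.0.113.45, the root logon from that address (wrong network, wrong hour, wrong account, and right after the burst), and the off-hours deploy logon. The same structure applies to any host logon source; only the regex and the profile change.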
After responding to an attack, perform a root cause analysis and implement continuous hardening to prevent recurrence:
Root cause analysis: Use ActionTrail records to analyze cloud operations, reconstruct the attack path, and determine the method of intrusion and the scope of affected resources.
Targeted hardening: Tighten the security of the exploited configurations and close any gaps in your security baseline.
Detection optimization: Adjust your monitoring and alert rules and use Security Center to improve future detection capabilities.
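The root cause analysis step above is where ActionTrail earns its keep: the trail tells you which credential was used, from where, and what it changed. The following added example (not from the original page, not Alibaba Cloud tooling) reconstructs an attack path from a handful of constructed ActionTrail-style events. It finds the moment an established access key is first used from an unfamiliar IP, then follows everything issued from that IP, including a freshly minted second key, and collects the resources touched. The field names (eventTime, eventName, sourceIpAddress, userIdentity.accessKeyId, requestParameters) and the sample values are assumptions; the API operation names are real ECS and RAM operations, but the events themselves are made up.

```python
import json

# Constructed ActionTrail-style events (made up for this example). Field names follow
# the ActionTrail event layout as assumed here; they are not copied from a real trail.
SAMPLE_TRAIL = json.dumps([
    {"eventTime": "2024-03-12T01:58:10Z", "eventName": "DescribeInstances", "serviceName": "Ecs",
     "sourceIpAddress": "198.51.100.10",
     "userIdentity": {"type": "ram-user", "userName": "ci-deploy", "accessKeyId": "LTAIexampleKey01"}},
    {"eventTime": "2024-03-12T02:10:41Z", "eventName": "DescribeInstances", "serviceName": "Ecs",
     "sourceIpAddress": "203.0.113.45",
     "userIdentity": {"type": "ram-user", "userName": "ci-deploy", "accessKeyId": "LTAIexampleKey01"}},
    {"eventTime": "2024-03-12T02:11:05Z", "eventName": "AuthorizeSecurityGroup", "serviceName": "Ecs",
     "sourceIpAddress": "203.0.113.45",
     "userIdentity": {"type": "ram-user", "userName": "ci-deploy", "accessKeyId": "LTAIexampleKey01"},
     "requestParameters": {"SecurityGroupId": "sg-example0001", "IpProtocol": "tcp",
                           "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"}},
    {"eventTime": "2024-03-12T02:12:30Z", "eventName": "CreateAccessKey", "serviceName": "Ram",
     "sourceIpAddress": "203.0.113.45",
     "userIdentity": {"type": "ram-user", "userName": "ci-deploy", "accessKeyId": "LTAIexampleKey01"},
     "requestParameters": {"UserName": "ci-deploy"}},
    {"eventTime": "2024-03-12T02:15:00Z", "eventName": "RunInstances", "serviceName": "Ecs",
     "sourceIpAddress": "203.0.113.45",
     "userIdentity": {"type": "ram-user", "userName": "ci-deploy", "accessKeyId": "LTAIexampleKey02"},
     "requestParameters": {"InstanceType": "ecs.g7.16xlarge", "Amount": 8}},
    {"eventTime": "2024-03-12T02:40:00Z", "eventName": "DescribeInstances", "serviceName": "Ecs",
     "sourceIpAddress": "198.51.100.10",
     "userIdentity": {"type": "ram-user", "userName": "ci-deploy", "accessKeyId": "LTAIexampleKey01"}},
])

# Operations that widen the blast radius, and what each means on an attack path.
HIGH_RISK = {
    "AuthorizeSecurityGroup": "opened a security group rule",
    "CreateAccessKey": "minted a new long-lived credential",
    "AttachPolicyToUser": "escalated RAM permissions",
    "RunInstances": "launched new instances",
}
RESOURCE_KEYS = ("SecurityGroupId", "UserName", "PolicyName", "InstanceId", "InstanceType")


def reconstruct(trail_json):
    """Order the events, find where a key starts acting from an unknown IP, and follow it."""
    events = sorted(json.loads(trail_json), key=lambda e: e["eventTime"])
    seen_ips = {}            # accessKeyId -> source IPs observed so far
    attacker_ips = set()
    compromised_keys = set()
    timeline, affected = [], set()
    for ev in events:
        key = ev["userIdentity"]["accessKeyId"]
        ip = ev["sourceIpAddress"]
        params = ev.get("requestParameters", {})
        known = seen_ips.setdefault(key, set())
        tags = []
        if known and ip not in known:      # established key, brand-new origin
            tags.append("first use of this key from a new IP")
        elif ip in attacker_ips:           # anything else from an attacker IP, e.g. a freshly minted key
            tags.append("issued from a known attacker IP")
        known.add(ip)
        if not tags:
            continue
        attacker_ips.add(ip)
        compromised_keys.add(key)
        if ev["eventName"] in HIGH_RISK:
            tags.append(HIGH_RISK[ev["eventName"]])
        if ev["eventName"] == "AuthorizeSecurityGroup" and params.get("SourceCidrIp") == "0.0.0.0/0":
            tags.append("rule exposes %s to the whole Internet" % params.get("PortRange", "?"))
        touched = ["%s=%s" % (k, params[k]) for k in RESOURCE_KEYS if k in params]
        affected.update(touched)
        timeline.append({"time": ev["eventTime"], "eventName": ev["eventName"],
                         "accessKeyId": key, "sourceIp": ip, "tags": tags, "resources": touched})
    return {"attacker_ips": sorted(attacker_ips), "compromised_keys": sorted(compromised_keys),
            "timeline": timeline, "affected_resources": sorted(affected)}


if __name__ == "__main__":
    print(json.dumps(reconstruct(SAMPLE_TRAIL), indent=2))
```

The output is the input to the other two steps: both keys go on the rotation list, the 0.0.0.0/0 rule on sg-example0001 is the configuration to tighten, and "key used from a new IP" is the condition worth turning into a standing alert. The legitimate 02:40 call from the usual address is left out of the path because nothing about it is new.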
Harden security configuration
Basic security configuration
Security domain | Scenarios | Technical measures |
Operating system security | Remote O&M, system hardening, vulnerability patching, and runtime protection. | |
Data security | Cloud disk storage, image distribution, sensitive data transfer, and ransomware prevention. | |
Network security | VPC planning, network isolation, public network access control, and traffic monitoring. | |
Identity and access control | Employee onboarding authorization, multi-account management, and API authentication for applications. | |
Security audit and O&M | Internal auditing, security event tracing, and compliance checks. | |
Trusted computing and confidential computing
Alibaba Cloud provides multiple layers of computing security, including memory encryption that is enabled by default and Trusted Computing based on a virtual Trusted Platform Module (vTPM).
Default memory encryption: Memory encryption enhances data security in the cloud by protecting in-memory data from physical attacks. This additional security layer requires no changes to your operating system or applications. Memory encryption is supported by default on instance families such as g8i general-purpose, c8i compute-optimized, and r8i memory-optimized.
Trusted Computing: Builds a root of trust based on a virtual Trusted Platform Module (vTPM). This enables a trusted boot process for ECS instances, verifying that core components have not been tampered with during startup.
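The trusted boot described above works because a TPM's platform configuration registers (PCRs) can only be changed by the extend operation, so a register's final value commits to the whole ordered sequence of components measured into it. The following added example (generic TPM mechanics, not Alibaba Cloud code and not its attestation tooling) replays a constructed boot measurement log to compute expected PCR values, then shows that a replaced kernel or a change in measurement order yields a different PCR 8. The component names and measured bytes are made up; on a real instance the digests come from the firmware's event log and the PCR values from the vTPM.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank: every PCR starts as 32 zero bytes

# Constructed boot measurement log: (PCR index, component, bytes that were measured).
# Made up for the example; a real log is the TPM event log written by firmware and
# bootloader, and the component digests are what the vTPM actually receives.
GOLDEN_LOG = [
    (0, "firmware", b"uefi-firmware-build-1.2"),
    (4, "bootloader", b"grub-2.06-signed"),
    (8, "kernel", b"vmlinuz-5.10.0"),
    (8, "initrd", b"initrd-5.10.0"),
]


def extend(pcr_value, measured):
    """TPM PCR extend: new = H(old || H(component)). No other operation can change a PCR."""
    return hashlib.sha256(pcr_value + hashlib.sha256(measured).digest()).digest()


def replay(log):
    """Recompute every PCR from an ordered measurement log."""
    pcrs = {}
    for index, _component, measured in log:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), measured)
    return pcrs


def mismatched_pcrs(reported, expected):
    """PCR indexes whose reported value differs from the expected (golden) value."""
    return sorted(i for i in expected if reported.get(i) != expected[i])


def tampered_log():
    """Same boot, but the kernel image was replaced."""
    return [(i, c, b"vmlinuz-5.10.0-backdoored" if c == "kernel" else m)
            for i, c, m in GOLDEN_LOG]


def reordered_log():
    """Same components, initrd measured before the kernel: a different chain, so a different PCR 8."""
    return [GOLDEN_LOG[0], GOLDEN_LOG[1], GOLDEN_LOG[3], GOLDEN_LOG[2]]


if __name__ == "__main__":
    golden = replay(GOLDEN_LOG)
    for name, log in (("clean", GOLDEN_LOG), ("tampered", tampered_log()), ("reordered", reordered_log())):
        print(name, "mismatched PCRs:", mismatched_pcrs(replay(log), golden))
```

The check a verifier performs is exactly mismatched_pcrs: compare the PCR values reported by the (v)TPM against values replayed from a known-good log. Because the hash chain is order-sensitive, swapping two measurements is detected even though every individual component is unchanged, which is why the boot sequence itself, not just the file hashes, is what trusted boot attests.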
Classified protection compliance
Effective December 1, 2019, a series of standards including the Basic Requirements for Classified Protection of Cybersecurity (GB/T 22239-2019 Information Security Technology) took effect. Implementing the classified protection scheme is a key responsibility for all enterprises and organizations. In addition to ensuring its own platform meets the foundational requirements, Alibaba Cloud provides the classified protection compliance check feature to help you implement the classified protection scheme more quickly, efficiently, and consistently. This enhances the security of your business systems that run on the cloud.
1. Log on to the Security Center console. In the left-side navigation pane, choose .
2. On the Security Compliance Check tab, view the check result statistics.
   View the total number of check items and non-compliant items: In the Total Check Items and Non-compliant Items sections, view the total number of check items supported for classified protection compliance and the number of non-compliant items, respectively. You can click the number in the Non-compliant Items section to view the list of non-compliant check items.
   Online consultation for classified protection: Click Consult next to Contact Us to open a chat window and ask questions about classified protection. This service is available from 09:00 to 17:00 on weekdays.
   Host Configuration Check: Click Click here to configure to open the Baseline Check page, where you can view and handle baseline issues on your assets. For more information, see View and handle baseline check results.
   Search for a specific check item: In the search box, filter by check item category and compliance status, or enter the name of a check item to view matching results.
3. Remediate non-compliant check items. Follow the instructions under Improvement Suggestion to remediate each non-compliant check item.
Note: The classified protection compliance check feature in Security Center assesses whether your system has the required security capabilities, such as access control and log audit. To pass the classified protection assessment, you must implement these capabilities and resolve all identified issues.