Security Center provides the configuration assessment feature to detect risks in the configurations of your Alibaba Cloud services. This topic describes the configuration assessment feature and the supported check items.
Background information
Security Center checks the following configurations of your Alibaba Cloud services to detect risks: identity authentication and permissions, network access control, data security, log audit, monitoring and alerting, and basic security protection. If risks are detected, Security Center provides solutions for the risks.
Note The Basic and Anti-virus editions of Security Center support a limited number of check items. The Advanced, Enterprise, and Ultimate editions support all check items. If you use the Basic or Anti-virus edition and want to use the configuration assessment feature to check all items,
upgrade Security Center to the Advanced, Enterprise, or Ultimate edition. For more information about the check items that each edition supports, see
Check items.
You can view the number of enabled check items in Checked items enabled on the Cloud Platform Configuration Assessment page. 
Check items
The following table describes the check items that each edition of Security Center
supports. Security Center has the following editions: Basic, Anti-virus, Advanced, Enterprise, and Ultimate. The following symbols are used to indicate whether a check item is supported:
- ×: The check item is not supported.
- √: The check item is supported.
| Check item | Type | Description | Basic and Anti-virus | Advanced, Enterprise, and Ultimate |
|---|---|---|---|---|
| Alibaba Cloud account security - AccessKey pair | Identity authentication and permissions | Checks the AccessKey pair of your Alibaba Cloud account. Your Alibaba Cloud account
has full permissions on your resources. To prevent the loss caused by AccessKey pair
leaks, we recommend that you do not create an AccessKey pair for your Alibaba Cloud
account or use the AccessKey pair in day-to-day operations.
Notice The results of this check are delayed. If you disable the AccessKey pair, the results
of the check are updated on the following day.
|
× | √ |
| Alibaba Cloud CDN - real-time log push feature | Log audit | Checks whether the real-time log push feature is enabled for Alibaba Cloud CDN. Alibaba Cloud CDN is integrated with Log Service to deliver log data to Log Service in real time. You can analyze real-time logs to identify and locate issues. | × | √ |
| PolarDB - backup configurations | Data security | Checks whether the automatic backup feature is enabled for PolarDB. Database backups reinforce security and allow you to restore data when an error occurs in your database. PolarDB provides the automatic backup feature. We recommend that you enable the automatic backup feature to create a backup on a daily basis. | × | √ |
| PolarDB - SQL Explorer | Log audit | Checks whether the SQL Explorer feature is enabled for PolarDB. PolarDB supports the SQL Explorer feature. This feature provides value-added capabilities, such as security audit and performance diagnosis. We recommend that you enable the SQL Explorer feature. | × | √ |
| OSS - authorization policies | Identity authentication and permissions | Checks the authorization policies of Object Storage Service (OSS). OSS supports three types of access control policies: access control lists (ACLs), Resource Access Management (RAM) policies, and bucket policies. When you configure bucket policies, we recommend that you do not grant the read and write permissions or full permissions to anonymous users. | × | √ |
| SLB - logging | Log audit | Checks whether the logging feature is enabled for Server Load Balancer (SLB). SLB provides the logging feature that records Layer 7 requests. This feature collects details about requests that are sent to SLB. The details include the request time, client IP address, network latency, request path, and server response. We recommend that you enable the logging feature. | × | √ |
| Container Registry - repository permission configurations | Data security | Checks whether a Container Registry repository is set to private. Container Registry supports public and private repositories. Public repositories allow anonymous users to download images over the Internet. If images in a repository contain sensitive information, we recommend that you set the repository to private. | × | √ |
| Container Registry - security scans | Basic security protection | Checks whether the security scan feature is enabled for Container Registry. Container Registry supports security scans for Linux base images. Security scans can detect system vulnerabilities and risks in base images. We recommend that you scan all images. If new versions of the base images are obtained, we recommend that you perform security scans on the new versions. | × | √ |
| ECS - security group policies | Network access control | Checks the policies of Elastic Compute Service (ECS) security groups. We recommend that you grant minimum permissions to users. If you set 0.0.0.0/0 for a service, requests from all IP addresses are allowed. For example, you can set 0.0.0.0/0 for port 80, 443, 22, or 3389. | × | √ |
| OSS - bucket server-side encryption | Data security | Checks whether the data encryption feature is enabled for OSS buckets. OSS supports server-side encryption to ensure the security of data that is persistently stored in OSS. We recommend that you enable server-side encryption to protect sensitive data. | × | √ |
| OSS - bucket hotlink protection | Network access control | Checks whether the hotlink protection feature is enabled for OSS buckets. The OSS hotlink protection feature checks the Referer header to deny access from unauthorized users. We recommend that you enable this feature. | × | √ |
| ApsaraDB RDS - cross-region backup configurations | Data security | Checks whether the cross-region backup feature is enabled for ApsaraDB RDS instances. ApsaraDB RDS for MySQL provides the cross-region backup feature. This feature automatically synchronizes on-premises backup files to OSS buckets in another region. This implements geo-disaster recovery. We recommend that you enable the cross-region backup feature. | × | √ |
| ApsaraDB for Redis - backup configurations | Data security | Checks whether the data backup feature is enabled for ApsaraDB for Redis instances. | × | √ |
| ApsaraDB for Redis - SSL encryption | Log audit | Checks whether SSL encryption is enabled for ApsaraDB for Redis instances. ApsaraDB for Redis 2.8 standard master-replica instances, ApsaraDB for Redis 2.8 master-replica cluster instances, and ApsaraDB for Redis 4.0 master-replica cluster instances support SSL encryption. We recommend that you enable SSL encryption to reinforce the security of data in transit. | × | √ |
| ApsaraDB for MongoDB - log audit | Log audit | Checks whether the log audit feature is enabled for ApsaraDB for MongoDB instances. This feature records all operations that you perform on the databases of ApsaraDB for MongoDB instances. Log audit helps you perform fault analysis, behavior analysis, and security audit on the databases. You can also obtain the information about data consumption. We recommend that you enable the log audit feature for ApsaraDB for MongoDB instances. | × | √ |
| ApsaraDB for MongoDB - SSL encryption | Data security | Checks whether SSL encryption is enabled for ApsaraDB for MongoDB instances. We recommend that you enable the SSL encryption feature to reinforce the security of ApsaraDB for MongoDB instances. | × | √ |
| ApsaraDB for MongoDB - backup configurations | Data security | Checks whether the automatic backup feature is enabled for ApsaraDB for MongoDB instances. Database backups reinforce security and allow you to restore data when an error occurs in your database. ApsaraDB for MongoDB provides the automatic backup feature. We recommend that you enable the automatic backup feature to create a backup on a daily basis. | × | √ |
| CloudMonitor - agent status | Monitoring and alerting | Checks the status of ECS instances. CloudMonitor helps you monitor Alibaba Cloud resources and web applications. To monitor the status of ECS instances and send alerts when exceptions occur, we recommend that you install the CloudMonitor agent on your ECS instances. | × | √ |
| VPC - DNAT management port mapping | Network access control | Checks whether a port is open to the Internet.
When you create a destination network address translation (DNAT) rule for a Network Address Translation (NAT) gateway deployed in a virtual private cloud (VPC), we recommend that you do not open internal management ports to the Internet. Do not open all ports or important ports, such as port 22, 80, 443, 1433, 3306, 3389, or 8080, to the Internet. |
× | √ |
| Alibaba Cloud - two-factor authentication | Identity authentication and permissions for Alibaba Cloud accounts | Checks whether two-factor authentication is enabled for your Alibaba Cloud account. If you use only password authentication, attackers may use methods such as brute-force attacks to obtain the password to your Alibaba Cloud account. We recommend that you enable two-factor authentication that requires both password and SMS verification to prevent the loss caused by password leaks. | √ | √ |
| RAM users - MFA | Identity authentication and permissions for RAM users | Checks whether multi-factor authentication (MFA) is enabled for RAM users. | √ | √ |
| Alibaba Cloud Security - agent status | Basic security protection | Checks the installation of the Server Guard agent. You must install the Server Guard agent on your servers before Server Guard can protect your servers. If the Server Guard agent is not installed on your servers, your servers are vulnerable to risks, such as webshells, trojans, remote logons, and brute-force attacks. | √ | √ |
| Alibaba Cloud Security - back-to-origin configuration checks for Anti-DDoS Pro or Anti-DDoS Premium | Network access control | Checks whether Anti-DDoS Pro or Anti-DDoS Premium allows requests from only Web Application Firewall (WAF) back-to-origin IP addresses. After you use Anti-DDoS Pro, Anti-DDoS Premium, or WAF, we recommend that you hide the IP address of the origin server to prevent attacks. | √ | √ |
| Alibaba Cloud Security - back-to-origin configuration checks for WAF | Network access control | Checks whether WAF allows requests from only WAF back-to-origin IP addresses. After you use Anti-DDoS Pro, Anti-DDoS Premium, or WAF, we recommend that you hide the IP address of the origin server to prevent attacks. | √ | √ |
| Security Center - detection of AccessKey pair leaks | Monitoring and alerting | Checks whether the AccessKey pair leak detection and account security features of Security Center are enabled. | √ | √ |
| ECS - public key authentication | Identity authentication and permissions | Checks whether ECS instances that run Linux operating systems are associated with Alibaba Cloud SSH key pairs. SSH public key authentication is more secure and convenient than SSH password authentication. We recommend that you use SSH public key authentication. | √ | √ |
| ECS - storage encryption | Data security | Checks whether encryption is enabled for disks on ECS instances. | √ | √ |
| ECS - automatic snapshot policies | Data security | Checks whether the automatic snapshot feature is enabled for ECS instances. The automatic snapshot feature reinforces the security of ECS instances and supports disaster recovery. | √ | √ |
| SLB - whitelist configurations | Network access control | Checks the access control configurations of SLB instances. The configurations include whether access control is enabled for HTTP and HTTPS services and whether 0.0.0.0/0 is added to the IP address whitelist. | √ | √ |
| SLB - open ports | Network access control | Checks whether ports of SLB instances are unnecessarily open to the Internet. | √ | √ |
| SLB - health status | Monitoring and alerting | Checks whether SLB backend servers are available. | √ | √ |
| SLB - certificate validity checks | Monitoring and alerting | Checks whether your SLB certificate expires. | √ | √ |
| OSS - bucket permissions | Data security | Checks whether the OSS bucket ACL is set to private. | √ | √ |
| OSS - logging | Data security | Checks whether the logging feature is enabled for OSS. | √ | √ |
| OSS - cross-region replication | Data security | Checks whether the cross-region replication feature is enabled for OSS. | √ | √ |
| ApsaraDB RDS - whitelist configurations | Network access control | Checks whether a whitelist is configured for ApsaraDB RDS and whether the whitelist contains 0.0.0.0/0. If the whitelist contains 0.0.0.0/0, requests from all IP addresses are allowed. We recommend that you configure the whitelist to allow requests only from specific IP addresses. | √ | √ |
| ApsaraDB RDS - database security policies | Data security | Checks whether the SQL audit, SSL encrypted transmission, and transparent database encryption features are enabled for ApsaraDB RDS instances. | √ | √ |
| ApsaraDB RDS - database backup | Data security | Checks whether the database backup feature is enabled for ApsaraDB RDS instances. | √ | √ |
| ApsaraDB for Redis - whitelist configurations | Network access control | Checks whether a whitelist is configured for ApsaraDB for Redis and whether the whitelist contains 0.0.0.0/0. If the whitelist contains 0.0.0.0/0, requests from all IP addresses are allowed. We recommend that you configure the whitelist to allow requests only from specific IP addresses. | √ | √ |
| AnalyticDB for PostgreSQL - whitelist configurations | Network access control | Checks whether a whitelist is configured for AnalyticDB for PostgreSQL and whether the whitelist contains 0.0.0.0/0. If the whitelist contains 0.0.0.0/0, requests from all IP addresses are allowed. We recommend that you configure the whitelist to allow requests only from specific IP addresses. | √ | √ |
| SSL Certificates Service - validity checks | Data security | Checks whether your SSL certificate expires. If your SSL certificate expires, you are not allowed to use the certificate. | √ | √ |
| PolarDB - whitelist configurations | Network access control | Checks whether a whitelist is configured for PolarDB and whether the whitelist contains
0.0.0.0/0. If the whitelist contains 0.0.0.0/0, requests from all IP addresses are allowed.
We recommend that you configure the whitelist to allow requests only from specific
IP addresses.
|
√ | √ |
| ActionTrail - logging | Log audit | Checks operation logs in OSS or Log Service.
To trace high-risk operations, we recommend that you activate ActionTrail, store operation logs in OSS or Log Service, and set proper access permissions. |
√ | √ |
| ApsaraDB for MongoDB - whitelist configurations | Network access control | Checks whether a whitelist is configured for ApsaraDB for MongoDB and whether the
whitelist contains 0.0.0.0/0. If the whitelist contains 0.0.0.0/0, requests from all IP addresses are allowed.
We recommend that you configure the whitelist to allow requests only from specific
IP addresses.
|
√ | √ |
| Apsara Devops - Codeup security | Basic security protection | Checks the status of code in Codeup and analyzes whether the code is secure from the following aspects: access control, member behavior, and code content. Codeup provides suggestions on security configurations based on the check results. | √ | √ |
| RAM - excessive authorization | Identity authentication and permissions | If you want to grant permissions to a RAM user, a RAM user group, or a RAM role, follow
the principle of least privilege. This prevents excessive authorizations. The following
list describes the principals that can be checked by using the check item:
|
X | √ |
| OSS - bucket versioning | Data security | OSS allows you to configure versioning for a bucket to protect objects that are stored in the bucket. After you enable versioning for a bucket, data that is overwritten or deleted in the bucket is saved as a previous version. After you configure versioning for a bucket, you can recover objects in the bucket to any previous version to protect your data from being accidentally overwritten or deleted. | × | √ |