Attack surface management is a proactive defense feature of Security Center. It automatically and continuously inventories all your Internet-exposed assets on Alibaba Cloud — both known cloud assets and unknown shadow assets. Based on asset risks and network reachability, it deduces potential attack paths, helping you identify and reduce exposure risks before attackers can exploit them and shifting your security posture from reactive response to proactive defense.
This feature is in public preview. It is available only to Enterprise Edition and Ultimate Edition customers and is free to use during the public preview period.
Key concepts
Cloud assets: Instances of cloud products activated under your Alibaba Cloud account and supported by the asset discovery feature. Examples include Elastic Compute Service (ECS), Server Load Balancer (SLB), and elastic IP addresses (EIPs).
Shadow assets: Alibaba Cloud assets not directly created by your account. The system discovers them by analyzing public information associated with your existing assets — Certificate Transparency logs, DNS records, and ICP filing information.
Attack path: A potential attack sequence deduced from asset associations, network reachability, and vulnerabilities or risky configurations. It shows how an attacker might progressively move from an entry point (start asset) to a high-value target (end asset).
An attack path represents a potential risk, not an actual attack event.
Use cases
Get a complete inventory of Internet-exposed assets. Rapid business growth leaves behind legacy test environments, subsidiary resources, and other unmanaged cloud assets that are easy to overlook. The asset discovery feature uses known assets as anchor points — WAF, Cloud Firewall, domain names, certificates, and EIPs — then continuously runs association analysis to surface both known cloud assets and unknown shadow assets, bringing everything into a single, accurate security view.
Identify and block high-risk attack paths. When the number of assets and vulnerabilities is large, it's hard to know which combinations of risks need fixing first. Attack surface management analyzes network reachability, vulnerabilities, and risky configurations to automatically deduce attack paths and display them in a topology graph. Focus remediation on critical nodes that block the highest-impact paths.
Continuously reduce your attack surface. Launching a new service or changing a configuration can introduce new exposures. Periodic asset scans and risk assessments detect changes as they happen, so routine security governance keeps pace with business growth rather than falling behind it.
How it works
Identify assets
Asset discovery works in two stages. First, it syncs a set of known assets as anchor points from their respective cloud product APIs: WAF, Cloud Firewall, domain names, SSL certificates, and EIPs. From these anchors, the system runs association analysis to discover additional shadow assets by mining Certificate Transparency logs, DNS records, and ICP filing information.
Asset sources and what they contribute:
| Source | Data collected |
|---|---|
| Web Application Firewall (WAF) and Cloud Firewall | Domain names and public IP addresses under protection |
| Domain names (Alibaba Cloud DNS) | Registered domain names under your account |
| SSL certificates | Strongly associated domain names and subdomains extracted from certificate data |
| Elastic IP addresses (EIPs) | Baseline inventory of all public IP assets under your account |
| ECS | Instances and their associated public IP addresses |
| SLB | Listener configurations, certificates, and backend server groups; establishes a mapping from services to resources |
Asset ownership management
Once assets are discovered, assign an ownership status for each one. Vulnerability scanning and attack path analysis run only on Attributed assets, which are also used as new anchor points to discover further shadow assets.
| Status | Meaning |
|---|---|
| Attributed | Confirmed as belonging to your account |
| Unconfirmed | Discovered by a scan; ownership not yet confirmed |
| To Be Investigated | Ownership under investigation; status temporarily unclear |
| Ignored | Confirmed as not belonging to your organization, or excluded from the scan scope |
Asset ownership management supports fine-grained status categorization for the three core asset types: domain names, IP addresses, and certificates.
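To make the two-stage discovery and the ownership gating concrete, here is an added example (not Security Center's own code) that expands a set of anchors through constructed Certificate Transparency and DNS data and uses only assets marked Attributed as new anchors; the functions `neighbours`, `discover` and `scan_scope`, and every hostname and IP address in it, are assumptions.

```python
from collections import deque

# Constructed sample data. In the service, anchors are synced from the WAF,
# Cloud Firewall, DNS, certificate and EIP product APIs; CT_LOGS and
# DNS_RECORDS stand in for the public CT and DNS data it mines.
ANCHORS = ["shop.example.com", "203.0.113.10"]
CT_LOGS = {  # certificate subject -> subject alternative names
    "shop.example.com": ["shop.example.com", "api.example.com", "staging.example.com"],
    "staging.example.com": ["staging.example.com", "old-test.example.net"],
}
DNS_RECORDS = {  # hostname -> public IP it resolves to
    "shop.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.11",
    "staging.example.com": "198.51.100.7",
    "old-test.example.net": "198.51.100.8",
}

def neighbours(asset):
    """Assets publicly associated with `asset`: SANs on its certificate,
    the IP it resolves to, and any hostname that resolves to it."""
    found = set(CT_LOGS.get(asset, []))
    if asset in DNS_RECORDS:
        found.add(DNS_RECORDS[asset])
    found.update(name for name, ip in DNS_RECORDS.items() if ip == asset)
    return found - {asset}

def discover(anchors, ownership):
    """Breadth-first association analysis from the anchors.
    `ownership` holds statuses you have already assigned; anything new
    defaults to Unconfirmed. Only Attributed assets are expanded further,
    so an Ignored or Unconfirmed asset never becomes a new anchor."""
    status = {a: "Attributed" for a in anchors}
    queue = deque(anchors)
    while queue:
        current = queue.popleft()
        if status[current] != "Attributed":
            continue
        for found in neighbours(current):
            if found not in status:
                status[found] = ownership.get(found, "Unconfirmed")
                queue.append(found)
    return status

def scan_scope(status):
    """Assets that vulnerability scanning and attack path analysis cover."""
    return sorted(a for a, s in status.items() if s == "Attributed")
```

Marking staging.example.com as Ignored stops the walk there, so old-test.example.net is never surfaced, while confirming api.example.com as Attributed pulls in the IP it resolves to as Unconfirmed.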
Scan types and task management
| Type | When it runs | Best for |
|---|---|---|
| One-click scan | Immediately on demand | Emergency response or a pre-launch asset inventory |
| Periodic scan | On a configurable schedule (weekly, monthly, etc.) | Routine monitoring of asset exposure |
After a scan starts, it runs three sub-tasks in sequence: Refresh Cloud Assets → Cloud Product Exposure Analysis Task → Attack Path Analysis. Use the task management module to track overall progress and the status of each sub-task in real time.
Attack risk
Attack path deduction
The attack path engine combines network reachability, system vulnerabilities, weak passwords, cloud security posture management (CSPM) findings, and sensitive asset data to deduce complete attack sequences from an Internet entry point (start asset) to a core target (end asset).
Results are presented in an Attack Path visualization graph that shows attack nodes, lateral movement paths, and exposed components — making risk propagation visible across complex network environments.
Multi-dimensional risk tags cover alerts, vulnerabilities, weak passwords, critical nodes, sensitive assets, exposed AI applications, and cloud security configuration risks, so you can pinpoint high-risk locations quickly.
The Posture overview surfaces the top five risk paths, attack path type distribution, and asset exposure methods — giving you a severity-ordered starting point for daily security work rather than a static report to review periodically.
Risk handling
Remediation and hardening: For risk points identified on nodes in the Attack Path — such as system vulnerabilities, CSPM configuration issues, or exposed network ports — go to the corresponding vulnerability management or CSPM module, or adjust the security group rules in the ECS console, to eliminate the risk at its source.
Handle (add to whitelist): For confirmed false positives or acceptable risks, configure a whitelist policy to exclude the attack path from a specific start asset to an end asset. The system stops generating risk data for that path.
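As an added illustration of the deduction and handling steps above (example code, not the attack path engine itself), the following models assets with the page's risk tags over a constructed reachability graph, enumerates start-to-end paths, suppresses a whitelisted (start, end) pair, ranks the top paths and counts which intermediate nodes sit on the most paths; the weights, the hop rule and every asset name are assumptions.

```python
from collections import Counter

REACH = {  # constructed reachability: source -> assets it can connect to
    "eip-web": ["ecs-web"],
    "ecs-web": ["ecs-app", "rds-main"],
    "ecs-app": ["rds-main", "oss-backup"],
    "slb-api": ["ecs-api"],
    "ecs-api": ["ecs-app"],
}
TAGS = {  # constructed risk tags per asset, in the page's vocabulary
    "eip-web": {"exposed"}, "slb-api": {"exposed"},
    "ecs-web": {"vulnerability"}, "ecs-api": {"weak_password"},
    "ecs-app": {"cspm"},
    "rds-main": {"sensitive", "weak_password"},
    "oss-backup": {"sensitive", "cspm"},
}
# Assumed scoring: a hop lands only on an asset with one of these risks, each adding its weight
WEIGHT = {"vulnerability": 3, "weak_password": 2, "cspm": 1}
EXPLOITABLE = set(WEIGHT)

def deduce_paths(reach, tags, whitelist=()):
    """Simple paths from an exposed start asset to a sensitive end asset;
    (start, end) pairs in `whitelist` are suppressed like a handled path."""
    paths = []
    def walk(path):
        node = path[-1]
        if "sensitive" in tags[node] and len(path) > 1:
            if (path[0], node) not in whitelist:
                paths.append(path)
            return
        for nxt in reach.get(node, []):
            if nxt not in path and tags.get(nxt, set()) & EXPLOITABLE:
                walk(path + [nxt])
    for start, t in tags.items():
        if "exposed" in t:
            walk([start])
    return paths

def severity(path, tags):
    """Sum of risk weights over the compromised hops (start asset excluded)."""
    return sum(WEIGHT[t] for n in path[1:] for t in tags[n] if t in WEIGHT)

def top_paths(paths, tags, n=5):
    """Top-N risk paths, the view the posture overview leads with."""
    return sorted(paths, key=lambda p: (-severity(p, tags), p))[:n]

def critical_nodes(paths):
    """Intermediate assets ranked by the number of paths through them."""
    counts = Counter(n for p in paths for n in p[1:-1])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

On this graph ecs-app sits on four of the five paths, so fixing its CSPM finding blocks more paths than patching the higher-weighted vulnerability on ecs-web.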
Supported cloud products for scanning
| Category | Products |
|---|---|
| Compute and containers | ECS, Elastic Container Instance (ECI), Function Compute (FC), Container Registry (ACR) |
| Network | Virtual Private Cloud (VPC), SLB, Content Delivery Network (CDN), API Gateway |
| Database | ApsaraDB RDS, Tair (Redis OSS-compatible), ApsaraDB for MongoDB, ApsaraDB for OceanBase, ApsaraDB for ClickHouse, PolarDB |
| Storage | Object Storage Service (OSS) |
| Middleware | Simple Message Queue (formerly MNS) |
| AI and big data | Platform for AI (PAI), Elasticsearch |
| Network security | Web Application Firewall (WAF), Cloud Firewall |
| Domain name services | Alibaba Cloud HiChina |
Common asset exposure methods
| Exposure method | Risk profile |
|---|---|
| Public IP address | Directly accessible to any Internet user; the most fundamental entry point for attacks on open ports and services |
| Public database connection | Exposes database ports (3306, 1433, 5432) to the public network; high risk of weak-password brute-forcing or vulnerability exploitation, which can lead to a data breach |
| Public network connectivity for cloud services | Cloud-native services such as OSS and API Gateway configured with public access permissions; risk typically comes from overly permissive access control policies that expose sensitive data or core business logic |
| Elastic IP address (EIP) | A static public IP that can be bound dynamically; carries the same risk as a regular public IP address, with additional management complexity from its portability |
| Application Load Balancer (ALB) | Operates at Layer 7; distributes HTTP/HTTPS traffic under a single access point; a primary entry point for web application attacks such as SQL injection and cross-site scripting (XSS) |
| Network Load Balancer (NLB) | Operates at Layer 4; distributes TCP/UDP traffic with high performance and low latency; directly exposes specific backend server ports to the public network |
| Server Load Balancer (SLB) | Alibaba Cloud's load balancing service family, which includes ALB (Layer 7) and NLB (Layer 4); provides access to multiple backend services through a single IP address |
| NAT Gateway | Primarily provides one-way outbound access (private to public); port forwarding rules (DNAT) can map external requests to specific internal hosts, creating a controlled but exploitable entry point |