
Security Center: Use the serverless asset protection feature

Last Updated: Jun 17, 2025

If your business operates in the Alibaba Cloud Serverless environment, you can use the serverless asset protection feature of Security Center to secure your assets. This feature includes alert detection, vulnerability scanning, and baseline checks for serverless assets. This topic explains how to add serverless assets to Security Center and how the feature protects them.

Functions

Supported assets

  • Elastic Container Instance (ECI) instances created by ACK managed clusters, ACK dedicated clusters, and ACK Serverless clusters.

  • ECI instances created through Container Compute Service (ACS).

  • ECI instances of Serverless App Engine (SAE).

Security capabilities

The serverless asset protection feature provides the following security capabilities:

  • Alert detection: The feature detects and allows you to manage common alerts generated on serverless assets, such as Webshell, Unusual Network Connection, and Suspicious Process. For more information, see Alerts for container environments.

  • Vulnerability detection: On the Risk Governance > Vulnerabilities page, you can click the number below Disclosed Vulnerabilities to view the supported vulnerabilities in the Detectable Vulnerabilities panel.

    The feature detects application vulnerabilities but does not fix them. You must manually upgrade the software or modify configurations based on the remediation suggestions provided in the vulnerability details to address security threats.


  • Baseline check: The feature allows you to identify and handle baseline risks on serverless assets, which are detected by using check items. For example, the Kubernetes (ECI) Pod Internationally Agreed Best Practices for Security baseline includes check items such as Minimize the admission of root containers and Minimize the admission of containers with capabilities assigned. For more information about the items that can be detected, see Baselines.

Security Center classifies added serverless assets into different instance types based on their container runtime status. The table below outlines the security capabilities supported for each instance type.

Instance type           | Supported security capabilities
ECI                     | Alert detection; Vulnerability scanning; Baseline risk check
RunD container instance | Alert detection

Billing rules

The public preview of the serverless asset protection feature ends on July 31, 2024 (UTC+8), after which the free trial is no longer available. To use the feature, you must purchase the feature by using the pay-as-you-go billing method in the Security Center console. For more information, see 2. Enable pay-as-you-go in this topic.

Start billing

After you purchase the serverless asset protection feature and complete the required authorization, you can use it. Charges apply to assets that are added to the feature and on which the Security Center agent is online, based on the pay-as-you-go tiered billing method outlined in the table below. The system calculates the number of cores used by added assets each day and generates the bill on the next day.

Usage tier (cores/second)       | Price (USD per core-second) | Fee formula (U represents daily usage in cores/second)
0~200,000,000                   | 0.000003                    | 0.000003×U (USD)
200,000,001~1,000,000,000       | 0.000002                    | 0.000002×(U-200,000,000)+0.000003×200,000,000 (USD)
1,000,000,001~9,999,999,999,999 | 0.0000015                   | 0.0000015×(U-1,000,000,000)+0.000002×800,000,000+0.000003×200,000,000 (USD)
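As an added worked example (not from the Security Center docs), the following Python computes the daily fee from the tiered table: it sums each tier's rate over the slice of usage inside that tier and cross-checks the result against the table's row formulas written out literally. It assumes U is expressed in the table's usage unit; the function names are this example's own.

```python
# Added example, not from the Security Center docs: computes the daily pay-as-you-go fee
# from the tiered table above. U is the day's usage in the table's unit; each tier's
# rate applies only to the slice of usage that falls inside that tier.
from decimal import Decimal

# (upper bound of the tier, USD price per unit), taken from the table above
TIERS = [
    (Decimal(200_000_000), Decimal("0.000003")),
    (Decimal(1_000_000_000), Decimal("0.000002")),
    (Decimal(9_999_999_999_999), Decimal("0.0000015")),
]

def daily_fee(usage):
    """Fee in USD for `usage` units, summing each tier's rate over its slice of the usage."""
    usage = Decimal(usage)
    if usage < 0 or usage > TIERS[-1][0]:
        raise ValueError("usage is outside the tiers listed in the table")
    fee, lower = Decimal(0), Decimal(0)
    for upper, rate in TIERS:
        if usage <= lower:
            break  # no usage left in this or any higher tier
        fee += (min(usage, upper) - lower) * rate
        lower = upper
    return fee

def fee_from_table_formula(usage):
    """The table's three row formulas written out literally, for cross-checking daily_fee."""
    u = Decimal(usage)
    if u <= 200_000_000:
        return Decimal("0.000003") * u
    if u <= 1_000_000_000:
        return Decimal("0.000002") * (u - 200_000_000) + Decimal("0.000003") * 200_000_000
    return (Decimal("0.0000015") * (u - 1_000_000_000)
            + Decimal("0.000002") * 800_000_000 + Decimal("0.000003") * 200_000_000)
```

The two functions agree at every usage value, which shows that the constants in the second and third row formulas are just the fees for the full lower tiers.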

Stop billing

The system stops checking serverless assets that are added to the serverless asset protection feature and stops billing in the following scenarios:

  • Billing is stopped for all serverless assets

    • On the Overview page of the Security Center console, turn off the switch for Serverless Asset Protection in the Pay-as-you-go Feature section.

    • On the Assets > Serverless Asset page of the Security Center console, click Suspended.

    • The current Alibaba Cloud account has overdue payments.

  • Billing is stopped for specific serverless assets

    On the Assets > Serverless Asset page of the Security Center console, remove specific assets from the serverless asset protection feature. For more information, see 3.2 Bind or unbind assets in this topic.

1. Install and start the Security Center agent on an ECI pod

If you use ECIs created with ACK managed and dedicated clusters, ACS clusters, or ACK Serverless clusters, you must install and start the Security Center agent on those instances. This allows you to utilize the security capabilities of the serverless asset protection feature.

You can install and start the Security Center agent on an ECI instance using the following methods:

ACK Serverless cluster

Log on to the ACK console and go to the details page of a cluster. In the left-side navigation pane, choose Workloads > Deployments. On the Pods page, click Create from YAML. In the YAML template, choose spec > template > metadata, add the annotations parameter, and set the parameter to k8s.aliyun.com/eci-aliyundun-enabled: "true".

Example of a YAML template:

apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        k8s.aliyun.com/eci-aliyundun-enabled: 'true'
      labels:
        app: nginx
    spec:
    #  nodeSelector:
    #    env: test-team
      containers:
      - name: nginx
        image: nginx:1.7.9 # replace with your own <image_name:tag>
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"

If you use an image to create resources, add the k8s.aliyun.com/eci-aliyundun-enabled key for the Annotations parameter in the Advanced step and set the value to true. For more information, see Create a stateless application by using an image.


ACK managed or dedicated cluster

  1. Log on to the ACK console and go to the details page of a cluster to deploy the ack-virtual-node component and schedule pods to your elastic container instance. For more information, see Schedule pods to elastic container instances.

  2. In the left-side navigation pane of the details page of the cluster, choose Workloads > Deployments. On the Pods page, click Create from YAML. In the YAML template, choose metadata, add the annotations parameter, and then set the parameter to k8s.aliyun.com/eci-aliyundun-enabled: "true". Choose spec > containers and configure the env environment variable. Set the name field to ECI_CONTAINER_TYPE and the value field to sidecar.

    Example of a YAML template:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-aegis-alinux2-lifsea-x86
      labels:
        eci: "true"
      annotations:
        k8s.aliyun.com/eci-aliyundun-enabled: "true"
    spec:
      containers:
      - name: sidecar
        image: registry-vpc.cn-shanghai.aliyuncs.com/eci_open/centos:7
        command:
        - /bin/sh
        - -c
        args:
        - sleep inf
        env:
        - name: ECI_CONTAINER_TYPE
          value: sidecar
      - name: nginx
        image: registry-vpc.cn-shanghai.aliyuncs.com/eci_open/centos:7
        command:
        - /bin/sh
        - -c
        args:
        - sleep inf

ACS cluster

In the left navigation pane of the target cluster management page in the Container Compute Service console, click Workloads > Deployments, click Create From YAML, add the annotations parameter under spec > template > metadata in the YAML template, and set it to security.alibabacloud.com/aliyundun-enabled: 'true'. For more information, see ACS pod overview and Use a YAML template.

Example of a YAML template:

apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        alibabacloud.com/compute-class: general-purpose
        alibabacloud.com/compute-qos: default
      annotations:
        security.alibabacloud.com/aliyundun-enabled: 'true'
    spec:
    #  nodeSelector:
    #    env: test-team
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6 # replace with your own <image_name:tag>
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"

If you create resources from an image, you can add the pod annotation security.alibabacloud.com/aliyundun-enabled=true in Advanced. For more information about how to create resources, see Use a YAML template.
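As an added example, not code from the Security Center docs or from the ACK/ACS products, the following Python checks a parsed manifest for the agent annotation described in the three procedures above (ACK Serverless, ACK managed or dedicated, and ACS), so the check can run in CI before a pod is deployed without the agent. It assumes manifests have already been parsed into dicts (for example with PyYAML); the function names and the require_sidecar flag are this example's own.

```python
# Added example, not code from the Security Center docs: checks a parsed Kubernetes
# manifest for the pod annotation that enables the Security Center agent on ECI, using
# the annotation keys and the ECI_CONTAINER_TYPE=sidecar setting from this page.
# Manifests are constructed dicts in the shape PyYAML would return for the YAML above.
ANNOTATION_BY_PLATFORM = {
    "ack": "k8s.aliyun.com/eci-aliyundun-enabled",        # ACK Serverless, managed, dedicated
    "acs": "security.alibabacloud.com/aliyundun-enabled",  # ACS clusters
}

def pod_metadata_and_spec(manifest):
    """Return (metadata, spec) of the pod, for a bare Pod or a Deployment's pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {}), manifest.get("spec", {})
    template = manifest.get("spec", {}).get("template", {})
    return template.get("metadata", {}), template.get("spec", {})

def check_agent_enabled(manifest, platform, require_sidecar=False):
    """Return findings (empty list = agent annotation is correct). require_sidecar applies
    the ACK managed/dedicated rule that a container sets ECI_CONTAINER_TYPE=sidecar."""
    key = ANNOTATION_BY_PLATFORM[platform]
    metadata, spec = pod_metadata_and_spec(manifest)
    value = (metadata.get("annotations") or {}).get(key)
    findings = []
    if value is None:
        findings.append(f"missing annotation {key}")
    elif value != "true":
        # Annotation values must be strings: an unquoted YAML `true` parses as a bool,
        # which the API server rejects; any other string leaves the agent disabled.
        findings.append(f'annotation {key} must be the quoted string "true", got {value!r}')
    if require_sidecar and not any(
        env.get("name") == "ECI_CONTAINER_TYPE" and env.get("value") == "sidecar"
        for container in spec.get("containers", [])
        for env in container.get("env", [])
    ):
        findings.append("no container sets env ECI_CONTAINER_TYPE=sidecar")
    return findings

# Constructed sample: the ACK Serverless Deployment shown above, as parsed YAML.
ACK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {
        "metadata": {"annotations": {"k8s.aliyun.com/eci-aliyundun-enabled": "true"}},
        "spec": {"containers": [{"name": "nginx", "image": "nginx:1.7.9"}]}}},
}
# Constructed sample of a common slip: the value written unquoted, so YAML yields a bool.
ACK_POD_UNQUOTED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"annotations": {"k8s.aliyun.com/eci-aliyundun-enabled": True}},
    "spec": {"containers": [{"name": "app", "image": "nginx:1.7.9"}]},
}
```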


2. Enable pay-as-you-go

Users of Basic edition and free trial

If you use the Basic edition or free trial of Security Center, you can separately purchase the serverless asset protection feature.

  1. Go to the Security Center buy page and log on with your Alibaba Cloud account.

  2. On the buy page, set the Billing Method parameter to Pay-as-you-go and the Serverless Asset Protection parameter to Yes.

  3. Click Custom Quota Binding. In the Quota Management dialog box, select All Servers or Specific Servers to protect all assets or specific assets.

    Important

    If you do not perform custom binding, all assets are bound by default, and new assets are automatically bound.

  4. Read and select Security Center Terms of Service and click Order Now.

Security Center automatically synchronizes all serverless assets within your account to the Serverless Asset page and adds serverless assets to the feature based on the configuration of the Protection Quota.

Other users

If you use one of the following paid editions of Security Center, you can also purchase the serverless asset protection feature: Anti-virus, Advanced, Enterprise, and Ultimate.

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.

  2. In the left navigation pane, choose Assets > Serverless Asset.

  3. On the Serverless Asset page, click Activate Now.

    Alternatively, turn on the switch for Serverless Asset Protection in the Pay-as-you-go Feature section of the Overview page.

  4. In the confirmation dialog box, you can click Custom Quota Binding to configure the quota for the target serverless assets, and click OK.

    Important

    If you do not perform custom binding, the system binds serverless assets based on the following logic:

    • If you have never purchased the serverless asset protection feature, all serverless assets in your account will be added to the feature upon purchase, and new assets will be automatically added.

    • If you have purchased the feature at least once, previously added ECI instances will be automatically re-added. If no ECI or SAE instances were previously added, all serverless assets in your account will be included after your new purchase, with new assets automatically added thereafter.

    • If your Alibaba Cloud account has overdue payments and you purchased the serverless asset protection feature, previously added serverless assets will remain unchanged once you settle the overdue payments.

  5. In the dialog box that appears, acknowledge and select I have read and agree to Security Center (Pay-as-you-go) Terms of Service., and click Activate Now.

3. Manage bound assets

  • Bind assets: Only serverless assets with the Security Center agent online and bound can use the serverless asset protection feature.

  • Unbind assets: You can unbind assets that do not need protection.

3.1. Synchronize assets

After you enable the serverless asset protection feature, you need to synchronize the latest asset information to confirm that the Security Center agent is installed and started on the assets to be protected.

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.

  2. In the left-side navigation pane, choose Assets > Serverless Asset, and click Synchronize Assets.

    Security Center obtains the information about the latest serverless assets and updates the asset list.

    Note

    The system takes 1 minute to update the information.


  3. On the Assets > Serverless Asset page, find the serverless asset that you want to manage and view the color of the icon in the Agent column.


    • Green: The agent is online. After the asset is bound, the serverless asset protection feature can be used.

    • Gray: The agent is offline because it is not installed or the network is unstable. After the asset is bound, the security protection feature cannot be used.

      Refer to 1. Install and start the Security Center agent on an ECI pod in this topic to check and install the Security Center agent for the corresponding asset, and restart the instance.

  4. After you create or restart a serverless asset instance, click Synchronize Assets on the Assets > Serverless Asset page to synchronize the latest asset information to Security Center.

3.2. Bind or unbind assets

After the Security Center agent is online for the asset, you can bind the asset to use the serverless asset protection feature. You can unbind any assets that don't need protection.

  1. On the Assets > Serverless Asset page, click Quota Management below Instances That Do Not Consume Quota.

  2. In the Quota Management dialog box, select Add or Remove for the operation type, select serverless assets, and then click OK.

    If you want new serverless assets to be automatically added to the feature, select Automatically Add New Assets.


4. View and handle security risks

After a serverless asset is added to Security Center and protected by the serverless asset protection feature, Security Center detects alerts generated on the asset in real time and conducts vulnerability detection and baseline checks at specified intervals. You can view the most recent detection or check time on the Vulnerabilities or Baseline Check page.

To address security risks, follow these steps:

  1. On the Assets > Serverless Asset page, find the required asset and check the security status in the Risk Status column. If At Risk is displayed in this column, alerts, vulnerabilities, or baseline risks are detected on the asset.

  2. Click the asset name or View in the Actions column to view information about the security risks on the asset.

    On the page that appears, click Alerts, Vulnerabilities, and Baseline Risks to view each type of security risks.


  3. Handle alerts.

    Find an alert that you want to handle and click Details in the Actions column to view information about the alert. You can check whether the alert indicates actual risks. To handle the alert, click Handle in the Actions column.

    If the alert corresponds to actual risks, select Isolation as the Handling Method. If the alert does not require action or you wish to ignore it, choose Add to Whitelist, Ignore, or Handled Manually as the Handling Method.

  4. Handle vulnerabilities.

    Click Vulnerabilities to view the vulnerabilities that are detected on the asset.

    Vulnerabilities can be exploited by attackers, so it is important to address detected vulnerabilities promptly. The serverless asset protection feature does not support quick fixes for application vulnerabilities; instead, use the vulnerability fixing feature to resolve these vulnerabilities effectively.

  5. Handle baseline risks.

    Click Baseline Risks to view the baseline risks that are detected on the asset. Find a baseline risk that you want to handle and click Details in the Actions column to view the risk details and security reinforcement suggestions. You can determine whether to handle the baseline risk or whitelist the baseline risk.

    You can fix only specific baseline risks in the Security Center console. If a Fix button is displayed in the risk list of the details page of the baseline risk, you can directly fix the baseline risk in the Security Center console.