Alibaba Cloud custom images are primarily used to create ECS instances. The operating system, pre-installed applications, and data are copied to the new instance automatically along with the custom image. A prepared custom image lets you create instances with identical configurations quickly, which improves working and delivery efficiency.
An instance created from an Alibaba Cloud custom image is the same as an instance created from a regular official image. During creation, critical vulnerabilities may be present at different levels: in the operating system, such as remote command execution (the Windows 0day vulnerability that affects the NAS tool), and in applications, such as weak passwords, leaked management information, SQL injection in web code, and the Struts2 critical vulnerability. If you fix these security problems before you create the image, your service is more secure.
The following best practices from the Alibaba Cloud security team address these security issues.
- We recommend that you keep a close eye on security vulnerability intelligence after you use a custom image derived from an official standard image. When a critical vulnerability emerges, apply the latest patch to the operating system immediately and recreate the custom image.
- If a critical vulnerability emerges that cannot be fixed immediately with a patch, we recommend that you use security group access policies and application protection policies for real-time detection of and defense against intrusions.
- We recommend that you use the latest official versions of application service software installed with custom configurations, such as Tomcat, Apache, and Nginx, and that you harden these applications by disabling unnecessary features or components to improve overall security. The Alibaba Cloud security team provides security hardening documentation for your reference.
- Pay attention to security vulnerability information and update the software to the latest version as soon as a critical vulnerability is discovered.
- After you have completed the preceding steps (patching the operating system and hardening the application software), we recommend that you use security scan tools (such as the Nessus and Nexpose operating system vulnerability scanners and the Appscan and WVS web vulnerability scanners) to scan the image and re-check whether it harbors any high-risk vulnerabilities. If any security vulnerabilities exist, we strongly recommend that you fix them before launching the image.
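The steps above (keep the operating system patched, harden the application software, then re-check before the image is created) can be turned into a repeatable pre-bake audit. The script below is an added example, not Alibaba Cloud's or the security team's own tooling: it checks a few service configurations (sshd, Nginx, Tomcat) for settings the hardening advice covers and compares installed package versions against a minimum patch baseline. The configuration excerpts, the webapp list, the package versions and the `MIN_VERSIONS` baseline are all constructed for the example; replace the baseline with the versions your own vulnerability intelligence calls for.

```python
"""Pre-bake audit for a custom image: check service configs and package
versions against a hardening baseline before the image is created.
Example code; every input and baseline value below is constructed."""
import re

# Minimum acceptable versions (constructed example values, not advisory data).
MIN_VERSIONS = {"nginx": "1.20.1", "tomcat": "9.0.50", "openssh": "8.4"}


def parse_version(version):
    """Turn '9.0.50-1' into a comparable tuple of ints: (9, 0, 50, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def needs_update(name, installed):
    """True when the installed package is older than the baseline."""
    minimum = MIN_VERSIONS.get(name)
    if minimum is None:
        return False  # not in the baseline: nothing to compare against
    return parse_version(installed) < parse_version(minimum)


def directive(config, key):
    """Value of the last uncommented 'key value' line in a config, or None.
    Handles '#' comments and the trailing ';' used by Nginx."""
    value = None
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            value = parts[1].strip()
    return value


def audit_sshd(config):
    """Weak-password surface: password logins and root password login."""
    findings = []
    if (directive(config, "PasswordAuthentication") or "yes").lower() != "no":
        findings.append("sshd: PasswordAuthentication enabled; use key-based login")
    if (directive(config, "PermitRootLogin") or "yes").lower() not in ("no", "prohibit-password"):
        findings.append("sshd: PermitRootLogin allows root password login")
    return findings


def audit_nginx(config):
    """Information leak: version string in headers and error pages."""
    if (directive(config, "server_tokens") or "on").lower() != "off":
        return ["nginx: server_tokens is on; version string is exposed"]
    return []


def audit_tomcat(server_xml, webapps):
    """Unnecessary components: shutdown port and default web applications."""
    findings = []
    match = re.search(r'<Server[^>]*\bport="(-?\d+)"', server_xml)
    if match and match.group(1) != "-1":
        findings.append(f"tomcat: shutdown port {match.group(1)} enabled; set port=\"-1\"")
    for app in ("manager", "host-manager", "examples", "docs"):
        if app in webapps:
            findings.append(f"tomcat: default webapp '{app}' deployed; remove it from the image")
    return findings


def audit_packages(installed):
    """Patch level: every package below the baseline is a finding."""
    return [f"{name}: installed {ver} is below baseline {MIN_VERSIONS[name]}"
            for name, ver in installed.items() if needs_update(name, ver)]


def run_audit(sshd, nginx, server_xml, webapps, packages):
    """Return all findings; an empty list means the image may be created."""
    return (audit_sshd(sshd) + audit_nginx(nginx)
            + audit_tomcat(server_xml, webapps) + audit_packages(packages))


# Constructed sample inputs, as if read from the instance before imaging.
SAMPLE_SSHD = "# sshd_config excerpt (constructed)\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_NGINX = "http {\n    server_tokens on;\n}\n"
SAMPLE_SERVER_XML = '<Server port="8005" shutdown="SHUTDOWN">'
SAMPLE_WEBAPPS = ["ROOT", "manager", "examples"]
SAMPLE_PACKAGES = {"nginx": "1.18.0", "tomcat": "9.0.50-1", "openssh": "8.4"}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_SSHD, SAMPLE_NGINX, SAMPLE_SERVER_XML,
                             SAMPLE_WEBAPPS, SAMPLE_PACKAGES):
        print("FAIL", finding)
```

Run it on the instance that will be imaged and treat any `FAIL` line as a blocker, in the same way the scan step above treats a high-risk scanner finding. The version comparison deliberately tokenises on digits so that distribution suffixes such as `9.0.50-1` sort correctly against a plain `9.0.50` baseline; the config checks read only the last uncommented occurrence of a directive, which is how sshd and Nginx resolve duplicates.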