Connect applications to Application Security

更新时间:
复制 MD 格式

You can connect your application to Application Security with a single click in the ARMS console. After connecting the application, restart its instances to enable Application Security. No code changes are required.

Prerequisites

  • Application Security currently supports only Java applications. Before you proceed, make sure your Java application is already connected to Application Monitoring. For more information, see Application Monitoring overview.

  • The Java agent for Application Monitoring must meet the following version requirements:

    • For applications in auto-upgrade environments, such as those in a container service or EDAS, the agent version must be v2.7.1.2 or later.

      Note

      Auto-upgrade environments are those where the agent upgrades automatically when you restart the application or its pod. For more information, see Upgrade the ARMS agent.

    • For manual upgrade scenarios, the agent version must be v2.7.1.3 or later.

    You can log on to the ARMS console and go to the Application Monitoring > Agent Management page to view the agent versions for your connected applications. If you need to upgrade an agent, see Upgrade the ARMS agent.

Authorize the service

Before connecting an application to Application Security, you must authorize ARMS to access Alibaba Cloud security services. This allows ARMS to access only the resources Application Security needs to function.

  1. Log on to the ARMS console.

  2. In the left-side navigation pane, choose Application Security > Application List.

  3. In the Application Security section, click Authorize Now.

  4. In the Note dialog box, click Confirm.

    After you grant the authorization, ARMS automatically creates the AliyunServiceRoleForARMSSecurity service-linked role. You can then view the application list and connect your target application. For more information about the permissions of this role, see Service-linked role for Application Security.

    Note

    If a message indicates that you do not have the permissions to create a service-linked role, ask your Alibaba Cloud account administrator to attach the required policy to your RAM user. For more information, see FAQ.

Connect to Application Security via Application Monitoring

Agent versions 2.7.1.4 and later support enabling Application Security when you connect to Application Monitoring.

Connect to Application Security from the console

If you did not enable Application Security during the initial connection to Application Monitoring, follow these steps.

  1. Log on to the ARMS console.

  2. In the left-side navigation pane, choose Application Security > Application List, and then select a region in the top navigation bar.

    The Application List page lists all Java applications that can be connected to Application Security.

    Note

    Before you connect an application, ensure that its agent version is 2.7.1.3 or later.

  3. Connect your target application.

    • To connect a single application: In the Actions column for the target application, click Monitor . In the dialog box that appears, click Confirm.

    • To connect multiple applications at once:

      1. On the Application List page, click Add Application in the upper-left corner.

      2. In the Add Application dialog box, select the target applications from the Applications Not Connected to Application Security list, click the > icon to move them to the Applications Connected to Application Security list, and then click OK.

  4. Restart the instances of the target application to apply the change.

    You can check the connection status of your applications in the Integration Status column on the Application List page. After all instances are restarted, Application Security takes effect for all instances of the application. If you restart only some instances, the feature takes effect only for those instances.

    In the Integration Status column, the Instances Added field shows the number of connected instances versus the total number of instances. You can click the numbers to view detailed status information for each instance.

    The top of the Applications page provides a Connect Application button, a connection status filter, and an application name search function. The list also contains columns such as Tags, Protection Mode (Monitor or Monitor and Block), the number of Vulnerable Components, and Attack Statistics. The Actions column in each row provides Protection Settings and Disconnect links.

Set the protection mode

After you connect an application to Application Security, you can set its protection mode. The available modes are Monitor, Monitor and Block, and Disable. By default, the protection mode is Monitor. After you have confirmed your application runs correctly for a period, you can switch to Monitor and Block mode to protect it from attacks.

  1. On the Application Security > Application List page, find the target application and click Protection Settings in the Actions column.

  2. In the Protection Settings dialog box, configure the following settings and click OK.

    Setting

    Description

    Protection Mode

    • Monitor: Monitors attack behavior. If an alert rule is configured, an alert is triggered. This mode does not affect application runtime.

    • Monitor and Block: Monitors and blocks attack behavior. When an attack is blocked, the application throws an exception.

    • Disable: Turns off all Application Security features for the application. No attacks are detected or blocked.

    Detection Timeout Period

    The maximum time allowed for attack detection. The value can range from 5 to 200,000 milliseconds. The default is 300 ms. If detection exceeds this timeout, the original business logic proceeds without waiting for completion. We recommend that you use the default value unless you have a specific reason to change it.

    Check Type

    The categories of attacks to be detected. We recommend that you use the default configuration (all types selected). For a description of each detection type, see Descriptions of attack types and protection suggestions.

    Note

    Changes to protection settings may take up to 30 seconds to take effect.

Disconnect an application

Applications connected via Application Monitoring

To disconnect an application that was connected through Application Monitoring:

  • For applications in ACK clusters:

    Remove the armsSecAutoEnable: "on" label.

  • For applications in other environments:

    Remove the -Darms.appsec.enable=true startup parameter.

Applications connected via the console

To disconnect an application that was connected from the console, go to the Application Security > Application List page. Find the target application, click Remove in the Actions column, and then click Confirm in the dialog box that appears. Afterward, you must restart the application's instances to complete the disconnection from Application Security.

However, if you have no special requirements and are only concerned about application performance, we do not recommend that you disconnect from Application Security. After you connect to Application Security, the default protection mode is "Monitor". In this mode, the system only reports attack alarms, does not perform actual blocking, and has no impact on application performance. You can also switch to the "Disable" mode to turn off all security detection capabilities. In this mode, the system does not report attack alarms even if a security attack occurs.