You can connect your application to Application Security with a single click in the ARMS console. After connecting the application, restart its instances to enable Application Security. No code changes are required.
Prerequisites
Application Security currently supports only Java applications. Before you proceed, make sure your Java application is already connected to Application Monitoring. For more information, see Application Monitoring overview.
The Java agent for Application Monitoring must meet the following version requirements:
For applications in auto-upgrade environments, such as those in a container service or EDAS, the agent version must be v2.7.1.2 or later.
NoteAuto-upgrade environments are those where the agent upgrades automatically when you restart the application or its pod. For more information, see Upgrade the ARMS agent.
For manual upgrade scenarios, the agent version must be v2.7.1.3 or later.
You can log on to the ARMS console and go to the page to view the agent versions for your connected applications. If you need to upgrade an agent, see Upgrade the ARMS agent.
Authorize the service
Before connecting an application to Application Security, you must authorize ARMS to access Alibaba Cloud security services. This allows ARMS to access only the resources Application Security needs to function.
Log on to the ARMS console.
In the left-side navigation pane, choose .
In the Application Security section, click Authorize Now.
In the Note dialog box, click Confirm.
After you grant the authorization, ARMS automatically creates the AliyunServiceRoleForARMSSecurity service-linked role. You can then view the application list and connect your target application. For more information about the permissions of this role, see Service-linked role for Application Security.
NoteIf a message indicates that you do not have the permissions to create a service-linked role, ask your Alibaba Cloud account administrator to attach the required policy to your RAM user. For more information, see FAQ.
Connect to Application Security via Application Monitoring
Agent versions 2.7.1.4 and later support enabling Application Security when you connect to Application Monitoring.
For applications in ACK clusters:
Add the
armsSecAutoEnable: "on"label. For more information, see Install the Java agent for applications in ACK and ACS clusters by using ack-onepilot.For applications in other environments:
Add the
-Darms.appsec.enable=truestartup parameter. For more information, see Manually install an agent.
Connect to Application Security from the console
If you did not enable Application Security during the initial connection to Application Monitoring, follow these steps.
Log on to the ARMS console.
In the left-side navigation pane, choose , and then select a region in the top navigation bar.
The Application List page lists all Java applications that can be connected to Application Security.
NoteBefore you connect an application, ensure that its agent version is 2.7.1.3 or later.
Connect your target application.
To connect a single application: In the Actions column for the target application, click Monitor . In the dialog box that appears, click Confirm.
To connect multiple applications at once:
On the Application List page, click Add Application in the upper-left corner.
In the Add Application dialog box, select the target applications from the Applications Not Connected to Application Security list, click the > icon to move them to the Applications Connected to Application Security list, and then click OK.
Restart the instances of the target application to apply the change.
You can check the connection status of your applications in the Integration Status column on the Application List page. After all instances are restarted, Application Security takes effect for all instances of the application. If you restart only some instances, the feature takes effect only for those instances.
In the Integration Status column, the Instances Added field shows the number of connected instances versus the total number of instances. You can click the numbers to view detailed status information for each instance.
The top of the Applications page provides a Connect Application button, a connection status filter, and an application name search function. The list also contains columns such as Tags, Protection Mode (Monitor or Monitor and Block), the number of Vulnerable Components, and Attack Statistics. The Actions column in each row provides Protection Settings and Disconnect links.
Set the protection mode
After you connect an application to Application Security, you can set its protection mode. The available modes are Monitor, Monitor and Block, and Disable. By default, the protection mode is Monitor. After you have confirmed your application runs correctly for a period, you can switch to Monitor and Block mode to protect it from attacks.
On the page, find the target application and click Protection Settings in the Actions column.
In the Protection Settings dialog box, configure the following settings and click OK.
Setting
Description
Protection Mode
Monitor: Monitors attack behavior. If an alert rule is configured, an alert is triggered. This mode does not affect application runtime.
Monitor and Block: Monitors and blocks attack behavior. When an attack is blocked, the application throws an exception.
Disable: Turns off all Application Security features for the application. No attacks are detected or blocked.
Detection Timeout Period
The maximum time allowed for attack detection. The value can range from 5 to 200,000 milliseconds. The default is 300 ms. If detection exceeds this timeout, the original business logic proceeds without waiting for completion. We recommend that you use the default value unless you have a specific reason to change it.
Check Type
The categories of attacks to be detected. We recommend that you use the default configuration (all types selected). For a description of each detection type, see Descriptions of attack types and protection suggestions.
NoteChanges to protection settings may take up to 30 seconds to take effect.
Disconnect an application
Applications connected via Application Monitoring
To disconnect an application that was connected through Application Monitoring:
For applications in ACK clusters:
Remove the
armsSecAutoEnable: "on"label.For applications in other environments:
Remove the
-Darms.appsec.enable=truestartup parameter.
Applications connected via the console
To disconnect an application that was connected from the console, go to the page. Find the target application, click Remove in the Actions column, and then click Confirm in the dialog box that appears. Afterward, you must restart the application's instances to complete the disconnection from Application Security.
However, if you have no special requirements and are only concerned about application performance, we do not recommend that you disconnect from Application Security. After you connect to Application Security, the default protection mode is "Monitor". In this mode, the system only reports attack alarms, does not perform actual blocking, and has no impact on application performance. You can also switch to the "Disable" mode to turn off all security detection capabilities. In this mode, the system does not report attack alarms even if a security attack occurs.