Infrastructure risk analysis


Identify and mitigate security risks in your cloud network architecture, account system, and workload deployment.

Network architecture risks

Network architecture risks arise from improper network segmentation, asset exposure, or Demilitarized Zone (DMZ) design. These issues can expose internal interfaces or addresses to the Internet, allow unauthorized network access, and let attackers gather information about your company's assets and applications.

Common network architecture risks in the cloud:

| Category | Influencing factor | Risk level | Potential risks |
| --- | --- | --- | --- |
| Vulnerable ports open | Common vulnerable ports (22, 3389, 445) are open at the Internet border or accessible from the public network through methods such as port mapping. | High | Attackers can exploit exposed vulnerable ports for brute-force attacks, malicious logons, and vulnerability exploits. Without port translation or protection, internal assets are directly at risk. |
| Overly permissive security group policies and maintenance | Security group policies are overly permissive. As network complexity grows, policy count increases and maintenance becomes harder, leading to outdated or disorganized rules. | High | Security groups control network access for ECS instances. Overly permissive rules expose internal resources, allowing attackers to scan and launch insider attacks. In complex architectures with multiple VPCs, accounts, and CEN to build a unified internal network, security group policies can become difficult to maintain. Outdated or unmaintained policies increase the risk of network attacks. |
| East-west network traffic | VPCs and CEN Transit Routers (TRs) connect corporate intranets and enable full network connectivity. | High | CEN connectivity breaks VPC isolation for east-west and VPC-to-VPC traffic. Without security controls for network isolation and traffic auditing, lateral attacks within the internal network become possible. |
| Network partitioning and isolation | During initial cloud migration, the network architecture was not divided by partitioning and domain principles, resulting in services stacked within a single VPC or account. | Medium | Without partitioning, frontend, middleware, and database services share one VPC. If the Internet-facing frontend has open ports or vulnerabilities, attackers can penetrate the internal network and access all VPC resources: stealing data, disrupting systems, or launching ransomware attacks, causing severe losses. Overly complex systems without resource isolation also suffer reduced scalability, flexibility, and stability. |
| Unprotected public resources | EIPs are attached directly to ECS instances or ACK clusters, bypassing security protection and monitoring. | High | Direct public IP attachment bypasses security settings, creating monitoring blind spots. If an ECS instance has critical vulnerabilities or exposed ports, network attacks and sniffing attacks may not be detected promptly. |
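The "vulnerable ports open" and "overly permissive security group" rows (in this table and again in the workload table below) can be checked mechanically. The following is an added example, not code from this page or from Alibaba Cloud: it evaluates a constructed, simplified rule set (field names, priority semantics, and the intranet ranges are our own assumptions) and reports which of ports 22, 3389, and 445 an Internet source could reach.

```python
import ipaddress
from dataclasses import dataclass
# Ports the page lists as commonly targeted when open at the Internet border.
VULNERABLE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB"}
# Assumed intranet IPv4 ranges; any other source may be reached from the Internet.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    """Constructed, simplified ingress rule; the field names are ours, not an SDK's."""
    priority: int     # lower number is evaluated first
    policy: str       # "accept" or "drop"
    protocol: str     # "tcp", "udp" or "all"
    port_range: str   # "low/high"; "-1/-1" means all ports
    source_cidr: str  # IPv4 source of the traffic, e.g. "0.0.0.0/0"

def covers_port(port_range: str, port: int) -> bool:
    low, high = (int(p) for p in port_range.split("/"))
    return (low, high) == (-1, -1) or low <= port <= high

def internet_reachable(cidr: str) -> bool:
    """True unless the source range lies wholly inside an intranet range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)

def exposed_ports(rules: list) -> dict:
    """Return {port: service} for vulnerable TCP ports an Internet source can reach.
    First match in priority order decides; on equal priority a drop rule is assumed to win."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.policy != "drop"))
    exposed = {}
    for port, service in VULNERABLE_PORTS.items():
        for r in ordered:
            if r.protocol not in ("tcp", "all") or not covers_port(r.port_range, port):
                continue
            if not internet_reachable(r.source_cidr):
                continue  # intranet-only rule says nothing about Internet traffic
            if r.policy == "accept":
                exposed[port] = service
            break  # first matching rule decides
    return exposed

# Constructed sample: SSH open to the world, RDP shadowed by a higher-priority drop, SMB intranet-only.
SAMPLE_RULES = [
    Rule(1, "drop", "tcp", "3389/3389", "0.0.0.0/0"),
    Rule(50, "accept", "tcp", "22/22", "0.0.0.0/0"),
    Rule(50, "accept", "tcp", "3389/3389", "0.0.0.0/0"),
    Rule(10, "accept", "tcp", "445/445", "10.0.0.0/8"),
    Rule(100, "accept", "all", "-1/-1", "10.0.0.0/8"),
]
```

Running `exposed_ports(SAMPLE_RULES)` reports only port 22; the same function over a single `accept all -1/-1 0.0.0.0/0` rule reports all three ports, which is the "overly permissive" case.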

Account system risks

Cloud resources are accessed through the platform's account system — both through a user interface and programmatically via APIs or SDKs. Account system risks include data breaches and instability caused by identity misuse, excessive permissions, or leaked AccessKey pairs, which can allow unauthorized users to use your cloud resources.

In past Alibaba Cloud security incidents, network attacks, data breaches, and ransomware caused by tenant account issues were common.

Common Alibaba Cloud account security risks:

| Category | Influencing factor | Risk level | Potential risks |
| --- | --- | --- | --- |
| RAM user configuration risks | MFA is not enabled for a RAM user. | High | Without MFA, accounts are vulnerable to theft, unusual logons, and brute-force attacks, leading to resource exploitation and data breaches. |
| | A RAM user has excessive permissions. | Medium | Excessive permissions can lead to privilege escalation, resource misuse, and data breaches. |
| | A RAM user is inactive. | Medium | Inactive RAM users can lead to brute-force attacks and management risks. |
| | An AccessKey pair is inactive. | Medium | Inactive AccessKey pairs can lead to abnormal API calls and management risks. |
| Credential leak | Alibaba Cloud account credentials are leaked. | High | AccessKey pairs are the primary access credentials for cloud resources, granting usage rights, data access, and control permissions. They are often hardcoded in code or tools. A leaked AccessKey pair can lead to data breaches and asset destruction. |
| Alibaba Cloud account configuration risks | An Alibaba Cloud account is configured insecurely. | High | An Alibaba Cloud account has excessive permissions. If RAM users or RAM user AccessKey pairs are not used to delegate access, privilege escalation and data breaches can occur. |
| | An AccessKey pair exists for the Alibaba Cloud account. | High | Because an Alibaba Cloud account has excessive permissions, creating an AccessKey pair for it introduces risks of privilege escalation and data breaches. |
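The RAM user rows above describe per-user conditions that an audit job can evaluate from inventory data. The following is an added example, not code from this page or from the RAM service: it runs the MFA, excessive-permission, inactive-user, and inactive-key checks over constructed user records. The 90-day inactivity threshold, the use of the AdministratorAccess policy as the marker of excessive permissions, and the record field names are all assumptions; a user counts as inactive only if neither console logon nor any of its keys has been used within the threshold.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
# Assumed: a 90-day threshold and AdministratorAccess as the excess-permission marker; the page gives neither.
INACTIVE_AFTER = timedelta(days=90)
ADMIN_POLICY = "AdministratorAccess"

@dataclass
class AccessKey:  # constructed record; field names are ours, not the RAM API's
    key_id: str
    active: bool
    last_used: Optional[date]   # None: never used

@dataclass
class RamUser:  # constructed record; field names are ours, not the RAM API's
    name: str
    mfa_enabled: bool
    last_login: Optional[date]  # None: never logged on to the console
    policies: list = field(default_factory=list)
    keys: list = field(default_factory=list)

def stale(last: Optional[date], today: date) -> bool:
    return last is None or today - last > INACTIVE_AFTER

def last_activity(user: RamUser) -> Optional[date]:
    dates = [d for d in [user.last_login] + [k.last_used for k in user.keys] if d]
    return max(dates) if dates else None

def audit_user(user: RamUser, today: date) -> list:
    """Return (risk level, finding) pairs, one per matching row of the table above."""
    findings = []
    if not user.mfa_enabled:
        findings.append(("High", "MFA not enabled"))
    if ADMIN_POLICY in user.policies:
        findings.append(("Medium", f"excessive permissions: {ADMIN_POLICY}"))
    if stale(last_activity(user), today):
        findings.append(("Medium", "inactive RAM user"))
    for key in user.keys:
        if key.active and stale(key.last_used, today):
            findings.append(("Medium", f"inactive AccessKey {key.key_id}"))
    return findings

# Constructed sample data, audited as of 2024-06-01; key IDs and the read-only policy name are placeholders.
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    RamUser("ops-admin", True, date(2024, 5, 30), [ADMIN_POLICY],
            [AccessKey("LTAI-EXAMPLE-1", True, date(2024, 1, 3))]),
    RamUser("deploy-bot", False, None, ["ECSReadOnly-EXAMPLE"],
            [AccessKey("LTAI-EXAMPLE-2", True, date(2024, 5, 31))]),
]
```

For the sample, `ops-admin` is flagged for the admin policy and a key unused since January, while `deploy-bot` is flagged only for missing MFA because its key is in active use.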

Workload architecture risks

A workload is a cloud service that supports business operations, such as an ECS instance, Kubernetes cluster, or container. Workload architecture risks stem from deployment methods, network connectivity, and access control configurations. For example, an attacker can exploit an ECS instance that is directly attached to a public IP address to provide services over the Internet.

Common workload architecture risks:

| Category | Influencing factor | Risk level | Potential risks |
| --- | --- | --- | --- |
| Unprotected workloads | A workload is directly attached to an EIP without NAT Gateway, SLB, or firewall protection. | High | Direct public IP attachment bypasses security settings, creating monitoring blind spots. If an ECS instance has critical vulnerabilities or exposed ports, network attacks and sniffing attacks may not be detected promptly. |
| Overly permissive security groups | The security group has overly permissive rules and does not effectively protect the workload. Too many workloads share one security group with loose policy settings. | Medium | When too many ECS instances share a security group, policies become overly permissive due to differing requirements and maintenance burden, creating loose access control. |
| Unified logon authentication and audit | A workload is accessed directly without a Bastionhost. | High | Without centralized authentication and access control, credential leaks or brute-force attacks cannot be effectively mitigated. |
| | Operation audits for workloads are not centralized. | High | Security events cannot be effectively traced or located. |