Analysis of Default Configuration Risks of Cloud Platforms and Services


Identify and assess security risks in the default configurations of cloud platforms and services to protect your workloads.

Cloud platforms and services are configured differently depending on business requirements. For example, some OSS buckets need public read and write access, while others allow public read but only private write. A default configuration is therefore not secure in every scenario. Enterprises should identify the security risks in default configurations, understand the security best practices for each service, and then assess the impact and acceptability of each risk against the actual business scenario. Consider the following dimensions when analyzing default configuration risks:

| Risk assessment dimension | Description | Example |
| --- | --- | --- |
| Identity management | Verify the authentication method, the password policy, and the RAM users and roles that exist. | Use a RAM password policy to enforce password complexity. Set the minimum password length to at least 14 characters; RAM allows a minimum length of up to 32 characters. |
| Permission management | Check for excessive authorization and other permission-related issues in cloud platforms and services. | Review RAM identity policies for high-risk actions, and remove actions that the operation logs from the past month show were never used. |
| Access control | Verify that the access methods and access controls of cloud platforms and services meet security requirements. | Enabling a public endpoint for an RDS instance exposes it to the internet. Disable public network access and connect through the VPC endpoint; if a public endpoint is unavoidable, restrict it with an IP address whitelist. |
| Network security | Verify that the network settings of resources comply with security specifications and compliance requirements. | Associating a VPC with a public NAT gateway can expose resources to external attacks: SNAT entries only provide outbound internet access, but each DNAT entry publishes a private IP address and port to the internet. Review DNAT entries and restrict inbound sources in the security groups of the target instances. |
| Data security | Verify that data access control and encryption are enabled for resources that process data. | Enable server-side encryption (SSE-OSS or SSE-KMS) on OSS buckets. |
| Log auditing | Verify that logging and monitoring are enabled for resources. | Access to OSS generates a large number of access logs. With the logging feature enabled, OSS writes each hour's access logs to a specified target bucket as objects with fixed naming rules. You can analyze these log objects with Alibaba Cloud Data Lake Analytics or a Spark cluster. |
| Disaster recovery and backups | Verify that backup strategies for resources are properly configured and actually executed. | Back up NAS file systems regularly in the NAS console so that files can be restored promptly after data loss or corruption. |
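As an added example (not code from this page or from Alibaba Cloud), the following Python script implements the permission-management check in the table above: it flattens the Allow statements of a RAM policy document, matches the granted action patterns against one month of operation-log events, reports granted patterns that were never used and high-risk actions the policy allows (including through wildcards such as `ecs:*`), and derives a trimmed policy that keeps each statement's original Resource scope. The policy document, the event records and the HIGH_RISK list are constructed assumptions for illustration; the policy format (Version/Statement/Effect/Action/Resource) and the `serviceName`/`eventName` event fields follow Alibaba Cloud's documented shapes.

```python
"""Added example (not from the page): least-privilege review of a RAM policy.

Compares the actions a RAM policy grants with the actions actually used in
the past month, flags granted high-risk actions, and derives a trimmed policy.
All sample data below is constructed for illustration; the HIGH_RISK list is
an assumption by the reviewer, not a list published by Alibaba Cloud.
"""
import fnmatch
import json
from collections import Counter

# Constructed sample: an over-broad custom RAM policy in the standard
# Version/Statement/Effect/Action/Resource document format.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:PutObject", "oss:DeleteBucket", "oss:PutBucketAcl"],
     "Resource": "acs:oss:*:*:app-logs/*"},
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"}
  ]
}
""")

# Constructed sample: one month of operation-log events for the identity that
# holds POLICY, reduced to the two fields needed here (service and API name).
EVENTS = [
    {"serviceName": "Oss", "eventName": "GetObject"},
    {"serviceName": "Oss", "eventName": "GetObject"},
    {"serviceName": "Oss", "eventName": "PutObject"},
    {"serviceName": "Ecs", "eventName": "DescribeInstances"},
    {"serviceName": "Ecs", "eventName": "DescribeInstances"},
    {"serviceName": "Ecs", "eventName": "StartInstance"},
]

# Assumption: actions this reviewer treats as high-risk (privilege escalation,
# destructive operations, or access-control changes). Tailor to your environment.
HIGH_RISK = {
    "ram:createuser", "ram:createaccesskey", "ram:attachpolicytouser",
    "oss:putbucketacl", "oss:deletebucket", "ecs:deleteinstance",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def covers(pattern, action):
    """True if a RAM action pattern (with * wildcards) matches an action.
    Action names are compared case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_patterns(policy):
    """Action patterns from all Allow statements, lower-cased."""
    return {
        a.lower()
        for st in policy["Statement"] if st.get("Effect") == "Allow"
        for a in _as_list(st["Action"])
    }


def used_actions(events):
    """Counter of 'service:ApiName' actually invoked, e.g. 'oss:GetObject'."""
    return Counter(f"{e['serviceName'].lower()}:{e['eventName']}" for e in events)


def unused_patterns(policy, events):
    """Granted patterns that matched no action in the log window."""
    used = used_actions(events)
    return {p for p in granted_patterns(policy)
            if not any(covers(p, a) for a in used)}


def high_risk_granted(policy):
    """High-risk actions the policy allows, including via wildcards."""
    pats = granted_patterns(policy)
    return {a for a in HIGH_RISK if any(covers(p, a) for p in pats)}


def minimal_policy(policy, events):
    """Rewrite each Allow statement to list only the used actions it covered,
    keeping its original Resource scope; statements that covered no used
    action are dropped. Deny statements are kept unchanged."""
    used = sorted(used_actions(events))
    statements = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            statements.append(st)
            continue
        kept = [a for a in used
                if any(covers(p, a) for p in _as_list(st["Action"]))]
        if kept:
            statements.append({"Effect": "Allow", "Action": kept,
                               "Resource": st["Resource"]})
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    print("unused patterns:", sorted(unused_patterns(POLICY, EVENTS)))
    print("high-risk granted:", sorted(high_risk_granted(POLICY)))
    print(json.dumps(minimal_policy(POLICY, EVENTS), indent=2))
```

Treat the trimmed policy as input for a review rather than something to apply blindly: actions used less often than monthly (key rotation, incident response, quarterly maintenance) are absent from a one-month window, so confirm with the resource owner before removing them, and tighten the `Resource` element from `*` at the same time, since the script only narrows actions.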