Alibaba Cloud platform security best practices

更新时间:
复制 MD 格式

The Alibaba Cloud platform security best practices compliance package continuously detects risky configurations across account security, cloud resource security, network security, data security, backup and recovery, and log audits.

Rule name

Rule description

Enable MFA for Alibaba Cloud accounts

An Alibaba Cloud account is considered compliant if multi-factor authentication (MFA) is enabled. MFA reduces the risk of account theft.

Do not use an AccessKey for the Alibaba Cloud account

An Alibaba Cloud account is considered compliant if it does not have an AccessKey. The AccessKey of an Alibaba Cloud account has unrestricted permissions, and a leak can have catastrophic consequences. Use RAM user AccessKeys with proper access control instead.

Use HTTPS for public API requests in API Gateway

An API Gateway API is considered compliant if it uses HTTPS for public requests to encrypt data in transit. APIs restricted to internal network calls are not applicable.

Enable HTTPS encryption for accelerated domain names

An accelerated domain name is considered compliant if HTTPS is enabled to encrypt data in transit.

Set an automatic snapshot policy for ECS disks

An ECS disk is considered compliant if an automatic snapshot policy is configured. Disks not in use, disks that do not support automatic snapshot policies, or disks mounted on ACK clusters for non-persistent use are not applicable. Automatic snapshots enable quick recovery from security events such as virus intrusions or ransomware attacks.

Enable Security Center protection for running ECS instances

An ECS instance is considered compliant if the Security Center plugin is installed. Instances that are not running are not applicable.

Use ECS instances in a VPC

An ECS instance is considered compliant if its network type is VPC. If a parameter is specified, the instance is compliant only if it is in the specified VPC. VPC provides basic network isolation for your cloud environment.

Use a key pair to log on to Linux hosts

A Linux host is considered compliant if a key pair is used for logon. SSH key pairs provide secure and convenient authentication that resists brute-force attacks.

Prevent security groups from opening risky ports to all IP addresses for specified protocols

A security group is considered compliant if its inbound rule for a specified protocol does not open specified risky ports to 0.0.0.0/0. This reduces the risk of brute-force attacks. A security group is also compliant if a higher-priority authorization policy rejects the risky port. Security groups used by cloud products or virtual operators are not applicable. By default, this rule detects risky ports 22 and 3389.

Do not enable public access for MongoDB instances or set the whitelist to allow access from any source

A MongoDB instance is considered compliant if public network access is disabled or the whitelist does not allow access from any source. This prevents brute-force attacks and reduces the risk of data leaks.

Enable log backup for MongoDB instances

A MongoDB instance is considered compliant if log backup is enabled. Log backups allow you to restore data to any point in time within the retention period.

Disable public-read-write ACL for OSS buckets

An OSS bucket is considered compliant if its access control list (ACL) is not set to public-read-write. Public-read-write allows any visitor to write to the bucket, creating a risk of malicious data injection.

Disable public-read ACL for OSS buckets

An OSS bucket is considered compliant if its ACL is not set to public-read. Public-read increases the risk of data leaks.

Set an access policy for public OSS buckets and grant no permissions to anonymous accounts

An OSS bucket with public read or write permissions is considered compliant if its authorization policy does not grant read or write permissions to anonymous accounts. This reduces the risk of data leaks. Buckets with private permissions are not applicable.

Do not enable public access for PolarDB instances or set the IP whitelist to all network segments

A PolarDB instance is considered compliant if public network access is disabled or the IP whitelist does not allow access from all IP addresses. This prevents brute-force attacks and reduces the risk of data leaks.

Set SSL encryption for PolarDB clusters

A PolarDB cluster is considered compliant if SSL encryption is enabled to protect data in transit.

Set the log backup retention period for PolarDB clusters to more than 30 days

A PolarDB cluster is considered compliant if its log backup retention period is at least the specified number of days (default: 30 days). Non-compliant if log backup is disabled or the retention period is shorter. Log backups enable point-in-time data restoration.

Do not grant super administrator (Admin) permissions to RAM users

Compliant if no RAM user, RAM user group, or RAM role is granted Admin permissions (Resource: *, Action: *). Follow the principle of least privilege.

Enable MFA for RAM users

A RAM user with console access is considered compliant if MFA is enabled. MFA reduces the risk of account theft.

Ensure no idle AccessKeys exist for RAM users

A RAM user's AccessKey is considered compliant if it has been used within the specified number of days (default: 90 days). Disable idle AccessKeys promptly.

Do not configure a public IP address for RDS instances

An RDS instance is considered compliant if it has no public IP address. Direct Internet Access in production environments makes instances vulnerable to brute-force attacks and data leaks.

Enable log backup for RDS instances

An RDS instance is considered compliant if log backup is enabled. Read-only instances are not applicable. Log backups enable point-in-time data restoration.

Enable SSL for RDS instances and use a specified TLS version

An RDS instance is considered compliant if SSL is enabled and the TLS version matches a version specified by the parameter. This encrypts data in transit.

Do not enable public access for Redis instances or set the whitelist to allow access from any source

A Redis instance is considered compliant if public network access is disabled or its whitelist does not allow access from any source. Unrestricted public access exposes instances to brute-force attacks and data leaks.

Set TLS or SSL encryption for Redis instances

A Redis instance is considered compliant if SSL encryption is enabled to protect data in transit.

Enable incremental backup for Redis instances

A Redis instance is considered compliant if incremental backup is enabled. Only Tair or Enterprise Edition instances are applicable. Incremental backups enable point-in-time data restoration.

Do not configure the access control list of a CLB instance to all address segments

A CLB instance is considered compliant if its access control list does not contain a 0.0.0.0/0 entry. For non-HTTP/HTTPS services, enable access control with a whitelist that excludes 0.0.0.0/0.

Ensure CLB instance listeners do not include risky ports

A CLB instance is considered compliant if its listeners do not monitor specified risky ports. Do not forward ports such as 22 and 3389 to the internet to reduce brute-force attack risk.

Add an HTTPS listener to a CLB instance

A CLB instance is considered compliant if an HTTPS listener is configured on a specified port to encrypt data in transit. Instances with only TCP or UDP listeners are not applicable. Default port: 443. Multiple ports can be comma-separated; the instance is compliant if any specified port has an HTTPS listener.

Ensure the network ACL of a VPC does not open risky ports

A VPC is considered compliant if its inbound rules for TCP or UDP on ports 22 and 3389 do not allow source 0.0.0.0/0. This reduces the risk of brute-force attacks.