Security of Elastic Acceleration Instance (EAIS)
Alibaba Cloud secures Elastic Acceleration Instance (EAIS) against modern cybersecurity challenges, offering enhanced security for resource and network access control, operations, fault isolation, and risk detection.
You can attach an EAIS instance to an ECS instance (that is not a GPU instance) to create a new type of GPU instance. This method offers greater elasticity for GPU resources and reduces deployment and usage costs compared to directly purchasing a GPU instance. Therefore, before you use EAIS, you must also consider the security of the ECS instance. For more information, see ECS security.
Access control
Resource access control
To ensure the security of your Alibaba Cloud account and cloud resources, avoid using your Alibaba Cloud account (primary account) to access Elastic Acceleration Instance (EAIS) unless necessary. We recommend using RAM identities, such as RAM users and RAM roles, to access EAIS.
Only an Alibaba Cloud account (primary account), or a RAM user or RAM role with administrative permissions, can create a RAM user. RAM users can sign in to the console or use an API to access resources under an Alibaba Cloud account only after they are granted the necessary permissions. For more information, see Overview of RAM users and Use RAM for access control.
Network access control
EAIS integrates with VPC and supports network isolation and network access control through VPC features, including Network ACL.
NoteA VPC is an isolated network environment that you build on Alibaba Cloud. VPCs are logically isolated from each other. For more information, see What is VPC?.
A Network ACL is a VPC feature for network access control. You can define Network ACL rules and associate the Network ACL with a vSwitch to control traffic to and from EAIS instances. For more information, see Network ACLs.
To use an EAIS instance, you must attach it to an ECS instance. An EAIS instance is accessible only from the attached ECS instance over a private network, ensuring secure communication between resources.
Fault isolation
EAIS is deployed across multiple availability zones in multiple regions. The independence of each availability zone provides fault isolation and ensures the stability and reliability of the EAIS service.
An availability zone is a physical location within a region that has an independent power supply and network.
Availability zones within the same region are connected by low-latency internal network links. They are designed for fault isolation, which means that a failure in one availability zone does not affect the operations of others. Each region is completely independent, and availability zones in different regions are fully isolated.
By default, EAIS checks the health of ECS instances in the resource pool and automatically isolates abnormal instances. This process eliminates single points of failure at the ECS instance level and improves the overall security of EAIS.
Resource change tracking and operation auditing
EAIS is integrated with Alibaba Cloud ActionTrail to provide unified management of cloud resource operation logs. ActionTrail records user sign-ins and resource access operations under your Alibaba Cloud account, enabling security analysis, intrusion detection, resource change tracking, and compliance auditing.
ActionTrail records log data for actions performed through the Alibaba Cloud console, OpenAPI, and developer tools. For a list of specific auditable events for EAIS, see Auditable events for Elastic Acceleration Instance.
By default, ActionTrail tracks and retains events of the last 90 days. If you need to retain events for a longer period of time, you can create a trail to deliver events to Simple Log Service or OSS. For more information, see Create a trail.
After you create a trail to deliver events to a Logstore of Simple Log Service or an OSS bucket, you can query or analyze the events in the Simple Log Service or OSS console. For more information, see Query events in the Simple Log Service or OSS console.
If you need to trace a historical event, submit a ticket to request the required permissions.
Real-time risk detection
EAIS performs comprehensive baseline checks on attached ECS instances for real-time risk detection. It uses security-scanned, proprietary container images from Alibaba Cloud to manage system and application vulnerabilities. This feature requires no additional configuration.