Ensure data security


Protect data on ECS instances through integrity verification, encryption for confidentiality, and backup for availability.

Data integrity

Data integrity prevents accidental or malicious tampering during transmission and storage.

ECS uses triplicate storage for reliability, secure data erasure for complete deletion, and Cyclic Redundancy Check (CRC) for end-to-end data protection.

  • Triplicate storage

    • Feature description: Cloud disk data is replicated into three chunk copies stored on different data nodes in a storage cluster. This ensures data reliability and stability during read and write operations. See ESSD cloud disk data reliability.

    • Configuration method: By default, cloud disks support this feature.

  • Data erasure mechanism

    • Feature description: Deleted data in the distributed block storage system is completely erased and cannot be accessed or restored.

      • Cloud disks use sequential append-writes at the underlying layer. This design leverages the high bandwidth and low latency of sequential writes on physical disks. Because of the append-write feature, an operation to delete a logical space on a cloud disk is recorded only as metadata. If you attempt to read from this logical space, the storage system returns all zeros. Similarly, overwriting a logical space does not immediately overwrite the corresponding space on the physical disk. Instead, the storage system modifies the mapping between the logical and physical spaces to perform the overwrite. This ensures that the original data cannot be read. Residual data on the physical disk from delete or overwrite operations is later permanently deleted.

      • When you release a block device, such as a cloud disk, the storage system immediately destroys its metadata to make the data inaccessible. The physical storage space that the cloud disk occupied is also reclaimed. This physical space is cleared before it is reallocated. All newly created cloud disks return zeros for all read operations before the first write.

    • Configuration method: By default, cloud disks support this feature.

  • CRC

    • Feature description: Cloud disks support CRC for end-to-end data verification during transmission and storage:

      • Full-link CRC is performed on all read and write operations.

      • The block storage system periodically performs CRC and redundancy checks on persistent media.

    • Configuration method: By default, cloud disks support this feature.

Data confidentiality

Encryption prevents unauthorized access and disclosure. Even if data is intercepted during transmission or illegally accessed in storage, the content cannot be decrypted.

ECS ensures data confidentiality across storage, network transmission, and computing environments.

Storage encryption

  • Disk encryption

    • Feature description: Enable encryption when you create a system disk or data disk. Data is automatically encrypted on write and decrypted on read, transparent to the operating system. No key management infrastructure is required. Disk encryption protects data privacy and provides a secure boundary for business data.

    • Configuration method: See Overview of cloud disk encryption.

    Important

    For enterprises with high security compliance requirements, ECS allows you to configure custom policies so that RAM users can create only encrypted disks. See the Restrict creating unencrypted cloud disks section of the "Custom policies for ECS" topic.

  • Snapshot encryption

    Snapshots of encrypted cloud disks (system disks and data disks) inherit the disk's encryption attribute. The snapshot data stays encrypted during storage, transmission, cross-region copy, and disk restoration.

  • Image encryption

    Image encryption protects data stored in images from unauthorized access. Even if an unauthorized user accesses the image data, it cannot be read or decrypted. Create an encrypted image from an instance with an encrypted system disk, from an encrypted snapshot, or by copying a non-encrypted image to an encrypted image.

Network transmission encryption

ECS supports multiple methods to encrypt data in transit: metadata access in security hardening mode, VPN Gateway for secure connectivity, and HTTPS for ECS resource access.

  • Access instance metadata in security hardening mode

    • Feature description: In normal mode, Metadata Service returns instance metadata without authentication. If the metadata contains sensitive information, it may be eavesdropped on or leaked. A server-side request forgery (SSRF) vulnerability can allow attackers to obtain Security Token Service (STS) tokens from Metadata Service, causing risks similar to AccessKey leaks. The security hardening mode mitigates SSRF attacks by requiring token-based authentication for metadata access.

    • Configuration method: Select security hardening mode to access Metadata Service. See Instance metadata.

  • Secure access with VPN Gateway

    • Feature description: VPN Gateway establishes encrypted tunnels between on-premises networks, office networks, or Internet clients and Alibaba Cloud Virtual Private Cloud (VPC) environments. It supports two connection methods: IPsec-VPN and SSL-VPN. For IPsec-VPN, keys are negotiated with Internet Key Exchange (IKE) and traffic is encrypted with the IPsec protocols.

      • IPsec-VPN: Each data packet is encrypted by IPsec before transmission. IPsec provides data encryption and authentication to ensure data integrity.

      • SSL-VPN: An SSL client certificate is installed on the client to establish an encrypted connection to the VPN gateway. SSL encrypts traffic for data protection, identity authentication, and data integrity.

      See What is VPN Gateway?

    • Configuration method: By default, this feature is supported.

  • Access ECS resources with HTTPS

    Important

    Alibaba Cloud provides the acs:SecureTransport condition key. Configure a custom policy that references this condition key and attach it to RAM users to restrict ECS resource access to HTTPS only. See Custom policies.
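The following is an added example for the "Access instance metadata in security hardening mode" item above; it is not code from this page or from Alibaba Cloud. It shows the two-step token flow a client performs in hardening mode (PUT for a short-lived token, then GET with the token header) against the real endpoint `http://100.100.100.200/latest`, and includes a constructed offline stand-in for the service so the difference between a token-bearing read and a plain GET (the only request shape most SSRF bugs can issue) can be observed without an ECS instance. The TTL lower bound enforced by the stand-in is an assumption.

```python
import io
import secrets
import time
import urllib.error
import urllib.request

# Endpoint and header names used by the ECS Metadata Service in hardening mode.
METADATA_BASE = "http://100.100.100.200/latest"
TOKEN_PATH = "/api/token"
TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"


def fetch_metadata(path, ttl_seconds=300, opener=urllib.request.urlopen):
    """Hardened-mode read: PUT for a short-lived token, then GET with it."""
    token_req = urllib.request.Request(METADATA_BASE + TOKEN_PATH, method="PUT",
                                       headers={TTL_HEADER: str(ttl_seconds)})
    with opener(token_req) as resp:
        token = resp.read().decode()
    data_req = urllib.request.Request(METADATA_BASE + path,
                                      headers={TOKEN_HEADER: token})
    with opener(data_req) as resp:
        return resp.read().decode()


def read_without_token(path, opener=urllib.request.urlopen):
    """Plain GET with no token header; returns None when the service rejects it."""
    try:
        with opener(urllib.request.Request(METADATA_BASE + path)) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError:
        return None


class FakeHardenedMetadataService:
    """Constructed offline stand-in (not Alibaba code); call it like urlopen."""
    def __init__(self):
        self.tokens = {}  # token -> expiry (monotonic seconds)
        self.data = {"/meta-data/instance-id": "i-constructed0001"}  # sample

    def __call__(self, req):
        path = req.full_url[len(METADATA_BASE):]
        if req.get_method() == "PUT" and path == TOKEN_PATH:
            ttl = int(req.get_header(TTL_HEADER, "0"))
            if ttl < 1:  # assumed: a missing or zero TTL is refused
                raise urllib.error.HTTPError(req.full_url, 400, "bad ttl", None, None)
            token = secrets.token_urlsafe(16)
            self.tokens[token] = time.monotonic() + ttl
            return io.BytesIO(token.encode())
        token = req.get_header(TOKEN_HEADER)
        if self.tokens.get(token, 0) < time.monotonic():
            raise urllib.error.HTTPError(req.full_url, 401, "token required", None, None)
        return io.BytesIO(self.data[path].encode())
```

On an ECS instance in hardening mode, `fetch_metadata("/meta-data/instance-id")` with the default opener performs the real exchange; passing `opener=FakeHardenedMetadataService()` runs the same client logic offline.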

Runtime computing environment

  • Feature description: Compute- and security-optimized ECS instances use techniques such as hardware encryption, isolation, and audit capabilities to provide secure, isolated computing environments. These instance types support host memory encryption, trusted computing, and confidential computing. See Security capabilities overview.

  • Configuration methods: See Trusted computing, Confidential computing, and Best practices.

Data availability

  • Feature description: Data availability keeps data complete, consistent, and accurate throughout its lifecycle. ECS supports snapshot-based backup, image-based backup, data disk partition restoration, and multi-zone deployment for disaster recovery.

  • Configuration methods: See ECS disaster recovery solutions.