Community

Blog Events Webinars Tutorials Forum
  1. Blog
  2. Events
  3. Webinars
  4. Tutorials
  5. Forum
Create Account
×
Community Blog Friday Q&A - Week 10 - Questions From The Vault

Friday Q&A - Week 10 - Questions From The Vault

Come time traveling with us, as we look back at old questions users have asked in Alibaba Cloud live and broadcast training sessions!

By Jeremy Pedersen

Welcome back for the 10th installment in our weekly Q&A blog series! In this week's column, we'll take a look at questions from trainings past. Read on.

So there is only one Alibaba Cloud, but there's two websites: aliyun.com and alibabacloud.com. What's the difference?

Great question. aliyun.com is Alibaba Cloud's mainland China website, while alibabacloud.com is our portal for users from everywhere else.

Both of these websites have access to the same set of Alibaba Cloud regions and zones, but there are some important differences. I've summarized them here:

Aliyun and Alibaba Cloud Differences

It's also worth noting that when new products are launched, they usually go live on aliyun.com first, and aliyun.com offers some services that have no direct equivalent outside China (for instance, the aliyun.com marketplace offers a service to verify Chinese ID cards).

However, unlike some other major cloud providers, Alibaba Cloud's account system is a unified account system. This means that - regardless of whether you sign up for aliyun.com or alibabacloud.com - you will have full access to every Alibaba Cloud region.

What happens when a RAM user has multiple policies attached, with conflicting permissions?

The most restrictive policy wins! RAM uses "Deny first" logic, when applying policies to RAM users, groups, and roles.

Let's examine a simple case. We have a RAM user, let's call her Stephanie. Stephanie has two policies bound to her RAM user account. The first one is an "Allow everything" policy, which looks like this:

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

The second policy is a "Deny everything" policy, which looks like this:

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Deny",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

So what will happen when Stephanie logs into the Alibaba Cloud console? What actions will she be allowed to perform?

Can she create a VPC group? Nope:

Create VPC

Can she manage Resource groups? Also no:

manage_rg

Here we see RAM's "Deny first" policy evaluation logic in action. Although this user has both an "Allow all" and a "Deny all" policy attached, the "Deny" policy takes precedence, so our user isn't able to do anything.

When using Alibaba Cloud Security Center, I notice an "Authorize Immediately" or "Access Denied" message popping up when I click on certain things. What's going on?

Not all of the features of security center are free. When this happens, it means you've tried to use a feature that isn't included in your current plan, and you need to upgrade to use it!

Security Center has quite a lot of different features, and there's no need to turn on every single feature. You should consider carefully what your security needs are before you purchase any additional features.

There's a table here (click on "Pricing") which summarizes the features included in each Security Center Edition.

Alibaba Cloud has an SSL certificate service. Does that mean Alibaba Cloud is a CA (Certificate Authority)?

No, Alibaba Cloud is not a CA, because the certificates we issue are generated and signed by our partners, such as GlobalSign or Entrust. We help automate the process of applying for (and deploying) SSL certificates, but we don't generate them directly. Don't worry, though: any SSL certificate that you manage from within Alibaba Cloud's SSL Certificate Service can be one-click deployed onto Alibaba Cloud Server Load Balancer, CDN, or other supported web-facing Alibaba Cloud services.

For more information about what types of SSL certificates we support (as well as who generates them for us), look here.

Ok, so I have created an ActionTrail "Trail". Now I want to start analyzing my ActionTrail logs. How do I access them?

  1. You can ship your ActionTrail logs to OSS (Object Storage Service), where you can access them as simple text files. This is a good choice if you are using a 3rd party monitoring tool and want to feed it your ActionTrail logs, or if you just want to keep an archival copy of your ActionTrail log data.
  2. You can ship your ActionTrail logs to Log Service, which includes built-in full text search and allows you to generate alerts based on patterns in the logs. This is a good choice if you don't want to construct your own custom analysis / alarm system.

You can enable ActionTrail trails for a single Alibaba Cloud account or for multiple accounts.

Does Alibaba Cloud Log Service let you use regular expressions in your searches?

Log Service does have some support for regular expressions, but the native query and analysis syntax for Log Service looks more like SQL. You can learn more about how log search works here and there's information about the Log Service query language here

If you have enabled indexing and full-text search, then you can search for just about anything in Log Service: it's just a matter of asking it the right questions!

Does Cloud Config check the configuration of all resources under an Alibaba Cloud account, or is it limited to a particular Region or Zone?

Cloud Config is a "global" service, which means it applies to all resources under your account. However, when you write custom Cloud Config rules, you can of course create different rule-sets for different regions. For instance, you could create a rule that only checks the Security Group configurations for ECS instances in the Singapore region, if you wanted.

See this page to learn how to create a Cloud Config rule.

Does Alibaba Cloud's basic DDoS protection (called Anti-DDoS Basic) apply to Alibaba Cloud services automatically?

Whew, finally an easy question! Yes, it is enabled by default. Users don't have to do anything to turn on this basic DDoS protection: it's built right into the Alibaba Cloud platform, and applies across every Alibaba Cloud region.

## I've Got A Question!

Great! Reach out to me at jierui.pjr@alibabacloud.com and I'll do my best to answer in a future Friday Q&A blog.

You can also follow the Alibaba Cloud Academy LinkedIn Page. We'll re-post these blogs there each Friday.

Not a LinkedIn person? We're also on Twitter and YouTube.

RAM Alibaba Cloud Log Service Marketplace Security Center ActionTrail Training and Certification alicloud aliyun
0 1 0
Share on

Read previous post:

Friday Q&A - Week 9 - Questions From The Vault

Read next post:

Friday Q&A - Week 11 - Questions From The Vault

JDP

71 posts | 157 followers

You may also like

Comments

JDP

71 posts | 157 followers

Related Products

More Posts by JDP

See All