Application security incorporates a set of measures and technologies to safeguard applications from threats and attacks when the applications are deployed and run. Application security is designed to protect software and data against unauthorized access, tampering, or corruption to ensure business continuity and user information security. This topic describes the application security capabilities that are supported by Elastic Compute Service (ECS) instances: host security protection, vulnerability management, network security protection for web applications, and traffic security protection for web applications.
Most businesses rely on the computing power provided by various hosts, which serve as hubs where different cloud services such as web applications, databases, and Object Storage Service (OSS) converge. Ensuring host security is a crucial part of the work required to protect applications in the cloud. An effective host security service gives your hosts malware detection, intrusion and threat detection, and alerting, so that a compromised host is identified and contained quickly instead of becoming a foothold for lateral movement.
Vulnerabilities can be exploited by attackers. You can use the vulnerability management feature of Security Center to ensure that vulnerabilities on ECS instances are discovered and remediated at the earliest opportunity. In addition, you can use the patch management feature of Operation Orchestration Service (OOS) to perform batch patching and scan for and automatically install missing patches on ECS instances.
Network security protection for web applications
Cloud Firewall and security groups segment the network at the Internet, VPC, and host boundaries. If a host is compromised, for example by a virus or worm, the attacker can reach only what your rules explicitly allow, which confines the intrusion to a limited scope and keeps the rest of the business running.
Traffic security protection for web applications
Attacks targeted at web applications remain one of the main sources of security threats on the Internet. In addition to traditional web pages and applications, APIs and miniapps now attract heavy traffic. As the number of entry points grows and they become easier to call, the attacks against them become more varied. Use Web Application Firewall (WAF) and Anti-DDoS services to defend against volumetric attacks and vulnerability exploitation from the network and to prevent the business interruptions these attacks cause.
You can use the events recorded by ActionTrail to analyze risks, exceptions, and user behavior, and to reconstruct the full chain of operations behind a security-relevant change so that you can verify that the chain is complete and authorized and identify gaps. You can then adjust your configuration to maintain in-cloud security.
Host security protection
Feature introduction
ECS can use the security features provided by Security Center Basic to protect ECS instances (hosts). Security Center Basic provides basic security features, such as vulnerability detection, unusual logon detection, AccessKey pair leak detection, and compliance check. For more information, see Introduction to Security Center Basic.
Note: To use additional security features, such as vulnerability fixing, anti-ransomware, and website tamper-proofing, purchase Security Center. For more information, see Purchase Security Center.
Configuration methods
ECS console: When you create ECS instances in the ECS console, select the Free Security Hardening option to enable security hardening. This way, the created ECS instances are protected by the security features of Security Center, such as vulnerability detection and compliance check.
Note: You can also call the RunInstances operation with SecurityEnhancementStrategy set to Active to create ECS instances for which security hardening is enabled.
Security Center console: Install the Security Center agent on existing ECS instances to use the security features of Security Center. For more information, see Install the Security Center agent.
Check the security status of ECS instances
ECS console: On the Instance page, move the pointer over the icon in the Monitoring column corresponding to an ECS instance to check the security status of the instance. You can click Process Now to view the alert details of an unhandled task. If high-severity risks exist, we recommend that you handle the risks as prompted to prevent your business from being affected.
Security Center console: In the left-side navigation pane of the Security Center console, choose . Then, find the ECS instance that you want to manage and view the security details of the instance. For more information, see Manage servers.
Vulnerability management
Scan for and handle vulnerabilities
Feature introduction
Security Center provides the vulnerability management feature, which can detect security vulnerabilities in operating systems, web content management systems, and applications, assess the severities of the vulnerabilities, and prioritize the vulnerabilities based on their severities. You can enable the feature to fix specific vulnerabilities with a few clicks and reduce the attack surface in your system.
By default, Security Center Basic automatically scans for Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities every two days. You can also use the quick scan feature provided by Security Center Basic to manually scan for vulnerabilities. The paid editions of Security Center can not only scan for Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities, but also automatically update vulnerability information and fix the vulnerabilities. For more information, see Overview.
Configuration methods
To shrink the window in which known vulnerabilities on ECS instances can be exploited, we recommend that you scan for vulnerabilities on a regular basis and fix the detected vulnerabilities promptly, starting with the highest-severity ones on Internet-facing instances. For more information, see Scan for vulnerabilities and View and handle vulnerabilities.
Use patch baseline to automatically update security patches
Feature introduction
The patch management feature of Alibaba Cloud OOS allows you to use security-related or other updates to automatically install patches on ECS instances. You can use the patch management feature to install a service pack on a Windows ECS instance, update the minor version of a Linux ECS instance, and install patches on multiple ECS instances that run the same type of operating system at a time. You can also use the feature to scan ECS instances for missing patches and automatically install the patches on the instances. For more information, see Overview.
Configuration methods
To ensure the operating system security and stability of ECS instances, we recommend that you use the patch management feature to automatically scan the instances for missing system patches and to download and install the required patches.
ECS console: Go to the instance details page of an ECS instance, choose Scheduled and Automated Tasks > Automatic Patch Installation. Click Automatic Patch Installation and install system patches as prompted.
OOS console: For more information, see Patch baseline and Immediate fix.
Network security protection for web applications
Configure Cloud Firewall
Feature introduction
Alibaba Cloud Cloud Firewall is a software as a service (SaaS) service that comes with its own operations and management console. Cloud Firewall implements centralized security isolation and traffic management for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall is your first line of defense for your workloads in Alibaba Cloud. For more information, see What is Cloud Firewall?
Configuration methods
You can configure firewalls based on network boundaries to facilitate logical layering and subsequent maintenance.
If you want to protect only traffic over the Internet, you need to only configure inbound or outbound access control policies for the Internet firewall. For more information, see Create access control policies for the Internet firewall.
If you want to manage outbound traffic from resources, such as an ECS instance or elastic container instance, in a VPC to the Internet over a NAT gateway, you can enable a NAT firewall for the NAT gateway and configure an access control policy to manage traffic from internal-facing resources to the Internet in a fine-grained manner. For more information, see Create access control policies for the Internet firewall.
If you want to protect traffic over the Internet and traffic between ECS instances, use the Internet firewall together with internal firewalls. For more information, see Create an access control policy for an internal firewall.
If you want to protect traffic over the Internet, traffic between VPCs, and traffic between VPCs and data centers, use the Internet firewall together with VPC firewalls. For more information, see Create an access control policy for a VPC firewall.
Configure security groups
Feature introduction
A security group is a virtual firewall that controls inbound and outbound traffic of ECS instances. You can configure inbound rules for a security group to control traffic to ECS instances in the security group and outbound rules to control traffic from the instances. For more information, see Overview.
Configuration methods
When you create an ECS instance, you can specify one or more security groups for the instance. You can also add an existing ECS instance to one or more security groups. Keep inbound rules as narrow as the workload allows: open only the ports the service needs, and restrict administrative ports such as SSH (22) and RDP (3389) to known source CIDR blocks rather than 0.0.0.0/0. For more information, see Manage ECS instances in security groups.
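The following is an added example, not Alibaba Cloud code, that lints a security group rule set for the over-broad inbound access described above and shows the same rules with the exposure narrowed to a bastion address. The rule dictionaries are constructed for the example; their keys mirror the field names that DescribeSecurityGroupAttribute returns (IpProtocol, PortRange, SourceCidrIp, Policy, Priority, Direction), but the values, the ADMIN_PORTS table, and the "wider than /16 counts as public" threshold are assumptions you would tune for your own environment.

```python
"""Lint ECS security group rules for admin ports exposed to large source ranges.

Added example (not Alibaba Cloud code). Rule dictionaries below are constructed;
keys follow DescribeSecurityGroupAttribute field names, values are invented.
Rule priority and Drop-rule shadowing are deliberately not evaluated.
"""
import ipaddress

# Ports that should never be reachable from the whole Internet (assumption).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis"}

# Constructed sample rule set: one world-open SSH rule, one world-open HTTP rule,
# one MySQL rule from a /24, one allow-all from a /10, and one egress rule.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "192.0.2.0/24", "Priority": 10},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "100.64.0.0/10", "Priority": 100},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0", "Priority": 1},
]


def parse_port_range(port_range):
    """'22/22' -> (22, 22); '-1/-1' (ECS notation for all ports) -> (0, 65535)."""
    low, high = (int(p) for p in port_range.split("/"))
    if low == -1 and high == -1:
        return 0, 65535
    return low, high


def lint_rules(rules):
    """Return (rule_index, port, service, source_cidr) for each admin port that an
    ingress Accept rule exposes to a source range of /16 or wider.

    ICMP rules are skipped because they carry no port; egress rules are skipped
    because this check is about what can reach the instance.
    """
    findings = []
    for idx, rule in enumerate(rules):
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule.get("Policy") != "Accept" or rule.get("IpProtocol") == "ICMP":
            continue
        src = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        if src.prefixlen > 16:  # narrower than /16: treated as a known network
            continue
        low, high = parse_port_range(rule["PortRange"])
        for port, service in ADMIN_PORTS.items():
            if low <= port <= high:
                findings.append((idx, port, service, rule["SourceCidrIp"]))
    return findings


def restrict_source(rules, bastion_cidr):
    """Return a copy of rules in which every flagged rule's source is narrowed to
    bastion_cidr (for example the /32 of a jump host). The input is not mutated."""
    flagged = {idx for idx, *_ in lint_rules(rules)}
    fixed = []
    for idx, rule in enumerate(rules):
        rule = dict(rule)
        if idx in flagged:
            rule["SourceCidrIp"] = bastion_cidr
        fixed.append(rule)
    return fixed


if __name__ == "__main__":
    for idx, port, service, src in lint_rules(SAMPLE_RULES):
        print(f"rule {idx}: {service} ({port}) reachable from {src}")
    hardened = restrict_source(SAMPLE_RULES, "198.51.100.7/32")
    print("findings after hardening:", lint_rules(hardened))
```

Run against the constructed set, the linter flags the SSH rule and the allow-all rule from 100.64.0.0/10 (which exposes all four admin ports), leaves the HTTP rule and the /24 MySQL rule alone, and reports nothing once the flagged rules are narrowed to the bastion address. In production you would feed it the Permissions list returned by DescribeSecurityGroupAttribute instead of SAMPLE_RULES.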
Traffic security protection for web applications
Configure WAF
Feature introduction
WAF identifies and filters out malicious traffic that is destined for websites and applications and forwards clean, scrubbed traffic to the websites and applications. This protects web servers against intrusion and ensures the security of data and services. For more information, see What is WAF?
Configuration methods
If you already created an ECS instance, you can add the instance's web ports to WAF so that the web traffic of the instance is forwarded to WAF for protection. After you add an ECS instance to WAF, all web traffic for those ports is redirected to WAF for inspection through the WAF traffic gateway. WAF filters out malicious traffic and forwards clean traffic to the ECS instance. For more information, see Enable WAF protection for an ECS instance.
Anti-DDoS Basic
Feature introduction
Anti-DDoS Basic provides a basic mitigation capability ranging from 500 Mbit/s to 5 Gbit/s against DDoS attacks for ECS instances free of charge. For more information, see What is Anti-DDoS Basic?
Note: You can also use advanced editions of Anti-DDoS, such as Anti-DDoS Origin and Anti-DDoS Proxy, to add more layers of protection for ECS instances. For more information, see What is Anti-DDoS Origin? and What is Anti-DDoS Proxy?
After Anti-DDoS Basic is activated, the service monitors inbound traffic to ECS instances in real time. When network traffic destined for an ECS instance that has a public IP address exceeds the specified traffic scrubbing threshold, Anti-DDoS Basic automatically scrubs the traffic to protect your business from DDoS attacks.
Configuration methods
By default, Anti-DDoS Basic is activated and cannot be deactivated. You do not need to manually configure Anti-DDoS Basic. Keep in mind that the free mitigation capacity is a per-instance limit: when an attack exceeds it, the public IP address is blackholed and all of its traffic is dropped until the attack subsides. For Internet-facing services that cannot tolerate that downtime, add an advanced Anti-DDoS edition.
Regular operation audit
Feature introduction
ActionTrail monitors and records the operations of your Alibaba Cloud account. You can use this service to perform security analysis, resource change tracking, and compliance audits. ActionTrail can deliver management events to Logstores in Simple Log Service or OSS buckets. This way, you can audit the events in real time and identify the causes of issues. For more information, see What is ActionTrail?
In the ActionTrail console, you can query the management events that are generated when you manage ECS resources. For more information, see Audit events of ECS. If an error occurs when you perform operations on ECS instances, you can query the details of the related events to obtain information such as the time when the events occurred, the region where the events occurred, and the ECS instances involved.
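The following is an added example, not ActionTrail or ECS code, of the kind of risk and behavior analysis described above, run over management events as they would be delivered to a Logstore or OSS bucket. The events are constructed JSON lines in the shape of ActionTrail management events (eventName, eventSource, eventTime, acsRegion, sourceIpAddress, userIdentity, requestParameters); real events carry more fields, and the user names, IP addresses, resource IDs, and the trusted-source list are invented. It flags four things a practitioner typically wants to catch: instances created without security hardening, security group rules opened to 0.0.0.0/0, write operations performed with the root account, and write operations from outside the trusted corporate ranges.

```python
"""Audit ActionTrail-style ECS management events for risky changes.

Added example (not Alibaba Cloud code). SAMPLE_EVENTS is constructed: the field
names follow the ActionTrail management event format, the values are invented.
"""
import ipaddress
import json

# Constructed sample events, one JSON object per line (JSON-lines delivery).
SAMPLE_EVENTS = """\
{"eventName":"RunInstances","eventSource":"ecs.aliyuncs.com","eventTime":"2024-05-01T08:00:00Z","acsRegion":"cn-hangzhou","sourceIpAddress":"203.0.113.5","userIdentity":{"type":"ram-user","userName":"deployer"},"requestParameters":{"RegionId":"cn-hangzhou","SecurityEnhancementStrategy":"Active"}}
{"eventName":"RunInstances","eventSource":"ecs.aliyuncs.com","eventTime":"2024-05-01T08:05:00Z","acsRegion":"cn-hangzhou","sourceIpAddress":"198.51.100.23","userIdentity":{"type":"ram-user","userName":"contractor"},"requestParameters":{"RegionId":"cn-hangzhou"}}
{"eventName":"AuthorizeSecurityGroup","eventSource":"ecs.aliyuncs.com","eventTime":"2024-05-01T08:07:00Z","acsRegion":"cn-hangzhou","sourceIpAddress":"198.51.100.23","userIdentity":{"type":"ram-user","userName":"contractor"},"requestParameters":{"SecurityGroupId":"sg-example","IpProtocol":"tcp","PortRange":"22/22","SourceCidrIp":"0.0.0.0/0"}}
{"eventName":"DescribeInstances","eventSource":"ecs.aliyuncs.com","eventTime":"2024-05-01T08:09:00Z","acsRegion":"cn-hangzhou","sourceIpAddress":"203.0.113.9","userIdentity":{"type":"root-account","userName":"root"},"requestParameters":{"RegionId":"cn-hangzhou"}}
{"eventName":"DeleteInstance","eventSource":"ecs.aliyuncs.com","eventTime":"2024-05-01T08:10:00Z","acsRegion":"cn-hangzhou","sourceIpAddress":"203.0.113.9","userIdentity":{"type":"root-account","userName":"root"},"requestParameters":{"InstanceId":"i-example"}}
"""

# Ranges from which console/API changes are expected (assumption for the example).
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# ECS operations whose name starts with one of these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Query")


def is_read_only(event_name):
    return event_name.startswith(READ_ONLY_PREFIXES)


def audit_event(event, trusted=TRUSTED_SOURCES):
    """Return a list of (rule, detail) findings for a single event dict."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity") or {}
    findings = []

    # Instances created without the Security Center hardening option.
    if name == "RunInstances" and params.get("SecurityEnhancementStrategy") != "Active":
        findings.append(("unhardened-instance",
                         "RunInstances without SecurityEnhancementStrategy=Active"))

    # Inbound rule opened to the whole Internet.
    if name == "AuthorizeSecurityGroup" and params.get("SourceCidrIp") == "0.0.0.0/0":
        findings.append(("world-open-ingress",
                         f"{params.get('IpProtocol')} {params.get('PortRange')} opened "
                         f"to 0.0.0.0/0 on {params.get('SecurityGroupId')}"))

    # Changes made with the root account instead of a RAM user or role.
    if not is_read_only(name) and identity.get("type") == "root-account":
        findings.append(("root-write", f"{name} executed with the root account"))

    # Changes made from outside the trusted source ranges.
    src = event.get("sourceIpAddress")
    if src and not is_read_only(name):
        if not any(ipaddress.ip_address(src) in net for net in trusted):
            findings.append(("untrusted-source", f"{name} from {src}"))
    return findings


def audit(jsonl, trusted=TRUSTED_SOURCES):
    """Run audit_event over JSON-lines text.

    Returns (eventTime, userName, rule, detail) tuples in event order so that a
    chain of operations by one identity can be read top to bottom.
    """
    results = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        who = (event.get("userIdentity") or {}).get("userName", "?")
        for rule, detail in audit_event(event, trusted):
            results.append((event.get("eventTime"), who, rule, detail))
    return results


if __name__ == "__main__":
    for when, who, rule, detail in audit(SAMPLE_EVENTS):
        print(f"{when} {who:<12} {rule:<20} {detail}")
```

On the constructed input the audit reports nothing for the hardened RunInstances call from the trusted range, two findings each for the contractor's unhardened instance and world-open SSH rule (both also from an untrusted address), nothing for the root account's read-only DescribeInstances call, and one finding for the root account's DeleteInstance. The same logic can be pointed at a Simple Log Service query result or at objects read from the OSS delivery bucket.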
Configuration methods
By default, ECS is integrated with ActionTrail and ActionTrail is activated. You do not need to manually configure ActionTrail.